driftctl/pkg/remote/aws/vpc_security_group_rule_sup...

package aws

import (
	"context"
	"testing"

	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"

	"github.com/aws/aws-sdk-go/aws/awserr"
	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"

	"github.com/cloudskiff/driftctl/pkg/parallel"

	awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"

	"github.com/aws/aws-sdk-go/service/ec2"

	"github.com/aws/aws-sdk-go/aws"

	"github.com/cloudskiff/driftctl/test/goldenfile"
	mocks2 "github.com/cloudskiff/driftctl/test/mocks"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/mock"

	"github.com/cloudskiff/driftctl/mocks"

	"github.com/cloudskiff/driftctl/pkg/resource"
	"github.com/cloudskiff/driftctl/pkg/terraform"
	"github.com/cloudskiff/driftctl/test"
)

func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {
	cases := []struct {
		test    string
		dirName string
		mocks   func(client *mocks.FakeEC2)
		err     error
	}{
		{
			test:    "no security group rules",
			dirName: "vpc_security_group_rule_empty",
			mocks: func(client *mocks.FakeEC2) {
				client.On("DescribeSecurityGroupsPages",
					&ec2.DescribeSecurityGroupsInput{},
					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
						callback(&ec2.DescribeSecurityGroupsOutput{
							SecurityGroups: []*ec2.SecurityGroup{
								{
									GroupId:             aws.String("sg-0254c038e32f25530"),
									IpPermissions:       []*ec2.IpPermission{},
									IpPermissionsEgress: []*ec2.IpPermission{},
								},
							},
						}, true)
						return true
					})).Return(nil)
			},
			err: nil,
		},
		{
			test:    "with security group rules",
			dirName: "vpc_security_group_rule_multiple",
			mocks: func(client *mocks.FakeEC2) {
				client.On("DescribeSecurityGroupsPages",
					&ec2.DescribeSecurityGroupsInput{},
					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
						callback(&ec2.DescribeSecurityGroupsOutput{
							SecurityGroups: []*ec2.SecurityGroup{
								{
									GroupId: aws.String("sg-0254c038e32f25530"),
									IpPermissions: []*ec2.IpPermission{
										{
											FromPort:   aws.Int64(0),
											ToPort:     aws.Int64(65535),
											IpProtocol: aws.String("tcp"),
											UserIdGroupPairs: []*ec2.UserIdGroupPair{
												{
													GroupId: aws.String("sg-0254c038e32f25530"),
												},
												{
													GroupId: aws.String("sg-9e0204ff"),
												},
											},
										},
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("1.2.0.0/16"),
												},
												{
													CidrIp: aws.String("5.6.7.0/24"),
												},
											},
											Ipv6Ranges: []*ec2.Ipv6Range{
												{
													CidrIpv6: aws.String("::/0"),
												},
											},
										},
									},
									IpPermissionsEgress: []*ec2.IpPermission{
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("0.0.0.0/0"),
												},
											},
											Ipv6Ranges: []*ec2.Ipv6Range{
												{
													CidrIpv6: aws.String("::/0"),
												},
											},
										},
									},
								},
							},
						}, false)
						callback(&ec2.DescribeSecurityGroupsOutput{
							SecurityGroups: []*ec2.SecurityGroup{
								{
									GroupId: aws.String("sg-0cc8b3c3c2851705a"),
									IpPermissions: []*ec2.IpPermission{
										{
											FromPort:   aws.Int64(443),
											ToPort:     aws.Int64(443),
											IpProtocol: aws.String("tcp"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("0.0.0.0/0"),
												},
											},
										},
									},
									IpPermissionsEgress: []*ec2.IpPermission{
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("0.0.0.0/0"),
												},
											},
											Ipv6Ranges: []*ec2.Ipv6Range{
												{
													CidrIpv6: aws.String("::/0"),
												},
											},
										},
										{
											IpProtocol: aws.String("5"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("0.0.0.0/0"),
												},
											},
										},
									},
								},
							},
						}, true)
						return true
					})).Return(nil)
			},
			err: nil,
		},
		{
			test:    "should ignore default security group default rules",
			dirName: "vpc_security_group_default_rules",
			mocks: func(client *mocks.FakeEC2) {
				client.On("DescribeSecurityGroupsPages",
					&ec2.DescribeSecurityGroupsInput{},
					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
						callback(&ec2.DescribeSecurityGroupsOutput{
							SecurityGroups: []*ec2.SecurityGroup{
								{
									GroupId:   aws.String("sg-a74815c8"),
									GroupName: aws.String("default"),
									IpPermissions: []*ec2.IpPermission{
										{
											IpProtocol: aws.String("-1"),
											UserIdGroupPairs: []*ec2.UserIdGroupPair{
												{
													GroupId: aws.String("sg-a74815c8"),
												},
											},
										},
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("1.2.0.0/16"),
												},
											},
										},
									},
									IpPermissionsEgress: []*ec2.IpPermission{
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("0.0.0.0/0"),
												},
											},
										},
										{
											IpProtocol: aws.String("-1"),
											IpRanges: []*ec2.IpRange{
												{
													CidrIp: aws.String("1.2.3.4/32"),
												},
											},
										},
									},
								},
							},
						}, true)
						return true
					})).Return(nil)
			},
			err: nil,
		},
		{
			test:    "cannot list security group rules",
			dirName: "vpc_security_group_rule_empty",
			mocks: func(client *mocks.FakeEC2) {
				client.On("DescribeSecurityGroupsPages",
					&ec2.DescribeSecurityGroupsInput{},
					mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
						return true
					})).Return(awserr.NewRequestFailure(nil, 403, ""))
			},
			err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupRuleResourceType),
		},
	}
	for _, c := range cases {
		shouldUpdate := c.dirName == *goldenfile.Update

		providerLibrary := terraform.NewProviderLibrary()
		supplierLibrary := resource.NewSupplierLibrary()

		if shouldUpdate {
			provider, err := InitTestAwsProvider(providerLibrary)
			if err != nil {
				t.Fatal(err)
			}
			supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))
		}

		t.Run(c.test, func(tt *testing.T) {
			fakeEC2 := mocks.FakeEC2{}
			c.mocks(&fakeEC2)
			provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
			deserializer := awsdeserializer.NewVPCSecurityGroupRuleDeserializer()
			s := &VPCSecurityGroupRuleSupplier{
				provider,
				deserializer,
				&fakeEC2,
				terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
			}
			got, err := s.Resources()
			assert.Equal(tt, c.err, err)

			mock.AssertExpectationsForObjects(tt)
			test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, tt)
		})
	}
}
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`package aws`

			`import (`
			`"context"`
			`"testing"`

alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"`

			`"github.com/aws/aws-sdk-go/aws/awserr"`
			`resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"`

Add support for multiples IaC sources 2021-01-15 11:44:13 +00:00			`"github.com/cloudskiff/driftctl/pkg/parallel"`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"`

			`"github.com/aws/aws-sdk-go/service/ec2"`

			`"github.com/aws/aws-sdk-go/aws"`

			`"github.com/cloudskiff/driftctl/test/goldenfile"`
			`mocks2 "github.com/cloudskiff/driftctl/test/mocks"`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`"github.com/stretchr/testify/assert"`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`"github.com/stretchr/testify/mock"`

			`"github.com/cloudskiff/driftctl/mocks"`

			`"github.com/cloudskiff/driftctl/pkg/resource"`
			`"github.com/cloudskiff/driftctl/pkg/terraform"`
			`"github.com/cloudskiff/driftctl/test"`
			`)`

			`func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {`
			`cases := []struct {`
			`test string`
			`dirName string`
			`mocks func(client *mocks.FakeEC2)`
			`err error`
			`}{`
			`{`
			`test: "no security group rules",`
			`dirName: "vpc_security_group_rule_empty",`
			`mocks: func(client *mocks.FakeEC2) {`
			`client.On("DescribeSecurityGroupsPages",`
			`&ec2.DescribeSecurityGroupsInput{},`
			`mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {`
			`callback(&ec2.DescribeSecurityGroupsOutput{`
			`SecurityGroups: []*ec2.SecurityGroup{`
			`{`
			`GroupId: aws.String("sg-0254c038e32f25530"),`
			`IpPermissions: []*ec2.IpPermission{},`
			`IpPermissionsEgress: []*ec2.IpPermission{},`
			`},`
			`},`
			`}, true)`
			`return true`
			`})).Return(nil)`
			`},`
			`err: nil,`
			`},`
			`{`
			`test: "with security group rules",`
			`dirName: "vpc_security_group_rule_multiple",`
			`mocks: func(client *mocks.FakeEC2) {`
			`client.On("DescribeSecurityGroupsPages",`
			`&ec2.DescribeSecurityGroupsInput{},`
			`mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {`
			`callback(&ec2.DescribeSecurityGroupsOutput{`
			`SecurityGroups: []*ec2.SecurityGroup{`
			`{`
			`GroupId: aws.String("sg-0254c038e32f25530"),`
			`IpPermissions: []*ec2.IpPermission{`
			`{`
			`FromPort: aws.Int64(0),`
			`ToPort: aws.Int64(65535),`
			`IpProtocol: aws.String("tcp"),`
			`UserIdGroupPairs: []*ec2.UserIdGroupPair{`
			`{`
			`GroupId: aws.String("sg-0254c038e32f25530"),`
			`},`
			`{`
			`GroupId: aws.String("sg-9e0204ff"),`
			`},`
			`},`
			`},`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("1.2.0.0/16"),`
			`},`
			`{`
			`CidrIp: aws.String("5.6.7.0/24"),`
			`},`
			`},`
			`Ipv6Ranges: []*ec2.Ipv6Range{`
			`{`
			`CidrIpv6: aws.String("::/0"),`
			`},`
			`},`
			`},`
			`},`
			`IpPermissionsEgress: []*ec2.IpPermission{`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("0.0.0.0/0"),`
			`},`
			`},`
			`Ipv6Ranges: []*ec2.Ipv6Range{`
			`{`
			`CidrIpv6: aws.String("::/0"),`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`}, false)`
			`callback(&ec2.DescribeSecurityGroupsOutput{`
			`SecurityGroups: []*ec2.SecurityGroup{`
			`{`
			`GroupId: aws.String("sg-0cc8b3c3c2851705a"),`
			`IpPermissions: []*ec2.IpPermission{`
			`{`
			`FromPort: aws.Int64(443),`
			`ToPort: aws.Int64(443),`
			`IpProtocol: aws.String("tcp"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("0.0.0.0/0"),`
			`},`
			`},`
			`},`
			`},`
			`IpPermissionsEgress: []*ec2.IpPermission{`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("0.0.0.0/0"),`
			`},`
			`},`
			`Ipv6Ranges: []*ec2.Ipv6Range{`
			`{`
			`CidrIpv6: aws.String("::/0"),`
			`},`
			`},`
			`},`
			`{`
			`IpProtocol: aws.String("5"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("0.0.0.0/0"),`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`}, true)`
			`return true`
			`})).Return(nil)`
			`},`
			`err: nil,`
			`},`
			`{`
			`test: "should ignore default security group default rules",`
			`dirName: "vpc_security_group_default_rules",`
			`mocks: func(client *mocks.FakeEC2) {`
			`client.On("DescribeSecurityGroupsPages",`
			`&ec2.DescribeSecurityGroupsInput{},`
			`mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {`
			`callback(&ec2.DescribeSecurityGroupsOutput{`
			`SecurityGroups: []*ec2.SecurityGroup{`
			`{`
			`GroupId: aws.String("sg-a74815c8"),`
			`GroupName: aws.String("default"),`
			`IpPermissions: []*ec2.IpPermission{`
			`{`
			`IpProtocol: aws.String("-1"),`
			`UserIdGroupPairs: []*ec2.UserIdGroupPair{`
			`{`
			`GroupId: aws.String("sg-a74815c8"),`
			`},`
			`},`
			`},`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("1.2.0.0/16"),`
			`},`
			`},`
			`},`
			`},`
			`IpPermissionsEgress: []*ec2.IpPermission{`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("0.0.0.0/0"),`
			`},`
			`},`
			`},`
			`{`
			`IpProtocol: aws.String("-1"),`
			`IpRanges: []*ec2.IpRange{`
			`{`
			`CidrIp: aws.String("1.2.3.4/32"),`
			`},`
			`},`
			`},`
			`},`
			`},`
			`},`
			`}, true)`
			`return true`
			`})).Return(nil)`
			`},`
			`err: nil,`
			`},`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`{`
			`test: "cannot list security group rules",`
			`dirName: "vpc_security_group_rule_empty",`
			`mocks: func(client *mocks.FakeEC2) {`
			`client.On("DescribeSecurityGroupsPages",`
			`&ec2.DescribeSecurityGroupsInput{},`
			`mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {`
			`return true`
			`})).Return(awserr.NewRequestFailure(nil, 403, ""))`
			`},`
			`err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupRuleResourceType),`
			`},`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`}`
			`for _, c := range cases {`
			`shouldUpdate := c.dirName == *goldenfile.Update`
Remove singleton to fix issues when chain multiples cmd run We have some issue when running acceptance test, more generally when we use to execute scan cmd multiples times. We were using global singletons for provider and resources suppliers managment which lead us to improper state in the second scan run. We should avoid this in the future and make proper initialization of our dependencies maybe using a dependency injection container. 2021-01-22 17:06:17 +00:00
			`providerLibrary := terraform.NewProviderLibrary()`
			`supplierLibrary := resource.NewSupplierLibrary()`

🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`if shouldUpdate {`
Fix aws suppliers and tests to use new provider 2021-02-09 13:56:11 +00:00			`provider, err := InitTestAwsProvider(providerLibrary)`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`if err != nil {`
			`t.Fatal(err)`
			`}`
Remove singleton to fix issues when chain multiples cmd run We have some issue when running acceptance test, more generally when we use to execute scan cmd multiples times. We were using global singletons for provider and resources suppliers managment which lead us to improper state in the second scan run. We should avoid this in the future and make proper initialization of our dependencies maybe using a dependency injection container. 2021-01-22 17:06:17 +00:00			`supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`}`

			`t.Run(c.test, func(tt *testing.T) {`
			`fakeEC2 := mocks.FakeEC2{}`
			`c.mocks(&fakeEC2)`
Remove singleton to fix issues when chain multiples cmd run We have some issue when running acceptance test, more generally when we use to execute scan cmd multiples times. We were using global singletons for provider and resources suppliers managment which lead us to improper state in the second scan run. We should avoid this in the future and make proper initialization of our dependencies maybe using a dependency injection container. 2021-01-22 17:06:17 +00:00			`provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`deserializer := awsdeserializer.NewVPCSecurityGroupRuleDeserializer()`
			`s := &VPCSecurityGroupRuleSupplier{`
			`provider,`
			`deserializer,`
			`&fakeEC2,`
Add support for multiples IaC sources 2021-01-15 11:44:13 +00:00			`terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00			`}`
			`got, err := s.Resources()`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`assert.Equal(tt, c.err, err)`
🍾 Initial release Co-authored-by: William BEUIL <william.beuil@cloudskiff.com> Co-authored-by: Martin GUIBERT <martin@cloudskiff.com> 2020-12-09 15:31:34 +00:00
			`mock.AssertExpectationsForObjects(tt)`
			`test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, tt)`
			`})`
			`}`
			`}`