driftctl/pkg/middlewares/aws_defaults_test.go

270 lines
7.4 KiB
Go
Raw Normal View History

package middlewares
import (
"testing"
2021-08-09 14:03:04 +00:00
"github.com/stretchr/testify/assert"
"github.com/cloudskiff/driftctl/pkg/resource"
"github.com/cloudskiff/driftctl/pkg/resource/aws"
)
2021-04-09 11:07:15 +00:00
func TestAwsDefaults_Execute(t *testing.T) {
tests := []struct {
name string
2021-08-09 14:03:04 +00:00
remoteResources []*resource.Resource
resourcesFromState []*resource.Resource
assert func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource)
}{
{
2021-08-09 14:03:04 +00:00
"ignore default iam roles when they're not managed by IaC",
[]*resource.Resource{
{
Id: "AWSServiceRoleForSSO",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/aws-service-role/sso.amazonaws.com",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "OrganizationAccountAccessRole",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/not-aws-service-role/sso.amazonaws.com/",
},
},
2021-08-09 14:03:04 +00:00
{
2021-04-09 11:07:15 +00:00
Id: "terraform-20210408093258091700000001",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/",
},
2021-04-09 11:07:15 +00:00
},
2021-08-09 14:03:04 +00:00
{
2021-05-21 14:09:45 +00:00
Id: "dummy-route",
Type: aws.AwsRouteResourceType,
Attrs: &resource.Attributes{
"route_table_id": "default-route-table",
"gateway_id": "local",
},
},
},
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
2021-05-21 14:09:45 +00:00
Id: "dummy-route",
Type: aws.AwsRouteResourceType,
Attrs: &resource.Attributes{
"route_table_id": "default-route-table",
"gateway_id": "local",
},
},
2021-08-09 14:03:04 +00:00
{
2021-04-09 11:07:15 +00:00
Id: "terraform-20210408093258091700000001",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/",
},
2021-04-09 11:07:15 +00:00
},
},
2021-08-09 14:03:04 +00:00
func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
assert.Len(t, remoteResources, 3)
for _, remoteResource := range remoteResources {
if remoteResource.TerraformId() == "AWSServiceRoleForSSO" {
t.Fatal("AWSServiceRoleForSSO should have been ignored")
}
}
},
},
{
2021-08-09 14:03:04 +00:00
"ignore default iam roles when they're managed by IaC",
[]*resource.Resource{
{
2021-05-07 15:47:53 +00:00
Id: "AWSServiceRoleForSSO",
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/aws-service-role/sso.amazonaws.com/",
"description": "test",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "OrganizationAccountAccessRole",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/not-aws-service-role/sso.amazonaws.com/",
},
},
2021-08-09 14:03:04 +00:00
{
2021-04-09 11:07:15 +00:00
Id: "driftctl_assume_role:driftctl_policy.10",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/",
"tags": map[string]string{
"test": "value",
},
},
},
},
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
Id: "AWSServiceRoleForSSO",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/aws-service-role/sso.amazonaws.com/",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "OrganizationAccountAccessRole",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/not-aws-service-role/sso.amazonaws.com/",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "driftctl_assume_role:driftctl_policy.10",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/",
"tags": map[string]string{},
},
},
},
2021-08-09 14:03:04 +00:00
func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
assert.Len(t, remoteResources, 2)
assert.Len(t, resourcesFromState, 2)
},
},
{
2021-04-09 11:07:15 +00:00
"ignore default iam role policies when they're not managed by IaC",
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
Id: "AWSServiceRoleForSSO",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/aws-service-role/sso.amazonaws.com",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "OrganizationAccountAccessRole",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/not-aws-service-role/sso.amazonaws.com",
},
},
2021-08-09 14:03:04 +00:00
{
2021-05-07 15:47:53 +00:00
Id: "AWSServiceRoleForSSO",
Type: aws.AwsIamRolePolicyResourceType,
Attrs: &resource.Attributes{
"role": "AWSServiceRoleForSSO",
},
},
2021-08-09 14:03:04 +00:00
{
2021-05-07 15:47:53 +00:00
Id: "OrganizationAccountAccessRole",
Type: aws.AwsIamRolePolicyResourceType,
Attrs: &resource.Attributes{
"role": "OrganizationAccountAccessRole",
},
},
2021-08-09 14:03:04 +00:00
{
2021-05-21 14:09:45 +00:00
Id: "dummy-route",
Type: aws.AwsRouteResourceType,
Attrs: &resource.Attributes{
"route_table_id": "default-route-table",
"gateway_id": "local",
},
},
},
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
2021-05-21 14:09:45 +00:00
Id: "dummy-route",
Type: aws.AwsRouteResourceType,
Attrs: &resource.Attributes{
"route_table_id": "default-route-table",
"gateway_id": "local",
},
},
},
2021-08-09 14:03:04 +00:00
func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
assert.Len(t, remoteResources, 3)
for _, remoteResource := range remoteResources {
if remoteResource.TerraformId() == "AWSServiceRoleForSSO" &&
remoteResource.TerraformType() == aws.AwsIamRoleResourceType {
t.Fatal("AWSServiceRoleForSSO role should have been ignored")
}
if remoteResource.TerraformId() == "AWSServiceRoleForSSO" &&
remoteResource.TerraformType() == aws.AwsIamRolePolicyResourceType {
t.Fatal("AWSServiceRoleForSSO policy should have been ignored")
}
}
},
},
{
2021-04-09 11:07:15 +00:00
"ignore default iam role policies even when they're managed by IaC",
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
Id: "custom-role",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/not-aws-service-role/sso.amazonaws.com",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "OrganizationAccountAccessRole",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRoleResourceType,
Attrs: &resource.Attributes{
"path": "/aws-service-role/sso.amazonaws.com",
},
},
2021-08-09 14:03:04 +00:00
{
Id: "driftctl_assume_role:driftctl_policy.10",
2021-05-07 15:47:53 +00:00
Type: aws.AwsIamRolePolicyResourceType,
Attrs: &resource.Attributes{
"role": "custom-role",
},
},
2021-08-09 14:03:04 +00:00
{
2021-05-07 15:47:53 +00:00
Id: "OrganizationAccountAccessRole:AdministratorAccess",
Type: aws.AwsIamRolePolicyResourceType,
Attrs: &resource.Attributes{
"role": "OrganizationAccountAccessRole",
"name_prefix": nil,
},
},
},
2021-08-09 14:03:04 +00:00
[]*resource.Resource{
{
2021-05-07 15:47:53 +00:00
Id: "OrganizationAccountAccessRole:AdministratorAccess",
Type: aws.AwsIamRolePolicyResourceType,
Attrs: &resource.Attributes{
"role": "OrganizationAccountAccessRole",
"name_prefix": "tf-",
},
},
},
2021-08-09 14:03:04 +00:00
func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
assert.Len(t, remoteResources, 2)
for _, remoteResource := range remoteResources {
if remoteResource.TerraformId() == "OrganizationAccountAccessRole" &&
remoteResource.TerraformType() == aws.AwsIamRoleResourceType {
t.Fatal("OrganizationAccountAccessRole role should have been ignored")
}
if remoteResource.TerraformId() == "OrganizationAccountAccessRole:AdministratorAccess" &&
remoteResource.TerraformType() == aws.AwsIamRolePolicyResourceType {
t.Fatal("OrganizationAccountAccessRole:AdministratorAccess policy should have been ignored")
}
}
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
2021-04-09 11:07:15 +00:00
m := &AwsDefaults{}
err := m.Execute(&tt.remoteResources, &tt.resourcesFromState)
if err != nil {
t.Fatal(err)
}
2021-08-09 14:03:04 +00:00
tt.assert(t, tt.remoteResources, tt.resourcesFromState)
})
}
}