Merge pull request #574 from cloudskiff/fix/db_iam_sg_false_positive

Fix db iam sg false positive
2021-06-02 14:38:35 +02:00 · 2021-06-02 14:38:35 +02:00 · 26ad2e4261
parent 7bcbe0bf93 cfaddfaa08
commit 26ad2e4261
10 changed files with 367 additions and 189 deletions
--- a/pkg/resource/aws/aws_db_instance.go
+++ b/pkg/resource/aws/aws_db_instance.go
@ -18,5 +18,6 @@ func initAwsDbInstanceMetaData(resourceSchemaRepository resource.SchemaRepositor
 		val.SafeDelete([]string{"snapshot_identifier"})
 		val.SafeDelete([]string{"allow_major_version_upgrade"})
 		val.SafeDelete([]string{"apply_immediately"})
+		val.DeleteIfDefault("CharacterSetName")
 	})
 }
--- a/pkg/resource/aws/aws_iam_access_key.go
+++ b/pkg/resource/aws/aws_iam_access_key.go
@ -14,6 +14,9 @@ func initAwsIAMAccessKeyMetaData(resourceSchemaRepository resource.SchemaReposit
 		// We can't detect drift if we cannot retrieve latest value from aws API for fields like secrets, passwords etc ...
 		val.SafeDelete([]string{"secret"})
 		val.SafeDelete([]string{"ses_smtp_password_v4"})
+		val.SafeDelete([]string{"encrypted_secret"})
+		val.SafeDelete([]string{"key_fingerprint"})
+		val.SafeDelete([]string{"pgp_key"})
 	})
 	resourceSchemaRepository.SetHumanReadableAttributesFunc(AwsIamAccessKeyResourceType, func(res *resource.AbstractResource) map[string]string {
 		val := res.Attrs
--- a/pkg/resource/aws/aws_iam_access_key_test.go
+++ b/pkg/resource/aws/aws_iam_access_key_test.go
@ -21,9 +21,8 @@ func TestAcc_Aws_IamAccessKey(t *testing.T) {
 					if err != nil {
 						t.Fatal(err)
 					}
-					result.AssertDriftCountTotal(0)
-					result.AssertDeletedCount(0)
-					result.AssertManagedCount(1)
+					result.AssertInfrastructureIsInSync()
+					result.AssertManagedCount(2)
 				},
 			},
 		},
--- a/pkg/resource/aws/aws_security_group_rule_test.go
+++ b/pkg/resource/aws/aws_security_group_rule_test.go
@ -0,0 +1,32 @@
+package aws_test
+
+import (
+	"testing"
+
+	"github.com/cloudskiff/driftctl/test"
+	"github.com/cloudskiff/driftctl/test/acceptance"
+)
+
+func TestAcc_Aws_SecurityGroupRule(t *testing.T) {
+	acceptance.Run(t, acceptance.AccTestCase{
+		TerraformVersion: "0.14.9",
+		Paths:            []string{"./testdata/acc/aws_security_group_rule"},
+		Args:             []string{"scan", "--filter", "Type=='aws_security_group_rule'"},
+		Checks: []acceptance.AccCheck{
+			{
+				Env: map[string]string{
+					"AWS_REGION": "us-east-1",
+				},
+				Check: func(result *test.ScanResult, stdout string, err error) {
+					if err != nil {
+						t.Fatal(err)
+					}
+					result.AssertManagedCount(21)
+					result.AssertDeletedCount(2)
+					result.AssertUnmanagedCount(5)
+					result.AssertDriftCountTotal(0)
+				},
+			},
+		},
+	})
+}
--- a/pkg/resource/aws/aws_security_group_test.go
+++ b/pkg/resource/aws/aws_security_group_test.go
@ -11,7 +11,7 @@ func TestAcc_AwsSecurityGroup(t *testing.T) {
 	acceptance.Run(t, acceptance.AccTestCase{
 		TerraformVersion: "0.14.9",
 		Paths:            []string{"./testdata/acc/aws_security_group"},
-		Args:             []string{"scan", "--filter", "Type=='aws_security_group' || Type=='aws_default_security_group' || Type=='aws_security_group_rule'"},
+		Args:             []string{"scan", "--filter", "Type=='aws_security_group' || Type=='aws_default_security_group'"},
 		Checks: []acceptance.AccCheck{
 			{
 				Env: map[string]string{
@ -21,10 +21,8 @@ func TestAcc_AwsSecurityGroup(t *testing.T) {
 					if err != nil {
 						t.Fatal(err)
 					}
-					result.AssertManagedCount(31)
-					result.AssertDeletedCount(2)
-					result.AssertUnmanagedCount(5)
-					result.AssertDriftCountTotal(0)
+					result.AssertInfrastructureIsInSync()
+					result.AssertManagedCount(10)
 				},
 			},
 		},
--- a/pkg/resource/aws/testdata/acc/aws_iam_access_key/terraform.tf
+++ b/pkg/resource/aws/testdata/acc/aws_iam_access_key/terraform.tf
@ -16,3 +16,13 @@ resource "aws_iam_user" "testuser_access_key" {
 resource "aws_iam_access_key" "accesskey" {
    user = aws_iam_user.testuser_access_key.name
 }
+
+resource "aws_iam_access_key" "ak" {
+    user    = aws_iam_user.test.name
+    pgp_key = "keybase:test"
+}
+
+resource "aws_iam_user" "test" {
+    name = "test"
+    path = "/test/"
+}
--- a/pkg/resource/aws/testdata/acc/aws_security_group/.terraform.lock.hcl
+++ b/pkg/resource/aws/testdata/acc/aws_security_group/.terraform.lock.hcl
--- a/pkg/resource/aws/testdata/acc/aws_security_group/terraform.tf
+++ b/pkg/resource/aws/testdata/acc/aws_security_group/terraform.tf
@ -12,11 +12,6 @@ resource "aws_vpc" "vpc" {
  cidr_block = "10.0.0.0/16"
 }

-resource "aws_vpc_endpoint" "s3" {
-    vpc_id       = aws_vpc.vpc.id
-    service_name = "com.amazonaws.us-east-1.s3"
-}
-
 resource "aws_default_security_group" "default" {
  vpc_id = aws_vpc.vpc.id

@ -72,26 +67,6 @@ resource "aws_security_group" "sg-bis-tutu" {
    }
 }

-resource "aws_security_group_rule" "tutu-egress" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    type              = "egress"
-    description       = "Bar Full Open"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "tcp"
-    security_group_id = aws_security_group.sg-bis-tutu.id
-}
-
-resource "aws_security_group_rule" "bla-ingress" {
-    type             = "ingress"
-    description      = "Bla 1"
-    from_port        = 0
-    to_port          = 0
-    protocol         = "-1"
-    ipv6_cidr_blocks = ["::/0"]
-    security_group_id = aws_security_group.sg-bis-tutu.id
-}
-
 resource "aws_security_group" "sg-bis-titi" {
    name = "titi"

@ -100,43 +75,6 @@ resource "aws_security_group" "sg-bis-titi" {
    }
 }

-resource "aws_security_group_rule" "test-ingress-custom-icmp" {
-    type              = "ingress"
-    protocol          = "1"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-titi.id
-    from_port         = 8
-    to_port           = -1
-}
-
-resource "aws_security_group_rule" "test-ingress-custom-all" {
-    type              = "egress"
-    protocol          = "all"
-    ipv6_cidr_blocks  = ["::/0"]
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-titi.id
-    from_port         = 123
-    to_port           = 42
-}
-
-resource "aws_security_group_rule" "test-ingress-custom-tcp" {
-    type              = "ingress"
-    protocol          = "6"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-titi.id
-    from_port         = 6
-    to_port           = 42
-}
-
-resource "aws_security_group_rule" "test-ingress-custom-udp" {
-    type              = "ingress"
-    protocol          = "17"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-titi.id
-    from_port         = 6
-    to_port           = 42
-}
-
 resource "aws_security_group" "sg-bis-4" {
    name = "tata"

@ -145,33 +83,6 @@ resource "aws_security_group" "sg-bis-4" {
    }
 }

-resource "aws_security_group_rule" "test-ingress-icmp" {
-    type              = "ingress"
-    protocol          = "icmp"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-4.id
-    from_port         = 8
-    to_port           = -1
-}
-
-resource "aws_security_group_rule" "test-ingress-icmpv6" {
-    type              = "ingress"
-    protocol          = "icmpv6"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-4.id
-    from_port         = -1
-    to_port           = -1
-}
-
-resource "aws_security_group_rule" "test-ingress-bgp" {
-    type              = "ingress"
-    protocol          = "3"
-    cidr_blocks       = ["0.0.0.0/0"]
-    security_group_id = aws_security_group.sg-bis-4.id
-    from_port         = 10
-    to_port           = 55
-}
-
 resource "aws_security_group" "sg-bis-third" {
    name = "baz"

@ -180,17 +91,6 @@ resource "aws_security_group" "sg-bis-third" {
    }
 }

-resource "aws_security_group_rule" "baz-egress" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    ipv6_cidr_blocks  = ["::/0"]
-    type              = "egress"
-    description       = "Bar Full Open"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_group_id = aws_security_group.sg-bis-third.id
-}
-
 resource "aws_security_group" "sg-bis" {
    name = "bar"

@ -206,27 +106,6 @@ resource "aws_security_group" "sg-bis" {
    }
 }

-resource "aws_security_group_rule" "bar-egress" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    ipv6_cidr_blocks  = ["::/0"]
-    type              = "egress"
-    description       = "Bar Full Open"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_group_id = aws_security_group.sg-bis.id
-}
-
-resource "aws_security_group_rule" "bar-egress-stream" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    type              = "egress"
-    description       = "Stream"
-    from_port         = 10
-    to_port           = 55
-    protocol          = "5"
-    security_group_id = aws_security_group.sg-bis.id
-}
-
 resource "aws_security_group" "test-sg" {
    name = "foo"

@ -234,63 +113,3 @@ resource "aws_security_group" "test-sg" {
        Name = "Foo SG"
    }
 }
-
-resource "aws_security_group_rule" "test-ingress-rule" {
-    type              = "ingress"
-    from_port         = 0
-    to_port           = 65535
-    protocol          = "tcp"
-    security_group_id = aws_security_group.test-sg.id
-    self              = true
-    description       = "Test 1"
-}
-
-resource "aws_security_group_rule" "test-ingress-rule-bis" {
-    type              = "ingress"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "icmp"
-    security_group_id = aws_security_group.test-sg.id
-    self              = true
-}
-
-resource "aws_security_group_rule" "ingress" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    type              = "ingress"
-    description       = "Foo 1"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_group_id = aws_security_group.test-sg.id
-}
-
-resource "aws_security_group_rule" "foo" {
-    cidr_blocks       = ["1.2.0.0/16", "5.6.7.0/24"]
-    type              = "ingress"
-    description       = "Foo 5"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_group_id = aws_security_group.test-sg.id
-}
-
-resource "aws_security_group_rule" "baz-ingress" {
-    type              = "ingress"
-    description       = "Baz 2"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "tcp"
-    security_group_id = aws_security_group.test-sg.id
-    prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
-}
-
-resource "aws_security_group_rule" "egress" {
-    cidr_blocks       = ["0.0.0.0/0"]
-    ipv6_cidr_blocks  = ["::/0"]
-    type              = "egress"
-    description       = "Bar 1"
-    from_port         = 0
-    to_port           = 0
-    protocol          = "-1"
-    security_group_id = aws_security_group.test-sg.id
-}
--- a/pkg/resource/aws/testdata/acc/aws_security_group_rule/.terraform.lock.hcl
+++ b/pkg/resource/aws/testdata/acc/aws_security_group_rule/.terraform.lock.hcl
@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.19.0"
+  constraints = "3.19.0"
+  hashes = [
+    "h1:xur9tF49NgsovNnmwmBR8RdpN8Fcg1TD4CKQPJD6n1A=",
+    "zh:185a5259153eb9ee4699d4be43b3d509386b473683392034319beee97d470c3b",
+    "zh:2d9a0a01f93e8d16539d835c02b8b6e1927b7685f4076e96cb07f7dd6944bc6c",
+    "zh:703f6da36b1b5f3497baa38fccaa7765fb8a2b6440344e4c97172516b49437dd",
+    "zh:770855565462abadbbddd98cb357d2f1a8f30f68a358cb37cbd5c072cb15b377",
+    "zh:8008db43149fe4345301f81e15e6d9ddb47aa5e7a31648f9b290af96ad86e92a",
+    "zh:8cdd27d375da6dcb7687f1fed126b7c04efce1671066802ee876dbbc9c66ec79",
+    "zh:be22ae185005690d1a017c1b909e0d80ab567e239b4f06ecacdba85080667c1c",
+    "zh:d2d02e72dbd80f607636cd6237a6c862897caabc635c7b50c0cb243d11246723",
+    "zh:d8f125b66a1eda2555c0f9bbdf12036a5f8d073499a22ca9e4812b68067fea31",
+    "zh:f5a98024c64d5d2973ff15b093725a074c0cb4afde07ef32c542e69f17ac90bc",
+  ]
+}
--- a/pkg/resource/aws/testdata/acc/aws_security_group_rule/terraform.tf
+++ b/pkg/resource/aws/testdata/acc/aws_security_group_rule/terraform.tf
@ -0,0 +1,296 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+  required_providers {
+    aws = "3.19.0"
+  }
+}
+
+resource "aws_vpc" "vpc" {
+  cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_vpc_endpoint" "s3" {
+    vpc_id       = aws_vpc.vpc.id
+    service_name = "com.amazonaws.us-east-1.s3"
+}
+
+resource "aws_default_security_group" "default" {
+  vpc_id = aws_vpc.vpc.id
+
+  tags = {
+    Name = "Default SG"
+  }
+}
+
+resource "aws_security_group" "best-security-group-ever" {
+    name = "best-security-group-ever"
+
+    egress {
+        from_port   = 0
+        to_port     = 0
+        protocol    = "-1"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+
+    tags = {
+        Name = "This is the best"
+    }
+}
+
+resource "aws_security_group" "infra" {
+    name        = "infra"
+    description = "infra SSH"
+
+    egress {
+        from_port   = 0
+        to_port     = 0
+        protocol    = "-1"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+
+    tags = {
+        Name = "infra"
+    }
+}
+
+resource "aws_security_group" "sg-bis-tutu-twice" {
+    name = "tutu-twice"
+
+    tags = {
+        Name = "Tutu TWICE SG"
+    }
+}
+
+resource "aws_security_group" "sg-bis-tutu" {
+    name = "tutu"
+
+    tags = {
+        Name = "Tutu SG"
+    }
+}
+
+resource "aws_security_group_rule" "tutu-egress" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    type              = "egress"
+    description       = "Bar Full Open"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "tcp"
+    security_group_id = aws_security_group.sg-bis-tutu.id
+}
+
+resource "aws_security_group_rule" "bla-ingress" {
+    type             = "ingress"
+    description      = "Bla 1"
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    ipv6_cidr_blocks = ["::/0"]
+    security_group_id = aws_security_group.sg-bis-tutu.id
+}
+
+resource "aws_security_group" "sg-bis-titi" {
+    name = "titi"
+
+    tags = {
+        Name = "Titi SG"
+    }
+}
+
+resource "aws_security_group_rule" "test-ingress-custom-icmp" {
+    type              = "ingress"
+    protocol          = "1"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-titi.id
+    from_port         = 8
+    to_port           = -1
+}
+
+resource "aws_security_group_rule" "test-ingress-custom-all" {
+    type              = "egress"
+    protocol          = "all"
+    ipv6_cidr_blocks  = ["::/0"]
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-titi.id
+    from_port         = 123
+    to_port           = 42
+}
+
+resource "aws_security_group_rule" "test-ingress-custom-tcp" {
+    type              = "ingress"
+    protocol          = "6"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-titi.id
+    from_port         = 6
+    to_port           = 42
+}
+
+resource "aws_security_group_rule" "test-ingress-custom-udp" {
+    type              = "ingress"
+    protocol          = "17"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-titi.id
+    from_port         = 6
+    to_port           = 42
+}
+
+resource "aws_security_group" "sg-bis-4" {
+    name = "tata"
+
+    tags = {
+        Name = "TATA SG"
+    }
+}
+
+resource "aws_security_group_rule" "test-ingress-icmp" {
+    type              = "ingress"
+    protocol          = "icmp"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-4.id
+    from_port         = 8
+    to_port           = -1
+}
+
+resource "aws_security_group_rule" "test-ingress-icmpv6" {
+    type              = "ingress"
+    protocol          = "icmpv6"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-4.id
+    from_port         = -1
+    to_port           = -1
+}
+
+resource "aws_security_group_rule" "test-ingress-bgp" {
+    type              = "ingress"
+    protocol          = "3"
+    cidr_blocks       = ["0.0.0.0/0"]
+    security_group_id = aws_security_group.sg-bis-4.id
+    from_port         = 10
+    to_port           = 55
+}
+
+resource "aws_security_group" "sg-bis-third" {
+    name = "baz"
+
+    tags = {
+        Name = "Baz SG"
+    }
+}
+
+resource "aws_security_group_rule" "baz-egress" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    ipv6_cidr_blocks  = ["::/0"]
+    type              = "egress"
+    description       = "Bar Full Open"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    security_group_id = aws_security_group.sg-bis-third.id
+}
+
+resource "aws_security_group" "sg-bis" {
+    name = "bar"
+
+    ingress {
+        description = "TLS from VPC"
+        from_port   = 443
+        to_port     = 443
+        protocol    = "tcp"
+        cidr_blocks = ["0.0.0.0/0"]
+    }
+    tags = {
+        Name = "Bar SG"
+    }
+}
+
+resource "aws_security_group_rule" "bar-egress" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    ipv6_cidr_blocks  = ["::/0"]
+    type              = "egress"
+    description       = "Bar Full Open"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    security_group_id = aws_security_group.sg-bis.id
+}
+
+resource "aws_security_group_rule" "bar-egress-stream" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    type              = "egress"
+    description       = "Stream"
+    from_port         = 10
+    to_port           = 55
+    protocol          = "5"
+    security_group_id = aws_security_group.sg-bis.id
+}
+
+resource "aws_security_group" "test-sg" {
+    name = "foo"
+
+    tags = {
+        Name = "Foo SG"
+    }
+}
+
+resource "aws_security_group_rule" "test-ingress-rule" {
+    type              = "ingress"
+    from_port         = 0
+    to_port           = 65535
+    protocol          = "tcp"
+    security_group_id = aws_security_group.test-sg.id
+    self              = true
+    description       = "Test 1"
+}
+
+resource "aws_security_group_rule" "test-ingress-rule-bis" {
+    type              = "ingress"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "icmp"
+    security_group_id = aws_security_group.test-sg.id
+    self              = true
+}
+
+resource "aws_security_group_rule" "ingress" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    type              = "ingress"
+    description       = "Foo 1"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    security_group_id = aws_security_group.test-sg.id
+}
+
+resource "aws_security_group_rule" "foo" {
+    cidr_blocks       = ["1.2.0.0/16", "5.6.7.0/24"]
+    type              = "ingress"
+    description       = "Foo 5"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    security_group_id = aws_security_group.test-sg.id
+}
+
+resource "aws_security_group_rule" "baz-ingress" {
+    type              = "ingress"
+    description       = "Baz 2"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "tcp"
+    security_group_id = aws_security_group.test-sg.id
+    prefix_list_ids   = [aws_vpc_endpoint.s3.prefix_list_id]
+}
+
+resource "aws_security_group_rule" "egress" {
+    cidr_blocks       = ["0.0.0.0/0"]
+    ipv6_cidr_blocks  = ["::/0"]
+    type              = "egress"
+    description       = "Bar 1"
+    from_port         = 0
+    to_port           = 0
+    protocol          = "-1"
+    security_group_id = aws_security_group.test-sg.id
+}