fix: Fix middleware to avoid false positive unmanaged

2022-04-08 10:29:09 +02:00 · 2022-04-08 10:29:09 +02:00 · 582ffa36e3
parent e600615a0a
commit 582ffa36e3
3 changed files with 41 additions and 36 deletions
--- a/pkg/middlewares/aws_s3_bucket_public_access_block_reconcilier.go
+++ b/pkg/middlewares/aws_s3_bucket_public_access_block_reconcilier.go
@ -28,8 +28,8 @@ import (
 // - Run the scan again
 //   - We still have the public block as unmanaged, this is NOT expected since all values are back to default
 //
-// This simple middleware is handling that edge case by removing resource that have every attribute set to false both
-// from resources from state and resources from remote.
+// This simple middleware is handling that edge case by removing resource that have every attribute set to false from remote.
+// We do not remove it when a resource is found in IaC
 type AwsS3BucketPublicAccessBlockReconciler struct{}

 func NewAwsS3BucketPublicAccessBlockReconciler() *AwsS3BucketPublicAccessBlockReconciler {
@ -40,35 +40,35 @@ func (r AwsS3BucketPublicAccessBlockReconciler) Execute(remoteResources, resourc

 	newRemoteResources := make([]*resource.Resource, 0)
 	for _, res := range *remoteResources {
-		// Only keep non-default public access blocks
-		if r.isDefaultPublicAccessBlock(res) {
+
+		// Skip every resource that is not a bucket public access block
+		if res.ResourceType() != aws.AwsS3BucketPublicAccessBlockResourceType {
+			newRemoteResources = append(newRemoteResources, res)
+			continue
+		}
+
+		isDefinedInIac := false
+		for _, iacRes := range *resourcesFromState {
+			if res.Equal(iacRes) {
+				isDefinedInIac = true
+				break
+			}
+		}
+
+		// Ignore unmanaged default public access blocks
+		if r.isDefaultPublicAccessBlock(res) && !isDefinedInIac {
 			logrus.WithField("id", res.ResourceId()).Debug("Ignored default aws_s3_bucket_public_access_block from remote")
 			continue
 		}
+
 		newRemoteResources = append(newRemoteResources, res)
 	}
 	*remoteResources = newRemoteResources

-	newResourcesFromState := make([]*resource.Resource, 0)
-	for _, res := range *resourcesFromState {
-		// Only keep non-default public access blocks
-		if r.isDefaultPublicAccessBlock(res) {
-			logrus.WithField("id", res.ResourceId()).Debug("Ignored default aws_s3_bucket_public_access_block from state")
-			continue
-		}
-		newResourcesFromState = append(newResourcesFromState, res)
-	}
-	*resourcesFromState = newResourcesFromState
-
 	return nil
 }

 func (r AwsS3BucketPublicAccessBlockReconciler) isDefaultPublicAccessBlock(res *resource.Resource) bool {
-
-	if res.ResourceType() != aws.AwsS3BucketPublicAccessBlockResourceType {
-		return false
-	}
-
 	if !awssdk.BoolValue(res.Attributes().GetBool("block_public_acls")) &&
 		!awssdk.BoolValue(res.Attributes().GetBool("block_public_policy")) &&
 		!awssdk.BoolValue(res.Attributes().GetBool("ignore_public_acls")) &&
--- a/pkg/middlewares/aws_s3_bucket_public_access_block_reconcilier_test.go
+++ b/pkg/middlewares/aws_s3_bucket_public_access_block_reconcilier_test.go
@ -116,28 +116,33 @@ func TestAwsS3BucketPublicAccessBlockReconciler(t *testing.T) {
 						"block_public_acls": false,
 					},
 				},
-			},
-			resourcesFromState: []*resource.Resource{
 				{
-					Id:   "should_be_skipped_because_default",
-					Type: aws.AwsS3BucketPublicAccessBlockResourceType,
-					Attrs: &resource.Attributes{
-						"block_public_acls":       false,
-						"block_public_policy":     false,
-						"ignore_public_acls":      false,
-						"restrict_public_buckets": false,
-					},
-				},
-				{
-					Id:   "should_be_skipped_because_nil_values",
+					Id:   "should_not_be_skipped_because_exist_in_iac",
 					Type: aws.AwsS3BucketPublicAccessBlockResourceType,
 					Attrs: &resource.Attributes{
 						"block_public_acls": false,
 					},
 				},
 			},
-			expected: []*resource.Resource{},
-			wantErr:  nil,
+			resourcesFromState: []*resource.Resource{
+				{
+					Id:   "should_not_be_skipped_because_exist_in_iac",
+					Type: aws.AwsS3BucketPublicAccessBlockResourceType,
+					Attrs: &resource.Attributes{
+						"block_public_acls": false,
+					},
+				},
+			},
+			expected: []*resource.Resource{
+				{
+					Id:   "should_not_be_skipped_because_exist_in_iac",
+					Type: aws.AwsS3BucketPublicAccessBlockResourceType,
+					Attrs: &resource.Attributes{
+						"block_public_acls": false,
+					},
+				},
+			},
+			wantErr: nil,
 		},
 	}

--- a/pkg/resource/aws/aws_s3_bucket_public_access_block_test.go
+++ b/pkg/resource/aws/aws_s3_bucket_public_access_block_test.go
@ -22,7 +22,7 @@ func TestAcc_Aws_S3Bucket_PublicAccessBlock(t *testing.T) {
 						t.Fatal(err)
 					}
 					result.AssertInfrastructureIsInSync()
-					result.AssertManagedCount(3)
+					result.AssertManagedCount(4)
 				},
 			},
 		},