Merge branch 'main' into parallel_acc_tests

2021-02-15 17:35:28 +01:00 · 2021-02-15 17:35:28 +01:00 · 9674b09d5f
parent 15cd8802a9 4bb6e7403f
commit 9674b09d5f
5 changed files with 81 additions and 18 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -137,15 +137,6 @@ jobs:
          name: "Update Lambda version"
          command: |
            aws lambda update-function-configuration --function-name $FUNCTION_NAME --environment "{\"Variables\":{\"LATEST_VERSION\":\"$CIRCLE_TAG\"}}"
-  bump-homebrew-core:
-    macos:
-      xcode: 12.3.0
-    steps:
-      - run:
-          name: "Bump driftctl formula"
-          command: |
-            brew install-bundler-gems -d -v
-            brew bump-formula-pr driftctl --url https://github.com/cloudskiff/driftctl/archive/$CIRCLE_TAG.tar.gz -d -v
 workflows:
  nightly:
    jobs:
@ -232,12 +223,3 @@ workflows:
              only: /^v.*/
            branches:
              ignore: /.*/
-      - bump-homebrew-core:
-          context: driftctl-homebrew
-          requires:
-            - release
-          filters:
-            tags:
-              only: /^v.*/
-            branches:
-              ignore: /.*/
--- a/.github/workflows/homebrew.yml
+++ b/.github/workflows/homebrew.yml
@ -0,0 +1,12 @@
+name: Homebrew Bump Formula
+on:
+  release:
+    types: [published]
+jobs:
+  homebrew:
+    runs-on: macos-latest
+    steps:
+      - uses: dawidd6/action-homebrew-bump-formula@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          formula: driftctl
--- a/doc/LIMITATIONS.md
+++ b/doc/LIMITATIONS.md
@ -11,3 +11,10 @@
 - Terraform version >= 0.12 is supported
 - Terraform AWS provider version >= 3.x is supported

+## Terraform Resources
+
+### AWS
+
+- aws_security_group and aws_security_group_rule:
+
+For security group that has in-line egress or ingress rules, driftctl will output an alert message at the end of the scan to warn you that those rules are falsely unmanaged. The explanation is that we can't distinct, based only on the Terraform state, rules created in the console and rules created in-line in either egress or ingress blocks.
--- a/pkg/analyser/analyzer.go
+++ b/pkg/analyser/analyzer.go
@ -4,6 +4,8 @@ import (
 	"reflect"
 	"sort"

+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/r3labs/diff/v2"
@ -77,6 +79,13 @@ func (a Analyzer) Analyze(remoteResources, resourcesFromState []resource.Resourc
 		}
 	}

+	if a.hasUnmanagedSecurityGroupRules(filteredRemoteResource) {
+		a.alerter.SendAlert("",
+			alerter.Alert{
+				Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+			})
+	}
+
 	if haveComputedDiff {
 		a.alerter.SendAlert("",
 			alerter.Alert{
@ -148,3 +157,14 @@ func (a Analyzer) hasNestedFields(t reflect.Type) bool {
 		return t.Kind() == reflect.Struct
 	}
 }
+
+// hasUnmanagedSecurityGroupRules returns true if we find at least one unmanaged
+// security group rule
+func (a Analyzer) hasUnmanagedSecurityGroupRules(unmanagedResources []resource.Resource) bool {
+	for _, res := range unmanagedResources {
+		if res.TerraformType() == resourceaws.AwsSecurityGroupRuleResourceType {
+			return true
+		}
+	}
+	return false
+}
--- a/pkg/analyser/analyzer_test.go
+++ b/pkg/analyser/analyzer_test.go
@ -15,6 +15,7 @@ import (

 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"

 	"github.com/r3labs/diff/v2"

@ -882,6 +883,47 @@ func TestAnalyze(t *testing.T) {
 			},
 			hasDrifted: true,
 		},
+		{
+			name: "Test alert on unmanaged security group rules",
+			iac: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+			},
+			cloud: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+				&aws.AwsSecurityGroupRule{
+					Id: "unmanaged rule",
+				},
+			},
+			expected: Analysis{
+				managed: []resource.Resource{
+					&aws.AwsSecurityGroup{
+						Id: "managed security group",
+					},
+				},
+				unmanaged: []resource.Resource{
+					&aws.AwsSecurityGroupRule{
+						Id: "unmanaged rule",
+					},
+				},
+				summary: Summary{
+					TotalResources: 2,
+					TotalManaged:   1,
+					TotalUnmanaged: 1,
+				},
+				alerts: alerter.Alerts{
+					"": {
+						{
+							Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+						},
+					},
+				},
+			},
+			hasDrifted: true,
+		},
 	}

 	for _, c := range cases {