Warn on unmanaged security group rules

2021-02-15 15:49:20 +01:00 · 2021-02-15 15:49:20 +01:00 · b9150d5d2d
parent 8e72b0fc7a
commit b9150d5d2d
3 changed files with 69 additions and 0 deletions
--- a/doc/LIMITATIONS.md
+++ b/doc/LIMITATIONS.md
@ -11,3 +11,10 @@
 - Terraform version >= 0.12 is supported
 - Terraform AWS provider version >= 3.x is supported

+## Terraform Resources
+
+### AWS
+
+- aws_security_group and aws_security_group_rule:
+
+For security group that has in-line egress or ingress rules, driftctl will output an alert message at the end of the scan to warn you that those rules are falsely unmanaged. The explanation is that we can't distinct, based only on the Terraform state, rules created in the console and rules created in-line in either egress or ingress blocks.
--- a/pkg/analyser/analyzer.go
+++ b/pkg/analyser/analyzer.go
@ -4,6 +4,8 @@ import (
 	"reflect"
 	"sort"

+	resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
+
 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
 	"github.com/r3labs/diff/v2"
@ -77,6 +79,13 @@ func (a Analyzer) Analyze(remoteResources, resourcesFromState []resource.Resourc
 		}
 	}

+	if a.hasUnmanagedSecurityGroupRules(filteredRemoteResource) {
+		a.alerter.SendAlert("",
+			alerter.Alert{
+				Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+			})
+	}
+
 	if haveComputedDiff {
 		a.alerter.SendAlert("",
 			alerter.Alert{
@ -148,3 +157,14 @@ func (a Analyzer) hasNestedFields(t reflect.Type) bool {
 		return t.Kind() == reflect.Struct
 	}
 }
+
+// hasUnmanagedSecurityGroupRules returns true if we find at least one unmanaged
+// security group rule
+func (a Analyzer) hasUnmanagedSecurityGroupRules(unmanagedResources []resource.Resource) bool {
+	for _, res := range unmanagedResources {
+		if res.TerraformType() == resourceaws.AwsSecurityGroupRuleResourceType {
+			return true
+		}
+	}
+	return false
+}
--- a/pkg/analyser/analyzer_test.go
+++ b/pkg/analyser/analyzer_test.go
@ -15,6 +15,7 @@ import (

 	"github.com/cloudskiff/driftctl/pkg/alerter"
 	"github.com/cloudskiff/driftctl/pkg/resource"
+	"github.com/cloudskiff/driftctl/pkg/resource/aws"

 	"github.com/r3labs/diff/v2"

@ -882,6 +883,47 @@ func TestAnalyze(t *testing.T) {
 			},
 			hasDrifted: true,
 		},
+		{
+			name: "Test alert on unmanaged security group rules",
+			iac: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+			},
+			cloud: []resource.Resource{
+				&aws.AwsSecurityGroup{
+					Id: "managed security group",
+				},
+				&aws.AwsSecurityGroupRule{
+					Id: "unmanaged rule",
+				},
+			},
+			expected: Analysis{
+				managed: []resource.Resource{
+					&aws.AwsSecurityGroup{
+						Id: "managed security group",
+					},
+				},
+				unmanaged: []resource.Resource{
+					&aws.AwsSecurityGroupRule{
+						Id: "unmanaged rule",
+					},
+				},
+				summary: Summary{
+					TotalResources: 2,
+					TotalManaged:   1,
+					TotalUnmanaged: 1,
+				},
+				alerts: alerter.Alerts{
+					"": {
+						{
+							Message: "You have unmanaged security group rules that could be false positives, find out more at https://github.com/cloudskiff/driftctl/blob/main/doc/LIMITATIONS.md#terraform-resources",
+						},
+					},
+				},
+			},
+			hasDrifted: true,
+		},
 	}

 	for _, c := range cases {