driftctl/enumeration/remote/aws_ec2_scanner_test.go

2908 lines
101 KiB
Go

package remote
import (
"testing"
"github.com/snyk/driftctl/enumeration"
"github.com/snyk/driftctl/enumeration/remote/alerts"
aws2 "github.com/snyk/driftctl/enumeration/remote/aws"
"github.com/snyk/driftctl/enumeration/remote/aws/repository"
"github.com/snyk/driftctl/enumeration/remote/cache"
common2 "github.com/snyk/driftctl/enumeration/remote/common"
remoteerr "github.com/snyk/driftctl/enumeration/remote/error"
terraform3 "github.com/snyk/driftctl/enumeration/terraform"
awssdk "github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/pkg/errors"
"github.com/snyk/driftctl/enumeration/resource"
resourceaws "github.com/snyk/driftctl/enumeration/resource/aws"
"github.com/snyk/driftctl/mocks"
"github.com/snyk/driftctl/test"
"github.com/snyk/driftctl/test/goldenfile"
testresource "github.com/snyk/driftctl/test/resource"
terraform2 "github.com/snyk/driftctl/test/terraform"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
)
func TestEC2EbsVolume(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no volumes",
dirName: "aws_ec2_ebs_volume_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllVolumes").Return([]*ec2.Volume{}, nil)
},
},
{
test: "multiple volumes",
dirName: "aws_ec2_ebs_volume_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllVolumes").Return([]*ec2.Volume{
{VolumeId: awssdk.String("vol-081c7272a57a09db1")},
{VolumeId: awssdk.String("vol-01ddc91d3d9d1318b")},
}, nil)
},
},
{
test: "cannot list volumes",
dirName: "aws_ec2_ebs_volume_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllVolumes").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsEbsVolumeResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsEbsVolumeResourceType, resourceaws.AwsEbsVolumeResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2EbsVolumeEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsEbsVolumeResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsEbsVolumeResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsEbsVolumeResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2EbsSnapshot(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no snapshots",
dirName: "aws_ec2_ebs_snapshot_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSnapshots").Return([]*ec2.Snapshot{}, nil)
},
},
{
test: "multiple snapshots",
dirName: "aws_ec2_ebs_snapshot_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSnapshots").Return([]*ec2.Snapshot{
{SnapshotId: awssdk.String("snap-0c509a2a880d95a39")},
{SnapshotId: awssdk.String("snap-00672558cecd93a61")},
}, nil)
},
},
{
test: "cannot list snapshots",
dirName: "aws_ec2_ebs_snapshot_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllSnapshots").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsEbsSnapshotResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsEbsSnapshotResourceType, resourceaws.AwsEbsSnapshotResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2EbsSnapshotEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsEbsSnapshotResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsEbsSnapshotResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsEbsSnapshotResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2Eip(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no eips",
dirName: "aws_ec2_eip_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllAddresses").Return([]*ec2.Address{
{}, // Test Eip without AllocationId because it can happen (seen in sentry)
}, nil)
},
},
{
test: "multiple eips",
dirName: "aws_ec2_eip_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllAddresses").Return([]*ec2.Address{
{AllocationId: awssdk.String("eipalloc-017d5267e4dda73f1")},
{AllocationId: awssdk.String("eipalloc-0cf714dc097c992cc")},
}, nil)
},
},
{
test: "cannot list eips",
dirName: "aws_ec2_eip_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllAddresses").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsEipResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsEipResourceType, resourceaws.AwsEipResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2EipEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsEipResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsEipResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsEipResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2Ami(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no amis",
dirName: "aws_ec2_ami_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllImages").Return([]*ec2.Image{}, nil)
},
},
{
test: "multiple amis",
dirName: "aws_ec2_ami_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllImages").Return([]*ec2.Image{
{ImageId: awssdk.String("ami-03a578b46f4c3081b")},
{ImageId: awssdk.String("ami-025962fd8b456731f")},
}, nil)
},
},
{
test: "cannot list ami",
dirName: "aws_ec2_ami_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllImages").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsAmiResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsAmiResourceType, resourceaws.AwsAmiResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2AmiEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsAmiResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsAmiResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsAmiResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2KeyPair(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no key pairs",
dirName: "aws_ec2_key_pair_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllKeyPairs").Return([]*ec2.KeyPairInfo{}, nil)
},
},
{
test: "multiple key pairs",
dirName: "aws_ec2_key_pair_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllKeyPairs").Return([]*ec2.KeyPairInfo{
{KeyName: awssdk.String("test")},
{KeyName: awssdk.String("bar")},
}, nil)
},
},
{
test: "cannot list key pairs",
dirName: "aws_ec2_key_pair_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllKeyPairs").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsKeyPairResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsKeyPairResourceType, resourceaws.AwsKeyPairResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2KeyPairEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsKeyPairResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsKeyPairResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsKeyPairResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2EipAssociation(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no eip associations",
dirName: "aws_ec2_eip_association_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllAddressesAssociation").Return([]*ec2.Address{}, nil)
},
},
{
test: "single eip association",
dirName: "aws_ec2_eip_association_single",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllAddressesAssociation").Return([]*ec2.Address{
{
AssociationId: awssdk.String("eipassoc-0e9a7356e30f0c3d1"),
AllocationId: awssdk.String("eipalloc-017d5267e4dda73f1"),
},
}, nil)
},
},
{
test: "cannot list eip associations",
dirName: "aws_ec2_eip_association_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllAddressesAssociation").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsEipAssociationResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsEipAssociationResourceType, resourceaws.AwsEipAssociationResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2EipAssociationEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsEipAssociationResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsEipAssociationResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsEipAssociationResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2Instance(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no instances",
dirName: "aws_ec2_instance_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllInstances").Return([]*ec2.Instance{}, nil)
},
},
{
test: "multiple instances",
dirName: "aws_ec2_instance_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllInstances").Return([]*ec2.Instance{
{InstanceId: awssdk.String("i-0d3650a23f4e45dc0")},
{InstanceId: awssdk.String("i-010376047a71419f1")},
}, nil)
},
},
{
test: "terminated instances",
dirName: "aws_ec2_instance_terminated",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllInstances").Return([]*ec2.Instance{
{InstanceId: awssdk.String("i-0e1543baf4f2cd990")},
{InstanceId: awssdk.String("i-0a3a7ed51ae2b4fa0")}, // Nil
}, nil)
},
},
{
test: "cannot list instances",
dirName: "aws_ec2_instance_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllInstances").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsInstanceResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsInstanceResourceType, resourceaws.AwsInstanceResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2InstanceEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsInstanceResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsInstanceResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsInstanceResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2InternetGateway(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no internet gateways",
dirName: "aws_ec2_internet_gateway_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllInternetGateways").Return([]*ec2.InternetGateway{}, nil)
},
},
{
test: "multiple internet gateways",
dirName: "aws_ec2_internet_gateway_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllInternetGateways").Return([]*ec2.InternetGateway{
{InternetGatewayId: awssdk.String("igw-0184eb41aadc62d1c")},
{InternetGatewayId: awssdk.String("igw-047b487f5c60fca99")},
}, nil)
},
},
{
test: "cannot list internet gateways",
dirName: "aws_ec2_internet_gateway_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllInternetGateways").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsInternetGatewayResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsInternetGatewayResourceType, resourceaws.AwsInternetGatewayResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2InternetGatewayEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsInternetGatewayResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsInternetGatewayResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsInternetGatewayResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestVPC(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no VPC",
dirName: "aws_vpc_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllVPCs").Once().Return([]*ec2.Vpc{}, []*ec2.Vpc{}, nil)
},
wantErr: nil,
},
{
test: "VPC results",
dirName: "aws_vpc",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllVPCs").Once().Return([]*ec2.Vpc{
{
VpcId: awssdk.String("vpc-0768e1fd0029e3fc3"),
},
{
VpcId: awssdk.String("vpc-020b072316a95b97f"),
IsDefault: awssdk.Bool(false),
},
{
VpcId: awssdk.String("vpc-02c50896b59598761"),
IsDefault: awssdk.Bool(false),
},
}, []*ec2.Vpc{
{
VpcId: awssdk.String("vpc-a8c5d4c1"),
IsDefault: awssdk.Bool(false),
},
}, nil)
},
wantErr: nil,
},
{
test: "cannot list VPC",
dirName: "aws_vpc_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
client.On("ListAllVPCs").Once().Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsVpcResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsVpcResourceType, resourceaws.AwsVpcResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewVPCEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsVpcResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsVpcResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsVpcResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestDefaultVPC(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no VPC",
dirName: "aws_vpc_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllVPCs").Once().Return([]*ec2.Vpc{}, []*ec2.Vpc{}, nil)
},
wantErr: nil,
},
{
test: "default VPC results",
dirName: "aws_default_vpc",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllVPCs").Once().Return([]*ec2.Vpc{
{
VpcId: awssdk.String("vpc-0768e1fd0029e3fc3"),
IsDefault: awssdk.Bool(false),
},
{
VpcId: awssdk.String("vpc-020b072316a95b97f"),
IsDefault: awssdk.Bool(false),
},
}, []*ec2.Vpc{
{
VpcId: awssdk.String("vpc-a8c5d4c1"),
IsDefault: awssdk.Bool(true),
},
}, nil)
},
wantErr: nil,
},
{
test: "cannot list VPC",
dirName: "aws_vpc_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
client.On("ListAllVPCs").Once().Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsDefaultVpcResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsDefaultVpcResourceType, resourceaws.AwsDefaultVpcResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewDefaultVPCEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsDefaultVpcResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsDefaultVpcResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsDefaultVpcResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2RouteTableAssociation(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no route table associations (test for nil values)",
dirName: "aws_ec2_route_table_association_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{
{
RouteTableId: awssdk.String("assoc_with_nil"),
Associations: []*ec2.RouteTableAssociation{
{
AssociationState: nil,
GatewayId: nil,
Main: nil,
RouteTableAssociationId: nil,
RouteTableId: nil,
SubnetId: nil,
},
},
},
{RouteTableId: awssdk.String("nil_assoc")},
}, nil)
},
},
{
test: "multiple route table associations (mixed subnet and gateway associations)",
dirName: "aws_ec2_route_table_association_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{
{
RouteTableId: awssdk.String("rtb-05aa6c5673311a17b"), // route
Associations: []*ec2.RouteTableAssociation{
{ // Should be ignored
AssociationState: &ec2.RouteTableAssociationState{
State: awssdk.String("disassociated"),
},
GatewayId: awssdk.String("dummy-id"),
},
{ // Should be ignored
SubnetId: nil,
GatewayId: nil,
},
{ // assoc_route_subnet1
AssociationState: &ec2.RouteTableAssociationState{
State: awssdk.String("associated"),
},
Main: awssdk.Bool(false),
RouteTableAssociationId: awssdk.String("rtbassoc-0809598f92dbec03b"),
RouteTableId: awssdk.String("rtb-05aa6c5673311a17b"),
SubnetId: awssdk.String("subnet-05185af647b2eeda3"),
},
{ // assoc_route_subnet
AssociationState: &ec2.RouteTableAssociationState{
State: awssdk.String("associated"),
},
Main: awssdk.Bool(false),
RouteTableAssociationId: awssdk.String("rtbassoc-01957791b2cfe6ea4"),
RouteTableId: awssdk.String("rtb-05aa6c5673311a17b"),
SubnetId: awssdk.String("subnet-0e93dbfa2e5dd8282"),
},
{ // assoc_route_subnet2
AssociationState: &ec2.RouteTableAssociationState{
State: awssdk.String("associated"),
},
GatewayId: nil,
Main: awssdk.Bool(false),
RouteTableAssociationId: awssdk.String("rtbassoc-0b4f97ea57490e213"),
RouteTableId: awssdk.String("rtb-05aa6c5673311a17b"),
SubnetId: awssdk.String("subnet-0fd966efd884d0362"),
},
},
},
{
RouteTableId: awssdk.String("rtb-09df7cc9d16de9f8f"), // route2
Associations: []*ec2.RouteTableAssociation{
{ // assoc_route2_gateway
AssociationState: &ec2.RouteTableAssociationState{
State: awssdk.String("associated"),
},
RouteTableAssociationId: awssdk.String("rtbassoc-0a79ccacfceb4944b"),
RouteTableId: awssdk.String("rtb-09df7cc9d16de9f8f"),
GatewayId: awssdk.String("igw-0238f6e09185ac954"),
},
},
},
}, nil)
},
},
{
test: "cannot list route table associations",
dirName: "aws_ec2_route_table_association_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllRouteTables").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsRouteTableAssociationResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsRouteTableAssociationResourceType, resourceaws.AwsRouteTableResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2RouteTableAssociationEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsRouteTableAssociationResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsRouteTableAssociationResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, c.wantErr, err)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsRouteTableAssociationResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2Subnet(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no subnets",
dirName: "aws_ec2_subnet_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSubnets").Return([]*ec2.Subnet{}, []*ec2.Subnet{}, nil)
},
},
{
test: "multiple subnets",
dirName: "aws_ec2_subnet_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSubnets").Return([]*ec2.Subnet{
{
SubnetId: awssdk.String("subnet-05810d3f933925f6d"), // subnet1
DefaultForAz: awssdk.Bool(false),
},
{
SubnetId: awssdk.String("subnet-0b13f1e0eacf67424"), // subnet2
DefaultForAz: awssdk.Bool(false),
},
{
SubnetId: awssdk.String("subnet-0c9b78001fe186e22"), // subnet3
DefaultForAz: awssdk.Bool(false),
},
}, []*ec2.Subnet{
{
SubnetId: awssdk.String("subnet-44fe0c65"), // us-east-1a
DefaultForAz: awssdk.Bool(true),
},
{
SubnetId: awssdk.String("subnet-65e16628"), // us-east-1b
DefaultForAz: awssdk.Bool(true),
},
{
SubnetId: awssdk.String("subnet-afa656f0"), // us-east-1c
DefaultForAz: awssdk.Bool(true),
},
}, nil)
},
},
{
test: "cannot list subnets",
dirName: "aws_ec2_subnet_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllSubnets").Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsSubnetResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsSubnetResourceType, resourceaws.AwsSubnetResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2SubnetEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsSubnetResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsSubnetResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsSubnetResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2DefaultSubnet(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no default subnets",
dirName: "aws_ec2_default_subnet_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSubnets").Return([]*ec2.Subnet{}, []*ec2.Subnet{}, nil)
},
},
{
test: "multiple default subnets",
dirName: "aws_ec2_default_subnet_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllSubnets").Return([]*ec2.Subnet{
{
SubnetId: awssdk.String("subnet-05810d3f933925f6d"), // subnet1
DefaultForAz: awssdk.Bool(false),
},
{
SubnetId: awssdk.String("subnet-0b13f1e0eacf67424"), // subnet2
DefaultForAz: awssdk.Bool(false),
},
{
SubnetId: awssdk.String("subnet-0c9b78001fe186e22"), // subnet3
DefaultForAz: awssdk.Bool(false),
},
}, []*ec2.Subnet{
{
SubnetId: awssdk.String("subnet-44fe0c65"), // us-east-1a
DefaultForAz: awssdk.Bool(true),
},
{
SubnetId: awssdk.String("subnet-65e16628"), // us-east-1b
DefaultForAz: awssdk.Bool(true),
},
{
SubnetId: awssdk.String("subnet-afa656f0"), // us-east-1c
DefaultForAz: awssdk.Bool(true),
},
}, nil)
},
},
{
test: "cannot list default subnets",
dirName: "aws_ec2_default_subnet_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllSubnets").Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsDefaultSubnetResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsDefaultSubnetResourceType, resourceaws.AwsDefaultSubnetResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2DefaultSubnetEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsDefaultSubnetResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsDefaultSubnetResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsDefaultSubnetResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2RouteTable(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no route tables",
dirName: "aws_ec2_route_table_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{}, nil)
},
},
{
test: "multiple route tables",
dirName: "aws_ec2_route_table_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{
{RouteTableId: awssdk.String("rtb-08b7b71af15e183ce")}, // table1
{RouteTableId: awssdk.String("rtb-0002ac731f6fdea55")}, // table2
{RouteTableId: awssdk.String("rtb-0c55d55593f33fbac")}, // table3
{
RouteTableId: awssdk.String("rtb-0eabf071c709c0976"), // default_table
VpcId: awssdk.String("vpc-0b4a6b3536da20ecd"),
Associations: []*ec2.RouteTableAssociation{
{
Main: awssdk.Bool(true),
},
},
},
}, nil)
},
},
{
test: "cannot list route tables",
dirName: "aws_ec2_route_table_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllRouteTables").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsRouteTableResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsRouteTableResourceType, resourceaws.AwsRouteTableResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2RouteTableEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsRouteTableResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsRouteTableResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsRouteTableResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2DefaultRouteTable(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no default route tables",
dirName: "aws_ec2_default_route_table_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{}, nil)
},
},
{
test: "multiple default route tables",
dirName: "aws_ec2_default_route_table_single",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{
{RouteTableId: awssdk.String("rtb-08b7b71af15e183ce")}, // table1
{RouteTableId: awssdk.String("rtb-0002ac731f6fdea55")}, // table2
{RouteTableId: awssdk.String("rtb-0c55d55593f33fbac")}, // table3
{
RouteTableId: awssdk.String("rtb-0eabf071c709c0976"), // default_table
VpcId: awssdk.String("vpc-0b4a6b3536da20ecd"),
Associations: []*ec2.RouteTableAssociation{
{
Main: awssdk.Bool(true),
},
},
},
}, nil)
},
},
{
test: "cannot list default route tables",
dirName: "aws_ec2_default_route_table_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllRouteTables").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsDefaultRouteTableResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsDefaultRouteTableResourceType, resourceaws.AwsDefaultRouteTableResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2DefaultRouteTableEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsDefaultRouteTableResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsDefaultRouteTableResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsDefaultRouteTableResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestVpcSecurityGroup(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no security groups",
dirName: "aws_vpc_security_group_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{}, []*ec2.SecurityGroup{}, nil)
},
wantErr: nil,
},
{
test: "with security groups",
dirName: "aws_vpc_security_group_multiple",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-0254c038e32f25530"),
GroupName: awssdk.String("foo"),
},
}, []*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-9e0204ff"),
GroupName: awssdk.String("default"),
},
}, nil)
},
wantErr: nil,
},
{
test: "cannot list security groups",
dirName: "aws_vpc_security_group_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
client.On("ListAllSecurityGroups").Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsSecurityGroupResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsSecurityGroupResourceType, resourceaws.AwsSecurityGroupResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewVPCSecurityGroupEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsSecurityGroupResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsSecurityGroupResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsSecurityGroupResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestVpcDefaultSecurityGroup(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no security groups",
dirName: "aws_vpc_default_security_group_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{}, []*ec2.SecurityGroup{}, nil)
},
wantErr: nil,
},
{
test: "with security groups",
dirName: "aws_vpc_default_security_group_multiple",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-0254c038e32f25530"),
GroupName: awssdk.String("foo"),
},
}, []*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-9e0204ff"),
GroupName: awssdk.String("default"),
},
}, nil)
},
wantErr: nil,
},
{
test: "cannot list security groups",
dirName: "aws_vpc_default_security_group_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
client.On("ListAllSecurityGroups").Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsDefaultSecurityGroupResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsDefaultSecurityGroupResourceType, resourceaws.AwsDefaultSecurityGroupResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewVPCDefaultSecurityGroupEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsDefaultSecurityGroupResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsDefaultSecurityGroupResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsDefaultSecurityGroupResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2NatGateway(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no nat gateways",
dirName: "aws_ec2_nat_gateway_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNatGateways").Return([]*ec2.NatGateway{}, nil)
},
},
{
test: "single nat gateway",
dirName: "aws_ec2_nat_gateway_single",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNatGateways").Return([]*ec2.NatGateway{
{NatGatewayId: awssdk.String("nat-0a5408508b19ef490")},
}, nil)
},
},
{
test: "cannot list nat gateways",
dirName: "aws_ec2_nat_gateway_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllNatGateways").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsNatGatewayResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsNatGatewayResourceType, resourceaws.AwsNatGatewayResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2NatGatewayEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsNatGatewayResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsNatGatewayResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsNatGatewayResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2NetworkACL(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no network ACL",
dirName: "aws_ec2_network_acl_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{}, nil)
},
},
{
test: "network acl",
dirName: "aws_ec2_network_acl",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{
{
NetworkAclId: awssdk.String("acl-043880b4682d2366b"),
IsDefault: awssdk.Bool(false),
},
{
NetworkAclId: awssdk.String("acl-07a565dbe518c0713"),
IsDefault: awssdk.Bool(false),
},
{
NetworkAclId: awssdk.String("acl-e88ee595"),
IsDefault: awssdk.Bool(true),
},
}, nil)
},
},
{
test: "cannot list network acl",
dirName: "aws_ec2_network_acl_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllNetworkACLs").Return(nil, awsError)
alerter.On("SendAlert",
resourceaws.AwsNetworkACLResourceType,
alerts.NewRemoteAccessDeniedAlert(
common2.RemoteAWSTerraform,
remoteerr.NewResourceListingErrorWithType(
awsError,
resourceaws.AwsNetworkACLResourceType,
resourceaws.AwsNetworkACLResourceType,
),
alerts.EnumerationPhase,
),
).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2NetworkACLEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsNetworkACLResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsNetworkACLResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsNetworkACLResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2NetworkACLRule(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no network ACL",
dirName: "aws_ec2_network_acl_rule_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{}, nil)
},
},
{
test: "network acl rules",
dirName: "aws_ec2_network_acl_rule",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{
{
NetworkAclId: awssdk.String("acl-0ad6d657494d17ee2"), // test
IsDefault: awssdk.Bool(false),
Entries: []*ec2.NetworkAclEntry{
{
Egress: awssdk.Bool(false),
RuleNumber: awssdk.Int64(100),
Protocol: awssdk.String("6"), // tcp
RuleAction: awssdk.String("deny"),
CidrBlock: awssdk.String("0.0.0.0/0"),
},
{
Egress: awssdk.Bool(false),
RuleNumber: awssdk.Int64(200),
Protocol: awssdk.String("6"), // tcp
RuleAction: awssdk.String("allow"),
Ipv6CidrBlock: awssdk.String("::/0"),
},
{
Egress: awssdk.Bool(true),
RuleNumber: awssdk.Int64(100),
Protocol: awssdk.String("17"), // udp
RuleAction: awssdk.String("allow"),
CidrBlock: awssdk.String("172.16.1.0/0"),
},
},
},
{
NetworkAclId: awssdk.String("acl-0de54ef59074b622e"), // test2
IsDefault: awssdk.Bool(false),
Entries: []*ec2.NetworkAclEntry{
{
Egress: awssdk.Bool(false),
RuleNumber: awssdk.Int64(100),
Protocol: awssdk.String("17"), // udp
RuleAction: awssdk.String("deny"),
CidrBlock: awssdk.String("0.0.0.0/0"),
},
{
Egress: awssdk.Bool(true),
RuleNumber: awssdk.Int64(100),
Protocol: awssdk.String("17"), // udp
RuleAction: awssdk.String("allow"),
CidrBlock: awssdk.String("172.16.1.0/0"),
},
},
},
}, nil)
},
},
{
test: "cannot list network acl",
dirName: "aws_ec2_network_acl_rule_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllNetworkACLs").Return(nil, awsError)
alerter.On("SendAlert",
resourceaws.AwsNetworkACLRuleResourceType,
alerts.NewRemoteAccessDeniedAlert(
common2.RemoteAWSTerraform,
remoteerr.NewResourceListingErrorWithType(
awsError,
resourceaws.AwsNetworkACLRuleResourceType,
resourceaws.AwsNetworkACLResourceType,
),
alerts.EnumerationPhase,
),
).Return()
},
wantErr: nil,
},
}
version := "3.19.0"
schemaRepository := testresource.InitFakeSchemaRepository("aws", version)
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := version
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
}
remoteLibrary.AddEnumerator(aws2.NewEC2NetworkACLRuleEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsNetworkACLRuleResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsNetworkACLRuleResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsNetworkACLRuleResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2DefaultNetworkACL(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no network ACL",
dirName: "aws_ec2_default_network_acl_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{}, nil)
},
},
{
test: "default network acl",
dirName: "aws_ec2_default_network_acl",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllNetworkACLs").Return([]*ec2.NetworkAcl{
{
NetworkAclId: awssdk.String("acl-043880b4682d2366b"),
IsDefault: awssdk.Bool(false),
},
{
NetworkAclId: awssdk.String("acl-07a565dbe518c0713"),
IsDefault: awssdk.Bool(false),
},
{
NetworkAclId: awssdk.String("acl-e88ee595"),
IsDefault: awssdk.Bool(true),
},
}, nil)
},
},
{
test: "cannot list default network acl",
dirName: "aws_ec2_default_network_acl_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllNetworkACLs").Return(nil, awsError)
alerter.On("SendAlert",
resourceaws.AwsDefaultNetworkACLResourceType,
alerts.NewRemoteAccessDeniedAlert(
common2.RemoteAWSTerraform,
remoteerr.NewResourceListingErrorWithType(
awsError,
resourceaws.AwsDefaultNetworkACLResourceType,
resourceaws.AwsDefaultNetworkACLResourceType,
),
alerts.EnumerationPhase,
),
).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2DefaultNetworkACLEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsDefaultNetworkACLResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsDefaultNetworkACLResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsDefaultNetworkACLResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2Route(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
// route table with no routes case is not possible
// as a default route will always be present in each route table
test: "no routes",
dirName: "aws_ec2_route_empty",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{}, nil)
},
},
{
test: "multiple routes (mixed default_route_table and route_table)",
dirName: "aws_ec2_route_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("ListAllRouteTables").Return([]*ec2.RouteTable{
{
RouteTableId: awssdk.String("rtb-096bdfb69309c54c3"), // table1
Routes: []*ec2.Route{
{
DestinationCidrBlock: awssdk.String("10.0.0.0/16"),
Origin: awssdk.String("CreateRouteTable"), // default route
},
{
DestinationCidrBlock: awssdk.String("1.1.1.1/32"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
{
DestinationIpv6CidrBlock: awssdk.String("::/0"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
},
},
{
RouteTableId: awssdk.String("rtb-0169b0937fd963ddc"), // table2
Routes: []*ec2.Route{
{
DestinationCidrBlock: awssdk.String("10.0.0.0/16"),
Origin: awssdk.String("CreateRouteTable"), // default route
},
{
DestinationCidrBlock: awssdk.String("0.0.0.0/0"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
{
DestinationIpv6CidrBlock: awssdk.String("::/0"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
},
},
{
RouteTableId: awssdk.String("rtb-02780c485f0be93c5"), // default_table
VpcId: awssdk.String("vpc-09fe5abc2309ba49d"),
Associations: []*ec2.RouteTableAssociation{
{
Main: awssdk.Bool(true),
},
},
Routes: []*ec2.Route{
{
DestinationCidrBlock: awssdk.String("10.0.0.0/16"),
Origin: awssdk.String("CreateRouteTable"), // default route
},
{
DestinationCidrBlock: awssdk.String("10.1.1.0/24"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
{
DestinationCidrBlock: awssdk.String("10.1.2.0/24"),
GatewayId: awssdk.String("igw-030e74f73bd67f21b"),
Origin: awssdk.String("CreateRoute"),
},
},
},
{
RouteTableId: awssdk.String(""), // table3
Routes: []*ec2.Route{
{
DestinationCidrBlock: awssdk.String("10.0.0.0/16"),
Origin: awssdk.String("CreateRouteTable"), // default route
},
},
},
}, nil)
},
},
{
test: "cannot list routes",
dirName: "aws_ec2_route_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("ListAllRouteTables").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsRouteResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsRouteResourceType, resourceaws.AwsRouteTableResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2RouteEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsRouteResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsRouteResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsRouteResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestVpcSecurityGroupRule(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no security group rules",
dirName: "aws_vpc_security_group_rule_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-0254c038e32f25530"),
IpPermissions: []*ec2.IpPermission{},
IpPermissionsEgress: []*ec2.IpPermission{},
},
}, nil, nil)
},
wantErr: nil,
},
{
test: "with security group rules",
dirName: "aws_vpc_security_group_rule_multiple",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
client.On("ListAllSecurityGroups").Once().Return([]*ec2.SecurityGroup{
{
GroupId: awssdk.String("sg-0254c038e32f25530"),
IpPermissions: []*ec2.IpPermission{
{
FromPort: awssdk.Int64(0),
ToPort: awssdk.Int64(65535),
IpProtocol: awssdk.String("tcp"),
UserIdGroupPairs: []*ec2.UserIdGroupPair{
{
GroupId: awssdk.String("sg-0254c038e32f25530"),
},
{
GroupId: awssdk.String("sg-9e0204ff"),
},
},
},
{
IpProtocol: awssdk.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: awssdk.String("1.2.0.0/16"),
},
{
CidrIp: awssdk.String("5.6.7.0/24"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: awssdk.String("::/0"),
},
},
},
},
IpPermissionsEgress: []*ec2.IpPermission{
{
IpProtocol: awssdk.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: awssdk.String("0.0.0.0/0"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: awssdk.String("::/0"),
},
},
},
},
},
{
GroupId: awssdk.String("sg-0cc8b3c3c2851705a"),
IpPermissions: []*ec2.IpPermission{
{
FromPort: awssdk.Int64(443),
ToPort: awssdk.Int64(443),
IpProtocol: awssdk.String("tcp"),
IpRanges: []*ec2.IpRange{
{
CidrIp: awssdk.String("0.0.0.0/0"),
},
},
},
},
IpPermissionsEgress: []*ec2.IpPermission{
{
IpProtocol: awssdk.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: awssdk.String("0.0.0.0/0"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: awssdk.String("::/0"),
},
},
},
{
IpProtocol: awssdk.String("5"),
IpRanges: []*ec2.IpRange{
{
CidrIp: awssdk.String("0.0.0.0/0"),
},
},
},
},
},
}, nil, nil)
},
wantErr: nil,
},
{
test: "cannot list security group rules",
dirName: "aws_vpc_security_group_rule_empty",
mocks: func(client *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
client.On("ListAllSecurityGroups").Once().Return(nil, nil, awsError)
alerter.On("SendAlert", resourceaws.AwsSecurityGroupRuleResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsSecurityGroupRuleResourceType, resourceaws.AwsSecurityGroupResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewVPCSecurityGroupRuleEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsSecurityGroupRuleResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsSecurityGroupRuleResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, c.wantErr, err)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsSecurityGroupRuleResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}
func TestEC2LaunchTemplate(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no launch template",
dirName: "aws_launch_template",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("DescribeLaunchTemplates").Return([]*ec2.LaunchTemplate{}, nil)
},
},
{
test: "multiple launch templates",
dirName: "aws_launch_template_multiple",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
launchTemplates := []*ec2.LaunchTemplate{
{LaunchTemplateId: awssdk.String("lt-0ed993d09ce6afc67"), LatestVersionNumber: awssdk.Int64(1)},
{LaunchTemplateId: awssdk.String("lt-00b2d18c6cee7fe23"), LatestVersionNumber: awssdk.Int64(1)},
}
repository.On("DescribeLaunchTemplates").Return(launchTemplates, nil)
},
},
{
test: "cannot list launch templates",
dirName: "aws_launch_template",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("DescribeLaunchTemplates").Return(nil, awsError)
alerter.On("SendAlert", resourceaws.AwsLaunchTemplateResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsLaunchTemplateResourceType, resourceaws.AwsLaunchTemplateResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewLaunchTemplateEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsLaunchTemplateResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsLaunchTemplateResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsLaunchTemplateResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
testFilter.AssertExpectations(tt)
})
}
}
func TestEC2EbsEncryptionByDefault(t *testing.T) {
tests := []struct {
test string
dirName string
mocks func(*repository.MockEC2Repository, *mocks.AlerterInterface)
wantErr error
}{
{
test: "no encryption by default resource",
dirName: "aws_ebs_encryption_by_default_list",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
repository.On("IsEbsEncryptionEnabledByDefault").Return(false, nil)
},
},
{
test: "cannot list encryption by default resources",
dirName: "aws_ebs_encryption_by_default_error",
mocks: func(repository *repository.MockEC2Repository, alerter *mocks.AlerterInterface) {
awsError := awserr.NewRequestFailure(awserr.New("AccessDeniedException", "", errors.New("")), 403, "")
repository.On("IsEbsEncryptionEnabledByDefault").Return(false, awsError)
alerter.On("SendAlert", resourceaws.AwsEbsEncryptionByDefaultResourceType, alerts.NewRemoteAccessDeniedAlert(common2.RemoteAWSTerraform, remoteerr.NewResourceListingErrorWithType(awsError, resourceaws.AwsEbsEncryptionByDefaultResourceType, resourceaws.AwsEbsEncryptionByDefaultResourceType), alerts.EnumerationPhase)).Return()
},
wantErr: nil,
},
}
schemaRepository := testresource.InitFakeSchemaRepository("aws", "3.19.0")
resourceaws.InitResourcesMetadata(schemaRepository)
factory := terraform3.NewTerraformResourceFactory(schemaRepository)
deserializer := resource.NewDeserializer(factory)
for _, c := range tests {
t.Run(c.test, func(tt *testing.T) {
shouldUpdate := c.dirName == *goldenfile.Update
sess := session.Must(session.NewSessionWithOptions(session.Options{
SharedConfigState: session.SharedConfigEnable,
}))
scanOptions := ScannerOptions{Deep: true}
providerLibrary := terraform3.NewProviderLibrary()
remoteLibrary := common2.NewRemoteLibrary()
// Initialize mocks
alerter := &mocks.AlerterInterface{}
fakeRepo := &repository.MockEC2Repository{}
c.mocks(fakeRepo, alerter)
var repo repository.EC2Repository = fakeRepo
providerVersion := "3.19.0"
realProvider, err := terraform2.InitTestAwsProvider(providerLibrary, providerVersion)
if err != nil {
t.Fatal(err)
}
provider := terraform2.NewFakeTerraformProvider(realProvider)
provider.WithResponse(c.dirName)
// Replace mock by real resources if we are in update mode
if shouldUpdate {
err := realProvider.Init()
if err != nil {
t.Fatal(err)
}
provider.ShouldUpdate()
repo = repository.NewEC2Repository(sess, cache.New(0))
}
remoteLibrary.AddEnumerator(aws2.NewEC2EbsEncryptionByDefaultEnumerator(repo, factory))
remoteLibrary.AddDetailsFetcher(resourceaws.AwsEbsEncryptionByDefaultResourceType, common2.NewGenericDetailsFetcher(resourceaws.AwsEbsEncryptionByDefaultResourceType, provider, deserializer))
testFilter := &enumeration.MockFilter{}
testFilter.On("IsTypeIgnored", mock.Anything).Return(false)
s := NewScanner(remoteLibrary, alerter, scanOptions, testFilter)
got, err := s.Resources()
assert.Equal(tt, err, c.wantErr)
if err != nil {
return
}
test.TestAgainstGoldenFile(got, resourceaws.AwsEbsEncryptionByDefaultResourceType, c.dirName, provider, deserializer, shouldUpdate, tt)
alerter.AssertExpectations(tt)
fakeRepo.AssertExpectations(tt)
})
}
}