driftctl/pkg/middlewares/aws_defaults_test.go


package middlewares
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/snyk/driftctl/pkg/resource"
"github.com/snyk/driftctl/pkg/resource/aws"
)
// TestAwsDefaults_Execute exercises the AwsDefaults middleware, which prunes
// "default" IAM roles — those whose "path" attribute sits under the AWS
// service-role prefix — and the IAM role policies attached to them, so that
// neither is reported as drift. The cases below pin:
//   - a default role is dropped from the remote side whether or not it is in
//     state, and from the state side too when it is (second case);
//   - a role policy whose "role" attribute names a default role is dropped
//     along with that role (third and fourth cases);
//   - roles under any other path, and non-IAM resources such as the route,
//     pass through untouched.
//
// NOTE(review): the last case asserts only the remote side. The second case
// shows roles are pruned from state as well; if the middleware does the same
// for role policies, an `assert.Len(t, resourcesFromState, 0)` there would pin
// that — confirm against the middleware before adding it. Also keep in mind
// that whatever this filter drops is invisible to drift detection: in the last
// case an inline "AdministratorAccess" policy whose "name_prefix" differs
// between remote and state is silently discarded. That is the purpose of a
// defaults filter, but it is a blind spot worth remembering when reasoning
// about what driftctl will and will not report.
func TestAwsDefaults_Execute(t *testing.T) {
	// Each constructor returns a freshly allocated resource per call, so no
	// two cases (and no remote/state pair within a case) share a pointer; the
	// middleware rewrites the slices it is handed in place.
	iamRole := func(id string, attrs resource.Attributes) *resource.Resource {
		return &resource.Resource{Id: id, Type: aws.AwsIamRoleResourceType, Attrs: &attrs}
	}
	rolePolicy := func(id string, attrs resource.Attributes) *resource.Resource {
		return &resource.Resource{Id: id, Type: aws.AwsIamRolePolicyResourceType, Attrs: &attrs}
	}
	// A non-IAM resource that must never be touched by this middleware.
	dummyRoute := func() *resource.Resource {
		return &resource.Resource{
			Id:   "dummy-route",
			Type: aws.AwsRouteResourceType,
			Attrs: &resource.Attributes{
				"route_table_id": "default-route-table",
				"gateway_id":     "local",
			},
		}
	}

	cases := []struct {
		name   string
		remote []*resource.Resource
		state  []*resource.Resource
		check  func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource)
	}{
		{
			name: "ignore default iam roles when they're not managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{"path": "/aws-service-role/sso.amazonaws.com"}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{"path": "/not-aws-service-role/sso.amazonaws.com/"}),
				iamRole("terraform-20210408093258091700000001", resource.Attributes{"path": "/"}),
				dummyRoute(),
			},
			state: []*resource.Resource{
				dummyRoute(),
				iamRole("terraform-20210408093258091700000001", resource.Attributes{"path": "/"}),
			},
			check: func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
				// Four in, one default role out: the non-default roles and the
				// route survive.
				assert.Len(t, remoteResources, 3)
				for _, r := range remoteResources {
					if r.ResourceId() == "AWSServiceRoleForSSO" {
						t.Fatal("AWSServiceRoleForSSO should have been ignored")
					}
				}
			},
		},
		{
			name: "ignore default iam roles when they're managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{
					"path":        "/aws-service-role/sso.amazonaws.com/",
					"description": "test",
				}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{"path": "/not-aws-service-role/sso.amazonaws.com/"}),
				iamRole("driftctl_assume_role:driftctl_policy.10", resource.Attributes{
					"path": "/",
					"tags": map[string]string{
						"test": "value",
					},
				}),
			},
			state: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{"path": "/aws-service-role/sso.amazonaws.com/"}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{"path": "/not-aws-service-role/sso.amazonaws.com/"}),
				iamRole("driftctl_assume_role:driftctl_policy.10", resource.Attributes{
					"path": "/",
					"tags": map[string]string{},
				}),
			},
			check: func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
				// The default role is pruned from both sides (3 -> 2 each), even
				// though the two copies of it carry different attributes.
				assert.Len(t, remoteResources, 2)
				assert.Len(t, resourcesFromState, 2)
			},
		},
		{
			name: "ignore default iam role policies when they're not managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{"path": "/aws-service-role/sso.amazonaws.com"}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{"path": "/not-aws-service-role/sso.amazonaws.com"}),
				rolePolicy("AWSServiceRoleForSSO", resource.Attributes{"role": "AWSServiceRoleForSSO"}),
				rolePolicy("OrganizationAccountAccessRole", resource.Attributes{"role": "OrganizationAccountAccessRole"}),
				dummyRoute(),
			},
			state: []*resource.Resource{
				dummyRoute(),
			},
			check: func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
				// Five in, the default role and its policy out; the policy on
				// the non-default role is kept.
				assert.Len(t, remoteResources, 3)
				for _, r := range remoteResources {
					if r.ResourceId() != "AWSServiceRoleForSSO" {
						continue
					}
					switch r.ResourceType() {
					case aws.AwsIamRoleResourceType:
						t.Fatal("AWSServiceRoleForSSO role should have been ignored")
					case aws.AwsIamRolePolicyResourceType:
						t.Fatal("AWSServiceRoleForSSO policy should have been ignored")
					}
				}
			},
		},
		{
			name: "ignore default iam role policies even when they're managed by IaC",
			remote: []*resource.Resource{
				iamRole("custom-role", resource.Attributes{"path": "/not-aws-service-role/sso.amazonaws.com"}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{"path": "/aws-service-role/sso.amazonaws.com"}),
				rolePolicy("driftctl_assume_role:driftctl_policy.10", resource.Attributes{"role": "custom-role"}),
				rolePolicy("OrganizationAccountAccessRole:AdministratorAccess", resource.Attributes{
					"role":        "OrganizationAccountAccessRole",
					"name_prefix": nil,
				}),
			},
			state: []*resource.Resource{
				// Same policy as remote but with a differing "name_prefix": the
				// drift exists, and the filter is expected to hide it.
				rolePolicy("OrganizationAccountAccessRole:AdministratorAccess", resource.Attributes{
					"role":        "OrganizationAccountAccessRole",
					"name_prefix": "tf-",
				}),
			},
			check: func(t *testing.T, remoteResources, resourcesFromState []*resource.Resource) {
				// Four in, the default role and its AdministratorAccess policy
				// out; "custom-role" and its policy survive.
				assert.Len(t, remoteResources, 2)
				for _, r := range remoteResources {
					id, typ := r.ResourceId(), r.ResourceType()
					if id == "OrganizationAccountAccessRole" && typ == aws.AwsIamRoleResourceType {
						t.Fatal("OrganizationAccountAccessRole role should have been ignored")
					}
					if id == "OrganizationAccountAccessRole:AdministratorAccess" && typ == aws.AwsIamRolePolicyResourceType {
						t.Fatal("OrganizationAccountAccessRole:AdministratorAccess policy should have been ignored")
					}
				}
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Execute mutates the slices through the pointers it receives, so
			// work on local copies and hand those to the case's check.
			remote, state := tc.remote, tc.state
			mw := &AwsDefaults{}
			if err := mw.Execute(&remote, &state); err != nil {
				t.Fatal(err)
			}
			tc.check(t, remote, state)
		})
	}
}