package middlewares
import (
"testing"
"github.com/stretchr/testify/assert"
"github.com/snyk/driftctl/pkg/resource"
"github.com/snyk/driftctl/pkg/resource/aws"
)
// TestAwsDefaults_Execute drives the AwsDefaults middleware through table-driven
// fixtures. Every case hands Execute a remote resource list and an IaC state
// list, then inspects what is left over. Taken together the cases pin exactly
// which AWS-provisioned IAM roles and role policies are dropped from the drift
// output; since anything dropped here is never reported, a change to the
// matcher (the "/aws-service-role/" path is exercised both with and without a
// trailing slash) should surface in this test before it widens that blind spot.
func TestAwsDefaults_Execute(t *testing.T) {
	// res builds a single resource fixture. attrs is a by-value map header, so
	// each fixture points at its own map just as the inline literals would.
	res := func(id, typ string, attrs resource.Attributes) *resource.Resource {
		return &resource.Resource{Id: id, Type: typ, Attrs: &attrs}
	}
	iamRole := func(id string, attrs resource.Attributes) *resource.Resource {
		return res(id, aws.AwsIamRoleResourceType, attrs)
	}
	rolePolicy := func(id string, attrs resource.Attributes) *resource.Resource {
		return res(id, aws.AwsIamRolePolicyResourceType, attrs)
	}
	// localRoute is the non-IAM filler that several cases carry on both sides
	// so that a count assertion also proves unrelated resources survive.
	localRoute := func() *resource.Resource {
		return res("dummy-route", aws.AwsRouteResourceType, resource.Attributes{
			"route_table_id": "default-route-table",
			"gateway_id":     "local",
		})
	}
	// contains reports whether rs holds a resource with the given id and, when
	// typ is non-empty, of that type.
	contains := func(rs []*resource.Resource, id, typ string) bool {
		for _, r := range rs {
			if r.ResourceId() != id {
				continue
			}
			if typ == "" || r.ResourceType() == typ {
				return true
			}
		}
		return false
	}

	type testCase struct {
		name   string
		remote []*resource.Resource
		state  []*resource.Resource
		// check inspects both slices after Execute has run over them.
		check func(t *testing.T, remote, state []*resource.Resource)
	}

	cases := []testCase{
		{
			name: "ignore default iam roles when they're not managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{
					"path": "/aws-service-role/sso.amazonaws.com",
				}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{
					"path": "/not-aws-service-role/sso.amazonaws.com/",
				}),
				iamRole("terraform-20210408093258091700000001", resource.Attributes{
					"path": "/",
				}),
				localRoute(),
			},
			state: []*resource.Resource{
				localRoute(),
				iamRole("terraform-20210408093258091700000001", resource.Attributes{
					"path": "/",
				}),
			},
			check: func(t *testing.T, remote, _ []*resource.Resource) {
				// Only the service-linked role is expected to vanish.
				assert.Len(t, remote, 3)
				if contains(remote, "AWSServiceRoleForSSO", "") {
					t.Fatal("AWSServiceRoleForSSO should have been ignored")
				}
			},
		},
		{
			name: "ignore default iam roles when they're managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{
					"path":        "/aws-service-role/sso.amazonaws.com/",
					"description": "test",
				}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{
					"path": "/not-aws-service-role/sso.amazonaws.com/",
				}),
				iamRole("driftctl_assume_role:driftctl_policy.10", resource.Attributes{
					"path": "/",
					"tags": map[string]string{
						"test": "value",
					},
				}),
			},
			state: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{
					"path": "/aws-service-role/sso.amazonaws.com/",
				}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{
					"path": "/not-aws-service-role/sso.amazonaws.com/",
				}),
				iamRole("driftctl_assume_role:driftctl_policy.10", resource.Attributes{
					"path": "/",
					"tags": map[string]string{},
				}),
			},
			check: func(t *testing.T, remote, state []*resource.Resource) {
				// One resource is expected to leave each side; this case only
				// pins the counts, not which id was removed.
				assert.Len(t, remote, 2)
				assert.Len(t, state, 2)
			},
		},
		{
			name: "ignore default iam role policies when they're not managed by IaC",
			remote: []*resource.Resource{
				iamRole("AWSServiceRoleForSSO", resource.Attributes{
					"path": "/aws-service-role/sso.amazonaws.com",
				}),
				iamRole("OrganizationAccountAccessRole", resource.Attributes{
					"path": "/not-aws-service-role/sso.amazonaws.com",
				}),
				rolePolicy("AWSServiceRoleForSSO", resource.Attributes{
					"role": "AWSServiceRoleForSSO",
				}),
				rolePolicy("OrganizationAccountAccessRole", resource.Attributes{
					"role": "OrganizationAccountAccessRole",
				}),
				localRoute(),
			},
			state: []*resource.Resource{
				localRoute(),
			},
			check: func(t *testing.T, remote, _ []*resource.Resource) {
				// The service-linked role and its inline policy go together;
				// the role and policy sharing the same id but a non-default
				// path must stay.
				assert.Len(t, remote, 3)
				if contains(remote, "AWSServiceRoleForSSO", aws.AwsIamRoleResourceType) {
					t.Fatal("AWSServiceRoleForSSO role should have been ignored")
				}
				if contains(remote, "AWSServiceRoleForSSO", aws.AwsIamRolePolicyResourceType) {
					t.Fatal("AWSServiceRoleForSSO policy should have been ignored")
				}
			},
		},
		{
			name: "ignore default iam role policies even when they're managed by IaC",
			remote: []*resource.Resource{
				iamRole("custom-role", resource.Attributes{
					"path": "/not-aws-service-role/sso.amazonaws.com",
				}),
				// Here the well-known id carries the service-role path, so it
				// is the one expected to be treated as a default.
				iamRole("OrganizationAccountAccessRole", resource.Attributes{
					"path": "/aws-service-role/sso.amazonaws.com",
				}),
				rolePolicy("driftctl_assume_role:driftctl_policy.10", resource.Attributes{
					"role": "custom-role",
				}),
				rolePolicy("OrganizationAccountAccessRole:AdministratorAccess", resource.Attributes{
					"role":        "OrganizationAccountAccessRole",
					"name_prefix": nil,
				}),
			},
			state: []*resource.Resource{
				// Same policy as remote, but with an attribute that differs
				// ("name_prefix"), so the fixture would drift if it were kept.
				rolePolicy("OrganizationAccountAccessRole:AdministratorAccess", resource.Attributes{
					"role":        "OrganizationAccountAccessRole",
					"name_prefix": "tf-",
				}),
			},
			check: func(t *testing.T, remote, _ []*resource.Resource) {
				assert.Len(t, remote, 2)
				if contains(remote, "OrganizationAccountAccessRole", aws.AwsIamRoleResourceType) {
					t.Fatal("OrganizationAccountAccessRole role should have been ignored")
				}
				if contains(remote, "OrganizationAccountAccessRole:AdministratorAccess", aws.AwsIamRolePolicyResourceType) {
					t.Fatal("OrganizationAccountAccessRole:AdministratorAccess policy should have been ignored")
				}
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Execute takes the slices by pointer and may shrink them in
			// place, so hand it addressable copies of the fixture headers.
			remote, state := tc.remote, tc.state
			if err := (&AwsDefaults{}).Execute(&remote, &state); err != nil {
				t.Fatal(err)
			}
			tc.check(t, remote, state)
		})
	}
}