268 lines
7.5 KiB
Go
268 lines
7.5 KiB
Go
package aws
|
|
|
|
import (
|
|
"context"
|
|
"testing"
|
|
|
|
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
|
|
awstest "github.com/cloudskiff/driftctl/test/aws"
|
|
|
|
"github.com/aws/aws-sdk-go/aws/awserr"
|
|
resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/parallel"
|
|
|
|
awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
|
|
|
|
"github.com/aws/aws-sdk-go/service/ec2"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
|
|
"github.com/cloudskiff/driftctl/test/goldenfile"
|
|
mocks2 "github.com/cloudskiff/driftctl/test/mocks"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/mock"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/resource"
|
|
"github.com/cloudskiff/driftctl/pkg/terraform"
|
|
"github.com/cloudskiff/driftctl/test"
|
|
)
|
|
|
|
func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {
|
|
cases := []struct {
|
|
test string
|
|
dirName string
|
|
mocks func(client *awstest.MockFakeEC2)
|
|
err error
|
|
}{
|
|
{
|
|
test: "no security group rules",
|
|
dirName: "vpc_security_group_rule_empty",
|
|
mocks: func(client *awstest.MockFakeEC2) {
|
|
client.On("DescribeSecurityGroupsPages",
|
|
&ec2.DescribeSecurityGroupsInput{},
|
|
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
|
|
callback(&ec2.DescribeSecurityGroupsOutput{
|
|
SecurityGroups: []*ec2.SecurityGroup{
|
|
{
|
|
GroupId: aws.String("sg-0254c038e32f25530"),
|
|
IpPermissions: []*ec2.IpPermission{},
|
|
IpPermissionsEgress: []*ec2.IpPermission{},
|
|
},
|
|
},
|
|
}, true)
|
|
return true
|
|
})).Return(nil)
|
|
},
|
|
err: nil,
|
|
},
|
|
{
|
|
test: "with security group rules",
|
|
dirName: "vpc_security_group_rule_multiple",
|
|
mocks: func(client *awstest.MockFakeEC2) {
|
|
client.On("DescribeSecurityGroupsPages",
|
|
&ec2.DescribeSecurityGroupsInput{},
|
|
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
|
|
callback(&ec2.DescribeSecurityGroupsOutput{
|
|
SecurityGroups: []*ec2.SecurityGroup{
|
|
{
|
|
GroupId: aws.String("sg-0254c038e32f25530"),
|
|
IpPermissions: []*ec2.IpPermission{
|
|
{
|
|
FromPort: aws.Int64(0),
|
|
ToPort: aws.Int64(65535),
|
|
IpProtocol: aws.String("tcp"),
|
|
UserIdGroupPairs: []*ec2.UserIdGroupPair{
|
|
{
|
|
GroupId: aws.String("sg-0254c038e32f25530"),
|
|
},
|
|
{
|
|
GroupId: aws.String("sg-9e0204ff"),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("1.2.0.0/16"),
|
|
},
|
|
{
|
|
CidrIp: aws.String("5.6.7.0/24"),
|
|
},
|
|
},
|
|
Ipv6Ranges: []*ec2.Ipv6Range{
|
|
{
|
|
CidrIpv6: aws.String("::/0"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
IpPermissionsEgress: []*ec2.IpPermission{
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("0.0.0.0/0"),
|
|
},
|
|
},
|
|
Ipv6Ranges: []*ec2.Ipv6Range{
|
|
{
|
|
CidrIpv6: aws.String("::/0"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, false)
|
|
callback(&ec2.DescribeSecurityGroupsOutput{
|
|
SecurityGroups: []*ec2.SecurityGroup{
|
|
{
|
|
GroupId: aws.String("sg-0cc8b3c3c2851705a"),
|
|
IpPermissions: []*ec2.IpPermission{
|
|
{
|
|
FromPort: aws.Int64(443),
|
|
ToPort: aws.Int64(443),
|
|
IpProtocol: aws.String("tcp"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("0.0.0.0/0"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
IpPermissionsEgress: []*ec2.IpPermission{
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("0.0.0.0/0"),
|
|
},
|
|
},
|
|
Ipv6Ranges: []*ec2.Ipv6Range{
|
|
{
|
|
CidrIpv6: aws.String("::/0"),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
IpProtocol: aws.String("5"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("0.0.0.0/0"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, true)
|
|
return true
|
|
})).Return(nil)
|
|
},
|
|
err: nil,
|
|
},
|
|
{
|
|
test: "should ignore default security group default rules",
|
|
dirName: "vpc_security_group_default_rules",
|
|
mocks: func(client *awstest.MockFakeEC2) {
|
|
client.On("DescribeSecurityGroupsPages",
|
|
&ec2.DescribeSecurityGroupsInput{},
|
|
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
|
|
callback(&ec2.DescribeSecurityGroupsOutput{
|
|
SecurityGroups: []*ec2.SecurityGroup{
|
|
{
|
|
GroupId: aws.String("sg-a74815c8"),
|
|
GroupName: aws.String("default"),
|
|
IpPermissions: []*ec2.IpPermission{
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
UserIdGroupPairs: []*ec2.UserIdGroupPair{
|
|
{
|
|
GroupId: aws.String("sg-a74815c8"),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("1.2.0.0/16"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
IpPermissionsEgress: []*ec2.IpPermission{
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("0.0.0.0/0"),
|
|
},
|
|
},
|
|
},
|
|
{
|
|
IpProtocol: aws.String("-1"),
|
|
IpRanges: []*ec2.IpRange{
|
|
{
|
|
CidrIp: aws.String("1.2.3.4/32"),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}, true)
|
|
return true
|
|
})).Return(nil)
|
|
},
|
|
err: nil,
|
|
},
|
|
{
|
|
test: "cannot list security group rules",
|
|
dirName: "vpc_security_group_rule_empty",
|
|
mocks: func(client *awstest.MockFakeEC2) {
|
|
client.On("DescribeSecurityGroupsPages",
|
|
&ec2.DescribeSecurityGroupsInput{},
|
|
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
|
|
return true
|
|
})).Return(awserr.NewRequestFailure(nil, 403, ""))
|
|
},
|
|
err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupRuleResourceType),
|
|
},
|
|
}
|
|
for _, c := range cases {
|
|
shouldUpdate := c.dirName == *goldenfile.Update
|
|
|
|
providerLibrary := terraform.NewProviderLibrary()
|
|
supplierLibrary := resource.NewSupplierLibrary()
|
|
|
|
if shouldUpdate {
|
|
provider, err := InitTestAwsProvider(providerLibrary)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))
|
|
}
|
|
|
|
t.Run(c.test, func(tt *testing.T) {
|
|
fakeEC2 := awstest.MockFakeEC2{}
|
|
c.mocks(&fakeEC2)
|
|
provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
|
|
deserializer := awsdeserializer.NewVPCSecurityGroupRuleDeserializer()
|
|
s := &VPCSecurityGroupRuleSupplier{
|
|
provider,
|
|
deserializer,
|
|
&fakeEC2,
|
|
terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
|
|
}
|
|
got, err := s.Resources()
|
|
assert.Equal(tt, c.err, err)
|
|
|
|
mock.AssertExpectationsForObjects(tt)
|
|
test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, tt)
|
|
})
|
|
}
|
|
}
|