driftctl/pkg/remote/aws/vpc_security_group_rule_sup...

268 lines
7.5 KiB
Go

package aws
import (
"context"
"testing"
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
awstest "github.com/cloudskiff/driftctl/test/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
"github.com/cloudskiff/driftctl/pkg/parallel"
awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/aws"
"github.com/cloudskiff/driftctl/test/goldenfile"
mocks2 "github.com/cloudskiff/driftctl/test/mocks"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/mock"
"github.com/cloudskiff/driftctl/pkg/resource"
"github.com/cloudskiff/driftctl/pkg/terraform"
"github.com/cloudskiff/driftctl/test"
)
func TestVPCSecurityGroupRuleSupplier_Resources(t *testing.T) {
cases := []struct {
test string
dirName string
mocks func(client *awstest.MockFakeEC2)
err error
}{
{
test: "no security group rules",
dirName: "vpc_security_group_rule_empty",
mocks: func(client *awstest.MockFakeEC2) {
client.On("DescribeSecurityGroupsPages",
&ec2.DescribeSecurityGroupsInput{},
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
callback(&ec2.DescribeSecurityGroupsOutput{
SecurityGroups: []*ec2.SecurityGroup{
{
GroupId: aws.String("sg-0254c038e32f25530"),
IpPermissions: []*ec2.IpPermission{},
IpPermissionsEgress: []*ec2.IpPermission{},
},
},
}, true)
return true
})).Return(nil)
},
err: nil,
},
{
test: "with security group rules",
dirName: "vpc_security_group_rule_multiple",
mocks: func(client *awstest.MockFakeEC2) {
client.On("DescribeSecurityGroupsPages",
&ec2.DescribeSecurityGroupsInput{},
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
callback(&ec2.DescribeSecurityGroupsOutput{
SecurityGroups: []*ec2.SecurityGroup{
{
GroupId: aws.String("sg-0254c038e32f25530"),
IpPermissions: []*ec2.IpPermission{
{
FromPort: aws.Int64(0),
ToPort: aws.Int64(65535),
IpProtocol: aws.String("tcp"),
UserIdGroupPairs: []*ec2.UserIdGroupPair{
{
GroupId: aws.String("sg-0254c038e32f25530"),
},
{
GroupId: aws.String("sg-9e0204ff"),
},
},
},
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("1.2.0.0/16"),
},
{
CidrIp: aws.String("5.6.7.0/24"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: aws.String("::/0"),
},
},
},
},
IpPermissionsEgress: []*ec2.IpPermission{
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("0.0.0.0/0"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: aws.String("::/0"),
},
},
},
},
},
},
}, false)
callback(&ec2.DescribeSecurityGroupsOutput{
SecurityGroups: []*ec2.SecurityGroup{
{
GroupId: aws.String("sg-0cc8b3c3c2851705a"),
IpPermissions: []*ec2.IpPermission{
{
FromPort: aws.Int64(443),
ToPort: aws.Int64(443),
IpProtocol: aws.String("tcp"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("0.0.0.0/0"),
},
},
},
},
IpPermissionsEgress: []*ec2.IpPermission{
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("0.0.0.0/0"),
},
},
Ipv6Ranges: []*ec2.Ipv6Range{
{
CidrIpv6: aws.String("::/0"),
},
},
},
{
IpProtocol: aws.String("5"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("0.0.0.0/0"),
},
},
},
},
},
},
}, true)
return true
})).Return(nil)
},
err: nil,
},
{
test: "should ignore default security group default rules",
dirName: "vpc_security_group_default_rules",
mocks: func(client *awstest.MockFakeEC2) {
client.On("DescribeSecurityGroupsPages",
&ec2.DescribeSecurityGroupsInput{},
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
callback(&ec2.DescribeSecurityGroupsOutput{
SecurityGroups: []*ec2.SecurityGroup{
{
GroupId: aws.String("sg-a74815c8"),
GroupName: aws.String("default"),
IpPermissions: []*ec2.IpPermission{
{
IpProtocol: aws.String("-1"),
UserIdGroupPairs: []*ec2.UserIdGroupPair{
{
GroupId: aws.String("sg-a74815c8"),
},
},
},
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("1.2.0.0/16"),
},
},
},
},
IpPermissionsEgress: []*ec2.IpPermission{
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("0.0.0.0/0"),
},
},
},
{
IpProtocol: aws.String("-1"),
IpRanges: []*ec2.IpRange{
{
CidrIp: aws.String("1.2.3.4/32"),
},
},
},
},
},
},
}, true)
return true
})).Return(nil)
},
err: nil,
},
{
test: "cannot list security group rules",
dirName: "vpc_security_group_rule_empty",
mocks: func(client *awstest.MockFakeEC2) {
client.On("DescribeSecurityGroupsPages",
&ec2.DescribeSecurityGroupsInput{},
mock.MatchedBy(func(callback func(res *ec2.DescribeSecurityGroupsOutput, lastPage bool) bool) bool {
return true
})).Return(awserr.NewRequestFailure(nil, 403, ""))
},
err: remoteerror.NewResourceEnumerationError(awserr.NewRequestFailure(nil, 403, ""), resourceaws.AwsSecurityGroupRuleResourceType),
},
}
for _, c := range cases {
shouldUpdate := c.dirName == *goldenfile.Update
providerLibrary := terraform.NewProviderLibrary()
supplierLibrary := resource.NewSupplierLibrary()
if shouldUpdate {
provider, err := InitTestAwsProvider(providerLibrary)
if err != nil {
t.Fatal(err)
}
supplierLibrary.AddSupplier(NewVPCSecurityGroupRuleSupplier(provider))
}
t.Run(c.test, func(tt *testing.T) {
fakeEC2 := awstest.MockFakeEC2{}
c.mocks(&fakeEC2)
provider := mocks2.NewMockedGoldenTFProvider(c.dirName, providerLibrary.Provider(terraform.AWS), shouldUpdate)
deserializer := awsdeserializer.NewVPCSecurityGroupRuleDeserializer()
s := &VPCSecurityGroupRuleSupplier{
provider,
deserializer,
&fakeEC2,
terraform.NewParallelResourceReader(parallel.NewParallelRunner(context.TODO(), 10)),
}
got, err := s.Resources()
assert.Equal(tt, c.err, err)
mock.AssertExpectationsForObjects(tt)
test.CtyTestDiff(got, c.dirName, provider, deserializer, shouldUpdate, tt)
})
}
}