package ec2

import (
	"testing"

	"github.com/aquasecurity/defsec/pkg/providers/aws/ec2"
	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/aquasecurity/trivy-iac/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_Adapt runs small Terraform snippets through Adapt and compares the
// resulting ec2.EC2 model with a hand-built expectation via
// testutil.AssertDefsecEqual. Every expectation carries
// defsecTypes.NewTestMetadata() as its metadata; the cases cover an instance
// with IMDS options, encrypted block devices and a user_data heredoc, an
// instance with no attributes at all, and an instance that inherits its
// metadata_options from an aws_launch_template referenced by id or by name.
func Test_Adapt(t *testing.T) {
	// Shorthand for the placeholder metadata used on every expected value.
	newMD := defsecTypes.NewTestMetadata

	type testCase struct {
		name      string
		terraform string
		expected  ec2.EC2
	}

	cases := []testCase{
		{
			name: "configured",
			terraform: `
resource "aws_instance" "example" {
	ami           = "ami-7f89a64f"
	instance_type = "t1.micro"

	root_block_device {
		encrypted = true
	}

	metadata_options {
		http_tokens   = "required"
		http_endpoint = "disabled"
	}

	ebs_block_device {
		encrypted = true
	}

	user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
EOF
}
`,
			expected: ec2.EC2{
				Instances: []ec2.Instance{
					{
						Metadata: newMD(),
						MetadataOptions: ec2.MetadataOptions{
							Metadata:     newMD(),
							HttpTokens:   defsecTypes.String("required", newMD()),
							HttpEndpoint: defsecTypes.String("disabled", newMD()),
						},
						// The heredoc body is adapted verbatim, trailing newline included.
						UserData: defsecTypes.String("export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n", newMD()),
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  newMD(),
							Encrypted: defsecTypes.Bool(true, newMD()),
						},
						EBSBlockDevices: []*ec2.BlockDevice{
							{
								Metadata:  newMD(),
								Encrypted: defsecTypes.Bool(true, newMD()),
							},
						},
					},
				},
			},
		},
		{
			name: "defaults",
			terraform: `
resource "aws_instance" "example" {
}
`,
			expected: ec2.EC2{
				Instances: []ec2.Instance{
					{
						Metadata: newMD(),
						// Unset IMDS options and user_data adapt to empty strings, and a
						// missing root_block_device adapts to Encrypted=false.
						MetadataOptions: ec2.MetadataOptions{
							Metadata:     newMD(),
							HttpTokens:   defsecTypes.String("", newMD()),
							HttpEndpoint: defsecTypes.String("", newMD()),
						},
						UserData: defsecTypes.String("", newMD()),
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  newMD(),
							Encrypted: defsecTypes.Bool(false, newMD()),
						},
					},
				},
			},
		},
		{
			name: "ec2 instance with launch template, ref to id",
			terraform: `
resource "aws_launch_template" "this" {
	metadata_options {
		http_endpoint = "disabled"
		http_tokens   = "required"
	}
}

resource "aws_instance" "this" {
	launch_template {
		id = aws_launch_template.this.id
	}
}
`,
			expected: ec2.EC2{
				LaunchTemplates: []ec2.LaunchTemplate{
					{
						Metadata: newMD(),
						Instance: ec2.Instance{
							Metadata: newMD(),
							MetadataOptions: ec2.MetadataOptions{
								HttpEndpoint: defsecTypes.String("disabled", newMD()),
								HttpTokens:   defsecTypes.String("required", newMD()),
							},
						},
					},
				},
				Instances: []ec2.Instance{
					{
						Metadata: newMD(),
						// The instance declares no metadata_options itself; the expected
						// values are the ones from the referenced launch template.
						MetadataOptions: ec2.MetadataOptions{
							HttpEndpoint: defsecTypes.String("disabled", newMD()),
							HttpTokens:   defsecTypes.String("required", newMD()),
						},
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  newMD(),
							Encrypted: defsecTypes.Bool(false, newMD()),
						},
					},
				},
			},
		},
		{
			name: "ec2 instance with launch template, ref to name",
			terraform: `
resource "aws_launch_template" "this" {
	name = "testname"
	metadata_options {
		http_endpoint = "disabled"
		http_tokens   = "required"
	}
}

resource "aws_instance" "this" {
	launch_template {
		name = aws_launch_template.this.name
	}
}
`,
			expected: ec2.EC2{
				LaunchTemplates: []ec2.LaunchTemplate{
					{
						Metadata: newMD(),
						Instance: ec2.Instance{
							Metadata: newMD(),
							MetadataOptions: ec2.MetadataOptions{
								HttpEndpoint: defsecTypes.String("disabled", newMD()),
								HttpTokens:   defsecTypes.String("required", newMD()),
							},
						},
					},
				},
				Instances: []ec2.Instance{
					{
						Metadata: newMD(),
						MetadataOptions: ec2.MetadataOptions{
							HttpEndpoint: defsecTypes.String("disabled", newMD()),
							HttpTokens:   defsecTypes.String("required", newMD()),
						},
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  newMD(),
							Encrypted: defsecTypes.Bool(false, newMD()),
						},
					},
				},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			got := Adapt(modules)
			testutil.AssertDefsecEqual(t, tc.expected, got)
		})
	}
}

// TestLines checks that the adapter records the source line range of the
// instance and of each attribute it adapts. The snippet's layout is fixed:
// line 1 is the empty line after the opening backtick, so "resource" sits on
// line 2 and the closing brace on line 22. The expected numbers in the table
// below refer to that layout.
func TestLines(t *testing.T) {
	src := `
resource "aws_instance" "example" {
	ami           = "ami-7f89a64f"
	instance_type = "t1.micro"

	root_block_device {
		encrypted = true
	}

	metadata_options {
		http_tokens   = "required"
		http_endpoint = "disabled"
	}

	ebs_block_device {
		encrypted = true
	}

	user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
EOF
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Instances, 1)
	inst := adapted.Instances[0]

	// One row per adapted element: its label, the expected start/end line, and
	// a getter that reads the recorded range from the adapted model.
	checks := []struct {
		what       string
		start, end int
		got        func() (int, int)
	}{
		{"instance", 2, 22, func() (int, int) {
			r := inst.Metadata.Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"root_block_device", 6, 8, func() (int, int) {
			r := inst.RootBlockDevice.Metadata.Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"root_block_device.encrypted", 7, 7, func() (int, int) {
			r := inst.RootBlockDevice.Encrypted.GetMetadata().Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"metadata_options", 10, 13, func() (int, int) {
			r := inst.MetadataOptions.Metadata.Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"metadata_options.http_tokens", 11, 11, func() (int, int) {
			r := inst.MetadataOptions.HttpTokens.GetMetadata().Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"metadata_options.http_endpoint", 12, 12, func() (int, int) {
			r := inst.MetadataOptions.HttpEndpoint.GetMetadata().Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"ebs_block_device", 15, 17, func() (int, int) {
			r := inst.EBSBlockDevices[0].Metadata.Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		{"ebs_block_device.encrypted", 16, 16, func() (int, int) {
			r := inst.EBSBlockDevices[0].Encrypted.GetMetadata().Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
		// The heredoc spans from the "<<EOF" line to the "EOF" terminator.
		{"user_data", 19, 21, func() (int, int) {
			r := inst.UserData.GetMetadata().Range()
			return r.GetStartLine(), r.GetEndLine()
		}},
	}

	for _, c := range checks {
		gotStart, gotEnd := c.got()
		assert.Equal(t, c.start, gotStart, c.what)
		assert.Equal(t, c.end, gotEnd, c.what)
	}
}