package iam

import (
	"testing"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"

	"github.com/aquasecurity/defsec/pkg/providers/aws/iam"

	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/aquasecurity/trivy-iac/test/testutil"
)

// Test_adaptGroups checks that adaptGroups turns aws_iam_group resources into
// iam.Group values with the right policies attached. One case carries the
// policy inline as an aws_iam_group_policy; the other declares an
// aws_iam_policy and links it through an aws_iam_group_policy_attachment.
// Both expected documents are built by defaultPolicyDocuemnt (defined
// elsewhere in this package), so the fixtures here must stay in step with
// whatever that helper produces.
func Test_adaptGroups(t *testing.T) {
	// groupWithPolicy builds the expected iam.Group for a group that carries
	// exactly one policy. Every metadata field is a fresh test placeholder,
	// mirroring how the adapter output is compared by AssertDefsecEqual.
	groupWithPolicy := func(groupName, policyName string) iam.Group {
		return iam.Group{
			Metadata: defsecTypes.NewTestMetadata(),
			Name:     defsecTypes.String(groupName, defsecTypes.NewTestMetadata()),
			Policies: []iam.Policy{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String(policyName, defsecTypes.NewTestMetadata()),
					Document: defaultPolicyDocuemnt(false),
				},
			},
		}
	}

	cases := []struct {
		name     string
		source   string
		expected []iam.Group
	}{
		{
			// Inline group policy: the policy body is a JSON heredoc on the
			// aws_iam_group_policy resource itself.
			name: "policy",
			source: `
			resource "aws_iam_group_policy" "my_developer_policy" {
				name  = "my_developer_policy"
				group = aws_iam_group.my_developers.name

				policy = <<EOF
				{
				  "Version": "2012-10-17",
				  "Statement": [
				    {
				      "Effect": "Allow",
				      "Resource": "*",
				      "Action": [
				        "ec2:Describe*"
				      ]
				    }
				  ]
				}
				EOF
			}

			resource "aws_iam_group" "my_developers" {
				name = "developers"
				path = "/users/"
			}

			`,
			expected: []iam.Group{
				groupWithPolicy("developers", "my_developer_policy"),
			},
		},
		{
			// Managed policy: the document lives on a separate aws_iam_policy
			// (built with jsonencode) and reaches the group via its ARN in an
			// aws_iam_group_policy_attachment.
			name: "attachment policy",
			source: `
			resource "aws_iam_group" "group" {
				name = "test-group"
			}

			resource "aws_iam_policy" "policy" {
				name        = "test-policy"
				description = "A test policy"
				policy = jsonencode({
					Version = "2012-10-17"
					Statement = [
						{
							Action = [
								"ec2:Describe*",
							]
							Effect   = "Allow"
							Resource = "*"
						},
					]
				})
			}

			resource "aws_iam_group_policy_attachment" "test-attach" {
				group      = aws_iam_group.group.name
				policy_arn = aws_iam_policy.policy.arn
			}
			`,
			expected: []iam.Group{
				groupWithPolicy("test-group", "test-policy"),
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Parse the HCL snippet as a single .tf module, run the adapter,
			// and compare against the expected groups.
			modules := tftestutil.CreateModulesFromSource(t, tc.source, ".tf")
			testutil.AssertDefsecEqual(t, tc.expected, adaptGroups(modules))
		})
	}
}