github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/internal/adapters/terraform/aws/iam/policies_test.go (about)

     1  package iam
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/aquasecurity/defsec/pkg/types"
     7  
     8  	"github.com/aquasecurity/defsec/pkg/providers/aws/iam"
     9  	"github.com/liamg/iamgo"
    10  
    11  	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
    12  	"github.com/aquasecurity/trivy-iac/test/testutil"
    13  )
    14  
// defaultPolicyDocuemnt builds the iam.Document the "basic" fixture is expected
// to produce: policy version 2012-10-17 with a single Allow statement granting
// ec2:Describe* on resource "*", test metadata, HasRefs false and the caller's
// IsOffset flag.
func defaultPolicyDocuemnt(offset bool) iam.Document {
	// Assemble the single statement first, then the policy that wraps it.
	stmt := iamgo.NewStatementBuilder()
	stmt.WithEffect(iamgo.EffectAllow)
	stmt.WithActions([]string{"ec2:Describe*"})
	stmt.WithResources([]string{"*"})

	policy := iamgo.NewPolicyBuilder()
	policy.WithVersion("2012-10-17")
	policy.WithStatement(stmt.Build())

	doc := iam.Document{
		Metadata: defsecTypes.NewTestMetadata(),
		Parsed:   policy.Build(),
	}
	// Only IsOffset varies between callers; the fixture never has references.
	doc.IsOffset = offset
	doc.HasRefs = false
	return doc
}
    34  
// Test_adaptPolicies checks that adaptPolicies turns aws_iam_policy resources
// into iam.Policy values: one with an inline jsonencode document, and two whose
// document comes from an aws_iam_policy_document data source expanded with the
// count and for_each meta-arguments respectively.
func Test_adaptPolicies(t *testing.T) {
	// sqsDocument builds the parsed document both expansion cases expect: a
	// single Allow statement with the given sid, action sqs:CancelMessageMoveTask
	// and resource arn:aws:sqs:::*.
	// NOTE(review): unlike the jsonencode fixture, no Version is expected here;
	// confirm this matches how the adapter handles data-source documents.
	sqsDocument := func(sid string) iamgo.Document {
		stmt := iamgo.NewStatementBuilder()
		stmt.WithEffect(iamgo.EffectAllow)
		stmt.WithSid(sid)
		stmt.WithActions([]string{"sqs:CancelMessageMoveTask"})
		stmt.WithResources([]string{"arn:aws:sqs:::*"})

		policy := iamgo.NewPolicyBuilder()
		policy.WithStatement(stmt.Build())
		return policy.Build()
	}

	// expandedPolicy is the expected iam.Policy for a resource named name whose
	// document is resolved from a data source: IsOffset true, HasRefs false.
	expandedPolicy := func(name, sid string) iam.Policy {
		return iam.Policy{
			Metadata: defsecTypes.NewTestMetadata(),
			Name:     defsecTypes.String(name, defsecTypes.NewTestMetadata()),
			Builtin:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
			Document: iam.Document{
				Metadata: defsecTypes.NewTestMetadata(),
				IsOffset: true,
				HasRefs:  false,
				Parsed:   sqsDocument(sid),
			},
		}
	}

	cases := []struct {
		name      string
		terraform string
		expected  []iam.Policy
	}{
		{
			name: "basic",
			terraform: `
			resource "aws_iam_policy" "policy" {
				name = "test"	

				policy = jsonencode({
					Version = "2012-10-17"
					Statement = [
					  {
						Action = [
						  "ec2:Describe*",
						]
						Effect   = "Allow"
						Resource = "*"
					  },
					]
				  })
			  }
`,
			expected: []iam.Policy{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String("test", defsecTypes.NewTestMetadata()),
					Builtin:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					// Inline document: not offset, no refs.
					Document: defaultPolicyDocuemnt(false),
				},
			},
		},
		{
			name: "aws_iam_policy_document with count Meta-Argument",
			terraform: `locals {
  sqs = [
    "arn:aws:sqs:::*"
  ]
}

data "aws_iam_policy_document" "this" {
  count = length(local.sqs)
  statement {
    sid = "test-${count.index}"
    actions = [
      "sqs:CancelMessageMoveTask"
    ]
    resources = [
      "${local.sqs[count.index]}"
    ]
  }
}

resource "aws_iam_policy" "this" {
  count  = length(local.sqs)
  name   = "test-${count.index}"
  policy = data.aws_iam_policy_document.this[count.index].json
}
`,
			// count.index is 0 for the single list element.
			expected: []iam.Policy{expandedPolicy("test-0", "test-0")},
		},
		{
			name: "aws_iam_policy_document with for_each meta-argument",
			terraform: `locals {
  sqs = {
    sqs1 = "arn:aws:sqs:::*"
  }
}

data "aws_iam_policy_document" "this" {
  for_each = local.sqs

  statement {
    sid = each.key
    actions = [
      "sqs:CancelMessageMoveTask"
    ]
    resources = [each.value]
  }
}


resource "aws_iam_policy" "this" {
  for_each = local.sqs
  name        = "test-${each.key}"
  policy      = data.aws_iam_policy_document.this[each.key].json
}`,
			// each.key is "sqs1": the name is prefixed, the sid is the bare key.
			expected: []iam.Policy{expandedPolicy("test-sqs1", "sqs1")},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Parse the fixture as a .tf module set, adapt it, and compare the
			// result against the expected policies.
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			testutil.AssertDefsecEqual(t, tc.expected, adaptPolicies(modules))
		})
	}
}