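package rds

import (
	"testing"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"

	"github.com/aquasecurity/defsec/pkg/providers/aws/rds"
	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/aquasecurity/trivy-iac/test/testutil"
)

// Test_Adapt runs a multi-resource Terraform fixture through Adapt and pins
// the resulting rds.RDS model: the standalone aws_db_instance lands in
// Instances, the aws_rds_cluster together with its aws_rds_cluster_instance
// lands in Clusters, and the aws_db_security_group lands in
// Classic.DBSecurityGroups.
//
// The expected values are the security-relevant attributes the RDS checks
// are expected to read (public access, storage and Performance Insights
// encryption plus their KMS keys, backup retention, deletion protection and
// the replication source), so changing an expectation here changes what the
// scanner is able to detect. Metadata is NewTestMetadata() throughout;
// source ranges are covered separately by TestLines.
func Test_Adapt(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  rds.RDS
	}{
		{
			name: "defined",
			terraform: `

resource "aws_rds_cluster" "example" {
  engine = "aurora-mysql"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
  backup_retention_period = 7
  kms_key_id = "kms_key_1"
  storage_encrypted = true
  replication_source_identifier = "arn-of-a-source-db-cluster"
  deletion_protection = true
}

resource "aws_rds_cluster_instance" "example" {
  cluster_identifier = aws_rds_cluster.example.id
  name = "bar"
  performance_insights_enabled = true
  performance_insights_kms_key_id = "performance_key_0"
  kms_key_id = "kms_key_0"
  storage_encrypted = true
}

resource "aws_db_security_group" "example" {
  # ...
}

resource "aws_db_instance" "example" {
  publicly_accessible = false
  backup_retention_period = 5
  skip_final_snapshot = true
  performance_insights_enabled = true
  performance_insights_kms_key_id = "performance_key_1"
  storage_encrypted = true
  kms_key_id = "kms_key_2"
}
`,
			expected: rds.RDS{
				Instances: []rds.Instance{
					{
						Metadata:                  defsecTypes.NewTestMetadata(),
						BackupRetentionPeriodDays: defsecTypes.Int(5, defsecTypes.NewTestMetadata()),
						ReplicationSourceARN:      defsecTypes.String("", defsecTypes.NewTestMetadata()),
						PerformanceInsights: rds.PerformanceInsights{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							KMSKeyID: defsecTypes.String("performance_key_1", defsecTypes.NewTestMetadata()),
						},
						Encryption: rds.Encryption{
							Metadata:       defsecTypes.NewTestMetadata(),
							EncryptStorage: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							KMSKeyID:       defsecTypes.String("kms_key_2", defsecTypes.NewTestMetadata()),
						},
						PublicAccess: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						// The fixture declares no `engine` on the standalone
						// instance; the adapter models it as Aurora.
						Engine:           defsecTypes.String(rds.EngineAurora, defsecTypes.NewTestMetadata()),
						StorageEncrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
				},
				Clusters: []rds.Cluster{
					{
						Metadata:                  defsecTypes.NewTestMetadata(),
						BackupRetentionPeriodDays: defsecTypes.Int(7, defsecTypes.NewTestMetadata()),
						ReplicationSourceARN:      defsecTypes.String("arn-of-a-source-db-cluster", defsecTypes.NewTestMetadata()),
						// Performance Insights is configured on the cluster
						// instance, not the cluster, so it is off here.
						PerformanceInsights: rds.PerformanceInsights{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						Encryption: rds.Encryption{
							Metadata:       defsecTypes.NewTestMetadata(),
							EncryptStorage: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							KMSKeyID:       defsecTypes.String("kms_key_1", defsecTypes.NewTestMetadata()),
						},
						Instances: []rds.ClusterInstance{
							{
								Instance: rds.Instance{
									Metadata:                  defsecTypes.NewTestMetadata(),
									BackupRetentionPeriodDays: defsecTypes.Int(0, defsecTypes.NewTestMetadata()),
									ReplicationSourceARN:      defsecTypes.String("", defsecTypes.NewTestMetadata()),
									PerformanceInsights: rds.PerformanceInsights{
										Metadata: defsecTypes.NewTestMetadata(),
										Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
										KMSKeyID: defsecTypes.String("performance_key_0", defsecTypes.NewTestMetadata()),
									},
									Encryption: rds.Encryption{
										Metadata:       defsecTypes.NewTestMetadata(),
										EncryptStorage: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
										KMSKeyID:       defsecTypes.String("kms_key_0", defsecTypes.NewTestMetadata()),
									},
									PublicAccess:     defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
									Engine:           defsecTypes.String(rds.EngineAurora, defsecTypes.NewTestMetadata()),
									StorageEncrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
								},
								// The cluster_identifier reference is recorded
								// as the referenced block's address.
								ClusterIdentifier: defsecTypes.String("aws_rds_cluster.example", defsecTypes.NewTestMetadata()),
							},
						},
						PublicAccess: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						Engine:       defsecTypes.String(rds.EngineAuroraMysql, defsecTypes.NewTestMetadata()),
						AvailabilityZones: defsecTypes.StringValueList{
							defsecTypes.String("us-west-2a", defsecTypes.NewTestMetadata()),
							defsecTypes.String("us-west-2b", defsecTypes.NewTestMetadata()),
							defsecTypes.String("us-west-2c", defsecTypes.NewTestMetadata()),
						},
						DeletionProtection: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
				},
				Classic: rds.Classic{
					DBSecurityGroups: []rds.DBSecurityGroup{
						{
							Metadata: defsecTypes.NewTestMetadata(),
						},
					},
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			adapted := Adapt(modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// Test_adaptInstance pins the model produced for an aws_db_instance that
// sets no attributes at all, i.e. the defaults the checks see when a user
// omits every security-relevant setting.
//
// NOTE(review): for the bare instance StorageEncrypted is modelled as true
// while Encryption.EncryptStorage is modelled as false. Which of the two the
// encryption checks read decides whether an instance with no
// `storage_encrypted` is reported; worth confirming against the checks
// before relying on either default.
func Test_adaptInstance(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  rds.Instance
	}{
		{
			name: "instance defaults",
			terraform: `
resource "aws_db_instance" "example" {
}
`,
			expected: rds.Instance{
				Metadata:                  defsecTypes.NewTestMetadata(),
				BackupRetentionPeriodDays: defsecTypes.Int(0, defsecTypes.NewTestMetadata()),
				ReplicationSourceARN:      defsecTypes.String("", defsecTypes.NewTestMetadata()),
				PerformanceInsights: rds.PerformanceInsights{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				Encryption: rds.Encryption{
					Metadata:       defsecTypes.NewTestMetadata(),
					EncryptStorage: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					KMSKeyID:       defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				PublicAccess:     defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				Engine:           defsecTypes.String(rds.EngineAurora, defsecTypes.NewTestMetadata()),
				StorageEncrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				IAMAuthEnabled:   defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			// The fixture declares a single resource, so the first block is
			// the instance under test.
			adapted := adaptInstance(modules.GetBlocks()[0], modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// Test_adaptCluster pins the model produced for an aws_rds_cluster that sets
// no attributes: one day of backup retention, no encryption, no Performance
// Insights, not public, engine modelled as Aurora.
func Test_adaptCluster(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  rds.Cluster
	}{
		{
			name: "cluster defaults",
			terraform: `
resource "aws_rds_cluster" "example" {
}
`,
			expected: rds.Cluster{
				Metadata:                  defsecTypes.NewTestMetadata(),
				BackupRetentionPeriodDays: defsecTypes.Int(1, defsecTypes.NewTestMetadata()),
				ReplicationSourceARN:      defsecTypes.String("", defsecTypes.NewTestMetadata()),
				PerformanceInsights: rds.PerformanceInsights{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				Encryption: rds.Encryption{
					Metadata:       defsecTypes.NewTestMetadata(),
					EncryptStorage: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					KMSKeyID:       defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				PublicAccess: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				Engine:       defsecTypes.String(rds.EngineAurora, defsecTypes.NewTestMetadata()),
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			// Only the cluster model is compared here; adaptCluster's second
			// return value is not needed by this test.
			adapted, _ := adaptCluster(modules.GetBlocks()[0], modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that every adapted value carries the source range of the
// Terraform line it came from, which is what findings are reported against.
// Line numbers are 1-based within src; src opens with a newline, so the
// first resource starts on line 2.
func TestLines(t *testing.T) {
	src := `
resource "aws_rds_cluster" "example" {
  backup_retention_period = 7
  kms_key_id = "kms_key_1"
  storage_encrypted = true
  replication_source_identifier = "arn-of-a-source-db-cluster"
}

resource "aws_rds_cluster_instance" "example" {
  cluster_identifier = aws_rds_cluster.example.id
  backup_retention_period = 7
  performance_insights_enabled = true
  performance_insights_kms_key_id = "performance_key"
  storage_encrypted = true
  kms_key_id = "kms_key_0"
}

resource "aws_db_security_group" "example" {
}

resource "aws_db_instance" "example" {
  publicly_accessible = false
  backup_retention_period = 7
  performance_insights_enabled = true
  performance_insights_kms_key_id = "performance_key"
  storage_encrypted = true
  kms_key_id = "kms_key_0"
}
`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	// Guard every slice that is indexed below so a regression in the adapter
	// shows up as a failed assertion rather than an index-out-of-range panic.
	require.Len(t, adapted.Clusters, 1)
	require.Len(t, adapted.Instances, 1)
	require.Len(t, adapted.Clusters[0].Instances, 1)
	require.Len(t, adapted.Classic.DBSecurityGroups, 1)

	cluster := adapted.Clusters[0]
	instance := adapted.Instances[0]
	classic := adapted.Classic

	assert.Equal(t, 2, cluster.Metadata.Range().GetStartLine())
	assert.Equal(t, 7, cluster.Metadata.Range().GetEndLine())

	assert.Equal(t, 3, cluster.BackupRetentionPeriodDays.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 3, cluster.BackupRetentionPeriodDays.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 4, cluster.Encryption.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 4, cluster.Encryption.KMSKeyID.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 5, cluster.Encryption.EncryptStorage.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 5, cluster.Encryption.EncryptStorage.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 6, cluster.ReplicationSourceARN.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 6, cluster.ReplicationSourceARN.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 9, cluster.Instances[0].Instance.Metadata.Range().GetStartLine())
	assert.Equal(t, 16, cluster.Instances[0].Instance.Metadata.Range().GetEndLine())

	// ClusterIdentifier carries the range of the referenced aws_rds_cluster
	// block (lines 2-7), not that of the cluster_identifier attribute on
	// line 10.
	assert.Equal(t, 2, cluster.Instances[0].ClusterIdentifier.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 7, cluster.Instances[0].ClusterIdentifier.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 11, cluster.Instances[0].Instance.BackupRetentionPeriodDays.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 11, cluster.Instances[0].Instance.BackupRetentionPeriodDays.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 12, cluster.Instances[0].Instance.PerformanceInsights.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 12, cluster.Instances[0].Instance.PerformanceInsights.Enabled.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 13, cluster.Instances[0].Instance.PerformanceInsights.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 13, cluster.Instances[0].Instance.PerformanceInsights.KMSKeyID.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 14, cluster.Instances[0].Instance.Encryption.EncryptStorage.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 14, cluster.Instances[0].Instance.Encryption.EncryptStorage.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 15, cluster.Instances[0].Instance.Encryption.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 15, cluster.Instances[0].Instance.Encryption.KMSKeyID.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 18, classic.DBSecurityGroups[0].Metadata.Range().GetStartLine())
	assert.Equal(t, 19, classic.DBSecurityGroups[0].Metadata.Range().GetEndLine())

	assert.Equal(t, 21, instance.Metadata.Range().GetStartLine())
	assert.Equal(t, 28, instance.Metadata.Range().GetEndLine())

	assert.Equal(t, 22, instance.PublicAccess.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 22, instance.PublicAccess.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 23, instance.BackupRetentionPeriodDays.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 23, instance.BackupRetentionPeriodDays.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 24, instance.PerformanceInsights.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 24, instance.PerformanceInsights.Enabled.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 25, instance.PerformanceInsights.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 25, instance.PerformanceInsights.KMSKeyID.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 26, instance.Encryption.EncryptStorage.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 26, instance.Encryption.EncryptStorage.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 27, instance.Encryption.KMSKeyID.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 27, instance.Encryption.KMSKeyID.GetMetadata().Range().GetEndLine())
}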