github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/internal/adapters/terraform/digitalocean/compute/adapt_test.go (about) 1 package compute 2 3 import ( 4 "testing" 5 6 defsecTypes "github.com/aquasecurity/defsec/pkg/types" 7 8 "github.com/aquasecurity/defsec/pkg/providers/digitalocean/compute" 9 "github.com/stretchr/testify/assert" 10 "github.com/stretchr/testify/require" 11 12 "github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil" 13 "github.com/aquasecurity/trivy-iac/test/testutil" 14 ) 15 16 func Test_adaptDroplets(t *testing.T) { 17 tests := []struct { 18 name string 19 terraform string 20 expected []compute.Droplet 21 }{ 22 { 23 name: "key as data reference", 24 terraform: ` 25 data "digitalocean_ssh_key" "terraform" { 26 name = "myKey" 27 } 28 29 resource "digitalocean_droplet" "example" { 30 ssh_keys = [ data.digitalocean_ssh_key.myKey.id ] 31 } 32 `, 33 expected: []compute.Droplet{ 34 { 35 Metadata: defsecTypes.NewTestMetadata(), 36 SSHKeys: []defsecTypes.StringValue{ 37 defsecTypes.String("", defsecTypes.NewTestMetadata()), 38 }, 39 }, 40 }, 41 }, 42 { 43 name: "key as string", 44 terraform: ` 45 data "digitalocean_ssh_key" "terraform" { 46 name = "myKey" 47 } 48 49 resource "digitalocean_droplet" "example" { 50 ssh_keys = [ "my-ssh-key" ] 51 } 52 `, 53 expected: []compute.Droplet{ 54 { 55 Metadata: defsecTypes.NewTestMetadata(), 56 SSHKeys: []defsecTypes.StringValue{ 57 defsecTypes.String("my-ssh-key", defsecTypes.NewTestMetadata()), 58 }, 59 }, 60 }, 61 }, 62 { 63 name: "defaults", 64 terraform: ` 65 resource "digitalocean_droplet" "example" { 66 } 67 `, 68 expected: []compute.Droplet{ 69 { 70 Metadata: defsecTypes.NewTestMetadata(), 71 }, 72 }, 73 }, 74 } 75 76 for _, test := range tests { 77 t.Run(test.name, func(t *testing.T) { 78 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 79 adapted := adaptDroplets(modules) 80 testutil.AssertDefsecEqual(t, test.expected, adapted) 81 }) 82 } 83 } 84 85 func Test_adaptFirewalls(t *testing.T) { 86 tests := []struct { 87 name string 88 terraform string 89 expected []compute.Firewall 90 }{ 91 { 92 name: "basic", 93 terraform: ` 94 resource "digitalocean_firewall" "example" { 95 droplet_ids = [digitalocean_droplet.web.id] 96 97 outbound_rule { 98 protocol = "tcp" 99 port_range = "22" 100 destination_addresses = ["192.168.1.0/24"] 101 } 102 103 inbound_rule { 104 protocol = "tcp" 105 port_range = "22" 106 source_addresses = ["192.168.1.0/24", "fc00::/7"] 107 } 108 } 109 `, 110 expected: []compute.Firewall{ 111 { 112 Metadata: defsecTypes.NewTestMetadata(), 113 OutboundRules: []compute.OutboundFirewallRule{ 114 { 115 Metadata: defsecTypes.NewTestMetadata(), 116 DestinationAddresses: []defsecTypes.StringValue{ 117 defsecTypes.String("192.168.1.0/24", defsecTypes.NewTestMetadata()), 118 }, 119 }, 120 }, 121 InboundRules: []compute.InboundFirewallRule{ 122 { 123 Metadata: defsecTypes.NewTestMetadata(), 124 SourceAddresses: []defsecTypes.StringValue{ 125 defsecTypes.String("192.168.1.0/24", defsecTypes.NewTestMetadata()), 126 defsecTypes.String("fc00::/7", defsecTypes.NewTestMetadata()), 127 }, 128 }, 129 }, 130 }, 131 }, 132 }, 133 { 134 name: "defaults", 135 terraform: ` 136 resource "digitalocean_firewall" "example" { 137 } 138 `, 139 expected: []compute.Firewall{ 140 { 141 Metadata: defsecTypes.NewTestMetadata(), 142 OutboundRules: []compute.OutboundFirewallRule{}, 143 InboundRules: []compute.InboundFirewallRule{}, 144 }, 145 }, 146 }, 147 } 148 149 for _, test := range tests { 150 t.Run(test.name, func(t *testing.T) { 151 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 152 adapted := adaptFirewalls(modules) 153 testutil.AssertDefsecEqual(t, test.expected, adapted) 154 }) 155 } 156 } 157 158 func Test_adaptLoadBalancers(t *testing.T) { 159 tests := []struct { 160 name string 161 terraform string 162 expected []compute.LoadBalancer 163 }{ 164 { 165 name: "basic", 166 terraform: ` 167 resource "digitalocean_loadbalancer" "example" { 168 169 forwarding_rule { 170 entry_port = 443 171 entry_protocol = "https" 172 173 target_port = 443 174 target_protocol = "https" 175 } 176 177 redirect_http_to_https = true 178 } 179 `, 180 expected: []compute.LoadBalancer{ 181 { 182 Metadata: defsecTypes.NewTestMetadata(), 183 RedirectHttpToHttps: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 184 ForwardingRules: []compute.ForwardingRule{ 185 { 186 Metadata: defsecTypes.NewTestMetadata(), 187 EntryProtocol: defsecTypes.String("https", defsecTypes.NewTestMetadata()), 188 }, 189 }, 190 }, 191 }, 192 }, 193 { 194 name: "defaults", 195 terraform: ` 196 resource "digitalocean_loadbalancer" "example" { 197 } 198 `, 199 expected: []compute.LoadBalancer{ 200 { 201 Metadata: defsecTypes.NewTestMetadata(), 202 ForwardingRules: nil, 203 }, 204 }, 205 }, 206 } 207 208 for _, test := range tests { 209 t.Run(test.name, func(t *testing.T) { 210 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 211 adapted := adaptLoadBalancers(modules) 212 testutil.AssertDefsecEqual(t, test.expected, adapted) 213 }) 214 } 215 } 216 217 func Test_adaptKubernetesClusters(t *testing.T) { 218 tests := []struct { 219 name string 220 terraform string 221 expected []compute.KubernetesCluster 222 }{ 223 { 224 name: "basic", 225 terraform: ` 226 resource "digitalocean_kubernetes_cluster" "example" { 227 name = "foo" 228 region = "nyc1" 229 version = "1.20.2-do.0" 230 surge_upgrade = true 231 auto_upgrade = true 232 } 233 `, 234 expected: []compute.KubernetesCluster{ 235 { 236 Metadata: defsecTypes.NewTestMetadata(), 237 SurgeUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 238 AutoUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()), 239 }, 240 }, 241 }, 242 { 243 name: "defaults", 244 terraform: ` 245 resource "digitalocean_kubernetes_cluster" "example" { 246 } 247 `, 248 expected: []compute.KubernetesCluster{ 249 { 250 Metadata: defsecTypes.NewTestMetadata(), 251 SurgeUpgrade: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 252 AutoUpgrade: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()), 253 }, 254 }, 255 }, 256 } 257 258 for _, test := range tests { 259 t.Run(test.name, func(t *testing.T) { 260 modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf") 261 adapted := adaptKubernetesClusters(modules) 262 testutil.AssertDefsecEqual(t, test.expected, adapted) 263 }) 264 } 265 } 266 267 func TestLines(t *testing.T) { 268 src := ` 269 data "digitalocean_ssh_key" "terraform" { 270 name = "myKey" 271 } 272 273 resource "digitalocean_droplet" "example" { 274 ssh_keys = [ data.digitalocean_ssh_key.myKey.id ] 275 } 276 277 resource "digitalocean_firewall" "example" { 278 279 outbound_rule { 280 destination_addresses = ["192.168.1.0/24"] 281 } 282 283 inbound_rule { 284 source_addresses = ["192.168.1.0/24", "fc00::/7"] 285 } 286 } 287 288 resource "digitalocean_loadbalancer" "example" { 289 290 forwarding_rule { 291 entry_port = 443 292 entry_protocol = "https" 293 } 294 } 295 296 resource "digitalocean_kubernetes_cluster" "example" { 297 name = "foo" 298 surge_upgrade = true 299 auto_upgrade = true 300 }` 301 302 modules := tftestutil.CreateModulesFromSource(t, src, ".tf") 303 adapted := Adapt(modules) 304 305 require.Len(t, adapted.Droplets, 1) 306 require.Len(t, adapted.Firewalls, 1) 307 require.Len(t, adapted.KubernetesClusters, 1) 308 require.Len(t, adapted.LoadBalancers, 1) 309 310 droplet := adapted.Droplets[0] 311 firewall := adapted.Firewalls[0] 312 cluster := adapted.KubernetesClusters[0] 313 loadBalancer := adapted.LoadBalancers[0] 314 315 assert.Equal(t, 6, droplet.Metadata.Range().GetStartLine()) 316 assert.Equal(t, 8, droplet.Metadata.Range().GetEndLine()) 317 318 assert.Equal(t, 7, droplet.SSHKeys[0].GetMetadata().Range().GetStartLine()) 319 assert.Equal(t, 7, droplet.SSHKeys[0].GetMetadata().Range().GetEndLine()) 320 321 assert.Equal(t, 10, firewall.Metadata.Range().GetStartLine()) 322 assert.Equal(t, 19, firewall.Metadata.Range().GetEndLine()) 323 324 assert.Equal(t, 12, firewall.OutboundRules[0].Metadata.Range().GetStartLine()) 325 assert.Equal(t, 14, firewall.OutboundRules[0].Metadata.Range().GetEndLine()) 326 327 assert.Equal(t, 13, firewall.OutboundRules[0].DestinationAddresses[0].GetMetadata().Range().GetStartLine()) 328 assert.Equal(t, 13, firewall.OutboundRules[0].DestinationAddresses[0].GetMetadata().Range().GetEndLine()) 329 330 assert.Equal(t, 16, firewall.InboundRules[0].Metadata.Range().GetStartLine()) 331 assert.Equal(t, 18, firewall.InboundRules[0].Metadata.Range().GetEndLine()) 332 333 assert.Equal(t, 17, firewall.InboundRules[0].SourceAddresses[0].GetMetadata().Range().GetStartLine()) 334 assert.Equal(t, 17, firewall.InboundRules[0].SourceAddresses[0].GetMetadata().Range().GetEndLine()) 335 336 assert.Equal(t, 21, loadBalancer.Metadata.Range().GetStartLine()) 337 assert.Equal(t, 27, loadBalancer.Metadata.Range().GetEndLine()) 338 339 assert.Equal(t, 23, loadBalancer.ForwardingRules[0].Metadata.Range().GetStartLine()) 340 assert.Equal(t, 26, loadBalancer.ForwardingRules[0].Metadata.Range().GetEndLine()) 341 342 assert.Equal(t, 25, loadBalancer.ForwardingRules[0].EntryProtocol.GetMetadata().Range().GetStartLine()) 343 assert.Equal(t, 25, loadBalancer.ForwardingRules[0].EntryProtocol.GetMetadata().Range().GetEndLine()) 344 345 assert.Equal(t, 29, cluster.Metadata.Range().GetStartLine()) 346 assert.Equal(t, 33, cluster.Metadata.Range().GetEndLine()) 347 348 assert.Equal(t, 31, cluster.SurgeUpgrade.GetMetadata().Range().GetStartLine()) 349 assert.Equal(t, 31, cluster.SurgeUpgrade.GetMetadata().Range().GetEndLine()) 350 351 assert.Equal(t, 32, cluster.AutoUpgrade.GetMetadata().Range().GetStartLine()) 352 assert.Equal(t, 32, cluster.AutoUpgrade.GetMetadata().Range().GetEndLine()) 353 }