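package gke

import (
	"testing"

	defsecTypes "github.com/aquasecurity/defsec/pkg/types"

	"github.com/aquasecurity/defsec/pkg/providers/google/gke"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/aquasecurity/trivy-iac/internal/adapters/terraform/tftestutil"
	"github.com/aquasecurity/trivy-iac/test/testutil"
)

// Test_Adapt checks that google_container_cluster and
// google_container_node_pool resources are adapted into the defsec GKE model.
//
// The fixtures deliberately declare the security-sensitive attributes that the
// downstream GKE checks presumably read (legacy ABAC, client-certificate
// issuance, GCE_METADATA node metadata exposure, master authorized networks,
// private nodes, network policy, shielded nodes). Only adaptation is verified
// here: the expected values mirror the HCL whether or not a given setting is
// secure; check outcomes are not asserted in this file.
//
// Two adapter behaviours are pinned by the expectations and matter when
// editing these cases:
//   - when a node pool is attached to the cluster, the cluster's NodeConfig
//     is the pool's node_config (case 1 expects COS_CONTAINERD/GCE_METADATA on
//     the cluster although only the pool declares them);
//   - undeclared attributes receive defaults, e.g. EnableShieldedNodes is true
//     and DatapathProvider is DATAPATH_PROVIDER_UNSPECIFIED in case 2.
func Test_Adapt(t *testing.T) {
	cases := []struct {
		name      string
		terraform string
		expected  gke.GKE
	}{
		{
			name: "separately defined pool",
			// The pool's service_account references
			// google_service_account.default.email, but the fixture declares
			// no email, so the reference does not resolve and the model
			// carries an empty ServiceAccount.
			terraform: `
resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "example" {
  name = "my-gke-cluster"

  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
  }

  pod_security_policy_config {
    enabled = "true"
  }

  enable_legacy_abac    = "true"
  enable_shielded_nodes = "true"

  remove_default_node_pool = true
  initial_node_count       = 1
  monitoring_service       = "monitoring.googleapis.com/kubernetes"
  logging_service          = "logging.googleapis.com/kubernetes"

  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.128.0/24"
      display_name = "internal"
    }
  }

  resource_labels = {
    "env" = "staging"
  }

  private_cluster_config {
    enable_private_nodes = true
  }

  network_policy {
    enabled = true
  }

  ip_allocation_policy {}

  enable_autopilot = true

  datapath_provider = "ADVANCED_DATAPATH"
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  cluster    = google_container_cluster.example.name
  node_count = 1

  node_config {
    service_account = google_service_account.default.email
    metadata = {
      disable-legacy-endpoints = true
    }
    image_type = "COS_CONTAINERD"
    workload_metadata_config {
      mode = "GCE_METADATA"
    }
  }
  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
`,
			expected: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						// Mirrors the attached pool's node_config, not the
						// cluster-level node_config block.
						NodeConfig: gke.NodeConfig{
							Metadata:  defsecTypes.NewTestMetadata(),
							ImageType: defsecTypes.String("COS_CONTAINERD", defsecTypes.NewTestMetadata()),
							WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
								Metadata:     defsecTypes.NewTestMetadata(),
								NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
							},
							ServiceAccount:        defsecTypes.String("", defsecTypes.NewTestMetadata()),
							EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						NodePools: []gke.NodePool{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Management: gke.Management{
									Metadata:          defsecTypes.NewTestMetadata(),
									EnableAutoRepair:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
									EnableAutoUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
								},
								NodeConfig: gke.NodeConfig{
									Metadata:  defsecTypes.NewTestMetadata(),
									ImageType: defsecTypes.String("COS_CONTAINERD", defsecTypes.NewTestMetadata()),
									WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
										Metadata:     defsecTypes.NewTestMetadata(),
										NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
									},
									ServiceAccount:        defsecTypes.String("", defsecTypes.NewTestMetadata()),
									EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
								},
							},
						},
						IPAllocationPolicy: gke.IPAllocationPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							CIDRs: []defsecTypes.StringValue{
								defsecTypes.String("10.10.128.0/24", defsecTypes.NewTestMetadata()),
							},
						},
						NetworkPolicy: gke.NetworkPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						DatapathProvider: defsecTypes.String("ADVANCED_DATAPATH", defsecTypes.NewTestMetadata()),
						PrivateCluster: gke.PrivateCluster{
							Metadata:           defsecTypes.NewTestMetadata(),
							EnablePrivateNodes: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						LoggingService:    defsecTypes.String("logging.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MonitoringService: defsecTypes.String("monitoring.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MasterAuth: gke.MasterAuth{
							Metadata: defsecTypes.NewTestMetadata(),
							ClientCertificate: gke.ClientCertificate{
								Metadata:         defsecTypes.NewTestMetadata(),
								IssueCertificate: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							},
							// No basic-auth credentials are declared in the fixture.
							Username: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							Password: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						EnableShieldedNodes: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						EnableLegacyABAC:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						ResourceLabels: defsecTypes.Map(map[string]string{
							"env": "staging",
						}, defsecTypes.NewTestMetadata()),
						RemoveDefaultNodePool: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						// "Autpilot" is the field's spelling in the defsec model.
						EnableAutpilot: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
		{
			name: "default node pool",
			terraform: `
resource "google_container_cluster" "example" {
  node_config {
    service_account = "service-account"
    metadata = {
      disable-legacy-endpoints = true
    }
    image_type = "COS"
    workload_metadata_config {
      mode = "GCE_METADATA"
    }
  }
}
`,
			// Everything not declared above is expected at its default:
			// note EnableShieldedNodes defaults to true and DatapathProvider
			// is a StringDefault rather than an explicit value.
			expected: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						NodeConfig: gke.NodeConfig{
							Metadata:  defsecTypes.NewTestMetadata(),
							ImageType: defsecTypes.String("COS", defsecTypes.NewTestMetadata()),
							WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
								Metadata:     defsecTypes.NewTestMetadata(),
								NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
							},
							ServiceAccount:        defsecTypes.String("service-account", defsecTypes.NewTestMetadata()),
							EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						IPAllocationPolicy: gke.IPAllocationPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							CIDRs:    []defsecTypes.StringValue{},
						},
						NetworkPolicy: gke.NetworkPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						DatapathProvider: defsecTypes.StringDefault("DATAPATH_PROVIDER_UNSPECIFIED", defsecTypes.NewTestMetadata()),
						PrivateCluster: gke.PrivateCluster{
							Metadata:           defsecTypes.NewTestMetadata(),
							EnablePrivateNodes: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						LoggingService:    defsecTypes.String("logging.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MonitoringService: defsecTypes.String("monitoring.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MasterAuth: gke.MasterAuth{
							Metadata: defsecTypes.NewTestMetadata(),
							ClientCertificate: gke.ClientCertificate{
								Metadata:         defsecTypes.NewTestMetadata(),
								IssueCertificate: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							},
							Username: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							Password: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						EnableShieldedNodes:   defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						EnableLegacyABAC:      defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						ResourceLabels:        defsecTypes.Map(map[string]string{}, defsecTypes.NewTestMetadata()),
						RemoveDefaultNodePool: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			got := Adapt(modules)
			testutil.AssertDefsecEqual(t, tc.expected, got)
		})
	}
}

// TestLines checks that every adapted value carries the source range of the
// HCL it came from, so that findings point at the right lines.
//
// Line numbers are relative to the raw string: line 1 is the empty line after
// the opening backtick, so the cluster resource opens on line 2 and closes on
// line 44; the node pool spans lines 46-64.
func TestLines(t *testing.T) {
	src := `
resource "google_container_cluster" "example" {

	node_config {
		metadata = {
			disable-legacy-endpoints = true
		}
	}
	pod_security_policy_config {
		enabled = "true"
	}

	enable_legacy_abac = "true"
	enable_shielded_nodes = "true"

	remove_default_node_pool = true
	monitoring_service = "monitoring.googleapis.com/kubernetes"
	logging_service = "logging.googleapis.com/kubernetes"

	master_auth {
		client_certificate_config {
			issue_client_certificate = true
		}
	}

	master_authorized_networks_config {
		cidr_blocks {
			cidr_block = "10.10.128.0/24"
		}
	}

	resource_labels = {
		"env" = "staging"
	}

	private_cluster_config {
		enable_private_nodes = true
	}

	network_policy {
		enabled = true
	}
	ip_allocation_policy {}
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
	cluster = google_container_cluster.example.name

	node_config {
		metadata = {
			disable-legacy-endpoints = true
		}
		service_account = google_service_account.default.email
		image_type = "COS_CONTAINERD"

		workload_metadata_config {
			mode = "GCE_METADATA"
		}
	}
	management {
		auto_repair = true
		auto_upgrade = true
	}
}
`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Clusters, 1)
	cluster := adapted.Clusters[0]

	// Guard the indexes below: if the pool's cluster reference failed to
	// resolve, the pool would not be attached and [0] would panic with an
	// index-out-of-range instead of producing a readable failure. Same for the
	// single authorized-network CIDR.
	require.Len(t, cluster.NodePools, 1)
	nodePool := cluster.NodePools[0]
	require.Len(t, cluster.MasterAuthorizedNetworks.CIDRs, 1)

	assertLineRange(t, cluster.Metadata, 2, 44)

	// The cluster's NodeConfig is the attached pool's node_config (lines
	// 49-59), not the cluster-level node_config block on lines 4-8.
	assertLineRange(t, cluster.NodeConfig.Metadata, 49, 59)
	assertLineRange(t, cluster.NodeConfig.EnableLegacyEndpoints.GetMetadata(), 50, 52)

	assertLineRange(t, cluster.EnableLegacyABAC.GetMetadata(), 13, 13)
	assertLineRange(t, cluster.EnableShieldedNodes.GetMetadata(), 14, 14)
	assertLineRange(t, cluster.RemoveDefaultNodePool.GetMetadata(), 16, 16)
	assertLineRange(t, cluster.MonitoringService.GetMetadata(), 17, 17)
	assertLineRange(t, cluster.LoggingService.GetMetadata(), 18, 18)

	assertLineRange(t, cluster.MasterAuth.Metadata, 20, 24)
	assertLineRange(t, cluster.MasterAuth.ClientCertificate.Metadata, 21, 23)
	assertLineRange(t, cluster.MasterAuth.ClientCertificate.IssueCertificate.GetMetadata(), 22, 22)

	assertLineRange(t, cluster.MasterAuthorizedNetworks.Metadata, 26, 30)
	assertLineRange(t, cluster.MasterAuthorizedNetworks.CIDRs[0].GetMetadata(), 28, 28)

	assertLineRange(t, cluster.ResourceLabels.GetMetadata(), 32, 34)

	assertLineRange(t, cluster.PrivateCluster.Metadata, 36, 38)
	assertLineRange(t, cluster.PrivateCluster.EnablePrivateNodes.GetMetadata(), 37, 37)

	assertLineRange(t, cluster.NetworkPolicy.Metadata, 40, 42)
	assertLineRange(t, cluster.NetworkPolicy.Enabled.GetMetadata(), 41, 41)

	assertLineRange(t, cluster.IPAllocationPolicy.Metadata, 43, 43)

	assertLineRange(t, nodePool.Metadata, 46, 64)
	assertLineRange(t, nodePool.NodeConfig.Metadata, 49, 59)
	assertLineRange(t, nodePool.NodeConfig.ServiceAccount.GetMetadata(), 53, 53)
	assertLineRange(t, nodePool.NodeConfig.ImageType.GetMetadata(), 54, 54)
	assertLineRange(t, nodePool.NodeConfig.WorkloadMetadataConfig.Metadata, 56, 58)
	assertLineRange(t, nodePool.NodeConfig.WorkloadMetadataConfig.NodeMetadata.GetMetadata(), 57, 57)

	assertLineRange(t, nodePool.Management.Metadata, 60, 63)
	assertLineRange(t, nodePool.Management.EnableAutoRepair.GetMetadata(), 61, 61)
	assertLineRange(t, nodePool.Management.EnableAutoUpgrade.GetMetadata(), 62, 62)
}

// assertLineRange asserts that md's source range starts on line start and
// ends on line end (both inclusive, 1-based, as reported by Range()).
func assertLineRange(t *testing.T, md defsecTypes.Metadata, start, end int) {
	t.Helper()
	r := md.Range()
	assert.Equal(t, start, r.GetStartLine(), "start line")
	assert.Equal(t, end, r.GetEndLine(), "end line")
}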