github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/aws/athena/adapt_test.go (about)

     1  package athena
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/athena"
     9  
    10  	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
    11  
    12  	"github.com/khulnasoft-lab/defsec/test/testutil"
    13  	"github.com/stretchr/testify/assert"
    14  	"github.com/stretchr/testify/require"
    15  )
    16  
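// Test_adaptDatabase checks that adaptDatabase converts an
// aws_athena_database Terraform block into the expected athena.Database.
//
// The single case pins the name and the mapping of
// encryption_option = "SSE_KMS" to athena.EncryptionTypeSSEKMS.
//
// NOTE(review): no case here covers a database without an
// encryption_configuration block or with an empty encryption_option. The
// workgroup test pins those variants; consider adding the equivalent cases
// here so the unencrypted path is pinned too.
func Test_adaptDatabase(t *testing.T) {
	tests := []struct {
		name      string          // subtest name
		terraform string          // Terraform source handed to the parser
		expected  athena.Database // value adaptDatabase must produce
	}{
		{
			name: "athena database",
			terraform: `
			resource "aws_athena_database" "my_wg" {
				name   = "database_name"
			  
				encryption_configuration {
				   encryption_option = "SSE_KMS"
			   }
			}
`,
			expected: athena.Database{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String("database_name", defsecTypes.NewTestMetadata()),
				Encryption: athena.EncryptionConfiguration{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String(athena.EncryptionTypeSSEKMS, defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")

			// Fail with a readable message rather than an index-out-of-range
			// panic if the fixture yields no blocks.
			blocks := modules.GetBlocks()
			if len(blocks) == 0 {
				t.Fatal("fixture produced no Terraform blocks")
			}

			adapted := adaptDatabase(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}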
    53  
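// Test_adaptWorkgroup checks that adaptWorkgroup converts an
// aws_athena_workgroup Terraform block into the expected athena.Workgroup.
//
// The cases pin the two values the fixtures vary: the result encryption type
// and EnforceConfiguration. They include the expected values when
// enforce_workgroup_configuration is omitted and when the whole configuration
// block is absent. Those two cases expect different EnforceConfiguration
// values (true and false), so they are kept as separate cases.
func Test_adaptWorkgroup(t *testing.T) {
	tests := []struct {
		name      string           // subtest name
		terraform string           // Terraform source handed to the parser
		expected  athena.Workgroup // value adaptWorkgroup must produce
	}{
		{
			// Enforcement on, results encrypted with SSE_KMS.
			name: "encryption type SSE KMS",
			terraform: `
			resource "aws_athena_workgroup" "my_wg" {
				name = "example"
			  
				configuration {
				  enforce_workgroup_configuration    = true
			  
				  result_configuration {
					encryption_configuration {
					  encryption_option = "SSE_KMS"
					}
				  }
				}
			  }
`,
			expected: athena.Workgroup{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String("example", defsecTypes.NewTestMetadata()),
				Encryption: athena.EncryptionConfiguration{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String(athena.EncryptionTypeSSEKMS, defsecTypes.NewTestMetadata()),
				},
				EnforceConfiguration: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
			},
		},
		{
			// Enforcement explicitly off: the encryption type is still
			// expected as SSE_KMS, with EnforceConfiguration false.
			name: "configuration not enforced",
			terraform: `
			resource "aws_athena_workgroup" "my_wg" {
				name = "example"
			  
				configuration {
				  enforce_workgroup_configuration    = false
			  
				  result_configuration {
					encryption_configuration {
					  encryption_option = "SSE_KMS"
					}
				  }
				}
			}
`,
			expected: athena.Workgroup{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String("example", defsecTypes.NewTestMetadata()),
				Encryption: athena.EncryptionConfiguration{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String(athena.EncryptionTypeSSEKMS, defsecTypes.NewTestMetadata()),
				},
				EnforceConfiguration: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
			},
		},
		{
			// configuration block present but enforce_workgroup_configuration
			// omitted: EnforceConfiguration is expected to be true. The empty
			// encryption_option is expected as EncryptionTypeNone.
			name: "enforce configuration defaults to true",
			terraform: `
			resource "aws_athena_workgroup" "my_wg" {
				name = "example"
			  
				configuration {
					result_configuration {
						encryption_configuration {
						  encryption_option = ""
						}
					}
				}
			}
`,
			expected: athena.Workgroup{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String("example", defsecTypes.NewTestMetadata()),
				Encryption: athena.EncryptionConfiguration{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String(athena.EncryptionTypeNone, defsecTypes.NewTestMetadata()),
				},
				EnforceConfiguration: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
			},
		},
		{
			// No configuration block at all: EnforceConfiguration is expected
			// to be false and the encryption type EncryptionTypeNone.
			name: "missing configuration block",
			terraform: `
			resource "aws_athena_workgroup" "my_wg" {
				name = "example"
			}
`,
			expected: athena.Workgroup{
				Metadata: defsecTypes.NewTestMetadata(),
				Name:     defsecTypes.String("example", defsecTypes.NewTestMetadata()),
				Encryption: athena.EncryptionConfiguration{
					Metadata: defsecTypes.NewTestMetadata(),
					Type:     defsecTypes.String(athena.EncryptionTypeNone, defsecTypes.NewTestMetadata()),
				},
				EnforceConfiguration: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")

			// Fail with a readable message rather than an index-out-of-range
			// panic if the fixture yields no blocks.
			blocks := modules.GetBlocks()
			if len(blocks) == 0 {
				t.Fatal("fixture produced no Terraform blocks")
			}

			adapted := adaptWorkgroup(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}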
   166  
// TestLines runs the full Adapt entry point over one database and one
// workgroup and checks the source line recorded in the metadata of the
// encryption type and the enforce-configuration value.
//
// The expected numbers are 1-based line positions inside src, counting the
// empty line that follows the opening backtick as line 1. Any edit to the
// fixture that adds or removes a line must update the numbers below.
func TestLines(t *testing.T) {
	src := `
	resource "aws_athena_database" "good_example" {
		name   = "database_name"
		bucket = aws_s3_bucket.hoge.bucket
	  
		encryption_configuration {
		   encryption_option = "SSE_KMS"
		   kms_key_arn       = aws_kms_key.example.arn
	   }
	  }
	  
	  resource "aws_athena_workgroup" "good_example" {
		name = "example"
	  
		configuration {
		  enforce_workgroup_configuration    = true
		  publish_cloudwatch_metrics_enabled = true
	  
		  result_configuration {
			output_location = "s3://${aws_s3_bucket.example.bucket}/output/"
	  
			encryption_configuration {
			  encryption_option = "SSE_KMS"
			  kms_key_arn       = aws_kms_key.example.arn
			}
		  }
		}
	  }`

	adapted := Adapt(tftestutil.CreateModulesFromSource(t, src, ".tf"))

	// Stop here if either resource is missing; the index expressions below
	// would otherwise panic.
	require.Len(t, adapted.Databases, 1)
	require.Len(t, adapted.Workgroups, 1)

	// Database: encryption_option sits on line 7 of src.
	dbEncryption := adapted.Databases[0].Encryption.Type.GetMetadata().Range()
	assert.Equal(t, 7, dbEncryption.GetStartLine())
	assert.Equal(t, 7, dbEncryption.GetEndLine())

	// Workgroup: enforce_workgroup_configuration sits on line 16 of src.
	wgEnforce := adapted.Workgroups[0].EnforceConfiguration.GetMetadata().Range()
	assert.Equal(t, 16, wgEnforce.GetStartLine())
	assert.Equal(t, 16, wgEnforce.GetEndLine())

	// Workgroup: the nested encryption_option sits on line 23 of src.
	wgEncryption := adapted.Workgroups[0].Encryption.Type.GetMetadata().Range()
	assert.Equal(t, 23, wgEncryption.GetStartLine())
	assert.Equal(t, 23, wgEncryption.GetEndLine())
}