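package ec2

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/ec2"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// lineRanger is the part of a source range that the line-number checks
// in TestAutoscalingLines rely on.
type lineRanger interface {
	GetStartLine() int
	GetEndLine() int
}

// assertLineRange asserts that rng covers exactly lines start..end (1-based,
// inclusive) of the Terraform source that was handed to the adapter.
func assertLineRange(t *testing.T, rng lineRanger, start, end int) {
	t.Helper()
	assert.Equal(t, start, rng.GetStartLine(), "start line")
	assert.Equal(t, end, rng.GetEndLine(), "end line")
}

// Test_AdaptAutoscaling feeds aws_launch_configuration / aws_launch_template
// snippets through Adapt and compares the resulting ec2.EC2 model with the
// expected value via testutil.AssertDefsecEqual.
//
// The credentials that appear in the user_data heredoc below are the AWS
// documentation example key pair, used only as an opaque payload to check
// that user_data is carried through (and takes precedence over
// user_data_base64).
func Test_AdaptAutoscaling(t *testing.T) {
	cases := []struct {
		name      string
		terraform string
		expected  ec2.EC2
	}{
		{
			name: "basic config",
			terraform: `
resource "aws_launch_configuration" "my_config" {
	associate_public_ip_address = false
	name = "web_config"
	image_id = data.aws_ami.ubuntu.id
	instance_type = "t2.micro"
	user_data_base64 = "ZXhwb3J0IEVESVRPUj12aW1hY3M="

	root_block_device {
		encrypted = true
	}
	ebs_block_device {
		encrypted = true
	}
}
`,
			expected: ec2.EC2{
				LaunchConfigurations: []ec2.LaunchConfiguration{
					{
						Metadata:          defsecTypes.NewTestMetadata(),
						Name:              defsecTypes.String("web_config", defsecTypes.NewTestMetadata()),
						AssociatePublicIP: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						// user_data_base64 is decoded into the plain UserData field.
						UserData: defsecTypes.String("export EDITOR=vimacs", defsecTypes.NewTestMetadata()),
						MetadataOptions: ec2.MetadataOptions{
							Metadata:     defsecTypes.NewTestMetadata(),
							HttpTokens:   defsecTypes.String("", defsecTypes.NewTestMetadata()),
							HttpEndpoint: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  defsecTypes.NewTestMetadata(),
							Encrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						EBSBlockDevices: []*ec2.BlockDevice{
							{
								Metadata:  defsecTypes.NewTestMetadata(),
								Encrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
		},
		{
			name: "user data overrides user data base 64",
			terraform: `
resource "aws_launch_configuration" "my_config" {
	associate_public_ip_address = false
	name = "web_config"
	image_id = data.aws_ami.ubuntu.id
	instance_type = "t2.micro"
	user_data_base64 = "ZXhwb3J0IEVESVRPUj12aW1hY3M="

	user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
EOF

	root_block_device {
		encrypted = true
	}
}
`,
			expected: ec2.EC2{
				LaunchConfigurations: []ec2.LaunchConfiguration{
					{
						Metadata:          defsecTypes.NewTestMetadata(),
						Name:              defsecTypes.String("web_config", defsecTypes.NewTestMetadata()),
						AssociatePublicIP: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						// The heredoc wins over user_data_base64; the trailing
						// newline of the heredoc is part of the value.
						UserData: defsecTypes.String(`export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
`, defsecTypes.NewTestMetadata()),
						MetadataOptions: ec2.MetadataOptions{
							Metadata:     defsecTypes.NewTestMetadata(),
							HttpTokens:   defsecTypes.String("", defsecTypes.NewTestMetadata()),
							HttpEndpoint: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						RootBlockDevice: &ec2.BlockDevice{
							Metadata:  defsecTypes.NewTestMetadata(),
							Encrypted: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
					},
				},
			},
		},
		{
			name: "https token enforced",
			terraform: `
resource "aws_launch_template" "my_tmpl" {
	associate_public_ip_address = false
	name = "my_template"
	image_id = data.aws_ami.ubuntu.id
	instance_type = "t2.micro"

	metadata_options {
		http_tokens = "required"
	}
}
`,
			expected: ec2.EC2{
				LaunchTemplates: []ec2.LaunchTemplate{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Instance: ec2.Instance{
							Metadata: defsecTypes.NewTestMetadata(),
							UserData: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							MetadataOptions: ec2.MetadataOptions{
								Metadata:     defsecTypes.NewTestMetadata(),
								HttpTokens:   defsecTypes.String("required", defsecTypes.NewTestMetadata()),
								HttpEndpoint: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			adapted := Adapt(modules)
			testutil.AssertDefsecEqual(t, tc.expected, adapted)
		})
	}
}

// TestAutoscalingLines checks that the adapted launch configuration keeps
// accurate source positions: every attribute must point at the line of the
// Terraform snippet it came from, and a multi-line heredoc must span its
// full range. Line numbers are relative to the raw string below, where the
// line after the opening backtick is line 1.
//
// The heredoc contents are the AWS documentation example key pair, not a
// real credential.
func TestAutoscalingLines(t *testing.T) {
	src := `
resource "aws_launch_configuration" "my_config" {
	associate_public_ip_address = false
	name = "web_config"
	image_id = data.aws_ami.ubuntu.id
	instance_type = "t2.micro"

	user_data = <<EOF
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
EOF

	root_block_device {
		encrypted = true
	}
	metadata_options {
		http_tokens = "required"
	}
	ebs_block_device {
		encrypted = true
	}
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.LaunchConfigurations, 1)
	launchConfig := adapted.LaunchConfigurations[0]

	// Guard the dereferences below so a missing block fails with a readable
	// message rather than a nil-pointer or index-out-of-range panic.
	require.NotNil(t, launchConfig.RootBlockDevice)
	require.Len(t, launchConfig.EBSBlockDevices, 1)

	assertLineRange(t, launchConfig.AssociatePublicIP.GetMetadata().Range(), 3, 3)
	// The heredoc runs from the `user_data = <<EOF` line to the EOF marker.
	assertLineRange(t, launchConfig.UserData.GetMetadata().Range(), 8, 12)
	assertLineRange(t, launchConfig.RootBlockDevice.Encrypted.GetMetadata().Range(), 15, 15)
	assertLineRange(t, launchConfig.MetadataOptions.HttpTokens.GetMetadata().Range(), 18, 18)
	assertLineRange(t, launchConfig.EBSBlockDevices[0].Encrypted.GetMetadata().Range(), 21, 21)
}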