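package eks

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/eks"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"

	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_adaptCluster checks that adaptCluster maps the security-relevant
// attributes of an aws_eks_cluster resource onto the eks.Cluster model:
// envelope encryption of Kubernetes secrets (encryption_config), the five
// control-plane log types (enabled_cluster_log_types), and API endpoint
// exposure (vpc_config.endpoint_public_access / public_access_cidrs).
//
// The "defaults" case is the one that matters for rules: a bare resource
// must come out as "public endpoint, no CIDR allow-list, nothing logged,
// secrets not encrypted", so that the insecure AWS defaults are visible to
// the checks rather than silently treated as configured.
func Test_adaptCluster(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  eks.Cluster
	}{
		{
			// Fully hardened cluster: every field the model tracks is set.
			// role_arn is an unresolved variable on purpose; the adapter does
			// not need it, so it must not disturb the rest of the mapping.
			name: "configured",
			terraform: `
			resource "aws_eks_cluster" "example" {
			    encryption_config {
			        resources = [ "secrets" ]
			        provider {
			            key_arn = "key-arn"
			        }
			    }

			    enabled_cluster_log_types = ["api", "authenticator", "audit", "scheduler", "controllerManager"]

			    name = "good_example_cluster"
			    role_arn = var.cluster_arn
			    vpc_config {
			        endpoint_public_access = false
			        public_access_cidrs = ["10.2.0.0/8"]
			    }
			}
`,
			expected: eks.Cluster{
				Metadata: defsecTypes.NewTestMetadata(),
				Logging: eks.Logging{
					Metadata:          defsecTypes.NewTestMetadata(),
					API:               defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					Authenticator:     defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					Audit:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					Scheduler:         defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					ControllerManager: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				Encryption: eks.Encryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Secrets:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					KMSKeyID: defsecTypes.String("key-arn", defsecTypes.NewTestMetadata()),
				},
				PublicAccessEnabled: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				// NOTE: "10.2.0.0/8" has host bits set (the canonical form is
				// 10.0.0.0/8). The adapter keeps the string verbatim, so CIDR
				// normalisation or validation is not something this layer
				// provides; rules that reason about CIDRs must do it themselves.
				PublicAccessCIDRs: []defsecTypes.StringValue{
					defsecTypes.String("10.2.0.0/8", defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			// Bare resource: only implicit defaults, nothing configured.
			name: "defaults",
			terraform: `
			resource "aws_eks_cluster" "example" {
			}
`,
			expected: eks.Cluster{
				Metadata: defsecTypes.NewTestMetadata(),
				// No enabled_cluster_log_types => every log type reports off.
				Logging: eks.Logging{
					Metadata:          defsecTypes.NewTestMetadata(),
					API:               defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					Authenticator:     defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					Audit:             defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					Scheduler:         defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					ControllerManager: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
				// No encryption_config => secrets unencrypted, empty key ID.
				Encryption: eks.Encryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Secrets:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					KMSKeyID: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				// A bare cluster is reported as publicly reachable with a nil
				// CIDR list. The adapter does not synthesise a default
				// allow-list (AWS itself falls back to 0.0.0.0/0 when none is
				// given), so consumers must read "public + nil CIDRs" as
				// unrestricted, never as "no access".
				PublicAccessEnabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				PublicAccessCIDRs:   nil,
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			blocks := modules.GetBlocks()
			// Fail the test cleanly instead of panicking on the index if the
			// fixture did not parse into any blocks.
			require.NotEmpty(t, blocks)
			adapted := adaptCluster(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines verifies that every adapted value carries the Terraform line
// that produced it, which is what findings are rendered against. Line 1 of
// the fixture is the empty line after the opening backquote, so the resource
// block itself starts on line 2.
func TestLines(t *testing.T) {
	src := `
	resource "aws_eks_cluster" "example" {
	    encryption_config {
	        resources = [ "secrets" ]
	        provider {
	            key_arn = "key-arn"
	        }
	    }

	    enabled_cluster_log_types = ["api", "authenticator", "audit", "scheduler", "controllerManager"]

	    name = "good_example_cluster"
	    role_arn = var.cluster_arn
	    vpc_config {
	        endpoint_public_access = false
	        public_access_cidrs = ["10.2.0.0/8"]
	    }
	}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Clusters, 1)
	cluster := adapted.Clusters[0]
	// Guard the CIDR index below so a missing entry is a test failure rather
	// than an index-out-of-range panic.
	require.Len(t, cluster.PublicAccessCIDRs, 1)

	// lineRange is the slice of the metadata range API these checks need;
	// declaring it locally keeps the helper independent of the concrete
	// range type.
	type lineRange interface {
		GetStartLine() int
		GetEndLine() int
	}
	expectLines := func(name string, rng lineRange, start, end int) {
		t.Helper()
		assert.Equal(t, start, rng.GetStartLine(), "%s start line", name)
		assert.Equal(t, end, rng.GetEndLine(), "%s end line", name)
	}

	expectLines("cluster", cluster.Metadata.Range(), 2, 18)

	expectLines("encryption", cluster.Encryption.Metadata.Range(), 3, 8)
	expectLines("encryption.secrets", cluster.Encryption.Secrets.GetMetadata().Range(), 4, 4)
	expectLines("encryption.kms_key_id", cluster.Encryption.KMSKeyID.GetMetadata().Range(), 6, 6)

	// Every log-type flag derives from the single enabled_cluster_log_types
	// attribute, so all of them point at that one line.
	expectLines("logging", cluster.Logging.Metadata.Range(), 10, 10)
	expectLines("logging.api", cluster.Logging.API.GetMetadata().Range(), 10, 10)
	expectLines("logging.audit", cluster.Logging.Audit.GetMetadata().Range(), 10, 10)
	expectLines("logging.authenticator", cluster.Logging.Authenticator.GetMetadata().Range(), 10, 10)
	expectLines("logging.scheduler", cluster.Logging.Scheduler.GetMetadata().Range(), 10, 10)
	expectLines("logging.controller_manager", cluster.Logging.ControllerManager.GetMetadata().Range(), 10, 10)

	expectLines("public_access_enabled", cluster.PublicAccessEnabled.GetMetadata().Range(), 15, 15)
	expectLines("public_access_cidrs[0]", cluster.PublicAccessCIDRs[0].GetMetadata().Range(), 16, 16)
}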