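// Source listing: github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/terraform/aws/elasticsearch/adapt_test.go

package elasticsearch

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/elasticsearch"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"

	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Test_adaptDomain checks that adaptDomain maps an aws_elasticsearch_domain
// resource onto elasticsearch.Domain for the fields this table covers:
// node-to-node encryption, encryption at rest, HTTPS enforcement, the TLS
// security policy and audit log publishing.
//
// The "defaults" case pins the fallback values: an empty resource must adapt
// to false for every boolean control and to "" for the name and TLS policy.
// Presumably this is what lets downstream checks flag a domain that never
// declares these blocks; confirm against the rules that consume Domain.
//
// NOTE(review): every fixture in this table uses log_type = "AUDIT_LOGS" or no
// log_publishing_options block at all, so the table does not show how
// AuditEnabled behaves for a non-audit log type.
func Test_adaptDomain(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  elasticsearch.Domain
	}{
		{
			name: "configured",
			terraform: `
			resource "aws_elasticsearch_domain" "example" {
				domain_name = "domain-foo"

				node_to_node_encryption {
					enabled = true
				}

				encrypt_at_rest {
					enabled = true
				}

				domain_endpoint_options {
					enforce_https = true
					tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
				}

				log_publishing_options {
					cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
					log_type                 = "AUDIT_LOGS"
					enabled                  = true
				}
			}
`,
			expected: elasticsearch.Domain{
				Metadata:   defsecTypes.NewTestMetadata(),
				DomainName: defsecTypes.String("domain-foo", defsecTypes.NewTestMetadata()),
				LogPublishing: elasticsearch.LogPublishing{
					Metadata:     defsecTypes.NewTestMetadata(),
					AuditEnabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				TransitEncryption: elasticsearch.TransitEncryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				AtRestEncryption: elasticsearch.AtRestEncryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				Endpoint: elasticsearch.Endpoint{
					Metadata:     defsecTypes.NewTestMetadata(),
					EnforceHTTPS: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					TLSPolicy:    defsecTypes.String("Policy-Min-TLS-1-2-2019-07", defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			name: "defaults",
			terraform: `
			resource "aws_elasticsearch_domain" "example" {
			}
`,
			expected: elasticsearch.Domain{
				Metadata:   defsecTypes.NewTestMetadata(),
				DomainName: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				LogPublishing: elasticsearch.LogPublishing{
					Metadata:     defsecTypes.NewTestMetadata(),
					AuditEnabled: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
				TransitEncryption: elasticsearch.TransitEncryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
				AtRestEncryption: elasticsearch.AtRestEncryption{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
				Endpoint: elasticsearch.Endpoint{
					Metadata:     defsecTypes.NewTestMetadata(),
					EnforceHTTPS: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					TLSPolicy:    defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")

			// Fail with a readable message instead of an index-out-of-range
			// panic if the fixture yields no blocks.
			blocks := modules.GetBlocks()
			require.NotEmpty(t, blocks, "fixture produced no Terraform blocks")

			adapted := adaptDomain(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that Adapt attaches the correct source line range to the
// domain, to each nested block and to each adapted attribute.
//
// Line numbers are counted from the start of the raw string below. The string
// opens with a newline, so the resource block starts on line 2 and its closing
// brace is on line 23. Changing the fixture's line layout requires updating the
// expected numbers.
func TestLines(t *testing.T) {
	src := `
	resource "aws_elasticsearch_domain" "example" {
		domain_name = "domain-foo"

		node_to_node_encryption {
			enabled = true
		}

		encrypt_at_rest {
			enabled = true
		}

		domain_endpoint_options {
			enforce_https = true
			tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
		}

		log_publishing_options {
			cloudwatch_log_group_arn = aws_cloudwatch_log_group.example.arn
			log_type                 = "AUDIT_LOGS"
			enabled                  = true
		}
	}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	// Stop here if the domain was not adapted; the index below would panic.
	require.Len(t, adapted.Domains, 1)
	domain := adapted.Domains[0]

	// Whole resource block.
	assert.Equal(t, 2, domain.Metadata.Range().GetStartLine())
	assert.Equal(t, 23, domain.Metadata.Range().GetEndLine())

	// domain_name attribute.
	assert.Equal(t, 3, domain.DomainName.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 3, domain.DomainName.GetMetadata().Range().GetEndLine())

	// node_to_node_encryption block and its enabled attribute.
	assert.Equal(t, 5, domain.TransitEncryption.Metadata.Range().GetStartLine())
	assert.Equal(t, 7, domain.TransitEncryption.Metadata.Range().GetEndLine())

	assert.Equal(t, 6, domain.TransitEncryption.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 6, domain.TransitEncryption.Enabled.GetMetadata().Range().GetEndLine())

	// encrypt_at_rest block and its enabled attribute.
	assert.Equal(t, 9, domain.AtRestEncryption.Metadata.Range().GetStartLine())
	assert.Equal(t, 11, domain.AtRestEncryption.Metadata.Range().GetEndLine())

	assert.Equal(t, 10, domain.AtRestEncryption.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 10, domain.AtRestEncryption.Enabled.GetMetadata().Range().GetEndLine())

	// domain_endpoint_options block, enforce_https and tls_security_policy.
	assert.Equal(t, 13, domain.Endpoint.Metadata.Range().GetStartLine())
	assert.Equal(t, 16, domain.Endpoint.Metadata.Range().GetEndLine())

	assert.Equal(t, 14, domain.Endpoint.EnforceHTTPS.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 14, domain.Endpoint.EnforceHTTPS.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 15, domain.Endpoint.TLSPolicy.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 15, domain.Endpoint.TLSPolicy.GetMetadata().Range().GetEndLine())

	// log_publishing_options block; AuditEnabled is expected to carry the
	// range of the block's enabled attribute (line 21).
	assert.Equal(t, 18, domain.LogPublishing.Metadata.Range().GetStartLine())
	assert.Equal(t, 22, domain.LogPublishing.Metadata.Range().GetEndLine())

	assert.Equal(t, 21, domain.LogPublishing.AuditEnabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 21, domain.LogPublishing.AuditEnabled.GetMetadata().Range().GetEndLine())
}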