
     1  package msk
     2  
     3  import (
     4  	"testing"
     5  
     6  	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
     7  
     8  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/msk"
     9  
    10  	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
    11  
    12  	"github.com/khulnasoft-lab/defsec/test/testutil"
    13  	"github.com/stretchr/testify/assert"
    14  	"github.com/stretchr/testify/require"
    15  )
    16  
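// Test_adaptCluster checks that adaptCluster maps the security-relevant
// settings of an aws_msk_cluster block — the client/broker transport
// encryption mode, the at-rest KMS key and the three broker log
// destinations — onto msk.Cluster, and that a bare resource block is
// adapted to the adapter's own defaults rather than left unset.
func Test_adaptCluster(t *testing.T) {
	cases := []struct {
		name      string
		terraform string
		expected  msk.Cluster
	}{
		{
			name: "configured",
			// Every attribute a scanner cares about is set explicitly:
			// TLS-only client traffic, a customer key for data at rest and
			// all three broker log destinations enabled.
			terraform: `
			resource "aws_msk_cluster" "example" {
				cluster_name           = "example"

				encryption_info {
					encryption_in_transit {
						client_broker = "TLS"
						in_cluster = true
					}
					encryption_at_rest_kms_key_arn = "foo-bar-key"
				}
			  
				logging_info {
				  broker_logs {
					cloudwatch_logs {
					  enabled   = true
					  log_group = aws_cloudwatch_log_group.test.name
					}
					firehose {
					  enabled         = true
					  delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name
					}
					s3 {
					  enabled = true
					  bucket  = aws_s3_bucket.bucket.id
					  prefix  = "logs/msk-"
					}
				  }
				}
			  }
`,
			expected: msk.Cluster{
				Metadata: defsecTypes.NewTestMetadata(),
				EncryptionInTransit: msk.EncryptionInTransit{
					Metadata:     defsecTypes.NewTestMetadata(),
					ClientBroker: defsecTypes.String("TLS", defsecTypes.NewTestMetadata()),
				},
				EncryptionAtRest: msk.EncryptionAtRest{
					Metadata:  defsecTypes.NewTestMetadata(),
					KMSKeyARN: defsecTypes.String("foo-bar-key", defsecTypes.NewTestMetadata()),
					Enabled:   defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
				Logging: msk.Logging{
					Metadata: defsecTypes.NewTestMetadata(),
					Broker: msk.BrokerLogging{
						Metadata: defsecTypes.NewTestMetadata(),
						S3: msk.S3Logging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						Cloudwatch: msk.CloudwatchLogging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						Firehose: msk.FirehoseLogging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
					},
				},
			},
		},
		{
			name: "defaults",
			// A bare resource block: nothing about encryption or logging is
			// declared, so the result is whatever the adapter assumes.
			// NOTE(review): ClientBroker is expected to come back as
			// "TLS_PLAINTEXT" here, while the provider documents TLS as the
			// attribute's default; treating "unset" as the weaker mode keeps
			// the scanner pessimistic about unconfigured clusters — confirm
			// that is intentional rather than a stale default. EncryptionAtRest
			// is expected to stay zero-valued (no Enabled flag at all).
			terraform: `
			resource "aws_msk_cluster" "example" {
			  }
`,
			expected: msk.Cluster{
				Metadata: defsecTypes.NewTestMetadata(),
				EncryptionInTransit: msk.EncryptionInTransit{
					Metadata:     defsecTypes.NewTestMetadata(),
					ClientBroker: defsecTypes.String("TLS_PLAINTEXT", defsecTypes.NewTestMetadata()),
				},
				Logging: msk.Logging{
					Metadata: defsecTypes.NewTestMetadata(),
					Broker: msk.BrokerLogging{
						Metadata: defsecTypes.NewTestMetadata(),
						S3: msk.S3Logging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						Cloudwatch: msk.CloudwatchLogging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						Firehose: msk.FirehoseLogging{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
					},
				},
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			blocks := modules.GetBlocks()
			// Fail with a readable message instead of an index-out-of-range
			// panic if a fixture ever parses to no blocks.
			require.NotEmpty(t, blocks)
			adapted := adaptCluster(blocks[0])
			testutil.AssertDefsecEqual(t, tc.expected, adapted)
		})
	}
}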
   129  
// TestLines verifies that Adapt records a source range for every adapted
// element, so that a finding about transport encryption, the at-rest key
// or a disabled log destination can be pointed back at the exact lines of
// the aws_msk_cluster block that produced it. Line numbers are relative to
// src, whose first line is the empty one after the opening backtick.
func TestLines(t *testing.T) {
	src := `
	resource "aws_msk_cluster" "example" {
		cluster_name           = "example"

		encryption_info {
			encryption_in_transit {
				client_broker = "TLS"
				in_cluster = true
			}
			encryption_at_rest_kms_key_arn = "foo-bar-key"	
		}
	  
		logging_info {
		  broker_logs {
			cloudwatch_logs {
			  enabled   = true
			  log_group = aws_cloudwatch_log_group.test.name
			}
			firehose {
			  enabled         = true
			  delivery_stream = aws_kinesis_firehose_delivery_stream.test_stream.name
			}
			s3 {
			  enabled = true
			  bucket  = aws_s3_bucket.bucket.id
			  prefix  = "logs/msk-"
			}
		  }
		}
	  }`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Clusters, 1)
	cluster := adapted.Clusters[0]

	// Anything whose Range() exposes integer line bounds — the Metadata of a
	// nested struct as well as the metadata carried by a single attribute.
	type lineRange interface {
		GetStartLine() int
		GetEndLine() int
	}
	expectRange := func(rng lineRange, start, end int) {
		t.Helper()
		assert.Equal(t, start, rng.GetStartLine())
		assert.Equal(t, end, rng.GetEndLine())
	}

	broker := cluster.Logging.Broker

	// Whole resource, then each nested block in source order.
	expectRange(cluster.Metadata.Range(), 2, 30)
	expectRange(cluster.EncryptionInTransit.Metadata.Range(), 6, 9)
	expectRange(cluster.EncryptionAtRest.Metadata.Range(), 10, 10)
	expectRange(cluster.Logging.Metadata.Range(), 13, 29)
	expectRange(broker.Metadata.Range(), 14, 28)

	// Each log destination block and the single line of its enabled flag.
	expectRange(broker.Cloudwatch.Metadata.Range(), 15, 18)
	expectRange(broker.Cloudwatch.Enabled.GetMetadata().Range(), 16, 16)
	expectRange(broker.Firehose.Metadata.Range(), 19, 22)
	expectRange(broker.Firehose.Enabled.GetMetadata().Range(), 20, 20)
	expectRange(broker.S3.Metadata.Range(), 23, 27)
	expectRange(broker.S3.Enabled.GetMetadata().Range(), 24, 24)
}