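package s3

import (
	"testing"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
)

// Test_GetBuckets checks that a bare aws_s3_bucket resource is adapted into
// exactly one bucket.
func Test_GetBuckets(t *testing.T) {
	source := `
resource "aws_s3_bucket" "bucket1" {


}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	assert.Len(t, s3.Buckets, 1)
}

// Test_BucketGetACL checks that the legacy inline acl attribute of
// aws_s3_bucket is surfaced as the bucket's ACL.
func Test_BucketGetACL(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"
  acl    = "authenticated-read"

  # ... other configuration ...
}`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	// require rather than assert: with no buckets the index below would panic
	// instead of reporting a clean test failure.
	require.Len(t, s3.Buckets, 1)
	assert.Equal(t, "authenticated-read", s3.Buckets[0].ACL.Value())
}

// Test_V4BucketGetACL checks that an ACL declared through the separate
// aws_s3_bucket_acl resource (provider v4 style) is attached to the bucket it
// references.
func Test_V4BucketGetACL(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"
}

resource "aws_s3_bucket_acl" "example" {
  bucket = aws_s3_bucket.example.id
  acl    = "authenticated-read"
}`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.Equal(t, "authenticated-read", s3.Buckets[0].ACL.Value())
}

// Test_BucketGetLogging checks that an inline logging block marks access
// logging as enabled on the bucket.
func Test_BucketGetLogging(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
  logging {
    target_bucket = aws_s3_bucket.log_bucket.id
    target_prefix = "log/"
  }
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Logging.Enabled.Value())
}

// Test_V4BucketGetLogging checks that a separate aws_s3_bucket_logging
// resource enables logging only on the bucket it targets, not on the bucket
// that merely receives the logs.
func Test_V4BucketGetLogging(t *testing.T) {
	source := `
resource "aws_s3_bucket" "log_bucket" {
  bucket = "example-log-bucket"

  # ... other configuration ...
}

resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
}

resource "aws_s3_bucket_logging" "example" {
  bucket        = aws_s3_bucket.example.id
  target_bucket = aws_s3_bucket.log_bucket.id
  target_prefix = "log/"
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 2)
	for _, bucket := range s3.Buckets {
		switch bucket.Name.Value() {
		case "yournamehere":
			assert.True(t, bucket.Logging.Enabled.Value())
		case "example-log-bucket":
			assert.False(t, bucket.Logging.Enabled.Value())
		default:
			// A bucket with an unexpected name would otherwise slip through
			// without either branch being exercised.
			t.Errorf("unexpected bucket name %q", bucket.Name.Value())
		}
	}
}

// Test_BucketGetVersioning checks that an inline versioning block with
// enabled = true is reported as versioning enabled.
func Test_BucketGetVersioning(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
  versioning {
    enabled = true
  }
}`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Versioning.Enabled.Value())
}

// Test_V4BucketGetVersioning checks that a separate aws_s3_bucket_versioning
// resource with status = "Enabled" is reported as versioning enabled.
func Test_V4BucketGetVersioning(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Versioning.Enabled.Value())
}

// Test_BucketGetVersioningWithLockDeprecated checks the deprecated inline
// object_lock_configuration block. S3 Object Lock can only be enabled on a
// versioned bucket, so the adapter reports versioning as enabled even though
// no versioning block is present.
func Test_BucketGetVersioningWithLockDeprecated(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "mybucket"
  object_lock_configuration {
    object_lock_enabled = "Enabled"
  }
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Versioning.Enabled.Value())
}

// Test_BucketGetVersioningWithLockForNewBucket checks the current way of
// enabling Object Lock (object_lock_enabled on the bucket plus a separate
// aws_s3_bucket_object_lock_configuration resource); versioning is implied.
func Test_BucketGetVersioningWithLockForNewBucket(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket              = "mybucket"
  object_lock_enabled = true
}

resource "aws_s3_bucket_object_lock_configuration" "example" {
  bucket = aws_s3_bucket.example.id
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Versioning.Enabled.Value())
}

// Test_BucketGetVersioningWhenLockDisabledButVersioningEnabled checks that an
// explicit aws_s3_bucket_versioning resource still enables versioning when
// the bucket itself does not set object_lock_enabled.
func Test_BucketGetVersioningWhenLockDisabledButVersioningEnabled(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "mybucket"
}

resource "aws_s3_bucket_object_lock_configuration" "example" {
  bucket = aws_s3_bucket.example.id
}

resource "aws_s3_bucket_versioning" "example" {
  bucket = aws_s3_bucket.example.id
  versioning_configuration {
    status = "Enabled"
  }
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Versioning.Enabled.Value())
}

// Test_BucketGetEncryption checks that an inline
// server_side_encryption_configuration block marks encryption as enabled.
// Only the enabled flag is asserted; the algorithm and key are not checked
// here.
func Test_BucketGetEncryption(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.mykey.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Encryption.Enabled.Value())
}

// Test_V4BucketGetEncryption checks that a separate
// aws_s3_bucket_server_side_encryption_configuration resource marks
// encryption as enabled on the bucket it references.
func Test_V4BucketGetEncryption(t *testing.T) {
	source := `
resource "aws_s3_bucket" "example" {
  bucket = "yournamehere"

  # ... other configuration ...
}

resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.example.id

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}
`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	assert.True(t, s3.Buckets[0].Encryption.Enabled.Value())
}

// Test_BucketWithPolicy checks that a bucket policy built from an
// aws_iam_policy_document data source is attached to the bucket and parsed
// into one statement with one AWS principal and two actions. Every parse
// error is checked so a malformed document fails loudly rather than
// producing empty slices that happen to fail the length checks.
func Test_BucketWithPolicy(t *testing.T) {
	source := `
resource "aws_s3_bucket" "bucket1" {
  bucket = "lol"
}

resource "aws_s3_bucket_policy" "allow_access_from_another_account" {
  bucket = aws_s3_bucket.bucket1.id
  policy = data.aws_iam_policy_document.allow_access_from_another_account.json
}

data "aws_iam_policy_document" "allow_access_from_another_account" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["123456789012"]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.bucket1.arn,
    ]
  }
}

`
	modules := tftestutil.CreateModulesFromSource(t, source, ".tf")

	s3 := Adapt(modules)

	require.Len(t, s3.Buckets, 1)
	require.Len(t, s3.Buckets[0].BucketPolicies, 1)

	policy := s3.Buckets[0].BucketPolicies[0]

	statements, err := policy.Document.Parsed.Statements()
	require.NoError(t, err)
	require.Len(t, statements, 1)

	principals, err := statements[0].Principals()
	require.NoError(t, err)
	actions, err := statements[0].Actions()
	require.NoError(t, err)

	awsPrincipals, err := principals.AWS()
	require.NoError(t, err)
	require.Len(t, awsPrincipals, 1)
	require.Len(t, actions, 2)
}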