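package container

import (
	"testing"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/pkg/providers/azure/container"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
	"github.com/khulnasoft-lab/defsec/test/testutil"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// fullClusterHCL sets every azurerm_kubernetes_cluster attribute the adapter
// reads: private API endpoint, network policy, API-server IP allow-list, OMS
// agent and (legacy block syntax) Kubernetes RBAC. It is the "defined" case of
// Test_adaptCluster and the fixture for TestLines, whose assertions pin the
// 1-based source line of each attribute (line 1 is the leading newline), so
// the layout below must not be reflowed.
const fullClusterHCL = `
resource "azurerm_kubernetes_cluster" "example" {
	private_cluster_enabled = true

	network_profile {
		network_policy = "calico"
	}

	api_server_access_profile {

		authorized_ip_ranges = [
			"1.2.3.4/32"
		]

	}

	addon_profile {
		oms_agent {
			enabled = true
		}
	}

	role_based_access_control {
		enabled = true
	}
}`

// Test_adaptCluster checks that adaptCluster maps the security-relevant
// attributes of a single azurerm_kubernetes_cluster block onto the provider
// model. Each case feeds one HCL resource through tftestutil and compares the
// result with testutil.AssertDefsecEqual, which tolerates the NewTestMetadata
// placeholders used for every Metadata field here.
func Test_adaptCluster(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  container.KubernetesCluster
	}{
		{
			// Positive path: every attribute present and set to its hardened value.
			name:      "defined",
			terraform: fullClusterHCL,
			expected: container.KubernetesCluster{
				Metadata: defsecTypes.NewTestMetadata(),
				NetworkProfile: container.NetworkProfile{
					Metadata:      defsecTypes.NewTestMetadata(),
					NetworkPolicy: defsecTypes.String("calico", defsecTypes.NewTestMetadata()),
				},
				EnablePrivateCluster: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				APIServerAuthorizedIPRanges: []defsecTypes.StringValue{
					defsecTypes.String("1.2.3.4/32", defsecTypes.NewTestMetadata()),
				},
				AddonProfile: container.AddonProfile{
					Metadata: defsecTypes.NewTestMetadata(),
					OMSAgent: container.OMSAgent{
						Metadata: defsecTypes.NewTestMetadata(),
						Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
				},
				RoleBasedAccessControl: container.RoleBasedAccessControl{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			// The newer top-level role_based_access_control_enabled attribute
			// must land in RoleBasedAccessControl.Enabled exactly like the
			// legacy role_based_access_control { enabled } block above.
			name: "rbac with a new syntax",
			terraform: `
resource "azurerm_kubernetes_cluster" "example" {
	role_based_access_control_enabled = true
}
`,
			expected: container.KubernetesCluster{
				Metadata: defsecTypes.NewTestMetadata(),
				NetworkProfile: container.NetworkProfile{
					Metadata:      defsecTypes.NewTestMetadata(),
					NetworkPolicy: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				EnablePrivateCluster: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				AddonProfile: container.AddonProfile{
					Metadata: defsecTypes.NewTestMetadata(),
					OMSAgent: container.OMSAgent{
						Metadata: defsecTypes.NewTestMetadata(),
						Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
				RoleBasedAccessControl: container.RoleBasedAccessControl{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			// Nothing set: the adapter reports every control as off/empty.
			// NOTE(review): this is fail-closed for the checks (an absent
			// attribute surfaces as a finding), but it is the adapter's choice,
			// not necessarily the provider's own default for each attribute —
			// confirm against the azurerm schema if clusters that rely on
			// provider defaults are being misreported.
			name: "defaults",
			terraform: `
resource "azurerm_kubernetes_cluster" "example" {
}
`,
			expected: container.KubernetesCluster{
				Metadata: defsecTypes.NewTestMetadata(),
				NetworkProfile: container.NetworkProfile{
					Metadata:      defsecTypes.NewTestMetadata(),
					NetworkPolicy: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				EnablePrivateCluster: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				AddonProfile: container.AddonProfile{
					Metadata: defsecTypes.NewTestMetadata(),
					OMSAgent: container.OMSAgent{
						Metadata: defsecTypes.NewTestMetadata(),
						Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
				RoleBasedAccessControl: container.RoleBasedAccessControl{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			// Kubernetes RBAC and Azure RBAC (azure_rbac_enabled inside the AAD
			// integration block) are distinct controls. With Kubernetes RBAC on
			// and Azure RBAC explicitly off, RoleBasedAccessControl.Enabled must
			// still be true — the adapter keys on role_based_access_control_enabled,
			// not on the AAD block. The resource name suggests this is a
			// regression test for a previous misreport.
			name: "rbac off with k8s rbac on",
			terraform: `
resource "azurerm_kubernetes_cluster" "misreporting_example" {
	role_based_access_control_enabled = true # Enable k8s RBAC
	azure_active_directory_role_based_access_control {
		managed = true # Enable AKS-managed Azure AAD integration
		azure_rbac_enabled = false # Explicitly disable Azure RBAC for Kubernetes Authorization
	}
}
`,
			expected: container.KubernetesCluster{
				Metadata: defsecTypes.NewTestMetadata(),
				NetworkProfile: container.NetworkProfile{
					Metadata:      defsecTypes.NewTestMetadata(),
					NetworkPolicy: defsecTypes.String("", defsecTypes.NewTestMetadata()),
				},
				EnablePrivateCluster: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				AddonProfile: container.AddonProfile{
					Metadata: defsecTypes.NewTestMetadata(),
					OMSAgent: container.OMSAgent{
						Metadata: defsecTypes.NewTestMetadata(),
						Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
				RoleBasedAccessControl: container.RoleBasedAccessControl{
					Metadata: defsecTypes.NewTestMetadata(),
					Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			blocks := modules.GetBlocks()
			// Fail with a message instead of an index panic if the fixture
			// did not parse into at least one block.
			require.NotEmpty(t, blocks, "fixture must parse to at least one block")
			adapted := adaptCluster(blocks[0])
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines verifies that the metadata attached to each adapted value points
// at the source lines that set it, so a finding raised by a check can be traced
// back to the exact HCL attribute or block. Line numbers are 1-based and count
// from the leading newline in fullClusterHCL; a block's range spans its opening
// and closing brace, an attribute's range is the attribute line(s) only.
func TestLines(t *testing.T) {
	modules := tftestutil.CreateModulesFromSource(t, fullClusterHCL, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.KubernetesClusters, 1)
	cluster := adapted.KubernetesClusters[0]

	// assertRange pins the first and last source line of one range and names
	// the attribute in the failure message so a mismatch is attributable.
	assertRange := func(name string, r defsecTypes.Range, start, end int) {
		t.Helper()
		assert.Equal(t, start, r.GetStartLine(), "%s: start line", name)
		assert.Equal(t, end, r.GetEndLine(), "%s: end line", name)
	}

	assertRange("private_cluster_enabled", cluster.EnablePrivateCluster.GetMetadata().Range(), 3, 3)

	assertRange("network_profile", cluster.NetworkProfile.Metadata.Range(), 5, 7)
	assertRange("network_profile.network_policy", cluster.NetworkProfile.NetworkPolicy.GetMetadata().Range(), 6, 6)

	// The multi-line list literal is reported as one range covering all of it.
	assertRange("api_server_access_profile.authorized_ip_ranges", cluster.APIServerAuthorizedIPRanges[0].GetMetadata().Range(), 11, 13)

	assertRange("addon_profile", cluster.AddonProfile.Metadata.Range(), 17, 21)
	assertRange("addon_profile.oms_agent", cluster.AddonProfile.OMSAgent.Metadata.Range(), 18, 20)
	assertRange("addon_profile.oms_agent.enabled", cluster.AddonProfile.OMSAgent.Enabled.GetMetadata().Range(), 19, 19)

	assertRange("role_based_access_control", cluster.RoleBasedAccessControl.Metadata.Range(), 23, 25)
	assertRange("role_based_access_control.enabled", cluster.RoleBasedAccessControl.Enabled.GetMetadata().Range(), 24, 24)
}

// TestWithLocals covers an API-server allow-list that cannot be evaluated at
// scan time because it is assembled from a data source (a public IP looked up
// at apply time). The adapter must surface the entry as unresolvable rather
// than drop it or substitute an empty list: an empty allow-list would read as
// "API server open to every address" and a dropped one as "no allow-list
// configured", and either would misreport the cluster.
// NOTE(review): consumers should treat an unresolvable allow-list as unknown,
// not as pass or fail — confirm the check that reads APIServerAuthorizedIPRanges
// does so. Only one entry is adapted although the resource declares two
// api_server_access_profile blocks; presumably the adapter reads the first
// block only, which this test does not pin.
func TestWithLocals(t *testing.T) {
	src := `
variable "ip_whitelist" {
	description = "IP Ranges with allowed access."
	type        = list(string)
	default     = ["1.2.3.4"]
}

locals {
	ip_whitelist = concat(var.ip_whitelist, split(",", data.azurerm_public_ip.build_agents.ip_address))
}

resource "azurerm_kubernetes_cluster" "aks" {
	# not working
	api_server_access_profile {
		authorized_ip_ranges = local.ip_whitelist
	}
	# working
	api_server_access_profile {
		authorized_ip_ranges = concat(var.ip_whitelist, split(",", data.azurerm_public_ip.example.ip_address))
	}
}`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.KubernetesClusters, 1)
	cluster := adapted.KubernetesClusters[0]
	require.Len(t, cluster.APIServerAuthorizedIPRanges, 1)
	// The placeholder entry must be flagged unresolvable, never a concrete
	// (and therefore misleading) address or an absent allow-list.
	assert.False(t, cluster.APIServerAuthorizedIPRanges[0].GetMetadata().IsResolvable())
}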