package compute

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/compute"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/test/testutil"
)

// Test_adaptInstances checks that adaptInstances maps google_compute_instance
// resources parsed from Terraform source onto compute.Instance values.
//
// Each case pairs an HCL fixture with the exact adapted result; the comparison
// is done by testutil.AssertDefsecEqual, so every field of the expected value
// (including the per-field metadata) has to match what the adapter produces.
// The "defaults" cases are the security-relevant ones: they pin what a rule
// will see for an instance that omits an attribute entirely.
func Test_adaptInstances(t *testing.T) {
	cases := []struct {
		name      string
		terraform string
		expected  []compute.Instance
	}{
		{
			// Every attribute the adapter reads is set explicitly, so this
			// case pins the mapping from each HCL block/attribute to its
			// compute.Instance field: boot_disk -> BootDisks (with the KMS
			// link under Encryption), shielded_instance_config -> ShieldedVM,
			// the metadata keys -> OSLoginEnabled/EnableProjectSSHKeyBlocking/
			// EnableSerialPort, and an empty access_config -> HasPublicIP=true
			// with an empty NATIP.
			//
			// The service_account email is a reference to a resource that
			// declares no email in this fixture, which is presumably why the
			// expected Email is "" even though the attribute is present.
			name: "defined",
			terraform: `
resource "google_service_account" "myaccount" {
}

resource "google_compute_instance" "example" {
  name = "test"

  boot_disk {
    device_name       = "boot-disk"
    kms_key_self_link = "something"
  }

  shielded_instance_config {
    enable_integrity_monitoring = true
    enable_vtpm                 = true
    enable_secure_boot          = true
  }

  network_interface {
    network = "default"

    access_config {
    }
  }

  service_account {
    email  = google_service_account.myaccount.email
    scopes = ["cloud-platform"]
  }
  can_ip_forward = true

  metadata = {
    enable-oslogin         = false
    block-project-ssh-keys = true
    serial-port-enable     = true
  }
}
`,
			expected: []compute.Instance{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String("test", defsecTypes.NewTestMetadata()),
					NetworkInterfaces: []compute.NetworkInterface{
						{
							Metadata:    defsecTypes.NewTestMetadata(),
							HasPublicIP: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							NATIP:       defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
					},
					ShieldedVM: compute.ShieldedVMConfig{
						Metadata:                   defsecTypes.NewTestMetadata(),
						SecureBootEnabled:          defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						IntegrityMonitoringEnabled: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						VTPMEnabled:                defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
					ServiceAccount: compute.ServiceAccount{
						Metadata: defsecTypes.NewTestMetadata(),
						Email:    defsecTypes.String("", defsecTypes.NewTestMetadata()),
						Scopes: []defsecTypes.StringValue{
							defsecTypes.String("cloud-platform", defsecTypes.NewTestMetadata()),
						},
						IsDefault: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
					CanIPForward:                defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					OSLoginEnabled:              defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					EnableProjectSSHKeyBlocking: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					EnableSerialPort:            defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),

					BootDisks: []compute.Disk{
						{
							Metadata: defsecTypes.NewTestMetadata(),
							Name:     defsecTypes.String("boot-disk", defsecTypes.NewTestMetadata()),
							Encryption: compute.DiskEncryption{
								Metadata:   defsecTypes.NewTestMetadata(),
								KMSKeyLink: defsecTypes.String("something", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
		},
		{
			// A bare resource with no attributes or nested blocks. This pins
			// the adapter's defaults: no NetworkInterfaces or BootDisks, all
			// shielded-VM and metadata-derived flags false except
			// OSLoginEnabled, which the adapter reports as true when the
			// enable-oslogin key is absent. Rules that key off these
			// defaults inherit exactly this behaviour.
			name: "defaults",
			terraform: `
resource "google_compute_instance" "example" {
}
`,
			expected: []compute.Instance{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String("", defsecTypes.NewTestMetadata()),
					ShieldedVM: compute.ShieldedVMConfig{
						Metadata:                   defsecTypes.NewTestMetadata(),
						SecureBootEnabled:          defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						IntegrityMonitoringEnabled: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						VTPMEnabled:                defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
					ServiceAccount: compute.ServiceAccount{
						Metadata:  defsecTypes.NewTestMetadata(),
						Email:     defsecTypes.String("", defsecTypes.NewTestMetadata()),
						IsDefault: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
					CanIPForward:                defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					OSLoginEnabled:              defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					EnableProjectSSHKeyBlocking: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					EnableSerialPort:            defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
			},
		},
		{
			// An empty service_account block (no email, no scopes) is the
			// only difference from the "defaults" case, and it flips
			// ServiceAccount.IsDefault to true with Email still "". This is
			// the signal rules use to detect the project-default service
			// account being attached to an instance.
			name: "default service account",
			terraform: `
resource "google_compute_instance" "example" {
  service_account {}
}
`,
			expected: []compute.Instance{
				{
					Metadata: defsecTypes.NewTestMetadata(),
					Name:     defsecTypes.String("", defsecTypes.NewTestMetadata()),
					ShieldedVM: compute.ShieldedVMConfig{
						Metadata:                   defsecTypes.NewTestMetadata(),
						SecureBootEnabled:          defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						IntegrityMonitoringEnabled: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						VTPMEnabled:                defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
					ServiceAccount: compute.ServiceAccount{
						Metadata:  defsecTypes.NewTestMetadata(),
						Email:     defsecTypes.String("", defsecTypes.NewTestMetadata()),
						IsDefault: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
					CanIPForward:                defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					OSLoginEnabled:              defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					EnableProjectSSHKeyBlocking: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					EnableSerialPort:            defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
				},
			},
		},
	}

	for _, tc := range cases {
		// Subtests run synchronously (no t.Parallel), so capturing tc in the
		// closure is safe regardless of the Go version's loop-variable rules.
		t.Run(tc.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, tc.terraform, ".tf")
			got := adaptInstances(modules)
			testutil.AssertDefsecEqual(t, tc.expected, got)
		})
	}
}