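package gke

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/google/gke"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"

	"github.com/khulnasoft-lab/defsec/internal/adapters/terraform/tftestutil"
	"github.com/khulnasoft-lab/defsec/test/testutil"
)

// Test_Adapt checks that Terraform GKE resources are adapted into the
// gke.GKE model that the security rules consume.
//
// The fixtures deliberately contain settings a rule would flag
// (enable_legacy_abac = "true", issue_client_certificate = true) so that
// the adapter is shown to surface them rather than drop them; they are
// not an example of a recommended cluster configuration.
//
// Behaviour pinned here, as visible in the expected values:
//   - metadata.disable-legacy-endpoints = true maps to the inverted
//     field NodeConfig.EnableLegacyEndpoints = false;
//   - a cluster with no enable_shielded_nodes attribute is adapted with
//     EnableShieldedNodes = true (the "default node pool" case);
//   - the cluster-level NodeConfig of the "separately defined pool" case
//     carries image_type/workload_metadata_config that only appear in the
//     google_container_node_pool block, so it appears to be taken from the
//     first node pool — confirm against the adapter if this changes;
//   - a literal service_account ("service-account") survives adaptation,
//     while the reference google_service_account.default.email is adapted
//     to "" (presumably because the attribute has no resolvable value at
//     adaptation time).
//
// NOTE(review): the last point matters for rules that treat an empty
// ServiceAccount as "uses the default compute service account" — a pool
// that references a dedicated, managed service account lands in the same
// bucket. Verify the consuming rule distinguishes "unset" from
// "unresolved" before relying on that field.
func Test_Adapt(t *testing.T) {
	tests := []struct {
		name      string
		terraform string
		expected  gke.GKE
	}{
		{
			name: "separately defined pool",
			terraform: `
resource "google_service_account" "default" {
  account_id   = "service-account-id"
  display_name = "Service Account"
}

resource "google_container_cluster" "example" {
  name = "my-gke-cluster"

  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
  }

  pod_security_policy_config {
    enabled = "true"
  }

  enable_legacy_abac    = "true"
  enable_shielded_nodes = "true"

  remove_default_node_pool = true
  initial_node_count       = 1
  monitoring_service       = "monitoring.googleapis.com/kubernetes"
  logging_service          = "logging.googleapis.com/kubernetes"

  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.10.128.0/24"
      display_name = "internal"
    }
  }

  resource_labels = {
    "env" = "staging"
  }

  private_cluster_config {
    enable_private_nodes = true
  }

  network_policy {
    enabled = true
  }

  ip_allocation_policy {}

}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  cluster    = google_container_cluster.example.name
  node_count = 1

  node_config {
    service_account = google_service_account.default.email
    metadata = {
      disable-legacy-endpoints = true
    }
    image_type = "COS_CONTAINERD"
    workload_metadata_config {
      mode = "GCE_METADATA"
    }
  }
  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
`,
			expected: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						// Mirrors the node pool's NodeConfig below, including the
						// empty ServiceAccount produced by the unresolved reference.
						NodeConfig: gke.NodeConfig{
							Metadata:  defsecTypes.NewTestMetadata(),
							ImageType: defsecTypes.String("COS_CONTAINERD", defsecTypes.NewTestMetadata()),
							WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
								Metadata:     defsecTypes.NewTestMetadata(),
								NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
							},
							ServiceAccount:        defsecTypes.String("", defsecTypes.NewTestMetadata()),
							EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						NodePools: []gke.NodePool{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								Management: gke.Management{
									Metadata:          defsecTypes.NewTestMetadata(),
									EnableAutoRepair:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
									EnableAutoUpgrade: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
								},
								NodeConfig: gke.NodeConfig{
									Metadata:  defsecTypes.NewTestMetadata(),
									ImageType: defsecTypes.String("COS_CONTAINERD", defsecTypes.NewTestMetadata()),
									WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
										Metadata:     defsecTypes.NewTestMetadata(),
										NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
									},
									// google_service_account.default.email is adapted to "" here,
									// even though the fixture wires a dedicated service account.
									ServiceAccount:        defsecTypes.String("", defsecTypes.NewTestMetadata()),
									EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
								},
							},
						},
						IPAllocationPolicy: gke.IPAllocationPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							CIDRs: []defsecTypes.StringValue{
								defsecTypes.String("10.10.128.0/24", defsecTypes.NewTestMetadata()),
							},
						},
						NetworkPolicy: gke.NetworkPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						PrivateCluster: gke.PrivateCluster{
							Metadata:           defsecTypes.NewTestMetadata(),
							EnablePrivateNodes: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						LoggingService:    defsecTypes.String("logging.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MonitoringService: defsecTypes.String("monitoring.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						PodSecurityPolicy: gke.PodSecurityPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						},
						MasterAuth: gke.MasterAuth{
							Metadata: defsecTypes.NewTestMetadata(),
							ClientCertificate: gke.ClientCertificate{
								Metadata:         defsecTypes.NewTestMetadata(),
								IssueCertificate: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
							},
							Username: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							Password: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						EnableShieldedNodes: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						EnableLegacyABAC:    defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						ResourceLabels: defsecTypes.Map(map[string]string{
							"env": "staging",
						}, defsecTypes.NewTestMetadata()),
						RemoveDefaultNodePool: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
		{
			name: "default node pool",
			terraform: `

resource "google_container_cluster" "example" {
  node_config {
    service_account = "service-account"
    metadata = {
      disable-legacy-endpoints = true
    }
    image_type = "COS"
    workload_metadata_config {
      mode = "GCE_METADATA"
    }
  }
}
`,
			expected: gke.GKE{
				Clusters: []gke.Cluster{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						NodeConfig: gke.NodeConfig{
							Metadata:  defsecTypes.NewTestMetadata(),
							ImageType: defsecTypes.String("COS", defsecTypes.NewTestMetadata()),
							WorkloadMetadataConfig: gke.WorkloadMetadataConfig{
								Metadata:     defsecTypes.NewTestMetadata(),
								NodeMetadata: defsecTypes.String("GCE_METADATA", defsecTypes.NewTestMetadata()),
							},
							// A literal service_account is carried through unchanged.
							ServiceAccount:        defsecTypes.String("service-account", defsecTypes.NewTestMetadata()),
							EnableLegacyEndpoints: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},

						IPAllocationPolicy: gke.IPAllocationPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						MasterAuthorizedNetworks: gke.MasterAuthorizedNetworks{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							CIDRs:    []defsecTypes.StringValue{},
						},
						NetworkPolicy: gke.NetworkPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						PrivateCluster: gke.PrivateCluster{
							Metadata:           defsecTypes.NewTestMetadata(),
							EnablePrivateNodes: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						LoggingService:    defsecTypes.String("logging.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						MonitoringService: defsecTypes.String("monitoring.googleapis.com/kubernetes", defsecTypes.NewTestMetadata()),
						PodSecurityPolicy: gke.PodSecurityPolicy{
							Metadata: defsecTypes.NewTestMetadata(),
							Enabled:  defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						},
						MasterAuth: gke.MasterAuth{
							Metadata: defsecTypes.NewTestMetadata(),
							ClientCertificate: gke.ClientCertificate{
								Metadata:         defsecTypes.NewTestMetadata(),
								IssueCertificate: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
							},
							Username: defsecTypes.String("", defsecTypes.NewTestMetadata()),
							Password: defsecTypes.String("", defsecTypes.NewTestMetadata()),
						},
						// Not set in the fixture, yet adapted as true: the adapter's
						// default for enable_shielded_nodes is "on".
						EnableShieldedNodes:   defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
						EnableLegacyABAC:      defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
						ResourceLabels:        defsecTypes.Map(map[string]string{}, defsecTypes.NewTestMetadata()),
						RemoveDefaultNodePool: defsecTypes.Bool(false, defsecTypes.NewTestMetadata()),
					},
				},
			},
		},
	}

	for _, test := range tests {
		t.Run(test.name, func(t *testing.T) {
			modules := tftestutil.CreateModulesFromSource(t, test.terraform, ".tf")
			adapted := Adapt(modules)
			testutil.AssertDefsecEqual(t, test.expected, adapted)
		})
	}
}

// TestLines checks that every adapted value keeps a source range pointing at
// the line(s) it came from, so that findings raised by rules can be reported
// against the right line of the Terraform file.
//
// The expected numbers are 1-based line numbers within src; note that src
// starts with a newline, so the cluster resource opens on line 2. Any edit
// to src, including adding or removing blank lines, shifts them.
//
// The cluster-level NodeConfig assertions (lines 49-59) point into the
// google_container_node_pool block, not the cluster's own node_config block,
// matching the "separately defined pool" case in Test_Adapt.
func TestLines(t *testing.T) {
	src := `
resource "google_container_cluster" "example" {

  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
  }
  pod_security_policy_config {
    enabled = "true"
  }

  enable_legacy_abac    = "true"
  enable_shielded_nodes = "true"

  remove_default_node_pool = true
  monitoring_service       = "monitoring.googleapis.com/kubernetes"
  logging_service          = "logging.googleapis.com/kubernetes"

  master_auth {
    client_certificate_config {
      issue_client_certificate = true
    }
  }

  master_authorized_networks_config {
    cidr_blocks {
      cidr_block = "10.10.128.0/24"
    }
  }

  resource_labels = {
    "env" = "staging"
  }

  private_cluster_config {
    enable_private_nodes = true
  }

  network_policy {
    enabled = true
  }
  ip_allocation_policy {}
}

resource "google_container_node_pool" "primary_preemptible_nodes" {
  cluster = google_container_cluster.example.name

  node_config {
    metadata = {
      disable-legacy-endpoints = true
    }
    service_account = google_service_account.default.email
    image_type      = "COS_CONTAINERD"

    workload_metadata_config {
      mode = "GCE_METADATA"
    }
  }
  management {
    auto_repair  = true
    auto_upgrade = true
  }
}
`

	modules := tftestutil.CreateModulesFromSource(t, src, ".tf")
	adapted := Adapt(modules)

	require.Len(t, adapted.Clusters, 1)
	cluster := adapted.Clusters[0]

	// Guard the index below: a missing pool should fail with a message,
	// not an index-out-of-range panic that hides the adaptation problem.
	require.Len(t, cluster.NodePools, 1)
	nodePool := cluster.NodePools[0]

	assert.Equal(t, 2, cluster.Metadata.Range().GetStartLine())
	assert.Equal(t, 44, cluster.Metadata.Range().GetEndLine())

	assert.Equal(t, 49, cluster.NodeConfig.Metadata.Range().GetStartLine())
	assert.Equal(t, 59, cluster.NodeConfig.Metadata.Range().GetEndLine())

	assert.Equal(t, 50, cluster.NodeConfig.EnableLegacyEndpoints.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 52, cluster.NodeConfig.EnableLegacyEndpoints.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 9, cluster.PodSecurityPolicy.Metadata.Range().GetStartLine())
	assert.Equal(t, 11, cluster.PodSecurityPolicy.Metadata.Range().GetEndLine())

	assert.Equal(t, 10, cluster.PodSecurityPolicy.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 10, cluster.PodSecurityPolicy.Enabled.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 13, cluster.EnableLegacyABAC.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 13, cluster.EnableLegacyABAC.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 14, cluster.EnableShieldedNodes.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 14, cluster.EnableShieldedNodes.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 16, cluster.RemoveDefaultNodePool.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 16, cluster.RemoveDefaultNodePool.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 17, cluster.MonitoringService.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 17, cluster.MonitoringService.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 18, cluster.LoggingService.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 18, cluster.LoggingService.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 20, cluster.MasterAuth.Metadata.Range().GetStartLine())
	assert.Equal(t, 24, cluster.MasterAuth.Metadata.Range().GetEndLine())

	assert.Equal(t, 21, cluster.MasterAuth.ClientCertificate.Metadata.Range().GetStartLine())
	assert.Equal(t, 23, cluster.MasterAuth.ClientCertificate.Metadata.Range().GetEndLine())

	assert.Equal(t, 22, cluster.MasterAuth.ClientCertificate.IssueCertificate.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 22, cluster.MasterAuth.ClientCertificate.IssueCertificate.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 26, cluster.MasterAuthorizedNetworks.Metadata.Range().GetStartLine())
	assert.Equal(t, 30, cluster.MasterAuthorizedNetworks.Metadata.Range().GetEndLine())

	// Same guard for the CIDR list before indexing it.
	require.Len(t, cluster.MasterAuthorizedNetworks.CIDRs, 1)
	assert.Equal(t, 28, cluster.MasterAuthorizedNetworks.CIDRs[0].GetMetadata().Range().GetStartLine())
	assert.Equal(t, 28, cluster.MasterAuthorizedNetworks.CIDRs[0].GetMetadata().Range().GetEndLine())

	assert.Equal(t, 32, cluster.ResourceLabels.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 34, cluster.ResourceLabels.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 36, cluster.PrivateCluster.Metadata.Range().GetStartLine())
	assert.Equal(t, 38, cluster.PrivateCluster.Metadata.Range().GetEndLine())

	assert.Equal(t, 37, cluster.PrivateCluster.EnablePrivateNodes.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 37, cluster.PrivateCluster.EnablePrivateNodes.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 40, cluster.NetworkPolicy.Metadata.Range().GetStartLine())
	assert.Equal(t, 42, cluster.NetworkPolicy.Metadata.Range().GetEndLine())

	assert.Equal(t, 41, cluster.NetworkPolicy.Enabled.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 41, cluster.NetworkPolicy.Enabled.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 43, cluster.IPAllocationPolicy.Metadata.Range().GetStartLine())
	assert.Equal(t, 43, cluster.IPAllocationPolicy.Metadata.Range().GetEndLine())

	assert.Equal(t, 46, nodePool.Metadata.Range().GetStartLine())
	assert.Equal(t, 64, nodePool.Metadata.Range().GetEndLine())

	assert.Equal(t, 49, nodePool.NodeConfig.Metadata.Range().GetStartLine())
	assert.Equal(t, 59, nodePool.NodeConfig.Metadata.Range().GetEndLine())

	assert.Equal(t, 53, nodePool.NodeConfig.ServiceAccount.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 53, nodePool.NodeConfig.ServiceAccount.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 54, nodePool.NodeConfig.ImageType.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 54, nodePool.NodeConfig.ImageType.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 56, nodePool.NodeConfig.WorkloadMetadataConfig.Metadata.Range().GetStartLine())
	assert.Equal(t, 58, nodePool.NodeConfig.WorkloadMetadataConfig.Metadata.Range().GetEndLine())

	assert.Equal(t, 57, nodePool.NodeConfig.WorkloadMetadataConfig.NodeMetadata.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 57, nodePool.NodeConfig.WorkloadMetadataConfig.NodeMetadata.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 60, nodePool.Management.Metadata.Range().GetStartLine())
	assert.Equal(t, 63, nodePool.Management.Metadata.Range().GetEndLine())

	assert.Equal(t, 61, nodePool.Management.EnableAutoRepair.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 61, nodePool.Management.EnableAutoRepair.GetMetadata().Range().GetEndLine())

	assert.Equal(t, 62, nodePool.Management.EnableAutoUpgrade.GetMetadata().Range().GetStartLine())
	assert.Equal(t, 62, nodePool.Management.EnableAutoUpgrade.GetMetadata().Range().GetEndLine())

}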