package cloudwatch

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/stretchr/testify/assert"
)

// TestCheckRouteTableChangeAlarm runs requireRouteTableChangeAlarm against two
// states that share one logging, multi-region CloudTrail trail delivering to a
// CloudWatch log group. The rule is expected to stay quiet when that log group
// has a metric filter covering the route table API calls plus an alarm keyed on
// the same metric, and to report a failure when the log group has no metric
// filters at all.
func TestCheckRouteTableChangeAlarm(t *testing.T) {
	// Shared by the trail's CloudWatchLogsLogGroupArn and the log group's Arn so
	// the trail can be tied to the log group whose filters are inspected.
	const logGroupARN = "arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging"

	// Filter pattern covering the EC2 route table mutation events.
	const routeTablePattern = `{($.eventName=CreateRoute) || 
($.eventName=CreateRouteTable) || ($.eventName=ReplaceRoute) || 
($.eventName=ReplaceRouteTableAssociation) || ($.eventName=DeleteRouteTable) || 
($.eventName=DeleteRoute) || ($.eventName=DisassociateRouteTable)}`

	// newTrail returns a fresh logging, multi-region trail for each case so the
	// cases never share backing storage.
	newTrail := func() cloudtrail.CloudTrail {
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{
				{
					Metadata:                  defsecTypes.NewTestMetadata(),
					CloudWatchLogsLogGroupArn: defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
					IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	tests := []struct {
		name       string
		cloudtrail cloudtrail.CloudTrail
		cloudwatch cloudwatch.CloudWatch
		// expected is true when the rule should emit a failed result for this state.
		expected bool
	}{
		{
			name:       "Multi-region CloudTrail alarms on route table changes",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Arn:      defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
						MetricFilters: []cloudwatch.MetricFilter{
							{
								Metadata:      defsecTypes.NewTestMetadata(),
								FilterName:    defsecTypes.String("RouteTableChange", defsecTypes.NewTestMetadata()),
								FilterPattern: defsecTypes.String(routeTablePattern, defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						AlarmName:  defsecTypes.String("RouteTableChange", defsecTypes.NewTestMetadata()),
						MetricName: defsecTypes.String("RouteTableChange", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								ID:       defsecTypes.String("RouteTableChange", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
			expected: false,
		},
		{
			name:       "Multi-region CloudTrail has no filter for route table changes",
			cloudtrail: newTrail(),
			cloudwatch: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					{
						Metadata:      defsecTypes.NewTestMetadata(),
						Arn:           defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
						MetricFilters: []cloudwatch.MetricFilter{},
					},
				},
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:  defsecTypes.NewTestMetadata(),
						AlarmName: defsecTypes.String("RouteTableChange", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{},
						},
					},
				},
			},
			expected: true,
		},
	}

	// Only failed results carrying this rule's own ID count as the rule firing.
	wantID := requireRouteTableChangeAlarm.Rule().LongID()

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			var s state.State
			s.AWS.CloudTrail = tc.cloudtrail
			s.AWS.CloudWatch = tc.cloudwatch

			failed := false
			for _, r := range requireRouteTableChangeAlarm.Evaluate(&s) {
				if r.Status() != scan.StatusFailed || r.Rule().LongID() != wantID {
					continue
				}
				failed = true
				break
			}

			if tc.expected {
				assert.True(t, failed, "Rule should have been found")
			} else {
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}