package cloudwatch

import (
	"testing"

	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudtrail"
	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/cloudwatch"
	"github.com/khulnasoft-lab/defsec/pkg/scan"
	"github.com/khulnasoft-lab/defsec/pkg/state"
	"github.com/stretchr/testify/assert"
)

// TestCheckVPCChangeAlarm evaluates requireVPCChangeAlarm against two
// hand-built AWS states. In the first, a logging, multi-region CloudTrail
// ships to a CloudWatch log group that carries a metric filter over the VPC
// lifecycle, peering and ClassicLink API calls, and an alarm references that
// metric; no failed result is expected. In the second, the same trail and log
// group exist but the log group has no metric filters at all; a failed result
// from this rule is expected. Each case's wantFailure flag says which of the
// two outcomes the evaluation output must contain.
func TestCheckVPCChangeAlarm(t *testing.T) {
	// Both cases wire the trail to the same log group ARN; only the metric
	// filters and alarms on that log group differ.
	const logGroupARN = "arn:aws:cloudwatch:us-east-1:123456789012:log-group:cloudtrail-logging"

	// CloudWatch Logs filter pattern covering the VPC API calls the rule is
	// about. The embedded line breaks are part of the pattern literal as the
	// original test wrote it, so they are kept rather than joined.
	const vpcChangePattern = `{($.eventName=CreateVpc) || 
($.eventName=DeleteVpc) || ($.eventName=ModifyVpcAttribute) || 
($.eventName=AcceptVpcPeeringConnection) || ($.eventName=CreateVpcPeeringConnection) || 
($.eventName=DeleteVpcPeeringConnection) || ($.eventName=RejectVpcPeeringConnection) || 
($.eventName=AttachClassicLinkVpc) || ($.eventName=DetachClassicLinkVpc) || 
($.eventName=DisableVpcClassicLink) || ($.eventName=EnableVpcClassicLink)}`

	// loggingMultiRegionTrail builds the one trail both cases share: logging
	// enabled, multi-region, delivering to logGroupARN. Metadata is created
	// fresh on every call so no two fields share a metadata value.
	loggingMultiRegionTrail := func() cloudtrail.CloudTrail {
		return cloudtrail.CloudTrail{
			Trails: []cloudtrail.Trail{
				{
					Metadata:                  defsecTypes.NewTestMetadata(),
					CloudWatchLogsLogGroupArn: defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
					IsLogging:                 defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
					IsMultiRegion:             defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
				},
			},
		}
	}

	cases := []struct {
		name        string
		trail       cloudtrail.CloudTrail
		cw          cloudwatch.CloudWatch
		wantFailure bool
	}{
		{
			name:  "Multi-region CloudTrail alarms on VPC changes",
			trail: loggingMultiRegionTrail(),
			cw: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					{
						Metadata: defsecTypes.NewTestMetadata(),
						Arn:      defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
						MetricFilters: []cloudwatch.MetricFilter{
							{
								Metadata:      defsecTypes.NewTestMetadata(),
								FilterName:    defsecTypes.String("VPCChange", defsecTypes.NewTestMetadata()),
								FilterPattern: defsecTypes.String(vpcChangePattern, defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
				// The alarm's MetricName and its metric query ID both match the
				// filter name, which is how the compliant case ties alarm and
				// filter together.
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:   defsecTypes.NewTestMetadata(),
						AlarmName:  defsecTypes.String("VPCChange", defsecTypes.NewTestMetadata()),
						MetricName: defsecTypes.String("VPCChange", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{
								Metadata: defsecTypes.NewTestMetadata(),
								ID:       defsecTypes.String("VPCChange", defsecTypes.NewTestMetadata()),
							},
						},
					},
				},
			},
			wantFailure: false,
		},
		{
			name:  "Multi-region CloudTrail has no filter for VPC changes",
			trail: loggingMultiRegionTrail(),
			cw: cloudwatch.CloudWatch{
				LogGroups: []cloudwatch.LogGroup{
					{
						Metadata:      defsecTypes.NewTestMetadata(),
						Arn:           defsecTypes.String(logGroupARN, defsecTypes.NewTestMetadata()),
						MetricFilters: []cloudwatch.MetricFilter{},
					},
				},
				// An alarm is still present here, but with no MetricName and a
				// zero-value metric query, so the expected failure presumably
				// stems from the missing metric filter rather than from a
				// missing alarm — confirm against the rule's logic.
				Alarms: []cloudwatch.Alarm{
					{
						Metadata:  defsecTypes.NewTestMetadata(),
						AlarmName: defsecTypes.String("VPCChange", defsecTypes.NewTestMetadata()),
						Metrics: []cloudwatch.MetricDataQuery{
							{},
						},
					},
				},
			},
			wantFailure: true,
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			st := state.State{}
			st.AWS.CloudTrail = tc.trail
			st.AWS.CloudWatch = tc.cw

			// A case "fails" only if the evaluation emits a failed result whose
			// rule long ID is this rule's; results from other rules or with
			// other statuses do not count.
			wantID := requireVPCChangeAlarm.Rule().LongID()
			failed := false
			for _, r := range requireVPCChangeAlarm.Evaluate(&st) {
				if r.Status() == scan.StatusFailed && r.Rule().LongID() == wantID {
					failed = true
					break
				}
			}

			switch {
			case tc.wantFailure:
				assert.True(t, failed, "Rule should have been found")
			default:
				assert.False(t, failed, "Rule should not have been found")
			}
		})
	}
}