def test_rule_supports_filter_config(bad_template_clusters_with_bad_instances,
                                     default_allow_all_config):
    """A rule built with the allow-all config reports nothing on a bad template.

    Another test on this page runs the rule with no config (``None``) against
    a fixture of the same name and expects it to fail. Here the only
    difference is the config object, so a passing run shows that filter
    configuration can silence every password finding.

    NOTE(review): what ``default_allow_all_config`` actually allows is
    defined in the fixture, not here -- confirm it is only used in tests.
    """
    outcome = HardcodedRDSPasswordRule(default_allow_all_config).invoke(
        bad_template_clusters_with_bad_instances)

    # Valid overall, and the failure list is empty rather than merely short.
    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_failures_are_raised_for_instances(bad_template_instances):
    """Both instance-level password findings are reported with full metadata.

    Two distinct problems are expected from the fixture template:

    * ``BadDb3`` -- the password parameter is missing ``NoEcho``, the
      CloudFormation parameter property that masks the value when the
      parameter is displayed.
    * ``BadDb5`` -- the password parameter has a default, which the rule
      reports as readable in plain text.

    Each failure must be a blocking, medium-risk, resource-level finding tied
    to the ``AWS::RDS::DBInstance`` resource type.
    """
    outcome = HardcodedRDSPasswordRule(None).invoke(bad_template_instances)

    assert not outcome.valid

    missing_no_echo = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="RDS Instance password parameter missing NoEcho for BadDb3.",
        risk_value=RuleRisk.MEDIUM,
        rule="HardcodedRDSPasswordRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"BadDb3"},
        resource_types={"AWS::RDS::DBInstance"},
    )
    plaintext_default = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="Default RDS Instance password parameter (readable in plain-text) for BadDb5.",
        risk_value=RuleRisk.MEDIUM,
        rule="HardcodedRDSPasswordRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"BadDb5"},
        resource_types={"AWS::RDS::DBInstance"},
    )
    assert compare_lists_of_failures(
        outcome.failures, [missing_no_echo, plaintext_default])
def test_failures_are_raised_for_clusters(bad_template_clusters):
    """A cluster whose password parameter lacks NoEcho yields one blocking failure.

    The rule writes into a caller-supplied ``Result``. Exactly one entry is
    expected in ``failed_rules`` and none in ``failed_monitored_rules``, so
    the finding is enforced rather than only monitored.
    """
    outcome = Result()
    HardcodedRDSPasswordRule(None, outcome).invoke(bad_template_clusters)

    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert len(outcome.failed_monitored_rules) == 0

    only_failure = outcome.failed_rules[0]
    assert only_failure.rule == "HardcodedRDSPasswordRule"
    assert only_failure.reason == "RDS Cluster password parameter missing NoEcho for BadCluster1."
def test_failures_are_raised_for_instances_without_protected_clusters(bad_template_good_clusters_with_bad_instances):
    """An instance with a plain-text default password fails the rule.

    The single expected failure names ``BadDb5`` and nothing else, so no
    cluster finding is produced for this template.

    NOTE(review): the fixture name suggests the clusters are correctly
    protected and only the instance is bad -- confirm against the template.
    """
    outcome = Result()
    HardcodedRDSPasswordRule(None, outcome).invoke(
        bad_template_good_clusters_with_bad_instances)

    assert not outcome.valid
    assert len(outcome.failed_rules) == 1
    assert len(outcome.failed_monitored_rules) == 0

    only_failure = outcome.failed_rules[0]
    assert only_failure.rule == "HardcodedRDSPasswordRule"
    assert only_failure.reason == "Default RDS Instance password parameter (readable in plain-text) for BadDb5."
def test_failures_are_raised_for_instances(bad_template_instances):
    """Two blocking instance findings are recorded, in a fixed order.

    The missing-NoEcho finding for ``BadDb3`` must come first and the
    plain-text default finding for ``BadDb5`` second. Nothing may land in
    ``failed_monitored_rules``.
    """
    outcome = Result()
    HardcodedRDSPasswordRule(None, outcome).invoke(bad_template_instances)

    assert not outcome.valid
    assert len(outcome.failed_rules) == 2
    assert len(outcome.failed_monitored_rules) == 0

    missing_no_echo = outcome.failed_rules[0]
    assert missing_no_echo.rule == "HardcodedRDSPasswordRule"
    assert missing_no_echo.reason == "RDS Instance password parameter missing NoEcho for BadDb3."

    plaintext_default = outcome.failed_rules[1]
    assert plaintext_default.rule == "HardcodedRDSPasswordRule"
    assert plaintext_default.reason == "Default RDS Instance password parameter (readable in plain-text) for BadDb5."
def test_failures_are_raised_for_bad_instances_and_bad_clusters(
        bad_template_clusters_with_bad_instances):
    """Cluster and instance password problems are both reported for one template.

    The cluster's plain-text default (``BadCluster99``) is expected at index
    0 and the instance's missing NoEcho (``BadDb33``) at index 1, so the test
    also pins the order in which the rule reports them.
    """
    outcome = HardcodedRDSPasswordRule(None).invoke(
        bad_template_clusters_with_bad_instances)

    assert not outcome.valid
    assert len(outcome.failed_rules) == 2
    assert len(outcome.failed_monitored_rules) == 0

    cluster_failure = outcome.failed_rules[0]
    assert cluster_failure.rule == "HardcodedRDSPasswordRule"
    assert cluster_failure.reason == "Default RDS Cluster password parameter (readable in plain-text) for BadCluster99."

    instance_failure = outcome.failed_rules[1]
    assert instance_failure.rule == "HardcodedRDSPasswordRule"
    assert instance_failure.reason == "RDS Instance password parameter missing NoEcho for BadDb33."
def test_failures_are_raised_for_clusters(bad_template_clusters):
    """A cluster password parameter without NoEcho yields one structured failure.

    The expected ``Failure`` is a blocking, medium-risk, resource-level
    finding for ``BadCluster1``. No ``resource_types`` value is passed when
    building the expected object.
    """
    outcome = HardcodedRDSPasswordRule(None).invoke(bad_template_clusters)

    assert not outcome.valid

    missing_no_echo = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="RDS Cluster password parameter missing NoEcho for BadCluster1.",
        risk_value=RuleRisk.MEDIUM,
        rule="HardcodedRDSPasswordRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"BadCluster1"},
    )
    assert compare_lists_of_failures(outcome.failures, [missing_no_echo])
def test_failures_are_raised_for_instances_without_protected_clusters(
        bad_template_good_clusters_with_bad_instances):
    """Only the instance with a plain-text default password is reported.

    The expected list holds one blocking, medium-risk ``Failure`` for
    ``BadDb5``. The comparison would fail if a cluster finding were also
    produced.

    NOTE(review): the fixture name suggests the clusters in the template are
    correctly protected -- confirm against the template.
    """
    outcome = HardcodedRDSPasswordRule(None).invoke(
        bad_template_good_clusters_with_bad_instances)

    assert not outcome.valid

    plaintext_default = Failure(
        granularity=RuleGranularity.RESOURCE,
        reason="Default RDS Instance password parameter (readable in plain-text) for BadDb5.",
        risk_value=RuleRisk.MEDIUM,
        rule="HardcodedRDSPasswordRule",
        rule_mode=RuleMode.BLOCKING,
        actions=None,
        resource_ids={"BadDb5"},
    )
    assert compare_lists_of_failures(outcome.failures, [plaintext_default])
def test_passed_cluster_pw_protected(good_template_clusters_and_instances):
    """A known-good template passes the rule with no failures at all.

    This is the negative control for the failure tests: it guards against
    the rule flagging password parameters that are handled correctly.
    """
    outcome = HardcodedRDSPasswordRule(None).invoke(
        good_template_clusters_and_instances)

    assert outcome.valid
    assert compare_lists_of_failures(outcome.failures, [])
def test_passed_cluster_pw_protected(good_template_clusters_and_instances):
    """Check that a known-good template leaves the supplied Result valid.

    NOTE(review): the fixture name suggests both clusters and instances have
    protected password parameters -- confirm against the template.
    """
    # The rule records its findings in the Result passed to the constructor.
    result = Result()
    rule = HardcodedRDSPasswordRule(None, result)
    rule.invoke(good_template_clusters_and_instances)

    assert result.valid