def test_run_persistent_data(self):
resources_path = os.path.join(
os.path.dirname(os.path.dirname(__file__)), "resources",
"graph_files_test")
runner = Runner()
data_path = os.path.join(os.path.dirname(__file__),
"persistent_data.json")
with open(data_path) as f:
data = json.load(f)
tf_definitions = data["tf_definitions"]
breadcrumbs = data["breadcrumbs"]
definitions_context = data["definitions_context"]
runner.set_external_data(tf_definitions, definitions_context,
breadcrumbs)
report = runner.run(root_folder=resources_path)
self.assertGreaterEqual(len(report.failed_checks), 4)
self.assertEqual(len(report.passed_checks), 6)
self.assertEqual(len(report.skipped_checks), 0)
def test_external_definitions_context(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
tf_dir_path = current_dir + "/resources/valid_tf_only_passed_checks"
external_definitions_context = {
f'{current_dir}/resources/valid_tf_only_passed_checks/example.tf':
{
'resource': {
'aws_s3_bucket': {
'foo-bucket': {
'start_line':
1,
'end_line':
34,
'code_lines':
[(1, 'resource "aws_s3_bucket" "foo-bucket" {\n'),
(2, ' region = var.region\n'),
(3, ' bucket = local.bucket_name\n'),
(4, ' force_destroy = true\n'),
(5, ' tags = {\n'),
(6,
' Name = "foo-${data.aws_caller_identity.current.account_id}"\n'
), (7, ' }\n'), (8, ' versioning {\n'),
(9, ' enabled = true\n'),
(10, ' mfa_delete = true\n'), (11, ' }\n'),
(12, ' logging {\n'),
(13,
' target_bucket = "${aws_s3_bucket.log_bucket.id}"\n'
), (14, ' target_prefix = "log/"\n'),
(15, ' }\n'),
(16,
' server_side_encryption_configuration {\n'),
(17, ' rule {\n'),
(18,
' apply_server_side_encryption_by_default {\n'
),
(19,
' kms_master_key_id = "${aws_kms_key.mykey.arn}"\n'
),
(20, ' sse_algorithm = "aws:kms"\n'),
(21, ' }\n'), (22, ' }\n'), (23, ' }\n'),
(24, ' acl = "private"\n'),
(25, ' tags = "${merge\n'), (26, ' (\n'),
(27, ' var.common_tags,\n'),
(28, ' map(\n'),
(29, ' "name", "VM Virtual Machine",\n'),
(30, ' "group", "foo"\n'), (31,
' )\n'),
(32, ' )\n'), (33, ' }"\n'), (34, '}\n')],
'skipped_checks': []
}
},
'null_resource': {
'example': {
'start_line':
36,
'end_line':
46,
'code_lines':
[(36, 'resource "null_resource" "example" {\n'),
(37, ' tags = "${merge\n'), (38, '(\n'),
(39, 'var.common_tags,\n'), (40, 'map(\n'),
(41,
'"name", "VM Base Post Provisioning Library",\n'
), (42, '"group", "aut",\n'),
(43,
'"dependency", "${var.input_dependency_value}")\n'
), (44, ')\n'), (45, '}"\n'), (46, '}\n')],
'skipped_checks': []
}
}
},
'data': {
'aws_caller_identity': {
'current': {
'start_line': 47,
'end_line': 0,
'code_lines': [],
'skipped_checks': []
}
}
},
'provider': {
'kubernetes': {
'default': {
'start_line':
49,
'end_line':
55,
'code_lines':
[(49, 'provider "kubernetes" {\n'),
(50, ' version = "1.10.0"\n'),
(51,
' host = module.aks_cluster.kube_config.0.host\n'
),
(52,
' client_certificate = base64decode(module.aks_cluster.kube_config.0.client_certificate)\n'
),
(53,
'client_key = base64decode(module.aks_cluster.kube_config.0.client_key)\n'
),
(54,
'cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)\n'
), (55, '}\n')],
'skipped_checks': []
}
}
},
'module': {
'module': {
'new_relic': {
'start_line':
57,
'end_line':
67,
'code_lines':
[(57, 'module "new_relic" {\n'),
(58,
'source = "s3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip"\n'
),
(59,
'kubernetes_host = module.aks_cluster.kube_config.0.host\n'
),
(60,
'kubernetes_client_certificate = base64decode(module.aks_cluster.kube_config.0.client_certificate)\n'
),
(61,
'kubernetes_client_key = base64decode(module.aks_cluster.kube_config.0.client_key)\n'
),
(62,
'kubernetes_cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)\n'
),
(63,
'cluster_name = module.naming_conventions.aks_name\n'
),
(64,
'new_relic_license = data.vault_generic_secret.new_relic_license.data["license"]\n'
),
(65,
'cluster_ca_bundle_b64 = module.aks_cluster.kube_config.0.cluster_ca_certificate\n'
),
(66,
'module_depends_on = [null_resource.delay_aks_deployments]\n'
), (67, '}')],
'skipped_checks': []
}
}
}
},
f'{current_dir}/resources/valid_tf_only_passed_checks/example_skip_acl.tf':
{
'resource': {
'aws_s3_bucket': {
'foo-bucket': {
'start_line':
1,
'end_line':
26,
'code_lines':
[(1, 'resource "aws_s3_bucket" "foo-bucket" {\n'),
(2, ' region = var.region\n'),
(3, ' bucket = local.bucket_name\n'),
(4, ' force_destroy = true\n'),
(5,
' #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n'
), (6, ' #bridgecrew:skip=CKV_AWS_52: foo\n'),
(7, ' tags = {\n'),
(8,
' Name = "foo-${data.aws_caller_identity.current.account_id}"\n'
), (9, ' }\n'), (10, ' versioning {\n'),
(11, ' enabled = true\n'), (12, ' }\n'),
(13, ' logging {\n'),
(14,
' target_bucket = "${aws_s3_bucket.log_bucket.id}"\n'
), (15, ' target_prefix = "log/"\n'),
(16, ' }\n'),
(17,
' server_side_encryption_configuration {\n'),
(18, ' rule {\n'),
(19,
' apply_server_side_encryption_by_default {\n'
),
(20,
' kms_master_key_id = "${aws_kms_key.mykey.arn}"\n'
),
(21, ' sse_algorithm = "aws:kms"\n'),
(22, ' }\n'), (23, ' }\n'), (24, ' }\n'),
(25, ' acl = "public-read"\n'),
(26, '}\n')],
'skipped_checks': [{
'id':
'CKV_AWS_20',
'suppress_comment':
'The bucket is a public static content host'
}, {
'id': 'CKV_AWS_52',
'suppress_comment': ' foo'
}]
}
}
},
'data': {
'aws_caller_identity': {
'current': {
'start_line': 27,
'end_line': 0,
'code_lines': [],
'skipped_checks': []
}
}
}
}
}
tf_definitions = {
'/Users/nkor/dev/checkov_v2/tests/terraform/runner/resources/valid_tf_only_passed_checks/example.tf':
{
'resource': [{
'aws_s3_bucket': {
'foo-bucket': {
'region': ['${var.region}'],
'bucket': ['${local.bucket_name}'],
'force_destroy': [True],
'versioning': [{
'enabled': [True],
'mfa_delete': [True]
}],
'logging': [{
'target_bucket':
['${aws_s3_bucket.log_bucket.id}'],
'target_prefix': ['log/']
}],
'server_side_encryption_configuration': [{
'rule': [{
'apply_server_side_encryption_by_default':
[{
'kms_master_key_id':
['${aws_kms_key.mykey.arn}'],
'sse_algorithm': ['aws:kms']
}]
}]
}],
'acl': ['private'],
'tags': [
'${merge\n (\n var.common_tags,\n map(\n "name", "VM Virtual Machine",\n "group", "foo"\n )\n )\n }'
]
}
}
}],
'data': [{
'aws_caller_identity': {
'current': {}
}
}],
'provider': [{
'kubernetes': {
'version': ['1.10.0'],
'host': ['${module.aks_cluster.kube_config[0].host}'],
'client_certificate': [
'${base64decode(module.aks_cluster.kube_config[0].client_certificate)}'
],
'client_key': [
'${base64decode(module.aks_cluster.kube_config[0].client_key)}'
],
'cluster_ca_certificate': [
'${base64decode(module.aks_cluster.kube_config[0].cluster_ca_certificate)}'
]
}
}],
'module': [{
'new_relic': {
'source': [
's3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip'
],
'kubernetes_host':
['${module.aks_cluster.kube_config[0].host}'],
'kubernetes_client_certificate': [
'${base64decode(module.aks_cluster.kube_config[0].client_certificate)}'
],
'kubernetes_client_key': [
'${base64decode(module.aks_cluster.kube_config[0].client_key)}'
],
'kubernetes_cluster_ca_certificate': [
'${base64decode(module.aks_cluster.kube_config[0].cluster_ca_certificate)}'
],
'cluster_name':
['${module.naming_conventions.aks_name}'],
'new_relic_license': [
'${data.vault_generic_secret.new_relic_license.data["license"]}'
],
'cluster_ca_bundle_b64': [
'${module.aks_cluster.kube_config[0].cluster_ca_certificate}'
],
'module_depends_on':
[['${null_resource.delay_aks_deployments}']]
}
}]
},
'/Users/nkor/dev/checkov_v2/tests/terraform/runner/resources/valid_tf_only_passed_checks/example_skip_acl.tf':
{
'resource': [{
'aws_s3_bucket': {
'foo-bucket': {
'region': ['${var.region}'],
'bucket': ['${local.bucket_name}'],
'force_destroy': [True],
'tags': [{
'Name':
'foo-${data.aws_caller_identity.current.account_id}'
}],
'versioning': [{
'enabled': [True]
}],
'logging': [{
'target_bucket':
['${aws_s3_bucket.log_bucket.id}'],
'target_prefix': ['log/']
}],
'server_side_encryption_configuration': [{
'rule': [{
'apply_server_side_encryption_by_default':
[{
'kms_master_key_id':
['${aws_kms_key.mykey.arn}'],
'sse_algorithm': ['aws:kms']
}]
}]
}],
'acl': ['public-read']
}
}
}],
'data': [{
'aws_caller_identity': {
'current': {}
}
}]
}
}
runner = Runner()
parser = Parser()
runner.tf_definitions = tf_definitions
runner.set_external_data(tf_definitions,
external_definitions_context,
breadcrumbs={})
parser.parse_directory(tf_dir_path, tf_definitions)
report = Report('terraform')
runner.check_tf_definition(root_folder=tf_dir_path,
report=report,
runner_filter=RunnerFilter())
self.assertGreaterEqual(len(report.passed_checks), 1)
