def test_run_persistent_data(self): resources_path = os.path.join( os.path.dirname(os.path.dirname(__file__)), "resources", "graph_files_test") runner = Runner() data_path = os.path.join(os.path.dirname(__file__), "persistent_data.json") with open(data_path) as f: data = json.load(f) tf_definitions = data["tf_definitions"] breadcrumbs = data["breadcrumbs"] definitions_context = data["definitions_context"] runner.set_external_data(tf_definitions, definitions_context, breadcrumbs) report = runner.run(root_folder=resources_path) self.assertGreaterEqual(len(report.failed_checks), 4) self.assertEqual(len(report.passed_checks), 6) self.assertEqual(len(report.skipped_checks), 0)
def test_external_definitions_context(self): current_dir = os.path.dirname(os.path.realpath(__file__)) tf_dir_path = current_dir + "/resources/valid_tf_only_passed_checks" external_definitions_context = { f'{current_dir}/resources/valid_tf_only_passed_checks/example.tf': { 'resource': { 'aws_s3_bucket': { 'foo-bucket': { 'start_line': 1, 'end_line': 34, 'code_lines': [(1, 'resource "aws_s3_bucket" "foo-bucket" {\n'), (2, ' region = var.region\n'), (3, ' bucket = local.bucket_name\n'), (4, ' force_destroy = true\n'), (5, ' tags = {\n'), (6, ' Name = "foo-${data.aws_caller_identity.current.account_id}"\n' ), (7, ' }\n'), (8, ' versioning {\n'), (9, ' enabled = true\n'), (10, ' mfa_delete = true\n'), (11, ' }\n'), (12, ' logging {\n'), (13, ' target_bucket = "${aws_s3_bucket.log_bucket.id}"\n' ), (14, ' target_prefix = "log/"\n'), (15, ' }\n'), (16, ' server_side_encryption_configuration {\n'), (17, ' rule {\n'), (18, ' apply_server_side_encryption_by_default {\n' ), (19, ' kms_master_key_id = "${aws_kms_key.mykey.arn}"\n' ), (20, ' sse_algorithm = "aws:kms"\n'), (21, ' }\n'), (22, ' }\n'), (23, ' }\n'), (24, ' acl = "private"\n'), (25, ' tags = "${merge\n'), (26, ' (\n'), (27, ' var.common_tags,\n'), (28, ' map(\n'), (29, ' "name", "VM Virtual Machine",\n'), (30, ' "group", "foo"\n'), (31, ' )\n'), (32, ' )\n'), (33, ' }"\n'), (34, '}\n')], 'skipped_checks': [] } }, 'null_resource': { 'example': { 'start_line': 36, 'end_line': 46, 'code_lines': [(36, 'resource "null_resource" "example" {\n'), (37, ' tags = "${merge\n'), (38, '(\n'), (39, 'var.common_tags,\n'), (40, 'map(\n'), (41, '"name", "VM Base Post Provisioning Library",\n' ), (42, '"group", "aut",\n'), (43, '"dependency", "${var.input_dependency_value}")\n' ), (44, ')\n'), (45, '}"\n'), (46, '}\n')], 'skipped_checks': [] } } }, 'data': { 'aws_caller_identity': { 'current': { 'start_line': 47, 'end_line': 0, 'code_lines': [], 'skipped_checks': [] } } }, 'provider': { 'kubernetes': { 'default': { 'start_line': 49, 'end_line': 55, 'code_lines': [(49, 'provider "kubernetes" {\n'), (50, ' version = "1.10.0"\n'), (51, ' host = module.aks_cluster.kube_config.0.host\n' ), (52, ' client_certificate = base64decode(module.aks_cluster.kube_config.0.client_certificate)\n' ), (53, 'client_key = base64decode(module.aks_cluster.kube_config.0.client_key)\n' ), (54, 'cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)\n' ), (55, '}\n')], 'skipped_checks': [] } } }, 'module': { 'module': { 'new_relic': { 'start_line': 57, 'end_line': 67, 'code_lines': [(57, 'module "new_relic" {\n'), (58, 'source = "s3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip"\n' ), (59, 'kubernetes_host = module.aks_cluster.kube_config.0.host\n' ), (60, 'kubernetes_client_certificate = base64decode(module.aks_cluster.kube_config.0.client_certificate)\n' ), (61, 'kubernetes_client_key = base64decode(module.aks_cluster.kube_config.0.client_key)\n' ), (62, 'kubernetes_cluster_ca_certificate = base64decode(module.aks_cluster.kube_config.0.cluster_ca_certificate)\n' ), (63, 'cluster_name = module.naming_conventions.aks_name\n' ), (64, 'new_relic_license = data.vault_generic_secret.new_relic_license.data["license"]\n' ), (65, 'cluster_ca_bundle_b64 = module.aks_cluster.kube_config.0.cluster_ca_certificate\n' ), (66, 'module_depends_on = [null_resource.delay_aks_deployments]\n' ), (67, '}')], 'skipped_checks': [] } } } }, f'{current_dir}/resources/valid_tf_only_passed_checks/example_skip_acl.tf': { 'resource': { 'aws_s3_bucket': { 'foo-bucket': { 'start_line': 1, 'end_line': 26, 'code_lines': [(1, 'resource "aws_s3_bucket" "foo-bucket" {\n'), (2, ' region = var.region\n'), (3, ' bucket = local.bucket_name\n'), (4, ' force_destroy = true\n'), (5, ' #checkov:skip=CKV_AWS_20:The bucket is a public static content host\n' ), (6, ' #bridgecrew:skip=CKV_AWS_52: foo\n'), (7, ' tags = {\n'), (8, ' Name = "foo-${data.aws_caller_identity.current.account_id}"\n' ), (9, ' }\n'), (10, ' versioning {\n'), (11, ' enabled = true\n'), (12, ' }\n'), (13, ' logging {\n'), (14, ' target_bucket = "${aws_s3_bucket.log_bucket.id}"\n' ), (15, ' target_prefix = "log/"\n'), (16, ' }\n'), (17, ' server_side_encryption_configuration {\n'), (18, ' rule {\n'), (19, ' apply_server_side_encryption_by_default {\n' ), (20, ' kms_master_key_id = "${aws_kms_key.mykey.arn}"\n' ), (21, ' sse_algorithm = "aws:kms"\n'), (22, ' }\n'), (23, ' }\n'), (24, ' }\n'), (25, ' acl = "public-read"\n'), (26, '}\n')], 'skipped_checks': [{ 'id': 'CKV_AWS_20', 'suppress_comment': 'The bucket is a public static content host' }, { 'id': 'CKV_AWS_52', 'suppress_comment': ' foo' }] } } }, 'data': { 'aws_caller_identity': { 'current': { 'start_line': 27, 'end_line': 0, 'code_lines': [], 'skipped_checks': [] } } } } } tf_definitions = { '/Users/nkor/dev/checkov_v2/tests/terraform/runner/resources/valid_tf_only_passed_checks/example.tf': { 'resource': [{ 'aws_s3_bucket': { 'foo-bucket': { 'region': ['${var.region}'], 'bucket': ['${local.bucket_name}'], 'force_destroy': [True], 'versioning': [{ 'enabled': [True], 'mfa_delete': [True] }], 'logging': [{ 'target_bucket': ['${aws_s3_bucket.log_bucket.id}'], 'target_prefix': ['log/'] }], 'server_side_encryption_configuration': [{ 'rule': [{ 'apply_server_side_encryption_by_default': [{ 'kms_master_key_id': ['${aws_kms_key.mykey.arn}'], 'sse_algorithm': ['aws:kms'] }] }] }], 'acl': ['private'], 'tags': [ '${merge\n (\n var.common_tags,\n map(\n "name", "VM Virtual Machine",\n "group", "foo"\n )\n )\n }' ] } } }], 'data': [{ 'aws_caller_identity': { 'current': {} } }], 'provider': [{ 'kubernetes': { 'version': ['1.10.0'], 'host': ['${module.aks_cluster.kube_config[0].host}'], 'client_certificate': [ '${base64decode(module.aks_cluster.kube_config[0].client_certificate)}' ], 'client_key': [ '${base64decode(module.aks_cluster.kube_config[0].client_key)}' ], 'cluster_ca_certificate': [ '${base64decode(module.aks_cluster.kube_config[0].cluster_ca_certificate)}' ] } }], 'module': [{ 'new_relic': { 'source': [ 's3::https://s3.amazonaws.com/my-artifacts/new-relic-k8s-0.2.5.zip' ], 'kubernetes_host': ['${module.aks_cluster.kube_config[0].host}'], 'kubernetes_client_certificate': [ '${base64decode(module.aks_cluster.kube_config[0].client_certificate)}' ], 'kubernetes_client_key': [ '${base64decode(module.aks_cluster.kube_config[0].client_key)}' ], 'kubernetes_cluster_ca_certificate': [ '${base64decode(module.aks_cluster.kube_config[0].cluster_ca_certificate)}' ], 'cluster_name': ['${module.naming_conventions.aks_name}'], 'new_relic_license': [ '${data.vault_generic_secret.new_relic_license.data["license"]}' ], 'cluster_ca_bundle_b64': [ '${module.aks_cluster.kube_config[0].cluster_ca_certificate}' ], 'module_depends_on': [['${null_resource.delay_aks_deployments}']] } }] }, '/Users/nkor/dev/checkov_v2/tests/terraform/runner/resources/valid_tf_only_passed_checks/example_skip_acl.tf': { 'resource': [{ 'aws_s3_bucket': { 'foo-bucket': { 'region': ['${var.region}'], 'bucket': ['${local.bucket_name}'], 'force_destroy': [True], 'tags': [{ 'Name': 'foo-${data.aws_caller_identity.current.account_id}' }], 'versioning': [{ 'enabled': [True] }], 'logging': [{ 'target_bucket': ['${aws_s3_bucket.log_bucket.id}'], 'target_prefix': ['log/'] }], 'server_side_encryption_configuration': [{ 'rule': [{ 'apply_server_side_encryption_by_default': [{ 'kms_master_key_id': ['${aws_kms_key.mykey.arn}'], 'sse_algorithm': ['aws:kms'] }] }] }], 'acl': ['public-read'] } } }], 'data': [{ 'aws_caller_identity': { 'current': {} } }] } } runner = Runner() parser = Parser() runner.tf_definitions = tf_definitions runner.set_external_data(tf_definitions, external_definitions_context, breadcrumbs={}) parser.parse_directory(tf_dir_path, tf_definitions) report = Report('terraform') runner.check_tf_definition(root_folder=tf_dir_path, report=report, runner_filter=RunnerFilter()) self.assertGreaterEqual(len(report.passed_checks), 1)