def test_passed_list_statement(self):
hcl_res = hcl2.loads("""
data "aws_iam_policy_document" "default" {
statement = [{
actions = ["s3:GetObject"]
resources = ["${aws_s3_bucket.default.arn}/*"]
principals {
type = "AWS"
identifiers = ["*"]
}
}]
# Support replication ARNs
statement = ["${flatten(data.aws_iam_policy_document.replication.*.statement)}"]
# Support deployment ARNs
statement = ["${flatten(data.aws_iam_policy_document.deployment.*.statement)}"]
}
""")
resource_conf = hcl_res['data'][0]['aws_iam_policy_document'][
'default']
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success(self):
resource_conf = {
"statement": [{
"actions": ["Describe*"],
"resources": ["arn:aws:s3:::my_corporate_bucket/*"]
}]
}
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_failure(self):
resource_conf = {
"statement": [{
"actions": ["*"],
"resources": ["*"]
}]
}
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure_no_effect(self):
resource_conf = {
'version': ['2012-10-17'],
'statement': [{
'actions': [['*']],
'resources': [['*']]
}]
}
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_success(self):
resource_conf = {
'version': ['2012-10-17'],
'statement': [{
'actions': [['s3:Describe*']],
'resources': [['*']],
'effect': ['Allow']
}]
}
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)