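def remove_failures_of_whitelisted_resources(config: Config, result: Result):
    """Strip whitelisted resource ids out of ``result.failed_rules`` in place.

    Only failures whose granularity is ``RuleGranularity.RESOURCE`` are
    filtered; every other failure is kept untouched. A resource-level failure
    is dropped entirely when all of its resource ids are whitelisted, or when
    it carries no resource ids at all (that case is logged as a warning, since
    a resource-level failure without resources cannot be attributed).

    Args:
        config: Provides the per-rule whitelist via
            ``config.get_whitelisted_resources(rule)``, a sequence of regex
            patterns.
        result: Scan result whose ``failed_rules`` list is rewritten.

    Returns:
        None. ``result.failed_rules`` (and the ``resource_ids`` of surviving
        failures) are mutated.
    """
    if not result.failed_rules:
        return

    clean_failures = []
    for failure in result.failed_rules:
        if failure.granularity != RuleGranularity.RESOURCE:
            clean_failures.append(failure)
            continue

        if not failure.resource_ids:
            logger.warning(f"Failure with resource granularity doesn't have resources: {failure}")
            continue

        # The whitelist depends only on the rule, not on the resource, so look it
        # up once per failure instead of once per resource id.
        whitelist_patterns = config.get_whitelisted_resources(failure.rule)

        # NOTE(security): re.match() anchors only at the START of the string, so a
        # whitelist entry is effectively a prefix pattern -- a pattern that matches
        # "sg-1" also matches "sg-10". Entries meant to exempt a single resource
        # exactly must be written with a terminating "$" (or a full regex), or
        # more resources than intended are silently exempted from the rule.
        whitelisted_resources = {
            resource
            for resource in failure.resource_ids
            if any(re.match(pattern, resource) for pattern in whitelist_patterns)
        }

        # resource_ids is treated as a set here (set difference), as in the original.
        failure.resource_ids = failure.resource_ids - whitelisted_resources
        if failure.resource_ids:
            clean_failures.append(failure)

    result.failed_rules = clean_failures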
def test_stack_to_resource_whitelist_rule_not_in_whitelist(self, mock_rule_to_resource_whitelist):
    """Asking for the resource whitelist of a rule absent from the fixture yields [].

    Per the test name, ``SecurityGroupOpenToWorldRule`` is expected to have no
    entry in ``mock_rule_to_resource_whitelist`` (the fixture itself is not
    visible here); the config must then report an empty whitelist rather than
    raising or returning None.
    """
    rule_names = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    cfg = Config(
        stack_name="test_stack",
        rules=rule_names,
        stack_whitelist={},
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    whitelisted = cfg.get_whitelisted_resources("SecurityGroupOpenToWorldRule")
    assert whitelisted == []
def test_stack_to_resource_whitelist_normal_behavior(self, mock_rule_to_resource_whitelist):
    """The configured resource whitelist is returned verbatim for a listed rule.

    Per the test name, ``RuleThatUsesResourceWhitelists`` has an entry in
    ``mock_rule_to_resource_whitelist`` (fixture not visible here); the
    expected value below pins both the contents and the order returned.
    """
    rule_names = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
    cfg = Config(
        stack_name="test_stack",
        rules=rule_names,
        stack_whitelist={},
        rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
    )

    expected = ["resource_5", "resource_1", "another_resource"]
    whitelisted = cfg.get_whitelisted_resources("RuleThatUsesResourceWhitelists")
    assert whitelisted == expected