def test_resources_filtered_by_type():
generic_resource = {"Logical ID": {"Type": "Resource type", "Properties": {"foo": "bar"}}}
user = {"User": IAMUser()}
model = CFModel(Resources={**generic_resource, **user})
assert model.resources_filtered_by_type(("Resource type",)) == generic_resource
assert model.resources_filtered_by_type(("Resource type", IAMUser)) == {**generic_resource, **user}
assert model.resources_filtered_by_type((IAMUser,)) == user
def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result:
result = Result()
for logical_id, resource in cfmodel.resources_filtered_by_type(("AWS::S3::Bucket",)).items():
if hasattr(resource, "Properties") and resource.Properties.get("AccessControl") == "PublicRead":
self.add_failure_to_result(
result,
self.REASON.format(logical_id),
resource_ids={logical_id},
context={"config": self._config, "extras": extras, "logical_id": logical_id, "resource": resource},
)
return result
def test_complex_metadata_schema():
metadata = {
"Foo": "a_string_value",
"Bar": 1,
"Fizz": ["a", "list"],
"Buzz": {
"another": "dict"
}
}
model = CFModel(Metadata=metadata)
assert model.Metadata == metadata
def model():
return CFModel(
**{
"AWSTemplateFormatVersion": "2012-12-12",
"Description": "JSON string",
"Metadata": {},
"Parameters": {},
"Mappings": {},
"Conditions": {},
"Transform": [],
"Resources": {"Logical ID": {"Type": "Resource type", "Properties": {"foo": "bar"}}},
"Outputs": {},
}
)
def invoke(self,
cfmodel: CFModel,
extras: Optional[Dict] = None) -> Result:
result = Result()
for logical_id, resource in cfmodel.resources_filtered_by_type(
{SecurityGroupIngress}).items():
filters_available_context = {
"config": self._config,
"extras": extras,
"logical_id": logical_id,
"resource": resource,
}
self.analyse_ingress(result, logical_id, resource.Properties,
filters_available_context)
return result
def invoke(self,
cfmodel: CFModel,
extras: Optional[Dict] = None) -> Result:
result = Result()
for logical_id, resource in cfmodel.resources_filtered_by_type(
{SecurityGroup}).items():
list_security_group_ingress = resource.Properties.SecurityGroupIngress
if not isinstance(list_security_group_ingress, list):
list_security_group_ingress = [list_security_group_ingress]
for ingress in list_security_group_ingress:
filters_available_context = {
"config": self._config,
"extras": extras,
"logical_id": logical_id,
"resource": resource,
}
self.analyse_ingress(result, logical_id, ingress,
filters_available_context)
return result
def invoke(self,
cfmodel: CFModel,
extras: Optional[Dict] = None) -> Result:
result = Result()
for logical_id, resource in cfmodel.resources_filtered_by_type(
"AWS::KMS::Key").items():
if not resource.Properties.KeySpec or resource.Properties.KeySpec == "SYMMETRIC_DEFAULT":
if not resource.Properties.EnableKeyRotation or resource.Properties.EnableKeyRotation is False:
self.add_failure_to_result(
result,
self.REASON.format(logical_id),
resource_ids={logical_id},
resource_types={resource.Type},
context={
"config": self._config,
"extras": extras,
"logical_id": logical_id,
"resource": resource,
},
)
return result
def invoke(self,
cfmodel: CFModel,
extras: Optional[Dict] = None) -> Result:
result = Result()
for logical_id, resource in cfmodel.resources_filtered_by_type(
"AWS::EC2::Volume").items():
encrypted_status = getattr(resource.Properties, "Encrypted", None)
if encrypted_status is None or encrypted_status is False:
self.add_failure_to_result(
result,
self.REASON.format(logical_id),
resource_ids={logical_id},
resource_types={resource.Type},
context={
"config": self._config,
"extras": extras,
"logical_id": logical_id,
"resource": resource
},
)
return result
def test_backwards_compatible_metadata():
metadata = {"ADict": {"foo": "bar"}}
model = CFModel(Metadata=metadata)
assert model.Metadata == metadata
def test_transform_handles_string():
transform = "MyMacro"
model = CFModel(Transform=transform)
assert model.Transform == transform
def parse(template):
return CFModel(**template)