Esempio n. 1
    def test_sso_failure(self):
        """Expect FAILED for an SSO inline policy that allows every action.

        The only statement pairs ``Effect: Allow`` with ``Action: ['*']``. Its
        ``Resource`` is the prefix pattern ``abc*``, so the fixture asserts that
        the wildcard action is reported even when the resource is not ``*``.
        """
        # The policy is passed as an already-parsed dict, not as a JSON string.
        allow_all_actions = {'Action': ['*'], 'Effect': 'Allow', 'Resource': 'abc*'}
        policy_document = {'Version': '2012-10-17', 'Statement': [allow_all_actions]}

        # NOTE(review): the two ARN references look like placeholder values
        # (a permission-set ARN as instance_arn, an IAM user name as
        # permission_set_arn); presumably only 'inline_policy' is inspected.
        permission_set_conf = {
            'instance_arn': '${aws_ssoadmin_permission_set.example.arn}',
            'permission_set_arn': '${aws_iam_user.lb.name}',
            'inline_policy': [policy_document],
        }

        outcome = check.scan_entity_conf(
            conf=permission_set_conf,
            entity_type='aws_ssoadmin_permission_set_inline_policy',
        )
        self.assertEqual(CheckResult.FAILED, outcome)
Esempio n. 2
 def test_failure_multiple_statements(self):
     """Expect FAILED when a policy holds a scoped and a wildcard-action statement.

     The first statement allows an explicit list of SQS actions; the second
     allows ``Action: ['*']`` on a single interpolated resource ARN. The
     policy is given as a parsed dict.
     """
     # Explicit action list: presumably not what trips the check on its own.
     sqs_statement = {
         'Sid': 'SqsAllow',
         'Effect': 'Allow',
         'Action': [
             'sqs:GetQueueAttributes', 'sqs:GetQueueUrl',
             'sqs:ListDeadLetterSourceQueues', 'sqs:ListQueues',
             'sqs:ReceiveMessage', 'sqs:SendMessage',
             'sqs:SendMessageBatch'
         ],
         'Resource': '*'
     }
     # Wildcard action placed second, so a check that stopped after the
     # first statement would miss it.
     all_actions_statement = {
         'Sid': 'ALL',
         'Effect': 'Allow',
         'Action': ['*'],
         'Resource': ['${var.my_resource_arn}']
     }
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [{
             'Version': '2012-10-17',
             'Statement': [sqs_statement, all_actions_statement]
         }]
     }
     outcome = check.scan_entity_conf(conf=policy_conf, entity_type='aws_iam_policy')
     self.assertEqual(CheckResult.FAILED, outcome)
Esempio n. 3
 def test_success(self):
     """Expect PASSED for a policy whose only action is ``ec2:Describe*``.

     The action is a service-scoped wildcard rather than a bare ``*``. The
     policy is supplied as a one-line JSON string.
     """
     policy_json = '{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "abc*"}]}'
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [policy_json]
     }
     outcome = check.scan_entity_conf(conf=policy_conf, entity_type='aws_iam_policy')
     self.assertEqual(CheckResult.PASSED, outcome)
 def test_failure_multiple_statements(self):
     """Expect FAILED for a JSON-string policy whose second statement allows ``*``.

     The first statement lists explicit SQS actions; the second allows
     ``Action: ["*"]`` on one interpolated resource ARN.
     """
     # Adjacent literals are joined by the parser into one compact JSON string.
     policy_json = (
         '{"Version":"2012-10-17","Statement":[{"Sid":"SqsAllow","Effect":"Allow","Action":['
         '"sqs:GetQueueAttributes","sqs:GetQueueUrl","sqs:ListDeadLetterSourceQueues",'
         '"sqs:ListQueues","sqs:ReceiveMessage","sqs:SendMessage","sqs:SendMessageBatch"],'
         '"Resource":"*"},{"Sid":"ALL","Effect":"Allow","Action":["*"],"Resource":["${var.my_resource_arn}"]}]}'
     )
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [policy_json]
     }
     # entity_type is omitted in this call.
     # NOTE(review): confirm scan_entity_conf does not require it.
     outcome = check.scan_entity_conf(conf=policy_conf)
     self.assertEqual(CheckResult.FAILED, outcome)
Esempio n. 5
 def test_success(self):
     """Expect PASSED for a multi-line JSON policy limited to ``ec2:Describe*``.

     The policy string carries embedded newlines and the whitespace left by
     the source line continuations, so it also exercises parsing of
     non-compact JSON.
     """
     # The continuation lines are part of the literal; their leading
     # whitespace must stay exactly as written.
     policy_json = '{\n  "Version": "2012-10-17", \n  \
                      "Statement": [\n    {\n      \
                      "Action": [\n        "ec2:Describe*"\n      ],\n      \
                      "Effect": "Allow",\n     \
                       "Resource": "abc*"\n    }\n  ]\n}'
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [policy_json]
     }
     # entity_type is omitted in this call.
     # NOTE(review): confirm scan_entity_conf does not require it.
     outcome = check.scan_entity_conf(conf=policy_conf)
     self.assertEqual(CheckResult.PASSED, outcome)
 def test_failure(self):
     """Expect FAILED for a multi-line JSON policy that allows ``Action: ["*"]``.

     The fixture differs from a passing ``ec2:Describe*`` policy only in the
     action value. The resource stays ``abc*``.
     """
     # The continuation lines are part of the literal; their leading
     # whitespace must stay exactly as written.
     policy_json = '{\n  "Version": "2012-10-17", \n  \
                      "Statement": [\n    {\n      \
                      "Action": [\n        "*"\n      ],\n      \
                      "Effect": "Allow",\n     \
                       "Resource": "abc*"\n    }\n  ]\n}'
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [policy_json]
     }
     outcome = check.scan_entity_conf(conf=policy_conf, entity_type='aws_iam_policy')
     self.assertEqual(CheckResult.FAILED, outcome)
Esempio n. 7
 def test_failure(self):
     """Expect FAILED for a dict policy whose single statement allows ``Action: ['*']``.

     The resource is the prefix pattern ``abc*``, so the wildcard action is
     the only unrestricted element in the statement.
     """
     allow_all_actions = {
         'Action': ['*'],
         'Effect': 'Allow',
         'Resource': 'abc*'
     }
     policy_conf = {
         'name': ['test'],
         'user': ['${aws_iam_user.lb.name}'],
         'policy': [{
             'Version': '2012-10-17',
             'Statement': [allow_all_actions]
         }]
     }
     outcome = check.scan_entity_conf(conf=policy_conf, entity_type='aws_iam_policy')
     self.assertEqual(CheckResult.FAILED, outcome)
Esempio n. 8
 def test_sso_success(self):
     """Expect PASSED for an SSO inline policy limited to ``ec2:Describe*``.

     The inline policy is supplied as a one-line JSON string.
     """
     inline_policy_json = '{"Version": "2012-10-17", "Statement": [{"Action": ["ec2:Describe*"], "Effect": "Allow", "Resource": "abc*"}]}'
     # NOTE(review): the two ARN references look like placeholder values;
     # presumably only 'inline_policy' is inspected.
     permission_set_conf = {
         'instance_arn': '${aws_ssoadmin_permission_set.example.arn}',
         'permission_set_arn': '${aws_iam_user.lb.name}',
         'inline_policy': [inline_policy_json],
     }
     outcome = check.scan_entity_conf(
         conf=permission_set_conf,
         entity_type='aws_ssoadmin_permission_set_inline_policy',
     )
     self.assertEqual(CheckResult.PASSED, outcome)