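    def remove_failures_of_whitelisted_resources(config: Config, result: Result):
        """Drop resource-level failures whose every resource id is whitelisted.

        Mutates ``result.failed_rules`` in place. Failures whose granularity is
        not ``RuleGranularity.RESOURCE`` are kept untouched. For resource-level
        failures, every id in ``failure.resource_ids`` (a set) is tested against
        the regexes returned by ``config.get_whitelisted_resources(failure.rule)``;
        matching ids are removed from the failure and the failure survives only
        if at least one non-whitelisted id remains.

        Args:
            config: Provides the per-rule whitelist regexes.
            result: Scan result whose ``failed_rules`` list is filtered in place.

        Notes:
            Matching uses ``re.match``, which anchors only at the START of the
            resource id: a whitelist entry ``resource_1`` also silences
            ``resource_10``. Whitelist entries should be fully anchored
            (``^...$``) so a finding is not suppressed by accident.
        """
        if not result.failed_rules:
            return

        clean_failures = []

        for failure in result.failed_rules:
            if failure.granularity != RuleGranularity.RESOURCE:
                clean_failures.append(failure)
                continue

            if not failure.resource_ids:
                # NOTE(review): a resource-level failure with no resource ids is
                # dropped from the report, not kept — only this warning remains.
                # Confirm that discarding the finding is the intended behaviour.
                logger.warning(f"Failure with resource granularity doesn't have resources: {failure}")
                continue

            # The whitelist is per rule, not per resource id: look it up once per
            # failure rather than once per resource id as before.
            whitelist_regexes = config.get_whitelisted_resources(failure.rule)
            whitelisted_resources = {
                resource
                for resource in failure.resource_ids
                if any(re.match(regex, resource) for regex in whitelist_regexes)
            }
            failure.resource_ids = failure.resource_ids - whitelisted_resources
            if failure.resource_ids:
                clean_failures.append(failure)

        result.failed_rules = clean_failures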
    def test_stack_to_resource_whitelist_rule_not_in_whitelist(self, mock_rule_to_resource_whitelist):
        """A rule with no entry in the resource whitelist yields an empty list.

        ``mock_rule_to_resource_whitelist`` is a pytest fixture supplying the
        rule -> resource-regex mapping; only the rule that is NOT in it is queried.
        """
        rule_names = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
        cfg = Config(
            stack_name="test_stack",
            rules=rule_names,
            stack_whitelist={},
            rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
        )
        whitelisted = cfg.get_whitelisted_resources("SecurityGroupOpenToWorldRule")
        assert whitelisted == []
    def test_stack_to_resource_whitelist_normal_behavior(self, mock_rule_to_resource_whitelist):
        """A rule present in the resource whitelist returns its configured entries.

        ``mock_rule_to_resource_whitelist`` is a pytest fixture supplying the
        rule -> resource-regex mapping. The comparison is against a list, so the
        order of the returned entries is part of what is asserted.
        """
        rule_names = ["RuleThatUsesResourceWhitelists", "SecurityGroupOpenToWorldRule"]
        cfg = Config(
            stack_name="test_stack",
            rules=rule_names,
            stack_whitelist={},
            rule_to_resource_whitelist=mock_rule_to_resource_whitelist,
        )
        expected = ["resource_5", "resource_1", "another_resource"]
        whitelisted = cfg.get_whitelisted_resources("RuleThatUsesResourceWhitelists")
        assert whitelisted == expected