def test_failure(self):
hcl_res = hcl2.loads("""
resource "aws_docdb_cluster_parameter_group" "test" {
family = "docdb3.6"
name = "test"
description = "docdb cluster parameter group"
parameter {
name = "tls"
value = "disabled"
}
parameter {
name = "other-param"
value = "enabled"
}
}
""")
resource_conf = hcl_res['resource'][0]['aws_docdb_cluster_parameter_group']['test']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure(self):
hcl_res = hcl2.loads("""
resource "azurerm_monitor_log_profile" "example" {
name = "default"
categories = [
"Action"
]
locations = [
"westus",
"global",
]
retention_policy {
enabled = true
days = 7
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_monitor_log_profile'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_success(self):
hcl_res = hcl2.loads("""
resource "azurerm_redis_cache" "example" {
name = "example-cache"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
capacity = 2
family = "C"
sku_name = "Standard"
enable_non_ssl_port = false
minimum_tls_version = "1.2"
public_network_access_enabled = false
redis_configuration {
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_redis_cache'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_module_double_slash_cleanup_string(self):
tf = hcl2.loads("""
resource "helm_release" "test" {
name = "influxdb"
repository = "https://helm.influxdata.com"
chart = "influxdb"
namespace = "influxdb"
set {
name = "ingress.annotations.kubernetes\\.io/ingress\\.class"
value = var.influxdb_ingress_annotations_kubernetes_ingress_class
}
}
""")
non_malformed_definitions = validate_malformed_definitions(tf)
definitions = {
'/mock/path/to.tf': clean_bad_definitions(non_malformed_definitions)
}
module, _ = Parser().parse_hcl_module_from_tf_definitions(definitions, '', 'terraform')
print(module)
self.assertEqual(1, len(module.blocks))
self.assertEqual('ingress.annotations.kubernetes\\.io/ingress\\.class', module.blocks[0].attributes['set.name'])
def test_success_no_volume(self):
hcl_res = hcl2.loads("""
resource "aws_ecs_task_definition" "test" {
family = "service"
container_definitions = file("task-definitions/service.json")
volume {
name = "service-storage"
host_path = "/ecs/service-storage"
}
placement_constraints {
type = "memberOf"
expression = "attribute:ecs.availability-zone in [us-west-2a, us-west-2b]"
}
}
""")
resource_conf = hcl_res['resource'][0]['aws_ecs_task_definition'][
'test']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success(self):
hcl_res = hcl2.loads("""
resource "aws_eks_cluster" "test" {
name = "example"
role_arn = aws_iam_role.example.arn
vpc_config {
subnet_ids = [aws_subnet.example1.id, aws_subnet.example2.id]
}
encryption_config {
resources = ["secrets"]
provider {
key_arn = "test"
}
}
}
""")
resource_conf = hcl_res['resource'][0]['aws_eks_cluster']['test']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success_4(self):
hcl_res = hcl2.loads("""
resource "google_sql_database_instance" "tfer--general-002D-mysql81" {
database_version = "MYSQL_8_0"
name = "general-mysql81"
project = "gcp-bridgecrew-deployment"
region = "us-central1"
settings {
activation_policy = "ALWAYS"
availability_type = "ZONAL"
pricing_plan = "PER_USE"
replication_type = "SYNCHRONOUS"
tier = "db-n1-standard-1"
}
}
""")
resource_conf = hcl_res['resource'][0]['google_sql_database_instance'][
'tfer--general-002D-mysql81']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success(self):
hcl_res = hcl2.loads("""
resource "azurerm_app_service" "example" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
https_only = true
site_config {
dotnet_framework_version = "v5.0"
scm_type = "someValue"
}
identity {
type = "SystemAssigned"
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_app_service'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success(self):
hcl_res = hcl2.loads("""
resource "azurerm_linux_virtual_machine_scale_set" "example" {
name = var.scaleset_name
resource_group_name = var.resource_group.name
location = var.resource_group.location
sku = var.sku
instances = var.instance_count
admin_username = var.admin_username
disable_password_authentication = true
admin_ssh_key {
username = var.admin_username
public_key = tls_private_key.new.public_key_pem
}
tags = var.common_tags
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_linux_virtual_machine_scale_set']['example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_failure(self):
hcl_res = hcl2.loads("""
resource "aws_redshift_parameter_group" "examplea" {
name = var.param_group_name
family = "redshift-1.0"
parameter {
name = "require_ssl"
value = "false"
}
parameter {
name = "enable_user_activity_logging"
value = "true"
}
}
""")
resource_conf = hcl_res['resource'][0]['aws_redshift_parameter_group']['examplea']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure_1(self):
hcl_res = hcl2.loads("""
resource "azurerm_role_definition" "example" {
name = "my-custom-role"
scope = data.azurerm_subscription.primary.id
description = "This is a custom role created via Terraform"
permissions {
actions = ["*"]
not_actions = []
}
assignable_scopes = [
data.azurerm_subscription.primary.id
]
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_role_definition'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure(self):
hcl_res = hcl2.loads("""
resource "aws_cloudfront_distribution" "example" {
origin {
domain_name = aws_s3_bucket.website.bucket_regional_domain_name
origin_id = "${aws_s3_bucket.website.id}-origin"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.website.cloudfront_access_identity_path
}
}
enabled = true
is_ipv6_enabled = true
default_root_object = "index.html"
price_class = var.price_class
tags = var.common_tags
}
""")
resource_conf = hcl_res['resource'][0]['aws_cloudfront_distribution'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def _is_block_signature(self, line_num, line_tokens, entity_context_path):
# Ignore the alias as it is not part of the signature
is_provider = super()._is_block_signature(line_num, line_tokens,
entity_context_path[0:-1])
if not is_provider or '=' in line_tokens or line_tokens[
0] != 'provider':
# The line provider = alias is not a provider block although it has the correct words
# Also skips comments that include words like provider and aws
return False
end_line = self._compute_definition_end_line(line_num)
provider_type = entity_context_path[0]
provider_obj = hcl2.loads("\n".join(
map(
lambda obj: obj[1], self.
file_lines[line_num -
1:end_line if end_line > line_num else line_num]))
)['provider'][0]
alias = provider_obj[provider_type].get('alias', ['default'])
return super()._is_block_signature(line_num, line_tokens + alias,
entity_context_path)
def test_success(self):
hcl_res = hcl2.loads("""
resource "azurerm_sql_server" "example" {
name = "mssqlserver"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
version = "12.0"
administrator_login = "******"
administrator_login_password = "******"
extended_auditing_policy {
storage_endpoint = azurerm_storage_account.example.primary_blob_endpoint
storage_account_access_key = azurerm_storage_account.example.primary_access_key
storage_account_access_key_is_secondary = true
retention_in_days = 90
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_sql_server']['example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_success(self):
hcl_res = hcl2.loads("""
data "aws_iam_policy_document" "example" {
statement {
sid = "1"
effect = "Allow"
actions = [
"s3:*"
]
resources = [
"foo",
]
}
}
""")
resource_conf = hcl_res['data'][0]['aws_iam_policy_document'][
'example']
scan_result = check.scan_data_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)
def test_failure_empty(self):
hcl_res = hcl2.loads("""
resource "azurerm_mariadb_server" "example" {
name = var.server_name
location = var.resource_group.location
resource_group_name = var.resource_group.name
administrator_login = var.admin_login
administrator_login_password = random_string.password.result
sku_name = "B_Gen5_2"
storage_mb = 5120
version = "10.2"
auto_grow_enabled = true
backup_retention_days = 7
public_network_access_enabled = true
#test this i guess
ssl_enforcement_enabled = false
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_mariadb_server']['example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure_2(self):
hcl_res = hcl2.loads("""
resource "azurerm_postgresql_server" "example" {
name = "example-psqlserver"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
administrator_login = "******"
administrator_login_password = "******"
sku_name = "GP_Gen5_4"
version = "9.6"
storage_mb = 640000
backup_retention_days = 7
auto_grow_enabled = true
ssl_enforcement_enabled = true
ssl_minimal_tls_version_enforced = "TLS1_2"
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_postgresql_server'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure(self):
hcl_res = hcl2.loads("""
resource "azurerm_app_service" "example" {
name = "example-app-service"
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
app_service_plan_id = azurerm_app_service_plan.example.id
https_only = true
storage_account {
name = "test_name"
type = "AzureBlob"
account_name ="test_account_name"
share_name = "test_share_name"
access_key = "test_access_key"
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_app_service'][
'example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_failure2(self):
hcl_res = hcl2.loads("""
resource "azurerm_kusto_cluster" "example" {
name = "kustocluster"
location = azurerm_resource_group.rg.location
resource_group_name = azurerm_resource_group.rg.name
double_encryption_enabled = false
sku {
name = "Standard_D13_v2"
capacity = 2
}
tags = {
Environment = "Production"
}
}
""")
resource_conf = hcl_res['resource'][0]['azurerm_kusto_cluster']['example']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.FAILED, scan_result)
def test_success_2(self):
hcl_res = hcl2.loads("""
resource "google_sql_database_instance" "tfer--general-002D-pos121" {
database_version = "POSTGRES_12"
name = "general-pos121"
project = "gcp-bridgecrew-deployment"
region = "us-central1"
settings {
activation_policy = "ALWAYS"
availability_type = "ZONAL"
database_flags {
name = "log_disconnections"
value = "on"
}
database_flags {
name = "log_min_messages"
value = "debug6"
}
database_flags {
name = "log_lock_waits"
value = "on"
}
database_flags {
name = "log_temp_files"
value = "10"
}
database_flags {
name = "log_min_duration_statement"
value = "1"
}
pricing_plan = "PER_USE"
replication_type = "SYNCHRONOUS"
tier = "db-custom-1-3840"
}
}
""")
resource_conf = hcl_res['resource'][0]['google_sql_database_instance'][
'tfer--general-002D-pos121']
scan_result = check.scan_resource_conf(conf=resource_conf)
self.assertEqual(CheckResult.PASSED, scan_result)