From edeccb5e7f3b772e03deb6ac2f34acf4d4d837e7 Mon Sep 17 00:00:00 2001
From: Sreenivas Ganesan
Date: Fri, 22 Nov 2024 15:13:49 -0500
Subject: [PATCH] update TF plan cfn-guard test examples
---
 .../check-s3-tags-present-tests.yaml | 142 ++++++++++++++++++
 .../check-s3-tags-present.guard | 30 ++++
 2 files changed, 172 insertions(+)
 create mode 100644 guard-examples/terraform-infra-related/check-s3-tags-present-tests.yaml
 create mode 100644 guard-examples/terraform-infra-related/check-s3-tags-present.guard
diff --git a/guard-examples/terraform-infra-related/check-s3-tags-present-tests.yaml b/guard-examples/terraform-infra-related/check-s3-tags-present-tests.yaml
new file mode 100644
index 000000000..8107eb514
--- /dev/null
+++ b/guard-examples/terraform-infra-related/check-s3-tags-present-tests.yaml
@@ -0,0 +1,142 @@
+---
+- name: Terraform plan JSON for S3 with non-empty tags - PASS
+ input:
+ {
+ "format_version": "1.1",
+ "terraform_version": "1.2.9",
+ "planned_values": {
+ "root_module": {
+ "resources": [{
+ "address": "aws_s3_bucket.test_my_bucket",
+ "mode": "managed",
+ "type": "aws_s3_bucket",
+ "name": "test_my_bucket",
+ "provider_name": "registry.terraform.io/hashicorp/aws",
+ "schema_version": 0,
+ "values": {
+ "bucket": "my-tf-test-bucket",
+ "bucket_prefix": null,
+ "force_destroy": false,
+ "tags": {
+ "Environment": "Dev",
+ "Name": "My bucket"
+ },
+ "tags_all": {
+ "Environment": "Dev",
+ "Name": "My bucket"
+ },
+ "timeouts": null
+ },
+ "sensitive_values": {
+ "cors_rule": [],
+ "grant": [],
+ "lifecycle_rule": [],
+ "logging": [],
+ "object_lock_configuration": [],
+ "replication_configuration": [],
+ "server_side_encryption_configuration": [],
+ "tags": {},
+ "tags_all": {},
+ "versioning": [],
+ "website": []
+ }
+ }]
+ }
+ }
+ }
+ expectations:
+ rules:
+ assert_all_s3_resources_have_non_empty_tags: PASS
+
+- name: Terraform plan JSON for S3 with empty tags - FAIL
+ input:
+ {
+ "format_version": "1.1",
+ "terraform_version": "1.2.9",
+ "planned_values": {
+ "root_module": {
+ "resources": [{
+ "address": "aws_s3_bucket.test_my_bucket",
+ "mode": "managed",
+ "type": "aws_s3_bucket",
+ "name": "test_my_bucket",
+ "provider_name": "registry.terraform.io/hashicorp/aws",
+ "schema_version": 0,
+ "values": {
+ "bucket": "my-tf-test-bucket",
+ "bucket_prefix": null,
+ "force_destroy": false,
+ "tags": {},
+ "tags_all": {
+ "Environment": "Dev",
+ "Name": "My bucket"
+ },
+ "timeouts": null
+ },
+ "sensitive_values": {
+ "cors_rule": [],
+ "grant": [],
+ "lifecycle_rule": [],
+ "logging": [],
+ "object_lock_configuration": [],
+ "replication_configuration": [],
+ "server_side_encryption_configuration": [],
+ "tags": {},
+ "tags_all": {},
+ "versioning": [],
+ "website": []
+ }
+ }]
+ }
+ }
+ }
+ expectations:
+ rules:
+ assert_all_s3_resources_have_non_empty_tags: FAIL
+
+
+- name: Terraform plan JSON for S3 with null tags - FAIL
+ input:
+ {
+ "format_version": "1.1",
+ "terraform_version": "1.2.9",
+ "planned_values": {
+ "root_module": {
+ "resources": [{
+ "address": "aws_s3_bucket.test_my_bucket",
+ "mode": "managed",
+ "type": "aws_s3_bucket",
+ "name": "test_my_bucket",
+ "provider_name": "registry.terraform.io/hashicorp/aws",
+ "schema_version": 0,
+ "values": {
+ "bucket": "my-tf-test-bucket",
+ "bucket_prefix": null,
+ "force_destroy": false,
+ "tags": null,
+ "tags_all": {
+ "Environment": "Dev",
+ "Name": "My bucket"
+ },
+ "timeouts": null
+ },
+ "sensitive_values": {
+ "cors_rule": [],
+ "grant": [],
+ "lifecycle_rule": [],
+ "logging": [],
+ "object_lock_configuration": [],
+ "replication_configuration": [],
+ "server_side_encryption_configuration": [],
+ "tags": {},
+ "tags_all": {},
+ "versioning": [],
+ "website": []
+ }
+ }]
+ }
+ }
+ }
+ expectations:
+ rules:
+ assert_all_s3_resources_have_non_empty_tags: FAIL
diff --git a/guard-examples/terraform-infra-related/check-s3-tags-present.guard b/guard-examples/terraform-infra-related/check-s3-tags-present.guard
new file mode 100644
index 000000000..65767e00b
--- /dev/null
+++ b/guard-examples/terraform-infra-related/check-s3-tags-present.guard
@@ -0,0 +1,30 @@
+#
+# This will retrieve all the resources of type 'aws_s3_bucket' from the Terraform plan
+# input json. In this case we are using the values from the planned values section
+# of the generated Terraform plan JSON file.
+#
+let s3_bucket = planned_values.root_module.resources[
+ type == 'aws_s3_bucket'
+]
+
+#
+# Here is a sample Terraform template with S3 resource with tags
+# this would PASS the rule assert_all_s3_resources_have_non_empty_tags
+#
+# resource "aws_s3_bucket" "test_my_bucket" {
+# bucket = "my-tf-test-bucket"
+# tags = {
+# Name = "My bucket"
+# Environment = "Dev"
+# }
+# }
+
+
+# This rule will return
+# 1) SKIP if there are no resources that were selected, protected by the guard clause !empty
+# 2) FAIL if any one resource did have empty tags or did not have tags specified at all
+# 3) PASS when ALL resource do have non-empty tags
+#
+rule assert_all_s3_resources_have_non_empty_tags when %s3_bucket !empty {
+ %s3_bucket.values.tags.* != 'null'
+}
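Review bot: The clause `%s3_bucket.values.tags.* != 'null'` compares each tag value against the literal string `'null'`, which is not the check the header comment describes; the FAIL results for `{}` and `null` tags in the companion test file come only from `tags.*` resolving to no values, and a bucket whose real tag value happens to be the string `"null"` would fail for an unrelated reason. `%s3_bucket.values.tags !empty` states the intent directly and should keep the same PASS/FAIL outcomes on the three test cases, though Guard's treatment of a JSON null under `!empty` is worth confirming before swapping it in. Separately, `planned_values.root_module.resources` only selects buckets declared in the root module; buckets created through child modules are never queried, so for such a plan the `when %s3_bucket !empty` guard turns the rule into SKIP rather than FAIL. A comment above the `let`, such as `# NOTE: root_module only; buckets under child_modules are not selected and the rule SKIPs for them`, would keep that scope from surprising whoever adopts this example as a policy gate.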