skip: update autotest for directory

epam · May 29, 2024 · 8db67cd · 8db67cd
1 parent 68a56d0
commit 8db67cd
Show file tree

Hide file tree

Showing 9 changed files with 113 additions and 87 deletions.
diff --git a/auto_policy_testing/green/account/securityhub.tf b/auto_policy_testing/green/account/securityhub.tf
@@ -8,5 +8,4 @@ resource "null_resource" "this" {
     when    = destroy
     command = "aws securityhub disable-security-hub"
   }
-
 }
diff --git a/auto_policy_testing/green/directory/directory.tf b/auto_policy_testing/green/directory/directory.tf
@@ -0,0 +1,40 @@
+
+resource "aws_directory_service_directory" "this" {
+  name     = "${module.naming.resource_prefix.directory}.com"
+  password = "#S1ncerely"
+  size     = "Small"
+
+  vpc_settings {
+    vpc_id = data.terraform_remote_state.common.outputs.vpc_id
+    subnet_ids = [
+      data.terraform_remote_state.common.outputs.vpc_subnet_1_id,
+      data.terraform_remote_state.common.outputs.vpc_subnet_3_id
+    ]
+  }
+}
+
+resource "null_resource" "this" {
+  depends_on = [
+    aws_directory_service_directory.this
+  ]
+  triggers = {
+    sg = aws_directory_service_directory.this.security_group_id
+  }
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+set -e
+
+SECURITY_GROUP_ID=${self.triggers.sg}
+
+RULE_IDS=$(aws ec2 describe-security-group-rules  --filters Name="group-id",Values="$SECURITY_GROUP_ID" --query 'SecurityGroupRules[?CidrIpv4==`0.0.0.0/0` && IsEgress==`false`]'.SecurityGroupRuleId --output text)
+
+for RULE_ID in $RULE_IDS
+do
+    OLD_RULE=$(aws ec2 describe-security-group-rules --security-group-rule-ids  $RULE_ID --output json --query "SecurityGroupRules[0].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CidrIpv4:CidrIpv4}")
+    UPD_RULE=$(echo $OLD_RULE | sed 's|"0.0.0.0/0"|"10.0.2.0/24"|g')
+    aws ec2 modify-security-group-rules --group-id $SECURITY_GROUP_ID --security-group-rules "[{\"SecurityGroupRuleId\": \"$RULE_ID\",\"SecurityGroupRule\": $UPD_RULE}]"
+done
+EOF
+  }
+}
diff --git a/auto_policy_testing/green/directory/main.tf b/auto_policy_testing/green/directory/main.tf
@@ -0,0 +1,13 @@
+module "naming" {
+  source        = "../../shared_tf_modules/naming"
+  resource_type = basename(abspath(path.module))
+  status        = title(basename(dirname(abspath(path.module))))
+}
+
+data "terraform_remote_state" "common" {
+  backend = "local"
+
+  config = {
+    path = "../common_resources/terraform.tfstate"
+  }
+}
diff --git a/auto_policy_testing/green/directory/outputs.tf b/auto_policy_testing/green/directory/outputs.tf
@@ -0,0 +1,5 @@
+output "directory" {
+  value = {
+    directory = aws_directory_service_directory.this.id
+  }
+}
diff --git a/auto_policy_testing/green/directory/provider.tf b/auto_policy_testing/green/directory/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = module.naming.default_tags
+  }
+}
+
+provider "aws" {
+  region = var.region
+  alias  = "provider2"
+}
diff --git a/auto_policy_testing/green/directory/variables.tf b/auto_policy_testing/green/directory/variables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+  type        = string
+  description = "Region where resources will be created"
+  default     = "us-east-1"
+}
diff --git a/auto_policy_testing/red/directory/directory.tf b/auto_policy_testing/red/directory/directory.tf
@@ -12,61 +12,3 @@ resource "aws_directory_service_directory" "this" {
     ]
   }
 }
-
-
-# # ecc-aws-147-ebs_volume_without_encrypt
-# # ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1
-# resource "aws_ebs_volume" "this" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "io1"
-#   iops              = 100
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ebs_volume}"
-#   }
-# }
-
-
-# # ecc-aws-076-ebs_snapshots_not_publicly_restorable
-# # ecc-aws-326-ebs_volume_encrypted_with_kms_cmk
-# # ecc-aws-328-unused_ebs_volumes
-# # ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2
-# # ecc-aws-379-ebs_snapshot_without_tag_information
-# # ecc-aws-378-ebs_without_tag_information
-# resource "aws_ebs_volume" "default_volume" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "gp2"
-#   provider          = aws.provider2
-# }
-
-# resource "aws_ebs_snapshot" "this" {
-#   volume_id = aws_ebs_volume.default_volume.id
-#   provider  = aws.provider2
-# }
-
-# resource "null_resource" "this" {
-#   provisioner "local-exec" {
-#     command     = "aws ec2 modify-snapshot-attribute --snapshot-id ${aws_ebs_snapshot.this.id} --attribute createVolumePermission --operation-type add  --group-names all"
-#     interpreter = ["/bin/bash", "-c"]
-#   }
-#   depends_on = [aws_ebs_snapshot.this]
-# }
-
-
-# # ecc-aws-575-ebs_volumes_attached_to_stopped_ec2_instances
-# resource "aws_instance" "this" {
-#   ami           = data.aws_ami.this.id
-#   instance_type = "t2.micro"
-#   subnet_id     = data.aws_subnets.this.ids[0]
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ec2_instance}"
-#   }
-# }
-
-# resource "aws_ec2_instance_state" "this" {
-#   instance_id = aws_instance.this.id
-#   state       = "stopped"
-# }
diff --git a/auto_policy_testing/scripts/iam_role_aws.py b/auto_policy_testing/scripts/iam_role_aws.py
@@ -20,19 +20,21 @@ def check_role_exists(readonly_role_name_color):
     return role_exists
 
 
-def check_policy_exists(readonly_role_name, policy_name):
+def check_policy_exists(role_name, policy_name):
     client = boto3.client('iam')
     try:
-        response = client.get_role_policy(RoleName=readonly_role_name, PolicyName=policy_name)
+        response = client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
         policy_exists = True
     except client.exceptions.NoSuchEntityException:
         policy_exists = False
     return policy_exists
 
 
-def create_delete_readonly_role_aws(create=False, delete=False, color = ''):
-    role_id = random.randint(100, 999)
-    readonly_role_name_color = f"{readonly_role_name}_{color}_{role_id}"
+def create_delete_readonly_role_aws(create=False, delete=False, color='', role_name=None):
+    if create:
+        role_id = random.randint(1000, 9999)
+        role_name = f"{readonly_role_name}_{color}_{role_id}"
+
     sts = boto3.client("sts")
     account_id = sts.get_caller_identity()["Account"]
     client = boto3.client('iam')
@@ -49,49 +51,49 @@ def create_delete_readonly_role_aws(create=False, delete=False, color = ''):
                 }
             ]
         }
-        if not check_role_exists(readonly_role_name_color):
+        if not check_role_exists(role_name):
             try:
                 role = client.create_role(
-                    RoleName=readonly_role_name_color, AssumeRolePolicyDocument=json.dumps(trust_policy)
+                    RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy)
                 )
-                print(f"Created role {readonly_role_name_color}.")
+                print(f"Created role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't create role {readonly_role_name_color}.")
+                print(f"Couldn't create role {role_name}.")
                 raise
             else:
-                return role
+                return role.get("Role", {})
         else:
             try:
                 role = client.update_assume_role_policy(
-                    RoleName=readonly_role_name_color, PolicyDocument=json.dumps(trust_policy)
+                    RoleName=role_name, PolicyDocument=json.dumps(trust_policy)
                 )
-                print(f"Updated trust policy for role {readonly_role_name_color}.")
+                print(f"Updated trust policy for role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't update trust policy for role {readonly_role_name_color}.")
+                print(f"Couldn't update trust policy for role {role_name}.")
                 raise
             else:
-                return role
+                return role.get("Role", {})
     elif delete:
-        if check_role_exists(readonly_role_name_color):
+        if check_role_exists(role_name):
             try:
-                if check_policy_exists(readonly_role_name_color, policy_name):
-                    client.delete_role_policy(RoleName=readonly_role_name_color, PolicyName=policy_name)
-                client.delete_role(RoleName=readonly_role_name_color)
-                print(f"Deleted role {readonly_role_name_color}.")
+                if check_policy_exists(role_name, policy_name):
+                    client.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
+                client.delete_role(RoleName=role_name)
+                print(f"Deleted role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't delete role {readonly_role_name_color}.")
+                print(f"Couldn't delete role {role_name}.")
                 raise
 
 
-def set_readonly_role_permissions_aws(resource, readonly_role_name):
+def set_readonly_role_permissions_aws(resource, role_name):
     root_path = Path(os.getcwd()).parents[1]
     iam_path = os.path.join(root_path, 'auto_policy_testing', 'iam', resource + '.json')
     with open(iam_path, 'r') as f:
         inline_policy = json.load(f)
 
     client = boto3.client('iam')
     response = client.put_role_policy(
-        RoleName=readonly_role_name,
+        RoleName=role_name,
         PolicyName=policy_name,
         PolicyDocument=json.dumps(inline_policy)
     )
diff --git a/auto_policy_testing/scripts/main.py b/auto_policy_testing/scripts/main.py
@@ -49,7 +49,7 @@ def main():
         for resource in resource_priority_list:
             path = os.path.join(RULEPACK_TESTING_PATH, args.infra_color, resource)
             if args.cloud == "AWS" and args.sa:
-                iam_role_aws.set_readonly_role_permissions_aws(resource, role.get("Role", {}).get("RoleName", None))
+                iam_role_aws.set_readonly_role_permissions_aws(resource, role.get("RoleName", None))
             tf_up_subprocess_result, tf_up_error = tf_up(resource, path, args.cloud, args.infra_color)
             if tf_up_subprocess_result:
                 print("\nScan resources\n")
@@ -71,22 +71,22 @@ def main():
                     sys.exit(1)
             else:
                 print("Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error)
-                tf_failed[resource] = "Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error
+                tf_failed[str(resource)+"_up"] = "Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error
 
             tf_down_subprocess_result, tf_down_error = tf_down(resource, path, args.cloud, args.infra_color)
             if not tf_down_subprocess_result:
                 print("Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error)
-                tf_failed[resource] = "Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error
+                tf_failed[str(resource)+"_down"] = "Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error
     else:
         print("Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error)
-        tf_failed['common_resources'] = "Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error
+        tf_failed['common_resources'+"_up"] = "Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error
 
     tf_down_common_subprocess_result, tf_down_common_error = common_tf_down(RULEPACK_TESTING_PATH, args.infra_color)
 
     if not tf_down_common_subprocess_result:
         print("Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error)
         tf_failed[
-            'common_resources'] = "Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error
+            'common_resources'+"_down"] = "Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error
 
     if tf_up_subprocess_result:
         report.create_report(
@@ -95,7 +95,7 @@ def main():
             cloud=args.cloud)
 
     if args.cloud == "AWS" and args.sa:
-        iam_role_aws.create_delete_readonly_role_aws(delete=True, color=args.infra_color)
+        iam_role_aws.create_delete_readonly_role_aws(delete=True, color=args.infra_color, role_name=role.get("RoleName", None))
 
     with open(os.path.join(OUTPUT_DIR, '.tf_failed'), "w") as failed_file:
         for item, description in tf_failed.items():
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,5 +8,4 @@ resource "null_resource" "this" { @@
         when    = destroy
         command = "aws securityhub disable-security-hub"
       }
     }