skip: update autotest for directory

.github/workflows/tf_testing.yml

@@ -22,7 +22,7 @@ env:
   CORE_TESTING_FOLDER: ${{ github.workspace }}
   OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
   AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
-  resource_priority_list: 'fsx'
+  resource_priority_list: 'directory'
   RED: '\033[0;31m'
 
 jobs:

auto_policy_testing/green/account/securityhub.tf

@@ -8,5 +8,4 @@ resource "null_resource" "this" {
     when    = destroy
     command = "aws securityhub disable-security-hub"
   }
-
 }

auto_policy_testing/green/cloudtrail/cloudtrail.tf

@@ -1,5 +1,5 @@
 resource "aws_cloudtrail" "this" {
-  name                          = "${module.naming.resource_prefix.cloud_trail}"
+  name                          = "${module.naming.resource_prefix.trail}"
   s3_bucket_name                = aws_s3_bucket.this.id
   cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.this.arn}:*"
   cloud_watch_logs_role_arn     = aws_iam_role.this.arn
@@ -42,60 +42,5 @@ resource "aws_s3_bucket_policy" "this" {
 }
 
 resource "aws_cloudwatch_log_group" "this" {
-  name = "${module.naming.resource_prefix.cloud_trail}"
-}
-
-resource "aws_cloudwatch_log_stream" "this" {
-  name           = "${module.naming.resource_prefix.cloud_trail}"
-  log_group_name = aws_cloudwatch_log_group.this.name
-}
-
-resource "aws_iam_role" "this" {
-  name               = "${module.naming.resource_prefix.cloud_trail}"
-  assume_role_policy = <<-POLICY
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "Service": "cloudtrail.amazonaws.com"
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }
-    POLICY
-}
-
-resource "aws_iam_role_policy" "this" {
-  name   = "${module.naming.resource_prefix.cloud_trail}"
-  role   = aws_iam_role.this.id
-  policy = <<-POLICY
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "AWSCloudTrailCreateLogStream2014110",
-        "Effect": "Allow",
-        "Action": [
-          "logs:CreateLogStream"
-        ],
-        "Resource": [
-          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
-        ]
-      },
-      {
-        "Sid": "AWSCloudTrailPutLogEvents20141101",
-        "Effect": "Allow",
-        "Action": [
-          "logs:PutLogEvents"
-        ],
-        "Resource": [
-          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
-        ]
-      }
-    ]
-  }
-  POLICY
+  name = "${module.naming.resource_prefix.cw_log_group}"
 }

auto_policy_testing/green/cloudtrail/iam.tf

@@ -0,0 +1,49 @@
+resource "aws_iam_role" "this" {
+  name               = "${module.naming.resource_prefix.iam_role}"
+  assume_role_policy = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    POLICY
+}
+
+resource "aws_iam_role_policy" "this" {
+  name   = "${module.naming.resource_prefix.iam_policy}"
+  role   = aws_iam_role.this.id
+  policy = <<-POLICY
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AWSCloudTrailCreateLogStream2014110",
+        "Effect": "Allow",
+        "Action": [
+          "logs:CreateLogStream"
+        ],
+        "Resource": [
+          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
+        ]
+      },
+      {
+        "Sid": "AWSCloudTrailPutLogEvents20141101",
+        "Effect": "Allow",
+        "Action": [
+          "logs:PutLogEvents"
+        ],
+        "Resource": [
+          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
+        ]
+      }
+    ]
+  }
+  POLICY
+}

auto_policy_testing/green/common_resources/waf.tf

@@ -1,5 +1,5 @@
 resource "aws_wafregional_ipset" "this" {
-  name =  module.naming.resource_prefix.waf_ip_set
+  name = module.naming.resource_prefix.waf_ip_set
 
   ip_set_descriptor {
     type  = "IPV4"
@@ -19,7 +19,7 @@ resource "aws_wafregional_rule" "this" {
 }
 
 resource "aws_wafregional_web_acl" "this" {
-  name        = "${module.naming.resource_prefix.waf_acl}"
+  name        = module.naming.resource_prefix.waf_acl
   metric_name = "WafACLMetricGreen"
 
   default_action {

auto_policy_testing/green/directory/ba.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+SECURITY_GROUP_ID="sg-06309cf09c4be9423"
+
+RULE_IDS=$(aws ec2 describe-security-group-rules  --filters Name="group-id",Values="$SECURITY_GROUP_ID" --query 'SecurityGroupRules[?CidrIpv4==`0.0.0.0/0` && IsEgress==`false`]'.SecurityGroupRuleId --output text)
+
+for RULE_ID in $RULE_IDS
+do
+    OLD_RULE=$(aws ec2 describe-security-group-rules --security-group-rule-ids  $RULE_ID --output json --query "SecurityGroupRules[0].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CidrIpv4:CidrIpv4}")
+    UPD_RULE=$(echo $OLD_RULE | sed 's|"0.0.0.0/0"|"10.0.2.0/24"|g')
+    aws ec2 modify-security-group-rules --group-id $SECURITY_GROUP_ID --security-group-rules "[{\"SecurityGroupRuleId\": \"$RULE_ID\",\"SecurityGroupRule\": $UPD_RULE}]"
+done

auto_policy_testing/green/directory/directory.tf

@@ -0,0 +1,40 @@
+
+resource "aws_directory_service_directory" "this" {
+  name     = "${module.naming.resource_prefix.directory}.com"
+  password = "#S1ncerely"
+  size     = "Small"
+
+  vpc_settings {
+    vpc_id = data.terraform_remote_state.common.outputs.vpc_id
+    subnet_ids = [
+      data.terraform_remote_state.common.outputs.vpc_subnet_1_id,
+      data.terraform_remote_state.common.outputs.vpc_subnet_3_id
+    ]
+  }
+}
+
+resource "null_resource" "this" {
+  depends_on = [
+    aws_directory_service_directory.this
+  ]
+  triggers = {
+    sg = aws_directory_service_directory.this.security_group_id
+  }
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+set -e
+
+SECURITY_GROUP_ID=${self.triggers.sg}
+
+RULE_IDS=$(aws ec2 describe-security-group-rules  --filters Name="group-id",Values="$SECURITY_GROUP_ID" --query 'SecurityGroupRules[?CidrIpv4==`0.0.0.0/0` && IsEgress==`false`]'.SecurityGroupRuleId --output text)
+
+for RULE_ID in $RULE_IDS
+do
+    OLD_RULE=$(aws ec2 describe-security-group-rules --security-group-rule-ids  $RULE_ID --output json --query "SecurityGroupRules[0].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CidrIpv4:CidrIpv4}")
+    UPD_RULE=$(echo $OLD_RULE | sed 's|"0.0.0.0/0"|"10.0.2.0/24"|g')
+    aws ec2 modify-security-group-rules --group-id $SECURITY_GROUP_ID --security-group-rules "[{\"SecurityGroupRuleId\": \"$RULE_ID\",\"SecurityGroupRule\": $UPD_RULE}]"
+done
+EOF
+  }
+}

auto_policy_testing/green/directory/main.tf

@@ -0,0 +1,13 @@
+module "naming" {
+  source        = "../../shared_tf_modules/naming"
+  resource_type = basename(abspath(path.module))
+  status        = title(basename(dirname(abspath(path.module))))
+}
+
+data "terraform_remote_state" "common" {
+  backend = "local"
+
+  config = {
+    path = "../common_resources/terraform.tfstate"
+  }
+}

auto_policy_testing/green/directory/outputs.tf

@@ -0,0 +1,5 @@
+output "directory" {
+  value = {
+    directory = aws_directory_service_directory.this.id
+  }
+}

auto_policy_testing/green/directory/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = module.naming.default_tags
+  }
+}
+
+provider "aws" {
+  region = var.region
+  alias  = "provider2"
+}

auto_policy_testing/green/directory/variables.tf

@@ -0,0 +1,5 @@
+variable "region" {
+  type        = string
+  description = "Region where resources will be created"
+  default     = "us-east-1"
+}

auto_policy_testing/red/directory/directory.tf

@@ -12,61 +12,3 @@ resource "aws_directory_service_directory" "this" {
     ]
   }
 }
-
-
-# # ecc-aws-147-ebs_volume_without_encrypt
-# # ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1
-# resource "aws_ebs_volume" "this" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "io1"
-#   iops              = 100
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ebs_volume}"
-#   }
-# }
-
-
-# # ecc-aws-076-ebs_snapshots_not_publicly_restorable
-# # ecc-aws-326-ebs_volume_encrypted_with_kms_cmk
-# # ecc-aws-328-unused_ebs_volumes
-# # ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2
-# # ecc-aws-379-ebs_snapshot_without_tag_information
-# # ecc-aws-378-ebs_without_tag_information
-# resource "aws_ebs_volume" "default_volume" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "gp2"
-#   provider          = aws.provider2
-# }
-
-# resource "aws_ebs_snapshot" "this" {
-#   volume_id = aws_ebs_volume.default_volume.id
-#   provider  = aws.provider2
-# }
-
-# resource "null_resource" "this" {
-#   provisioner "local-exec" {
-#     command     = "aws ec2 modify-snapshot-attribute --snapshot-id ${aws_ebs_snapshot.this.id} --attribute createVolumePermission --operation-type add  --group-names all"
-#     interpreter = ["/bin/bash", "-c"]
-#   }
-#   depends_on = [aws_ebs_snapshot.this]
-# }
-
-
-# # ecc-aws-575-ebs_volumes_attached_to_stopped_ec2_instances
-# resource "aws_instance" "this" {
-#   ami           = data.aws_ami.this.id
-#   instance_type = "t2.micro"
-#   subnet_id     = data.aws_subnets.this.ids[0]
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ec2_instance}"
-#   }
-# }
-
-# resource "aws_ec2_instance_state" "this" {
-#   instance_id = aws_instance.this.id
-#   state       = "stopped"
-# }