From d8faca2b9833650caa860051197e0b21faaef1b8 Mon Sep 17 00:00:00 2001
From: Anna Shcherbak <Anna_Shcherbak@epam.com>
Date: Wed, 29 May 2024 21:41:57 +0300
Subject: [PATCH] skip: update autotest for directory

---
 .github/workflows/tf_testing.yml              |  2 +-
 .../green/account/securityhub.tf              |  1 -
 .../green/cloudtrail/cloudtrail.tf            | 59 +------------------
 auto_policy_testing/green/cloudtrail/iam.tf   | 49 +++++++++++++++
 .../green/common_resources/waf.tf             |  4 +-
 auto_policy_testing/green/directory/ba.sh     | 13 ++++
 .../green/directory/directory.tf              | 40 +++++++++++++
 auto_policy_testing/green/directory/main.tf   | 13 ++++
 .../green/directory/outputs.tf                |  5 ++
 .../green/directory/provider.tf               | 20 +++++++
 .../green/directory/variables.tf              |  5 ++
 .../red/directory/directory.tf                | 58 ------------------
 auto_policy_testing/scripts/iam_role_aws.py   | 46 ++++++++-------
 auto_policy_testing/scripts/main.py           | 12 ++--
 14 files changed, 180 insertions(+), 147 deletions(-)
 create mode 100644 auto_policy_testing/green/cloudtrail/iam.tf
 create mode 100755 auto_policy_testing/green/directory/ba.sh
 create mode 100644 auto_policy_testing/green/directory/directory.tf
 create mode 100644 auto_policy_testing/green/directory/main.tf
 create mode 100644 auto_policy_testing/green/directory/outputs.tf
 create mode 100644 auto_policy_testing/green/directory/provider.tf
 create mode 100644 auto_policy_testing/green/directory/variables.tf

diff --git a/.github/workflows/tf_testing.yml b/.github/workflows/tf_testing.yml
index d540139e1..dd3d048f9 100644
--- a/.github/workflows/tf_testing.yml
+++ b/.github/workflows/tf_testing.yml
@@ -22,7 +22,7 @@ env:
   CORE_TESTING_FOLDER: ${{ github.workspace }}
   OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
   AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
-  resource_priority_list: 'fsx'
+  resource_priority_list: 'directory'
   RED: '\033[0;31m'
 
 jobs:
diff --git a/auto_policy_testing/green/account/securityhub.tf b/auto_policy_testing/green/account/securityhub.tf
index af490fd72..fc41fa2a0 100644
--- a/auto_policy_testing/green/account/securityhub.tf
+++ b/auto_policy_testing/green/account/securityhub.tf
@@ -8,5 +8,4 @@ resource "null_resource" "this" {
     when    = destroy
     command = "aws securityhub disable-security-hub"
   }
-
 }
\ No newline at end of file
diff --git a/auto_policy_testing/green/cloudtrail/cloudtrail.tf b/auto_policy_testing/green/cloudtrail/cloudtrail.tf
index 0b34c3e88..c98b1c59b 100644
--- a/auto_policy_testing/green/cloudtrail/cloudtrail.tf
+++ b/auto_policy_testing/green/cloudtrail/cloudtrail.tf
@@ -1,5 +1,5 @@
 resource "aws_cloudtrail" "this" {
-  name                          = "${module.naming.resource_prefix.cloud_trail}"
+  name                          = "${module.naming.resource_prefix.trail}"
   s3_bucket_name                = aws_s3_bucket.this.id
   cloud_watch_logs_group_arn    = "${aws_cloudwatch_log_group.this.arn}:*"
   cloud_watch_logs_role_arn     = aws_iam_role.this.arn
@@ -42,60 +42,5 @@ resource "aws_s3_bucket_policy" "this" {
 }
 
 resource "aws_cloudwatch_log_group" "this" {
-  name = "${module.naming.resource_prefix.cloud_trail}"
-}
-
-resource "aws_cloudwatch_log_stream" "this" {
-  name           = "${module.naming.resource_prefix.cloud_trail}"
-  log_group_name = aws_cloudwatch_log_group.this.name
-}
-
-resource "aws_iam_role" "this" {
-  name               = "${module.naming.resource_prefix.cloud_trail}"
-  assume_role_policy = <<-POLICY
-    {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "Service": "cloudtrail.amazonaws.com"
-          },
-          "Action": "sts:AssumeRole"
-        }
-      ]
-    }
-    POLICY
-}
-
-resource "aws_iam_role_policy" "this" {
-  name   = "${module.naming.resource_prefix.cloud_trail}"
-  role   = aws_iam_role.this.id
-  policy = <<-POLICY
-  {
-    "Version": "2012-10-17",
-    "Statement": [
-      {
-        "Sid": "AWSCloudTrailCreateLogStream2014110",
-        "Effect": "Allow",
-        "Action": [
-          "logs:CreateLogStream"
-        ],
-        "Resource": [
-          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
-        ]
-      },
-      {
-        "Sid": "AWSCloudTrailPutLogEvents20141101",
-        "Effect": "Allow",
-        "Action": [
-          "logs:PutLogEvents"
-        ],
-        "Resource": [
-          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
-        ]
-      }
-    ]
-  }
-  POLICY
+  name = "${module.naming.resource_prefix.cw_log_group}"
 }
diff --git a/auto_policy_testing/green/cloudtrail/iam.tf b/auto_policy_testing/green/cloudtrail/iam.tf
new file mode 100644
index 000000000..48719e2de
--- /dev/null
+++ b/auto_policy_testing/green/cloudtrail/iam.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_role" "this" {
+  name               = "${module.naming.resource_prefix.iam_role}"
+  assume_role_policy = <<-POLICY
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "cloudtrail.amazonaws.com"
+          },
+          "Action": "sts:AssumeRole"
+        }
+      ]
+    }
+    POLICY
+}
+
+resource "aws_iam_role_policy" "this" {
+  name   = "${module.naming.resource_prefix.iam_policy}"
+  role   = aws_iam_role.this.id
+  policy = <<-POLICY
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AWSCloudTrailCreateLogStream2014110",
+        "Effect": "Allow",
+        "Action": [
+          "logs:CreateLogStream"
+        ],
+        "Resource": [
+          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
+        ]
+      },
+      {
+        "Sid": "AWSCloudTrailPutLogEvents20141101",
+        "Effect": "Allow",
+        "Action": [
+          "logs:PutLogEvents"
+        ],
+        "Resource": [
+          "arn:aws:logs:${var.region}:${data.aws_caller_identity.this.account_id}:log-group:${aws_cloudwatch_log_group.this.name}:log-stream:*"
+        ]
+      }
+    ]
+  }
+  POLICY
+}
diff --git a/auto_policy_testing/green/common_resources/waf.tf b/auto_policy_testing/green/common_resources/waf.tf
index a69798a74..958599bff 100644
--- a/auto_policy_testing/green/common_resources/waf.tf
+++ b/auto_policy_testing/green/common_resources/waf.tf
@@ -1,5 +1,5 @@
 resource "aws_wafregional_ipset" "this" {
-  name =  module.naming.resource_prefix.waf_ip_set
+  name = module.naming.resource_prefix.waf_ip_set
 
   ip_set_descriptor {
     type  = "IPV4"
@@ -19,7 +19,7 @@ resource "aws_wafregional_rule" "this" {
 }
 
 resource "aws_wafregional_web_acl" "this" {
-  name        = "${module.naming.resource_prefix.waf_acl}"
+  name        = module.naming.resource_prefix.waf_acl
   metric_name = "WafACLMetricGreen"
 
   default_action {
diff --git a/auto_policy_testing/green/directory/ba.sh b/auto_policy_testing/green/directory/ba.sh
new file mode 100755
index 000000000..b69f317fa
--- /dev/null
+++ b/auto_policy_testing/green/directory/ba.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+SECURITY_GROUP_ID="sg-06309cf09c4be9423"
+
+RULE_IDS=$(aws ec2 describe-security-group-rules  --filters Name="group-id",Values="$SECURITY_GROUP_ID" --query 'SecurityGroupRules[?CidrIpv4==`0.0.0.0/0` && IsEgress==`false`]'.SecurityGroupRuleId --output text)
+
+for RULE_ID in $RULE_IDS
+do
+    OLD_RULE=$(aws ec2 describe-security-group-rules --security-group-rule-ids  $RULE_ID --output json --query "SecurityGroupRules[0].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CidrIpv4:CidrIpv4}")
+    UPD_RULE=$(echo $OLD_RULE | sed 's|"0.0.0.0/0"|"10.0.2.0/24"|g')
+    aws ec2 modify-security-group-rules --group-id $SECURITY_GROUP_ID --security-group-rules "[{\"SecurityGroupRuleId\": \"$RULE_ID\",\"SecurityGroupRule\": $UPD_RULE}]"
+done
\ No newline at end of file
diff --git a/auto_policy_testing/green/directory/directory.tf b/auto_policy_testing/green/directory/directory.tf
new file mode 100644
index 000000000..f5e025c7d
--- /dev/null
+++ b/auto_policy_testing/green/directory/directory.tf
@@ -0,0 +1,40 @@
+
+resource "aws_directory_service_directory" "this" {
+  name     = "${module.naming.resource_prefix.directory}.com"
+  password = "#S1ncerely"
+  size     = "Small"
+
+  vpc_settings {
+    vpc_id = data.terraform_remote_state.common.outputs.vpc_id
+    subnet_ids = [
+      data.terraform_remote_state.common.outputs.vpc_subnet_1_id,
+      data.terraform_remote_state.common.outputs.vpc_subnet_3_id
+    ]
+  }
+}
+
+resource "null_resource" "this" {
+  depends_on = [
+    aws_directory_service_directory.this
+  ]
+  triggers = {
+    sg = aws_directory_service_directory.this.security_group_id
+  }
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+set -e
+
+SECURITY_GROUP_ID=${self.triggers.sg}
+
+RULE_IDS=$(aws ec2 describe-security-group-rules  --filters Name="group-id",Values="$SECURITY_GROUP_ID" --query 'SecurityGroupRules[?CidrIpv4==`0.0.0.0/0` && IsEgress==`false`]'.SecurityGroupRuleId --output text)
+
+for RULE_ID in $RULE_IDS
+do
+    OLD_RULE=$(aws ec2 describe-security-group-rules --security-group-rule-ids  $RULE_ID --output json --query "SecurityGroupRules[0].{IpProtocol:IpProtocol,FromPort:FromPort,ToPort:ToPort,CidrIpv4:CidrIpv4}")
+    UPD_RULE=$(echo $OLD_RULE | sed 's|"0.0.0.0/0"|"10.0.2.0/24"|g')
+    aws ec2 modify-security-group-rules --group-id $SECURITY_GROUP_ID --security-group-rules "[{\"SecurityGroupRuleId\": \"$RULE_ID\",\"SecurityGroupRule\": $UPD_RULE}]"
+done
+EOF
+  }
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/directory/main.tf b/auto_policy_testing/green/directory/main.tf
new file mode 100644
index 000000000..4fba53b14
--- /dev/null
+++ b/auto_policy_testing/green/directory/main.tf
@@ -0,0 +1,13 @@
+module "naming" {
+  source        = "../../shared_tf_modules/naming"
+  resource_type = basename(abspath(path.module))
+  status        = title(basename(dirname(abspath(path.module))))
+}
+
+data "terraform_remote_state" "common" {
+  backend = "local"
+
+  config = {
+    path = "../common_resources/terraform.tfstate"
+  }
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/directory/outputs.tf b/auto_policy_testing/green/directory/outputs.tf
new file mode 100644
index 000000000..bbef467fd
--- /dev/null
+++ b/auto_policy_testing/green/directory/outputs.tf
@@ -0,0 +1,5 @@
+output "directory" {
+  value = {
+    directory = aws_directory_service_directory.this.id
+  }
+}
diff --git a/auto_policy_testing/green/directory/provider.tf b/auto_policy_testing/green/directory/provider.tf
new file mode 100644
index 000000000..e9c3ea28f
--- /dev/null
+++ b/auto_policy_testing/green/directory/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+  default_tags {
+    tags = module.naming.default_tags
+  }
+}
+
+provider "aws" {
+  region = var.region
+  alias  = "provider2"
+}
diff --git a/auto_policy_testing/green/directory/variables.tf b/auto_policy_testing/green/directory/variables.tf
new file mode 100644
index 000000000..2bd4793c8
--- /dev/null
+++ b/auto_policy_testing/green/directory/variables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+  type        = string
+  description = "Region where resources will be created"
+  default     = "us-east-1"
+}
diff --git a/auto_policy_testing/red/directory/directory.tf b/auto_policy_testing/red/directory/directory.tf
index 25f858cf9..ef7b8360e 100644
--- a/auto_policy_testing/red/directory/directory.tf
+++ b/auto_policy_testing/red/directory/directory.tf
@@ -12,61 +12,3 @@ resource "aws_directory_service_directory" "this" {
     ]
   }
 }
-
-
-# # ecc-aws-147-ebs_volume_without_encrypt
-# # ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1
-# resource "aws_ebs_volume" "this" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "io1"
-#   iops              = 100
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ebs_volume}"
-#   }
-# }
-
-
-# # ecc-aws-076-ebs_snapshots_not_publicly_restorable
-# # ecc-aws-326-ebs_volume_encrypted_with_kms_cmk
-# # ecc-aws-328-unused_ebs_volumes
-# # ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2
-# # ecc-aws-379-ebs_snapshot_without_tag_information
-# # ecc-aws-378-ebs_without_tag_information
-# resource "aws_ebs_volume" "default_volume" {
-#   availability_zone = data.aws_availability_zones.this.names[0]
-#   size              = 8
-#   type              = "gp2"
-#   provider          = aws.provider2
-# }
-
-# resource "aws_ebs_snapshot" "this" {
-#   volume_id = aws_ebs_volume.default_volume.id
-#   provider  = aws.provider2
-# }
-
-# resource "null_resource" "this" {
-#   provisioner "local-exec" {
-#     command     = "aws ec2 modify-snapshot-attribute --snapshot-id ${aws_ebs_snapshot.this.id} --attribute createVolumePermission --operation-type add  --group-names all"
-#     interpreter = ["/bin/bash", "-c"]
-#   }
-#   depends_on = [aws_ebs_snapshot.this]
-# }
-
-
-# # ecc-aws-575-ebs_volumes_attached_to_stopped_ec2_instances
-# resource "aws_instance" "this" {
-#   ami           = data.aws_ami.this.id
-#   instance_type = "t2.micro"
-#   subnet_id     = data.aws_subnets.this.ids[0]
-
-#   tags = {
-#     Name = "${module.naming.resource_prefix.ec2_instance}"
-#   }
-# }
-
-# resource "aws_ec2_instance_state" "this" {
-#   instance_id = aws_instance.this.id
-#   state       = "stopped"
-# }
diff --git a/auto_policy_testing/scripts/iam_role_aws.py b/auto_policy_testing/scripts/iam_role_aws.py
index c42b6542e..7fb3d8d06 100644
--- a/auto_policy_testing/scripts/iam_role_aws.py
+++ b/auto_policy_testing/scripts/iam_role_aws.py
@@ -20,19 +20,21 @@ def check_role_exists(readonly_role_name_color):
     return role_exists
 
 
-def check_policy_exists(readonly_role_name, policy_name):
+def check_policy_exists(role_name, policy_name):
     client = boto3.client('iam')
     try:
-        response = client.get_role_policy(RoleName=readonly_role_name, PolicyName=policy_name)
+        response = client.get_role_policy(RoleName=role_name, PolicyName=policy_name)
         policy_exists = True
     except client.exceptions.NoSuchEntityException:
         policy_exists = False
     return policy_exists
 
 
-def create_delete_readonly_role_aws(create=False, delete=False, color = ''):
-    role_id = random.randint(100, 999)
-    readonly_role_name_color = f"{readonly_role_name}_{color}_{role_id}"
+def create_delete_readonly_role_aws(create=False, delete=False, color='', role_name=None):
+    if create:
+        role_id = random.randint(1000, 9999)
+        role_name = f"{readonly_role_name}_{color}_{role_id}"
+
     sts = boto3.client("sts")
     account_id = sts.get_caller_identity()["Account"]
     client = boto3.client('iam')
@@ -49,41 +51,41 @@ def create_delete_readonly_role_aws(create=False, delete=False, color = ''):
                 }
             ]
         }
-        if not check_role_exists(readonly_role_name_color):
+        if not check_role_exists(role_name):
             try:
                 role = client.create_role(
-                    RoleName=readonly_role_name_color, AssumeRolePolicyDocument=json.dumps(trust_policy)
+                    RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust_policy)
                 )
-                print(f"Created role {readonly_role_name_color}.")
+                print(f"Created role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't create role {readonly_role_name_color}.")
+                print(f"Couldn't create role {role_name}.")
                 raise
             else:
-                return role
+                return role.get("Role", {})
         else:
             try:
                 role = client.update_assume_role_policy(
-                    RoleName=readonly_role_name_color, PolicyDocument=json.dumps(trust_policy)
+                    RoleName=role_name, PolicyDocument=json.dumps(trust_policy)
                 )
-                print(f"Updated trust policy for role {readonly_role_name_color}.")
+                print(f"Updated trust policy for role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't update trust policy for role {readonly_role_name_color}.")
+                print(f"Couldn't update trust policy for role {role_name}.")
                 raise
             else:
-                return role
+                return role.get("Role", {})
     elif delete:
-        if check_role_exists(readonly_role_name_color):
+        if check_role_exists(role_name):
             try:
-                if check_policy_exists(readonly_role_name_color, policy_name):
-                    client.delete_role_policy(RoleName=readonly_role_name_color, PolicyName=policy_name)
-                client.delete_role(RoleName=readonly_role_name_color)
-                print(f"Deleted role {readonly_role_name_color}.")
+                if check_policy_exists(role_name, policy_name):
+                    client.delete_role_policy(RoleName=role_name, PolicyName=policy_name)
+                client.delete_role(RoleName=role_name)
+                print(f"Deleted role {role_name}.")
             except botocore.exceptions.ClientError:
-                print(f"Couldn't delete role {readonly_role_name_color}.")
+                print(f"Couldn't delete role {role_name}.")
                 raise
 
 
-def set_readonly_role_permissions_aws(resource, readonly_role_name):
+def set_readonly_role_permissions_aws(resource, role_name):
     root_path = Path(os.getcwd()).parents[1]
     iam_path = os.path.join(root_path, 'auto_policy_testing', 'iam', resource + '.json')
     with open(iam_path, 'r') as f:
@@ -91,7 +93,7 @@ def set_readonly_role_permissions_aws(resource, readonly_role_name):
 
     client = boto3.client('iam')
     response = client.put_role_policy(
-        RoleName=readonly_role_name,
+        RoleName=role_name,
         PolicyName=policy_name,
         PolicyDocument=json.dumps(inline_policy)
     )
diff --git a/auto_policy_testing/scripts/main.py b/auto_policy_testing/scripts/main.py
index 077d78789..6e0717bb8 100644
--- a/auto_policy_testing/scripts/main.py
+++ b/auto_policy_testing/scripts/main.py
@@ -49,7 +49,7 @@ def main():
         for resource in resource_priority_list:
             path = os.path.join(RULEPACK_TESTING_PATH, args.infra_color, resource)
             if args.cloud == "AWS" and args.sa:
-                iam_role_aws.set_readonly_role_permissions_aws(resource, role.get("Role", {}).get("RoleName", None))
+                iam_role_aws.set_readonly_role_permissions_aws(resource, role.get("RoleName", None))
             tf_up_subprocess_result, tf_up_error = tf_up(resource, path, args.cloud, args.infra_color)
             if tf_up_subprocess_result:
                 print("\nScan resources\n")
@@ -71,22 +71,22 @@ def main():
                     sys.exit(1)
             else:
                 print("Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error)
-                tf_failed[resource] = "Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error
+                tf_failed[str(resource)+"_up"] = "Error during 'terraform apply' for '" + resource + "': \n" + tf_up_error
 
             tf_down_subprocess_result, tf_down_error = tf_down(resource, path, args.cloud, args.infra_color)
             if not tf_down_subprocess_result:
                 print("Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error)
-                tf_failed[resource] = "Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error
+                tf_failed[str(resource)+"_down"] = "Error during 'terraform destroy' for '" + resource + "': \n" + tf_down_error
     else:
         print("Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error)
-        tf_failed['common_resources'] = "Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error
+        tf_failed['common_resources'+"_up"] = "Error during 'terraform apply' for 'common_resources': \n" + tf_up_common_error
 
     tf_down_common_subprocess_result, tf_down_common_error = common_tf_down(RULEPACK_TESTING_PATH, args.infra_color)
 
     if not tf_down_common_subprocess_result:
         print("Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error)
         tf_failed[
-            'common_resources'] = "Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error
+            'common_resources'+"_down"] = "Error during 'terraform destroy' for 'common_resources': \n" + tf_down_common_error
 
     if tf_up_subprocess_result:
         report.create_report(
@@ -95,7 +95,7 @@ def main():
             cloud=args.cloud)
 
     if args.cloud == "AWS" and args.sa:
-        iam_role_aws.create_delete_readonly_role_aws(delete=True, color=args.infra_color)
+        iam_role_aws.create_delete_readonly_role_aws(delete=True, color=args.infra_color, role_name=role.get("RoleName", None))
 
     with open(os.path.join(OUTPUT_DIR, '.tf_failed'), "w") as failed_file:
         for item, description in tf_failed.items():