Proper way to do negative testing #156
Comments
Hello. You structured the test correctly, but unfortunately some terraform-compliance internals fail while mounting … Thus, it is possible to create a test starting to search for … Looking into this right now.

Fixed in d0aa707, will release a new version in a few minutes.
Could you please have a try with the https://github.com/eerkunt/terraform-compliance/releases/tag/1.0.49 version. Here is the test I have used:

terraform file

```hcl
data "aws_iam_policy_document" "attached_policy" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      identifiers = ["ec2.amazonaws.com"]
      type        = "Service"
    }
  }
}

resource "aws_iam_role" "attached_role" {
  name               = "instance-attached-role"
  assume_role_policy = data.aws_iam_policy_document.attached_policy.json
}

resource "aws_instance" "my_instance_with_attached_role" {
  ami           = "some-ami"
  instance_type = "t2.micro"
  # The plan-level reference to aws_iam_role is what the scenario below matches on.
  # (At apply time this attribute expects an instance profile name, not a role ARN.)
  iam_instance_profile = aws_iam_role.attached_role.arn
}
```

bdd feature

```gherkin
Feature: EC2 containers should not have a role attached to them unless threat model requires it
  In order to improve security
  As engineers
  We'll not attach IAM Roles to EC2's unless otherwise Threat Modeled

  Scenario: Fail if an EC2 has an IAM Role Attached to it
    Given I have AWS EC2 instance defined
    When it contains aws_iam_role
    Then the scenario should fail
```
Thank you for making the change so quickly! I'm getting a recursion error now on the same feature files and tf files as before. I had to upgrade terraform to … Here are the commands I'm using:

```bash
function terraform {
  docker run --rm -v "$(pwd)":/app/ -w /app/ -e "AWS_ACCESS_KEY_ID=$AWSKEYID" -e "AWS_SECRET_ACCESS_KEY=$AWSACCESSKEY" -e "TF_VAR_SSH_PUB=$TF_VAR_SSH_PUB" -e "TF_VAR_SSH_PRI=$TF_VAR_SSH_PRI" -i -t hashicorp/terraform:0.12.8 "$@";
}
function terraform-compliance {
  docker run --rm -v "$(pwd)":/target -e "AWS_ACCESS_KEY_ID=$AWSKEYID" -e "AWS_SECRET_ACCESS_KEY=$AWSACCESSKEY" -i -t eerkunt/terraform-compliance:1.0.49 "$@";
}
```

Here is what I'm running:

```bash
terraform plan --out=plan.out && terraform-compliance -f Security/ -p plan.out
```

and here is what's coming out:

```
...
Feature: Resources should be properly tagged  # /target/Security/tags.feature
    In order to keep track of resource ownership
    As engineers
    We'll enforce tagging on all resources

    Scenario: Ensure all resources have tags
        Given I have resource that supports tags defined
        Then it must contain tags
RecursionError: maximum recursion depth exceeded while calling a Python object
        And its value must not be null
...
```
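The two checks this thread exercises, the "fail if an EC2 has an IAM role attached" scenario from the maintainer's reply and the "all resources must have tags" feature from the output above, can also be run straight against the JSON form of the plan (`terraform show -json plan.out`). The script below is an added example written for this page; it is not code from terraform-compliance or from either participant. The plan document embedded in it is constructed to mimic Terraform 0.12's JSON plan layout, and its resource addresses and values are invented. It inspects both `planned_values` (where a literal `iam_instance_profile` shows up) and `configuration` (where a reference to an `aws_iam_role` or `aws_iam_instance_profile` resource shows up); the second lookup matters because a value computed at apply time, such as the ARN of a role that does not exist yet, is unknown during plan and therefore absent from `planned_values`.

```python
import json
import sys

# Constructed sample in the shape of `terraform show -json plan.out` (Terraform 0.12).
# Invented for this example; it is not the plan from the thread.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "terraform_version": "0.12.8",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_iam_role.attached_role", "type": "aws_iam_role",
         "values": {"name": "instance-attached-role"}},
        # iam_instance_profile points at the role's ARN, which is unknown until
        # apply, so Terraform omits it from planned values; only the
        # configuration section records the reference.
        {"address": "aws_instance.with_role", "type": "aws_instance",
         "values": {"ami": "some-ami", "instance_type": "t2.micro",
                    "tags": {"Name": "with_role"}}},
        # Literal profile name and no tags: should fail both checks.
        {"address": "aws_instance.literal_profile", "type": "aws_instance",
         "values": {"ami": "some-ami", "instance_type": "t2.micro",
                    "iam_instance_profile": "EC2-S3-READONLY"}},
        {"address": "aws_instance.clean", "type": "aws_instance",
         "values": {"ami": "some-ami", "instance_type": "t2.micro",
                    "tags": {"Name": "clean"}}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_instance.with_role", "type": "aws_instance",
         "expressions": {"iam_instance_profile":
                         {"references": ["aws_iam_role.attached_role"]}}},
        {"address": "aws_instance.literal_profile", "type": "aws_instance",
         "expressions": {"iam_instance_profile":
                         {"constant_value": "EC2-S3-READONLY"}}},
        {"address": "aws_instance.clean", "type": "aws_instance",
         "expressions": {"ami": {"constant_value": "some-ami"}}},
    ]}},
}

# Resource types whose reference means "this instance gets an IAM role".
ROLE_SOURCES = ("aws_iam_role", "aws_iam_instance_profile")


def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from walk(child)


def instances_with_role(plan):
    """Addresses of aws_instance resources that get an IAM role, found either as
    a concrete iam_instance_profile in planned_values or as a configuration
    reference to an aws_iam_role / aws_iam_instance_profile resource."""
    flagged = set()
    for res in walk(plan["planned_values"]["root_module"]):
        if res["type"] == "aws_instance" and res.get("values", {}).get("iam_instance_profile"):
            flagged.add(res["address"])
    for res in walk(plan["configuration"]["root_module"]):
        if res["type"] != "aws_instance":
            continue
        expr = res.get("expressions", {}).get("iam_instance_profile", {})
        refs = expr.get("references", [])
        # References look like "aws_iam_role.attached_role" (newer Terraform also
        # emits "aws_iam_role.attached_role.arn"), so compare on the resource type.
        if any(ref.split(".")[0] in ROLE_SOURCES for ref in refs):
            flagged.add(res["address"])
    return sorted(flagged)


def untagged_resources(plan, taggable=("aws_instance", "aws_security_group")):
    """Addresses of taggable resources whose planned tags are missing or empty."""
    return sorted(res["address"] for res in walk(plan["planned_values"]["root_module"])
                  if res["type"] in taggable and not res.get("values", {}).get("tags"))


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes both checks."""
    findings = [f"{a}: EC2 instance has an IAM role/instance profile attached"
                for a in instances_with_role(plan)]
    findings += [f"{a}: resource has no tags" for a in untagged_resources(plan)]
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json plan.out > plan.json && python check_plan.py plan.json
    # With no argument the embedded sample plan is checked instead.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    for line in problems:
        print("FAIL", line)
    sys.exit(1 if problems else 0)
```

The exit status makes the script usable in the same `terraform plan && …` pipeline shown above. The `aws_iam_instance_profile` case is included because in AWS an instance receives a role through an instance profile, so a configuration that follows the provider's documented pattern references a profile rather than the role itself.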
Hmm, this is weird. Is it possible to share your …

It looks like this A->B and B->A resource mounting is breaking too many things. Removing the release for now.

Will fix this with a more proper solution and then release a dev release for you to test.
No worries. However, here is my …

```hcl
provider "aws" {
  region = var.aws_region
}

resource "aws_key_pair" "deployer" {
  key_name   = "${var.project}-${var.environment}-${var.application}-SSHKey-GitLab"
  public_key = var.SSH_PUB
}

resource "aws_security_group" "instance" {
  name = "terraform-example-instance"

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["1.2.3.4/32"]
  }

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["1.2.3.4/32"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow_all"
  }
}

resource "aws_instance" "demo-prod-AppOne" {
  ami                    = "ami-04b762b4289fba92b"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.instance.id]
  key_name               = aws_key_pair.deployer.key_name
  iam_instance_profile   = "EC2-S3-READONLY"

  user_data = <<-EOF
    #!/bin/bash
    yum update -y
    amazon-linux-extras install -y lamp-mariadb10.2-php7.2 php7.2
    yum install -y httpd mariadb-server
    systemctl start httpd
    systemctl enable httpd
    usermod -a -G apache ec2-user
    chown -R ec2-user:apache /var/www
    chmod 2775 /var/www
    find /var/www -type d -exec chmod 2775 {} \;
    find /var/www -type f -exec chmod 0664 {} \;
    echo "<?php phpinfo(); ?>" > /var/www/html/phpinfo.php
    cat /tmp/index.php > /var/www/html/index.php
  EOF

  provisioner "file" {
    source      = "./app/index.php"
    destination = "/tmp/index.php"

    connection {
      type        = "ssh"
      user        = "ec2-user"
      private_key = var.SSH_PRI
      # A resource cannot reference its own attributes; inside a provisioner
      # the instance being created is addressed as self.
      host        = self.public_ip
    }
  }

  tags = {
    Name = "${var.project}-${var.environment}-${var.application}"
    Env2 = "Prod"
  }
}

output "public_ip" {
  value       = aws_instance.demo-prod-AppOne.public_ip
  description = "The public IP of the web server"
}
```
Thanks 🎉 This will help a lot.

Fix is introduced in 1f8774f, will be released with a few other fixes.

Please have a try and let me know for your case.

@joubin any luck?

Assuming this issue is resolved. Please don't hesitate to re-open it if the problem still occurs. Thanks 🎉
Is there a good way to do the above? Basically, if an AWS EC2 instance has an IAM role attached, the test should fail.