@step(u'its value {condition:ANY} match the "{search_regex}" regex') is not working as expected #121

Closed
vrbcntrl opened this issue Jul 3, 2019 · 6 comments
Labels
bug waiting for confirmation Workaround/Fix applied, waiting for confirmation

Comments

vrbcntrl commented Jul 3, 2019

Hi,

I am trying to test a use case in v1.0.16, where I want to FAIL the test if the Action attribute value is other than abc123.

So I wrote the below Scenario:

 Scenario Outline: AWS KMS Key Policy is too permissive
    Given I have aws_kms_key defined
    When it contains policy
    Then it must contain Statement
    Then it must contain Action
    Then its value must match the "<value>" regex

    Examples:
      | value |
      | abc123  |

And my plan.out.json is like this:

{
	"format_version": "0.1",
	"terraform_version": "0.12.1",
	"planned_values": {
		"root_module": {
			"resources": [
				{
					"address": "aws_kms_key.example",
					"mode": "managed",
					"type": "aws_kms_key",
					"name": "example",
					"provider_name": "aws",
					"schema_version": 0,
					"values": {
						"deletion_window_in_days": null,
						"description": "example",
						"enable_key_rotation": false,
						"is_enabled": true,
						"policy": "{\r\n  \"Version\": \"2012-10-17\",\r\n  \"Statement\": [\r\n    \r\n     {\r\n      \"Sid\": \"Allow use of the key\",\r\n      \"Effect\": \"Allow\",\r\n      \"Principal\": {\r\n        \"AWS\": [\r\n          \"arn:aws:iam::redacted:role/example\",\r\n          \"arn:aws:iam::redacted:user/alice\",\r\n          \"arn:aws:iam::redacted:user/bob\"\r\n        ]\r\n      },\r\n      \"Action\": [\r\n        \"kms:ReEncrypt*\",\r\n        \"kms:GenerateDataKey*\",\r\n        \"kms:DescribeKey\"\r\n      ],\r\n      \"Resource\": \"*\"\r\n    }\r\n    \r\n  ]\r\n}",
						"tags": null
					}
				}
			]
		}
	}
}

When I run my BDD, it always passes, irrespective of the Action attribute value.


vrbcntrl commented Jul 3, 2019

plan.zip

I have attached the plan json in case you want to refer to it.

Thanks!

eerkunt commented Jul 5, 2019

Thanks for reporting, it is weird that it passes on tests but fails for you.

Will have a look

@eerkunt eerkunt added bug fixing A fix is addressed, no further data is required labels Jul 6, 2019

eerkunt commented Jul 6, 2019

Can you please try with 1.0.17? This was quite an edge case that we missed when implementing it. Thanks for the finding!

@eerkunt eerkunt added waiting for confirmation Workaround/Fix applied, waiting for confirmation and removed fixing A fix is addressed, no further data is required labels Jul 6, 2019

vrbcntrl commented Jul 7, 2019

Thanks for the fix. I have tested this use case with 1.0.17 and this is what I got:

Scenario: AWS KMS Key Policy is too permissive
       Given I have aws_kms_key defined
       When it contains policy
       Then it must contain Statement
       And it must contain Action
       And Then its value must match the "^(kms\:Encrypt\|kms\:Decrypt)$" regex
         Failure: Action property in aws_kms_key.example resource does not match with ^(kms\:Encrypt\|kms\:Decrypt)$ regex. It is set to kms:Encrypt.

Not sure why it's still failing when my Action attribute has kms:Encrypt, shown below:

"Action": [
        "kms:Encrypt"
      ]

Basically, I want to FAIL the test when the Action attribute contains anything other than kms:Encrypt or kms:Decrypt.

Do you see any problem with my regex ^(kms\:Encrypt\|kms\:Decrypt)$ ?

The regex without the OR condition works fine, i.e. ^(kms\:Encrypt)$ is matching the value kms:Encrypt, but I want the OR condition also in the regex.

Any help with the regex is appreciated.


eerkunt commented Jul 8, 2019

Just tested against your code, ^(kms:Encrypt|kms:Decrypt)$ works for me? Because this is not a Scenario Outline, you don't need to escape the | (PIPE) character.

The reason why we escape is that it was messing up the table structure defining Examples.
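
The allow-list check discussed in this thread, as an added example that is not part of the original issue and not terraform-compliance's own code: it parses the policy JSON embedded in a plan, tests every Action against the regex with Python's `re`, and shows that the still-escaped `\|` form only matches a literal pipe. The plan fragment, `policy_actions` and `violations` are constructed for illustration.

```python
import json
import re

# Constructed plan fragment, shaped like the plan.out.json in this thread:
# the KMS key policy is a JSON document embedded as a string.
POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow use of the key",
        "Effect": "Allow",
        "Action": ["kms:ReEncrypt*", "kms:GenerateDataKey*", "kms:DescribeKey"],
        "Resource": "*",
    }],
})
PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "aws_kms_key.example", "type": "aws_kms_key",
     "values": {"policy": POLICY}},
]}}}

ALLOWED = r"^(kms:Encrypt|kms:Decrypt)$"      # plain Scenario form: | is alternation
ESCAPED = r"^(kms\:Encrypt\|kms\:Decrypt)$"   # \| left escaped: matches a literal pipe


def policy_actions(plan, resource_type="aws_kms_key"):
    """Yield (address, action) for every Action in each embedded policy."""
    for res in plan["planned_values"]["root_module"]["resources"]:
        if res.get("type") != resource_type:
            continue
        raw = res.get("values", {}).get("policy")
        if not raw:
            continue
        statements = json.loads(raw).get("Statement", [])
        if isinstance(statements, dict):      # a single statement object is valid
            statements = [statements]
        for stmt in statements:
            actions = stmt.get("Action", [])
            if isinstance(actions, str):      # Action may be a string or a list
                actions = [actions]
            for action in actions:
                yield res["address"], action


def violations(plan, pattern):
    """Return the (address, action) pairs that do NOT match the allow-list regex."""
    rx = re.compile(pattern)
    return [(addr, act) for addr, act in policy_actions(plan) if not rx.match(act)]
```

`violations(PLAN, ALLOWED)` lists the three actions from the policy above, while a policy containing only `kms:Encrypt` is clean under `ALLOWED` but is still reported under `ESCAPED`.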


vrbcntrl commented Jul 8, 2019

Thank you @eerkunt
Yes, the regex works fine for my use case.
Thanks for the clarification on escaping the pipe (|) with Scenario Outline.

@vrbcntrl vrbcntrl closed this as completed Jul 8, 2019