Custom Scenario in encryption at rest feature throws AttributeError #90

Closed
vrbcntrl opened this issue May 1, 2019 · 8 comments
Labels
bug enhancement waiting for confirmation Workaround/Fix applied, waiting for confirmation

Comments

@vrbcntrl
Contributor

vrbcntrl commented May 1, 2019

Hi,
I wrote a custom Scenario shown below to test aws_emr_security_configuration encryption at rest

```
Feature: Resources should use encryption at rest while they are created
  In order to improve security
  As engineers
  We'll enforce encryption at rest

  Scenario: AWS EMR Encryption at Rest
    Given I have AWS EMR Security Configuration instance defined
    When it contains configuration
    Then encryption must be enabled
```

main.tf

```
resource "aws_emr_security_configuration" "foo" {
  name = "emrsc_other"

  configuration = <<EOF
{
  "EncryptionConfiguration": {
    "AtRestEncryptionConfiguration": {
      "S3EncryptionConfiguration": {
        "EncryptionMode": "SSE-S3"
      },
      "LocalDiskEncryptionConfiguration": {
        "EncryptionKeyProviderType": "AwsKms",
        "AwsKmsKey": "arn:aws:kms:us-west-2:187416307283:alias/tf_emr_test_key"
      }
    },
    "EnableInTransitEncryption": false,
    "EnableAtRestEncryption": true
  }
}
EOF
}
```

When I run my test against the above template with my feature, I get AttributeError: 'str' object has no attribute 'keys'

console output

```
Running tests.
Feature: Resources should use encryption at rest while they are created # C:\Training\AWS\Cloud-CustomRules\Terraform-Compliance\rules\encryption_at_rest.feature
In order to improve security
As engineers
We'll enforce encryption at rest

Scenario: AWS EMR Encryption at Rest
    Given I have AWS EMR Security Configuration instance defined
    When it contains configuration
    Then encryption must be enabled
      AttributeError: 'str' object has no attribute 'keys'

1 features (0 passed, 1 failed)
1 scenarios (0 passed, 1 failed)
3 steps (2 passed, 1 failed)
Run 1556667708 finished within a moment
Cleaning up.
```

Not sure what is wrong here, I guess maybe I am not reading the EnableAtRestEncryption property correctly?

Any help is appreciated. Thanks!

@eerkunt
Member

eerkunt commented May 1, 2019

Thanks for reporting @vrbcntrl. The problem is due to inline configuration in terraform. Unfortunately, inline configuration is not supported, since it may vary a lot!

This feature might be supported after having #72 and #66.

@vrbcntrl
Contributor Author

vrbcntrl commented May 1, 2019

Thank you @eerkunt for the response. I'll wait for the update from you then :)

@eerkunt eerkunt added this to the 1.0.0 milestone May 29, 2019
@eerkunt
Member

eerkunt commented Jun 20, 2019

This should be fixed in 1.0.0. Please let us know if it doesn't work for you.

@eerkunt eerkunt closed this as completed Jun 20, 2019
@vrbcntrl
Contributor Author

Hi @eerkunt ,

I have again tested this use case with 1.0.4, unfortunately it still throws me a different error now:

```
Scenario: AWS EMR Encryption at Rest
    Given I have aws_emr_security_configuration defined
    When it contains configuration
    Then encryption must be enabled
      KeyError: 'type'
```

Please find my tf template, out file and the results in the attachments.
In this case also, I have 2 encryption properties that I want to test, but I suppose I can't use the above scenario, so I have also tried the scenario outline just like I have tried in #93, but that also throws me an error...

aws_emr_security_configuration.zip
AWS_EMR_Encryption_at_rest Test Results

@eerkunt
Member

eerkunt commented Jun 24, 2019

Thanks for trying it again. #101 introduces a fix and enhancement on these kinds of conditions. Now we support heredoc json strings. Please have a try with 1.0.5 and let me know if it doesn't work for you?

eerkunt added a commit that referenced this issue Jun 24, 2019
1.0.5 (2019-06-24)
* Added basic heredoc support for json strings. (#90)
* Added encryption property for (at rest) aws_emr_security_configuration
@eerkunt eerkunt added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Jun 24, 2019
@vrbcntrl
Contributor Author

Thanks @eerkunt for fixing the issue. The new version 1.0.5 works fine if I wanted to test a single encryption property, i.e. 'aws_emr_security_configuration': 'EnableAtRestEncryption', because this is configured in init.py. However, I have 2 encryption properties in the same JSON, as shown below:

```
"EnableInTransitEncryption": false, "EnableAtRestEncryption": false
```

So I tried to test them using the same technique used for #93, however it didn't work :(

```
Scenario Ouline: AWS EMR Encryption at Rest
  Given I have aws_emr_security_configuration defined
  When it contains configuration
  Then it must contain

  Examples:
    | encryption                |
    | EnableInTransitEncryption |
    | EnableAtRestEncryption    |
```

I got the below error:

```
Error Oracle says:
There is no step defintion for 'Then it must contain '.
All steps should be declared in a module located in c:\users\vrb.cntrl\appdata\local\programs\python\python37\lib\site-packages\terraform_compliance\steps.
For example you could do:

@step(r"Then it must contain ")
def my_step(step):
    raise NotImplementedError("This step is not implemented yet")
```

so, if you could let me know how to test the 2 or 3 related properties in the same resource, that would be really helpful...thanks in advance!

@eerkunt
Member

eerkunt commented Jun 25, 2019

There are multiple problems here.

  1. Your BDD test is wrong, there are both some typos and it's not structured correctly. I think you are trying to achieve this:

     ```
     Scenario Outline: AWS EMR Encryption at Rest and In-Flight
       Given I have aws_emr_security_configuration defined
       When it contains configuration
       Then it must contain <encryption>
       Then its value must match the "<value>" regex

       Examples:
         | encryption                | value |
         | EnableInTransitEncryption | true  |
         | EnableAtRestEncryption    | true  |
     ```

  2. There was a case where Boolean values were not checked on the `Then its value must match the "<value>" regex` step. It is not fixed on Feature/improved regex matching #103.

Could you please try with 1.0.6 and the BDD test above together?

@vrbcntrl
Contributor Author

Thank you so much @eerkunt.
I have tested the above BDD with v1.0.7 and both positive and negative tests are working as expected.
I also tested the use case mentioned in #93 and it is also working fine.

Thanks again!

@eerkunt eerkunt closed this as completed Jun 26, 2019
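
The two failure modes discussed in this thread, as an added example (not terraform-compliance's own code): a heredoc `configuration` arrives as a JSON string and has to be decoded before any key lookup, and boolean flags need a text form before a regex can match them. The `SAMPLE_RESOURCE` layout and every function name here are assumptions made for illustration.

```python
import json
import re

# Constructed sample (assumed layout): the heredoc body is still a JSON *string*.
SAMPLE_RESOURCE = {
    "type": "aws_emr_security_configuration",
    "values": {"configuration": json.dumps({
        "EncryptionConfiguration": {
            "AtRestEncryptionConfiguration": {
                "S3EncryptionConfiguration": {"EncryptionMode": "SSE-S3"}},
            "EnableInTransitEncryption": False,
            "EnableAtRestEncryption": True}})},
}

def decode_embedded_json(value):
    """Parse value if it is a JSON object/array string; otherwise return it as is."""
    if isinstance(value, str) and value.strip()[:1] in ("{", "["):
        try:
            return json.loads(value)
        except json.JSONDecodeError:
            pass  # looked like JSON but is not: keep the plain string
    return value

def find_key(node, key):
    """Depth-first search through dicts, lists and embedded JSON; (found, value)."""
    node = decode_embedded_json(node)
    if isinstance(node, dict):
        if key in node:
            return True, node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return False, None  # scalar (e.g. str): .keys() on it raises AttributeError
    for child in children:
        found, value = find_key(child, key)
        if found:
            return True, value
    return False, None

def value_matches(value, pattern):
    """Regex-match a value; booleans are rendered as JSON 'true'/'false' first."""
    text = json.dumps(value) if isinstance(value, bool) else str(value)
    return re.fullmatch(pattern, text, re.IGNORECASE) is not None

def check(resource, key, pattern):
    # Hypothetical helper: does `key` exist in the configuration and match?
    found, value = find_key(resource["values"].get("configuration"), key)
    return found and value_matches(value, pattern)
```

With the sample above, the at-rest flag passes a `true` check while the in-transit flag fails it, which is the negative case a two-row Scenario Outline is meant to surface.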