feat: add tests for AWS ECS (#169)

* feat: add tests for AWS ECS Signed-off-by: Vishal Choudhary <[email protected]> * fix: update message in validating policy Signed-off-by: Vishal Choudhary <[email protected]> * feat: linting Signed-off-by: Vishal Choudhary <[email protected]> --------- Signed-off-by: Vishal Choudhary <[email protected]> Co-authored-by: Charles-Edouard Brétéché <[email protected]>
kyverno · Nov 1, 2023 · dd3b385 · dd3b385
1 parent 2825860
commit dd3b385
Show file tree

Hide file tree

Showing 17 changed files with 1,180 additions and 0 deletions.
diff --git a/pkg/commands/scan/command_test.go b/pkg/commands/scan/command_test.go
@@ -92,6 +92,41 @@ func Test_Execute(t *testing.T) {
 		policies:      []string{"../../../test/commands/scan/tf-ec2/policy.yaml"},
 		out:           "../../../test/commands/scan/tf-ec2/out.txt",
 		wantErr:       false,
+	}, {
+		name:          "tf-ecs-cluster-1",
+		payload:       "../../../test/commands/scan/tf-ecs-cluster/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/commands/scan/tf-ecs-cluster/01-policy.yaml"},
+		out:           "../../../test/commands/scan/tf-ecs-cluster/01-out.txt",
+		wantErr:       false,
+	}, {
+		name:          "tf-ecs-cluster-2",
+		payload:       "../../../test/commands/scan/tf-ecs-cluster/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/commands/scan/tf-ecs-cluster/02-policy.yaml"},
+		out:           "../../../test/commands/scan/tf-ecs-cluster/02-out.txt",
+		wantErr:       false,
+	}, {
+		name:          "tf-ecs-service-1",
+		payload:       "../../../test/commands/scan/tf-ecs-service/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/commands/scan/tf-ecs-service/01-policy.yaml"},
+		out:           "../../../test/commands/scan/tf-ecs-service/01-out.txt",
+		wantErr:       false,
+	}, {
+		name:          "tf-ecs-service-2",
+		payload:       "../../../test/commands/scan/tf-ecs-service/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/commands/scan/tf-ecs-service/02-policy.yaml"},
+		out:           "../../../test/commands/scan/tf-ecs-service/02-out.txt",
+		wantErr:       false,
+	}, {
+		name:          "tf-ecs-task-definition",
+		payload:       "../../../test/commands/scan/tf-ecs-task-definition/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/commands/scan/tf-ecs-task-definition/policy.yaml"},
+		out:           "../../../test/commands/scan/tf-ecs-task-definition/out.txt",
+		wantErr:       false,
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/test/commands/scan/tf-ecs-cluster/01-out.txt b/test/commands/scan/tf-ecs-cluster/01-out.txt
@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 3 resources against 1 policy ) ...
+- required-container-insights / required-container-insights / (unknown) PASSED
+Done
diff --git a/test/commands/scan/tf-ecs-cluster/01-policy.yaml b/test/commands/scan/tf-ecs-cluster/01-policy.yaml
@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: required-container-insights
+spec:
+  rules:
+    - name: required-container-insights
+      match:
+        any:
+        - type: aws_ecs_cluster
+      assert:
+        all:
+        - message: "Container insights should be enabled on ECS cluster"
+          check:
+            values:
+              ~.setting: 
+                name: containerInsights
+                value: enabled
+
+
diff --git a/test/commands/scan/tf-ecs-cluster/02-out.txt b/test/commands/scan/tf-ecs-cluster/02-out.txt
@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 3 resources against 1 policy ) ...
+- ecs-cluster-enable-logging / ecs-cluster-enable-logging / (unknown) PASSED
+Done
diff --git a/test/commands/scan/tf-ecs-cluster/02-policy.yaml b/test/commands/scan/tf-ecs-cluster/02-policy.yaml
@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: ecs-cluster-enable-logging
+spec:
+  rules:
+    - name: ecs-cluster-enable-logging
+      match:
+        any:
+        - type: aws_ecs_cluster
+      context:
+      - name: forbidden_values
+        variable: ["NONE"]
+      assert:
+        all:
+        - message: "ECS Cluster should enable logging of ECS Exec"
+          check:
+            values:
+              ~.configuration: 
+                ~.execute_command_configuration:
+                  (contains($forbidden_values, @.logging)): false
diff --git a/test/commands/scan/tf-ecs-cluster/main.tf b/test/commands/scan/tf-ecs-cluster/main.tf
@@ -0,0 +1,29 @@
+resource "aws_kms_key" "example" {
+  description             = "example"
+  deletion_window_in_days = 7
+}
+
+resource "aws_cloudwatch_log_group" "example" {
+  name = "example"
+}
+
+resource "aws_ecs_cluster" "test" {
+  name = "example"
+
+  configuration {
+    execute_command_configuration {
+      kms_key_id = aws_kms_key.example.arn
+      logging    = "OVERRIDE"
+
+      log_configuration {
+        cloud_watch_encryption_enabled = true
+        cloud_watch_log_group_name     = aws_cloudwatch_log_group.example.name
+      }
+    }
+  }
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}