fix its_key_is_value ignoring None values (#401)

* fix its_key_is_value ignoreing None values

* Changelog and tests

Co-authored-by: Emre Erkunt <[email protected]>

CHANGELOG.md

@@ -1,6 +1,7 @@
 # CHANGELOG
 
 ## Unreleased
+* Fixed a problem where [When its property has something](https://terraform-compliance.com/pages/bdd-references/when.html#when-its-property-has-something) ignored `None` values. ([#401](https://github.com/eerkunt/terraform-compliance/issues/401))
 * Improved silent mode (`-S`) with better output and formatting ([#398](https://github.com/eerkunt/terraform-compliance/issues/398)
 
 ## 1.3.5 (2020-10-14)

terraform_compliance/steps/when/its_key_is_value.py

@@ -58,6 +58,9 @@ def its_key_is_value(_step_obj, key, value, dict_value=None, address=Null):
             ):
                 found_list.append(obj)
 
+        elif object_key is None and match.equals('None', value):
+            found_list.append(obj)
+
     if found_list != []:
         _step_obj.context.stash = found_list
         _step_obj.context.addresses = get_resource_address_list_from_stash(found_list)
@@ -119,6 +122,9 @@ def its_key_is_not_value(_step_obj, key, value, dict_value=None, address=Null):
             if not match.contains(object_key, value) or (dict_value is not None and not match.equals(str(match.get(object_key, value)), dict_value)):
                 found_list.append(obj)
 
+        elif object_key is None and not match.equals('None', value):
+            found_list.append(obj)
+
     if found_list != []:
         _step_obj.context.stash = found_list
         _step_obj.context.addresses = get_resource_address_list_from_stash(found_list)

tests/functional/test_issue_401/.expected

@@ -0,0 +1,2 @@
+Failure: storage_encrypted property in aws_db_instance.default resource does not match with \^true\$ case insensitive regex. It is set to None.
+Failure: Forcefully failing the scenario on aws_db_instance \(aws_db_instance.default\) resource

tests/functional/test_issue_401/main.tf

@@ -0,0 +1,12 @@
+resource "aws_db_instance" "default" {
+  allocated_storage    = 20
+  storage_type         = "gp2"
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t2.micro"
+  name                 = "mydb"
+  username             = "foo"
+  password             = "foobarbaz"
+  parameter_group_name = "default.mysql5.7"
+  publicly_accessible = true
+}

tests/functional/test_issue_401/plan.out.json

@@ -0,0 +1 @@
+{"format_version":"0.1","terraform_version":"0.12.25","planned_values":{"root_module":{"resources":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_name":"aws","schema_version":1,"values":{"allocated_storage":20,"allow_major_version_upgrade":null,"auto_minor_version_upgrade":true,"copy_tags_to_snapshot":false,"delete_automated_backups":true,"deletion_protection":null,"domain":null,"domain_iam_role_name":null,"enabled_cloudwatch_logs_exports":null,"engine":"mysql","engine_version":"5.7","final_snapshot_identifier":null,"iam_database_authentication_enabled":null,"instance_class":"db.t2.micro","iops":null,"max_allocated_storage":null,"monitoring_interval":0,"name":"mydb","parameter_group_name":"default.mysql5.7","password":"foobarbaz","performance_insights_enabled":false,"publicly_accessible":true,"replicate_source_db":null,"s3_import":[],"security_group_names":null,"skip_final_snapshot":false,"snapshot_identifier":null,"storage_encrypted":null,"storage_type":"gp2","tags":null,"timeouts":null,"username":"foo"}}]}},"resource_changes":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"allocated_storage":20,"allow_major_version_upgrade":null,"auto_minor_version_upgrade":true,"copy_tags_to_snapshot":false,"delete_automated_backups":true,"deletion_protection":null,"domain":null,"domain_iam_role_name":null,"enabled_cloudwatch_logs_exports":null,"engine":"mysql","engine_version":"5.7","final_snapshot_identifier":null,"iam_database_authentication_enabled":null,"instance_class":"db.t2.micro","iops":null,"max_allocated_storage":null,"monitoring_interval":0,"name":"mydb","parameter_group_name":"default.mysql5.7","password":"foobarbaz","performance_insights_enabled":false,"publicly_accessible":true,"replicate_source_db":null,"s3_import":[],"security_group_names":null,"skip_final_snapshot":false,"snapshot_identifier":null,"storage_encrypted":null,"storage_type":"gp2","tags":null,"timeouts":null,"username":"foo"},"after_unknown":{"address":true,"apply_immediately":true,"arn":true,"availability_zone":true,"backup_retention_period":true,"backup_window":true,"ca_cert_identifier":true,"character_set_name":true,"db_subnet_group_name":true,"endpoint":true,"hosted_zone_id":true,"id":true,"identifier":true,"identifier_prefix":true,"kms_key_id":true,"license_model":true,"maintenance_window":true,"monitoring_role_arn":true,"multi_az":true,"option_group_name":true,"performance_insights_kms_key_id":true,"performance_insights_retention_period":true,"port":true,"replicas":true,"resource_id":true,"s3_import":[],"status":true,"timezone":true,"vpc_security_group_ids":true}}}],"configuration":{"root_module":{"resources":[{"address":"aws_db_instance.default","mode":"managed","type":"aws_db_instance","name":"default","provider_config_key":"aws","expressions":{"allocated_storage":{"constant_value":20},"engine":{"constant_value":"mysql"},"engine_version":{"constant_value":"5.7"},"instance_class":{"constant_value":"db.t2.micro"},"name":{"constant_value":"mydb"},"parameter_group_name":{"constant_value":"default.mysql5.7"},"password":{"constant_value":"foobarbaz"},"publicly_accessible":{"constant_value":true},"storage_type":{"constant_value":"gp2"},"username":{"constant_value":"foo"}},"schema_version":1}]}}}

tests/functional/test_issue_401/test.feature

@@ -0,0 +1,13 @@
+Feature: Feature for testing its_key_is_value
+
+	Scenario: Ensure all data stored in the RDS is securely encrypted at rest
+		Given I have aws_db_instance defined
+		When its replicate_source_db is None
+		Then it must have storage_encrypted
+		And its value must be true
+
+
+	Scenario: Ensure all data stored in the RDS is securely encrypted at rest (not)
+		Given I have aws_db_instance defined
+		When its replicate_source_db is not notNone
+		Then it must fail