Not able to configure two different encryption properties for a same resource in __init__.py #93

Closed
vrbcntrl opened this issue Jun 12, 2019 · 4 comments

@vrbcntrl
Contributor

Hi,

Currently I am testing a use case wherein I have the transit_encryption_enabled and at_rest_encryption_enabled properties configured under the resource aws_elasticache_replication_group. So, to test these 2 test cases, I have added the necessary scenarios in the encryption_at_rest and encryption_in_flight scenario files and also added the necessary configuration in the `__init__.py` file as shown below:

```python
encryption_property = {
    "aws_elasticache_replication_group": "transit_encryption_enabled",
    "aws_elasticache_replication_group": "at_rest_encryption_enabled"
}

resource_name = {
    "AWS Elastic Cache": "aws_elasticache_replication_group"
}
```

But when I run the encryption_at_rest and encryption_in_flight scenarios separately, the at_rest scenario works fine as expected and the in_flight scenario test always PASSED. So I tried to debug steps.py and found that the print statement shown below is always returning at_rest_encryption_enabled, which is wrong:

```python
@then(u'encryption is enabled')
@then(u'encryption must be enabled')
def encryption_is_enabled(step_obj):
    prop = encryption_property[step_obj.context.resource_type]
    print('encryption property : ' + prop)
    step_obj.context.stash.property(prop).should_equal(True)
```

So I have commented out the at_rest property as shown below, and the test cases work as expected.

```python
encryption_property = {
    "aws_elasticache_replication_group": "transit_encryption_enabled"
    #"aws_elasticache_replication_group": "at_rest_encryption_enabled"
}
```

So, this seems to be an issue... Please let me know if I am doing anything wrong here. Thanks in advance!

@eerkunt
Member

eerkunt commented Jun 12, 2019

Hi @vrbcntrl,

In case encryption_property does not have what you want for using the `encryption is enabled` step, you can also drill down into the resource with the `@when(u'it contain {something:ANY}')` and `@then(u'it must {condition:ANY} have {proto:ANY} protocol and port {port} for {cidr:ANY}')` steps.

As a similar example for aws_elb:

```gherkin
Scenario: TLS enforcement on ELB resources
    Given I have AWS ELB resource defined
    When it contains listener
    Then it must contain ssl_certificate_id
```

I also added

"aws_elasticache_replication_group": "at_rest_encryption_enabled"

to terraform-compliance 1.0.0 which will be released soon.

For the CHANGELOG, you can have a peek at https://github.com/eerkunt/terraform-compliance/blob/feature/1.0.0/CHANGELOG.md

@vrbcntrl
Contributor Author

Hi @eerkunt, thanks for your prompt response.

My test case is as follows:

encryption_at_rest.feature

```gherkin
Scenario: AWS Elastic Cache
    Given I have AWS Elastic Cache defined
    Then encryption must be enabled
```

encryption_in_flight.feature

```gherkin
Scenario: AWS Elastic Cache
    Given I have AWS Elastic Cache defined
    Then encryption must be enabled
```

When I run the above 2 scenarios separately, the first one, i.e. the at_rest scenario, works as expected; however, the in_flight scenario always PASSED regardless of the transit_encryption_enabled value (true|false). But if I comment out the at_rest_encryption_enabled property as shown below, the in_flight scenario works as expected.

```python
encryption_property = {
    "aws_elasticache_replication_group": "transit_encryption_enabled",
    #"aws_elasticache_replication_group": "at_rest_encryption_enabled"
}
```

So, I hope this helps to understand the issue.

@eerkunt
Member

eerkunt commented Jun 13, 2019

Hi @vrbcntrl,

That is quite normal, because you are running the same test against the same resource. You need to change one of your tests to cover both in-flight and at-rest encryption tests.

Currently, at_rest_encryption_enabled will be used for

Then encryption must be enabled

scenarios for aws_elasticache_replication_group

@eerkunt eerkunt closed this as completed Jun 20, 2019
@vrbcntrl
Contributor Author

Hi @eerkunt,
I am able to cover both the encryption properties in a single test using the Scenario Outline shown below:

```gherkin
Scenario Outline: AWS Elastic Cache Replication Group
    Given I have aws_elasticache_replication_group defined
    Then it must contain <encryption>

    Examples:
        | encryption                 |
        | at_rest_encryption_enabled |
        | transit_encryption_enabled |
```

Please let me know if there is any other better way... I am trying to avoid the need for creating a new step :)
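
Added example (not part of the original thread and not terraform-compliance code): a Python dict literal keeps only the last value given for a repeated key, so the two-entry `encryption_property` posted above resolves to `at_rest_encryption_enabled` alone, which is why the in-flight scenario never checks the transit setting. The sketch below reports repeated keys in such a mapping before they turn a compliance check into a silent pass; `SAMPLE_SOURCE`, `find_duplicate_keys` and `effective_mapping` are names assumed here, and the sample is constructed from the snippet in the issue.

```python
import ast

# Constructed sample that mirrors the mapping quoted in the issue.
SAMPLE_SOURCE = '''
encryption_property = {
    "aws_elasticache_replication_group": "transit_encryption_enabled",
    "aws_elasticache_replication_group": "at_rest_encryption_enabled",
}
resource_name = {
    "AWS Elastic Cache": "aws_elasticache_replication_group",
}
'''


def _text(node):
    """Readable form of a value node: the constant itself, or its AST dump."""
    return node.value if isinstance(node, ast.Constant) else ast.dump(node)


def find_duplicate_keys(source):
    """Return sorted (line, key, shadowed_value, winning_value) tuples for every
    constant key repeated inside one dict literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Dict):
            continue
        seen = {}
        for key, value in zip(node.keys, node.values):
            if not isinstance(key, ast.Constant):  # None for ** unpacking, or computed
                continue
            if key.value in seen:
                findings.append((key.lineno, key.value, seen[key.value], _text(value)))
            seen[key.value] = _text(value)
    return sorted(findings)


def effective_mapping(source, name):
    """Evaluate the dict literal assigned to `name` as Python does (last key wins)."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Dict):
            if any(isinstance(t, ast.Name) and t.id == name for t in node.targets):
                return ast.literal_eval(node.value)
    raise KeyError(name)


if __name__ == "__main__":
    for line, key, shadowed, winner in find_duplicate_keys(SAMPLE_SOURCE):
        print(f"line {line}: {key!r} repeated; {shadowed!r} is discarded, {winner!r} is used")
    print(effective_mapping(SAMPLE_SOURCE, "encryption_property"))
```

Running a check like this over the mapping file in CI flags the shadowed entry at its line number instead of leaving it to surface as a scenario that always passes.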
