feat: setup tests for examples of checks #297

Merged
merged 2 commits into from
Dec 4, 2024
14 changes: 14 additions & 0 deletions .github/workflows/test-go.yaml
Expand Up @@ -20,3 +20,17 @@ jobs:
- name: Run tests
run: make test
shell: bash

integration:
name: Integration Test
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version: ${{ env.GO_VERSION }}

- name: Run integration tests
run: make test-integration
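Review bot: the `Run integration tests` step omits the `shell: bash` that the existing `Run tests` step sets a few lines above; pick one convention for both `make` invocations. The new job also reads `${{ env.GO_VERSION }}`, so confirm that variable is defined at workflow level (outside this hunk) rather than only on the unit-test job, or the setup-go step will receive an empty version.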

6 changes: 5 additions & 1 deletion Makefile
Expand Up @@ -6,6 +6,10 @@ REGISTRY_PORT=5111
test:
go test -v ./...

.PHONY: integration-test
test-integration:
go test -v -timeout 5m -tags=integration ./integration/...

.PHONY: rego
rego: fmt-rego test-rego
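Review bot: the `.PHONY` declaration names `integration-test` but the target below it is `test-integration`, so the phony marker does not apply and a file or directory named `test-integration` in the repo root would silently shadow the target. Change it to `.PHONY: test-integration`.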

Expand Down Expand Up @@ -33,7 +37,7 @@ outdated-api-updated:
sed -i.bak "s|recommendedVersions :=.*|recommendedVersions := $(OUTDATE_API_DATA)|" $(DYNAMIC_REGO_FOLDER)/outdated_api.rego && rm $(DYNAMIC_REGO_FOLDER)/outdated_api.rego.bak

.PHONY: docs
docs:
docs: fmt-examples
go run ./cmd/avd_generator

.PHONY: docs-test
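Review bot: `docs` now depends on `fmt-examples`, but that target is not visible in this diff; make sure it exists and is declared `.PHONY`, otherwise `make docs` fails with a missing-rule error. Since formatting the examples now runs as a side effect of generating docs, a one-line comment above the `docs` target explaining that dependency would help the next maintainer.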
10 changes: 9 additions & 1 deletion avd_docs/aws/cloudtrail/AVD-AWS-0015/Terraform.md
Expand Up @@ -2,10 +2,18 @@
Use Customer managed key

```hcl
resource "aws_kms_key" "trail" {
enable_key_rotation = true
}
resource "aws_kms_alias" "trail" {
name = "alias/trail"
target_key_id = aws_kms_key.trail.key_id
}

resource "aws_cloudtrail" "good_example" {
is_multi_region_trail = true
enable_log_file_validation = true
kms_key_id = var.kms_id
kms_key_id = aws_kms_alias.trail.arn

event_selector {
read_write_type = "All"
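Review bot: style: there is no blank line between the `aws_kms_key` and `aws_kms_alias` blocks, while the matching CloudWatch example in this PR separates its resources; insert one so the examples read consistently. Passing the alias ARN (`aws_kms_alias.trail.arn`) to `kms_key_id` is accepted by CloudTrail, so the reference itself is fine.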
10 changes: 9 additions & 1 deletion avd_docs/aws/cloudwatch/AVD-AWS-0017/Terraform.md
Expand Up @@ -2,10 +2,18 @@
Enable CMK encryption of CloudWatch Log Groups

```hcl
resource "aws_kms_key" "cloudwatch" {
enable_key_rotation = true
}

resource "aws_kms_alias" "cloudwatch" {
name = "alias/cloudwatch"
target_key_id = aws_kms_key.cloudwatch.key_id
}
resource "aws_cloudwatch_log_group" "good_example" {
name = "good_example"

kms_key_id = aws_kms_key.log_key.arn
kms_key_id = aws_kms_alias.cloudwatch.arn
}
```
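Review bot: style: add a blank line between the `aws_kms_alias` block and the `aws_cloudwatch_log_group` resource, as is done above it. Also consider referencing `aws_kms_key.cloudwatch.arn` rather than the alias ARN for `kms_key_id`: the CloudWatch Logs AssociateKmsKey API documents the key ARN and the provider docs use it, so the key ARN avoids any doubt about alias support in that service.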

9 changes: 8 additions & 1 deletion avd_docs/aws/ec2/AVD-AWS-0027/CloudFormation.md
Expand Up @@ -13,12 +13,19 @@ Resources:
```
```yaml
Resources:
MyKey:
Type: AWS::KMS::Key
Properties:
KeyPolicy:
Version: "2012-10-17"
Id: key-default-1

GoodExample:
DeletionPolicy: Snapshot
Type: AWS::EC2::Volume
Properties:
Encrypted: true
KmsKeyId: MyStack:Key
KmsKeyId: !Ref MyKey
Size: 100
```
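Review bot: the new `MyKey` resource's `KeyPolicy` has only `Version` and `Id` and no `Statement`, so the template is invalid if anyone deploys the example (a key policy must contain at least one statement, typically one granting the account root principal `kms:*`). Add a minimal statement, or mark the policy as abbreviated in a comment. `!Ref MyKey` resolving to the key ID is fine for `KmsKeyId` on a volume.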

3 changes: 3 additions & 0 deletions avd_docs/aws/ec2/AVD-AWS-0101/Terraform.md
Expand Up @@ -3,6 +3,9 @@ Create a non-default vpc for resources to be created in

```hcl
# no aws default vpc present
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
```

#### Remediation Links
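Review bot: the comment `# no aws default vpc present` now sits above a real resource and reads as a leftover; reword it to state the intent, for example `# use a dedicated VPC rather than aws_default_vpc`, so readers see why defining `aws_vpc.main` is what satisfies the check.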
2 changes: 1 addition & 1 deletion avd_docs/aws/ec2/AVD-AWS-0102/CloudFormation.md
Expand Up @@ -16,7 +16,7 @@ Resources:
Rule:
Type: AWS::EC2::NetworkAclEntry
Properties:
NetworkAclId: null
NetworkAclId: !Ref NetworkACL
Protocol: 6
Ref: NetworkACL
RuleAction: allow
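Review bot: the stray `Ref: NetworkACL` line under `Properties` should go along with the `null` it replaced: `Ref` is not a property of `AWS::EC2::NetworkAclEntry`, and the `NetworkAclId: !Ref NetworkACL` line above now carries the reference, so the leftover makes the template invalid.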
3 changes: 3 additions & 0 deletions avd_docs/aws/ec2/AVD-AWS-0105/CloudFormation.md
Expand Up @@ -19,6 +19,9 @@ Resources:
NetworkAclId: !Ref NetworkACL
Protocol: 6
RuleAction: allow
PortRange:
From: 22
To: 22
```
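Review bot: documentation: add a one-line comment above `PortRange` saying the entry is deliberately limited to port 22 and relies on the rule's CIDR (not in this hunk) staying non-public, so readers can see what makes this the good example rather than just a more complete one.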


2 changes: 2 additions & 0 deletions avd_docs/aws/ec2/AVD-AWS-0107/CloudFormation.md
Expand Up @@ -10,6 +10,8 @@ Resources:
SecurityGroupIngress:
- CidrIp: 127.0.0.1/32
IpProtocol: "6"
FromPort: 22
ToPort: 22
```
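Review bot: style: `IpProtocol: "6"` next to `FromPort: 22`/`ToPort: 22` reads like another port; `IpProtocol: tcp` is equally valid for `SecurityGroupIngress` and clearer in documentation. The Terraform example for the same check in this PR already uses `protocol = "tcp"`.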


4 changes: 2 additions & 2 deletions avd_docs/aws/ec2/AVD-AWS-0107/Terraform.md
Expand Up @@ -8,9 +8,9 @@ resource "aws_security_group_rule" "good_example" {
}
```
```hcl
resource "aws_security_group_rule" "allow_partner_rsync" {
resource "aws_security_group_rule" "example" {
type = "ingress"
security_group_id = aws_security_group.….id
security_group_id = "sg-123456"
from_port = 22
to_port = 22
protocol = "tcp"
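Review bot: `security_group_id = "sg-123456"` hardcodes a placeholder where the other examples in this PR reference a resource (the nifcloud example uses `nifcloud_security_group.example.group_name`); define an `aws_security_group` in the snippet and reference its `.id`, so the example is self-contained and can be planned as written.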
2 changes: 1 addition & 1 deletion avd_docs/aws/ecs/AVD-AWS-0036/Terraform.md
Expand Up @@ -8,7 +8,7 @@ resource "aws_ecs_task_definition" "good_example" {
{
"name": "my_service",
"essential": true,
"memory": 256,
"memory": "256",
"environment": [
{ "name": "ENVIRONMENT", "value": "development" }
]
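Review bot: `"memory": "256"` quotes a value that the ECS container definition schema types as an integer, so the documented good example no longer matches what RegisterTaskDefinition accepts. If the string form is what the check's parser needs to read `container_definitions`, that is a parser issue to track rather than something to bake into the example; otherwise revert to `256`.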
8 changes: 4 additions & 4 deletions avd_docs/aws/eks/AVD-AWS-0039/CloudFormation.md
Expand Up @@ -7,10 +7,10 @@ Resources:
Type: AWS::EKS::Cluster
Properties:
EncryptionConfig:
Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
- Provider:
KeyArn: alias/eks-kms
Resources:
- secrets
Name: goodExample
ResourcesVpcConfig:
SecurityGroupIds:
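Review bot: `KeyArn: alias/eks-kms` is a key alias, not an ARN; the property is named `KeyArn` and EKS expects a KMS key ARN here. Reference a key resource with `!GetAtt` on its `Arn`, or use an obviously placeholder ARN, so the example is valid. Converting `EncryptionConfig` to a list is correct, since the property is a list of encryption configs.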
6 changes: 5 additions & 1 deletion avd_docs/aws/eks/AVD-AWS-0039/Terraform.md
Expand Up @@ -2,11 +2,15 @@
Enable encryption of EKS secrets

```hcl
resource "aws_kms_key" "eks" {
enable_key_rotation = true
}

resource "aws_eks_cluster" "good_example" {
encryption_config {
resources = ["secrets"]
provider {
key_arn = var.kms_arn
key_arn = aws_kms_key.eks.arn
}
}

8 changes: 6 additions & 2 deletions avd_docs/aws/iam/AVD-AWS-0141/Terraform.md
Expand Up @@ -2,8 +2,12 @@
Use lower privileged accounts instead, so only required privileges are available.

```hcl
resource "aws_iam_access_key" "good_example" {
user = "lowprivuser"
resource "aws_iam_user" "test" {
name = "lowprivuser"
}

resource "aws_iam_access_key" "test" {
user = aws_iam_user.test.name
}
```
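Review bot: naming: the resources are labelled `test` while the rest of the examples use `good_example` (see the EKS and CloudTrail examples in this PR); keep `good_example` so the label signals which snippet passes the check. The `user = aws_iam_user.test.name` reference is the right fix for the previously free-floating user name.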

8 changes: 0 additions & 8 deletions avd_docs/aws/lambda/AVD-AWS-0066/CloudFormation.md
Expand Up @@ -10,17 +10,9 @@ Resources:
S3Bucket: my-bucket
S3Key: function.zip
Handler: index.handler
Role: arn:aws:iam::123456789012:role/lambda-role
Runtime: nodejs12.x
Timeout: 5
TracingConfig:
Mode: Active
VpcConfig:
SecurityGroupIds:
- sg-085912345678492fb
SubnetIds:
- subnet-071f712345678e7c8
- subnet-07fd123456788a036
```
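Review bot: removing `Role` and `Runtime` leaves the `AWS::Lambda::Function` without two required properties (`Role` is always required, and `Runtime` is required for a zip-based `Code` block like the `S3Bucket`/`S3Key` one kept here), so the example no longer validates as a template. Keep both, replacing the deprecated `nodejs12.x` with a currently supported runtime, and drop only the unrelated `VpcConfig` and `Timeout` if the goal is to trim the snippet to what the tracing check needs.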


6 changes: 5 additions & 1 deletion avd_docs/aws/redshift/AVD-AWS-0085/CloudFormation.md
Expand Up @@ -6,7 +6,11 @@ AWSTemplateFormatVersion: "2010-09-09"

Description: Good example of redshift sgr

Resources: null
myCluster:
Type: AWS::Redshift::Cluster

Properties:
DBName: mydb
```
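Review bot: `Description: Good example of redshift sgr` says this is a security group rule example, but the resource added is an `AWS::Redshift::Cluster` with only `DBName`; either the description or the resource type is wrong for this check, so align them. A real `AWS::Redshift::Cluster` also needs `ClusterType`, `MasterUsername` and `NodeType`, so note that the properties are abbreviated. Drop the blank line between `Type:` and `Properties:`.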


22 changes: 4 additions & 18 deletions avd_docs/aws/s3/AVD-AWS-0089/CloudFormation.md
Expand Up @@ -7,27 +7,13 @@ Resources:
Type: AWS::S3::Bucket
Properties:
LoggingConfiguration:
DestinationBucketName: logging-bucket
DestinationBucketName: !Ref TestLoggingBucket
LogFilePrefix: accesslogs/
```
```yaml
Resources:
GoodExample:

TestLoggingBucket:
Type: AWS::S3::Bucket
Properties:
AccessControl: Private
BucketName: my-s3-bucket-${BucketSuffix}
LoggingConfiguration:
DestinationBucketName:
- EnvironmentMapping
- s3
- logging
LogFilePrefix: s3-logs/AWSLogs/${AWS::AccountId}/my-s3-bucket-${BucketSuffix}
PublicAccessBlockConfiguration:
BlockPublicAcls: true
BlockPublicPolicy: true
IgnorePublicAcls: true
RestrictPublicBuckets: true
AccessControl: LogDeliveryWrite
```
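Review bot: the first snippet's `DestinationBucketName: !Ref TestLoggingBucket` points at a resource that is defined only in the second fenced block, so neither block is a valid template on its own; put both resources under one `Resources:` map. Separately, `AccessControl: LogDeliveryWrite` relies on bucket ACLs, which new buckets disable by default (Object Ownership set to bucket owner enforced), so the current way to let S3 server access logging write is a bucket policy for `logging.s3.amazonaws.com`; consider showing that, or at least adding a comment about the ACL requirement.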


34 changes: 26 additions & 8 deletions avd_docs/aws/s3/AVD-AWS-0089/Terraform.md
Expand Up @@ -2,24 +2,42 @@
Add a logging block to the resource to enable access logging

```hcl
resource "aws_s3_bucket" "good_example" {
resource "aws_s3_bucket" "this" {
bucket = "test-bucket"
logging {
target_bucket = "target-bucket"
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}
}

resource "aws_s3_bucket" "log_bucket" {
bucket = "test-log-bucket"
}

resource "aws_s3_bucket_acl" "log_bucket" {
acl = "log-delivery-write"
bucket = aws_s3_bucket.log_bucket.id
}
```
```hcl
resource "aws_s3_bucket" "example" {
bucket = "yournamehere"

# ... other configuration ...
resource "aws_s3_bucket" "this" {
bucket = "test-bucket"
}

resource "aws_s3_bucket_logging" "example" {
bucket = aws_s3_bucket.example.id
resource "aws_s3_bucket_logging" "this" {
bucket = aws_s3_bucket.this.id
target_bucket = aws_s3_bucket.log_bucket.id
target_prefix = "log/"
}

resource "aws_s3_bucket" "log_bucket" {
bucket = "test-log-bucket"
}

resource "aws_s3_bucket_acl" "log_bucket" {
acl = "log-delivery-write"
bucket = aws_s3_bucket.log_bucket.id
}
```

#### Remediation Links
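Review bot: both snippets grant log delivery with `acl = "log-delivery-write"` via `aws_s3_bucket_acl`, which fails on a bucket created with the current default Object Ownership (bucket owner enforced, ACLs disabled) unless an `aws_s3_bucket_ownership_controls` resource is added first; either include that resource or use a bucket policy for `logging.s3.amazonaws.com`. The first snippet also keeps the deprecated inline `logging` block on `aws_s3_bucket` while the second already shows the `aws_s3_bucket_logging` replacement, and the `log_bucket` definition is duplicated across the two blocks; one combined example built on `aws_s3_bucket_logging` would be shorter and current.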
2 changes: 1 addition & 1 deletion avd_docs/aws/sns/AVD-AWS-0095/CloudFormation.md
Expand Up @@ -4,7 +4,7 @@ Turn on SNS Topic encryption
```yaml
Resources:
GoodTopic:
Type: AWS::SQS::Topic
Type: AWS::SNS::Topic
Properties:
KmsMasterKeyId: some-key
TopicName: blah
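Review bot: `KmsMasterKeyId: some-key` stays an opaque placeholder while the other CloudFormation examples in this PR now reference a key resource (`!Ref MyKey`); using the same pattern here keeps the examples consistent and deployable. The `AWS::SNS::Topic` type correction is right.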
1 change: 1 addition & 0 deletions avd_docs/azure/keyvault/AVD-AZU-0017/Terraform.md
Expand Up @@ -20,6 +20,7 @@ resource "azuread_application" "myapp" {

resource "azuread_application_password" "myapp" {
application_object_id = azuread_application.myapp.object_id
end_date = "2024-12-18T00:00:00Z"
}

resource "azurerm_key_vault_secret" "myapp_pass" {
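Review bot: `end_date = "2024-12-18T00:00:00Z"` is a fixed timestamp two weeks after this PR's merge date, so for anyone reading the example after that the snippet describes an already-expired credential. Use `end_date_relative` (for example `"8760h"`) so the validity window is computed at apply time, and add a comment that a bounded lifetime is the point of the password being stored in Key Vault for rotation.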
7 changes: 6 additions & 1 deletion avd_docs/google/storage/AVD-GCP-0001/Terraform.md
Expand Up @@ -2,8 +2,13 @@
Restrict public access to the bucket.

```hcl
resource "google_storage_bucket" "test" {
name = "test"
location = "US"
}

resource "google_storage_bucket_iam_binding" "binding" {
bucket = google_storage_bucket.default.name
bucket = google_storage_bucket.test.name
role = "roles/storage.admin"
members = [
"user:jane@example.com",
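Review bot: `roles/storage.admin` is a broad role for an example whose remediation text is "Restrict public access to the bucket"; a narrower role such as `roles/storage.objectViewer` would demonstrate least privilege alongside the non-public member list. A short comment that the members list deliberately avoids `allUsers` and `allAuthenticatedUsers` would make the good example self-explanatory.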
10 changes: 5 additions & 5 deletions avd_docs/nifcloud/computing/AVD-NIF-0001/Terraform.md
Expand Up @@ -2,15 +2,15 @@
Set a more restrictive cidr range

```hcl
resource "nifcloud_security_group_rule" "good_example" {
type = "IN"
cidr_ip = "10.0.0.0/16"
resource "nifcloud_security_group_rule" "example" {
group_name = "allowtcp"
availability_zone = "east-11"
}
```
```hcl
resource "nifcloud_security_group_rule" "allow_partner_rsync" {
resource "nifcloud_security_group_rule" "example" {
type = "IN"
security_group_names = [nifcloud_security_group..group_name]
security_group_names = [nifcloud_security_group.example.group_name]
from_port = 22
to_port = 22
protocol = "TCP"
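Review bot: the first snippet lost its `type = "IN"` and `cidr_ip = "10.0.0.0/16"` lines, so it no longer shows a CIDR at all even though the remediation text above it is "Set a more restrictive cidr range"; restore a restrictive `cidr_ip` (or fold the port-22 second snippet into the first block) so the good example actually illustrates the remediation. Both blocks are also now labelled `example`, which reads as a duplicate resource address if a reader pastes them into one file.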
2 changes: 1 addition & 1 deletion checks/cloud/aws/apigateway/no_public_access.rego
Expand Up @@ -37,7 +37,7 @@ deny contains res if {
isManaged(api)
some method in api.resources[_].methods
method_is_not_option(method)
apikey_is_not_required(api)
apikey_is_not_required(method)
method.authorizationtype.value == authorization_none
res := result.new("Authorization is not enabled for this method.", method.authorizationtype)
}
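Review bot: add a regression test pinning the `apikey_is_not_required(method)` fix: the call now matches the per-method iteration two lines above, but the previous `api` argument meant the condition was evaluated against the wrong object, so a test with one method that requires an API key and one that does not is needed to show the rule now skips the former and still flags the latter.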