skip: added test for acm-*
anna-shcherbak committed May 10, 2024
1 parent ebd2c68 commit 328df3e
Showing 16 changed files with 241 additions and 38 deletions.
76 changes: 38 additions & 38 deletions .github/workflows/tf_testing.yml
Expand Up @@ -22,47 +22,47 @@ env:
CORE_TESTING_FOLDER: ${{ github.workspace }}
OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
resource_priority_list: 'account'
resource_priority_list: 'acm'
RED: '\033[0;31m'

jobs:
# terraform_test_policy_green_flights:
# permissions:
# contents: 'read'
# id-token: 'write'
# runs-on: ubuntu-22.04
# steps:
# - name: Git clone the repository
# uses: actions/checkout@v4
# - name: configure aws credentials
# uses: aws-actions/configure-aws-credentials@v4
# with:
# role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
# role-session-name: ECC-AWS-RULEPACK_CI-GREEN
# aws-region: ${{ vars.AWS_REGION }}
# - name: Install dependencies
# shell: bash
# working-directory: auto_policy_testing/scripts
# run: |
# pip install -r requirements.txt
# - name: terraform_test_policy_green_flights
# shell: bash
# working-directory: auto_policy_testing/scripts
# run: |
# python main.py \
# --cloud AWS \
# --infra_color green \
# -l $resource_priority_list \
# --base_dir $GITHUB_WORKSPACE \
# --output_dir $OUTPUT_DIR \
# --sa "github_ci_readonly_ecc-aws-rulepack"
# echo -e "${RED}Failed policies:"
# cat $OUTPUT_DIR/.failed
# echo -e "${RED}Failed terraforms:"
# cat $OUTPUT_DIR/.tf_failed
# test -s $OUTPUT_DIR/.failed && exit 1
# test -s $OUTPUT_DIR/.tf_failed && exit 1
# exit 0
terraform_test_policy_green_flights:
permissions:
contents: 'read'
id-token: 'write'
runs-on: ubuntu-22.04
steps:
- name: Git clone the repository
uses: actions/checkout@v4
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
role-session-name: ECC-AWS-RULEPACK_CI-GREEN
aws-region: ${{ vars.AWS_REGION }}
- name: Install dependencies
shell: bash
working-directory: auto_policy_testing/scripts
run: |
pip install -r requirements.txt
- name: terraform_test_policy_green_flights
shell: bash
working-directory: auto_policy_testing/scripts
run: |
python main.py \
--cloud AWS \
--infra_color green \
-l $resource_priority_list \
--base_dir $GITHUB_WORKSPACE \
--output_dir $OUTPUT_DIR \
--sa "github_ci_readonly_ecc-aws-rulepack"
echo -e "${RED}Failed policies:"
cat $OUTPUT_DIR/.failed
echo -e "${RED}Failed terraforms:"
cat $OUTPUT_DIR/.tf_failed
test -s $OUTPUT_DIR/.failed && exit 1
test -s $OUTPUT_DIR/.tf_failed && exit 1
exit 0
terraform_test_policy_red_flights:
permissions:
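Review bot: The re-enabled `terraform_test_policy_green_flights` job references `actions/checkout@v4` and `aws-actions/configure-aws-credentials@v4` by mutable major-version tags and runs `pip install -r requirements.txt` with no hash pinning, so the step that assumes `secrets.CI_ASSUME_ROLE` via `id-token: 'write'` executes whatever those tags and packages resolve to on the day of the run. Pinning both actions to a full commit SHA (tag kept in a trailing comment) and using `pip install --require-hashes -r requirements.txt` would narrow that exposure; the same applies to `terraform_test_policy_red_flights`, whose body starts at the bottom of the hunk and continues outside it. Separately, an explicit `shell: bash` makes GitHub run the script with `-eo pipefail`, so `cat $OUTPUT_DIR/.failed` aborts the step with an unrelated error if main.py did not create the file; guarding the reads, e.g. `test -s $OUTPUT_DIR/.failed && { cat $OUTPUT_DIR/.failed; exit 1; }`, keeps the intended pass/fail semantics and drops the redundant trailing `exit 0`.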
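--- a/auto_policy_testing/green/acm/acm.tf
+++ b/auto_policy_testing/green/acm/acm.tf
@@ -0,0 +1,38 @@
+resource "tls_private_key" "this" {
+algorithm = "RSA"
+rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "this" {
+private_key_pem = tls_private_key.this.private_key_pem
+
+subject {
+common_name = "${module.naming.resource_prefix.acm}1.com"
+organization = "ACME Examples, Inc"
+}
+
+validity_period_hours = 800
+
+allowed_uses = [
+"key_encipherment",
+"digital_signature",
+"server_auth",
+]
+}
+
+resource "aws_acm_certificate" "this1" {
+private_key = tls_private_key.this.private_key_pem
+certificate_body = tls_self_signed_cert.this.cert_pem
+}
+
+resource "aws_acm_certificate" "this2" {
+domain_name = "${module.naming.resource_prefix.acm}2.com"
+validation_method = "DNS"
+
+options {
+certificate_transparency_logging_preference = "ENABLED"
+}
+lifecycle {
+create_before_destroy = true
+}
+}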
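Review bot: `tls_private_key.this` writes the generated RSA private key in plaintext into the Terraform state, and the state for these fixtures is file-based (main.tf in this commit reads `../common_resources/terraform.tfstate` through a `local` backend), so those state files must be treated as secret material and kept out of the repository and CI artifacts. A header comment such as `# NOTE: tls_private_key stores the private key in plaintext in terraform.tfstate` on this file would make that visible to maintainers. `aws_acm_certificate.this2` requests DNS validation, but nothing in the fixture creates the validation records or an `aws_acm_certificate_validation` resource, so it presumably stays in PENDING_VALIDATION; if the rule exported as `ecc-aws-528-acm_certificate_transparency_logging_enabled` only evaluates issued certificates, the green case is not actually exercised — worth confirming against the policy and either adding validation or documenting that a pending certificate is intended.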
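--- a/auto_policy_testing/green/acm/elb.tf
+++ b/auto_policy_testing/green/acm/elb.tf
@@ -0,0 +1,29 @@
+resource "aws_lb" "this" {
+name = module.naming.resource_prefix.lb
+internal = true
+load_balancer_type = "application"
+subnets = [
+data.terraform_remote_state.common.outputs.vpc_subnet_1_id,
+data.terraform_remote_state.common.outputs.vpc_subnet_3_id
+]
+}
+
+resource "aws_lb_target_group" "this" {
+name = module.naming.resource_prefix.lb
+port = 80
+protocol = "HTTP"
+vpc_id = data.terraform_remote_state.common.outputs.vpc_id
+}
+
+resource "aws_lb_listener" "this" {
+load_balancer_arn = aws_lb.this.arn
+port = "443"
+protocol = "HTTPS"
+ssl_policy = "ELBSecurityPolicy-2016-08"
+certificate_arn = aws_acm_certificate.this1.arn
+
+default_action {
+type = "forward"
+target_group_arn = aws_lb_target_group.this.arn
+}
+}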
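Review bot: `ssl_policy = "ELBSecurityPolicy-2016-08"` on the HTTPS listener is the legacy default policy, which still negotiates TLS 1.0 and 1.1, so this "green" fixture models a listener that TLS-hardening rules would normally flag. Unless the pack deliberately ignores listener policy, a current policy such as `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` keeps the fixture compliant and avoids a spurious failure the day an ELB rule is added to `resource_priority_list`. The listener also terminates TLS with the self-signed `aws_acm_certificate.this1`; a one-line comment stating that the certificate and the empty target group exist only to give the ACM rules something to evaluate would stop a reader from treating this as a deployable pattern.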
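--- a/auto_policy_testing/green/acm/main.tf
+++ b/auto_policy_testing/green/acm/main.tf
@@ -0,0 +1,13 @@
+module "naming" {
+source = "../../shared_tf_modules/naming"
+resource_type = basename(abspath(path.module))
+status = title(basename(dirname(abspath(path.module))))
+}
+
+data "terraform_remote_state" "common" {
+backend = "local"
+
+config = {
+path = "../common_resources/terraform.tfstate"
+}
+}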
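--- a/auto_policy_testing/green/acm/outputs.tf
+++ b/auto_policy_testing/green/acm/outputs.tf
@@ -0,0 +1,6 @@
+output "acm" {
+value = {
+acm-certificate = aws_acm_certificate.this1.arn
+ecc-aws-528-acm_certificate_transparency_logging_enabled = aws_acm_certificate.this2.arn
+}
+}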
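--- a/auto_policy_testing/green/acm/provider.tf
+++ b/auto_policy_testing/green/acm/provider.tf
@@ -0,0 +1,16 @@
+terraform {
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 5"
+}
+}
+}
+
+provider "aws" {
+region = var.region
+default_tags {
+tags = module.naming.default_tags
+}
+}
+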
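Review bot: `required_providers` declares only `hashicorp/aws`, while acm.tf in the same directory uses `tls_private_key` and `tls_self_signed_cert`, so the `hashicorp/tls` provider is resolved implicitly with no version constraint and no entry in the lock file's intent. Adding `tls = { source = "hashicorp/tls", version = "~> 4" }` next to the `aws` entry pins it like the rest of the toolchain. The same gap exists in auto_policy_testing/red/acm/provider.tf, which additionally relies on the `external` and `null` providers without declaring them and defines an `aws` provider alias `provider2` that none of the files added in this commit reference.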
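--- a/auto_policy_testing/green/acm/veriables.tf
+++ b/auto_policy_testing/green/acm/veriables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+type = string
+description = "Region where resources will be created"
+default = "us-east-1"
+}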
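Review bot: The file name `veriables.tf` is misspelled; Terraform loads every `.tf` file regardless, but `variables.tf` is the conventional name that readers and tooling look for. The same misspelling is introduced for auto_policy_testing/red/acm/veriables.tf in this commit.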
4 changes: 4 additions & 0 deletions auto_policy_testing/green/common_resources/outputs.tf
Expand Up @@ -14,6 +14,10 @@ output "vpc_subnet_2_id" {
value = aws_subnet.subnet2.id
}

output "vpc_subnet_3_id" {
value = aws_subnet.subnet3.id
}

output "kms_key_arn" {
value = aws_kms_key.this.arn
}
6 changes: 6 additions & 0 deletions auto_policy_testing/green/common_resources/vpc.tf
Expand Up @@ -15,4 +15,10 @@ resource "aws_subnet" "subnet2" {
vpc_id = aws_vpc.this.id
cidr_block = "10.0.2.0/24"
availability_zone = data.aws_availability_zones.this.names[0]
}

resource "aws_subnet" "subnet3" {
vpc_id = aws_vpc.this.id
cidr_block = "10.0.3.0/24"
availability_zone = data.aws_availability_zones.this.names[1]
}
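--- a/auto_policy_testing/red/acm/acm.tf
+++ b/auto_policy_testing/red/acm/acm.tf
@@ -0,0 +1,38 @@
+resource "tls_private_key" "this" {
+algorithm = "RSA"
+rsa_bits = 1024
+}
+
+resource "tls_self_signed_cert" "this" {
+private_key_pem = tls_private_key.this.private_key_pem
+
+subject {
+common_name = "*.${module.naming.resource_prefix.acm}.com"
+}
+
+allowed_uses = [
+"key_encipherment",
+"digital_signature",
+"server_auth",
+]
+validity_period_hours = 12
+}
+
+resource "aws_acm_certificate" "this" {
+private_key = tls_private_key.this.private_key_pem
+certificate_body = tls_self_signed_cert.this.cert_pem
+}
+
+data "external" "this" {
+program = ["bash", "-c", "aws acm request-certificate --domain-name ${module.naming.resource_prefix.acm}.c1 --validation-method DNS | jq -r -c '{arn: .CertificateArn}'"]
+}
+
+resource "null_resource" "this" {
+triggers = {
+cert_arn = data.external.this.result["arn"]
+}
+provisioner "local-exec" {
+when = destroy
+command = "aws acm delete-certificate --certificate-arn ${self.triggers.cert_arn}"
+}
+}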
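Review bot: `data "external" "this"` issues `aws acm request-certificate` as a data source, and data sources are re-evaluated on every plan and refresh rather than only on apply, so each `terraform plan` (and the refresh that precedes `terraform destroy`) requests a fresh certificate while the destroy-time provisioner on `null_resource.this` deletes only the single ARN captured in its trigger at apply time; the rest accumulate in the account. Moving the request into a create-time `local-exec` on `null_resource.this` keyed by a stable trigger would bound that; at minimum a comment `# NOTE: re-runs on every plan/refresh and leaves extra certificates behind` should flag the leak for whoever runs the fixtures outside CI. The interpolated prefix comes from the local naming module, so the `bash -c` string carries no untrusted input, but it does assume `aws` and `jq` on PATH and the `external`/`null` providers, none of which provider.tf declares. The 1024-bit key, wildcard common name, 12-hour validity and the `.c1` domain read as deliberate non-compliant fixtures for rules 109 and 393 — a short header comment stating that intent would stop a future reader from "fixing" them.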
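--- a/auto_policy_testing/red/acm/main.tf
+++ b/auto_policy_testing/red/acm/main.tf
@@ -0,0 +1,13 @@
+module "naming" {
+source = "../../shared_tf_modules/naming"
+resource_type = basename(abspath(path.module))
+status = title(basename(dirname(abspath(path.module))))
+}
+
+data "terraform_remote_state" "common" {
+backend = "local"
+
+config = {
+path = "../common_resources/terraform.tfstate"
+}
+}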
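--- a/auto_policy_testing/red/acm/outputs.tf
+++ b/auto_policy_testing/red/acm/outputs.tf
@@ -0,0 +1,7 @@
+output "acm" {
+value = {
+acm-certificate = aws_acm_certificate.this.arn
+ecc-aws-109-invalid_or_failed_certificates_are_removed_from_acm = data.external.this.result["arn"]
+ecc-aws-393-acm_without_tag_information = data.external.this.result["arn"]
+}
+}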
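--- a/auto_policy_testing/red/acm/provider.tf
+++ b/auto_policy_testing/red/acm/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "~> 5"
+}
+}
+}
+
+provider "aws" {
+region = var.region
+default_tags {
+tags = module.naming.default_tags
+}
+}
+
+provider "aws" {
+region = var.region
+alias = "provider2"
+}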
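--- a/auto_policy_testing/red/acm/veriables.tf
+++ b/auto_policy_testing/red/acm/veriables.tf
@@ -0,0 +1,5 @@
+variable "region" {
+type = string
+description = "Region where resources will be created"
+default = "us-east-1"
+}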
1 change: 1 addition & 0 deletions auto_policy_testing/scripts/exception_rules.py
Expand Up @@ -20,6 +20,7 @@
"ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account",
"ecc-aws-046-ensure_no_root_account_access_key_exists",
"ecc-aws-059-config_enabled_all_regions",
"ecc-aws-115-expired_certificates_are_removed_from_acm",
"ecc-aws-128-expired_route53_domain_names",
"ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks",
"ecc-aws-145-organizations_changes_alarm_exists",
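Review bot: The new entry `"ecc-aws-115-expired_certificates_are_removed_from_acm"` goes into what appears to be an exclusion list (the enclosing collection starts and ends outside the hunk) with nothing recording why this rule is skipped; the 12-hour fixture certificate in red/acm/acm.tf presumably cannot be expired on demand in CI, but that is a guess. A trailing comment on the line, e.g. `# cannot be reproduced deterministically by the red/acm fixture`, or a short module-level note on what qualifies a rule for this list, would keep each exception auditable rather than silently widening the set of rules the pipeline never checks.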
2 changes: 2 additions & 0 deletions auto_policy_testing/shared_tf_modules/naming/outputs.tf
@@ -1,5 +1,6 @@
output "resource_prefix" {
value = {
acm = "${local.suffix}.${local.compliance_status}"
elasticsearch = "${local.suffix}-elasticsearch-${local.compliance_status}"
glue_security_configuration = "${local.suffix}_${var.resource_type}_glue_security_configuration_${local.compliance_status}"
glue_job = "${local.suffix}_${var.resource_type}_glue_job_${local.compliance_status}"
Expand All @@ -10,6 +11,7 @@ output "resource_prefix" {
event_bus = "${local.suffix}_${var.resource_type}_event_bus_${local.compliance_status}"
firehose = "${local.suffix}_${var.resource_type}_firehose_${local.compliance_status}"
efs = "${local.suffix}_${var.resource_type}_efs_${local.compliance_status}"
lb = "${local.suffix}-${var.resource_type}-lb-${local.compliance_status}"
dlm_policy = "${local.suffix}_${var.resource_type}_dlm_policy_${local.compliance_status}"
beanstalk = "${local.suffix}_${var.resource_type}_beanstalk_${local.compliance_status}"
beanstalk_env = "${local.suffix}-beanstalk-env-${local.compliance_status}"
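Review bot: `acm = "${local.suffix}.${local.compliance_status}"` is consumed as part of a DNS name in both acm fixtures (`"${...}1.com"`, `"*.${...}.com"`), but unlike its siblings it omits `var.resource_type`, and if `local.suffix` (defined outside the hunk) contains underscores the resulting common name is not a valid hostname. A comment stating that `local.suffix` must be DNS-safe, or wrapping it as `replace(local.suffix, "_", "-")`, would make the constraint explicit. In the second hunk, `lb = "${local.suffix}-${var.resource_type}-lb-${local.compliance_status}"` is used as an `aws_lb` name, which AWS limits to 32 characters of alphanumerics and hyphens; worth checking the composed length for the longest `local.suffix` in use.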
