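use strict;
use warnings;
# -*- coding: utf-8 -*-

=head1 DESCRIPTION

Tests for encryption configuration in terraform templates

Every test method obtains a validator via C<< $self->v >>, configures it and
then asserts on one resource type. Two private helpers below capture the two
configurations the tests use: C<_strict_v> (fail when an inspected property is
absent) and C<_lenient_v> (tolerate absent properties, for optional blocks).

=cut

# use os;
# use unittest;
# use terraform_validate;

package TestEncryption {
    #our @ISA = qw(PSEUDO_PYTHON);

    # Set this before running the Test Case.
    # TERRAFORM_LOCATION() is an lvalue accessor for the same package variable.
    our $TERRAFORM_LOCATION = '';
    sub TERRAFORM_LOCATION :lvalue { $TERRAFORM_LOCATION }

    # Expected-value stand-ins for the booleans the validator compares
    # against; they are plain strings, presumably matching how the validator
    # renders a boolean property — confirm against terraform_validate.
    sub True  () { "True" }
    sub False () { "False" }

    # Renders its arguments as a bracketed, space-separated string.
    sub dir { return "[@_]" }

    # NOTE(review): looks like a stand-in for the Python unittest.TestCase
    # base class; it ignores the class argument and does not bless into
    # TestEncryption — confirm how the harness constructs test objects.
    sub new { return unittest->TestCase }

    # Returns the validator configured to fail when an inspected property is
    # missing, with variable expansion enabled.
    # Assumes $self->v hands back the same validator on every call (the
    # original per-test chains already relied on this) — confirm if in doubt.
    sub _strict_v {
        my ($self) = @_;
        $self->v->error_if_property_missing();
        $self->v->enable_variable_expansion();
        return $self->v;
    }

    # Returns the validator with variable expansion enabled but absent
    # properties tolerated; used for blocks that are optional in a template.
    sub _lenient_v {
        my ($self) = @_;
        $self->v->enable_variable_expansion();
        return $self->v;
    }

    # Asserts that no aws_elb listener uses $port as its lb_port.
    # Lenient because an aws_elb may legitimately carry no listener block.
    sub _elb_lb_port_should_not_be {
        my ($self, $port) = @_;
        $self->_lenient_v
            ->resources('aws_elb')
            ->property('listener')
            ->property('lb_port')
            ->should_not_equal($port);
        return;
    }

    sub test_aws_alb_listener_port {
        my ($self) = @_;
        # Assert that listener port is 443.
        # Note: this rejects every non-443 listener, including a plain :80
        # listener that only redirects to HTTPS.
        $self->_strict_v
            ->resources('aws_alb_listener')
            ->property('port')
            ->should_equal('443');
        return;
    }

    sub test_aws_alb_listener_protocol {
        my ($self) = @_;
        # Assert that protocol is not http (two spellings; should_not_equal is
        # presumably an exact match, so other casings are not caught).
        my $v = $self->_strict_v;
        for my $spelling (qw(http HTTP)) {
            $v->resources('aws_alb_listener')
              ->property('protocol')
              ->should_not_equal($spelling);
        }
        return;
    }

    sub test_aws_alb_listener_ssl_policy {
        my ($self) = @_;
        # Assert that old ssl policies are not used: both named policies still
        # permit TLS 1.0. This is a deny-list of two names, so any other
        # policy is accepted; an allow-list of current policies would be
        # stricter.
        my $v = $self->_strict_v;
        for my $old_policy (qw(ELBSecurityPolicy-2015-05 ELBSecurityPolicy-TLS-1-0-2015-04)) {
            $v->resources('aws_alb_listener')
              ->property('ssl_policy')
              ->should_not_equal($old_policy);
        }
        return;
    }

    sub test_aws_alb_listener_certificate {
        my ($self) = @_;
        # Assert that certificate_arn is set
        $self->_strict_v
            ->resources('aws_alb_listener')
            ->should_have_properties(['certificate_arn']);
        return;
    }

    sub test_aws_ami_ebs_block_device_encryption {
        my ($self) = @_;
        # Assert ami 'ebs_block_device' blocks are encrypted
        $self->_strict_v
            ->resources('aws_ami')
            ->property('ebs_block_device')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_ami_ebs_block_device_kms {
        my ($self) = @_;
        # Assert ami 'ebs_block_device' blocks have a KMS key
        $self->_strict_v
            ->resources('aws_ami')
            ->property('ebs_block_device')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_ami_copy_encryption {
        my ($self) = @_;
        # Assert resources are encrypted
        $self->_strict_v
            ->resources('aws_ami_copy')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_ami_copy_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_ami_copy')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_api_gateway_domain_name_certificate {
        my ($self) = @_;
        # Assert that certificate settings have been configured
        $self->_strict_v
            ->resources('aws_api_gateway_domain_name')
            ->should_have_properties([
                'certificate_name',
                'certificate_body',
                'certificate_chain',
                'certificate_private_key',
            ]);
        return;
    }

    sub test_aws_instance_ebs_block_device_encrypted {
        my ($self) = @_;
        # Assert ec2 instance 'ebs_block_device' is encrypted
        $self->_strict_v
            ->resources('aws_instance')
            ->property('ebs_block_device')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_cloudfront_distribution_origin_protocol_policy {
        my ($self) = @_;
        # Assert that origin receives https only traffic
        $self->_strict_v
            ->resources('aws_cloudfront_distribution')
            ->property('origin')
            ->property('custom_origin_config')
            ->property('origin_protocol_policy')
            ->should_equal('https-only');
        return;
    }

    sub test_aws_cloudfront_distribution_def_cache_viewer_prot_policy {
        my ($self) = @_;
        # Assert that the default cache behaviour doesn't allow all protocols
        $self->_strict_v
            ->resources('aws_cloudfront_distribution')
            ->property('default_cache_behavior')
            ->property('viewer_protocol_policy')
            ->should_not_equal('allow-all');
        return;
    }

    sub test_aws_cloudfront_distribution_cache_beh_viewer_proto_policy {
        my ($self) = @_;
        # Assert that additional cache behaviours don't allow all protocols.
        # Lenient: a distribution need not declare any cache_behavior block.
        $self->_lenient_v
            ->resources('aws_cloudfront_distribution')
            ->property('cache_behavior')
            ->property('viewer_protocol_policy')
            ->should_not_equal('allow-all');
        return;
    }

    sub test_aws_cloudtrail_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_cloudtrail')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_codebuild_project_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_codebuild_project')
            ->should_have_properties(['encryption_key']);
        return;
    }

    sub test_aws_codepipeline_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_codepipeline')
            ->should_have_properties(['encryption_key']);
        return;
    }

    sub test_aws_db_instance_encrypted {
        my ($self) = @_;
        # Assert that DB is encrypted
        $self->_strict_v
            ->resources('aws_db_instance')
            ->property('storage_encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_db_instance_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_db_instance')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_dms_endpoint_ssl_mode {
        my ($self) = @_;
        # Assert that SSL is verified (server certificate and hostname)
        $self->_strict_v
            ->resources('aws_dms_endpoint')
            ->property('ssl_mode')
            ->should_equal('verify-full');
        return;
    }

    sub test_aws_dms_endpoint_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_dms_endpoint')
            ->should_have_properties(['kms_key_arn']);
        return;
    }

    sub test_aws_dms_endpoint_certificate {
        my ($self) = @_;
        # Assert that SSL cert has been provided
        $self->_strict_v
            ->resources('aws_dms_endpoint')
            ->should_have_properties(['certificate_arn']);
        return;
    }

    sub test_aws_dms_replication_instance_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_dms_replication_instance')
            ->should_have_properties(['kms_key_arn']);
        return;
    }

    sub test_aws_ebs_volume_encryption {
        my ($self) = @_;
        # Assert that all resources of type 'aws_ebs_volume' are encrypted
        $self->_strict_v
            ->resources('aws_ebs_volume')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_ebs_volume_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_ebs_volume')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_efs_file_system_encryption {
        my ($self) = @_;
        # Assert that all resources of type 'aws_efs_file_system' are encrypted
        $self->_strict_v
            ->resources('aws_efs_file_system')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_efs_file_system_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_efs_file_system')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_elastictranscoder_pipeline_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_elastictranscoder_pipeline')
            ->should_have_properties(['aws_kms_key_arn']);
        return;
    }

    sub test_aws_elb_listener_port_80 {
        my ($self) = @_;
        # Assert ELB listener port is not 80 (http)
        $self->_elb_lb_port_should_not_be(80);
        return;
    }

    sub test_aws_elb_listener_port_21 {
        my ($self) = @_;
        # Assert ELB listener port is not 21 (ftp)
        $self->_elb_lb_port_should_not_be(21);
        return;
    }

    sub test_aws_elb_listener_port_23 {
        my ($self) = @_;
        # Assert ELB listener port is not 23 (telnet)
        $self->_elb_lb_port_should_not_be(23);
        return;
    }

    sub test_aws_elb_listener_port_5900 {
        my ($self) = @_;
        # Assert ELB listener port is not 5900 (VNC)
        $self->_elb_lb_port_should_not_be(5900);
        return;
    }

    sub test_aws_kinesis_firehose_delivery_stream_s3_kms {
        my ($self) = @_;
        # Assert the S3 destination has a KMS key.
        # Lenient: a stream declares either s3_configuration or
        # extended_s3_configuration, not both.
        $self->_lenient_v
            ->resources('aws_kinesis_firehose_delivery_stream')
            ->property('s3_configuration')
            ->should_have_properties(['kms_key_arn']);
        return;
    }

    sub test_aws_kinesis_firehose_delivery_stream_extended_s3_kms {
        my ($self) = @_;
        # Assert the extended S3 destination has a KMS key.
        # Lenient for the same reason as the s3_configuration test above.
        $self->_lenient_v
            ->resources('aws_kinesis_firehose_delivery_stream')
            ->property('extended_s3_configuration')
            ->should_have_properties(['kms_key_arn']);
        return;
    }

    sub test_aws_lambda_function_kms {
        my ($self) = @_;
        # Assert that a KMS key has been provided
        $self->_strict_v
            ->resources('aws_lambda_function')
            ->should_have_properties(['kms_key_arn']);
        return;
    }

    sub test_aws_opsworks_application_encryption {
        my ($self) = @_;
        # Assert resource has SSL enabled
        $self->_strict_v
            ->resources('aws_opsworks_application')
            ->property('enable_ssl')
            ->should_equal(True);
        return;
    }

    sub test_aws_rds_cluster_encryption {
        my ($self) = @_;
        # Assert resource is encrypted
        $self->_strict_v
            ->resources('aws_rds_cluster')
            ->property('storage_encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_rds_cluster_kms {
        my ($self) = @_;
        # Assert resource has a KMS with CMKs
        $self->_strict_v
            ->resources('aws_rds_cluster')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_redshift_cluster_encryption {
        my ($self) = @_;
        # Assert resource is encrypted
        $self->_strict_v
            ->resources('aws_redshift_cluster')
            ->property('encrypted')
            ->should_equal(True);
        return;
    }

    sub test_aws_redshift_cluster_kms {
        my ($self) = @_;
        # Assert resource has a KMS with CMKs
        $self->_strict_v
            ->resources('aws_redshift_cluster')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_s3_bucket_object_encryption {
        my ($self) = @_;
        # Assert resource is encrypted with KMS
        $self->_strict_v
            ->resources('aws_s3_bucket_object')
            ->property('server_side_encryption')
            ->should_equal('aws:kms');
        return;
    }

    sub test_aws_s3_bucket_object_kms {
        my ($self) = @_;
        # Assert resource has a KMS with CMKs
        $self->_strict_v
            ->resources('aws_s3_bucket_object')
            ->should_have_properties(['kms_key_id']);
        return;
    }

    sub test_aws_sqs_queue_kms {
        my ($self) = @_;
        # Assert resource has a KMS with CMK
        $self->_strict_v
            ->resources('aws_sqs_queue')
            ->should_have_properties([
                'kms_master_key_id',
                'kms_data_key_reuse_period_seconds',
            ]);
        return;
    }

    sub test_aws_ssm_parameter_encryption {
        my ($self) = @_;
        # Assert resource is encrypted with KMS (SecureString parameters are)
        $self->_strict_v
            ->resources('aws_ssm_parameter')
            ->property('type')
            ->should_equal('SecureString');
        return;
    }

    sub test_aws_ssm_parameter_kms {
        my ($self) = @_;
        # Assert resource has a KMS with CMK
        my $v = $self->_strict_v;
        $v->resources('aws_ssm_parameter')->should_have_properties(['key_id']);
        # NOTE(review): the original repeated the same assertion and returned
        # it through dir(); kept so the return value is unchanged, but it
        # looks like leftover residue — confirm nothing reads it and drop it.
        return dir(
            $v->resources('aws_ssm_parameter')->should_have_properties(['key_id'])
        );
    }
}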