- Ignore rule length style rule for test files
1 parent
5491fd1
commit e9b3cce
Showing
19 changed files
with
639 additions
and
0 deletions.
@@ -0,0 +1,57 @@ | ||
package spacelift | ||
|
||
# Test case for blast radius below threshold for tracked run. | ||
test_check_blast_radius_below_threshold_tracked_run { | ||
inp := { | ||
"spacelift": {"run": {"type": "TRACKED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_s3_bucket.my_bucket", | ||
"type": "aws_s3_bucket", | ||
"change": {"actions": ["delete"]}, | ||
}]}, | ||
} | ||
count(deny) == 0 with input as inp | ||
count(warn) == 0 with input as inp | ||
} | ||
|
||
# Test case for blast radius below threshold for proposed run. | ||
test_check_blast_radius_below_threshold_proposed_run { | ||
inp := { | ||
"spacelift": {"run": {"type": "PROPOSED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_s3_bucket.my_bucket", | ||
"type": "aws_s3_bucket", | ||
"change": {"actions": ["delete"]}, | ||
}]}, | ||
} | ||
count(deny) == 0 with input as inp | ||
count(warn) == 0 with input as inp | ||
} | ||
|
||
# Test case for blast radius threshold exceeded for tracked run. | ||
test_check_blast_radius_threshold_exceeded_tracked_run { | ||
inp := { | ||
"spacelift": {"run": {"type": "TRACKED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_ecs_cluster.one", | ||
"type": "aws_ecs_cluster", | ||
"change": {"actions": ["delete"]}, | ||
}]}, | ||
} | ||
warn["change blast radius too high (200/100)"] with input as inp | ||
count(deny) == 0 with input as inp | ||
} | ||
|
||
# Test case for blast radius threshold exceeded for proposed run. | ||
test_check_blast_radius_threshold_exceeded_proposed_run { | ||
inp := { | ||
"spacelift": {"run": {"type": "PROPOSED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_ecs_cluster.one", | ||
"type": "aws_ecs_cluster", | ||
"change": {"actions": ["delete"]}, | ||
}]}, | ||
} | ||
deny["change blast radius too high (200/100)"] with input as inp | ||
count(warn) == 0 with input as inp | ||
} |
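Review bot: The two `threshold_exceeded` tests pin an asymmetry that deserves a comment: the same 200-point delete only warns on a TRACKED run but is denied on a PROPOSED run, so the path that actually applies the change is the softer one. If that is deliberate (a warning on a tracked run presumably forces manual approval rather than blocking it), say so in the file, e.g. `# Tracked runs warn (and so require approval) rather than deny, so an emergency change can still be pushed through by a human.` — otherwise a reader will assume the two cases were swapped. The exceeded cases also only check that the one message exists; asserting `count(warn) == 1` / `count(deny) == 1` would catch a policy that emits duplicate or extra messages for the same resource.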
@@ -0,0 +1,21 @@ | ||
package spacelift | ||
|
||
# Test for failed checkov checks. | ||
test_checkov_less_than_10_failed_checks { | ||
inp := {"third_party_metadata": {"custom": {"checkov": {"results": {"failed_checks": [ | ||
{"check_id": "CKV_AWS_1"}, | ||
{"check_id": "CKV_AWS_2"}, | ||
{"check_id": "CKV_AWS_3"}, | ||
{"check_id": "CKV_AWS_4"}, | ||
{"check_id": "CKV_AWS_5"}, | ||
{"check_id": "CKV_AWS_6"}, | ||
{"check_id": "CKV_AWS_7"}, | ||
{"check_id": "CKV_AWS_8"}, | ||
{"check_id": "CKV_AWS_9"}, | ||
]}}}}} | ||
warn["You have a couple of failed checks: 9"] with input as inp | ||
} | ||
|
||
test_checkov_no_failed_checks { | ||
count(warn) == 0 with input as {} | ||
} |
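Review bot: `test_checkov_no_failed_checks` passes `{}` as input, so it pins that a plan with no checkov metadata at all (scanner not run, output lost) produces no warning; that is fail-open behaviour and should be stated in the test comment, e.g. `# Missing checkov metadata counts as zero failures (fail-open) so runs without the integration are not blocked.`, or complemented by a test with an empty `failed_checks` list so absent data and clean data are pinned separately. The name `test_checkov_less_than_10_failed_checks` implies a threshold at 10, but no test exercises 10 or more failed checks, so the boundary and whether it denies rather than warns are unpinned; a fixture with ten entries would close that gap.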
@@ -0,0 +1,29 @@ | ||
package spacelift | ||
|
||
# Test case warning for a tracked run. | ||
test_warn_tracked_runs { | ||
inp := { | ||
"spacelift": {"run": {"type": "TRACKED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_iam_user.user_1", | ||
"type": "aws_iam_user", | ||
"change": {"actions": ["create"]}, | ||
}]}, | ||
} | ||
count(deny) == 0 with input as inp | ||
warn["Do not create IAM users: (aws_iam_user.user_1)"] with input as inp | ||
} | ||
|
||
# Test case deny for a proposed run. | ||
test_deny_proposed_runs { | ||
inp := { | ||
"spacelift": {"run": {"type": "PROPOSED"}}, | ||
"terraform": {"resource_changes": [{ | ||
"address": "aws_iam_user.user_1", | ||
"type": "aws_iam_user", | ||
"change": {"actions": ["create"]}, | ||
}]}, | ||
} | ||
count(warn) == 0 with input as inp | ||
deny["Do not create IAM users: (aws_iam_user.user_1)"] with input as inp | ||
} |
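Review bot: Both tests only cover the `create` action on `aws_iam_user`; nothing asserts that an `update` or `delete` of an existing user passes without a message, so a policy that matched on resource type alone would satisfy this file. The rule names `test_warn_tracked_runs` and `test_deny_proposed_runs` are also generic for a file about IAM users; since every test file here declares `package spacelift`, identically named rules from different files would merge into one test if the suite is ever run over the whole directory, so names like `test_warn_iam_user_creation_tracked_run` are safer.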
@@ -0,0 +1,10 @@ | ||
package spacelift | ||
|
||
# Test case for denying creation of resource type. | ||
test_deny_creation_of_resource_type { | ||
deny["Static AWS credentials are evil (aws_iam_access_key.key_1)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_iam_access_key.key_1", | ||
"type": "aws_iam_access_key", | ||
"change": {"actions": ["create"]}, | ||
}]}} | ||
} |
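Review bot: The file has only the positive (deny) case; no test shows that deleting an `aws_iam_access_key`, or creating a different resource type, yields `count(deny) == 0`, so a policy that denied every change would still pass. Adding `count(deny) == 0 with input as {"terraform": {"resource_changes": [{"address": "aws_iam_access_key.key_1", "type": "aws_iam_access_key", "change": {"actions": ["delete"]}}]}}` would pin the intended scope.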
@@ -0,0 +1,21 @@ | ||
package spacelift | ||
|
||
# Test case for denying creation of aws resources. | ||
test_deny_creation_of_aws_resource { | ||
deny["We have moved to GCP, find an equivalent there (aws_iam_access_key.key_1)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_iam_access_key.key_1", | ||
"type": "aws_iam_access_key", | ||
"change": {"actions": ["create"]}, | ||
"provider_name": "aws", | ||
}]}} | ||
} | ||
|
||
# Test case for allowing deletion of aws resources. | ||
test_allow_deletion_of_aws_resource { | ||
inp := {"terraform": {"resource_changes": [{ | ||
"address": "aws_iam_access_key.key_1", | ||
"type": "aws_iam_access_key", | ||
"change": {"actions": ["update"]}, | ||
}]}} | ||
count(deny) == 0 with input as inp | ||
} |
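Review bot: `test_allow_deletion_of_aws_resource` does not test what its name says: the fixture uses `"actions": ["update"]` rather than `delete`, and it omits the `"provider_name": "aws"` key that the deny fixture carries, so the `count(deny) == 0` result may come from the missing provider rather than from the action being non-create. Either fix the action and add the provider key (`"change": {"actions": ["delete"]}, "provider_name": "aws",`) or rename the test, and add a second negative case for a non-AWS provider so both exclusions are pinned independently.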
@@ -0,0 +1,37 @@ | ||
package spacelift | ||
|
||
# Test case for denying creation of controlled resource type. | ||
test_deny_creation_of_controlled_resource_type { | ||
deny["Resource 'aws_s3_bucket.bucket_1' cannot be created directly. Module(s) 'terraform-aws-modules/s3-bucket/aws' must be used instead"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_s3_bucket.bucket_1", | ||
"type": "aws_s3_bucket", | ||
"change": {"actions": ["create"]}, | ||
}]}} | ||
} | ||
|
||
# Test case for update creation of controlled resource type. | ||
test_deny_update_of_controlled_resource_type { | ||
deny["Resource 'aws_s3_bucket.bucket_1' cannot be created directly. Module(s) 'terraform-aws-modules/s3-bucket/aws' must be used instead"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_s3_bucket.bucket_1", | ||
"type": "aws_s3_bucket", | ||
"change": {"actions": ["update"]}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing deletion of controlled resource type. | ||
test_allow_deletion_of_controlled_resource_type { | ||
count(deny) == 0 with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_s3_bucket.bucket_1", | ||
"type": "aws_s3_bucket", | ||
"change": {"actions": ["delete"]}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing creation of uncontrolled resource type. | ||
test_allow_creation_of_uncontrolled_resource_type { | ||
count(deny) == 0 with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_ecs_cluster.one", | ||
"type": "aws_ecs_cluster", | ||
"change": {"actions": ["create"]}, | ||
}]}} | ||
} |
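Review bot: None of the four tests exercises the allowed path the policy exists for — a bucket created through `terraform-aws-modules/s3-bucket/aws`, which in plan JSON carries a `module_address` and an address such as `module.bucket.aws_s3_bucket.this[0]` — so a regression that also denied module-created buckets would go unnoticed. Presumably the policy keys on `module_address` or the address prefix; add a fixture of that shape asserting `count(deny) == 0`. Minor: the comment on the second test reads `# Test case for update creation of controlled resource type.` and should be `# Test case for update of controlled resource type (message still says "created directly").`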
@@ -0,0 +1,37 @@ | ||
package spacelift | ||
|
||
# Test case for denying creation of a password with less than 16 characters. | ||
test_deny_creation_of_password_with_less_than_16_characters { | ||
deny["We require that passwords have at least 16 characters (random_password.password_1)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"length": 1}, | ||
}, | ||
}]}} | ||
} | ||
|
||
# Test case for warning creation of a password between 16 and 20 characters. | ||
test_warn_creation_of_password_between_16_and_20_characters { | ||
warn["We advise that passwords have at least 20 characters (random_password.password_1)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"length": 18}, | ||
}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing creation of a password longer than 20 characters. | ||
test_allow_creation_of_password_longer_than_20_characters { | ||
count(warn) == 0 with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"length": 21}, | ||
}, | ||
}]}} | ||
} |
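Review bot: The boundaries implied by the test names (16 and 20) are never exercised — lengths 1, 18 and 21 are used — so whether a 16-character password is denied or only warned about, and whether exactly 20 warns, is unpinned; add `"after": {"length": 16}` and `"after": {"length": 20}` cases asserting the expected message or its absence. `test_allow_creation_of_password_longer_than_20_characters` also only checks `count(warn) == 0`; it should assert `count(deny) == 0` too, and the deny case should state whether `warn` also fires, so the interaction of the two rules is explicit.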
@@ -0,0 +1,44 @@ | ||
package spacelift | ||
|
||
# Test case for denying creation of a resource with no enforced tags. | ||
test_deny_creation_of_resource_with_no_enforced_tags { | ||
deny["resource \"random_password.password_1\" does not have all suggested tags (Name, env, owner)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"tags_all": [{"test": "test"}]}, | ||
}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing creation of a resource with enforced tags. | ||
test_allow_creation_of_resource_with_enforced_tags { | ||
count(deny) == 0 with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"tags_all": { | ||
"Name": "name", | ||
"env": "testing", | ||
"owner": "spacelift.io", | ||
}}, | ||
}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing creation of a resource with partial enforced tags. | ||
test_allow_creation_of_resource_with_partial_enforced_tags { | ||
deny["resource \"random_password.password_1\" does not have all suggested tags (env)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "random_password.password_1", | ||
"type": "random_password", | ||
"change": { | ||
"actions": ["create"], | ||
"after": {"tags_all": { | ||
"Name": "name", | ||
"owner": "spacelift.io", | ||
}}, | ||
}, | ||
}]}} | ||
} |
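Review bot: The fixture in `test_deny_creation_of_resource_with_no_enforced_tags` sets `"tags_all": [{"test": "test"}]`, a list, whereas `tags_all` in Terraform plan JSON is a map (as the other two tests use), so the deny may be triggered by the malformed shape rather than by the missing keys; use `"tags_all": {"test": "test"}` so the test proves the key check. `test_allow_creation_of_resource_with_partial_enforced_tags` asserts a `deny`, so its name and the comment `# Test case for allowing creation …` are inverted — rename to `test_deny_creation_of_resource_with_partial_enforced_tags`. It is also worth pinning whether a resource with no `tags_all` key at all is denied or skipped, since that is the shape untaggable types produce.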
@@ -0,0 +1,19 @@ | ||
package spacelift | ||
|
||
# Test case for denying resources with a certain resource type that will be deleted before created. | ||
test_deny_non_create_before_destroy_lifecycle { | ||
deny["Always create before deleting (aws_batch_compute_environment.test_1)"] with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_batch_compute_environment.test_1", | ||
"type": "aws_batch_compute_environment", | ||
"change": {"actions": ["delete", "create"]}, | ||
}]}} | ||
} | ||
|
||
# Test case for allowing resources with a certain resource type that will be created before deleted. | ||
test_allow_create_before_destroy_lifecycle { | ||
count(deny) == 0 with input as {"terraform": {"resource_changes": [{ | ||
"address": "aws_batch_compute_environment.test_1", | ||
"type": "aws_batch_compute_environment", | ||
"change": {"actions": ["create", "delete"]}, | ||
}]}} | ||
} |
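Review bot: The negative test covers only the `["create", "delete"]` ordering; no test asserts that a plain `["delete"]` or `["create"]` on `aws_batch_compute_environment` is allowed, so a policy matching any change containing `delete` would pass this file. Add `count(deny) == 0` cases for `{"actions": ["delete"]}` and `{"actions": ["create"]}`. A one-line comment that the action order encodes the lifecycle, `# ["delete", "create"] is destroy-then-create; ["create", "delete"] is create_before_destroy`, would help readers unfamiliar with the plan format.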
@@ -0,0 +1,21 @@ | ||
package spacelift | ||
|
||
# Test case for denying when monthly estimated cost exceeds a certain threshold. | ||
test_deny_infracost_monthly_cost_exceeds_threshold { | ||
deny["monthly cost greater than $100 ($101.00)"] with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 101.00}}]}}} | ||
} | ||
|
||
# Test case for not denying when monthly estimated cost is below a certain threshold. | ||
test_not_deny_infracost_monthly_cost_is_below_threshold { | ||
count(deny) == 0 with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 99.00}}]}}} | ||
} | ||
|
||
# Test case for warning when monthly costs increased more than a certain percentage. | ||
test_warn_infracost_monthly_cost_increase_percentage_exceeds_threshold { | ||
warn["monthly cost increase greater than 5% (395.05%)"] with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 5.00}, "pastBreakdown": {"totalMonthlyCost": 1.01}}]}}} | ||
} | ||
|
||
# Test case for not warning when monthly costs increased less than a certain percentage. | ||
test_not_warn_infracost_monthly_cost_increase_percentage_does_not_exceed_threshold { | ||
count(warn) == 0 with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 40.10}, "pastBreakdown": {"totalMonthlyCost": 40.00}}]}}} | ||
} |
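Review bot: The threshold edges are not pinned: the message says "greater than $100" but the fixtures use 101.00 and 99.00, so whether exactly 100.00 is denied is unspecified, and the same holds for exactly 5% in the increase test. More importantly, no test covers a project with no `pastBreakdown` or with `"totalMonthlyCost": 0` in it (a brand-new stack), where a percentage computation would divide by zero or silently skip; pin whichever outcome the policy intends, e.g. `count(warn) == 0 with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 5.00}, "pastBreakdown": {"totalMonthlyCost": 0}}]}}}`. The expected strings `($101.00)` and `(395.05%)` also encode a rounding convention that a short comment should state.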
@@ -0,0 +1,21 @@ | ||
package spacelift | ||
|
||
# Test case for warning with severity counters. | ||
test_warn_severity_counters { | ||
warn["You have: 1 info issues, 2 low issues, 3 medium issues"] with input as {"third_party_metadata": {"custom": {"kics": {"severity_counters": { | ||
"INFO": 1, | ||
"LOW": 2, | ||
"MEDIUM": 3, | ||
"HIGH": 0, | ||
}}}}} | ||
} | ||
|
||
# Test case for denying with high severity issues. | ||
test_deny_for_high_severity_issue { | ||
deny["The number of violated policies 10 is higher than the threshold 0"] with input as {"third_party_metadata": {"custom": {"kics": {"severity_counters": { | ||
"INFO": 1, | ||
"LOW": 2, | ||
"MEDIUM": 3, | ||
"HIGH": 10, | ||
}}}}} | ||
} |
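Review bot: Unlike the checkov tests, this file has no case for absent KICS metadata (`with input as {}`), so the behaviour when the scanner did not run is unpinned; add one asserting the intended outcome. The fixtures use only `INFO`/`LOW`/`MEDIUM`/`HIGH`; if the policy sums whatever counters it finds rather than reading named keys, an unexpected key (newer KICS versions also report `CRITICAL`, to be confirmed against the integration) would change the message, so a test with an extra key would make that contract explicit. The deny test also asserts nothing about `warn`, leaving open whether both messages fire for the same input.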
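--- /dev/null
+++ b/plan/require-human-review-for-drift-detection-reconciliation_test.rego
@@ -0,0 +1,17 @@
+package spacelift
+
+# Test case for drift reconciliation runs requiring manual approval
+test_warn_drift_reconciliation_runs_requires_manual_approval {
+	warn["Drift reconciliation requires manual approval"] with input as {"spacelift": {"run": {
+		"drift_detection": true,
+		"type": "TRACKED",
+	}}}
+}
+
+# Test case for non drift reconciliation requiring manual approval
+test_non_drift_reconciliation_runs_require_no_manual_approval {
+	count(warn) == 0 with input as {"spacelift": {"run": {
+		"drift_detection": false,
+		"type": "TRACKED",
+	}}}
+}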
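Review bot: The negative test only covers `"drift_detection": false`; if non-drift runs can omit the key altogether (to be confirmed against the run input schema), a second case with `{"spacelift": {"run": {"type": "TRACKED"}}}` asserting `count(warn) == 0` would pin that the rule does not misfire on a missing field. Neither test asserts `count(deny) == 0`, so the file does not show that drift runs are held for approval rather than blocked outright.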
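--- /dev/null
+++ b/plan/require-human-review-for-unreachable-ansible-hosts_test.rego
@@ -0,0 +1,13 @@
+package spacelift
+
+# Test case for warning when some ansible hosts were unreachable.
+test_warn_ansible_host_are_unreachable {
+	warn["Some hosts were unreachable"] with input as {"ansible": {"dark": {"test": true}}}
+}
+
+#
+
+# Test case for no warning when all ansible hosts were reachable.
+test_no_warn_all_ansible_host_are_reachable {
+	count(warn) == 0 with input as {"ansible": {"dark": {}}}
+}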
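Review bot: There is a stray empty comment line (`#`) between the two tests that should be removed, or turned into a note explaining what `ansible.dark` is — a reader cannot tell from this file that it presumably maps unreachable hosts. The negative case only covers an empty `dark` map; a test with no `ansible` key at all would pin whether the rule tolerates non-Ansible runs, mirroring the `{}` input the checkov tests use.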