feat: added tests (#36)

.projenrc.js

@@ -5,16 +5,16 @@ const { UpgradeDependenciesSchedule } = require('projen/lib/javascript');
 const project = new awscdk.AwsCdkConstructLibrary({
   author: 'Stefan Freitag',
   authorAddress: '[email protected]',
-  cdkVersion: '2.87.0',
+  cdkVersion: '2.88.0',
   defaultReleaseBranch: 'main',
   name: 'terraform-backend-s3-bucket',
   description: 'Creates an S3 bucket and a DynamoDB table for Terraform state and lock management.',
   repositoryUrl:
     'https://github.com/stefanfreitag/terraform-backend-s3-bucket.git',
   codeCov: true,
   devDeps: [
-    '@aws-cdk/integ-tests-alpha@2.87.0-alpha.0',
-    '@aws-cdk/integ-runner@2.87.0-alpha.0',
+    '@aws-cdk/integ-tests-alpha@2.88.0-alpha.0',
+    '@aws-cdk/integ-runner@2.88.0-alpha.0',
     '[email protected]',
     'ts-node',
   ],
@@ -38,6 +38,16 @@ const project = new awscdk.AwsCdkConstructLibrary({
     module: 'terraform_backend_s3_bucket',
     distName: 'terraform-backend-s3-bucket',
   },
+  tsconfigDev: {
+    compilerOptions: {
+      ignoreDeprecations: '5.0',
+    },
+  },
+  tsconfig: {
+    compilerOptions: {
+      ignoreDeprecations: '5.0',
+    },
+  },
 });
 
 const common_exclude = ['.history/'];

README.md

@@ -1,10 +1,8 @@
 # Terraform Backend S3 Bucket
 
-Provides a CDK construct for Terraform state management. The construct consists
-of
+Provides a CDK construct for Terraform state management.
 
-- S3 bucket
-- DynamoDB table.
+The documentation is available [here](https://stefanfreitag.github.io/terraform-backend-s3-bucket/).
 
 ## Contributing
 

docs/features.md

@@ -1,7 +1,9 @@
 # Features
 
-- [[S3.1] S3 Block Public Access setting should be enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-1)
-- [[S3.5] S3 buckets should require requests to use Secure Socket Layer](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-1)
+- [[S3.2] S3 buckets should prohibit public read access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2)
+- [[S3.3] S3 buckets should prohibit public write access](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3)
+- [[S3.4] S3 buckets should have server-side encryption enabled](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-4)
+- [[S3.5] S3 buckets should require requests to use Secure Socket Layer](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-5)
 - [[S3.14] S3 buckets should use versioning](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-14)
 - A lifecycle policy for non-current versions of objects  
   [[S3.10] S3 buckets with versioning enabled should have lifecycle policies configured](https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-10)

src/terraformStateBackend.ts

@@ -20,6 +20,7 @@ export class TerraformStateBackend extends Construct {
       enforceSSL: true,
       objectOwnership: s3.ObjectOwnership.BUCKET_OWNER_ENFORCED,
       removalPolicy: RemovalPolicy.DESTROY,
+      encryption: s3.BucketEncryption.KMS_MANAGED,
       lifecycleRules: [
         {
           enabled: true,

test/integ.terraformStateBackend.ts

@@ -22,8 +22,9 @@ class StackUnderTest extends cdk.Stack {
 // Beginning of the test suite
 const app = new cdk.App();
 
-const stack = new StackUnderTest(app, 'terraform-state-backend', {});
+const stack = new StackUnderTest(app, 'terraform-state-backend', { description: 'Integration test for Terraform State Backend' });
 const integ = new IntegTest(app, 'MyTestCase', {
+
   regions: ['eu-central-1'],
   testCases: [stack],
 });

test/terraformStateBackend.test.ts

@@ -85,39 +85,105 @@ describe('Ensure passing HIPAASecurityChecks', () => {
 describe('Bucket Configuration', () => {
   let stack: cdk.Stack;
 
+  let backend: TerraformStateBackend;
   beforeEach(() => {
     const app = new cdk.App();
 
     stack = new cdk.Stack(app, 'stack', {});
-    new TerraformStateBackend(stack, 'backend', {
+    backend = new TerraformStateBackend(stack, 'backend', {
       bucketName: '',
       tableName: '',
     });
   });
 
-  test('Versioning is enabled', () => {
+  test('[S3.2] S3 buckets should prohibit public read access', () => {
     assertions.Template.fromStack(stack).hasResourceProperties(
       'AWS::S3::Bucket',
       {
-        VersioningConfiguration: { Status: 'Enabled' },
+        PublicAccessBlockConfiguration: {
+          BlockPublicAcls: true,
+          BlockPublicPolicy: true,
+          IgnorePublicAcls: true,
+          RestrictPublicBuckets: true,
+        },
       },
     );
   });
 
-  test('Public access is blocked', () => {
+  //TODO
+  test('[S3.4] S3 buckets should have server-side encryption enabled', () => {
     assertions.Template.fromStack(stack).hasResourceProperties(
       'AWS::S3::Bucket',
       {
-        PublicAccessBlockConfiguration: {
-          BlockPublicAcls: true,
-          BlockPublicPolicy: true,
-          IgnorePublicAcls: true,
-          RestrictPublicBuckets: true,
+        BucketEncryption: {
+          ServerSideEncryptionConfiguration: [
+            { ServerSideEncryptionByDefault: { SSEAlgorithm: 'aws:kms' } },
+          ],
         },
       },
     );
   });
 
+  test('[S3.5] S3 buckets should require requests to use Secure Socket Layer', () => {
+    const template = assertions.Template.fromStack(stack);
+    template.resourceCountIs('AWS::S3::BucketPolicy', 1);
+
+    const logicalId = stack.getLogicalId(backend.bucket.node.defaultChild as cdk.CfnResource);
+
+    template.hasResourceProperties(
+      'AWS::S3::BucketPolicy',
+      {
+        PolicyDocument: {
+          Statement: [
+            {
+              Action: 's3:*',
+              Condition: {
+                Bool: {
+                  'aws:SecureTransport': 'false',
+                },
+              },
+              Effect: 'Deny',
+              Principal: {
+                AWS: '*',
+              },
+              Resource: [
+                {
+                  'Fn::GetAtt': [
+                    logicalId,
+                    'Arn',
+                  ],
+                },
+                {
+                  'Fn::Join': [
+                    '',
+                    [
+                      {
+                        'Fn::GetAtt': [
+                          logicalId,
+                          'Arn',
+                        ],
+                      },
+                      '/*',
+                    ],
+                  ],
+                },
+              ],
+            },
+          ],
+        },
+      },
+    );
+  });
+
+  test('[S3.14] S3 buckets should use versioning', () => {
+    assertions.Template.fromStack(stack).hasResourceProperties(
+      'AWS::S3::Bucket',
+      {
+        VersioningConfiguration: { Status: 'Enabled' },
+      },
+    );
+  });
+
   test('Lifecycle policy is defined', () => {
     assertions.Template.fromStack(stack).hasResourceProperties(
       'AWS::S3::Bucket',