From aa9dcf676476512d9c23583fb5627ce52a243b01 Mon Sep 17 00:00:00 2001 From: Emre Erkunt Date: Tue, 3 Mar 2020 13:26:15 +0000 Subject: [PATCH] 1.1.10 Fixed a problem whee matching functions does not work properly and some types are mismatched --- CHANGELOG.md | 4 +++ terraform_compliance/common/helper.py | 3 ++ terraform_compliance/steps/steps.py | 30 +++++++++---------- tests/functional/test_issue-sgr/main.tf | 26 ++++++++++++++++ tests/functional/test_issue-sgr/plan.out.json | 1 + tests/functional/test_issue-sgr/test.feature | 6 ++++ 6 files changed, 55 insertions(+), 15 deletions(-) create mode 100644 tests/functional/test_issue-sgr/main.tf create mode 100644 tests/functional/test_issue-sgr/plan.out.json create mode 100644 tests/functional/test_issue-sgr/test.feature diff --git a/CHANGELOG.md b/CHANGELOG.md index 71832cf4..bad4d9b2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # CHANGELOG +## 1.1.10 (2020-03-03) +* Fixed a problem where int, bool and float types was not properly filtered and matched. +* Fixed a problem where filtering functions does not work properly. + ## 1.1.9 (2020-02-25) * Fixed a problem where a property within the terraform plan fails to get parsed if it is list of lists. ([#221](https://github.com/eerkunt/terraform-compliance/issues/221)) diff --git a/terraform_compliance/common/helper.py b/terraform_compliance/common/helper.py index 79c7ef99..7981de40 100644 --- a/terraform_compliance/common/helper.py +++ b/terraform_compliance/common/helper.py @@ -118,6 +118,9 @@ def seek_regex_key_in_dict_values(haystack, key_name, needle, key_matched=None): found = list() if isinstance(haystack, dict): for key, value in haystack.items(): + if isinstance(value, (bool, int, float)): + value = str(value) + if key.lower() == key_name.lower() or key_matched is not None: if isinstance(value, str): matches = re.match(regex, value) 
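Review bot: Coercing bool values with `str()` in the added lines yields `True`/`False`, whereas the plan JSON in this same commit spells them `true`/`false` (`"self":false`, `"enable_dns_support":true`), so a scenario written as `... must be true` only matches if the regex built from the needle is case-insensitive, which this hunk does not show. Worth confirming, and if it is not, lower the coerced text: `value = str(value).lower() if isinstance(value, bool) else str(value)`. The numeric case also rides on `re.match`, which anchors only at the start: unless `regex` is built with a trailing `$`, a needle of `1` would also match a port of `10` or `1024`, which matters when the check is a security-group port rule. The enclosing loop and the rest of seek_regex_key_in_dict_values continue outside the hunk.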
diff --git a/terraform_compliance/steps/steps.py b/terraform_compliance/steps/steps.py index 3cf10940..a756046f 100644 --- a/terraform_compliance/steps/steps.py +++ b/terraform_compliance/steps/steps.py @@ -169,23 +169,23 @@ def its_key_is_value(_step_obj, key, value): found_list = [] for obj in _step_obj.context.stash: - object_key = obj.get(key, Null) + object_key = obj.get('values', {}) + if isinstance(object_key, list): + object_keys = [] + for object_key_element in object_key: + if isinstance(object_key_element, dict): + filtered_key = object_key_element.get(key) + if isinstance(filtered_key, str) and filtered_key.lower() == value.lower(): + found_list.append(object_key_element) + else: + object_keys.append(object_key_element.get(key, Null)) - if object_key is Null: - object_key = obj.get('values', {}) - if isinstance(object_key, list): - object_keys = [] - for object_key_element in object_key: - if isinstance(object_key_element, dict): - filtered_key = object_key_element.get(key) - if isinstance(filtered_key, str) and filtered_key.lower() == value.lower(): - found_list.append(object_key_element) - else: - object_keys.append(object_key_element.get(key, Null)) + object_key = [keys for keys in object_keys if keys is not Null] + else: + object_key = object_key.get(key, Null) - object_key = [keys for keys in object_keys if keys is not Null] - else: - object_key = object_key.get(key, Null) + if object_key is Null: + object_key = obj.get(key, Null) if isinstance(object_key, str): if "[" in object_key: diff --git a/tests/functional/test_issue-sgr/main.tf b/tests/functional/test_issue-sgr/main.tf new file mode 100644 index 00000000..7d5b2860 --- /dev/null +++ b/tests/functional/test_issue-sgr/main.tf 
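Review bot: The new fallback `if object_key is Null: object_key = obj.get(key, Null)` never fires when `values` is a list whose elements lack `key`, because the comprehension just above leaves `object_key` as an empty list rather than `Null`, so a top-level attribute of the same name is silently never consulted in that path. Consider `if object_key is Null or object_key == []:` so the list branch falls through the same way the dict branch does. `obj.get('values', {})` is also only safe when `values` is absent, a dict or a list; if a stash entry ever carries `values: null`, `.get` on `None` raises instead of falling back (not verified from this hunk). For a compliance tool a filter that quietly matches nothing is the failure mode to guard against. The body of its_key_is_value continues past the end of the hunk, so how a non-string `object_key` such as an int from_port is compared is not visible here.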
@@ -0,0 +1,26 @@
+resource "aws_vpc" "fail" {
+ cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_security_group_rule" "pass" {
+ type = "ingress"
+ from_port = 1
+ to_port = 1
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "sg-123456"
+}
+
+resource "aws_security_group_rule" "fail" {
+ type = "egress"
+ from_port = 2
+ to_port = 2
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_group_id = "sg-123456"
+}
+
+
+resource "aws_internet_gateway" "gw" {
+ vpc_id = aws_vpc.fail.id
+}
diff --git a/tests/functional/test_issue-sgr/plan.out.json b/tests/functional/test_issue-sgr/plan.out.json
new file mode 100644
index 00000000..1e5bdf0c
--- /dev/null
+++ b/tests/functional/test_issue-sgr/plan.out.json
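Review bot: This main.tf does not correspond to the plan.out.json committed next to it: main.tf declares `aws_security_group_rule.pass`, `aws_security_group_rule.fail` and no `aws_security_group`, while the plan contains `aws_security_group.allow_tls` and `aws_security_group_rule.allow_all` with from_port 0 and to_port 65535. The functional test presumably runs against plan.out.json only, so main.tf as written documents a different scenario than the one actually exercised. Either regenerate plan.out.json from this main.tf or replace main.tf with the source the plan was produced from, so the ingress rule under test (`type = "ingress"`, `from_port = 0`) is what a reader sees.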
@@ -0,0 +1 @@ +{"format_version":"0.1","terraform_version":"0.12.21","planned_values":{"root_module":{"resources":[{"address":"aws_internet_gateway.gw","mode":"managed","type":"aws_internet_gateway","name":"gw","provider_name":"aws","schema_version":0,"values":{"tags":null}},{"address":"aws_security_group.allow_tls","mode":"managed","type":"aws_security_group","name":"allow_tls","provider_name":"aws","schema_version":1,"values":{"description":"Allow TLS inbound traffic","ingress":[{"cidr_blocks":["0.0.0.0/0"],"description":"","from_port":1,"ipv6_cidr_blocks":[],"prefix_list_ids":[],"protocol":"tcp","security_groups":[],"self":false,"to_port":3000}],"name":"allow_tls","name_prefix":null,"revoke_rules_on_delete":false,"tags":null,"timeouts":null}},{"address":"aws_security_group_rule.allow_all","mode":"managed","type":"aws_security_group_rule","name":"allow_all","provider_name":"aws","schema_version":2,"values":{"cidr_blocks":["0.0.0.0/0"],"description":null,"from_port":0,"ipv6_cidr_blocks":null,"prefix_list_ids":null,"protocol":"tcp","security_group_id":"sg-123456","self":false,"to_port":65535,"type":"ingress"}},{"address":"aws_vpc.fail","mode":"managed","type":"aws_vpc","name":"fail","provider_name":"aws","schema_version":1,"values":{"assign_generated_ipv6_cidr_block":false,"cidr_block":"10.0.0.0/16","enable_dns_support":true,"instance_tenancy":"default","tags":null}}]}},"resource_changes":[{"address":"aws_internet_gateway.gw","mode":"managed","type":"aws_internet_gateway","name":"gw","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"tags":null},"after_unknown":{"id":true,"owner_id":true,"vpc_id":true}}},{"address":"aws_security_group.allow_tls","mode":"managed","type":"aws_security_group","name":"allow_tls","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"description":"Allow TLS inbound 
traffic","ingress":[{"cidr_blocks":["0.0.0.0/0"],"description":"","from_port":1,"ipv6_cidr_blocks":[],"prefix_list_ids":[],"protocol":"tcp","security_groups":[],"self":false,"to_port":3000}],"name":"allow_tls","name_prefix":null,"revoke_rules_on_delete":false,"tags":null,"timeouts":null},"after_unknown":{"arn":true,"egress":true,"id":true,"ingress":[{"cidr_blocks":[false],"ipv6_cidr_blocks":[],"prefix_list_ids":[],"security_groups":[]}],"owner_id":true,"vpc_id":true}}},{"address":"aws_security_group_rule.allow_all","mode":"managed","type":"aws_security_group_rule","name":"allow_all","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"cidr_blocks":["0.0.0.0/0"],"description":null,"from_port":0,"ipv6_cidr_blocks":null,"prefix_list_ids":null,"protocol":"tcp","security_group_id":"sg-123456","self":false,"to_port":65535,"type":"ingress"},"after_unknown":{"cidr_blocks":[false],"id":true,"source_security_group_id":true}}},{"address":"aws_vpc.fail","mode":"managed","type":"aws_vpc","name":"fail","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"assign_generated_ipv6_cidr_block":false,"cidr_block":"10.0.0.0/16","enable_dns_support":true,"instance_tenancy":"default","tags":null},"after_unknown":{"arn":true,"default_network_acl_id":true,"default_route_table_id":true,"default_security_group_id":true,"dhcp_options_id":true,"enable_classiclink":true,"enable_classiclink_dns_support":true,"enable_dns_hostnames":true,"id":true,"ipv6_association_id":true,"ipv6_cidr_block":true,"main_route_table_id":true,"owner_id":true}}}],"configuration":{"root_module":{"resources":[{"address":"aws_internet_gateway.gw","mode":"managed","type":"aws_internet_gateway","name":"gw","provider_config_key":"aws","expressions":{"vpc_id":{"references":["aws_vpc.fail"]}},"schema_version":0},{"address":"aws_security_group.allow_tls","mode":"managed","type":"aws_security_group","name":"allow_tls","provider_config_key":"aws","expressions":{"description":{"consta
nt_value":"Allow TLS inbound traffic"},"name":{"constant_value":"allow_tls"},"vpc_id":{"references":["aws_vpc.fail"]}},"schema_version":1},{"address":"aws_security_group_rule.allow_all","mode":"managed","type":"aws_security_group_rule","name":"allow_all","provider_config_key":"aws","expressions":{"cidr_blocks":{"constant_value":["0.0.0.0/0"]},"from_port":{"constant_value":0},"protocol":{"constant_value":"tcp"},"security_group_id":{"constant_value":"sg-123456"},"to_port":{"constant_value":65535},"type":{"constant_value":"ingress"}},"schema_version":2},{"address":"aws_vpc.fail","mode":"managed","type":"aws_vpc","name":"fail","provider_config_key":"aws","expressions":{"cidr_block":{"constant_value":"10.0.0.0/16"}},"schema_version":1}]}}}
diff --git a/tests/functional/test_issue-sgr/test.feature b/tests/functional/test_issue-sgr/test.feature
new file mode 100644
index 00000000..a7154bc3
--- /dev/null
+++ b/tests/functional/test_issue-sgr/test.feature
@@ -0,0 +1,6 @@
+Feature: test
+
+ Scenario: No 0.0.0.0/0 for ingress on rule
+ Given I have aws_security_group_rule defined
+ When its type is ingress
+ Then its from_port must be 0
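Review bot: The scenario title `No 0.0.0.0/0 for ingress on rule` does not describe what the steps check: the only assertion is `Then its from_port must be 0`, and the fixture's single ingress rule (`allow_all`, from_port 0, cidr_blocks 0.0.0.0/0) satisfies it, so the scenario passes while wide-open ingress is present. Since the commit's purpose is integer matching on `from_port`, rename it to something like `Scenario: Integer from_port is matched on ingress rules`, and add a separate scenario that asserts against `0.0.0.0/0` in `cidr_blocks` if that check is actually intended. `Feature: test` could likewise name what is being regression-tested, e.g. `Feature: Integer attribute matching (1.1.10)`.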