diff --git a/tests/advanced.tftest.hcl b/tests/advanced.tftest.hcl
new file mode 100644
index 0000000..4f072ab
--- /dev/null
+++ b/tests/advanced.tftest.hcl
@@ -0,0 +1,340 @@
+run "setup" {
+ module {
+ source = "./tests/network"
+ }
+}
+
+run "advanced_security_group_with_rules" {
+ variables {
+ name = "basic-security-group-2"
+ description = "This is a test security group."
+
+ vpc_id = run.setup.vpc_id
+ ingress_rules = [
+ # Different To/From ports
+ {
+ from_port = 3306
+ to_port = 54321
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8"]
+ },
+
+ # Allow other SG instead of CIDR
+ {
+ port = 3306
+ protocol = "udp"
+ source_security_group_id = run.setup.security_group_id
+ },
+
+ # Using self
+ {
+ port = 3306
+ protocol = "udp"
+ self = true
+ },
+
+ # Using prefix list
+ {
+ port = 443
+ protocol = "tcp"
+ prefix_list_ids = [run.setup.prefix_list_id]
+ }
+ ]
+
+ egress_rules = [
+ # Different To/From ports
+ {
+ from_port = 3306
+ to_port = 54321
+ protocol = "tcp"
+ cidr_blocks = ["10.0.0.0/8"]
+ },
+
+ # Allow other SG instead of CIDR
+ {
+ port = 3306
+ protocol = "udp"
+ source_security_group_id = run.setup.security_group_id
+ },
+
+ # Using self
+ {
+ port = 3306
+ protocol = "udp"
+ self = true
+ },
+
+ # Using prefix list
+ {
+ port = 443
+ protocol = "tcp"
+ prefix_list_ids = [run.setup.prefix_list_id]
+ }
+ ]
+ }
+
+ assert {
+ condition = length(output.security_group_id) >= 0
+ error_message = "Expected security group to be created."
+ }
+
+ ### Ingress rules checks
+ assert {
+ condition = length(aws_security_group_rule.main_ingress) == 4
+ error_message = "Expected security group to have 5 ingress rules."
+ }
+
+ ### Assert different from / to ports
+ assert {
+ condition = aws_security_group_rule.main_ingress[0].protocol == "tcp"
+ error_message = "Expected standard protocol to be tcp."
+ }
+
+ assert {
+ condition = length(aws_security_group_rule.main_ingress[0].cidr_blocks) == 1
+ error_message = "Expected one cidr block."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[0].cidr_blocks[0] == "10.0.0.0/8"
+ error_message = "Incorrect cidr block entry."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[0].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[0].to_port == 54321
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert SG instead of CIDR
+ assert {
+ condition = aws_security_group_rule.main_ingress[1].protocol == "udp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[1].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[1].source_security_group_id == run.setup.security_group_id
+ error_message = "Expected security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[1].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[1].to_port == 3306
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert self
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].protocol == "udp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].source_security_group_id == null
+ error_message = "Expected no source security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].self == true
+ error_message = "Expected self to be true."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[2].to_port == 3306
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert prefix list
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].protocol == "tcp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].source_security_group_id == null
+ error_message = "Expected no source security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].self == false
+ error_message = "Expected self to be false."
+ }
+
+ assert {
+ condition = length(aws_security_group_rule.main_ingress[3].prefix_list_ids) == 1
+ error_message = "Incorrect prefix list ids."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].prefix_list_ids[0] == run.setup.prefix_list_id
+ error_message = "Incorrect prefix list ids entry."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].from_port == 443
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_ingress[3].to_port == 443
+ error_message = "Incorrect to port."
+ }
+
+ ### Egress rules checks
+ assert {
+ condition = length(aws_security_group_rule.main_egress) == 4
+ error_message = "Expected security group to have 5 egress rules."
+ }
+
+ ### Assert different from / to ports
+ assert {
+ condition = aws_security_group_rule.main_egress[0].protocol == "tcp"
+ error_message = "Expected standard protocol to be tcp."
+ }
+
+ assert {
+ condition = length(aws_security_group_rule.main_egress[0].cidr_blocks) == 1
+ error_message = "Expected one cidr block."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[0].cidr_blocks[0] == "10.0.0.0/8"
+ error_message = "Incorrect cidr block entry."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[0].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[0].to_port == 54321
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert SG instead of CIDR
+ assert {
+ condition = aws_security_group_rule.main_egress[1].protocol == "udp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[1].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[1].source_security_group_id == run.setup.security_group_id
+ error_message = "Expected security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[1].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[1].to_port == 3306
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert self
+ assert {
+ condition = aws_security_group_rule.main_egress[2].protocol == "udp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[2].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[2].source_security_group_id == null
+ error_message = "Expected no source security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[2].self == true
+ error_message = "Expected self to be true."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[2].from_port == 3306
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[2].to_port == 3306
+ error_message = "Incorrect to port."
+ }
+
+ ### Assert prefix list
+ assert {
+ condition = aws_security_group_rule.main_egress[3].protocol == "tcp"
+ error_message = "Incorrect protocol."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].cidr_blocks == null
+ error_message = "Expected no cidr blocks."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].source_security_group_id == null
+ error_message = "Expected no source security group."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].self == false
+ error_message = "Expected self to be false."
+ }
+
+ assert {
+ condition = length(aws_security_group_rule.main_egress[3].prefix_list_ids) == 1
+ error_message = "Incorrect prefix list ids."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].prefix_list_ids[0] == run.setup.prefix_list_id
+ error_message = "Incorrect prefix list ids entry."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].from_port == 443
+ error_message = "Incorrect from port."
+ }
+
+ assert {
+ condition = aws_security_group_rule.main_egress[3].to_port == 443
+ error_message = "Incorrect to port."
+ }
+}
diff --git a/tests/basic.tftest.hcl b/tests/basic.tftest.hcl
index 1b2aa5a..9a2a3db 100644
--- a/tests/basic.tftest.hcl
+++ b/tests/basic.tftest.hcl
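Review bot: The rule-count assertions report a number they never check: `condition = length(aws_security_group_rule.main_ingress) == 4` is paired with `error_message = "Expected security group to have 5 ingress rules."`, and the egress pair further down has the same 4-versus-5 mismatch, so a real failure would point the reader at the wrong expectation; both messages should read `"Expected security group to have 4 ... rules."`. The creation check `condition = length(output.security_group_id) >= 0` can never be false, since a length is never negative, so it does not actually verify that a security group was created; `condition = output.security_group_id != ""` (or `length(...) > 0`) would. The same always-true creation condition is carried unchanged into the rewritten assert block in the basic.tftest.hcl hunk below, where only its message was edited.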
@@ -34,155 +34,71 @@ run "basic_security_group_with_rules" { assert { condition = length(output.security_group_id) >= 0 - error_message = "Expected SG to be created." + error_message = "Expected security group to be created." } assert { condition = length(aws_security_group.main.tags) == 3 - error_message = "Expected SG to have 3 tags in total." + error_message = "Expected security group to have 3 tags in total." } assert { - condition = length(aws_security_group_rule.main_ingress) == length(var.ingress_rules) - error_message = "Expected SG to have 1 ingress rule." + condition = length(aws_security_group_rule.main_ingress) == 1 + error_message = "Expected security group to have 1 ingress rule." } assert { - condition = length(aws_security_group_rule.main_egress) == length(var.egress_rules) - error_message = "Expected SG to have 1 egress rule." + condition = aws_security_group_rule.main_ingress[0].protocol == "tcp" + error_message = "Expected standard protocol to be tcp." } -} - -run "advanced_security_group_with_rules" { - variables { - name = "basic-security-group-2" - description = "This is a test security group." 
- - vpc_id = run.setup.vpc_id - ingress_rules = [ - # To/From ports are the same - { - port = 3306 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - }, - - # Different To/From ports - { - from_port = 3306 - to_port = 54321 - protocol = "tcp" - cidr_blocks = ["127.0.0.0/8", "10.0.0.0/8"] - }, - - # Allow other SG instead of CIDR - { - port = 3306 - protocol = "udp" - source_security_group_id = run.setup.security_group_id - }, - - # Using self - { - port = 3306 - protocol = "udp" - self = true - }, - - # Using prefix list - { - port = 443 - protocol = "tcp" - prefix_list_ids = [run.setup.prefix_list_id] - } - ] - - egress_rules = [ - # To/From ports are the same - { - port = 3306 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - }, - - # Different To/From ports - { - from_port = 3306 - to_port = 54321 - protocol = "tcp" - cidr_blocks = ["127.0.0.0/8", "10.0.0.0/8"] - }, - - # Allow other SG instead of CIDR - { - port = 3306 - protocol = "udp" - source_security_group_id = run.setup.security_group_id - }, - # Using self - { - port = 3306 - protocol = "udp" - self = true - }, + assert { + condition = length(aws_security_group_rule.main_ingress[0].cidr_blocks) == 1 + error_message = "Expected one cidr block." + } - # Using prefix list - { - port = 443 - protocol = "tcp" - prefix_list_ids = [run.setup.prefix_list_id] - } - ] + assert { + condition = aws_security_group_rule.main_ingress[0].cidr_blocks[0] == "0.0.0.0/0" + error_message = "Expected cidr block entry to be 0.0.0.0/0." } assert { - condition = length(output.security_group_id) >= 0 - error_message = "Expected SG to be created." + condition = aws_security_group_rule.main_ingress[0].from_port == 80 + error_message = "Expected standard from port to be 80." } assert { - condition = length(aws_security_group_rule.main_ingress) == length(var.ingress_rules) - error_message = "Expected SG to have 1 ingress rule." 
+ condition = aws_security_group_rule.main_ingress[0].to_port == 80 + error_message = "Expected standard to port to be 80." } assert { - condition = length(aws_security_group_rule.main_egress) == length(var.egress_rules) - error_message = "Expected SG to have 1 egress rule." + condition = length(aws_security_group_rule.main_egress) == 1 + error_message = "Expected security group to have 1 egress rule." } -} -run "security_group_rule_validations" { - command = plan + assert { + condition = aws_security_group_rule.main_egress[0].protocol == "tcp" + error_message = "Expected standard protocol to be tcp." + } - variables { - name = "basic-security-group-3" - description = "This is a test security group." + assert { + condition = length(aws_security_group_rule.main_egress[0].cidr_blocks) == 1 + error_message = "Expected one cidr block." + } - vpc_id = run.setup.vpc_id - ingress_rules = [ - # Self & CIDR Blocks are not possible - { - port = 3306 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - self = true - } - ] + assert { + condition = aws_security_group_rule.main_egress[0].cidr_blocks[0] == "0.0.0.0/0" + error_message = "Expected cidr block entry to be 0.0.0.0/0." + } - egress_rules = [ - # port and to_port not possible - { - port = 3306 - to_port = 3307 - protocol = "tcp" - cidr_blocks = ["0.0.0.0/0"] - } - ] + assert { + condition = aws_security_group_rule.main_egress[0].from_port == 80 + error_message = "Expected standard from port to be 80." } - expect_failures = [ - var.ingress_rules, - var.egress_rules - ] + assert { + condition = aws_security_group_rule.main_egress[0].to_port == 80 + error_message = "Expected standard to port to be 80." + } } diff --git a/tests/validation.tftest.hcl b/tests/validation.tftest.hcl new file mode 100644 index 0000000..f9bfd35 --- /dev/null +++ b/tests/validation.tftest.hcl 
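Review bot: The rewritten asserts pin literal expectations (`from_port == 80`, `to_port == 80`, `cidr_blocks[0] == "0.0.0.0/0"`) whose origin, the run's `variables` block, sits above the hunk, so nothing in the assert section says where 80 and 0.0.0.0/0 come from or that the world-open CIDR is a deliberate test fixture rather than a recommended rule; a one-line header such as `### Values below mirror the single ingress/egress rule declared in variables above (0.0.0.0/0 is a fixture value, not guidance)` would tie them together. Replacing `== length(var.ingress_rules)` with the literal `== 1` is the stronger check, since the old form compared the module's output against its own input and could not catch a rule being dropped and re-added. The enclosing `run "basic_security_group_with_rules"` block, including its `variables`, starts before the hunk, so I am inferring the fixture values from the assertions alone.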
@@ -0,0 +1,40 @@
+run "setup" {
+ module {
+ source = "./tests/network"
+ }
+}
+
+run "security_group_rule_validations" {
+ command = plan
+
+ variables {
+ name = "basic-security-group-3"
+ description = "This is a test security group."
+
+ vpc_id = run.setup.vpc_id
+ ingress_rules = [
+ # Self & CIDR Blocks are not possible
+ {
+ port = 3306
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ self = true
+ }
+ ]
+
+ egress_rules = [
+ # port and to_port not possible
+ {
+ port = 3306
+ to_port = 3307
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+ ]
+ }
+
+ expect_failures = [
+ var.ingress_rules,
+ var.egress_rules
+ ]
+}
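Review bot: A single run exercises two independent invalid rule shapes (`self = true` together with `cidr_blocks` on ingress, `port` together with `to_port` on egress), so when one of the module's variable validations regresses the test output cannot say which shape slipped through, and the still-failing one keeps the overall report looking like the expected failure. Splitting this into two `run` blocks, each carrying one invalid rule and a single-entry `expect_failures = [var.ingress_rules]` or `expect_failures = [var.egress_rules]`, attributes each failure precisely; `command = plan` and the `setup` run stay as they are. How `expect_failures` behaves when only some of the listed objects fail is not something I can confirm from the page, which is one more reason to keep one expectation per run.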