Merge branch 'master' into fix-issue-279

Author: eerkunt

CHANGELOG.md

@@ -1,5 +1,13 @@
 # CHANGELOG
 
+## 1.2.5 (unreleased)
+* Fixed a bug where some empty found values would be treated as not found. ([#249](https://github.com/eerkunt/terraform-compliance/issues/249))
+* Improved some error messages that might create some confusion about the failure results. ([#284](https://github.com/eerkunt/terraform-compliance/issues/284))
+* Fixed a problem where using `@warning` tag was causing a problem where error messages was hidden on `-q` usage.
+
+## 1.2.4 (2020-06-03)
+* Add ability to reference a git repo by branch name and directory via `<repo>.git//<directory>?ref=<branch-name`. ([#218](https://github.com/eerkunt/terraform-compliance/issues/218))
+
 ## 1.2.3 (2020-05-25)
 * Fixed a crash where some module outputs could not be processed. ([#275](https://github.com/eerkunt/terraform-compliance/issues/275))
 

docs/pages/usage/index.md

@@ -70,6 +70,18 @@ or if the repository is a private repository ;
 The authentication to that git repository will be handled via your `~/.ssh/config`. If you are using a different
 ssh key for this repository then you also need to provide `-i` parameter to pointing your private key.
 
+New in `1.2.4`, a repository can be referenced by branch name and directory. This uses syntax similar to Terraform
+[Modules in Package Sub-directories](https://www.terraform.io/docs/modules/sources.html#modules-in-package-sub-directories).
+The reference must include `//` after `.git` and end with `?ref=<branch-name>` or `?ref=<tag>`.
+```
+[~] $ terraform-compliance -f git:ssh://github.com/user/repo.git//directory?ref=v1.0.0 ...
+```
+The directory is optional.
+```
+[~] $ terraform-compliance -f git:ssh://github.com/user/repo.git//?ref=staging ...
+```
+
+
 ### -p / --planfile
 {: .d-inline-block }
 REQUIRED

requirements.txt

@@ -1,12 +1,12 @@
 radish-bdd==0.13.1
 mock==4.0.2
-gitpython==3.1.2
+gitpython==3.1.3
 netaddr==0.7.19
 colorful==0.5.4
 filetype==1.0.7
 junit-xml==1.9
 emoji==0.5.4
 lxml==4.5.1
 ddt==1.4.1
-pytest==5.4.2
+pytest==5.4.3
 nose==1.3.7

terraform_compliance/common/error_handling.py

@@ -51,7 +51,7 @@ def _process(self):
         # Prepare message
         msg = []
         for msg_index in range(0,len(self.message)):
-            if self.exit_on_failure is False:
+            if self.exit_on_failure is False or self.no_failure is True:
                 msg_header = '{}{}'.format(self.exception_name,
                                            colorful.bold_white(':')) if msg_index == 0 else ' '*(len(self.exception_name)+1)
                 msg.append('\t\t{} {}'.format(colorful.bold_red(msg_header), colorful.red(self.message[msg_index])))
@@ -62,7 +62,7 @@ def _process(self):
                                                                             colorful.bold_white(':'),
                                                                             self.message[msg_index]))
 
-        if self.exit_on_failure is False:
+        if self.exit_on_failure is False or (self.no_failure is True and msg):
             for message in msg:
                 console_write(message)
 

terraform_compliance/main.py

@@ -61,14 +61,34 @@ def cli(arghandling=ArgHandling(), argparser=ArgumentParser(prog=__app_name__,
     if args.ssh_key:
         ssh_cmd = {'GIT_SSH_COMMAND': 'ssh -l {} -i {}'.format('git', args.ssh_key)}
 
+    features_dir = '/'
     # A remote repository used here
     if args.features.startswith(('http', 'https', 'ssh')):
-        features_git_repo = args.features
+        # Default to master branch and full repository
+        if args.features.endswith('.git'):
+            features_git_repo = args.features
+            features_git_branch = 'master'
+
+        # Optionally allow for directory and branch
+        elif '.git//' in args.features and '?ref=' in args.features:
+            # Split on .git/
+            features_git_list = args.features.split('.git/', 1)
+            # Everything up to .git is the repository
+            features_git_repo = features_git_list[0] + '.git'
+
+            # Split the directory and branch ref
+            features_git_list = features_git_list[1].split('?ref=', 1)
+            features_dir = features_git_list[0]
+            features_git_branch = features_git_list[1]
+
+        else:  # invalid
+            raise ValueError("Bad feature directory:" + args.features)
+
+        # Clone repository
         args.features = mkdtemp()
+        Repo.clone_from(url=features_git_repo, to_path=args.features, env=ssh_cmd, depth=1, branch=features_git_branch)
 
-        Repo.clone_from(url=features_git_repo, to_path=args.features, env=ssh_cmd)
-
-    features_directory = os.path.join(os.path.abspath(args.features))
+    features_directory = os.path.join(os.path.abspath(args.features) + features_dir)
 
     commands = ['radish',
                 '--write-steps-once',

terraform_compliance/steps/then/it_must_contain_something.py

@@ -40,6 +40,7 @@ def it_must_contain_something(_step_obj, something, inherited_values=Null):
 
                     if isinstance(found_key, dict):
                         found_value = jsonify(found_key.get(something, found_key))
+                        found_value = found_value if found_value not in ([], '') else found_key
                     else:
                         found_value = found_key
             elif isinstance(values, list):
@@ -137,6 +138,7 @@ def it_must_not_contain_something(_step_obj, something, inherited_values=Null):
 
                     if isinstance(found_key, dict):
                         found_value = jsonify(found_key.get(something, found_key))
+                        found_value = found_value if found_value not in ([], '') else found_key
                     else:
                         found_value = found_key
             elif isinstance(values, list):

terraform_compliance/steps/when/its_key_is_value.py

@@ -69,7 +69,10 @@ def to_lower_key(d):
         _step_obj.context.stash = found_list
         _step_obj.context.addresses = get_resource_address_list_from_stash(found_list)
     else:
-        if dict_value is None:
+        if object_key is Null:
+            skip_step(_step_obj, message='Could not find {} in {}.'.format(key,
+                                                                           ', '.join(_step_obj.context.addresses)))
+        elif dict_value is None:
             skip_step(_step_obj, message='Can not find {} {} in {}.'.format(value, orig_key,
                                                                             ', '.join(_step_obj.context.addresses)))
         else:
@@ -126,7 +129,10 @@ def its_key_is_not_value(_step_obj, key, value, dict_value=None, address=Null):
         _step_obj.context.stash = found_list
         _step_obj.context.addresses = get_resource_address_list_from_stash(found_list)
     else:
-        if dict_value is None:
+        if object_key is Null:
+            skip_step(_step_obj, message='Could not find {} in {}.'.format(key,
+                                                                     ', '.join(_step_obj.context.addresses)))
+        elif dict_value is None:
             skip_step(_step_obj, message='Found {} {} in {}.'.format(value, orig_key,
                                                                      ', '.join(_step_obj.context.addresses)))
         else:

tests/functional/test_issue-249-bad_feature/.expected

@@ -0,0 +1 @@
+Failure: module.alb.aws_alb.alb \(aws_alb\) does not have bad_something_waf_custom property.

tests/functional/test_issue-249-bad_feature/.failure

@@ -0,0 +1,18 @@
+# Fixed version of the features provided on issue 249. 
+# Bad feature: Last line changed to something that's not in tags
+Feature: Resources should be properly tagged
+  In order to keep track of resource ownership
+  As engineers
+  We'll enforce tagging on all resources
+
+# Check required tag for ALB and CF
+  Scenario: Ensure that waf_policy for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must contain waf_policy
+    And its value must match the "^(internal|external|custom)$" regex
+
+  Scenario: Ensure that waf_custom for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must contain bad_something_waf_custom

tests/functional/test_issue-249-bad_feature/plan.out.json

@@ -0,0 +1,19 @@
+# Fixed version of the features provided on issue 249
+# Has: "when it contains" steps are changed to "when it has"
+Feature: Resources should be properly tagged
+  In order to keep track of resource ownership
+  As engineers
+  We'll enforce tagging on all resources
+
+# Check required tag for ALB and CF
+  Scenario: Ensure that waf_policy for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it has tags
+    Then it must contain tags
+    Then it must contain waf_policy
+    And its value must match the "^(internal|external|custom)$" regex
+
+  Scenario: Ensure that waf_custom for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it has tags
+    Then it must contain waf_custom

tests/functional/test_issue-249-bad_feature/test.feature

@@ -0,0 +1,2 @@
+Failure: waf_policy property exists in module.alb.aws_alb.alb \(aws_alb\).
+Failure: waf_custom property exists in module.alb.aws_alb.alb \(aws_alb\).

tests/functional/test_issue-249-has/plan.out.json

@@ -0,0 +1,17 @@
+# Fixed version of the features provided on issue 249
+# Must not: Testing must not changes
+Feature: Resources should be properly tagged
+  In order to keep track of resource ownership
+  As engineers
+  We'll enforce tagging on all resources
+
+# Check required tag for ALB and CF
+  Scenario: Ensure that waf_policy for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must not contain waf_policy
+
+  Scenario: Ensure that waf_custom for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must not contain waf_custom

tests/functional/test_issue-249-has/test.feature

@@ -0,0 +1,18 @@
+# Fixed version of the features provided on issue 249
+# Must not: Testing must not changes
+# Bad feature: Last line changed to something that's not in tags
+Feature: Resources should be properly tagged
+  In order to keep track of resource ownership
+  As engineers
+  We'll enforce tagging on all resources
+
+# Check required tag for ALB and CF
+  Scenario: Ensure that waf_policy for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must not contain bad_waf_policy
+
+  Scenario: Ensure that waf_custom for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must not contain bad_something_waf_custom

tests/functional/test_issue-249-must_not/.expected

@@ -0,0 +1,17 @@
+# Fixed version of the features provided on issue 249
+Feature: Resources should be properly tagged
+  In order to keep track of resource ownership
+  As engineers
+  We'll enforce tagging on all resources
+
+# Check required tag for ALB and CF
+  Scenario: Ensure that waf_policy for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must contain waf_policy
+    And its value must match the "^(internal|external|custom)$" regex
+
+  Scenario: Ensure that waf_custom for ALB/CF tag is defined
+    Given I have aws_alb defined
+    When it contains tags
+    Then it must contain waf_custom

tests/functional/test_issue-249-must_not/.failure

@@ -0,0 +1 @@
+SKIPPING: Could not find permissions in aws_s3_bucket.bucket.

tests/functional/test_issue-249-must_not/plan.out.json

@@ -0,0 +1,59 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket = "mybucket"
+
+  grant {
+    id          = "current_user_id"
+    type        = "CanonicalUser"
+    permissions = ["FULL_CONTROL"]
+  }
+
+  grant {
+    type        = "Group"
+    permissions = ["READ", "WRITE"]
+    uri         = "http://acs.amazonaws.com/groups/s3/LogDelivery"
+  }
+}
+
+# Create a new load balancer
+resource "aws_elb" "bar" {
+  name               = "foobar-terraform-elb"
+  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]
+
+  access_logs {
+    bucket        = "foo"
+    bucket_prefix = "bar"
+    interval      = 60
+  }
+
+  listener {
+    instance_port     = 8000
+    instance_protocol = "http"
+    lb_port           = 80
+    lb_protocol       = "http"
+  }
+
+  listener {
+    instance_port      = 8000
+    instance_protocol  = "http"
+    lb_port            = 443
+    lb_protocol        = "https"
+    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
+  }
+
+  health_check {
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 3
+    target              = "HTTP:8000/"
+    interval            = 30
+  }
+
+  cross_zone_load_balancing   = true
+  idle_timeout                = 400
+  connection_draining         = true
+  connection_draining_timeout = 400
+
+  tags = {
+    Name = "foobar-terraform-elb"
+  }
+}

tests/functional/test_issue-249-must_not/test.feature

@@ -0,0 +1 @@
+{"format_version":"0.1","terraform_version":"0.12.25","planned_values":{"root_module":{"resources":[{"address":"aws_elb.bar","mode":"managed","type":"aws_elb","name":"bar","provider_name":"aws","schema_version":0,"values":{"access_logs":[{"bucket":"foo","bucket_prefix":"bar","enabled":true,"interval":60}],"availability_zones":["us-west-2a","us-west-2b","us-west-2c"],"connection_draining":true,"connection_draining_timeout":400,"cross_zone_load_balancing":true,"health_check":[{"healthy_threshold":2,"interval":30,"target":"HTTP:8000/","timeout":3,"unhealthy_threshold":2}],"idle_timeout":400,"listener":[{"instance_port":8000,"instance_protocol":"http","lb_port":443,"lb_protocol":"https","ssl_certificate_id":"arn:aws:iam::123456789012:server-certificate/certName"},{"instance_port":8000,"instance_protocol":"http","lb_port":80,"lb_protocol":"http","ssl_certificate_id":""}],"name":"foobar-terraform-elb","name_prefix":null,"tags":{"Name":"foobar-terraform-elb"}}},{"address":"aws_s3_bucket.bucket","mode":"managed","type":"aws_s3_bucket","name":"bucket","provider_name":"aws","schema_version":0,"values":{"acl":"private","bucket":"mybucket","bucket_prefix":null,"cors_rule":[],"force_destroy":false,"grant":[{"id":"","permissions":["READ","WRITE"],"type":"Group","uri":"http://acs.amazonaws.com/groups/s3/LogDelivery"},{"id":"current_user_id","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"policy":null,"replication_configuration":[],"server_side_encryption_configuration":[],"tags":null,"website":[]}}]}},"resource_changes":[{"address":"aws_elb.bar","mode":"managed","type":"aws_elb","name":"bar","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"access_logs":[{"bucket":"foo","bucket_prefix":"bar","enabled":true,"interval":60}],"availability_zones":["us-west-2a","us-west-2b","us-west-2c"],"connection_draining":true,"connection_draining_timeout":400,"cross_zone_load_balancing":true,"health_check":[{"healthy_threshold":2,"interval":30,"target":"HTTP:8000/","timeout":3,"unhealthy_threshold":2}],"idle_timeout":400,"listener":[{"instance_port":8000,"instance_protocol":"http","lb_port":443,"lb_protocol":"https","ssl_certificate_id":"arn:aws:iam::123456789012:server-certificate/certName"},{"instance_port":8000,"instance_protocol":"http","lb_port":80,"lb_protocol":"http","ssl_certificate_id":""}],"name":"foobar-terraform-elb","name_prefix":null,"tags":{"Name":"foobar-terraform-elb"}},"after_unknown":{"access_logs":[{}],"arn":true,"availability_zones":[false,false,false],"dns_name":true,"health_check":[{}],"id":true,"instances":true,"internal":true,"listener":[{},{}],"security_groups":true,"source_security_group":true,"source_security_group_id":true,"subnets":true,"tags":{},"zone_id":true}}},{"address":"aws_s3_bucket.bucket","mode":"managed","type":"aws_s3_bucket","name":"bucket","provider_name":"aws","change":{"actions":["create"],"before":null,"after":{"acl":"private","bucket":"mybucket","bucket_prefix":null,"cors_rule":[],"force_destroy":false,"grant":[{"id":"","permissions":["READ","WRITE"],"type":"Group","uri":"http://acs.amazonaws.com/groups/s3/LogDelivery"},{"id":"current_user_id","permissions":["FULL_CONTROL"],"type":"CanonicalUser","uri":""}],"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"policy":null,"replication_configuration":[],"server_side_encryption_configuration":[],"tags":null,"website":[]},"after_unknown":{"acceleration_status":true,"arn":true,"bucket_domain_name":true,"bucket_regional_domain_name":true,"cors_rule":[],"grant":[{"permissions":[false,false]},{"permissions":[false]}],"hosted_zone_id":true,"id":true,"lifecycle_rule":[],"logging":[],"object_lock_configuration":[],"region":true,"replication_configuration":[],"request_payer":true,"server_side_encryption_configuration":[],"versioning":true,"website":[],"website_domain":true,"website_endpoint":true}}}],"configuration":{"root_module":{"resources":[{"address":"aws_elb.bar","mode":"managed","type":"aws_elb","name":"bar","provider_config_key":"aws","expressions":{"access_logs":[{"bucket":{"constant_value":"foo"},"bucket_prefix":{"constant_value":"bar"},"interval":{"constant_value":60}}],"availability_zones":{"constant_value":["us-west-2a","us-west-2b","us-west-2c"]},"connection_draining":{"constant_value":true},"connection_draining_timeout":{"constant_value":400},"cross_zone_load_balancing":{"constant_value":true},"health_check":[{"healthy_threshold":{"constant_value":2},"interval":{"constant_value":30},"target":{"constant_value":"HTTP:8000/"},"timeout":{"constant_value":3},"unhealthy_threshold":{"constant_value":2}}],"idle_timeout":{"constant_value":400},"listener":[{"instance_port":{"constant_value":8000},"instance_protocol":{"constant_value":"http"},"lb_port":{"constant_value":80},"lb_protocol":{"constant_value":"http"}},{"instance_port":{"constant_value":8000},"instance_protocol":{"constant_value":"http"},"lb_port":{"constant_value":443},"lb_protocol":{"constant_value":"https"},"ssl_certificate_id":{"constant_value":"arn:aws:iam::123456789012:server-certificate/certName"}}],"name":{"constant_value":"foobar-terraform-elb"},"tags":{"constant_value":{"Name":"foobar-terraform-elb"}}},"schema_version":0},{"address":"aws_s3_bucket.bucket","mode":"managed","type":"aws_s3_bucket","name":"bucket","provider_config_key":"aws","expressions":{"bucket":{"constant_value":"mybucket"},"grant":[{"id":{"constant_value":"current_user_id"},"permissions":{"constant_value":["FULL_CONTROL"]},"type":{"constant_value":"CanonicalUser"}},{"permissions":{"constant_value":["READ","WRITE"]},"type":{"constant_value":"Group"},"uri":{"constant_value":"http://acs.amazonaws.com/groups/s3/LogDelivery"}}]},"schema_version":0}]}}}

tests/functional/test_issue-249-must_not_bad_feature/plan.out.json

@@ -0,0 +1,15 @@
+Feature: Feature for issue 284
+	In order to something
+	As engineers
+	We'll enforce something else
+
+	Scenario Outline: Ensure S3 Bucket's ACL grant does not include write permissions, test2
+		Given I have aws_s3_bucket defined
+		When it has grant
+		And its permissions does not include <value>
+	Examples:
+	| value           |
+	| WRITE_ACP       |
+	| WRITE_bidi      |
+	| FULL_CONTROL_d  |
+	| Something_bad	  |