Adding ability to filter resources by property value (elmundio87#23)

Matt Holmes · Edmund Dipple · commit 716bf2b9b719 · 2017-08-31T16:02:02.000+01:00
* Adding ability to filter resources by property value, get a properties value for additional validation and validate json
diff --git a/terraform_validate/fixtures/invalid_json/1.tf b/terraform_validate/fixtures/invalid_json/1.tf
@@ -0,0 +1,49 @@
+variable "bucket_name" {
+  default = "defaultvalue"
+}
+
+resource "aws_s3_bucket" "invalidjson" {
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "enforceTLS",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::examplebucketname/*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+POLICY
+}
+
+resource "aws_s3_bucket" "validjsonwithvariable" {
+  policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "enforceTLS",
+      "Effect": "Deny",
+      "Principal": "*",
+      "Action": "s3:*",
+      "Resource": "arn:aws:s3:::${var.bucket_name}/*",
+      "Condition": {
+        "Bool": {
+          "aws:SecureTransport": "false"
+        }
+      }
+    }]
+}
+POLICY
+}
+
+resource "aws_s2_bucket" "blankpolicy" {
+  policy = ""
+}
+
+resource "aws_s2_bucket" "nopolicy" {}
diff --git a/terraform_validate/fixtures/with_property/1.tf b/terraform_validate/fixtures/with_property/1.tf
@@ -0,0 +1,23 @@
+resource "aws_s3_bucket" "private_bucket" {
+  acl = "private"
+
+  policy = <<POLICY
+{INVALID JSON {}
+POLICY
+}
+
+resource "aws_s3_bucket" "public_bucket" {
+  acl = "public"
+}
+
+resource "aws_s3_bucket" "tagged_bucket" {
+  tags {
+    Tag1      = "Tag1"
+    CustomTag = "CustomValue"
+    Tag2      = "Tag2"
+  }
+
+  policy = <<POLICY
+{INVALID JSON {}
+POLICY
+}
diff --git a/terraform_validate/functional_test.py b/terraform_validate/functional_test.py
@@ -164,6 +164,12 @@ def test_nested_resource_property_value_matches_regex(self):
         with self.assertRaisesRegexp(AssertionError, expected_error):
             validator.resources('aws_instance').property('nested_resource').property('value').should_match_regex('[a-z]')
 
+    def test_resource_property_invalid_json(self):
+        validator = t.Validator(os.path.join(self.path, "fixtures/invalid_json"))
+        expected_error = self.error_list_format("[aws_s3_bucket.invalidjson.policy] is not valid json")
+        with self.assertRaisesRegexp(AssertionError, expected_error):
+            validator.resources('aws_s3_bucket').property('policy').should_contain_valid_json()
+
     def test_variable_substitution(self):
         validator = t.Validator(os.path.join(self.path, "fixtures/variable_substitution"))
         validator.enable_variable_expansion()
@@ -174,7 +180,6 @@ def test_variable_substitution(self):
         validator.disable_variable_expansion()
         validator.resources('aws_instance').property('value').should_equal('${var.test_variable}')
 
-
     def test_missing_variable_substitution(self):
         validator = t.Validator(os.path.join(self.path, "fixtures/missing_variable"))
         validator.enable_variable_expansion()
@@ -380,3 +385,23 @@ def test_encryption_scenario(self):
         with self.assertRaisesRegexp(AssertionError,expected_error):
             validator.resources("aws_ebs_volume_invalid2").should_have_properties("encrypted")
             validator.resources("aws_ebs_volume_invalid2").property("encrypted")
+
+    def test_with_property(self):
+        validator = t.Validator(os.path.join(self.path, "fixtures/with_property"))
+        
+        expected_error = self.error_list_format("[aws_s3_bucket.private_bucket.policy] is not valid json")
+
+        private_buckets = validator.resources("aws_s3_bucket").with_property("acl", "private")
+
+        with self.assertRaisesRegexp(AssertionError, expected_error):
+            private_buckets.property("policy").should_contain_valid_json()
+
+    def test_with_nested_property(self):
+        validator = t.Validator(os.path.join(self.path, "fixtures/with_property"))
+        
+        expected_error = self.error_list_format("[aws_s3_bucket.tagged_bucket.policy] is not valid json")
+
+        tagged_buckets = validator.resources("aws_s3_bucket").with_property("tags", ".*'CustomTag':.*'CustomValue'.*")
+
+        with self.assertRaisesRegexp(AssertionError, expected_error):
+            tagged_buckets.property("policy").should_contain_valid_json()
diff --git a/terraform_validate/terraform_validate.py b/terraform_validate/terraform_validate.py
@@ -2,6 +2,7 @@
 import os
 import re
 import warnings
+import json
 
 # def deprecated(func):
 #     '''This is a decorator which can be used to mark functions
@@ -69,6 +70,9 @@ def __init__(self, validator):
         self.properties = []
         self.validator = validator
 
+    def tfproperties(self):
+        return self.properties
+
     def property(self, property_name):
         errors = []
         list = TerraformPropertyList(self.validator)
@@ -234,6 +238,18 @@ def should_match_regex(self,regex):
         if len(errors) > 0:
             raise AssertionError("\n".join(sorted(errors)))
 
+    def should_contain_valid_json(self):
+        errors = []
+        for property in self.properties:
+            actual_property_value = self.validator.substitute_variable_values_in_string(property.property_value)
+            try:
+                json_object = json.loads(actual_property_value)
+            except:
+                errors.append("[{0}.{1}.{2}] is not valid json".format(property.resource_type, property.resource_name, property.property_name))
+
+        if len(errors) > 0:
+            raise AssertionError("\n".join(sorted(errors)))
+
     def bool2str(self,bool):
         if str(bool).lower() in ["true"]:
             return "True"
@@ -254,6 +270,8 @@ def __init__(self,resource_type,resource_name,property_name,property_value):
         self.property_name = property_name
         self.property_value = property_value
 
+    def get_property_value(self, validator):
+        return validator.substitute_variable_values_in_string(self.property_value)
 
 class TerraformResource:
 
@@ -266,7 +284,7 @@ class TerraformResourceList:
 
     def __init__(self, validator, resource_types, resources):
         self.resource_list = []
-
+        
         if type(resource_types) is not list:
             all_resource_types = list(resources.keys())
             regex = resource_types
@@ -280,6 +298,7 @@ def __init__(self, validator, resource_types, resources):
                 for resource in resources[resource_type]:
                     self.resource_list.append(TerraformResource(resource_type,resource,resources[resource_type][resource]))
 
+        self.resource_types = resource_types
         self.validator = validator
 
     def property(self, property_name):
@@ -309,6 +328,20 @@ def find_property(self, regex):
                                                              resource.config[property]))
         return list
 
+    def with_property(self, property_name, regex):
+        list = TerraformResourceList(self.validator, self.resource_types, {})
+        
+        if len(self.resource_list) > 0:
+            for resource in self.resource_list:
+                for property in resource.config:
+                    if(property == property_name):
+                        tf_property = TerraformProperty(resource.type,resource.name,property_name,resource.config[property_name])
+                        actual_property_value = self.validator.substitute_variable_values_in_string(tf_property.property_value)
+                        if self.validator.matches_regex_pattern(actual_property_value, regex):
+                            list.resource_list.append(resource)
+        
+        return list
+
     def should_have_properties(self, properties_list):
         errors = []
 
