Updating rules for redshift to handle lists of parameters

stelligent · Apr 20, 2020 · b255773 · b255773
1 parent d348075
commit b255773
Show file tree

Hide file tree

Showing 7 changed files with 119 additions and 35 deletions.
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml
@@ -12,9 +12,7 @@ rules:
     resource: aws_redshift_parameter_group
     severity: WARNING
     assertions:
-      - key: parameter
-        op: present
-      - every:
+      - exactly-one:
           key: parameter
           expressions:
             - key: name

diff --git a/...raform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf b/...raform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf
diff --git a/...raform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf b/...raform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf
@@ -1,27 +1,50 @@
-# Warn
+# Test that require_ssl parameter is present and set to true
+# https://www.terraform.io/docs/providers/aws/r/redshift_parameter_group.html
+
+# WARN require_ssl is not set
 resource "aws_redshift_parameter_group" "parameter_and_require_ssl_not_set" {
   name   = "foobar"
   family = "redshift-1.0"
 }
 
-# Warn
+# WARN: require_ssl is false
 resource "aws_redshift_parameter_group" "require_ssl_set_to_false" {
   name   = "foobar"
   family = "redshift-1.0"
 
+  parameter {
+    name  = "enable_user_activity_logging"
+    value = "true"
+  }
+
   parameter {
     name  = "require_ssl"
     value = "false"
   }
+
+  parameter {
+    name  = "query_group"
+    value = "example"
+  }
 }
 
-# Pass
+# PASS: require_ssl is set to true
 resource "aws_redshift_parameter_group" "require_ssl_set_to_true" {
   name   = "foobar"
   family = "redshift-1.0"
 
+  parameter {
+    name  = "enable_user_activity_logging"
+    value = "true"
+  }
+
   parameter {
     name  = "require_ssl"
     value = "true"
   }
+
+  parameter {
+    name  = "query_group"
+    value = "example"
+  }
 }
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml
@@ -1,6 +1,6 @@
 ---
 version: 1
-description: Terraform 11 and 12 tests
+description: Terraform 12 tests
 type: Terraform
 files:
   - "*.tf"
@@ -11,5 +11,4 @@ tests:
     warnings: 2
     failures: 0
     tags:
-      - "terraform11"
       - "terraform12"
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml
@@ -0,0 +1,22 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: REDSHIFT_CLUSTER_PARAMETER_GROUP_USER_ACTIVITY_LOGGING
+    message: RedshiftCluster Parameter Group should set enable_user_activity_logging to true
+    resource: aws_redshift_parameter_group
+    severity: FAILURE
+    assertions:
+      - exactly-one:
+          key: parameter
+          expressions:
+            - key: name
+              op: eq
+              value: enable_user_activity_logging
+            - key: value
+              op: is-true
diff --git a/...form/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf b/...form/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf
@@ -0,0 +1,55 @@
+# Test that user activity logging is enabled
+# https://www.terraform.io/docs/providers/aws/r/redshift_parameter_group.html
+
+# FAIL: enable_user_activity_logging is not set
+resource "aws_redshift_parameter_group" "logging_not_set" {
+  name   = "foobar"
+  family = "redshift-1.0"
+
+  parameter {
+    name  = "require_ssl"
+    value = "true"
+  }
+}
+
+# FAIL: enable_user_activity_logging is false
+resource "aws_redshift_parameter_group" "logging_set_to_false" {
+  name   = "foobar"
+  family = "redshift-1.0"
+
+  parameter {
+    name  = "require_ssl"
+    value = "false"
+  }
+
+  parameter {
+    name  = "enable_user_activity_logging"
+    value = "false"
+  }
+
+  parameter {
+    name  = "query_group"
+    value = "example"
+  }
+}
+
+# PASS: enable_user_activity_logging is set to true
+resource "aws_redshift_parameter_group" "logging_set_to_true" {
+  name   = "foobar"
+  family = "redshift-1.0"
+
+  parameter {
+    name  = "require_ssl"
+    value = "true"
+  }
+
+  parameter {
+    name  = "enable_user_activity_logging"
+    value = "true"
+  }
+
+  parameter {
+    name  = "query_group"
+    value = "example"
+  }
+}
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml
@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+tests:
+  -
+    ruleId: REDSHIFT_CLUSTER_PARAMETER_GROUP_USER_ACTIVITY_LOGGING
+    warnings: 0
+    failures: 2
+    tags:
+      - "terraform12"