From b255773e03e37842b39b630dc597e3d0e271b629 Mon Sep 17 00:00:00 2001 From: Keith Monihen Date: Mon, 20 Apr 2020 16:28:51 -0400 Subject: [PATCH] Updating rules for redshift to handle lists of parameters --- .../require_ssl/rule.yml | 4 +- .../tests/terraform11/require_ssl.tf | 27 --------- .../tests/terraform12/require_ssl.tf | 29 +++++++++- .../require_ssl/tests/test.yml | 3 +- .../user_logging/rule.yml | 22 ++++++++ .../tests/terraform12/user_logging.tf | 55 +++++++++++++++++++ .../user_logging/tests/test.yml | 14 +++++ 7 files changed, 119 insertions(+), 35 deletions(-) delete mode 100644 cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf create mode 100644 cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml create mode 100644 cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf create mode 100644 cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml index f962cc2..9794a16 100644 --- a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml +++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/rule.yml @@ -12,9 +12,7 @@ rules: resource: aws_redshift_parameter_group severity: WARNING assertions: - - key: parameter - op: present - - every: + - exactly-one: key: parameter expressions: - key: name diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf deleted file mode 100644 index b33357e..0000000 
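Review bot: The `exactly-one` assertion now silently carries the presence check that the removed `op: present` made explicit, and nothing in rule.yml says what an `aws_redshift_parameter_group` with no `parameter` block at all evaluates to (the test counts imply zero matches, which is what makes the `parameter_and_require_ssl_not_set` fixture warn); a comment above the assertion such as `# exactly-one over an absent parameter list yields no match, so a missing require_ssl also warns` would pin that down. `exactly-one` presumably also warns when `require_ssl` is listed twice with both values true, which is a behaviour change from the removed `every` worth stating in the rule message if it is intended. The rule stays at `severity: WARNING` while the new user_logging rule in this commit is `FAILURE`; requiring TLS on client connections is at least as important as activity logging, so the two severities look inverted or should be aligned. Terraform 11 coverage is dropped in the tests/test.yml hunk and the deleted terraform11 fixture without the commit message saying whether the rule still evaluates on 0.11 syntax; if it does not, that belongs in the rule description.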
--- a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform11/require_ssl.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-# Warn
-resource "aws_redshift_parameter_group" "parameter_and_require_ssl_not_set" {
- name = "foobar"
- family = "redshift-1.0"
-}
-
-# Warn
-resource "aws_redshift_parameter_group" "require_ssl_set_to_false" {
- name = "foobar"
- family = "redshift-1.0"
-
- parameter {
- name = "require_ssl"
- value = "false"
- }
-}
-
-# Pass
-resource "aws_redshift_parameter_group" "require_ssl_set_to_true" {
- name = "foobar"
- family = "redshift-1.0"
-
- parameter {
- name = "require_ssl"
- value = "true"
- }
-}
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf
index b33357e..8786e83 100644
--- a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf
+++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/terraform12/require_ssl.tf
@@ -1,27 +1,50 @@ -# Warn +# Test that require_ssl parameter is present and set to true +# https://www.terraform.io/docs/providers/aws/r/redshift_parameter_group.html + +# WARN require_ssl is not set resource "aws_redshift_parameter_group" "parameter_and_require_ssl_not_set" { name = "foobar" family = "redshift-1.0" } -# Warn +# WARN: require_ssl is false resource "aws_redshift_parameter_group" "require_ssl_set_to_false" { name = "foobar" family = "redshift-1.0" + parameter { + name = "enable_user_activity_logging" + value = "true" + } + parameter { name = "require_ssl" value = "false" } + + parameter { + name = "query_group" + value = "example" + } } -# Pass +# PASS: require_ssl is set to true resource "aws_redshift_parameter_group" "require_ssl_set_to_true" { name = "foobar" family = "redshift-1.0" + parameter { + name = "enable_user_activity_logging" + value = "true" + } + parameter { name = "require_ssl" value = "true" } + + parameter { + name = "query_group" + value = "example" + } } diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml index ad63170..6d79cb3 100644 --- a/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml +++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/require_ssl/tests/test.yml @@ -1,6 +1,6 @@ --- version: 1 -description: Terraform 11 and 12 tests +description: Terraform 12 tests type: Terraform files: - "*.tf" @@ -11,5 +11,4 @@ tests: warnings: 2 failures: 0 tags: - - "terraform11" - "terraform12" diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml new file mode 100644 index 0000000..e16c611 --- /dev/null +++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/rule.yml 
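Review bot: The fixture meant to exercise list handling still has no case where a `parameter` list exists but `require_ssl` is not among its entries; `parameter_and_require_ssl_not_set` has no parameters at all, so a rule that only inspected the first list entry, or treated any non-empty list as a match, would still pass this file. The new user_logging.tf fixture in this commit does cover that shape (`logging_not_set` carries a `require_ssl` entry), so the two fixtures are asymmetric. Adding the resource below and raising `warnings` in tests/test.yml from 2 to 3 would close the gap. Minor: the comment `# WARN require_ssl is not set` is missing the colon the other two headings use.
```hcl
# … unchanged: the three existing resources …

# WARN: parameters present but require_ssl is not among them
resource "aws_redshift_parameter_group" "parameters_without_require_ssl" {
  name   = "foobar"
  family = "redshift-1.0"

  parameter {
    name  = "enable_user_activity_logging"
    value = "true"
  }

  parameter {
    name  = "query_group"
    value = "example"
  }
}
```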
@@ -0,0 +1,22 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+ - "*.tf"
+ - "*.tfvars"
+rules:
+
+ - id: REDSHIFT_CLUSTER_PARAMETER_GROUP_USER_ACTIVITY_LOGGING
+ message: RedshiftCluster Parameter Group should set enable_user_activity_logging to true
+ resource: aws_redshift_parameter_group
+ severity: FAILURE
+ assertions:
+ - exactly-one:
+ key: parameter
+ expressions:
+ - key: name
+ op: eq
+ value: enable_user_activity_logging
+ - key: value
+ op: is-true
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf
new file mode 100644
index 0000000..fb32475
--- /dev/null
+++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/terraform12/user_logging.tf
@@ -0,0 +1,55 @@
+# Test that user activity logging is enabled
+# https://www.terraform.io/docs/providers/aws/r/redshift_parameter_group.html
+
+# FAIL: enable_user_activity_logging is not set
+resource "aws_redshift_parameter_group" "logging_not_set" {
+ name = "foobar"
+ family = "redshift-1.0"
+
+ parameter {
+ name = "require_ssl"
+ value = "true"
+ }
+}
+
+# FAIL: enable_user_activity_logging is false
+resource "aws_redshift_parameter_group" "logging_set_to_false" {
+ name = "foobar"
+ family = "redshift-1.0"
+
+ parameter {
+ name = "require_ssl"
+ value = "false"
+ }
+
+ parameter {
+ name = "enable_user_activity_logging"
+ value = "false"
+ }
+
+ parameter {
+ name = "query_group"
+ value = "example"
+ }
+}
+
+# PASS: enable_user_activity_logging is set to true
+resource "aws_redshift_parameter_group" "logging_set_to_true" {
+ name = "foobar"
+ family = "redshift-1.0"
+
+ parameter {
+ name = "require_ssl"
+ value = "true"
+ }
+
+ parameter {
+ name = "enable_user_activity_logging"
+ value = "true"
+ }
+
+ parameter {
+ name = "query_group"
+ value = "example"
+ }
+}
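Review bot: The new rule's `description: Terraform rules` and its message `RedshiftCluster Parameter Group should set enable_user_activity_logging to true` tell a reader nothing about why the setting matters or that it is only half of the control; a comment above the `- id:` entry would help, e.g. `# User activity logging records each query run against the cluster. The parameter alone writes nothing: audit logging must also be enabled on the aws_redshift_cluster (its logging block) for the log to be delivered.` The message also says `RedshiftCluster Parameter Group` while the resource is `aws_redshift_parameter_group`; `Redshift parameter group` reads better and matches the rule id. As with the require_ssl rule, `exactly-one` presumably fails a group that lists the parameter twice even when both entries are true; if that is intended, say so in the message, and if not, the matching form needs to be reconsidered.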
diff --git a/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml
new file mode 100644
index 0000000..2d16a3f
--- /dev/null
+++ b/cli/assets/terraform/aws/redshift/redshift_parameter_group/user_logging/tests/test.yml
@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+ - "*.tf"
+ - "*.tfvars"
+tests:
+ -
+ ruleId: REDSHIFT_CLUSTER_PARAMETER_GROUP_USER_ACTIVITY_LOGGING
+ warnings: 0
+ failures: 2
+ tags:
+ - "terraform12"