Adding tests for external ALB and NLB

trussworks · Aug 11, 2020 · 39ae2a2 · 39ae2a2
1 parent 58323fb
commit 39ae2a2
Show file tree

Hide file tree

Showing 8 changed files with 175 additions and 0 deletions.
diff --git a/examples/alb_remote/main.tf b/examples/alb_remote/main.tf
@@ -0,0 +1,16 @@
+# Testing the log bucket has a certain policy. Spinning up an ALB won't work as the
+# s3 prefix is different since the ALB will be using local Account ID, not the
+# external_account
+module "aws_logs" {
+  source = "../../"
+
+  s3_bucket_name    = var.test_name
+  alb_logs_prefixes = var.alb_logs_prefixes
+  region            = var.region
+  allow_alb         = true
+  default_allow     = false
+
+  alb_account = var.alb_external_account
+
+  force_destroy = var.force_destroy
+}
diff --git a/examples/alb_remote/providers.tf b/examples/alb_remote/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  version = "~> 2.70"
+}
diff --git a/examples/alb_remote/variables.tf b/examples/alb_remote/variables.tf
@@ -0,0 +1,23 @@
+variable "test_name" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
+variable "vpc_azs" {
+  type = list(string)
+}
+
+variable "force_destroy" {
+  type = bool
+}
+
+variable "alb_external_account" {
+  type = string
+}
+
+variable "alb_logs_prefixes" {
+  type = list(string)
+}
diff --git a/examples/nlb_remote/main.tf b/examples/nlb_remote/main.tf
@@ -0,0 +1,16 @@
+# Testing the log bucket has a certain policy. Spinning up an ALB won't work as the
+# s3 prefix is different since the ALB will be using local Account ID, not the
+# external_account
+module "aws_logs" {
+  source = "../../"
+
+  s3_bucket_name    = var.test_name
+  nlb_logs_prefixes = var.nlb_logs_prefixes
+  region            = var.region
+  allow_nlb         = true
+  default_allow     = false
+
+  nlb_account = var.nlb_external_account
+
+  force_destroy = var.force_destroy
+}
diff --git a/examples/nlb_remote/providers.tf b/examples/nlb_remote/providers.tf
@@ -0,0 +1,3 @@
+provider "aws" {
+  version = "~> 2.70"
+}
diff --git a/examples/nlb_remote/variables.tf b/examples/nlb_remote/variables.tf
@@ -0,0 +1,23 @@
+variable "test_name" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
+variable "vpc_azs" {
+  type = list(string)
+}
+
+variable "force_destroy" {
+  type = bool
+}
+
+variable "nlb_external_account" {
+  type = string
+}
+
+variable "nlb_logs_prefixes" {
+  type = list(string)
+}
diff --git a/test/terraform_aws_logs_alb_test.go b/test/terraform_aws_logs_alb_test.go
@@ -9,8 +9,27 @@ import (
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/gruntwork-io/terratest/modules/terraform"
 	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
+	"github.com/stretchr/testify/require"
 )
 
+func AssertS3BucketPolicyAllowExternalALB(t *testing.T, region string, bucketName string, prefix string, externalAccount string) {
+	pattern := fmt.Sprintf(`"Action":"s3:PutObject","Resource":"arn:aws:s3:::%s/%s/AWSLogs/%s/*"`, bucketName, prefix, externalAccount)
+	err := AssertS3BucketPolicyContains(t, region, bucketName, pattern)
+	require.NoError(t, err)
+
+}
+
+func AssertS3BucketPolicyContains(t *testing.T, region string, bucketName string, pattern string) error {
+	policy, err := aws.GetS3BucketPolicyE(t, region, bucketName)
+	require.NoError(t, err)
+
+	if !strings.Contains(policy, pattern) {
+		return fmt.Errorf("could not find pattern: %s in policy: %s", pattern, policy)
+	}
+
+	return nil
+}
+
 func TestTerraformAwsLogsAlb(t *testing.T) {
 	t.Parallel()
 
@@ -62,3 +81,35 @@ func TestTerraformAwsLogsAlbRootPrefix(t *testing.T) {
 	defer terraform.Destroy(t, terraformOptions)
 	terraform.InitAndApply(t, terraformOptions)
 }
+
+func TestTerraformAwsLogsAlbAccount(t *testing.T) {
+	t.Parallel()
+
+	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, "../", "examples/alb_remote")
+	testName := fmt.Sprintf("terratest-aws-logs-%s", strings.ToLower(random.UniqueId()))
+	awsRegion := "us-west-2"
+	externalAlbAccount := "222222222222"
+	prefix := "alb"
+	vpcAzs := aws.GetAvailabilityZones(t, awsRegion)[:3]
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: tempTestFolder,
+		Vars: map[string]interface{}{
+			"region":               awsRegion,
+			"vpc_azs":              vpcAzs,
+			"alb_external_account": externalAlbAccount,
+			"test_name":            testName,
+			"force_destroy":        true,
+			"alb_logs_prefixes":    []string{prefix},
+		},
+		EnvVars: map[string]string{
+			"AWS_DEFAULT_REGION": awsRegion,
+		},
+	}
+
+	defer terraform.Destroy(t, terraformOptions)
+	terraform.InitAndApply(t, terraformOptions)
+
+	// let us check to make sure the resource contains the alb_account
+	AssertS3BucketPolicyAllowExternalALB(t, awsRegion, testName, prefix, externalAlbAccount)
+}
diff --git a/test/terraform_aws_logs_nlb_test.go b/test/terraform_aws_logs_nlb_test.go
@@ -9,8 +9,16 @@ import (
 	"github.com/gruntwork-io/terratest/modules/random"
 	"github.com/gruntwork-io/terratest/modules/terraform"
 	test_structure "github.com/gruntwork-io/terratest/modules/test-structure"
+	"github.com/stretchr/testify/require"
 )
 
+func AssertS3BucketPolicyAllowExternalNLB(t *testing.T, region string, bucketName string, prefix string, externalAccount string) {
+	pattern := fmt.Sprintf(`"Action":"s3:PutObject","Resource":"arn:aws:s3:::%s/%s/AWSLogs/%s/*"`, bucketName, prefix, externalAccount)
+	err := AssertS3BucketPolicyContains(t, region, bucketName, pattern)
+	require.NoError(t, err)
+
+}
+
 func TestTerraformAwsLogsNlb(t *testing.T) {
 	t.Parallel()
 
@@ -62,3 +70,35 @@ func TestTerraformAwsLogsNlbRootPrefix(t *testing.T) {
 	defer terraform.Destroy(t, terraformOptions)
 	terraform.InitAndApply(t, terraformOptions)
 }
+
+func TestTerraformAwsLogsNlbAccount(t *testing.T) {
+	t.Parallel()
+
+	tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, "../", "examples/nlb_remote")
+	testName := fmt.Sprintf("terratest-aws-logs-%s", strings.ToLower(random.UniqueId()))
+	awsRegion := "us-west-2"
+	externalAlbAccount := "222222222222"
+	prefix := "nlb"
+	vpcAzs := aws.GetAvailabilityZones(t, awsRegion)[:3]
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: tempTestFolder,
+		Vars: map[string]interface{}{
+			"region":               awsRegion,
+			"vpc_azs":              vpcAzs,
+			"nlb_external_account": externalAlbAccount,
+			"test_name":            testName,
+			"force_destroy":        true,
+			"nlb_logs_prefixes":    []string{prefix},
+		},
+		EnvVars: map[string]string{
+			"AWS_DEFAULT_REGION": awsRegion,
+		},
+	}
+
+	defer terraform.Destroy(t, terraformOptions)
+	terraform.InitAndApply(t, terraformOptions)
+
+	// let us check to make sure the resource contains the alb_account
+	AssertS3BucketPolicyAllowExternalALB(t, awsRegion, testName, prefix, externalAlbAccount)
+}