terraform-compliance / cli

a lightweight, security focused, BDD test framework against terraform.
https://terraform-compliance.com
MIT License

How do I define a scenario for a required related resource #645

Open murcikan-scottlogic opened 2 years ago

murcikan-scottlogic commented 2 years ago

Is there a way to define a required related resource e.g.

```gherkin
GIVEN I have aws_s3_bucket defined
THEN aws_s3_bucket_server_side_encryption_configuration resource must exist
AND it must have bucket
AND it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
```

This issue is rather similar but given this TF:

```hcl
resource "aws_s3_bucket" "bckt1" {
  bucket = "bucket_1"
}

resource "aws_s3_bucket" "bckt2" {
  bucket = "bucket_2"
}

resource "aws_s3_bucket_server_side_encryption_configuration" "sse1" {
  bucket = aws_s3_bucket.bckt1.id
  rule {}
}
```

the following scenario succeeds:

```gherkin
@noskip
  Scenario: Ensure all S3 buckets have server side encryption
    Given I have aws_s3_bucket defined
    Given I have aws_s3_bucket_server_side_encryption_configuration defined
    Then it must have bucket
    Then it must be in {aws_s3_bucket_server_side_encryption_configuration.values.bucket}
```

even though bucket_2 doesn't have a corresponding server side encryption.

I would like to make sure that standalone logging, versioning, encryption and similar s3 bucket resources exist for every s3 bucket.
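An added example (not terraform-compliance code and not the issue author's) of the cross-resource check the post asks for, implemented directly over the `configuration` section of `terraform show -json` plan output, where each resource's `expressions.bucket.references` lists the addresses it refers to. The sample plan below is constructed to mirror the three resources in the issue, and the set of required companion types is an assumption that can be extended with logging or versioning resources.

```python
"""Report aws_s3_bucket resources that lack a required companion resource
(e.g. server-side encryption configuration) in a Terraform plan JSON."""
import json
import sys

# Constructed sample mirroring the 'configuration' section that
# 'terraform show -json' emits for the resources in the issue.
SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    {"address": "aws_s3_bucket.bckt1", "type": "aws_s3_bucket", "name": "bckt1",
     "expressions": {"bucket": {"constant_value": "bucket_1"}}},
    {"address": "aws_s3_bucket.bckt2", "type": "aws_s3_bucket", "name": "bckt2",
     "expressions": {"bucket": {"constant_value": "bucket_2"}}},
    {"address": "aws_s3_bucket_server_side_encryption_configuration.sse1",
     "type": "aws_s3_bucket_server_side_encryption_configuration", "name": "sse1",
     "expressions": {"bucket": {"references": ["aws_s3_bucket.bckt1.id",
                                                "aws_s3_bucket.bckt1"]}}},
]}}}

# Assumed policy: every bucket needs one of each of these companion types.
REQUIRED_COMPANIONS = {"aws_s3_bucket_server_side_encryption_configuration"}


def bucket_address(reference):
    """'aws_s3_bucket.bckt1.id' -> 'aws_s3_bucket.bckt1' (type.name only)."""
    return ".".join(reference.split(".")[:2])


def missing_companions(plan, required=REQUIRED_COMPANIONS):
    """Return {bucket_address: [missing companion types]} for the root module."""
    resources = plan["configuration"]["root_module"].get("resources", [])
    buckets = {r["address"] for r in resources if r["type"] == "aws_s3_bucket"}
    covered = {t: set() for t in required}
    for res in resources:
        if res["type"] in covered:
            refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
            covered[res["type"]].update(bucket_address(ref) for ref in refs)
    report = {}
    for bucket in sorted(buckets):
        gaps = sorted(t for t in required if bucket not in covered[t])
        if gaps:
            report[bucket] = gaps
    return report


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for bucket, gaps in missing_companions(plan).items():
        print(f"{bucket} is missing: {', '.join(gaps)}")
```

Run it as `python check.py plan.json` after `terraform show -json tfplan > plan.json`; with the constructed sample it reports only `aws_s3_bucket.bckt2`.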