Add AWS CFT as an IaC Provider #815
Conversation
|
@amirbenv Kindly have a look at this PR. |
sigmabaryon
force-pushed
the
iac-provider-cft
branch
2 times, most recently
from
0c29f46
to
166c63b
Compare
There was a problem hiding this comment.
Hi @mahendrabagul, @sigmabaryon,
Please add headers missing in go files for config mappers.
Codecov Report
@@ Coverage Diff @@
## master #815 +/- ##
==========================================
+ Coverage 74.95% 78.22% +3.27%
==========================================
Files 113 162 +49
Lines 3466 4354 +888
==========================================
+ Hits 2598 3406 +808
- Misses 676 734 +58
- Partials 192 214 +22
|
| case YAMLExtension: | ||
| fallthrough | ||
| case YAMLExtension2: | ||
| iacDocuments, err = utils.LoadYAML(absFilePath) |
There was a problem hiding this comment.
utils.LoadYAML is not very useful here, because the number of iac documents is always going to be 1.
Also, using this function is adding extra code as it removes the intrinsic tags.
There was a problem hiding this comment.
I agree with @patilpankaj212. It is not necessary to use utils.LoadYAML(). In this particular case. The file data is being parsed multiple number of times which redundant and unnecessary.
We can implement our own loader and optimize.
| // intrinsic tags for cloudformation templates | ||
| // (!Ref, !Fn::<> etc are removed and resolved to a string | ||
| // which disables parameter resolution by goformation) | ||
| if fileExt != JSONExtension { |
There was a problem hiding this comment.
we should be able to avoid this step by using a different yaml loader.
| typeOnly bool | ||
| want output.AllResourceConfigs | ||
| wantErr error | ||
| }{} |
There was a problem hiding this comment.
please add unit tests.
| // Map transforms the provider specific template to terrascan native format. | ||
| func (m cftMapper) Map(doc *utils.IacDocument, params ...map[string]interface{}) (output.AllResourceConfigs, error) { | ||
| allRC := make(map[string][]output.ResourceConfig) | ||
| t, err := extractTemplate(doc) |
There was a problem hiding this comment.
any unmarshalling errors by the goformation library are also logged to console. eg:
ERROR: json: cannot unmarshal string into Go struct field SecurityGroup_Ingress.Properties.SecurityGroupIngress.FromPort of type int
we should see how these logs can be suppressed.
|
CFT supports modules https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/modules.html |
|
|
||
| // aws_iam_role_policy as a SubResource | ||
| // multiple Policies can be defined for a resource in cft | ||
| if r.Policies != nil { |
There was a problem hiding this comment.
is it required to create a separate resource for policies when the policy could be part of iam role properties?
There was a problem hiding this comment.
It is required because Policy is just a property in CloudFormation but a resource in terraform. There are many other resources where this is the case.
There was a problem hiding this comment.
Thanks @sigmabaryon. In that case should it also be part of the respective cft resource properties? What is your opinion on this @kanchwala-yusuf ?
Co-authored-by: Mahendra Bagul <bagulm123@gmail.com>
mahendrabagul
force-pushed
the
iac-provider-cft
branch
from
26b76cc
to
8cebb68
Compare
| for i := 1; i < len(dirList); i++ { | ||
| dir := dirList[i] | ||
| t.Run(dir, func(t *testing.T) { | ||
| _, gotErr := cftv1.LoadIacDir(dir, false) |
There was a problem hiding this comment.
we should be verifying the output of LoadDir to an expected output.
| dir := dirList[i] | ||
| t.Run(dir, func(t *testing.T) { | ||
| _, gotErr := cftv1.LoadIacDir(dir, false) | ||
| _, ok := gotErr.(*multierror.Error) |
There was a problem hiding this comment.
this assertion doesn't seem to be correct, we are just expecting the type of error to be multi-error. we should be asserting on expected errors (if any)
| } | ||
| } | ||
|
|
||
| func TestCFTMapper(t *testing.T) { |
There was a problem hiding this comment.
I think the right place for mapper tests is in mapper package.
mahendrabagul
force-pushed
the
iac-provider-cft
branch
from
0898808
to
6292a6d
Compare
mahendrabagul
force-pushed
the
iac-provider-cft
branch
2 times, most recently
from
5efeac3
to
84f2681
Compare
mahendrabagul
force-pushed
the
iac-provider-cft
branch
from
84f2681
to
2874061
Compare
|
Kudos, SonarCloud Quality Gate passed!
|
The PR adds AWS CFT as an IaC Provider for terrascan. Here is a quick run:
This allows terrascan users to validate their CF templates against the existing policies for AWS. For example: