diff --git a/aws/awschecks/awschecks.go b/aws/awschecks/awschecks.go index f3285bc..5eba58d 100644 --- a/aws/awschecks/awschecks.go +++ b/aws/awschecks/awschecks.go @@ -4,8 +4,8 @@ import ( "fmt" "reflect" - "github.com/aws/aws-sdk-go-v2/service/ec2/types" ec2Types "github.com/aws/aws-sdk-go-v2/service/ec2/types" + "github.com/padok-team/yatas-aws/logger" "github.com/padok-team/yatas/plugins/commons" ) @@ -22,6 +22,10 @@ type CheckDefinition struct { func CheckResources(checkConfig commons.CheckConfig, resources []interface{}, checkDefinitions []CheckDefinition) { for _, checkDefinition := range checkDefinitions { + // if !checkConfig.ConfigYatas.CheckExclude(checkDefinition.Title) && checkConfig.ConfigYatas.CheckInclude(checkDefinition.Title) { + // checkConfig.Wg.Add(1) + // logger.Logger.Info("Running check: " + checkDefinition.Title) + // } check := createCheck(checkDefinition) for _, resource := range resources { result := checkResource(resource, checkDefinition.ConditionFn, checkDefinition.SuccessMessage, checkDefinition.FailureMessage) @@ -33,6 +37,7 @@ func CheckResources(checkConfig commons.CheckConfig, resources []interface{}, ch func createCheck(checkDefinition CheckDefinition) commons.Check { var check commons.Check + logger.Logger.Info("Creating check: " + checkDefinition.Title) check.InitCheck(checkDefinition.Description, checkDefinition.Description, checkDefinition.Title, checkDefinition.Tags) return check } @@ -61,27 +66,3 @@ func getResourceID(resource interface{}) string { return "" } } - -func Ec2MonitoringEnabledCondition(resource interface{}) bool { - instance, ok := resource.(*types.Instance) - if !ok { - return false - } - return instance.Monitoring.State == types.MonitoringStateEnabled -} - -func Ec2PublicIPCondition(resource interface{}) bool { - instance, ok := resource.(*types.Instance) - if !ok { - return false - } - return instance.PublicIpAddress == nil -} - -func Ec2RunningInVPCCondition(resource interface{}) bool { - instance, ok := resource.(*types.Instance) - if !ok { - return false - } - return instance.VpcId != nil && *instance.VpcId != "" -} diff --git a/aws/ec2/ec2.go b/aws/ec2/ec2.go index a584ec7..a823320 100644 --- a/aws/ec2/ec2.go +++ b/aws/ec2/ec2.go @@ -22,7 +22,7 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [ Title: "AWS_EC2_001", Description: "Check if all instances have monitoring enabled", Tags: []string{"Security", "Good Practice"}, - ConditionFn: awschecks.Ec2MonitoringEnabledCondition, + ConditionFn: Ec2MonitoringEnabledCondition, SuccessMessage: "EC2 instance has monitoring enabled", FailureMessage: "EC2 instance has no monitoring enabled", }, @@ -30,7 +30,7 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [ Title: "AWS_EC2_002", Description: "Check if all instances have a public IP", Tags: []string{"Security", "Good Practice"}, - ConditionFn: awschecks.Ec2PublicIPCondition, + ConditionFn: Ec2PublicIPCondition, SuccessMessage: "EC2 instance has no public IP", FailureMessage: "EC2 instance has a public IP", }, @@ -38,7 +38,7 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [ Title: "AWS_EC2_003", Description: "Check if instances are running in a Virtual Private Cloud (VPC)", Tags: []string{"Security", "Good Practice"}, - ConditionFn: awschecks.Ec2RunningInVPCCondition, + ConditionFn: Ec2RunningInVPCCondition, SuccessMessage: "EC2 instance is running in a VPC", FailureMessage: "EC2 instance is not running in a VPC", }, @@ -49,11 +49,8 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [ for _, instance := range instances { resources = append(resources, instance) } - checkConfig.Wg.Add(3) go awschecks.CheckResources(checkConfig, resources, ec2Checks) - go commons.CheckTest(checkConfig.Wg, c, "AWS_EC2_001", CheckIfEC2PublicIP)(checkConfig, instances, "AWS_EC2_001") - go commons.CheckTest(checkConfig.Wg, c, "AWS_EC2_002", CheckIfMonitoringEnabled)(checkConfig, instances, "AWS_EC2_002") go func() { for t := range checkConfig.Queue { diff --git a/aws/ec2/ec2Conditions.go b/aws/ec2/ec2Conditions.go new file mode 100644 index 0000000..13e38cb --- /dev/null +++ b/aws/ec2/ec2Conditions.go @@ -0,0 +1,31 @@ +package ec2 + +import ( + "github.com/aws/aws-sdk-go-v2/service/ec2/types" +) + +func Ec2MonitoringEnabledCondition(resource interface{}) bool { + instance, ok := resource.(*types.Instance) + if !ok { + return false + } + return instance.Monitoring.State == types.MonitoringStateEnabled +} + +func Ec2PublicIPCondition(resource interface{}) bool { + instance, ok := resource.(*types.Instance) + if !ok { + return false + } + return instance.PublicIpAddress == nil +} + +func Ec2RunningInVPCCondition(resource interface{}) bool { + instance, ok := resource.(*types.Instance) + if !ok { + return false + } + return instance.VpcId != nil && *instance.VpcId != "" +} + +// Generate unit test functions for each condition diff --git a/aws/ec2/ec2Conditions_test.go b/aws/ec2/ec2Conditions_test.go new file mode 100644 index 0000000..8705947 --- /dev/null +++ b/aws/ec2/ec2Conditions_test.go @@ -0,0 +1,95 @@ +package ec2 + +import ( + "testing" + + "github.com/aws/aws-sdk-go-v2/service/ec2/types" +) + +// Generate unit tests for EC2 + +func TestEc2MonitoringEnabledCondition(t *testing.T) { + type args struct { + resource interface{} + } + tests := []struct { + name string + args args + want bool + }{ + { + name: "TestEc2MonitoringEnabledCondition", + args: args{ + resource: &types.Instance{ + Monitoring: &types.Monitoring{ + State: types.MonitoringStateEnabled, + }, + }, + }, + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Ec2MonitoringEnabledCondition(tt.args.resource); got != tt.want { + t.Errorf("Ec2MonitoringEnabledCondition() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestEc2PublicIPCondition(t *testing.T) { + type args struct { + resource interface{} + } + tests := []struct { + name string + args args + want bool + }{ + { + name: "TestEc2PublicIPCondition", + args: args{ + resource: &types.Instance{ + PublicIpAddress: nil, + }, + }, + want: true, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Ec2PublicIPCondition(tt.args.resource); got != tt.want { + t.Errorf("Ec2PublicIPCondition() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestEc2RunningInVPCCondition(t *testing.T) { + type args struct { + resource interface{} + } + tests := []struct { + name string + args args + want bool + }{ + { + name: "TestEc2RunningInVPCCondition", + args: args{ + resource: &types.Instance{ + VpcId: nil, + }, + }, + want: false, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Ec2RunningInVPCCondition(tt.args.resource); got != tt.want { + t.Errorf("Ec2RunningInVPCCondition() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/aws/ec2/ec2Monitoring.go b/aws/ec2/ec2Monitoring.go deleted file mode 100644 index 429ec92..0000000 --- a/aws/ec2/ec2Monitoring.go +++ /dev/null @@ -1,23 +0,0 @@ -package ec2 - -import ( - "github.com/aws/aws-sdk-go-v2/service/ec2/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfMonitoringEnabled(checkConfig commons.CheckConfig, instances []types.Instance, testName string) { - var check commons.Check - check.InitCheck("EC2s have the monitoring option enabled", "Check if all instances have monitoring enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.Monitoring.State != types.MonitoringStateEnabled { - Message := "EC2 instance " + *instance.InstanceId + " has no monitoring enabled" - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.InstanceId} - check.AddResult(result) - } else { - Message := "EC2 instance " + *instance.InstanceId + " has monitoring enabled" - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.InstanceId} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/ec2/ec2Monitoring_test.go b/aws/ec2/ec2Monitoring_test.go deleted file mode 100644 index d7dcdb4..0000000 --- a/aws/ec2/ec2Monitoring_test.go +++ /dev/null @@ -1,104 +0,0 @@ -package ec2 - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/ec2/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfMonitoringEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.Instance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "TestCheckIfMonitoringEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.Instance{ - { - InstanceId: aws.String("i-12345678"), - PublicIpAddress: aws.String("192828282828"), - Monitoring: &types.Monitoring{ - State: types.MonitoringStateEnabled, - }, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfMonitoringEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckifEC2MonitoringEnabled() = %v, want %v", check.Status, "PASS") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - - } -} - -func TestCheckIfMonitoringEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.Instance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "TestCheckIfMonitoringEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.Instance{ - { - InstanceId: aws.String("i-12345678"), - PublicIpAddress: aws.String("192828282828"), - Monitoring: &types.Monitoring{ - State: types.MonitoringStateDisabled, - }, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfMonitoringEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckifEC2MonitoringEnabled() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - - } -} diff --git a/aws/ec2/ec2PublicIp.go b/aws/ec2/ec2PublicIp.go deleted file mode 100644 index 3819805..0000000 --- a/aws/ec2/ec2PublicIp.go +++ /dev/null @@ -1,23 +0,0 @@ -package ec2 - -import ( - "github.com/aws/aws-sdk-go-v2/service/ec2/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfEC2PublicIP(checkConfig commons.CheckConfig, instances []types.Instance, testName string) { - var check commons.Check - check.InitCheck("EC2s don't have a public IP", "Check if all instances have a public IP", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.PublicIpAddress != nil { - Message := "EC2 instance " + *instance.InstanceId + " has a public IP" + *instance.PublicIpAddress - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.InstanceId} - check.AddResult(result) - } else { - Message := "EC2 instance " + *instance.InstanceId + " has no public IP " - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.InstanceId} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/ec2/ec2PublicIp_test.go b/aws/ec2/ec2PublicIp_test.go deleted file mode 100644 index c58261a..0000000 --- a/aws/ec2/ec2PublicIp_test.go +++ /dev/null @@ -1,95 +0,0 @@ -package ec2 - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/ec2/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfEC2PublicIPFAIL(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.Instance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "TestCheckIfEC2PublicIP", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.Instance{ - { - InstanceId: aws.String("i-12345678"), - PublicIpAddress: aws.String("192828282828"), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfEC2PublicIP(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckifEC2PublicIP() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func TestCheckIfEC2PublicIP(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.Instance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "TestCheckIfEC2PublicIP", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.Instance{ - { - InstanceId: aws.String("i-12345678"), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfEC2PublicIP(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckifEC2PublicIP() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/lambda/lambda.go b/aws/lambda/lambda.go index 0634136..302c45d 100644 --- a/aws/lambda/lambda.go +++ b/aws/lambda/lambda.go @@ -18,7 +18,7 @@ func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan [ go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_001", CheckIfLambdaPrivate)(checkConfig, lambdas, "AWS_LMD_001") go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_002", CheckIfLambdaInSecurityGroup)(checkConfig, lambdas, "AWS_LMD_002") go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_003", CheckIfLambdaNoErrors)(checkConfig, lambdas, "AWS_LMD_003") - go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_004", CheckIfLambdaNoSecrets)(checkConfig, lambdas, "AWS_LMD_004") + // go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_004", CheckIfLambdaNoSecrets)(checkConfig, lambdas, "AWS_LMD_004") go commons.CheckTest(checkConfig.Wg, c, "AWS_LMD_005", CheckIfLambdaUrlAuth)(checkConfig, lambdaUrlConfigs, "AWS_LMD_005") go func() { for t := range checkConfig.Queue { diff --git a/aws/rds/rds.go b/aws/rds/rds.go index 4e7c647..22987a9 100644 --- a/aws/rds/rds.go +++ b/aws/rds/rds.go @@ -5,43 +5,258 @@ import ( "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/rds" + "github.com/aws/aws-sdk-go-v2/service/rds/types" + "github.com/padok-team/yatas-aws/aws/awschecks" "github.com/padok-team/yatas/plugins/commons" + "github.com/padok-team/yatas/plugins/logger" ) func RunChecks(wa *sync.WaitGroup, s aws.Config, c *commons.Config, queue chan []commons.Check) { - var checkConfig commons.CheckConfig checkConfig.Init(c) var checks []commons.Check - svc := rds.NewFromConfig(s) + svc := rds.NewFromConfig(s) instances := GetListRDS(svc) clusters := GetListDBClusters(svc) - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_001", checkIfEncryptionEnabled)(checkConfig, instances, "AWS_RDS_001") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_002", checkIfBackupEnabled)(checkConfig, instances, "AWS_RDS_002") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_003", checkIfAutoUpgradeEnabled)(checkConfig, instances, "AWS_RDS_003") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_004", checkIfRDSPrivateEnabled)(checkConfig, instances, "AWS_RDS_004") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_005", CheckIfLoggingEnabled)(checkConfig, instances, "AWS_RDS_005") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_006", CheckIfDeleteProtectionEnabled)(checkConfig, instances, "AWS_RDS_006") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_007", checkIfClusterAutoUpgradeEnabled)(checkConfig, clusters, "AWS_RDS_007") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_008", checkIfClusterBackupEnabled)(checkConfig, clusters, "AWS_RDS_008") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_009", CheckIfClusterDeleteProtectionEnabled)(checkConfig, clusters, "AWS_RDS_009") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_010", checkIfClusterEncryptionEnabled)(checkConfig, clusters, "AWS_RDS_010") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_011", CheckIfClusterLoggingEnabled)(checkConfig, clusters, "AWS_RDS_011") - go commons.CheckTest(checkConfig.Wg, c, "AWS_RDS_012", checkIfClusterRDSPrivateEnabled)(checkConfig, clusters, "AWS_RDS_012") + rdsChecks := []awschecks.CheckDefinition{ + { + Title: "AWS_RDS_001", + Description: "Check if encryption is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfEncryptionEnabled, + SuccessMessage: "RDS instance is encrypted", + FailureMessage: "RDS instance is not encrypted", + }, + { + Title: "AWS_RDS_002", + Description: "Check if backup is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfBackupEnabled, + SuccessMessage: "RDS instance has backup enabled", + FailureMessage: "RDS instance has no backup enabled", + }, + { + Title: "AWS_RDS_003", + Description: "Check if auto upgrade is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfAutoUpgradeEnabled, + SuccessMessage: "RDS instance has auto upgrade enabled", + FailureMessage: "RDS instance has no auto upgrade enabled", + }, + { + Title: "AWS_RDS_004", + Description: "Check if RDS instance is private", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfRDSPrivateEnabled, + SuccessMessage: "RDS instance is private", + FailureMessage: "RDS instance is not private", + }, + { + Title: "AWS_RDS_005", + Description: "Check if logging is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfLoggingEnabled, + SuccessMessage: "RDS instance has logging enabled", + FailureMessage: "RDS instance has no logging enabled", + }, + { + Title: "AWS_RDS_006", + Description: "Check if delete protection is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfDeleteProtectionEnabled, + SuccessMessage: "RDS instance has delete protection enabled", + FailureMessage: "RDS instance has no delete protection enabled", + }, + } + + rdsClusterChecks := []awschecks.CheckDefinition{ + { + Title: "AWS_RDS_007", + Description: "Check if cluster auto upgrade is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterAutoUpgradeEnabled, + SuccessMessage: "RDS cluster has auto upgrade enabled", + FailureMessage: "RDS cluster has no auto upgrade enabled", + }, + { + Title: "AWS_RDS_008", + Description: "Check if cluster backup is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterBackupEnabled, + SuccessMessage: "RDS cluster has backup enabled", + FailureMessage: "RDS cluster has no backup enabled", + }, + { + Title: "AWS_RDS_009", + Description: "Check if cluster delete protection is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterDeleteProtectionEnabled, + SuccessMessage: "RDS cluster has delete protection enabled", + FailureMessage: "RDS cluster has no delete protection enabled", + }, + { + Title: "AWS_RDS_010", + Description: "Check if cluster encryption is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterEncryptionEnabled, + SuccessMessage: "RDS cluster is encrypted", + FailureMessage: "RDS cluster is not encrypted", + }, + { + Title: "AWS_RDS_011", + Description: "Check if cluster logging is enabled", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterLoggingEnabled, + SuccessMessage: "RDS cluster has logging enabled", + FailureMessage: "RDS cluster has no logging enabled", + }, + { + Title: "AWS_RDS_012", + Description: "Check if cluster RDS instance is private", + Tags: []string{"Security", "Good Practice"}, + ConditionFn: CheckIfClusterRDSPrivateEnabled, + SuccessMessage: "RDS cluster instance is private", + FailureMessage: "RDS cluster instance is not private", + }, + } + + // Convert instances to a slice of interfaces + var resources []interface{} + for _, instance := range instances { + resources = append(resources, instance) + } + + var clusterResources []interface{} + for _, cluster := range clusters { + clusterResources = append(clusterResources, cluster) + } + + checkConfig.Wg.Add(12) + go awschecks.CheckResources(checkConfig, resources, rdsChecks) + go awschecks.CheckResources(checkConfig, clusterResources, rdsClusterChecks) go func() { for t := range checkConfig.Queue { t.EndCheck() checks = append(checks, t) - checkConfig.Wg.Done() } }() checkConfig.Wg.Wait() - + logger.Logger().Info("RDS checks done") + logger.Logger().Info("Lenght of checks: ", len(checks)) queue <- checks } + +// Example of a condition function +func CheckIfEncryptionEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return instance.StorageEncrypted +} + +func CheckIfBackupEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return instance.BackupRetentionPeriod != 0 +} + +func CheckIfAutoUpgradeEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return instance.AutoMinorVersionUpgrade +} + +func CheckIfRDSPrivateEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return !instance.PubliclyAccessible +} + +func CheckIfLoggingEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return len(instance.EnabledCloudwatchLogsExports) > 0 +} + +func CheckIfDeleteProtectionEnabled(resource interface{}) bool { + instance, ok := resource.(types.DBInstance) + if !ok { + return false + } + + return instance.DeletionProtection +} + +func CheckIfClusterAutoUpgradeEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return cluster.AutoMinorVersionUpgrade +} + +func CheckIfClusterBackupEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return *cluster.BackupRetentionPeriod != 0 +} + +func CheckIfClusterDeleteProtectionEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return *cluster.DeletionProtection +} + +func CheckIfClusterEncryptionEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return cluster.StorageEncrypted +} + +func CheckIfClusterLoggingEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return len(cluster.EnabledCloudwatchLogsExports) > 0 +} + +func CheckIfClusterRDSPrivateEnabled(resource interface{}) bool { + cluster, ok := resource.(types.DBCluster) + if !ok { + return false + } + + return cluster.PubliclyAccessible != nil && !*cluster.PubliclyAccessible +} diff --git a/aws/rds/rdsAutoUpgrade.go b/aws/rds/rdsAutoUpgrade.go deleted file mode 100644 index d35b8d3..0000000 --- a/aws/rds/rdsAutoUpgrade.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfAutoUpgradeEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS have minor versions automatically updated", "Check if RDS minor auto upgrade is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if !instance.AutoMinorVersionUpgrade { - Message := "RDS auto upgrade is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } else { - Message := "RDS auto upgrade is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsAutoUpgrade_test.go b/aws/rds/rdsAutoUpgrade_test.go deleted file mode 100644 index 40daba6..0000000 --- a/aws/rds/rdsAutoUpgrade_test.go +++ /dev/null @@ -1,101 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfAutoUpgradeEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfAutoUpgradeEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - AutoMinorVersionUpgrade: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfAutoUpgradeEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfAutoUpgrade() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfAutoUpgradeEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfAutoUpgradeEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - AutoMinorVersionUpgrade: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfAutoUpgradeEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - t.Logf("%v", check) - if check.Status != "FAIL" { - t.Errorf("CheckIfAutoUpgrade() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsBackup.go b/aws/rds/rdsBackup.go deleted file mode 100644 index 2639a8a..0000000 --- a/aws/rds/rdsBackup.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfBackupEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS are backedup automatically with PITR", "Check if RDS backup is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.BackupRetentionPeriod == 0 { - Message := "RDS backup is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } else { - Message := "RDS backup is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsBackup_test.go b/aws/rds/rdsBackup_test.go deleted file mode 100644 index 84dd0ac..0000000 --- a/aws/rds/rdsBackup_test.go +++ /dev/null @@ -1,100 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfBackupEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfBackupEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - BackupRetentionPeriod: 7, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfBackupEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfBackup() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfBackupEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfBackupEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - BackupRetentionPeriod: 0, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfBackupEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfBackup() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterAutoUpgrade.go b/aws/rds/rdsClusterAutoUpgrade.go deleted file mode 100644 index 09de005..0000000 --- a/aws/rds/rdsClusterAutoUpgrade.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfClusterAutoUpgradeEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora Clusters have minor versions automatically updated", "Check if Aurora RDS minor auto upgrade is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if !instance.AutoMinorVersionUpgrade { - Message := "RDS auto upgrade is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } else { - Message := "RDS auto upgrade is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterAutoUpgrade_test.go b/aws/rds/rdsClusterAutoUpgrade_test.go deleted file mode 100644 index e3f97e6..0000000 --- a/aws/rds/rdsClusterAutoUpgrade_test.go +++ /dev/null @@ -1,101 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfClusterAutoUpgradeEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - clusters []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfAutoUpgradeEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - clusters: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - AutoMinorVersionUpgrade: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterAutoUpgradeEnabled(tt.args.checkConfig, tt.args.clusters, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfAutoUpgrade() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfClusterAutoUpgradeEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - clusters []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfAutoUpgradeEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - clusters: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - AutoMinorVersionUpgrade: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterAutoUpgradeEnabled(tt.args.checkConfig, tt.args.clusters, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - t.Logf("%v", check) - if check.Status != "FAIL" { - t.Errorf("CheckIfAutoUpgrade() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterBackup.go b/aws/rds/rdsClusterBackup.go deleted file mode 100644 index 6efc40d..0000000 --- a/aws/rds/rdsClusterBackup.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfClusterBackupEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora RDS are backedup automatically with PITR", "Check if Aurora RDS backup is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.BackupRetentionPeriod == nil || *instance.BackupRetentionPeriod == 0 { - Message := "RDS backup is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } else { - Message := "RDS backup is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterBackup_test.go b/aws/rds/rdsClusterBackup_test.go deleted file mode 100644 index 30042a1..0000000 --- a/aws/rds/rdsClusterBackup_test.go +++ /dev/null @@ -1,100 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfClusterBackupEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfBackupEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - BackupRetentionPeriod: aws.Int32(1), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterBackupEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfBackup() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfClusterBackupEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfBackupEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - BackupRetentionPeriod: aws.Int32(0), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterBackupEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfBackup() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterDeleteProtected.go b/aws/rds/rdsClusterDeleteProtected.go deleted file mode 100644 index 4c8ea30..0000000 --- a/aws/rds/rdsClusterDeleteProtected.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfClusterDeleteProtectionEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora RDS have the deletion protection enabled", "Check if Aurora RDS delete protection is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.DeletionProtection != nil && *instance.DeletionProtection { - Message := "RDS delete protection is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } else { - Message := "RDS delete protection is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterDeleteProtected_test.go b/aws/rds/rdsClusterDeleteProtected_test.go deleted file mode 100644 index 0ab99fc..0000000 --- a/aws/rds/rdsClusterDeleteProtected_test.go +++ /dev/null @@ -1,100 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfClusterDeleteProtectionEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfDeleteProtectionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - DeletionProtection: aws.Bool(true), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfClusterDeleteProtectionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfDeleteProtected() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func TestCheckIfClusterDeleteProtectionEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfDeleteProtectionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - DeletionProtection: aws.Bool(false), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfClusterDeleteProtectionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfDeleteProtected() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterEncryption.go b/aws/rds/rdsClusterEncryption.go deleted file mode 100644 index 56bc2e3..0000000 --- a/aws/rds/rdsClusterEncryption.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfClusterEncryptionEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora RDS are encrypted", "Check if Aurora RDS encryption is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if !instance.StorageEncrypted { - Message := "RDS encryption is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } else { - Message := "RDS encryption is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterEncryption_test.go b/aws/rds/rdsClusterEncryption_test.go deleted file mode 100644 index 75385e9..0000000 --- a/aws/rds/rdsClusterEncryption_test.go +++ /dev/null @@ -1,98 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfClusterEncryptionEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfEncryptionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterEncryptionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfClusterEncryptionEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfEncryptionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterEncryptionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterLogging.go b/aws/rds/rdsClusterLogging.go deleted file mode 100644 index 7812777..0000000 --- a/aws/rds/rdsClusterLogging.go +++ /dev/null @@ -1,38 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfClusterLoggingEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora RDS logs are exported to cloudwatch", "Check if Aurora RDS logging is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.EnabledCloudwatchLogsExports != nil { - found := false - for _, export := range instance.EnabledCloudwatchLogsExports { - if export == "audit" { - Message := "RDS logging is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - found = true - - break - - } - } - if !found { - Message := "RDS logging is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - continue - } - } else { - Message := "RDS logging is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterLogging_test.go b/aws/rds/rdsClusterLogging_test.go deleted file mode 100644 index 1544104..0000000 --- a/aws/rds/rdsClusterLogging_test.go +++ /dev/null @@ -1,102 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfClusterLoggingEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfLoggingEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - EnabledCloudwatchLogsExports: []string{ - "audit", - }, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfClusterLoggingEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func TestCheckIfClusterLoggingEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfLoggingEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - EnabledCloudwatchLogsExports: nil, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfClusterLoggingEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsClusterPrivate.go b/aws/rds/rdsClusterPrivate.go deleted file mode 100644 index c3b177d..0000000 --- a/aws/rds/rdsClusterPrivate.go +++ /dev/null @@ -1,26 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfClusterRDSPrivateEnabled(checkConfig commons.CheckConfig, instances []types.DBCluster, testName string) { - var check commons.Check - check.InitCheck("Aurora RDS aren't publicly accessible", "Check if Aurora RDS private is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.PubliclyAccessible != nil && *instance.PubliclyAccessible { - Message := "RDS private is not enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - - } else { - - Message := "RDS private is enabled on " + *instance.DBClusterIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBClusterArn} - check.AddResult(result) - - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsClusterPrivate_test.go b/aws/rds/rdsClusterPrivate_test.go deleted file mode 100644 index b91ee60..0000000 --- a/aws/rds/rdsClusterPrivate_test.go +++ /dev/null @@ -1,102 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfClusterRDSPrivateEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfRDSPrivateEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - PubliclyAccessible: aws.Bool(false), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterRDSPrivateEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - - }) - } -} - -func Test_checkIfClusterRDSPrivateEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBCluster - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfRDSPrivateEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBCluster{ - { - DBClusterIdentifier: aws.String("test"), - DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - PubliclyAccessible: aws.Bool(true), - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfClusterRDSPrivateEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - - }) - } -} diff --git a/aws/rds/rdsDeleteProtected.go b/aws/rds/rdsDeleteProtected.go deleted file mode 100644 index d616c41..0000000 --- a/aws/rds/rdsDeleteProtected.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfDeleteProtectionEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS have the deletion protection enabled", "Check if RDS delete protection is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.DeletionProtection { - Message := "RDS delete protection is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } else { - Message := "RDS delete protection is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsDeleteProtected_test.go b/aws/rds/rdsDeleteProtected_test.go deleted file mode 100644 index 7a1ae69..0000000 --- a/aws/rds/rdsDeleteProtected_test.go +++ /dev/null @@ -1,100 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfDeleteProtectionEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfDeleteProtectionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - DeletionProtection: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfDeleteProtectionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfDeleteProtected() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func TestCheckIfDeleteProtectionEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfDeleteProtectionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - DeletionProtection: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfDeleteProtectionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfDeleteProtected() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsEncryption.go b/aws/rds/rdsEncryption.go deleted file mode 100644 index f075621..0000000 --- a/aws/rds/rdsEncryption.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfEncryptionEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS are encrypted", "Check if RDS encryption is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if !instance.StorageEncrypted { - Message := "RDS encryption is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } else { - Message := "RDS encryption is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsEncryption_test.go b/aws/rds/rdsEncryption_test.go deleted file mode 100644 index eb3a72e..0000000 --- a/aws/rds/rdsEncryption_test.go +++ /dev/null @@ -1,98 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfEncryptionEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfEncryptionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfEncryptionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func Test_checkIfEncryptionEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfEncryptionEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfEncryptionEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsLogging.go b/aws/rds/rdsLogging.go deleted file mode 100644 index 138b8e4..0000000 --- a/aws/rds/rdsLogging.go +++ /dev/null @@ -1,38 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func CheckIfLoggingEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS logs are exported to cloudwatch", "Check if RDS logging is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.EnabledCloudwatchLogsExports != nil { - found := false - for _, export := range instance.EnabledCloudwatchLogsExports { - if export == "audit" { - Message := "RDS logging is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - found = true - - break - - } - } - if !found { - Message := "RDS logging is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - continue - } - } else { - Message := "RDS logging is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsLogging_test.go b/aws/rds/rdsLogging_test.go deleted file mode 100644 index 3ddc76b..0000000 --- a/aws/rds/rdsLogging_test.go +++ /dev/null @@ -1,102 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func TestCheckIfLoggingEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfLoggingEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - EnabledCloudwatchLogsExports: []string{ - "audit", - }, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfLoggingEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} - -func TestCheckIfLoggingEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfLoggingEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - EnabledCloudwatchLogsExports: nil, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - CheckIfLoggingEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - }) - } -} diff --git a/aws/rds/rdsPrivate.go b/aws/rds/rdsPrivate.go deleted file mode 100644 index dce5403..0000000 --- a/aws/rds/rdsPrivate.go +++ /dev/null @@ -1,23 +0,0 @@ -package rds - -import ( - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func checkIfRDSPrivateEnabled(checkConfig commons.CheckConfig, instances []types.DBInstance, testName string) { - var check commons.Check - check.InitCheck("RDS aren't publicly accessible", "Check if RDS private is enabled", testName, []string{"Security", "Good Practice"}) - for _, instance := range instances { - if instance.PubliclyAccessible { - Message := "RDS private is not enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "FAIL", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } else { - Message := "RDS private is enabled on " + *instance.DBInstanceIdentifier - result := commons.Result{Status: "OK", Message: Message, ResourceID: *instance.DBInstanceArn} - check.AddResult(result) - } - } - checkConfig.Queue <- check -} diff --git a/aws/rds/rdsPrivate_test.go b/aws/rds/rdsPrivate_test.go deleted file mode 100644 index 18774d4..0000000 --- a/aws/rds/rdsPrivate_test.go +++ /dev/null @@ -1,102 +0,0 @@ -package rds - -import ( - "sync" - "testing" - - "github.com/aws/aws-sdk-go-v2/aws" - "github.com/aws/aws-sdk-go-v2/service/rds/types" - "github.com/padok-team/yatas/plugins/commons" -) - -func Test_checkIfRDSPrivateEnabled(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfRDSPrivateEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - PubliclyAccessible: false, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfRDSPrivateEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "OK" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "OK") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - - }) - } -} - -func Test_checkIfRDSPrivateEnabledFail(t *testing.T) { - type args struct { - checkConfig commons.CheckConfig - instances []types.DBInstance - testName string - } - tests := []struct { - name string - args args - }{ - { - name: "Test_checkIfRDSPrivateEnabled", - args: args{ - checkConfig: commons.CheckConfig{ - Wg: &sync.WaitGroup{}, - Queue: make(chan commons.Check, 1), - }, - instances: []types.DBInstance{ - { - DBInstanceIdentifier: aws.String("test"), - DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:test"), - StorageEncrypted: true, - PubliclyAccessible: true, - }, - }, - }, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - checkIfRDSPrivateEnabled(tt.args.checkConfig, tt.args.instances, tt.args.testName) - tt.args.checkConfig.Wg.Add(1) - go func() { - for check := range tt.args.checkConfig.Queue { - if check.Status != "FAIL" { - t.Errorf("CheckIfRDSPrivate() = %v, want %v", check.Status, "FAIL") - } - tt.args.checkConfig.Wg.Done() - } - }() - tt.args.checkConfig.Wg.Wait() - - }) - } -}