Updates test for refactored module

plus3it · Dec 27, 2023 · e46dad3 · e46dad3
1 parent 71b954f
commit e46dad3
Show file tree

Hide file tree

Showing 5 changed files with 241 additions and 76 deletions.
diff --git a/tests/basic_create/main.tf b/tests/basic_create/main.tf
diff --git a/tests/defaults/main.tf b/tests/defaults/main.tf
@@ -0,0 +1,80 @@
+module "config" {
+  source = "../../"
+
+  config = {
+    configuration_recorder = {
+      name = "tardigrade-config-${random_string.this.result}"
+    }
+
+    delivery_channel = {
+      s3_bucket_name = aws_s3_bucket_policy.this.id
+    }
+  }
+}
+
+resource "aws_s3_bucket" "this" {
+  bucket        = "tardigrade-config-${random_string.this.result}"
+  force_destroy = true
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AWSConfigBucketPermissionsCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:GetBucketAcl",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketExistenceCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:ListBucket",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketDelivery",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:PutObject",
+        "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+        "Condition": {
+          "StringEquals": {
+            "s3:x-amz-acl": "bucket-owner-full-control",
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "random_string" "this" {
+  length  = 6
+  numeric = false
+  upper   = false
+  special = false
+}
+
+data "aws_caller_identity" "current" {}
diff --git a/tests/exclude_specific_resources/main.tf b/tests/exclude_specific_resources/main.tf
@@ -1,25 +1,93 @@
-module "exclude_specific_resources" {
+module "config" {
   source = "../../"
 
-  name          = "tardigrade-config-${random_string.this.result}"
-  config_bucket = aws_s3_bucket.this.id
+  config = {
+    configuration_recorder = {
+      name            = "tardigrade-config-${random_string.this.result}"
+      recording_group = {
+        all_supported = false
 
-  exclude_resource_types = [
-    "AWS::EC2::Instance",
-    "AWS::CloudTrail::Trail",
-  ]
-}
+        exclusion_by_resource_types = {
+          resource_types = [
+            "AWS::SSM::ManagedInstanceInventory",
+          ]
+        }
 
-resource "random_string" "this" {
-  length  = 6
-  number  = false
-  upper   = false
-  special = false
+        recording_strategy = {
+          use_only = "EXCLUSION_BY_RESOURCE_TYPES"
+        }
+      }
+    }
+
+    delivery_channel = {
+      s3_bucket_name = aws_s3_bucket_policy.this.id
+    }
+  }
 }
 
 resource "aws_s3_bucket" "this" {
   bucket        = "tardigrade-config-${random_string.this.result}"
   force_destroy = true
 }
 
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AWSConfigBucketPermissionsCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:GetBucketAcl",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketExistenceCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:ListBucket",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketDelivery",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:PutObject",
+        "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+        "Condition": {
+          "StringEquals": {
+            "s3:x-amz-acl": "bucket-owner-full-control",
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "random_string" "this" {
+  length  = 6
+  numeric = false
+  upper   = false
+  special = false
+}
+
 data "aws_caller_identity" "current" {}
diff --git a/tests/include_and_exclude/main.tf b/tests/include_and_exclude/main.tf
diff --git a/tests/include_specific_resources/main.tf b/tests/include_specific_resources/main.tf
@@ -1,25 +1,92 @@
-module "include_specific_resources" {
+module "config" {
   source = "../../"
 
-  name          = "tardigrade-config-${random_string.this.result}"
-  config_bucket = aws_s3_bucket.this.id
+  config = {
+    configuration_recorder = {
+      name            = "tardigrade-config-${random_string.this.result}"
+      recording_group = {
+        all_supported = false
 
-  include_resource_types = [
-    "AWS::EC2::Instance",
-    "AWS::CloudTrail::Trail",
-  ]
-}
+        recording_strategy = {
+          use_only = "INCLUSION_BY_RESOURCE_TYPES"
+        }
 
-resource "random_string" "this" {
-  length  = 6
-  number  = false
-  upper   = false
-  special = false
+        resource_types = [
+          "AWS::EC2::Instance",
+          "AWS::CloudTrail::Trail",
+        ]
+      }
+    }
+
+    delivery_channel = {
+      s3_bucket_name = aws_s3_bucket_policy.this.id
+    }
+  }
 }
 
 resource "aws_s3_bucket" "this" {
   bucket        = "tardigrade-config-${random_string.this.result}"
   force_destroy = true
 }
 
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AWSConfigBucketPermissionsCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:GetBucketAcl",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketExistenceCheck",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:ListBucket",
+        "Resource": aws_s3_bucket.this.arn,
+        "Condition": {
+          "StringEquals": {
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      },
+      {
+        "Sid": "AWSConfigBucketDelivery",
+        "Effect": "Allow",
+        "Principal": {
+          "Service": "config.amazonaws.com"
+        },
+        "Action": "s3:PutObject",
+        "Resource": "${aws_s3_bucket.this.arn}/AWSLogs/${data.aws_caller_identity.current.account_id}/Config/*",
+        "Condition": {
+          "StringEquals": {
+            "s3:x-amz-acl": "bucket-owner-full-control",
+            "AWS:SourceAccount": data.aws_caller_identity.current.account_id
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "random_string" "this" {
+  length  = 6
+  numeric = false
+  upper   = false
+  special = false
+}
+
 data "aws_caller_identity" "current" {}