From cc32bc9fca999cf373118935877dd378f805d280 Mon Sep 17 00:00:00 2001 From: Rafid Aslam Date: Tue, 24 Oct 2023 18:07:19 +0700 Subject: [PATCH] terraform_plan: Add `references_to` & `referenced_by` to direct_references --- .github/workflows/build_test.yml | 1 + .gitignore | 3 +- .../providers/terraform_plan/handler.py | 113 ++++++++++- ...int_config_refers_to_s3_bucket.tirith.json | 22 ++ .../elb_references_to_secroup.tirith.json | 23 +++ .../fixtures/elb_with_secgroup.tf | 38 ++++ .../fixtures/extra_elb_no_secgroup.tf | 54 +++++ .../fail_s3_referenced_by_to.tirith.json | 24 +++ ..._bucket_not_all_has_intelligent_tiering.tf | 25 +++ ..._bucket_with_intelligent_tiering_config.tf | 21 ++ ..._by_intelligent_tiering_config.tirith.json | 23 +++ ...tiering_config_err_tolerance_1.tirith.json | 23 +++ .../test_direct_references.py | 191 ++++++++++++++++++ 13 files changed, 559 insertions(+), 2 deletions(-) create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/elb_references_to_secroup.tirith.json create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/elb_with_secgroup.tf create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/extra_elb_no_secgroup.tf create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/fail_s3_referenced_by_to.tirith.json create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_not_all_has_intelligent_tiering.tf create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_with_intelligent_tiering_config.tf create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config.tirith.json create mode 100644 tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config_err_tolerance_1.tirith.json create mode 100644 tests/providers/terraform_plan/direct_references/test_direct_references.py diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index a26d9a70..2f85b5d3 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -12,6 +12,7 @@ jobs: steps: - uses: actions/checkout@v3 - uses: actions/setup-python@v4 + - uses: hashicorp/setup-terraform@v2 # For testing the terraform_plan provider with: python-version: ${{ matrix.python-version }} cache: 'pip' diff --git a/.gitignore b/.gitignore index 17a56250..eb9124c3 100644 --- a/.gitignore +++ b/.gitignore @@ -131,4 +131,5 @@ dmypy.json .pyre/ .DS_Store -.local \ No newline at end of file +.local +.test_tmp diff --git a/src/tirith/providers/terraform_plan/handler.py b/src/tirith/providers/terraform_plan/handler.py index bb6a8536..39b5afd1 100644 --- a/src/tirith/providers/terraform_plan/handler.py +++ b/src/tirith/providers/terraform_plan/handler.py @@ -205,7 +205,118 @@ def direct_dependencies_operator(input_data: dict, provider_inputs: dict, output ) +def direct_references_operator_referenced_by(input_data: dict, provider_inputs: dict, outputs: list): + # Verify that all of the terraform_resource_type instances are + # referenced by `referenced_by` + # Idea: + # - Get all of the resource_type instances id save it in a list + # - Iterate through all of the referenced_by instances, read what it references to, + # check if it is in the list of resource_type instances, if it is, pop the element + # - If the list is empty, then all of the resource_type instances are + # referenced by `referenced_by` return true, otherwise false + config_resources = input_data.get("configuration", {}).get("root_module", {}).get("resources", []) + resource_type = provider_inputs.get("terraform_resource_type") + referenced_by = provider_inputs.get("referenced_by") + + reference_target = set() + is_resource_found = False + + # Loop for adding reference_target + for config_resource in config_resources: + if config_resource.get("type") != resource_type: + continue + reference_target.add(config_resource.get("address")) + is_resource_found = True + + if not is_resource_found: + outputs.append( + { + "value": ProviderError(severity_value=1), + "err": f"resource_type: '{resource_type}' is not found (severity_value: 1)", + "meta": config_resources, + } + ) + return + + # Loop for removing reference_target + for config_resource in config_resources: + if config_resource.get("type") != referenced_by: + continue + + for expression_val_dict in config_resource.get("expressions", {}).values(): + if not isinstance(expression_val_dict, dict): + continue + + for reference in expression_val_dict.get("references", []): + if reference in reference_target: + reference_target.remove(reference) + + is_all_referenced = len(reference_target) == 0 + outputs.append({"value": is_all_referenced, "meta": config_resources}) + + +def direct_references_operator_references_to(input_data: dict, provider_inputs: dict, outputs: list): + # The exact opposite of `direct_references_operator_referenced_by` + config_resources = input_data.get("configuration", {}).get("root_module", {}).get("resources", []) + resource_type = provider_inputs.get("terraform_resource_type") + references_to = provider_inputs.get("references_to") + + resource_type_count = 0 + reference_count = 0 + is_resource_found = False + + for config_resource in config_resources: + if config_resource.get("type") != resource_type: + continue + is_resource_found = True + resource_type_count += 1 + + for expression_val_dict in config_resource.get("expressions", {}).values(): + if not isinstance(expression_val_dict, dict): + continue + + for reference in expression_val_dict.get("references", []): + reference_res_type = reference.split(".")[0] + if reference_res_type == references_to: + reference_count += 1 + # We break early because most of the times the references + # list contains something like this: + # ["aws_s3_bucket.a.id", "aws_s3_bucket.a"] + break + + if not is_resource_found: + outputs.append( + { + "value": ProviderError(severity_value=1), + "err": f"resource_type: '{resource_type}' is not found (severity_value: 1)", + "meta": config_resources, + } + ) + return + + is_all_resource_type_references_to = resource_type_count == reference_count + outputs.append({"value": is_all_resource_type_references_to, "meta": config_resources}) + + def direct_references_operator(input_data: dict, provider_inputs: dict, outputs: list): + referenced_by = provider_inputs.get("referenced_by") + references_to = provider_inputs.get("references_to") + + if referenced_by is not None and references_to is not None: + outputs.append( + { + "value": ProviderError(severity_value=99), + "err": "Only one of `referenced_by` or `references_to` must be provided in the provider input (severity_value: 99))", + } + ) + return + + if referenced_by is not None: + return direct_references_operator_referenced_by(input_data, provider_inputs, outputs) + + if references_to is not None: + return direct_references_operator_references_to(input_data, provider_inputs, outputs) + config_resources = input_data.get("configuration", {}).get("root_module", {}).get("resources", []) resource_type = provider_inputs.get("terraform_resource_type") @@ -241,7 +352,7 @@ def direct_references_operator(input_data: dict, provider_inputs: dict, outputs: outputs.append( { "value": ProviderError(severity_value=1), - "err": f"resource_type: '{resource_type}' is not found", + "err": f"resource_type: '{resource_type}' is not found (severity_value: 1)", "meta": config_resources, } ) diff --git a/tests/providers/terraform_plan/direct_references/fixtures/at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json b/tests/providers/terraform_plan/direct_references/fixtures/at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json new file mode 100644 index 00000000..ee67a8a3 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json @@ -0,0 +1,22 @@ +{ + "meta": { + "required_provider": "stackguardian/terraform_plan", + "version": "v1" + }, + "evaluators": [ + { + "id": "s3HasLifeCycleIntelligentTiering", + "description": "Make sure IntelligentTieringConfig references to S3 bucket", + "provider_args": { + "operation_type": "direct_references", + "terraform_resource_type": "aws_s3_bucket_intelligent_tiering_configuration" + }, + "condition": { + "type": "Contains", + "value": "aws_s3_bucket", + "error_tolerance": 0 + } + } + ], + "eval_expression": "s3HasLifeCycleIntelligentTiering" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/elb_references_to_secroup.tirith.json b/tests/providers/terraform_plan/direct_references/fixtures/elb_references_to_secroup.tirith.json new file mode 100644 index 00000000..05ab5a03 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/elb_references_to_secroup.tirith.json @@ -0,0 +1,23 @@ +{ + "meta": { + "required_provider": "stackguardian/terraform_plan", + "version": "v1" + }, + "evaluators": [ + { + "id": "elbRefsToSecGroup", + "description": "Make sure ELBs references to security groups", + "provider_args": { + "operation_type": "direct_references", + "terraform_resource_type": "aws_elb", + "references_to": "aws_security_group" + }, + "condition": { + "type": "Equals", + "value": true, + "error_tolerance": 0 + } + } + ], + "eval_expression": "elbRefsToSecGroup" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/elb_with_secgroup.tf b/tests/providers/terraform_plan/direct_references/fixtures/elb_with_secgroup.tf new file mode 100644 index 00000000..033a3c1e --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/elb_with_secgroup.tf @@ -0,0 +1,38 @@ +provider "aws" { + region = "us-west-2" # Change this to your desired AWS region +} + +resource "aws_security_group" "elb_sg" { + name = "elb-sg" + description = "Security Group for ELB" + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # Allow all incoming HTTP traffic. Modify as needed. + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] # Allow all outgoing traffic. Modify as needed. + } +} + +resource "aws_elb" "example" { + name = "example-elb" + availability_zones = ["us-west-2a", "us-west-2b"] # Change these based on your region and requirements + + listener { + instance_port = 80 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + security_groups = [aws_security_group.elb_sg.id] + + # Optionally add health checks, instances, etc. +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/extra_elb_no_secgroup.tf b/tests/providers/terraform_plan/direct_references/fixtures/extra_elb_no_secgroup.tf new file mode 100644 index 00000000..cae9fa86 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/extra_elb_no_secgroup.tf @@ -0,0 +1,54 @@ +provider "aws" { + region = "us-west-2" # Change this to your desired AWS region +} + +resource "aws_security_group" "elb_sg" { + name = "elb-sg" + description = "Security Group for ELB" + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] # Allow all incoming HTTP traffic. Modify as needed. + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] # Allow all outgoing traffic. Modify as needed. + } +} + +resource "aws_elb" "example" { + name = "example-elb" + availability_zones = ["us-west-2a", "us-west-2b"] # Change these based on your region and requirements + + listener { + instance_port = 80 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + security_groups = [aws_security_group.elb_sg.id] + + # Optionally add health checks, instances, etc. +} + +resource "aws_elb" "something" { + name = "something-elb" + availability_zones = ["us-west-2a", "us-west-2b"] # Change these based on your region and requirements + + listener { + instance_port = 80 + instance_protocol = "http" + lb_port = 80 + lb_protocol = "http" + } + + security_groups = [] + + # Optionally add health checks, instances, etc. +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/fail_s3_referenced_by_to.tirith.json b/tests/providers/terraform_plan/direct_references/fixtures/fail_s3_referenced_by_to.tirith.json new file mode 100644 index 00000000..02e365e0 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/fail_s3_referenced_by_to.tirith.json @@ -0,0 +1,24 @@ +{ + "meta": { + "required_provider": "stackguardian/terraform_plan", + "version": "v1" + }, + "evaluators": [ + { + "id": "s3HasLifeCycleIntelligentTiering", + "description": "Make sure all aws_s3_bucket are referenced by aws_s3_bucket_intelligent_tiering_configuration", + "provider_args": { + "operation_type": "direct_references", + "terraform_resource_type": "aws_s3_bucket", + "referenced_by": "aws_s3_bucket_intelligent_tiering_configuration", + "references_to": "aws_s3_bucket" + }, + "condition": { + "type": "Equals", + "value": true, + "error_tolerance": 0 + } + } + ], + "eval_expression": "s3HasLifeCycleIntelligentTiering" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_not_all_has_intelligent_tiering.tf b/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_not_all_has_intelligent_tiering.tf new file mode 100644 index 00000000..da341162 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_not_all_has_intelligent_tiering.tf @@ -0,0 +1,25 @@ +provider "aws" { + region = "us-west-1" # Adjust the region as needed. +} + +resource "aws_s3_bucket_intelligent_tiering_configuration" "example-entire-bucket" { + bucket = aws_s3_bucket.example.id + name = "EntireBucket" + + tiering { + access_tier = "DEEP_ARCHIVE_ACCESS" + days = 180 + } + tiering { + access_tier = "ARCHIVE_ACCESS" + days = 125 + } +} + +resource "aws_s3_bucket" "example" { + bucket = "example" +} + +resource "aws_s3_bucket" "bb" { + bucket = "bb" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_with_intelligent_tiering_config.tf b/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_with_intelligent_tiering_config.tf new file mode 100644 index 00000000..0373ba72 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/s3_bucket_with_intelligent_tiering_config.tf @@ -0,0 +1,21 @@ +provider "aws" { + region = "us-west-1" # Adjust the region as needed. +} + +resource "aws_s3_bucket_intelligent_tiering_configuration" "example-entire-bucket" { + bucket = aws_s3_bucket.example.id + name = "EntireBucket" + + tiering { + access_tier = "DEEP_ARCHIVE_ACCESS" + days = 180 + } + tiering { + access_tier = "ARCHIVE_ACCESS" + days = 125 + } +} + +resource "aws_s3_bucket" "example" { + bucket = "example" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config.tirith.json b/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config.tirith.json new file mode 100644 index 00000000..b70044d2 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config.tirith.json @@ -0,0 +1,23 @@ +{ + "meta": { + "required_provider": "stackguardian/terraform_plan", + "version": "v1" + }, + "evaluators": [ + { + "id": "s3HasLifeCycleIntelligentTiering", + "description": "Make sure all aws_s3_bucket are referenced by aws_s3_bucket_intelligent_tiering_configuration", + "provider_args": { + "operation_type": "direct_references", + "terraform_resource_type": "aws_s3_bucket", + "referenced_by": "aws_s3_bucket_intelligent_tiering_configuration" + }, + "condition": { + "type": "Equals", + "value": true, + "error_tolerance": 0 + } + } + ], + "eval_expression": "s3HasLifeCycleIntelligentTiering" +} diff --git a/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config_err_tolerance_1.tirith.json b/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config_err_tolerance_1.tirith.json new file mode 100644 index 00000000..f5e9c345 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/fixtures/s3_referenced_by_intelligent_tiering_config_err_tolerance_1.tirith.json @@ -0,0 +1,23 @@ +{ + "meta": { + "required_provider": "stackguardian/terraform_plan", + "version": "v1" + }, + "evaluators": [ + { + "id": "s3HasLifeCycleIntelligentTiering", + "description": "Make sure all aws_s3_bucket are referenced by aws_s3_bucket_intelligent_tiering_configuration", + "provider_args": { + "operation_type": "direct_references", + "terraform_resource_type": "aws_s3_bucket", + "referenced_by": "aws_s3_bucket_intelligent_tiering_configuration" + }, + "condition": { + "type": "Equals", + "value": true, + "error_tolerance": 1 + } + } + ], + "eval_expression": "s3HasLifeCycleIntelligentTiering" +} diff --git a/tests/providers/terraform_plan/direct_references/test_direct_references.py b/tests/providers/terraform_plan/direct_references/test_direct_references.py new file mode 100644 index 00000000..7f6ee814 --- /dev/null +++ b/tests/providers/terraform_plan/direct_references/test_direct_references.py @@ -0,0 +1,191 @@ +import json +import os +import shutil + +from subprocess import Popen +from tirith.core.core import start_policy_evaluation_from_dict + + +# TODO: Move these helper functions to a utils file +def load_json_from_fixtures(json_path): + current_path = os.path.dirname(os.path.abspath(__file__)) + with open(os.path.join(current_path, "fixtures", json_path)) as f: + return json.load(f) + + +def parse_json_file(file_path): + with open(file_path) as f: + return json.load(f) + + +def process_terraform_file_into_plan_dict(tf_filepath) -> dict: + """ + Process .tf file into a plan dict + + :param tf_filepath: path to .tf file + :return: plan dict + """ + current_path = os.path.dirname(os.path.abspath(__file__)) + test_tmp_dirpath = os.path.join(current_path, ".test_tmp") + if not os.path.exists(test_tmp_dirpath): + os.mkdir(test_tmp_dirpath) + copied_filepath = shutil.copy(tf_filepath, test_tmp_dirpath) + Popen( + "terraform init && terraform plan -out=tfplan && terraform show -json tfplan > plan.json", + cwd=test_tmp_dirpath, + shell=True, + ).wait() + plan_dict = parse_json_file(os.path.join(test_tmp_dirpath, "plan.json")) + os.remove(copied_filepath) + return plan_dict + + +def load_tf_plan_dict_from_fixtures(tf_plan_fixture_path): + current_path = os.path.dirname(os.path.abspath(__file__)) + tf_path = os.path.join(current_path, "fixtures", tf_plan_fixture_path) + return process_terraform_file_into_plan_dict(tf_path) + + +def tearDown(): + # TODO: Use this tearDown() + current_path = os.path.dirname(os.path.abspath(__file__)) + test_tmp_dirpath = os.path.join(current_path, "test_tmp") + shutil.rmtree(test_tmp_dirpath) + + +def test_direct_references_to_and_by_should_raise_error(): + """ + Test that a policy with both `references_to` and `referenced_by` raises an error + """ + policy = load_json_from_fixtures("fail_s3_referenced_by_to.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("extra_elb_no_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["result"][0]["message"] == ( + "Only one of `referenced_by` or " + "`references_to` must be provided in " + "the provider input (severity_value: " + "99))" + ) + + +def test_direct_references_to_should_fail(): + """ + Test that a policy with `references_to` fails when not all of the + `terraform_resource_type` references to `references_to` + """ + policy = load_json_from_fixtures("elb_references_to_secroup.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("extra_elb_no_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["passed"] == False + + +def test_direct_references_to_should_pass(): + """ + Test that a policy with `references_to` should pass when all of the + `terraform_resource_type` references to `references_to` + """ + policy = load_json_from_fixtures("elb_references_to_secroup.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("elb_with_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == True + assert result["evaluators"][0]["passed"] == True + + +def test_direct_references_to_should_fail_when_no_resources_found(): + """ + Test that a policy with `references_to` should fail when + `terraform_resource_type` isn't found + """ + policy = load_json_from_fixtures("elb_references_to_secroup.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("s3_bucket_with_intelligent_tiering_config.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["passed"] == False + + +def test_direct_referenced_by_should_fail_when_the_resource_isnt_found(): + """ + Test that a policy with `references_by` should fail when + `terraform_resource_type` is not found + """ + policy = load_json_from_fixtures("s3_referenced_by_intelligent_tiering_config.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("elb_with_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["passed"] == False + + +def test_direct_referenced_by_should_skip_when_the_resource_isnt_found_err_tolerance(): + """ + Test that a policy with `references_by` should fail when + `terraform_resource_type` is not found with `error_tolerance` set to 1 + """ + policy = load_json_from_fixtures("s3_referenced_by_intelligent_tiering_config_err_tolerance_1.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("elb_with_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == None + assert result["evaluators"][0]["passed"] == None + + +def test_direct_referenced_by_should_fail(): + """ + Test that a policy with `references_by` should fail when one of the + `terraform_resource_type` is not referenced by `referenced_by` res type + """ + policy = load_json_from_fixtures("s3_referenced_by_intelligent_tiering_config.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("s3_bucket_not_all_has_intelligent_tiering.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["passed"] == False + + +def test_direct_referenced_by_should_pass(): + """ + Test that a policy with `references_by` should pass when all of the + `terraform_resource_type` are referenced by `referenced_by` res type + """ + policy = load_json_from_fixtures("s3_referenced_by_intelligent_tiering_config.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("s3_bucket_with_intelligent_tiering_config.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == True + assert result["evaluators"][0]["passed"] == True + + +def test_old_direct_references_should_pass(): + """ + Test that the old way of specifying direct references still works + (without any `references_to` and `referenced_by`) + """ + policy = load_json_from_fixtures("at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("s3_bucket_not_all_has_intelligent_tiering.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == True + assert result["evaluators"][0]["passed"] == True + + +def test_old_direct_references_should_fail_when_no_resource_type_is_found(): + """ + Test that the old way of specifying direct references still works + (without any `references_to` and `referenced_by`) + """ + policy = load_json_from_fixtures("at_least_one_aws_s3_bucket_int_config_refers_to_s3_bucket.tirith.json") + tf_plan_dict = load_tf_plan_dict_from_fixtures("elb_with_secgroup.tf") + + result = start_policy_evaluation_from_dict(policy, tf_plan_dict) + assert result["final_result"] == False + assert result["evaluators"][0]["passed"] == False + assert ( + result["evaluators"][0]["result"][0]["message"] + == "resource_type: 'aws_s3_bucket_intelligent_tiering_configuration' is not found (severity_value: 1)" + )