Tests for CloudFormation lib

Author: ViktorLindstrm

ql/test/library-tests/aws/cloudformation/AST.expected

@@ -1,18 +1,61 @@
 cloudformation
+| IAMRole.yml:1:1:18:74 | CloudFormation Document |
+| IngressEgressResources.yml:1:1:19:21 | CloudFormation Document |
+| ecs.yml:1:1:92:40 | CloudFormation Document |
+| lambda.yml:1:1:21:18 | CloudFormation Document |
 | s3.json:1:1:77:1 | CloudFormation Document |
 | s3.yml:1:1:42:59 | CloudFormation Document |
+| securitygroup.yml:1:1:16:24 | CloudFormation Document |
 resources
+| IAMRole.yml:5:5:18:74 | CloudFormation IAM Role |
+| IngressEgressResources.yml:7:5:13:2 | CloudFormation EC2 Security Group Ingress |
+| IngressEgressResources.yml:14:5:19:21 | CloudFormation EC2 Security Group Egress |
+| ecs.yml:6:5:38:2 | CloudFormation ECS Task Set |
+| ecs.yml:39:5:66:2 | CloudFormation ECS Task Definition |
+| ecs.yml:67:5:92:40 | CloudFormation Resource |
+| lambda.yml:5:5:21:18 | CloudFormation Lambda Function |
 | s3.json:4:21:15:9 | CloudFormation S3 Bucket |
 | s3.json:16:25:47:9 | CloudFormation S3 Bucket Policy |
 | s3.yml:4:5:12:2 | CloudFormation S3 Bucket |
 | s3.yml:13:5:28:28 | CloudFormation S3 Bucket Policy |
+| securitygroup.yml:7:5:16:24 | CloudFormation EC2 Security Group |
 resourceProperties
+| IAMRole.yml:7:7:18:74 | CloudFormation Resource Properties |
+| IngressEgressResources.yml:9:7:13:2 | CloudFormation Resource Properties |
+| IngressEgressResources.yml:16:7:19:21 | CloudFormation Resource Properties |
+| ecs.yml:8:7:38:2 | CloudFormation Resource Properties |
+| ecs.yml:41:7:66:2 | CloudFormation Resource Properties |
+| ecs.yml:70:7:92:40 | CloudFormation Resource Properties |
+| lambda.yml:7:7:21:18 | CloudFormation Resource Properties |
 | s3.json:6:27:12:13 | CloudFormation Resource Properties |
 | s3.json:18:27:46:13 | CloudFormation Resource Properties |
 | s3.yml:6:7:10:4 | CloudFormation Resource Properties |
 | s3.yml:15:7:28:28 | CloudFormation Resource Properties |
+| securitygroup.yml:9:7:16:24 | CloudFormation Resource Properties |
 s3
 | s3.json:4:21:15:9 | CloudFormation S3 Bucket |
 | s3.yml:4:5:12:2 | CloudFormation S3 Bucket |
 s3Policy
 | s3.yml:4:5:12:2 | CloudFormation S3 Bucket | s3.yml:13:5:28:28 | CloudFormation S3 Bucket Policy |
+lambda
+| lambda.yml:5:5:21:18 | CloudFormation Lambda Function |
+ec2SecurityGroup
+| securitygroup.yml:7:5:16:24 | CloudFormation EC2 Security Group |
+ec2SecurityGroupIngress
+| IngressEgressResources.yml:7:5:13:2 | CloudFormation EC2 Security Group Ingress |
+ec2SecurityGroupEgress
+| IngressEgressResources.yml:14:5:19:21 | CloudFormation EC2 Security Group Egress |
+iamRole
+| IAMRole.yml:5:5:18:74 | CloudFormation IAM Role |
+iamStatement
+| IAMRole.yml:9:9:16:6 | Version ... -10-17' |
+| s3.yml:16:9:28:6 | Id: MyPolicy |
+ecsService
+| ecs.yml:67:5:92:40 | CloudFormation Resource |
+ecsCluster
+ecsTaskSet
+| ecs.yml:6:5:38:2 | CloudFormation ECS Task Set |
+taskDefinition
+| ecs.yml:39:5:66:2 | CloudFormation ECS Task Definition |
+containerDefinition
+| ecs.yml:41:7:66:2 | CloudFormation Resource Properties |

ql/test/library-tests/aws/cloudformation/AST.ql

@@ -11,3 +11,17 @@ query predicate s3(CloudFormation::S3Bucket n) { any() }
 query predicate s3Policy(CloudFormation::S3Bucket n, CloudFormation::S3BucketPolicy p) {
   p = n.getBucketPolicy()
 }
+
+query predicate lambda(CloudFormation::LambdaFunction n) { any() }
+
+query predicate ec2SecurityGroup(CloudFormation::EC2SecurityGroup n) { any() }
+query predicate ec2SecurityGroupIngress(CloudFormation::EC2SecurityGroupIngress n) { any() }
+query predicate ec2SecurityGroupEgress(CloudFormation::EC2SecurityGroupEgress n) { any() }
+query predicate iamRole(CloudFormation::IAMRole n) { any() }
+query predicate iamStatement(CloudFormation::IAMStatement p){ any() }
+
+query predicate ecsService(CloudFormation::ECSService p){ any() }
+query predicate ecsCluster(CloudFormation::ECSCluster p){ any() }
+query predicate ecsTaskSet(CloudFormation::ECSTaskSet p){ any() }
+query predicate taskDefinition(CloudFormation::TaskDefinition p){ any() }
+query predicate containerDefinition(CloudFormation::ContainerDefinition p){ any() }

ql/test/library-tests/aws/cloudformation/IAMRole.yml

@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Security: Account Enable Guardduty'
+Resources:
+  LambdaRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      RoleName: SecurityGuardDutyLambdaRole
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+        - Effect: Allow
+          Principal:
+            Service: 'lambda.amazonaws.com'
+          Action:
+          - 'sts:AssumeRole'
+      Path: '/'
+      ManagedPolicyArns:
+      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'

ql/test/library-tests/aws/cloudformation/IngressEgressResources.yml

@@ -0,0 +1,22 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+Description: PositionAndJourney Statistics Service
+
+Resources:
+  IngressInbound:
+    Type: 'AWS::EC2::SecurityGroupIngress'
+    Properties:
+      IpProtocol: tcp
+      CidrIp: 0.0.0.0/0
+      FromPort: '6370'
+      ToPort: '6379'
+  EgressOutbound:
+    Type: 'AWS::EC2::SecurityGroupEgress'
+    Properties:
+      IpProtocol: tcp
+      CidrIp: 0.0.0.0/0
+      FromPort: '6370'
+      ToPort: '6379'
+
+
+

ql/test/library-tests/aws/cloudformation/ecs.yml

@@ -0,0 +1,92 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Infrastructure for the ECS Fargate deployment pattern workshop service.'
+Parameters:
+Resources:
+  TaskSet:
+    Type: 'AWS::ECS::TaskSet'
+    Properties:
+      Cluster: !Ref 'Cluster'
+      Service: !Ref 'Service'
+      TaskDefinition: !Ref 'TaskDefinition'
+      LaunchType: 'FARGATE'
+      NetworkConfiguration:
+        AwsVpcConfiguration:
+          AssignPublicIp: 'ENABLED'
+          SecurityGroups:
+            - !Ref 'SecurityGroup'
+          Subnets:
+            - !Ref 'SubnetA'
+            - !Ref 'SubnetB'
+            - !Ref 'SubnetC'
+      LoadBalancers:
+        - ContainerName: !Ref 'ContainerName'
+          ContainerPort: !Ref 'ContainerPort'
+          TargetGroupArn: !Ref 'TargetGroup'
+      PlatformVersion: 'LATEST'
+      Scale: !Ref 'Scale'
+      ServiceRegistries:
+        - ContainerName: !Ref 'ContainerName'
+          ContainerPort: !Ref 'ContainerPort'
+          RegistryArn: !Ref 'ServiceDiscoveryRegistry'
+      HealthCheckGracePeriodSeconds: 90
+      SchedulingStrategy: 'REPLICA'
+      ServiceDiscovery: !Ref 'ServiceDiscovery'
+
+  #------------------------------------------------
+  # ECS task definition
+  #------------------------------------------------
+  ComponentTaskDefinition:
+    Type: 'AWS::ECS::TaskDefinition'
+    Properties:
+      ContainerDefinitions:
+        - Image: !Ref Container
+          Name: !Ref Component
+          PortMappings:
+            - ContainerPort: !Ref ContainerPort
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-create-group: true
+              awslogs-region: !Ref AWS::Region
+              awslogs-group: !Sub '/fargate/logs'
+              awslogs-stream-prefix: !Ref Component
+          Environment:
+            # Normally mandatory (but e.g. SHORTNAME and FLAVOUR may not always be applicable)
+      Cpu: 512
+      ExecutionRoleArn: !GetAtt ComponentTaskDefinitionExecutionRole.Arn
+      TaskRoleArn: !GetAtt ComponentTaskDefinitionRole.Arn
+      Family: !Ref Component
+      Memory: 1024
+      RequiresCompatibilities:
+        - 'FARGATE'
+
+  #------------------------------------------------
+  # ECS Service
+  #------------------------------------------------
+  ComponentEcsService:
+    Type: 'AWS::ECS::Service'
+    DependsOn: DummyListenerRule
+    Properties:
+      Cluster:
+        Fn::ImportValue: 'ecs-fargate-ws-cluster-arn'
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      LoadBalancers:
+        - ContainerName: !Ref Component
+          ContainerPort: !Ref ContainerPort
+          TargetGroupArn: !Ref ComponentTargetGroup
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: 'ENABLED'
+          SecurityGroups:
+            - !Ref ComponentEcsServiceSecurityGroup
+            - !Ref CiSecurityGroupId
+          Subnets:
+            - !Ref PrivateA
+            - !Ref PrivateB
+            - !Ref PrivateC
+      ServiceName: !Ref Service
+      TaskDefinition: !Ref ComponentTaskDefinition
+      PropagateTags: 'TASK_DEFINITION'
+      # Note: The value has been lowered from the recommended 180, for production use please choose this value wisely.
+      HealthCheckGracePeriodSeconds: 90

ql/test/library-tests/aws/cloudformation/lambda.yml

@@ -0,0 +1,21 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Security: Account Enable Guardduty'
+Resources:
+  LambdaFunctionEnableGuardDuty:
+    Type: 'AWS::Lambda::Function'
+    Properties:
+      Code:
+        ZipFile: |
+          'use strict';
+          const AWS = require('aws-sdk');
+          const response = require('cfn-response');
+      Handler: 'index.handler'
+      MemorySize: 128
+      Role: !GetAtt 'LambdaRole.Arn'
+      Runtime: 'nodejs16.x'
+      Tags: 
+        - Key: 'wcar-service'
+          Value: 'provisioning-security-guardduty'
+        - Key: 'team'
+          Value: 'sec-ops'    
+      Timeout: 120

ql/test/library-tests/aws/cloudformation/securitygroup.yml

@@ -0,0 +1,16 @@
+AWSTemplateFormatVersion: "2010-09-09"
+Metadata:
+  Description: 'AWS CloudFormation Template To fs2 messaging test'
+
+Resources:
+  SecurityGroup:
+    Type: AWS::EC2::SecurityGroup
+    Properties:
+      GroupDescription: "Vpc Security Group"
+      SecurityGroupEgress:
+        - IpProtocol: "tcp"
+          CidrIp: "0.0.0.0/0"
+          FromPort: 1337
+          ToPort: 1337
+          Description: "For RDS"
+      VpcId: !Ref VpcId