tests for matching ECS queries

Author: ViktorLindstrm

ql/test/queries-tests/CloudFormation/ECS/ContainerInsights/ContainerInsights.expected

@@ -0,0 +1 @@
+| ecs.yml:41:5:47:2 | CloudFormation ECS Cluster | ECS Cluster should have cluster settings enabled |

ql/test/queries-tests/CloudFormation/ECS/ContainerInsights/ContainerInsights.qlref

@@ -0,0 +1 @@
+security/CloudFormation/ECS/ContainerInsights.ql

ql/test/queries-tests/CloudFormation/ECS/ContainerInsights/ecs.yml

@@ -0,0 +1,71 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Infrastructure for the ECS Fargate deployment pattern workshop service.'
+
+Resources:
+  #------------------------------------------------
+  # ECS task definition
+  #------------------------------------------------
+  ComponentTaskDefinition:
+    Type: 'AWS::ECS::TaskDefinition'
+    Properties:
+      ContainerDefinitions:
+        - Image: !Sub '${image}:${version}'
+          Name: !Ref Component
+          PortMappings:
+            - ContainerPort: 443
+          LogConfiguration:
+            LogDriver: 'awslogs'
+            Options:
+              awslogs-create-group: true
+              awslogs-region: !Ref AWS::Region
+              awslogs-group: !Sub '/fargate/${Component}'
+              awslogs-stream-prefix: !Ref Component
+          Environment:
+            # Normally mandatory (but e.g. SHORTNAME and FLAVOUR may not always be applicable)
+          Secrets:
+            # Normally mandatory (but e.g. SHORTNAME and FLAVOUR may not always be applicable)
+            - Name: 'AWS_ACCESS_KEY_ID'
+              ValueFrom: arn:aws:secretsmanager:region:account-id:secret:aws-key-id
+              Name: 'AWS_SECRET_ACCESS_KEY'
+              ValueFrom: arn:aws:secretsmanager:region:account-id:secret:aws-secret-key
+      Cpu: 512
+      ExecutionRoleArn: !GetAtt ComponentTaskDefinitionExecutionRole.Arn
+      TaskRoleArn: !GetAtt ComponentTaskDefinitionRole.Arn
+      Family: !Ref Component
+      Memory: 1024
+      RequiresCompatibilities:
+        - 'FARGATE'
+
+
+  ClusterService:
+    Type: 'AWS::ECS::Cluster'
+    Properties:
+      ClusterName: !Sub 'group${UserPartition}-ecs-fargate-ws-cluster'
+  #------------------------------------------------
+  # ECS Service
+  #------------------------------------------------
+  ComponentEcsService:
+    Type: 'AWS::ECS::Service'
+    DependsOn: ListenerRule
+    Properties:
+      Cluster:
+        Fn::ImportValue: !Sub 'group$-ecs-fargate-cluster-arn'
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      LoadBalancers:
+        - ContainerName: !Ref Component
+          ContainerPort: !Ref ContainerPort
+          TargetGroupArn: !Ref ComponentTargetGroup
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: 'ENABLED'
+          SecurityGroups:
+            - !Ref ComponentEcsServiceSecurityGroup
+            - !Ref CiSecurityGroupId
+          Subnets:
+            - !Ref Subnet1
+      ServiceName: !Sub '${RegionalPrefix}-${Component}-${Version}-${Launch}'
+      TaskDefinition: !Ref ComponentTaskDefinition
+      PropagateTags: 'TASK_DEFINITION'
+      # Note: The value has been lowered from the recommended 180, for production use please choose this value wisely.
+      HealthCheckGracePeriodSeconds: 90

ql/test/queries-tests/CloudFormation/ECS/ContainerInsights/something.tf

@@ -0,0 +1 @@
+| ecs.yml:11:7:33:2 | CloudFormation Resource Properties | ContainerDefinitions must have a log configuration |

ql/test/queries-tests/CloudFormation/ECS/LogConfiguration/LogConfiguration.expected

@@ -0,0 +1 @@
+security/CloudFormation/ECS/LogConfiguration.ql

ql/test/queries-tests/CloudFormation/ECS/LogConfiguration/LogConfiguration.qlref

@@ -0,0 +1,64 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Infrastructure for the ECS Fargate deployment pattern workshop service.'
+
+Resources:
+  #------------------------------------------------
+  # ECS task definition
+  #------------------------------------------------
+  ComponentTaskDefinition:
+    Type: 'AWS::ECS::TaskDefinition'
+    Properties:
+      ContainerDefinitions:
+        - Image: !Sub '${image}:${version}'
+          Name: !Ref Component
+          PortMappings:
+            - ContainerPort: 443
+          Environment:
+            # Normally mandatory (but e.g. SHORTNAME and FLAVOUR may not always be applicable)
+          Secrets:
+            # Normally mandatory (but e.g. SHORTNAME and FLAVOUR may not always be applicable)
+            - Name: 'AWS_ACCESS_KEY_ID'
+              ValueFrom: arn:aws:secretsmanager:region:account-id:secret:aws-key-id
+              Name: 'AWS_SECRET_ACCESS_KEY'
+              ValueFrom: arn:aws:secretsmanager:region:account-id:secret:aws-secret-key
+      Cpu: 512
+      ExecutionRoleArn: !GetAtt ComponentTaskDefinitionExecutionRole.Arn
+      TaskRoleArn: !GetAtt ComponentTaskDefinitionRole.Arn
+      Family: !Ref Component
+      Memory: 1024
+      RequiresCompatibilities:
+        - 'FARGATE'
+
+
+  ClusterService:
+    Type: 'AWS::ECS::Cluster'
+    Properties:
+      ClusterName: !Sub 'group${UserPartition}-ecs-fargate-ws-cluster'
+  #------------------------------------------------
+  # ECS Service
+  #------------------------------------------------
+  ComponentEcsService:
+    Type: 'AWS::ECS::Service'
+    DependsOn: ListenerRule
+    Properties:
+      Cluster:
+        Fn::ImportValue: !Sub 'group$-ecs-fargate-cluster-arn'
+      DesiredCount: 1
+      LaunchType: 'FARGATE'
+      LoadBalancers:
+        - ContainerName: !Ref Component
+          ContainerPort: !Ref ContainerPort
+          TargetGroupArn: !Ref ComponentTargetGroup
+      NetworkConfiguration:
+        AwsvpcConfiguration:
+          AssignPublicIp: 'ENABLED'
+          SecurityGroups:
+            - !Ref ComponentEcsServiceSecurityGroup
+            - !Ref CiSecurityGroupId
+          Subnets:
+            - !Ref Subnet1
+      ServiceName: !Sub '${RegionalPrefix}-${Component}-${Version}-${Launch}'
+      TaskDefinition: !Ref ComponentTaskDefinition
+      PropagateTags: 'TASK_DEFINITION'
+      # Note: The value has been lowered from the recommended 180, for production use please choose this value wisely.
+      HealthCheckGracePeriodSeconds: 90

ql/test/queries-tests/CloudFormation/ECS/LogConfiguration/ecs.yml

@@ -0,0 +1 @@
+| ecs.yml:9:5:42:2 | CloudFormation ECS Task Definition | ContainerDefinitions must not run as root or be privileged when networkmode Host is used |

ql/test/queries-tests/CloudFormation/ECS/LogConfiguration/something.tf

@@ -0,0 +1 @@
+security/CloudFormation/ECS/NetworkMode.ql