initial kubernetes support (continued)

- add Jon’s change for a relative directory resolve bug
- go.mod tidy
- don’t call os.exit() from run() when running unit tests
- simplify k8s normalization—no manual json parsing
- fix default AWS IaC type (was set to was instead of terraform)
- fixed JSON loading bug
- increased unit test coverage

go.mod

@@ -3,12 +3,12 @@ module github.com/accurics/terrascan
 go 1.14
 
 require (
+	github.com/ghodss/yaml v1.0.0
 	github.com/gorilla/mux v1.7.4
 	github.com/hashicorp/go-retryablehttp v0.6.6
 	github.com/hashicorp/go-version v1.2.0
 	github.com/hashicorp/hcl/v2 v2.3.0
 	github.com/hashicorp/terraform v0.12.28
-	github.com/mitchellh/go-homedir v1.1.0
 	github.com/open-policy-agent/opa v0.22.0
 	github.com/pelletier/go-toml v1.8.0
 	github.com/pkg/errors v0.9.1
@@ -17,11 +17,9 @@ require (
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/zclconf/go-cty v1.2.1
 	go.uber.org/zap v1.10.0
-	golang.org/x/net v0.0.0-20200625001655-4c5254603344 // indirect
+	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
 	golang.org/x/sys v0.0.0-20200814200057-3d37ad5750ed // indirect
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.3.0
 	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776
-	k8s.io/apimachinery v0.18.8 // indirect
-	k8s.io/client-go v11.0.0+incompatible
 )

pkg/cli/run.go

@@ -17,6 +17,7 @@
 package cli
 
 import (
+	"flag"
 	"os"
 
 	"github.com/accurics/terrascan/pkg/runtime"
@@ -41,7 +42,7 @@ func Run(iacType, iacVersion, cloudType, iacFilePath, iacDirPath, configFile,
 	}
 	writer.Write(format, violations, os.Stdout)
 
-	if violations.ViolationStore.Count.TotalCount != 0 {
+	if violations.ViolationStore.Count.TotalCount != 0 && flag.Lookup("test.v") == nil {
 		os.Exit(3)
 	}
 }

pkg/cli/run_test.go

@@ -0,0 +1,56 @@
+/*
+    Copyright (C) 2020 Accurics, Inc.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+    you may not use this file except in compliance with the License.
+    You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+*/
+
+package cli
+
+import (
+	"testing"
+)
+
+func TestRun(t *testing.T) {
+	table := []struct {
+		name        string
+		iacType     string
+		iacVersion  string
+		cloudType   string
+		iacFilePath string
+		iacDirPath  string
+		configFile  string
+		want        string
+		wantErr     error
+	}{
+		{
+			name:       "normal terraform run",
+			cloudType:  "terraform",
+			iacDirPath: "testdata/run-test",
+			want:       "",
+			wantErr:    nil,
+		},
+		{
+			name:       "normal k8s run",
+			cloudType:  "k8s",
+			iacDirPath: "testdata/run-test",
+			want:       "",
+			wantErr:    nil,
+		},
+	}
+
+	for _, tt := range table {
+		t.Run(tt.name, func(t *testing.T) {
+			Run(tt.iacType, tt.iacVersion, tt.cloudType, tt.iacFilePath, tt.iacDirPath, tt.configFile, "", "")
+		})
+	}
+}

pkg/cli/testdata/run-test/main.tf

@@ -0,0 +1,76 @@
+# Specify the provider and access details
+provider "aws" {
+   region = "${var.aws_region}"
+}
+
+provider "kubernetes" {
+}
+
+# Create a VPC to launch our instances into
+resource "aws_vpc" "acme_root" {
+  cidr_block = "10.0.0.0/16"
+  tags = {
+    Name = "acme_root"
+  }
+}
+
+# Create an internet gateway to give our subnet access to the outside world
+resource "aws_internet_gateway" "acme_root" {
+  vpc_id = "${aws_vpc.acme_root.id}"
+  tags = {
+    Name = "acme_root"
+  }
+}
+
+# Grant the VPC internet access on its main route table
+resource "aws_route" "acme_root" {
+  route_table_id         = "${aws_vpc.acme_root.main_route_table_id}"
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = "${aws_internet_gateway.acme_root.id}"
+}
+
+# Create a subnet to launch our instances into
+resource "aws_subnet" "acme_web" {
+  vpc_id                  = "${aws_vpc.acme_root.id}"
+  cidr_block              = "10.0.1.0/24"
+  map_public_ip_on_launch = true
+  tags = {
+    Name = "acme_web"
+  }
+}
+
+resource "aws_key_pair" "auth" {
+  key_name   = "${var.key_name}"
+  public_key = "${file(var.public_key_path)}"
+}
+
+# resource "aws_s3_bucket" "acme_main" {
+#   bucket = "main-bucket"
+#   acl    = "private"
+# }
+
+resource "aws_ecr_repository" "scanOnPushDisabled" {
+  name                 = "test"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_repository_policy" "ecrRepoIsPublic" {
+  repository = "some-Repo-Name"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Sid": "new policy",
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": ["*"]
+        }
+    ]
+}
+EOF
+}

pkg/cli/testdata/run-test/test_pod.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: myapp-pod
+  labels:
+    app: myapp
+    test: someupdate
+    test2: someupdate3
+spec:
+  containers:
+  - name: myapp-container
+    image: busybox
+    command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']
+    securityContext:
+      allowPrivilegeEscalation: true
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: myapp-deployment2
+  labels:
+    app: myapp
+    test: someupdate
+    test2: someupdate3
+spec:
+  template:
+    spec:
+      containers:
+      - name: myapp-container2
+        image: busybox
+        command: ['sh', '-c', 'echo Hello Kubernetes! && sleep 3600']
+        securityContext:
+          allowPrivilegeEscalation: true

pkg/cli/testdata/run-test/variable.tf

@@ -0,0 +1,35 @@
+variable "public_key_path" {
+  description = <<DESCRIPTION
+Path to the SSH public key to be used for authentication.
+Ensure this keypair is added to your local SSH agent so provisioners can
+connect.
+
+Example: ~/.ssh/terraform.pub
+DESCRIPTION
+default = "terraform-poc01.pub"
+}
+
+variable "key_name" {
+  description = "Desired name of AWS key pair"
+  default = "terraform-poc01"
+}
+
+variable "aws_region" {
+  description = "AWS region to launch servers."
+  default     = "ap-south-1"
+}
+
+# Ubuntu Precise 12.04 LTS (x64)
+variable "aws_amis" {
+  default = {
+    eu-west-1 = "ami-674cbc1e"
+    us-east-1 = "ami-1d4e7a66"
+    us-west-1 = "ami-969ab1f6"
+    us-west-2 = "ami-8803e0f0"
+    ap-south-1 = "ami-0123b531fc646552f"
+  }
+}
+
+variable "sample" {
+  default = "demo"
+}

pkg/cli/testdata/run-test/web.tf

@@ -0,0 +1,81 @@
+###
+# Our default security group to access
+# the instances over SSH and HTTP
+resource "aws_security_group" "acme_web" {
+  name        = "acme_web"
+  description = "Used in the terraform"
+  vpc_id      = "${aws_vpc.acme_root.id}"
+
+  tags = {
+    Name = "acme_web"
+  }
+
+  # SSH access from anywhere
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+
+  # HTTP access from the VPC
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # outbound internet access
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+}
+
+resource "aws_instance" "acem_web" {
+  # The connection block tells our provisioner how to
+  # communicate with the resource (instance)
+  # connection {
+  #   # The default username for our AMI
+  #   user = "ubuntu"
+  #   host = "acme"
+  #   # The connection will use the local SSH agent for authentication.
+  # }
+
+  tags = {
+    Name = "acem_web"
+  }
+
+  instance_type = "t2.micro"
+
+  # Lookup the correct AMI based on the region
+  # we specified
+  ami = "${lookup(var.aws_amis, var.aws_region)}"
+
+  # The name of our SSH keypair we created above.
+  key_name = "${aws_key_pair.auth.id}"
+
+  # Our Security group to allow HTTP and SSH access
+  vpc_security_group_ids = ["${aws_security_group.acme_web.id}"]
+
+  # We're going to launch into the same subnet as our ELB. In a production
+  # environment it's more common to have a separate private subnet for
+  # backend instances.
+  subnet_id = "${aws_subnet.acme_web.id}"
+
+  # We run a remote provisioner on the instance after creating it.
+  # In this case, we just install nginx and start it. By default,
+  # this should be on port 80
+  # provisioner "remote-exec" {
+  #   inline = [
+  #     "sudo apt-get -y update",
+  #     "sudo apt-get -y install nginx",
+  #     "sudo service nginx start",
+  #   ]
+  # }
+}

pkg/iac-providers/kubernetes/v1/load-dir.go

@@ -29,9 +29,9 @@ func (k *K8sV1) LoadIacDir(absRootDir string) (output.AllResourceConfigs, error)
 		return allResourcesConfig, err
 	}
 
-	for _, files := range fileMap {
+	for fileDir, files := range fileMap {
 		for i := range files {
-			file := filepath.Join(absRootDir, *files[i])
+			file := filepath.Join(fileDir, *files[i])
 
 			var configData output.AllResourceConfigs
 			if configData, err = k.LoadIacFile(file); err != nil {

pkg/iac-providers/kubernetes/v1/load-dir_test.go

@@ -58,7 +58,26 @@ func TestLoadIacDir(t *testing.T) {
 			dirPath: "./testdata/yaml-with-multiple-documents",
 			k8sV1:   K8sV1{},
 			wantErr: nil,
-		}}
+		},
+		{
+			name:    "pod with the yml extension",
+			dirPath: "./testdata/yaml-extension2",
+			k8sV1:   K8sV1{},
+			wantErr: nil,
+		},
+		{
+			name:    "yaml with no kind",
+			dirPath: "./testdata/yaml-extension2",
+			k8sV1:   K8sV1{},
+			wantErr: nil,
+		},
+		{
+			name:    "pod with the json extension",
+			dirPath: "./testdata/json-extension",
+			k8sV1:   K8sV1{},
+			wantErr: nil,
+		},
+	}
 
 	for _, tt := range table {
 		t.Run(tt.name, func(t *testing.T) {

pkg/iac-providers/kubernetes/v1/load-file.go

@@ -36,7 +36,7 @@ func (k *K8sV1) LoadIacFile(absRootPath string) (allResourcesConfig output.AllRe
 		config, err = k.normalize(doc)
 		if err != nil {
 			zap.S().Warn("unable to normalize data", zap.Error(err), zap.String("file", absRootPath))
-			return allResourcesConfig, err
+			continue
 		}
 
 		config.Line = doc.StartLine