如何检查我的 CDK 堆栈中的所有资源是否都具有某些属性?
[英]How do I check if all resources in my CDK stack have certain properties?
问题描述
I'm fairly new to the AWS CDK.
我是 AWS CDK 的新手。 I just found out about the aws-cdk/assert module, which is a good reason for me to get more into test-driven development.我刚刚发现了 aws-cdk/assert 模块,这是我深入研究测试驱动开发的一个很好的理由。 My main difficulty right now is that I don't entirely understand how to test if all resources of a certain type pass a test.我现在的主要困难是我不完全了解如何测试某种类型的所有资源是否都通过了测试。 I'm only able to test if there is any resource matching.我只能测试是否有任何资源匹配。
Right now I have a combination of expectCDK(stack).to(countResources('AWS::S3::Bucket', 2)) to see if I produce the expected number of buckets, followed by two separate tests to check of they both are private and encrypted.现在我有expectCDK(stack).to(countResources('AWS::S3::Bucket', 2))的组合来查看我是否产生了预期数量的桶,然后是两个单独的测试来检查它们是私有和加密的。
If I use the following code, it will pass because it simply looks for any resource that has a match (one out of two)如果我使用以下代码,它将通过,因为它只是查找任何具有匹配项的资源(二选一)
expectCDK(stack).to(haveResource('AWS::S3::Bucket', {
"AccessControl": "Private",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}))
Right now it's just two test buckets, but I want to make "least privilege principle" checks for IAM roles later.现在它只是两个测试桶,但我想稍后对 IAM 角色进行“最小特权原则”检查。 Given that solutions can have a lot of different roles, I don't want to skip any of them.鉴于解决方案可以有很多不同的角色,我不想跳过其中任何一个。
Is there a clever way to test if all my buckets are private and encrypted?有没有一种聪明的方法来测试我的所有存储桶是否都是私有和加密的? I wouldn't mind writing testing the synthesized template, but I feel like the expectCDK is a bit closer to the source.我不介意编写测试合成模板,但我觉得 expectCDK 更接近源代码。
2 个解决方案
解决方案1
1 2021-03-29 22:52:06
I was able to accomplish this with a little be of complexity:我能够稍微复杂地完成此操作:
test("no s3 buckets should be public", () => {
expect(stack).not.toHaveResourceLike("AWS::S3::Bucket", {
PublicAccessBlockConfiguration: ABSENT,
});
expect(stack).not.toHaveResourceLike("AWS::S3::Bucket", {
PublicAccessBlockConfiguration: notMatching(
exactValue({
BlockPublicAcls: true,
BlockPublicPolicy: true,
IgnorePublicAcls: true,
RestrictPublicBuckets: true,
})
),
});
});
test("all s3 buckets should be s3_managed encrypted", () => {
expect(stack).not.toHaveResourceLike("AWS::S3::Bucket", {
BucketEncryption: ABSENT,
});
expect(stack).not.toHaveResourceLike("AWS::S3::Bucket", {
BucketEncryption: notMatching(
exactValue({
ServerSideEncryptionConfiguration: [
{
ServerSideEncryptionByDefault: {
SSEAlgorithm: "AES256",
},
},
],
})
),
});
});
解决方案2
0 2020-10-19 19:22:04
This may be late but this may be what you are looking for:这可能会迟到,但这可能是您要找的:
"AccessControl": "Private",
"BucketEncryption": {
"ServerSideEncryptionConfiguration": [
{
"ServerSideEncryptionByDefault": {
"SSEAlgorithm": "AES256"
}
}
]
},
"VersioningConfiguration": {
"Status": "Enabled"
}
}))
Cheers !干杯!
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.