r/aws_securityhub: Tests for aws_securityhub_account/aws_securityhub_…

…standard

aws/resource_aws_securityhub_account_test.go

@@ -0,0 +1,84 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSecurityHubAccount_basic(t *testing.T) {
+	resource.Test(t, resource.TestCase{
+		PreCheck:     func() { testAccPreCheck(t) },
+		Providers:    testAccProviders,
+		CheckDestroy: testAccCheckAWSSecurityHubAccountDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSecurityHubAccountConfig(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSecurityHubAccountExists("aws_securityhub_account.example"),
+				),
+			},
+			{
+				ResourceName:      "aws_securityhub_account.example",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+		},
+	})
+}
+
+func testAccCheckAWSSecurityHubAccountExists(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		_, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).securityhubconn
+
+		_, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{})
+
+		if err != nil {
+			// Can only read enabled standards if Security Hub is enabled
+			if isAWSErr(err, "InvalidAccessException", "not subscribed to AWS Security Hub") {
+				return fmt.Errorf("Security Hub account not found")
+			}
+			return err
+		}
+
+		return nil
+	}
+}
+
+func testAccCheckAWSSecurityHubAccountDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).securityhubconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_securityhub_account" {
+			continue
+		}
+
+		_, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{})
+
+		if err != nil {
+			// Can only read enabled standards if Security Hub is enabled
+			if isAWSErr(err, "InvalidAccessException", "not subscribed to AWS Security Hub") {
+				return nil
+			}
+			return err
+		}
+
+		return fmt.Errorf("Security Hub account still exists")
+	}
+
+	return nil
+}
+
+func testAccAWSSecurityHubAccountConfig() string {
+	return `
+resource "aws_securityhub_account" "example" {}
+`
+}

aws/resource_aws_securityhub_standard.go

@@ -69,6 +69,10 @@ func resourceAwsSecurityHubStandardRead(d *schema.ResourceData, meta interface{}
 		return nil
 	}
 
+	standardsSubscription := resp.StandardsSubscriptions[0]
+
+	d.Set("standards_arn", standardsSubscription.StandardsArn)
+
 	return nil
 }
 

aws/resource_aws_securityhub_standard_test.go

@@ -0,0 +1,108 @@
+package aws
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/hashicorp/terraform/helper/resource"
+	"github.com/hashicorp/terraform/terraform"
+)
+
+func TestAccAWSSecurityHubStandard_basic(t *testing.T) {
+	var standardsSubscription *securityhub.StandardsSubscription
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccAWSSecurityHubStandardConfig_basic,
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckAWSSecurityHubStandardExists("aws_securityhub_standard.example", standardsSubscription),
+				),
+			},
+			{
+				ResourceName:      "aws_securityhub_standard.example",
+				ImportState:       true,
+				ImportStateVerify: true,
+			},
+			{
+				// Check Destroy - but only target the specific resource (otherwise Security Hub
+				// will be disabled and the destroy check will fail)
+				Config: testAccAWSSecurityHubStandardConfig_empty,
+				Check:  testAccCheckAWSSecurityHubStandardDestroy,
+			},
+		},
+	})
+}
+
+func testAccCheckAWSSecurityHubStandardExists(n string, standardsSubscription *securityhub.StandardsSubscription) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		conn := testAccProvider.Meta().(*AWSClient).securityhubconn
+
+		resp, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{
+			StandardsSubscriptionArns: []*string{aws.String(rs.Primary.ID)},
+		})
+
+		if err != nil {
+			return err
+		}
+
+		if len(resp.StandardsSubscriptions) == 0 {
+			return fmt.Errorf("Security Hub standard %s not found", rs.Primary.ID)
+		}
+
+		standardsSubscription = resp.StandardsSubscriptions[0]
+
+		return nil
+	}
+}
+
+func testAccCheckAWSSecurityHubStandardDestroy(s *terraform.State) error {
+	conn := testAccProvider.Meta().(*AWSClient).securityhubconn
+
+	for _, rs := range s.RootModule().Resources {
+		if rs.Type != "aws_securityhub_standard" {
+			continue
+		}
+
+		resp, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{
+			StandardsSubscriptionArns: []*string{aws.String(rs.Primary.ID)},
+		})
+
+		if err != nil {
+			if isAWSErr(err, securityhub.ErrCodeResourceNotFoundException, "") {
+				return nil
+			}
+			return err
+		}
+
+		if len(resp.StandardsSubscriptions) != 0 {
+			return fmt.Errorf("Security Hub standard %s still exists", rs.Primary.ID)
+		}
+
+		return nil
+	}
+
+	return nil
+}
+
+const testAccAWSSecurityHubStandardConfig_empty = `
+resource "aws_securityhub_account" "example" {}
+`
+
+const testAccAWSSecurityHubStandardConfig_basic = `
+resource "aws_securityhub_account" "example" {}
+
+resource "aws_securityhub_standard" "example" {
+  depends_on    = ["aws_securityhub_account.example"]
+  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
+}
+`