-
Notifications
You must be signed in to change notification settings - Fork 61
/
Copy pathresource_opensearch_audit_config_test.go
189 lines (169 loc) · 5.74 KB
/
resource_opensearch_audit_config_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
package provider
import (
"context"
"os"
"testing"
elastic7 "github.com/olivere/elastic/v7"
"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
)
func TestAccOpensearchOpenSearchSecurityAuditConfig(t *testing.T) {
provider := Provider()
diags := provider.Configure(context.Background(), &terraform.ResourceConfig{})
if diags.HasError() {
t.Skipf("err: %#v", diags)
}
resource.ParallelTest(t, resource.TestCase{
PreCheck: func() {
testAccPreCheck(t)
},
Providers: testAccOpendistroProviders,
Steps: []resource.TestStep{
{
Config: testAccOpenSearchSecurityAuditConfigResource(),
Check: resource.ComposeTestCheckFunc(
testCheckOpensearchSecurityAuditConfigExists("opensearch_audit_config.test"),
testCheckOpensearchSecurityAuditConfigConnects("opensearch_audit_config.test"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "enabled", "true"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "audit.#", "1"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "audit.0.enable_rest", "true"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "audit.0.disabled_rest_categories.#", "2"),
resource.TestCheckTypeSetElemAttr("opensearch_audit_config.test", "audit.0.disabled_rest_categories.*", "AUTHENTICATED"),
resource.TestCheckTypeSetElemAttr("opensearch_audit_config.test", "audit.0.disabled_rest_categories.*", "GRANTED_PRIVILEGES"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "compliance.#", "1"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "compliance.0.enabled", "true"),
),
},
{
Config: testAccOpenSearchSecurityAuditConfigResourceUpdated(),
Check: resource.ComposeTestCheckFunc(
resource.TestCheckResourceAttr("opensearch_audit_config.test", "enabled", "false"),
testCheckOpensearchRoleExists("opensearch_audit_config.test"),
resource.TestCheckResourceAttr("opensearch_audit_config.test", "audit.0.disabled_rest_categories.#", "1"),
),
},
},
})
}
func testAccOpenSearchSecurityAuditConfigResource() string {
return `
resource "opensearch_audit_config" "test" {
enabled = true
audit {
enable_rest = true
disabled_rest_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
enable_transport = true
disabled_transport_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
resolve_bulk_requests = true
log_request_body = true
resolve_indices = true
exclude_sensitive_headers = true
ignore_users = ["dashboardserver"]
ignore_requests = ["SearchRequest", "indices:data/read/*", "/_cluster/health"]
}
compliance {
enabled = true
internal_config = true
external_config = false
read_metadata_only = true
read_ignore_users = ["read-ignore-1"]
read_watched_field {
index = "read-index-1"
fields = ["field-1", "field-2"]
}
read_watched_field {
index = "read-index-2"
fields = ["field-3"]
}
write_metadata_only = true
write_log_diffs = false
write_watched_indices = ["write-index-1", "write-index-2", "log-*", "*"]
write_ignore_users = ["write-ignore-1"]
}
}`
}
func testAccOpenSearchSecurityAuditConfigResourceUpdated() string {
return `
resource "opensearch_audit_config" "test" {
enabled = false
audit {
enable_rest = true
disabled_rest_categories = ["GRANTED_PRIVILEGES"]
enable_transport = true
disabled_transport_categories = ["GRANTED_PRIVILEGES", "AUTHENTICATED"]
resolve_bulk_requests = true
log_request_body = true
resolve_indices = true
exclude_sensitive_headers = true
ignore_users = ["dashboardserver"]
ignore_requests = ["SearchRequest", "indices:data/read/*", "/_cluster/health"]
}
compliance {
enabled = true
internal_config = true
external_config = false
read_metadata_only = true
read_ignore_users = ["read-ignore-1"]
read_watched_field {
index = "read-index-1"
fields = ["field-1", "field-2"]
}
read_watched_field {
index = "read-index-2"
fields = ["field-3"]
}
write_metadata_only = true
write_log_diffs = false
write_watched_indices = ["write-index-1", "write-index-2", "log-*", "*"]
write_ignore_users = ["write-ignore-1"]
}
}
`
}
func testCheckOpensearchSecurityAuditConfigExists(name string) resource.TestCheckFunc {
return func(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "opensearch_audit_config" {
continue
}
meta := testAccOpendistroProvider.Meta()
var err error
if err != nil {
return err
}
_, err = resourceOpensearchGetAuditConfig(meta.(*ProviderConf))
if err != nil {
return err
}
return nil
}
return nil
}
}
func testCheckOpensearchSecurityAuditConfigConnects(name string) resource.TestCheckFunc {
return func(s *terraform.State) error {
for _, rs := range s.RootModule().Resources {
if rs.Type != "opensearch_audit_config" {
continue
}
username := rs.Primary.Attributes["username"]
password := rs.Primary.Attributes["password"]
var err error
if err != nil {
return err
}
var client *elastic7.Client
client, err = elastic7.NewClient(
elastic7.SetURL(os.Getenv("OPENSEARCH_URL")),
elastic7.SetBasicAuth(username, password))
if err == nil {
_, err = client.ClusterHealth().Do(context.TODO())
}
if err != nil {
return err
}
return nil
}
return nil
}
}