CCM-10048: add functionality to simulate a guarduty scan

bhansell1 · bhansell1 · commit 18bcc74696dc · 2025-05-20T16:47:56.000+01:00
diff --git a/infrastructure/terraform/components/sandbox/module_backend_api.tf b/infrastructure/terraform/components/sandbox/module_backend_api.tf
@@ -22,4 +22,6 @@ module "backend_api" {
 
   kms_key_arn          = data.aws_kms_key.sandbox.arn
   dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn
+
+  test_environment_mock_guardduty_event_source = "test.guardduty"
 }
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_proof.tf
@@ -3,7 +3,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = compact(["aws.guardduty", var.test_environment_mock_guardduty_event_source])
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_failed_for_upload.tf
@@ -3,7 +3,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_failed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is not NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = compact(["aws.guardduty", var.test_environment_mock_guardduty_event_source])
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_proof.tf
@@ -3,7 +3,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_proof
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = compact(["aws.guardduty", var.test_environment_mock_guardduty_event_source])
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
diff --git a/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf b/infrastructure/terraform/modules/backend-api/cloudwatch_event_rule_guardduty_quarantine_scan_passed_for_upload.tf
@@ -3,7 +3,7 @@ resource "aws_cloudwatch_event_rule" "guardduty_quarantine_scan_passed_for_uploa
   description = "Matches quarantine 'GuardDuty Malware Protection Object Scan Result' events where the scan result is NO_THREATS_FOUND"
 
   event_pattern = jsonencode({
-    source      = ["aws.guardduty"]
+    source      = compact(["aws.guardduty", var.test_environment_mock_guardduty_event_source])
     detail-type = ["GuardDuty Malware Protection Object Scan Result"]
     resources   = [aws_guardduty_malware_protection_plan.quarantine.arn]
     detail = {
diff --git a/infrastructure/terraform/modules/backend-api/outputs.tf b/infrastructure/terraform/modules/backend-api/outputs.tf
@@ -10,6 +10,10 @@ output "download_bucket_regional_domain_name" {
   value = module.s3bucket_download.bucket_regional_domain_name
 }
 
+output "guardduty_quarantine_arn" {
+  value = aws_guardduty_malware_protection_plan.quarantine.arn
+}
+
 output "internal_bucket_name" {
   value = module.s3bucket_internal.id
 }
diff --git a/infrastructure/terraform/modules/backend-api/variables.tf b/infrastructure/terraform/modules/backend-api/variables.tf
@@ -122,3 +122,9 @@ variable "log_subscription_role_arn" {
   description = "The ARN of the IAM role to use for the log subscription filter"
   default     = ""
 }
+
+variable "test_environment_mock_guardduty_event_source" {
+  type        = string
+  description = "Adds a new source to the EventBridge Guard Duty filter rules"
+  default     = ""
+}
diff --git a/package-lock.json b/package-lock.json
diff --git a/tests/test-team/global.d.ts b/tests/test-team/global.d.ts
@@ -13,6 +13,7 @@ declare global {
       TEMPLATES_INTERNAL_BUCKET_NAME: string;
       TEMPLATES_QUARANTINE_BUCKET_NAME: string;
       TEMPLATES_DOWNLOAD_BUCKET_NAME: string;
+      TEMPLATES_GUARDDUTY_RESOURCE_ARN: string;
     }
   }
 
diff --git a/tests/test-team/helpers/eventbridge/eventbridge-helper.ts b/tests/test-team/helpers/eventbridge/eventbridge-helper.ts
@@ -0,0 +1,69 @@
+import {
+  EventBridgeClient,
+  PutEventsCommand,
+} from '@aws-sdk/client-eventbridge';
+
+export class EventBridgeHelper {
+  readonly #client: EventBridgeClient;
+
+  constructor() {
+    this.#client = new EventBridgeClient({ region: 'eu-west-2' });
+  }
+
+  async publishGuardDutyEvent(
+    s3ObjectKey: string,
+    s3VersionId: string,
+    guardDutyScanResultStatus:
+      | 'NO_THREATS_FOUND'
+      | 'THREATS_FOUND'
+      | 'UNSUPPORTED'
+  ) {
+    const resp = await this.#client.send(
+      new PutEventsCommand({
+        Entries: [
+          this.createGuardDutyEvent(
+            s3ObjectKey,
+            guardDutyScanResultStatus,
+            s3VersionId
+          ),
+        ],
+      })
+    );
+
+    if (resp.FailedEntryCount && resp.FailedEntryCount > 0) {
+      throw new Error(
+        `Failed to publish ${guardDutyScanResultStatus} event for ${s3ObjectKey}`,
+        {
+          cause: resp,
+        }
+      );
+    }
+  }
+
+  private createGuardDutyEvent(
+    s3ObjectKey: string,
+    scanResultStatus: 'NO_THREATS_FOUND' | 'THREATS_FOUND' | 'UNSUPPORTED',
+    versionId: string
+  ) {
+    const SOURCE = 'test.guardduty';
+    const DETAIL_TYPE = 'GuardDuty Malware Protection Object Scan Result';
+
+    return {
+      Source: SOURCE,
+      DetailType: DETAIL_TYPE,
+      Detail: JSON.stringify({
+        schemaVersion: '1.0',
+        scanResultDetails: {
+          scanResultStatus: scanResultStatus,
+        },
+        s3ObjectDetails: {
+          bucketName: process.env.TEMPLATES_QUARANTINE_BUCKET_NAME,
+          objectKey: s3ObjectKey,
+          eTag: `test-etag-${Date.now()}`,
+          versionId: versionId,
+        },
+      }),
+      Resources: [process.env.TEMPLATES_GUARDDUTY_RESOURCE_ARN],
+    };
+  }
+}
diff --git a/tests/test-team/helpers/s3/s3-helper.ts b/tests/test-team/helpers/s3/s3-helper.ts
@@ -0,0 +1,20 @@
+import { HeadObjectCommand, S3Client } from '@aws-sdk/client-s3';
+
+export class S3Helper {
+  readonly #s3Client: S3Client;
+
+  constructor() {
+    this.#s3Client = new S3Client({ region: 'eu-west-2' });
+  }
+
+  async getVersionId(bucket: string, objectKey: string) {
+    const response = await this.#s3Client.send(
+      new HeadObjectCommand({
+        Bucket: bucket,
+        Key: objectKey,
+      })
+    );
+
+    return response.VersionId;
+  }
+}
diff --git a/tests/test-team/helpers/use-cases/index.ts b/tests/test-team/helpers/use-cases/index.ts
@@ -1,3 +1,4 @@
 export * from './simulate-failed-virus-scan';
 export * from './simulate-passed-validation';
+export * from './simulate-guard-duty-scan';
 export { UseCaseOrchestrator } from './use-case-orchestrator';
diff --git a/tests/test-team/helpers/use-cases/simulate-guard-duty-scan.ts b/tests/test-team/helpers/use-cases/simulate-guard-duty-scan.ts
@@ -0,0 +1,60 @@
+import { IUseCase } from './use-case-orchestrator';
+import { EventBridgeHelper } from '../eventbridge/eventbridge-helper';
+import { S3Helper } from '../s3/s3-helper';
+
+type Config = {
+  templateId: string;
+  templateOwner: string;
+  files: Array<{
+    name?: string;
+    currentVersion?: string;
+    eventType: 'THREATS_FOUND' | 'NO_THREATS_FOUND' | 'UNSUPPORTED';
+  }>;
+};
+
+export class SimulateGuardDutyScan implements IUseCase<void> {
+  readonly #eventBridgeHelper: EventBridgeHelper;
+  readonly #s3Helper: S3Helper;
+  readonly #config: Config;
+
+  constructor(config: Config) {
+    this.#config = config;
+    this.#eventBridgeHelper = new EventBridgeHelper();
+    this.#s3Helper = new S3Helper();
+  }
+
+  async execute() {
+    for (const file of this.#config.files) {
+      if (!file.name || !file.currentVersion) {
+        throw new Error('No file name or file currentVersion', {
+          cause: file,
+        });
+      }
+
+      const s3FilePath = this.s3ObjectPath(file.name, file.currentVersion);
+
+      const s3VersionId = await this.#s3Helper.getVersionId(
+        process.env.TEMPLATES_QUARANTINE_BUCKET_NAME,
+        s3FilePath
+      );
+
+      if (!s3VersionId) {
+        throw new Error(`Unable to get versionId for ${s3FilePath}`);
+      }
+
+      this.#eventBridgeHelper.publishGuardDutyEvent(
+        s3FilePath,
+        s3VersionId,
+        file.eventType
+      );
+    }
+  }
+
+  private s3ObjectPath(file: string, versionId: string) {
+    return `${this.parentFolderByFileType(file)}/${this.#config.templateOwner}/${this.#config.templateId}/${versionId}/${file}`;
+  }
+
+  private parentFolderByFileType(file: string) {
+    return file.endsWith('.pdf') ? 'pdf-template' : 'csv-test-data';
+  }
+}
diff --git a/tests/test-team/package.json b/tests/test-team/package.json
@@ -3,6 +3,7 @@
     "@aws-sdk/client-appsync": "3.775.0",
     "@aws-sdk/client-cognito-identity-provider": "3.775.0",
     "@aws-sdk/client-dynamodb": "3.775.0",
+    "@aws-sdk/client-eventbridge": "^3.775.0",
     "@aws-sdk/client-lambda": "3.775.0",
     "@aws-sdk/client-s3": "3.775.0",
     "@aws-sdk/client-sqs": "3.775.0",
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-file-validation.e2e.spec.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-file-validation.e2e.spec.ts
diff --git a/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts b/tests/test-team/template-mgmt-e2e-tests/template-mgmt-letter-full.e2e.spec.ts
diff --git a/utils/backend-config/src/backend-config.ts b/utils/backend-config/src/backend-config.ts

Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,6 @@ module "backend_api" {`
`22`	`22`
`23`	`23`	`kms_key_arn = data.aws_kms_key.sandbox.arn`
`24`	`24`	`dynamodb_kms_key_arn = data.aws_kms_key.sandbox.arn`
	`25`	`+`
	`26`	`+ test_environment_mock_guardduty_event_source = "test.guardduty"`
`25`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,10 @@ output "download_bucket_regional_domain_name" {`
`10`	`10`	`value = module.s3bucket_download.bucket_regional_domain_name`
`11`	`11`	`}`
`12`	`12`
	`13`	`+output "guardduty_quarantine_arn" {`
	`14`	`+ value = aws_guardduty_malware_protection_plan.quarantine.arn`
	`15`	`+}`
	`16`	`+`
`13`	`17`	`output "internal_bucket_name" {`
`14`	`18`	`value = module.s3bucket_internal.id`
`15`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ declare global {`
`13`	`13`	`TEMPLATES_INTERNAL_BUCKET_NAME: string;`
`14`	`14`	`TEMPLATES_QUARANTINE_BUCKET_NAME: string;`
`15`	`15`	`TEMPLATES_DOWNLOAD_BUCKET_NAME: string;`
	`16`	`+ TEMPLATES_GUARDDUTY_RESOURCE_ARN: string;`
`16`	`17`	`}`
`17`	`18`	`}`
`18`	`19`