diff --git a/policies/s3/s3-bucket-block-public-read-access.sentinel b/policies/s3/s3-bucket-block-public-read-access.sentinel
index 20e57dc4..bd5175e8 100644
--- a/policies/s3/s3-bucket-block-public-read-access.sentinel
+++ b/policies/s3/s3-bucket-block-public-read-access.sentinel
@@ -5,113 +5,222 @@ # Imports +import "tfconfig/v2" as tfconfig import "tfstate/v2" as tfstate -import "tfplan/v2" as tfplan import "tfresources" as tf import "report" as report import "collection" as collection import "collection/maps" as maps +import "strings" +import "types" # Constants const = { "policy_name": "s3-bucket-block-public-read-access", "message": "S3 general purpose buckets should block public read access. Refer to https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-2 for more details.", + "resource_aws_s3_bucket": "aws_s3_bucket", + "resource_aws_s3_bucket_policy": "aws_s3_bucket_policy", "resource_aws_iam_policy_document": "aws_iam_policy_document", "resource_aws_s3_public_access_block": "aws_s3_bucket_public_access_block", "resource_aws_s3_bucket_acl": "aws_s3_bucket_acl", "Allow": "Allow", + "address": "address", + "module_address": "module_address", + "module_prefix": "module.", + "values": "values", + "variable": "variable", + "references": "references", "acl_not_valid_values": ["public-read", "public-read-write", "authenticated-read", "aws-exec-read"], "access_control_policy_not_valid_values": ["FULL_CONTROL", "READ", "READ_ACP"], } # Functions -# Function to get violations for data source aws_iam_policy_document for s3 bucket policy -get_policy_document_violations = func(resources) { - return collection.reject(resources, func(res) { - statements = maps.get(res, "values.statement", []) - if statements is null { - return true +# Removes module address prefix from a resource +# and returns back the localized address for a module. +resource_address_without_module_address = func(res) { + resource_addr = res[const.address] + + # Check for root module + if not strings.has_prefix(resource_addr, const.module_prefix) { + return resource_addr + } + + module_addr_prefix = res[const.module_address] + "." 
+ return strings.trim_prefix(resource_addr, module_addr_prefix) +} + +# Function to check if policy document has public read violations +has_public_read_policy_violation = func(res) { + policy = res.config.policy + if policy[const.references] is not defined or policy[const.references][1] not matches "^data.aws_iam_policy_document.(.*)$" { + return false + } + reference = policy[const.references][1] + + address = strings.trim_prefix(reference, "data.") + // Append the module address to the data source's local address + // in case of nested modules + if strings.has_prefix(res.module_address, const.module_prefix) { + address = res.module_address + "." + address + } + datasource = tf.state(tfstate.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined or datasource is empty { + address = "data." + address + datasource = tf.config(tfconfig.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined { + return false } - full_access = collection.find(statements, func(statement) { - actions = maps.get(statement, "actions", []) - return collection.find(actions, func(action) { - return action contains ":*" or action contains "s3:GetObject" or action contains "s3:GetBucket" - }) is defined and - maps.get(statement, "effect", "") == const.Allow - }) - return full_access is not defined or full_access is empty - }) -} - -# Function to get violations for resource aws_s3_bucket_public_access_block for s3 bucket -get_public_access_block_violations = func(resources) { - return collection.reject(resources, func(res) { - block_public_acls = maps.get(res, "values.block_public_acls", false) - ignore_public_acls = maps.get(res, "values.ignore_public_acls", false) - block_public_policy = maps.get(res, "values.block_public_policy", false) - restrict_public_buckets = maps.get(res, "values.restrict_public_buckets", false) - return block_public_acls and ignore_public_acls and block_public_policy and 
restrict_public_buckets - }) -} - -# Function to get violations for resource aws_s3_bucket_acl for s3 bucket -get_bucket_acl_violations = func(resources) { - return collection.reject(resources, func(res) { - acl_complaint = false - access_control_policy_complaint = false - - acl = maps.get(res, "values.acl", null) - if acl is not null { - if acl in const.acl_not_valid_values { - acl_complaint = false - } else { - acl_complaint = true + statements = datasource[0].config.statement + if statements is not defined { + return false + } + for statements as _, statement { + actions = maps.get(statement, "actions", {}) + effect = maps.get(statement, "effect", {}) + if (types.type_of(effect) is not "string" and effect.constant_value is const.Allow) or + (types.type_of(effect) is "string" and effect is const.Allow) { + if types.type_of(actions) is not "string" { + action_values = actions.constant_value + } else { + action_values = [actions] + } + if action_values is not defined { + continue + } + for action_values as _, action { + if action contains ":*" or action contains "s3:GetObject" or action contains "s3:GetBucket" { + return true + } + } } } - - access_control_policy = maps.get(res, "values.access_control_policy", []) - if access_control_policy is empty { - return acl_complaint + return false + } + + statements = datasource[0].values.statement + if statements is undefined { + return false + } + for statements as _, statement { + actions = maps.get(statement, "actions", []) + effect = maps.get(statement, "effect", "") + if effect is const.Allow { + for actions as _, action { + if action contains ":*" or action contains "s3:GetObject" or action contains "s3:GetBucket" { + return true + } + } } + } + return false +} +# Function to check if public access block has violations +has_public_access_block_violation = func(config) { + block_public_acls = maps.get(maps.get(config, "block_public_acls", {}), "constant_value", false) + ignore_public_acls = maps.get(maps.get(config, 
"ignore_public_acls", {}), "constant_value", false) + block_public_policy = maps.get(maps.get(config, "block_public_policy", {}), "constant_value", false) + restrict_public_buckets = maps.get(maps.get(config, "restrict_public_buckets", {}), "constant_value", false) + return not (block_public_acls and ignore_public_acls and block_public_policy and restrict_public_buckets) +} + +# Function to check if bucket ACL has violations +has_bucket_acl_violation = func(config) { + acl = maps.get(maps.get(config, "acl", {}), "constant_value", null) + if acl is not null and acl in const.acl_not_valid_values { + return true + } + access_control_policy = maps.get(maps.get(config, "access_control_policy", {}), "constant_value", []) + if access_control_policy is not empty { grant = maps.get(access_control_policy[0], "grant", []) - if grant is empty { - return acl_complaint + if grant is not empty { + permission = maps.get(grant[0], "permission", "") + if permission is not "" and permission in const.access_control_policy_not_valid_values { + return true + } } + } + return false +} - permission = maps.get(grant[0], "permission", "") - if permission is not "" and permission not in const.access_control_policy_not_valid_values { - access_control_policy_complaint = true - } +# Prefixes the referenced s3 bucket's address with +# the module address. This is done because resource +# addresses comprise of module addresses +sanitize_referenced_s3_bucket_address = func(res) { + module_addr = res[const.module_address] + if res.config.bucket.constant_value is defined { + return "" + } + + bucket_reference = res.config.bucket.references[1] + # Check for root module + if not strings.has_prefix(res[const.address], const.module_prefix) { + return bucket_reference + } + + return module_addr + "." 
+ bucket_reference +} + +build_violation_object = func(resource_addr, module_addr, message) { + return { + "address": resource_addr, + "module_address": module_addr, + "message": message, + } +} + +# Variables + +config_resources = tf.config(tfconfig.resources) +s3_bucket_resources = config_resources.type(const.resource_aws_s3_bucket).resources + +# Get bucket policy resources that have violations +bucket_policy_violations = filter config_resources.type(const.resource_aws_s3_bucket_policy).resources as _, res { + has_public_read_policy_violation(res) +} - return acl_complaint or access_control_policy_complaint - }) +# Get public access block resources that have violations +public_access_block_violations = filter config_resources.type(const.resource_aws_s3_public_access_block).resources as _, res { + has_public_access_block_violation(res.config) } -iam_policy_document_resources = tf.state(tfstate.resources).type(const.resource_aws_iam_policy_document).resources -public_access_block_resources = tf.plan(tfplan.planned_values.resources).type(const.resource_aws_s3_public_access_block).resources -bucket_acl_resources = tf.plan(tfplan.planned_values.resources).type(const.resource_aws_s3_bucket_acl).resources +# Get bucket ACL resources that have violations +bucket_acl_violations = filter config_resources.type(const.resource_aws_s3_bucket_acl).resources as _, res { + has_bucket_acl_violation(res.config) +} -violations = [] -violations += get_policy_document_violations(iam_policy_document_resources) -violations += get_public_access_block_violations(public_access_block_resources) -violations += get_bucket_acl_violations(bucket_acl_resources) +# Get bucket addresses that have policy violations +bucket_addresses_with_policy_violations = map bucket_policy_violations as _, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Get bucket addresses that have public access block violations +bucket_addresses_with_access_block_violations = map public_access_block_violations as 
_, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Get bucket addresses that have ACL violations +bucket_addresses_with_acl_violations = map bucket_acl_violations as _, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Find violations: buckets that have policy violations OR have access block violations OR have ACL violations +violations = filter s3_bucket_resources as _, res { + res.address in bucket_addresses_with_policy_violations or + res.address in bucket_addresses_with_access_block_violations or + res.address in bucket_addresses_with_acl_violations +} summary = { "policy_name": const.policy_name, "violations": map violations as _, v { - { - "address": v.address, - "module_address": v.module_address, - "message": const.message, - } + build_violation_object(v.address, v.module_address, const.message) }, } print(report.generate_policy_report(summary)) - main = rule { violations is empty } diff --git a/policies/s3/s3-bucket-block-public-write-access.sentinel b/policies/s3/s3-bucket-block-public-write-access.sentinel index 1c5ce570..9465a62a 100644 --- a/policies/s3/s3-bucket-block-public-write-access.sentinel +++ b/policies/s3/s3-bucket-block-public-write-access.sentinel 
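Review bot: `has_public_read_policy_violation` and `sanitize_referenced_s3_bucket_address` index `references[1]` without checking the list length, and both return early (`false` / `""`) whenever `policy` or `bucket` is a `constant_value`, so an inline policy document or a bucket attached by name is never evaluated and that bucket silently drops out of `violations`. A guard such as `if policy[const.references] is not defined or length(policy[const.references]) < 2 { return false }` avoids the out-of-range index, and the early returns deserve a comment such as `# inline (constant_value) policies are not inspected; only data.aws_iam_policy_document references are evaluated` so the gap is visible to the next reader. The action test `action contains ":*"` does not match a bare `"*"` action, which s3-require-ssl does handle with `contains "*"`; `if action is "*" or action contains ":*" or action contains "s3:GetObject" or action contains "s3:GetBucket" {` closes it. After the tfconfig fallback the code checks only null/undefined before reading `datasource[0].config.statement`, whereas the tfstate branch a few lines earlier also tests `is empty`, so an empty match list would presumably fail the evaluation here rather than return `false`. The write-access hunk below repeats all three points, and the tfconfig fallback added to `get_referenced_policy_statements` in s3-require-ssl has the same missing `is empty` check.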
@@ -5,99 +5,206 @@ # Imports +import "tfconfig/v2" as tfconfig import "tfstate/v2" as tfstate -import "tfplan/v2" as tfplan import "tfresources" as tf import "report" as report import "collection" as collection import "collection/maps" as maps +import "strings" +import "types" # Constants const = { "policy_name": "s3-bucket-block-public-write-access", "message": "S3 general purpose buckets should block public write access. Refer to https://docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-3 for more details.", + "resource_aws_s3_bucket": "aws_s3_bucket", + "resource_aws_s3_bucket_policy": "aws_s3_bucket_policy", "resource_aws_iam_policy_document": "aws_iam_policy_document", "resource_aws_s3_public_access_block": "aws_s3_bucket_public_access_block", "resource_aws_s3_bucket_acl": "aws_s3_bucket_acl", "Allow": "Allow", + "address": "address", + "module_address": "module_address", + "module_prefix": "module.", + "values": "values", + "variable": "variable", + "references": "references", "acl_not_valid_values": ["log-delivery-write", "public-read-write"], "access_control_policy_not_valid_values": ["FULL_CONTROL", "WRITE", "WRITE_ACP"], } # Functions -# Function to get violations for data source aws_iam_policy_document for s3 bucket policy -get_policy_document_violations = func(resources) { - return collection.reject(resources, func(res) { - statements = maps.get(res, "values.statement", []) - if statements is null { - return true - } - full_access = collection.find(statements, func(statement) { - actions = maps.get(statement, "actions", []) - return collection.find(actions, func(action) { - return action contains ":*" or action contains "s3:PutObject" - }) is defined and - maps.get(statement, "effect", "") == const.Allow - }) - return full_access is not defined or full_access is empty - }) -} +# Removes module address prefix from a resource +# and returns back the localized address for a module. 
+resource_address_without_module_address = func(res) { + resource_addr = res[const.address] -# Function to get violations for resource aws_s3_bucket_public_access_block for s3 bucket -get_public_access_block_violations = func(resources) { - return collection.reject(resources, func(res) { - block_public_acls = maps.get(res, "values.block_public_acls", false) - ignore_public_acls = maps.get(res, "values.ignore_public_acls", false) - block_public_policy = maps.get(res, "values.block_public_policy", false) - restrict_public_buckets = maps.get(res, "values.restrict_public_buckets", false) - return block_public_acls and ignore_public_acls and block_public_policy and restrict_public_buckets - }) + # Check for root module + if not strings.has_prefix(resource_addr, const.module_prefix) { + return resource_addr + } + + module_addr_prefix = res[const.module_address] + "." + return strings.trim_prefix(resource_addr, module_addr_prefix) } -# Function to get violations for resource aws_s3_bucket_acl for s3 bucket -get_bucket_acl_violations = func(resources) { - return collection.reject(resources, func(res) { - acl_complaint = false - access_control_policy_complaint = false - - acl = maps.get(res, "values.acl", null) - if acl is not null { - if acl in const.acl_not_valid_values { - acl_complaint = false - } else { - acl_complaint = true +# Function to check if policy document has public write violations +has_public_write_policy_violation = func(res) { + policy = res.config.policy + if policy[const.references] is not defined or policy[const.references][1] not matches "^data.aws_iam_policy_document.(.*)$" { + return false + } + reference = policy[const.references][1] + + address = strings.trim_prefix(reference, "data.") + // Append the module address to the data source's local address + // in case of nested modules + if strings.has_prefix(res.module_address, const.module_prefix) { + address = res.module_address + "." 
+ address + } + datasource = tf.state(tfstate.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined or datasource is empty { + address = "data." + address + datasource = tf.config(tfconfig.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined { + return false + } + statements = datasource[0].config.statement + if statements is not defined { + return false + } + for statements as _, statement { + actions = maps.get(statement, "actions", {}) + effect = maps.get(statement, "effect", {}) + if (types.type_of(effect) is not "string" and effect.constant_value is const.Allow) or + (types.type_of(effect) is "string" and effect is const.Allow) { + if types.type_of(actions) is not "string" { + action_values = actions.constant_value + } else { + action_values = [actions] + } + if action_values is not defined { + continue + } + for action_values as _, action { + if action contains ":*" or action contains "s3:PutObject" { + return true + } + } } } - - access_control_policy = maps.get(res, "values.access_control_policy", []) - if access_control_policy is empty { - return acl_complaint + return false + } + + statements = datasource[0].values.statement + if statements is not defined { + return false + } + for statements as _, statement { + actions = maps.get(statement, "actions", []) + effect = maps.get(statement, "effect", "") + if effect is const.Allow { + for actions as _, action { + if action contains ":*" or action contains "s3:PutObject" { + return true + } + } } + } + return false +} + +# Function to check if public access block has violations +has_public_access_block_violation = func(config) { + block_public_acls = maps.get(maps.get(config, "block_public_acls", {}), "constant_value", false) + ignore_public_acls = maps.get(maps.get(config, "ignore_public_acls", {}), "constant_value", false) + block_public_policy = maps.get(maps.get(config, "block_public_policy", {}), 
"constant_value", false) + restrict_public_buckets = maps.get(maps.get(config, "restrict_public_buckets", {}), "constant_value", false) + return not (block_public_acls and ignore_public_acls and block_public_policy and restrict_public_buckets) +} + +# Function to check if bucket ACL has violations +has_bucket_acl_violation = func(config) { + acl = maps.get(maps.get(config, "acl", {}), "constant_value", null) + if acl is not null and acl in const.acl_not_valid_values { + return true + } + access_control_policy = maps.get(maps.get(config, "access_control_policy", {}), "constant_value", []) + if access_control_policy is not empty { grant = maps.get(access_control_policy[0], "grant", []) - if grant is empty { - return acl_complaint + if grant is not empty { + permission = maps.get(grant[0], "permission", "") + if permission is not "" and permission in const.access_control_policy_not_valid_values { + return true + } } + } + return false +} - permission = maps.get(grant[0], "permission", "") - if permission is not "" and permission not in const.access_control_policy_not_valid_values { - access_control_policy_complaint = true - } +# Prefixes the referenced s3 bucket's address with +# the module address. This is done because resource +# addresses comprise of module addresses +sanitize_referenced_s3_bucket_address = func(res) { + module_addr = res[const.module_address] + if res.config.bucket.constant_value is defined { + return "" + } + + bucket_reference = res.config.bucket.references[1] + # Check for root module + if not strings.has_prefix(res[const.address], const.module_prefix) { + return bucket_reference + } + + return module_addr + "." 
+ bucket_reference +} + +# Variables - return acl_complaint or access_control_policy_complaint - }) +config_resources = tf.config(tfconfig.resources) +s3_bucket_resources = config_resources.type(const.resource_aws_s3_bucket).resources + +# Get bucket policy resources that have violations +bucket_policy_violations = filter config_resources.type(const.resource_aws_s3_bucket_policy).resources as _, res { + has_public_write_policy_violation(res) } -iam_policy_document_resources = tf.state(tfstate.resources).type(const.resource_aws_iam_policy_document).resources -public_access_block_resources = tf.plan(tfplan.planned_values.resources).type(const.resource_aws_s3_public_access_block).resources -bucket_acl_resources = tf.plan(tfplan.planned_values.resources).type(const.resource_aws_s3_bucket_acl).resources +# Get public access block resources that have violations +public_access_block_violations = filter config_resources.type(const.resource_aws_s3_public_access_block).resources as _, res { + has_public_access_block_violation(res.config) +} -violations = [] -violations += get_policy_document_violations(iam_policy_document_resources) -violations += get_public_access_block_violations(public_access_block_resources) -violations += get_bucket_acl_violations(bucket_acl_resources) +# Get bucket ACL resources that have violations +bucket_acl_violations = filter config_resources.type(const.resource_aws_s3_bucket_acl).resources as _, res { + has_bucket_acl_violation(res.config) +} + +# Get bucket addresses that have policy violations +bucket_addresses_with_policy_violations = map bucket_policy_violations as _, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Get bucket addresses that have public access block violations +bucket_addresses_with_access_block_violations = map public_access_block_violations as _, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Get bucket addresses that have ACL violations +bucket_addresses_with_acl_violations = map bucket_acl_violations 
as _, res { + sanitize_referenced_s3_bucket_address(res) +} + +# Find violations: buckets that have policy violations OR have access block violations OR have ACL violations +violations = filter s3_bucket_resources as _, res { + res.address in bucket_addresses_with_policy_violations or + res.address in bucket_addresses_with_access_block_violations or + res.address in bucket_addresses_with_acl_violations +} summary = { "policy_name": const.policy_name, diff --git a/policies/s3/s3-require-ssl.sentinel b/policies/s3/s3-require-ssl.sentinel index 960f8ebc..19399d6f 100644 --- a/policies/s3/s3-require-ssl.sentinel +++ b/policies/s3/s3-require-ssl.sentinel @@ -10,6 +10,7 @@ import "tfstate/v2" as tfstate import "tfresources" as tf import "report" as report import "strings" +import "types" import "collection" as collection import "collection/maps" as maps @@ -57,8 +58,19 @@ get_referenced_policy_statements = func(res) { if strings.has_prefix(res.module_address, const.module_prefix) { address = res.module_address + "." + address } - datasource = tf.state(tfstate.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined or datasource is empty { + address = "data." + address + datasource = tf.config(tfconfig.resources).mode("data").address(address).resources + if datasource is null or datasource is not defined { + return [] + } + return filter datasource[0].config.statement as _, statement { + statement.actions.constant_value contains "*" or any statement.actions.constant_value as _, action { + strings.has_prefix(action, "s3:") + } + } + } return filter datasource[0].values.statement as _, statement { statement.actions contains "*" or any statement.actions as _, action { strings.has_prefix(action, "s3:") 
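Review bot: The tfstate branch of `has_public_write_policy_violation` reads `if statements is not defined`, while the corresponding line in the read-access hunk reads `if statements is undefined`; the two policies are otherwise line-for-line copies and should use one form, and `is not defined` is the one used everywhere else in these hunks. `resource_address_without_module_address` is defined here but not called anywhere in the visible hunk, so either wire it in or drop it. The comments inside the policy-violation function switch from `#` to `//` (`// Append the module address …`), which the rest of the file does not use; keep `#` for consistency. Since every helper is duplicated across the read and write policies, each fix has to be applied twice; if the project uses Sentinel modules, the shared helpers would be better kept in one.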
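Review bot: In the new tfconfig fallback of `get_referenced_policy_statements`, `statement.actions.constant_value` is undefined when `actions` is not a literal list (a reference to a variable or local), so the `contains` and the `any` presumably evaluate to undefined and the statement drops out of the returned list; a Deny statement written that way would then not count as enforcing SSL. Reading the value through a default, `action_values = maps.get(maps.get(statement, "actions", {}), "constant_value", [])`, and testing `action_values` makes that behaviour explicit and fail-closed by design rather than by accident. `get_referenced_policy_statements` starts before and ends after this hunk.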
@@ -71,6 +83,12 @@ verify_ssl_status = func(conditions, desired_condition) { return false } return collection.find(conditions, func(condition) { + if (types.type_of(condition["test"]) is not "string" and types.type_of(condition["values"]) is not "string" and types.type_of(condition["variable"]) is not "string") { + return condition["test"].constant_value is "Bool" and + condition[const.values].constant_value contains desired_condition and + condition[const.variable].constant_value is "aws:SecureTransport" + + } return condition["test"] is "Bool" and condition[const.values] contains desired_condition and condition[const.variable] is "aws:SecureTransport" @@ -97,7 +115,7 @@ s3_bucket_resources = config_resources.type(const.resource_aws_s3_bucket).resour s3_bucket_policy_resources = config_resources.type(const.resource_aws_s3_bucket_policy).resources valid_bucket_policies = filter s3_bucket_policy_resources as _, res { any get_referenced_policy_statements(res) as _, stmt { - stmt["effect"] is "Deny" and is_ssl_disabled(stmt["condition"]) + (stmt["effect"] is "Deny" or (types.type_of(stmt["effect"]) is not "string" and stmt["effect"].constant_value is "Deny")) and (is_ssl_disabled(stmt["condition"])) } } s3_bucket_addresses = map valid_bucket_policies as _, res { diff --git a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-access-control-policy-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-access-control-policy-not-complaint.hcl index 0e3adf3d..d611ed11 100644 --- a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-access-control-policy-not-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-access-control-policy-not-complaint.hcl 
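Review bot: The added branch in `verify_ssl_status` is taken only when all three of `test`, `values` and `variable` are non-string (constant_value maps); a condition in which any one of them is a reference, e.g. `values = [var.require_ssl]`, falls through to the string comparisons, which presumably compare a map with a string and yield false, so that statement is not recognised as an SSL deny and the bucket is reported. That is the conservative outcome, but nothing in the code says so; a comment on the added `if`, such as `# conditions with any non-constant attribute are not recognised and the policy is treated as not enforcing SSL`, would record it. The blank line before the closing brace of the new block is stray. `verify_ssl_status` starts before this hunk and continues after it.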
@@ -1,9 +1,9 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -mock "tfplan/v2" { +mock "tfconfig/v2" { module { - source = "./mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel" + source = "./mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel" } } diff --git a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-acl-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-acl-not-complaint.hcl index 687ebed8..aaf8d199 100644 --- a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-acl-not-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-acl-not-complaint.hcl @@ -1,9 +1,9 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -mock "tfplan/v2" { +mock "tfconfig/v2" { module { - source = "./mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel" + source = "./mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel" } } diff --git a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-public-access-block-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-public-access-block-not-complaint.hcl index ed527a93..5b22d7a8 100644 --- a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-public-access-block-not-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-public-access-block-not-complaint.hcl @@ -1,9 +1,9 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -mock "tfplan/v2" { +mock "tfconfig/v2" { module { - source = "./mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel" + source = "./mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel" } } 
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-with-policy-document-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-with-policy-document-not-complaint.hcl index f7acd3b1..37a7d188 100644 --- a/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-with-policy-document-not-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-read-access/failure-s3-bucket-with-policy-document-not-complaint.hcl @@ -1,9 +1,9 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -mock "tfplan/v2" { +mock "tfconfig/v2" { module { - source = "./mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel" + source = "./mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel" } } diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..b92dccd6 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,67 @@ +# Copyright (c) HashiCorp, Inc. +# SPDX-License-Identifier: BUSL-1.1 + +resources = { + "aws_s3_bucket.insecure_bucket": { + "address": "aws_s3_bucket.insecure_bucket", + "config": { + "bucket": { + "constant_value": "insecure-bucket", + }, + "force_destroy": { + "constant_value": false, + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "insecure_bucket", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_s3_bucket", + }, + "aws_s3_bucket_acl.example": { + "address": "aws_s3_bucket_acl.example", + "config": { + "bucket": { + "references": [ + "aws_s3_bucket.insecure_bucket.id", + "aws_s3_bucket.insecure_bucket", + ], + }, + "access_control_policy": { + "constant_value": [ + { + "grant": [ + { + "grantee": [ + { + "id": "owner-id", + "type": "CanonicalUser", + }, + ], + "permission": "READ", + }, + ], + "owner": [ + { + "id": "owner-id", + }, + ], + }, + ], + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_s3_bucket_acl", + }, +} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel deleted file mode 100644 index d87e73e3..00000000 --- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel +++ /dev/null 
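Review bot: The `aws_s3_bucket_acl.example` fixture grants `READ` to a `CanonicalUser` with id `owner-id`, and this file is the "not compliant" case; a READ grant to a single canonical user is not public access, so the case fails only because `has_bucket_acl_violation` inspects `permission` and never the grantee `type`/`uri`. If the intent is to exercise a public grant, a Group grantee with the AllUsers URI (`"type": "Group"`, `"uri": "http://acs.amazonaws.com/groups/global/AllUsers"`) makes the fixture say what the test name claims; if the policy deliberately treats any READ grant as a finding, a comment at the top of the fixture saying so would save the next reader the question.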
@@ -1,446 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - 
"website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "access_control_policy": [ - { - "grant": [ - { - "permission": { - "constant_value": "READ", - }, - }, - ], - "owner": [ - { - "id": { - "constant_value": "id", - }, - }, - ], - }, - ], - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": 
"managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], 
- }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:03:50Z", -} 
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..c7c9277a
--- /dev/null
+++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel
@@ -0,0 +1,48 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "acl": {
+ "constant_value": "public-read",
+ },
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 6e0a6e18..00000000
--- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,323 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": 
"", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "acl": { - "constant_value": "public-read", - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": "managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - 
"replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [], - }, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [], - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:04:58Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..12213874 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_public_access_block.example": {
+ "address": "aws_s3_bucket_public_access_block.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ "block_public_acls": {
+ "constant_value": false,
+ },
+ "block_public_policy": {
+ "constant_value": false,
+ },
+ "ignore_public_acls": {
+ "constant_value": false,
+ },
+ "restrict_public_buckets": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_public_access_block",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 46bcbce3..00000000
--- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
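Review bot: All four flags of aws_s3_bucket_public_access_block.example are set to false in this fixture, whereas the tfplan mock it replaces left block_public_acls, block_public_policy and ignore_public_acls true and only restrict_public_buckets false. The new fixture therefore no longer demonstrates that a single disabled setting is enough to raise a violation, so a regression in which the policy only fails when every flag is false would pass this test. Suggest restoring the single-flag shape, `"restrict_public_buckets": { "constant_value": false }` with the other three `"constant_value": true`, or adding one fixture per flag.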
@@ -1,334 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": 
true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "expressions": { - "block_public_acls": { - "constant_value": true, - }, - "block_public_policy": { - "constant_value": true, - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - "ignore_public_acls": { - "constant_value": true, - }, - "restrict_public_buckets": { - "constant_value": false, - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - 
"type": "aws_s3_bucket_public_access_block", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": 
true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - "after_sensitive": {}, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:48:58Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..00ee8578 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,99 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_policy.example": {
+ "address": "aws_s3_bucket_policy.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ "policy": {
+ "references": [
+ "data.aws_iam_policy_document.policy.json",
+ "data.aws_iam_policy_document.policy",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_policy",
+ },
+ "data.aws_iam_policy_document.policy": {
+ "address": "data.aws_iam_policy_document.policy",
+ "config": {
+ "statement": [
+ {
+ "actions": {
+ "constant_value": [
+ "s3:GetObject",
+ "s3:GetBucket*",
+ ],
+ },
+ "effect": {
+ "constant_value": "Allow",
+ },
+ "principals": [
+ {
+ "identifiers": {
+ "constant_value": [
+ "*",
+ ],
+ },
+ "type": {
+ "constant_value": "AWS",
+ },
+ },
+ ],
+ "resources": {
+ "constant_value": [
+ "arn:aws:s3:::insecure-bucket",
+ "arn:aws:s3:::insecure-bucket/*",
+ ],
+ },
+ "sid": {
+ "constant_value": "AllowPublicReadAccess",
+ },
+ },
+ ],
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "data",
+ "module_address": "",
+ "name": "policy",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_iam_policy_document",
+ },
+}
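Review bot: The statement in data.aws_iam_policy_document.policy carries no condition block, so the fixture only covers the unconditional `identifiers = ["*"]` case; whether the policy treats a wildcard principal narrowed by a condition (which AWS does not count as public) the same way is left untested, and I cannot tell from this hunk how the policy handles conditions. A companion fixture with the same statement plus a condition block, labelled compliant or not according to the intended behaviour, would pin that decision. The sid "AllowPublicReadAccess" also suggests a comment at the top of the file stating that this mock intentionally grants anonymous s3:GetObject so the failure expectation is obvious to the next maintainer.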
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel deleted file mode 100644 index 8faa76e2..00000000 --- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel +++ /dev/null 
@@ -1,335 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - 
"name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "data.aws_iam_policy_document.example", - "expressions": { - "statement": [ - { - "actions": { - "constant_value": [ - "s3:GetBucket", - "s3:GetObject", - ], - }, - "effect": { - "constant_value": "Allow", - }, - "principals": [ - { - "identifiers": { - "constant_value": [ - "*", - ], - }, - "type": { - "constant_value": "AWS", - }, - }, - ], - "resources": { - "constant_value": [ - "arn:aws:s3:::*", - ], - }, - "sid": { - "constant_value": "1", - }, - }, - ], - }, - "mode": "data", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_iam_policy_document", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - ], - }, - }, - "prior_state": { - "format_version": "1.0", - "terraform_version": "1.9.4", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_iam_policy_document.example", - "mode": "data", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - 
"actions": [ - false, - false, - ], - "condition": [], - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - false, - ], - }, - ], - "resources": [ - false, - ], - }, - ], - }, - "type": "aws_iam_policy_document", - "values": { - "id": "3619922110", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\",\n \"s3:GetBucket\"\n ],\n \"Resource\": \"arn:aws:s3:::*\",\n \"Principal\": {\n \"AWS\": \"*\"\n }\n }\n ]\n}", - "minified_json": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:GetBucket\"],\"Resource\":\"arn:aws:s3:::*\",\"Principal\":{\"AWS\":\"*\"}}]}", - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "s3:GetBucket", - "s3:GetObject", - ], - "condition": [], - "effect": "Allow", - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - "*", - ], - "type": "AWS", - }, - ], - "resources": [ - "arn:aws:s3:::*", - ], - "sid": "1", - }, - ], - "version": "2012-10-17", - }, - }, - ], - }, - }, - }, - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": 
true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:55:44Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..07b74b71 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "access_control_policy": {
+ "constant_value": [
+ {
+ "grant": [
+ {
+ "grantee": [
+ {
+ "id": "owner-id",
+ "type": "CanonicalUser",
+ },
+ ],
+ "permission": "WRITE",
+ },
+ ],
+ "owner": [
+ {
+ "id": "owner-id",
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 77444168..00000000
--- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,446 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - 
"website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "access_control_policy": [ - { - "grant": [ - { - "permission": { - "constant_value": "WRITE", - }, - }, - ], - "owner": [ - { - "id": { - "constant_value": "id", - }, - }, - ], - }, - ], - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": 
"managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": 
[], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:03:16Z", -} 
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..a44d5d3a
--- /dev/null
+++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel
@@ -0,0 +1,48 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "acl": {
+ "constant_value": "private",
+ },
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index a8dd7fd9..00000000
--- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,323 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "private", - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", 
- "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "private", - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "acl": { - "constant_value": "private", - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": "managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - 
"replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [], - }, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "private", - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "private", - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [], - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:00:33Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..88d9a464 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_public_access_block.example": {
+ "address": "aws_s3_bucket_public_access_block.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "block_public_acls": {
+ "constant_value": true,
+ },
+ "block_public_policy": {
+ "constant_value": true,
+ },
+ "ignore_public_acls": {
+ "constant_value": true,
+ },
+ "restrict_public_buckets": {
+ "constant_value": true,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_public_access_block",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 845dea71..00000000
--- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,334 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": 
true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "expressions": { - "block_public_acls": { - "constant_value": true, - }, - "block_public_policy": { - "constant_value": true, - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - "ignore_public_acls": { - "constant_value": true, - }, - "restrict_public_buckets": { - "constant_value": true, - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": 
"aws_s3_bucket_public_access_block", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - 
"hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - "after_sensitive": {}, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:48:25Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..7f44e7d7 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,98 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_policy.example": {
+ "address": "aws_s3_bucket_policy.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "policy": {
+ "references": [
+ "data.aws_iam_policy_document.policy.json",
+ "data.aws_iam_policy_document.policy",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_policy",
+ },
+ "data.aws_iam_policy_document.policy": {
+ "address": "data.aws_iam_policy_document.policy",
+ "config": {
+ "statement": [
+ {
+ "actions": {
+ "constant_value": [
+ "s3:ListBucket",
+ ],
+ },
+ "effect": {
+ "constant_value": "Allow",
+ },
+ "principals": [
+ {
+ "identifiers": {
+ "constant_value": [
+ "*",
+ ],
+ },
+ "type": {
+ "constant_value": "AWS",
+ },
+ },
+ ],
+ "resources": {
+ "constant_value": [
+ "arn:aws:s3:::my-bucket",
+ "arn:aws:s3:::my-bucket/*",
+ ],
+ },
+ "sid": {
+ "constant_value": "DenyPublicReadAccess",
+ },
+ },
+ ],
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "data",
+ "module_address": "",
+ "name": "policy",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_iam_policy_document",
+ },
+}
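Review bot: This fixture is wired to a success (compliant) test, yet its only statement is `"effect": { "constant_value": "Allow" }` with principal `"*"` and action `s3:ListBucket` on the bucket, which is an anonymous read grant, while the sid reads `DenyPublicReadAccess` and the tfplan mock it replaces used `Deny`. If the policy under test does not count `s3:ListBucket` among its read actions, the case passes only because of that omission rather than because the document is compliant, so it is worth checking against the policy's action list (not visible in this hunk). Either change the effect to `"constant_value": "Deny"` so it matches the sid and the replaced fixture, or add a comment in the fixture explaining why an `Allow` to `*` is expected to pass.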
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel deleted file mode 100644 index 61efe171..00000000 --- a/policies/s3/test/s3-bucket-block-public-read-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel +++ /dev/null 
@@ -1,335 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - 
"name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "data.aws_iam_policy_document.example", - "expressions": { - "statement": [ - { - "actions": { - "constant_value": [ - "s3:GetBucket", - "s3:GetObject", - ], - }, - "effect": { - "constant_value": "Deny", - }, - "principals": [ - { - "identifiers": { - "constant_value": [ - "*", - ], - }, - "type": { - "constant_value": "AWS", - }, - }, - ], - "resources": { - "constant_value": [ - "arn:aws:s3:::*", - ], - }, - "sid": { - "constant_value": "1", - }, - }, - ], - }, - "mode": "data", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_iam_policy_document", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - ], - }, - }, - "prior_state": { - "format_version": "1.0", - "terraform_version": "1.9.4", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_iam_policy_document.example", - "mode": "data", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - 
"actions": [ - false, - false, - ], - "condition": [], - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - false, - ], - }, - ], - "resources": [ - false, - ], - }, - ], - }, - "type": "aws_iam_policy_document", - "values": { - "id": "3129023871", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"1\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"s3:GetObject\",\n \"s3:GetBucket\"\n ],\n \"Resource\": \"arn:aws:s3:::*\",\n \"Principal\": {\n \"AWS\": \"*\"\n }\n }\n ]\n}", - "minified_json": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Deny\",\"Action\":[\"s3:GetObject\",\"s3:GetBucket\"],\"Resource\":\"arn:aws:s3:::*\",\"Principal\":{\"AWS\":\"*\"}}]}", - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "s3:GetBucket", - "s3:GetObject", - ], - "condition": [], - "effect": "Deny", - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - "*", - ], - "type": "AWS", - }, - ], - "resources": [ - "arn:aws:s3:::*", - ], - "sid": "1", - }, - ], - "version": "2012-10-17", - }, - }, - ], - }, - }, - }, - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, 
- "grant": true,
- "hosted_zone_id": true,
- "id": true,
- "lifecycle_rule": true,
- "logging": true,
- "object_lock_configuration": true,
- "object_lock_enabled": true,
- "policy": true,
- "region": true,
- "replication_configuration": true,
- "request_payer": true,
- "server_side_encryption_configuration": true,
- "tags_all": true,
- "versioning": true,
- "website": true,
- "website_domain": true,
- "website_endpoint": true,
- },
- "before": null,
- "before_sensitive": false,
- },
- "mode": "managed",
- "name": "secure_bucket",
- "provider_name": "registry.terraform.io/hashicorp/aws",
- "type": "aws_s3_bucket",
- },
- ],
- "terraform_version": "1.9.4",
- "timestamp": "2025-02-10T10:03:50Z",
-}
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-access-control-policy-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-access-control-policy-complaint.hcl
index 94cb4d29..8cd5fcf3 100644
--- a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-access-control-policy-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-access-control-policy-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-acl-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-acl-complaint.hcl
index 5cd761b8..b7485350 100644
--- a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-acl-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-acl-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-public-access-block-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-public-access-block-complaint.hcl
index 045f8ff4..0e24c842 100644
--- a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-public-access-block-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-public-access-block-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-with-policy-document-complaint.hcl b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-with-policy-document-complaint.hcl
index 83f41eba..26f0375b 100644
--- a/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-with-policy-document-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-read-access/success-s3-bucket-with-policy-document-complaint.hcl
@@ -1,14 +1,12 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel"
 }
 }
-
-
 mock "tfstate/v2" {
 module {
 source = "./mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfstate-v2.sentinel"
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-access-control-policy-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-access-control-policy-not-complaint.hcl
index 0e3adf3d..d611ed11 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-access-control-policy-not-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-access-control-policy-not-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-acl-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-acl-not-complaint.hcl
index 687ebed8..aaf8d199 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-acl-not-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-acl-not-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-public-access-block-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-public-access-block-not-complaint.hcl
index ed527a93..5b22d7a8 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-public-access-block-not-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-public-access-block-not-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-with-policy-document-not-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-with-policy-document-not-complaint.hcl
index f7acd3b1..37a7d188 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-with-policy-document-not-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/failure-s3-bucket-with-policy-document-not-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..de7c6737
--- /dev/null
+++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfconfig-v2.sentinel
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ "access_control_policy": {
+ "constant_value": [
+ {
+ "grant": [
+ {
+ "grantee": [
+ {
+ "id": "owner-id",
+ "type": "CanonicalUser",
+ },
+ ],
+ "permission": "WRITE",
+ },
+ ],
+ "owner": [
+ {
+ "id": "owner-id",
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index db485caa..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-access-control-policy-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
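Review bot: The grant meant to trigger the public-write violation names a `CanonicalUser` grantee whose `id` is the same `owner-id` as the bucket owner, i.e. a `WRITE` grant to the owner, which is not public write access. The test therefore only fails if the policy flags every `WRITE` permission regardless of who the grantee is; the read-access policy's `access_control_policy_not_valid_values` list is permission-only, so I infer the write policy behaves the same, but that makes this fixture exercise the wrong thing. A fixture for this control should grant to a `Group` grantee with the AllUsers or AuthenticatedUsers URI so the failure is attributable to a public grant, or carry a comment stating that the grantee is deliberately irrelevant to the check.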
@@ -1,446 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - 
"website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "access_control_policy": [ - { - "grant": [ - { - "permission": { - "constant_value": "READ", - }, - }, - ], - "owner": [ - { - "id": { - "constant_value": "id", - }, - }, - ], - }, - ], - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": 
"managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], 
- }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:03:50Z", -} 
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..176ca6f2
--- /dev/null
+++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfconfig-v2.sentinel
@@ -0,0 +1,48 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "acl": {
+ "constant_value": "public-read-write",
+ },
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index b2494742..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-acl-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,323 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "log-delivery-write", - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - 
"module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "acl": { - "constant_value": "public-read", - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": "managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - 
"object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [], - }, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": 
"secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "public-read", - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [], - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:04:58Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..12213874 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_public_access_block.example": {
+ "address": "aws_s3_bucket_public_access_block.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ "block_public_acls": {
+ "constant_value": false,
+ },
+ "block_public_policy": {
+ "constant_value": false,
+ },
+ "ignore_public_acls": {
+ "constant_value": false,
+ },
+ "restrict_public_buckets": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_public_access_block",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 46bcbce3..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-public-access-block-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
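Review bot: Every security-relevant attribute in this fixture (`block_public_acls`, `block_public_policy`, `ignore_public_acls`, `restrict_public_buckets`) is given as a `constant_value`, and `references` appears only on `bucket`; the same holds for the other new tfconfig mocks in this commit (the policy-document, access-control-policy and acl fixtures). Since the policy now evaluates configuration instead of planned values, and the new constants `variable`/`references` suggest it resolves references, a fixture where one of these settings is supplied as `{"references": ["var.block_public_acls"]}` together with the variable it points at would pin whether a variable-driven or unresolvable setting is reported (fails closed) or silently passes as compliant. None of the new mocks sets a non-empty `module_address` either, although module-address handling was added to the policy; if such fixtures exist elsewhere in the commit, disregard this. The new directory names also carry forward the pre-existing `complaint`/`not-complaint` spelling where `compliant` is meant.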
@@ -1,334 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": 
true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "expressions": { - "block_public_acls": { - "constant_value": true, - }, - "block_public_policy": { - "constant_value": true, - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - "ignore_public_acls": { - "constant_value": true, - }, - "restrict_public_buckets": { - "constant_value": false, - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - 
"type": "aws_s3_bucket_public_access_block", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": 
true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": false, - }, - "after_sensitive": {}, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:48:58Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..1ab3447d --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,99 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.insecure_bucket": {
+ "address": "aws_s3_bucket.insecure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "insecure-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "insecure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_policy.example": {
+ "address": "aws_s3_bucket_policy.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.insecure_bucket.id",
+ "aws_s3_bucket.insecure_bucket",
+ ],
+ },
+ "policy": {
+ "references": [
+ "data.aws_iam_policy_document.policy.json",
+ "data.aws_iam_policy_document.policy",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_policy",
+ },
+ "data.aws_iam_policy_document.policy": {
+ "address": "data.aws_iam_policy_document.policy",
+ "config": {
+ "statement": [
+ {
+ "actions": {
+ "constant_value": [
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ ],
+ },
+ "effect": {
+ "constant_value": "Allow",
+ },
+ "principals": [
+ {
+ "identifiers": {
+ "constant_value": [
+ "*",
+ ],
+ },
+ "type": {
+ "constant_value": "AWS",
+ },
+ },
+ ],
+ "resources": {
+ "constant_value": [
+ "arn:aws:s3:::insecure-bucket",
+ "arn:aws:s3:::insecure-bucket/*",
+ ],
+ },
+ "sid": {
+ "constant_value": "AllowPublicWriteAccess",
+ },
+ },
+ ],
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "data",
+ "module_address": "",
+ "name": "policy",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_iam_policy_document",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 8faa76e2..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-failure-s3-bucket-with-policy-document-not-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,335 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - 
"name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "data.aws_iam_policy_document.example", - "expressions": { - "statement": [ - { - "actions": { - "constant_value": [ - "s3:GetBucket", - "s3:GetObject", - ], - }, - "effect": { - "constant_value": "Allow", - }, - "principals": [ - { - "identifiers": { - "constant_value": [ - "*", - ], - }, - "type": { - "constant_value": "AWS", - }, - }, - ], - "resources": { - "constant_value": [ - "arn:aws:s3:::*", - ], - }, - "sid": { - "constant_value": "1", - }, - }, - ], - }, - "mode": "data", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_iam_policy_document", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - ], - }, - }, - "prior_state": { - "format_version": "1.0", - "terraform_version": "1.9.4", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_iam_policy_document.example", - "mode": "data", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - 
"actions": [ - false, - false, - ], - "condition": [], - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - false, - ], - }, - ], - "resources": [ - false, - ], - }, - ], - }, - "type": "aws_iam_policy_document", - "values": { - "id": "3619922110", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:GetObject\",\n \"s3:GetBucket\"\n ],\n \"Resource\": \"arn:aws:s3:::*\",\n \"Principal\": {\n \"AWS\": \"*\"\n }\n }\n ]\n}", - "minified_json": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:GetBucket\"],\"Resource\":\"arn:aws:s3:::*\",\"Principal\":{\"AWS\":\"*\"}}]}", - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "s3:GetBucket", - "s3:GetObject", - ], - "condition": [], - "effect": "Allow", - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - "*", - ], - "type": "AWS", - }, - ], - "resources": [ - "arn:aws:s3:::*", - ], - "sid": "1", - }, - ], - "version": "2012-10-17", - }, - }, - ], - }, - }, - }, - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": 
true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:55:44Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..449c21e3 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,67 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "access_control_policy": {
+ "constant_value": [
+ {
+ "grant": [
+ {
+ "grantee": [
+ {
+ "id": "owner-id",
+ "type": "CanonicalUser",
+ },
+ ],
+ "permission": "READ",
+ },
+ ],
+ "owner": [
+ {
+ "id": "owner-id",
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index aa02f87c..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
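Review bot: `access_control_policy` is modelled here as a single `constant_value` holding the whole nested grant/owner structure, whereas the `statement` block in the new policy-document fixture and the old raw `configuration` section for this very resource express nested blocks as lists of block objects whose attributes each carry their own `constant_value`/`references`; a policy that passes against this shape may not be exercising the code path that real configuration produces, so a non-compliant grant could be missed in production while the test stays green. The success case also moved from `permission: "WRITE"` with an empty grantee to `permission: "READ"` for a `CanonicalUser`; if, as the old fixture's WRITE success case suggests, the write policy only flags WRITE/WRITE_ACP grants to public groups, a READ grant passes regardless of grantee and the grantee check is no longer exercised at all. Consider keeping a WRITE grant to the `CanonicalUser` and shaping the block the way the other fixture shapes `statement`, as sketched below.
```sentinel
# … unchanged: bucket reference …
"access_control_policy": [
  {
    "grant": [
      {
        "grantee": [
          {
            "id": {
              "constant_value": "owner-id",
            },
            "type": {
              "constant_value": "CanonicalUser",
            },
          },
        ],
        "permission": {
          "constant_value": "WRITE",
        },
      },
    ],
    "owner": [
      {
        "id": {
          "constant_value": "owner-id",
        },
      },
    ],
  },
],
# … unchanged: count, depends_on, for_each, mode, module_address, name, provider_config_key, provisioners, type …
```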
@@ -1,446 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "READ", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - 
"website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "access_control_policy": [ - { - "grant": [ - { - "permission": { - "constant_value": "WRITE", - }, - }, - ], - "owner": [ - { - "id": { - "constant_value": "id", - }, - }, - ], - }, - ], - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": 
"managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "type": "aws_s3_bucket_acl", - "values": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": 
[], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - "permission": "WRITE", - }, - ], - "owner": [ - { - "id": "id", - }, - ], - }, - ], - "acl": null, - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - {}, - ], - }, - ], - }, - "after_unknown": { - "access_control_policy": [ - { - "grant": [ - { - "grantee": [], - }, - ], - "owner": [ - { - "display_name": true, - }, - ], - }, - ], - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:03:16Z", -} 
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..a44d5d3a
--- /dev/null
+++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel
@@ -0,0 +1,48 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_acl.example": {
+ "address": "aws_s3_bucket_acl.example",
+ "config": {
+ "acl": {
+ "constant_value": "private",
+ },
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_acl",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index a8dd7fd9..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,323 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "private", - "expected_bucket_owner": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", 
- "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_acl.example": { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "private", - "expected_bucket_owner": null, - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "expressions": { - "acl": { - "constant_value": "private", - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - }, - "mode": "managed", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket_acl", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - 
"replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_acl.example", - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "access_control_policy": [], - }, - "type": "aws_s3_bucket_acl", - "values": { - "acl": "private", - "expected_bucket_owner": null, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": 
"registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_acl.example", - "change": { - "actions": [ - "create", - ], - "after": { - "acl": "private", - "expected_bucket_owner": null, - }, - "after_sensitive": { - "access_control_policy": [], - }, - "after_unknown": { - "access_control_policy": true, - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_acl", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T10:00:33Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..88d9a464 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,57 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_public_access_block.example": {
+ "address": "aws_s3_bucket_public_access_block.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "block_public_acls": {
+ "constant_value": true,
+ },
+ "block_public_policy": {
+ "constant_value": true,
+ },
+ "ignore_public_acls": {
+ "constant_value": true,
+ },
+ "restrict_public_buckets": {
+ "constant_value": true,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_public_access_block",
+ },
+}
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 845dea71..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,334 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": 
true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - "aws_s3_bucket_public_access_block.secure_bucket": { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - "name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "expressions": { - "block_public_acls": { - "constant_value": true, - }, - "block_public_policy": { - "constant_value": true, - }, - "bucket": { - "references": [ - "aws_s3_bucket.secure_bucket.id", - "aws_s3_bucket.secure_bucket", - ], - }, - "ignore_public_acls": { - "constant_value": true, - }, - "restrict_public_buckets": { - "constant_value": true, - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": 
"aws_s3_bucket_public_access_block", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": {}, - "type": "aws_s3_bucket_public_access_block", - "values": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - }, - ], - }, - }, - "relevant_attributes": [ - { - "attribute": [ - "id", - ], - "resource": "aws_s3_bucket.secure_bucket", - }, - ], - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - 
"hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - { - "address": "aws_s3_bucket_public_access_block.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "block_public_acls": true, - "block_public_policy": true, - "ignore_public_acls": true, - "restrict_public_buckets": true, - }, - "after_sensitive": {}, - "after_unknown": { - "bucket": true, - "id": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket_public_access_block", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:48:25Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel new file mode 100644 index 00000000..99626d80 --- /dev/null +++ b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel 
@@ -0,0 +1,98 @@
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+resources = {
+ "aws_s3_bucket.secure_bucket": {
+ "address": "aws_s3_bucket.secure_bucket",
+ "config": {
+ "bucket": {
+ "constant_value": "my-bucket",
+ },
+ "force_destroy": {
+ "constant_value": false,
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "secure_bucket",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket",
+ },
+ "aws_s3_bucket_policy.example": {
+ "address": "aws_s3_bucket_policy.example",
+ "config": {
+ "bucket": {
+ "references": [
+ "aws_s3_bucket.secure_bucket.id",
+ "aws_s3_bucket.secure_bucket",
+ ],
+ },
+ "policy": {
+ "references": [
+ "data.aws_iam_policy_document.policy.json",
+ "data.aws_iam_policy_document.policy",
+ ],
+ },
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "managed",
+ "module_address": "",
+ "name": "example",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_s3_bucket_policy",
+ },
+ "data.aws_iam_policy_document.policy": {
+ "address": "data.aws_iam_policy_document.policy",
+ "config": {
+ "statement": [
+ {
+ "actions": {
+ "constant_value": [
+ "s3:ListBucket",
+ ],
+ },
+ "effect": {
+ "constant_value": "Deny",
+ },
+ "principals": [
+ {
+ "identifiers": {
+ "constant_value": [
+ "*",
+ ],
+ },
+ "type": {
+ "constant_value": "AWS",
+ },
+ },
+ ],
+ "resources": {
+ "constant_value": [
+ "arn:aws:s3:::my-bucket",
+ "arn:aws:s3:::my-bucket/*",
+ ],
+ },
+ "sid": {
+ "constant_value": "DenyPublicWriteAccess",
+ },
+ },
+ ],
+ },
+ "count": {},
+ "depends_on": [],
+ "for_each": {},
+ "mode": "data",
+ "module_address": "",
+ "name": "policy",
+ "provider_config_key": "aws",
+ "provisioners": [],
+ "type": "aws_iam_policy_document",
+ },
+}
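Review bot: The single statement in this fixture is labelled `"sid": "DenyPublicWriteAccess"` but its only action is `"s3:ListBucket"`, a read-side action, so the name and the content of this "block public write" success case disagree; putting a write action such as `"s3:PutObject"` in that `constant_value` list would make the fixture test what its name claims. Because the document holds one `Deny` and no `Allow` statement at all, this case presumably passes without ever exercising a branch for an `Allow` statement whose principal is not public — if the policy has such a branch, a companion fixture with an `Allow` and a scoped principal would cover it. Unlike the generated tfconfig/v2 mock added under `policies/s3/test/s3-require-ssl/mocks/`, this hand-trimmed mock exposes only `resources` (no `providers`, `variables`, `outputs`, `module_calls`), which is fine only if the policy and the `tfresources` module read nothing else from the import; I cannot confirm that from here.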
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel b/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel
deleted file mode 100644
index 61efe171..00000000
--- a/policies/s3/test/s3-bucket-block-public-write-access/mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel
+++ /dev/null
@@ -1,335 +0,0 @@ -# Copyright (c) HashiCorp, Inc. -# SPDX-License-Identifier: BUSL-1.1 - -terraform_version = "1.9.4" - -planned_values = { - "outputs": {}, - "resources": { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "depends_on": [], - "deposed_key": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "tainted": false, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - }, -} - -variables = {} - -resource_changes = { - "aws_s3_bucket.secure_bucket": { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, - "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - }, - "deposed": "", - "index": null, - "mode": "managed", - "module_address": "", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, -} - -resource_drift = {} - -output_changes = {} - -raw = { - "complete": true, - "configuration": { - "provider_config": { - "aws": { - "expressions": { - "region": { - "constant_value": "us-east-2", - }, - }, - "full_name": "registry.terraform.io/hashicorp/aws", - 
"name": "aws", - }, - }, - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "expressions": { - "bucket": { - "constant_value": "my-bucket", - }, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_s3_bucket", - }, - { - "address": "data.aws_iam_policy_document.example", - "expressions": { - "statement": [ - { - "actions": { - "constant_value": [ - "s3:GetBucket", - "s3:GetObject", - ], - }, - "effect": { - "constant_value": "Deny", - }, - "principals": [ - { - "identifiers": { - "constant_value": [ - "*", - ], - }, - "type": { - "constant_value": "AWS", - }, - }, - ], - "resources": { - "constant_value": [ - "arn:aws:s3:::*", - ], - }, - "sid": { - "constant_value": "1", - }, - }, - ], - }, - "mode": "data", - "name": "example", - "provider_config_key": "aws", - "schema_version": 0, - "type": "aws_iam_policy_document", - }, - ], - }, - }, - "format_version": "1.2", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_s3_bucket.secure_bucket", - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "type": "aws_s3_bucket", - "values": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - }, - ], - }, - }, - "prior_state": { - "format_version": "1.0", - "terraform_version": "1.9.4", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_iam_policy_document.example", - "mode": "data", - "name": "example", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "sensitive_values": { - "statement": [ - { - 
"actions": [ - false, - false, - ], - "condition": [], - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - false, - ], - }, - ], - "resources": [ - false, - ], - }, - ], - }, - "type": "aws_iam_policy_document", - "values": { - "id": "3129023871", - "json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"1\",\n \"Effect\": \"Deny\",\n \"Action\": [\n \"s3:GetObject\",\n \"s3:GetBucket\"\n ],\n \"Resource\": \"arn:aws:s3:::*\",\n \"Principal\": {\n \"AWS\": \"*\"\n }\n }\n ]\n}", - "minified_json": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"1\",\"Effect\":\"Deny\",\"Action\":[\"s3:GetObject\",\"s3:GetBucket\"],\"Resource\":\"arn:aws:s3:::*\",\"Principal\":{\"AWS\":\"*\"}}]}", - "override_json": null, - "override_policy_documents": null, - "policy_id": null, - "source_json": null, - "source_policy_documents": null, - "statement": [ - { - "actions": [ - "s3:GetBucket", - "s3:GetObject", - ], - "condition": [], - "effect": "Deny", - "not_actions": [], - "not_principals": [], - "not_resources": [], - "principals": [ - { - "identifiers": [ - "*", - ], - "type": "AWS", - }, - ], - "resources": [ - "arn:aws:s3:::*", - ], - "sid": "1", - }, - ], - "version": "2012-10-17", - }, - }, - ], - }, - }, - }, - "resource_changes": [ - { - "address": "aws_s3_bucket.secure_bucket", - "change": { - "actions": [ - "create", - ], - "after": { - "bucket": "my-bucket", - "force_destroy": false, - "tags": null, - "timeouts": null, - }, - "after_sensitive": { - "cors_rule": [], - "grant": [], - "lifecycle_rule": [], - "logging": [], - "object_lock_configuration": [], - "replication_configuration": [], - "server_side_encryption_configuration": [], - "tags_all": {}, - "versioning": [], - "website": [], - }, - "after_unknown": { - "acceleration_status": true, - "acl": true, - "arn": true, - "bucket_domain_name": true, - "bucket_prefix": true, - "bucket_regional_domain_name": true, - "cors_rule": true, 
- "grant": true, - "hosted_zone_id": true, - "id": true, - "lifecycle_rule": true, - "logging": true, - "object_lock_configuration": true, - "object_lock_enabled": true, - "policy": true, - "region": true, - "replication_configuration": true, - "request_payer": true, - "server_side_encryption_configuration": true, - "tags_all": true, - "versioning": true, - "website": true, - "website_domain": true, - "website_endpoint": true, - }, - "before": null, - "before_sensitive": false, - }, - "mode": "managed", - "name": "secure_bucket", - "provider_name": "registry.terraform.io/hashicorp/aws", - "type": "aws_s3_bucket", - }, - ], - "terraform_version": "1.9.4", - "timestamp": "2025-02-10T09:56:24Z", -} diff --git a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-access-control-policy-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-access-control-policy-complaint.hcl index 94cb4d29..8cd5fcf3 100644 --- a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-access-control-policy-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-access-control-policy-complaint.hcl @@ -1,9 +1,9 @@ # Copyright (c) HashiCorp, Inc. # SPDX-License-Identifier: BUSL-1.1 -mock "tfplan/v2" { +mock "tfconfig/v2" { module { - source = "./mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfplan-v2.sentinel" + source = "./mocks/policy-success-s3-bucket-access-control-policy-complaint/mock-tfconfig-v2.sentinel" } } diff --git a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-acl-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-acl-complaint.hcl index 5cd761b8..b7485350 100644 --- a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-acl-complaint.hcl +++ b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-acl-complaint.hcl 
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-acl-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-acl-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-public-access-block-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-public-access-block-complaint.hcl
index 045f8ff4..1375f398 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-public-access-block-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-public-access-block-complaint.hcl
@@ -1,14 +1,12 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfconfig-v2.sentinel"
 }
 }
-
-
 mock "tfstate/v2" {
 module {
 source = "./mocks/policy-success-s3-bucket-public-access-block-complaint/mock-tfstate-v2.sentinel"
diff --git a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-with-policy-document-complaint.hcl b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-with-policy-document-complaint.hcl
index 83f41eba..abc34678 100644
--- a/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-with-policy-document-complaint.hcl
+++ b/policies/s3/test/s3-bucket-block-public-write-access/success-s3-bucket-with-policy-document-complaint.hcl
@@ -1,9 +1,9 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: BUSL-1.1
-mock "tfplan/v2" {
+mock "tfconfig/v2" {
 module {
- source = "./mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfplan-v2.sentinel"
+ source = "./mocks/policy-success-s3-bucket-with-policy-document-complaint/mock-tfconfig-v2.sentinel"
 }
 }
diff --git a/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfconfig-v2.sentinel b/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfconfig-v2.sentinel
new file mode 100644
index 00000000..3cc43378
--- /dev/null
+++ b/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfconfig-v2.sentinel
@@ -0,0 +1,144 @@ +import "strings" + +providers = { + "aws": { + "alias": "", + "config": { + "region": { + "constant_value": "us-west-2", + }, + }, + "full_name": "registry.terraform.io/hashicorp/aws", + "module_address": "", + "name": "aws", + "provider_config_key": "aws", + "version_constraint": "", + }, +} + +resources = { + "aws_s3_bucket.bucket": { + "address": "aws_s3_bucket.bucket", + "config": { + "bucket": { + "constant_value": "my-new-bucket-1234567890", + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "bucket", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_s3_bucket", + }, + "aws_s3_bucket_policy.bucket_policy": { + "address": "aws_s3_bucket_policy.bucket_policy", + "config": { + "bucket": { + "references": [ + "aws_s3_bucket.bucket.id", + "aws_s3_bucket.bucket", + ], + }, + "policy": { + "references": [ + "data.aws_iam_policy_document.bucket_policy_document.json", + "data.aws_iam_policy_document.bucket_policy_document", + ], + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "bucket_policy", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_s3_bucket_policy", + }, + "data.aws_iam_policy_document.bucket_policy_document": { + "address": "data.aws_iam_policy_document.bucket_policy_document", + "config": { + "statement": [ + { + "actions": { + "constant_value": [ + "s3:*", + ], + }, + "condition": [ + { + "test": { + "constant_value": "Bool", + }, + "values": { + "constant_value": [ + "false", + ], + }, + "variable": { + "constant_value": "aws:SecureTransport", + }, + }, + ], + "effect": { + "constant_value": "Deny", + }, + "principals": [ + { + "identifiers": { + "constant_value": [ + "*", + ], + }, + "type": { + "constant_value": "*", + }, + }, + ], + "resources": { + "references": [ + "aws_s3_bucket.bucket.arn", + "aws_s3_bucket.bucket", + "aws_s3_bucket.bucket.arn", + 
"aws_s3_bucket.bucket", + ], + }, + "sid": { + "constant_value": "AllowTLSonly", + }, + }, + ], + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "data", + "module_address": "", + "name": "bucket_policy_document", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_iam_policy_document", + }, +} + +provisioners = {} + +variables = {} + +outputs = {} + +module_calls = {} + +strip_index = func(addr) { + s = strings.split(addr, ".") + for s as i, v { + s[i] = strings.split(v, "[")[0] + } + + return strings.join(s, ".") +} diff --git a/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfstate-v2.sentinel b/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfstate-v2.sentinel new file mode 100644 index 00000000..028a4531 --- /dev/null +++ b/policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfstate-v2.sentinel @@ -0,0 +1,5 @@ +terraform_version = undefined + +outputs = {} + +resources = {} diff --git a/policies/s3/test/s3-require-ssl/success-s3-traffic-deny-enabled-with-datasource-in-config.hcl b/policies/s3/test/s3-require-ssl/success-s3-traffic-deny-enabled-with-datasource-in-config.hcl new file mode 100644 index 00000000..1dab1573 --- /dev/null +++ b/policies/s3/test/s3-require-ssl/success-s3-traffic-deny-enabled-with-datasource-in-config.hcl 
@@ -0,0 +1,31 @@
+mock "tfconfig/v2" {
+ module {
+ source = "./mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfconfig-v2.sentinel"
+ }
+}
+
+
+mock "tfstate/v2" {
+ module {
+ source = "./mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/mock-tfstate-v2.sentinel"
+ }
+}
+
+
+mock "tfresources" {
+ module {
+ source = "../../../../modules/tfresources/tfresources.sentinel"
+ }
+}
+
+mock "report" {
+ module {
+ source = "../../../../modules/mocks/report/report.sentinel"
+ }
+}
+
+test {
+ rules = {
+ main = true
+ }
+}
\ No newline at end of file
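Review bot: This new test file lacks the `# Copyright (c) HashiCorp, Inc.` / `# SPDX-License-Identifier: BUSL-1.1` header that every other `.hcl` test and every hand-written tfconfig mock in this commit carries (compare `success-s3-bucket-acl-complaint.hcl`), and it ends without a trailing newline (`\ No newline at end of file`). The same header is missing from the two new mocks under `policies/s3/test/s3-require-ssl/mocks/policy-success-s3-traffic-deny-enabled-with-datasource-in-config/`. The double blank lines between the `tfconfig/v2`, `tfstate/v2` and `tfresources` mock blocks are exactly the layout this commit removes from `success-s3-bucket-public-access-block-complaint.hcl`, so the new file should use the single-blank-line form for consistency.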