From b7bb4bbd57526c9c93bfbaa6fc673e46559a7497 Mon Sep 17 00:00:00 2001
From: Pepe Fagoaga
Date: Tue, 6 Jun 2023 16:56:59 +0200
Subject: [PATCH] fix(aws): Add missing resources ARN (#2453)
---
 .../codebuild_project_older_90_days.py | 2 +-
 ...build_project_user_controlled_buildspec.py | 2 +-
 .../services/codebuild/codebuild_service.py | 10 ++--
 .../codebuild_project_older_90_days_test.py | 41 +++++++++++-----
 ..._project_user_controlled_buildspec_test.py | 49 ++++++++++++-------
 5 files changed, 69 insertions(+), 35 deletions(-)
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
index 68744533..f4762d98 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days.py
@@ -11,7 +11,7 @@ class codebuild_project_older_90_days(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = project.region
 report.resource_id = project.name
- report.resource_arn = ""
+ report.resource_arn = project.arn
 report.status = "PASS"
 report.status_extended = (
 f"CodeBuild project {project.name} has been invoked in the last 90 days"
diff --git a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
index 73928192..4dd97a35 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec.py
@@ -11,7 +11,7 @@ class codebuild_project_user_controlled_buildspec(Check):
 report = Check_Report_AWS(self.metadata())
 report.region = project.region
 report.resource_id = project.name
- report.resource_arn = ""
+ report.resource_arn = project.arn
 report.status = "PASS"
 report.status_extended = f"CodeBuild project {project.name} does not use an user controlled buildspec"
 if project.buildspec:
diff --git a/prowler/providers/aws/services/codebuild/codebuild_service.py b/prowler/providers/aws/services/codebuild/codebuild_service.py
index e885fe29..6592401f 100644
--- a/prowler/providers/aws/services/codebuild/codebuild_service.py
+++ b/prowler/providers/aws/services/codebuild/codebuild_service.py
@@ -14,6 +14,7 @@ class Codebuild:
 self.service = "codebuild"
 self.session = audit_info.audit_session
 self.audited_account = audit_info.audited_account
+ self.audited_partition = audit_info.audited_partition
 self.audit_resources = audit_info.audit_resources
 self.regional_clients = generate_regional_clients(self.service, audit_info)
 self.projects = []
@@ -38,12 +39,14 @@ class Codebuild:
 list_projects_paginator = regional_client.get_paginator("list_projects")
 for page in list_projects_paginator.paginate():
 for project in page["projects"]:
+ project_arn = f"arn:{self.audited_partition}:codebuild:{regional_client.region}:{self.audited_account}:project/{project}"
 if not self.audit_resources or (
- is_resource_filtered(project, self.audit_resources)
+ is_resource_filtered(project_arn, self.audit_resources)
 ):
 self.projects.append(
- CodebuildProject(
+ Project(
 name=project,
+ arn=project_arn,
 region=regional_client.region,
 last_invoked_time=None,
 buildspec=None,
@@ -84,8 +87,9 @@ class Codebuild:
 @dataclass
-class CodebuildProject:
+class Project:
 name: str
+ arn: str
 region: str
 last_invoked_time: Optional[datetime.datetime]
 buildspec: Optional[str]
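Review bot: `is_resource_filtered(project_arn, self.audit_resources)` changes what the resource filter is matched against, from the bare project name to the synthesized ARN, so a caller that still supplies project names in `audit_resources` will now have every project silently filtered out; if that is intended it deserves a sentence in the commit description, since nothing in the hunk or the tests covers the filtered path. The ARN is assembled from `audited_partition`, `regional_client.region`, `audited_account` and the listed name, which is the documented `arn:<partition>:codebuild:<region>:<account>:project/<name>` shape, but it is a value the code computes rather than one the API returned, and findings that downstream consumers correlate by ARN will inherit any mismatch. If the service later calls `batch_get_projects` to fill `last_invoked_time` and `buildspec` (both set to `None` here), that response carries each project's own `arn` and could replace or cross-check the synthesized one. A comment above the f-string would make the trade-off explicit: `# list_projects returns names only; the ARN is composed locally from partition/region/account`. The enclosing method starts and ends outside the hunk.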
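Review bot: The renamed `Project` dataclass gains an `arn` field with no documentation of where the value comes from, and a reader of this class alone cannot tell that it is composed locally rather than read from the API. A one-line docstring under `class Project:` such as `"""A CodeBuild project from list_projects; arn is composed from partition, region, account and name."""` would settle that. The rename from `CodebuildProject` also breaks any importer outside the files touched by this patch, which is worth a line in the description if the class is referenced elsewhere.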
diff --git a/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py b/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py
index 065ebb03..d5f5f114 100644
--- a/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py
+++ b/tests/providers/aws/services/codebuild/codebuild_project_older_90_days/codebuild_project_older_90_days_test.py
@@ -2,15 +2,21 @@ from datetime import datetime, timedelta, timezone
 from re import search
 from unittest import mock
-from prowler.providers.aws.services.codebuild.codebuild_service import CodebuildProject
+from prowler.providers.aws.services.codebuild.codebuild_service import Project
+
+AWS_REGION = "eu-west-1"
+AWS_ACCOUNT_NUMBER = "123456789012"
 class Test_codebuild_project_older_90_days:
 def test_project_not_built_in_last_90_days(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=datetime.now(timezone.utc) - timedelta(days=100),
 buildspec=None,
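Review bot: The new `AWS_REGION` constant is used to build `project_arn`, but the `Project(...)` literal a few lines below still passes `region="eu-west-1"`, so the region embedded in the ARN and the region on the object agree only by coincidence; `region=AWS_REGION,` keeps them in lockstep and is what the constant was introduced for. The same applies to every other `Project(...)` construction in this file's later hunks and in all hunks of `codebuild_project_user_controlled_buildspec_test.py`. Unrelated to this change but visible in the context, `codebuild_client = mock.MagicMock` binds the class rather than an instance, so `codebuild_client.projects = [...]` sets a class attribute shared by every MagicMock created afterwards in the session; `mock.MagicMock()` would scope it to the test.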
@@ -32,14 +38,20 @@ class Test_codebuild_project_older_90_days:
 assert search(
 "has not been invoked in the last 90 days", result[0].status_extended
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
 def test_project_not_built(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test", region="eu-west-1", last_invoked_time=None, buildspec=None
+ Project(
+ name=project_name,
+ arn=project_arn,
+ region="eu-west-1",
+ last_invoked_time=None,
+ buildspec=None,
 )
 ]
 with mock.patch(
@@ -56,14 +68,17 @@ class Test_codebuild_project_older_90_days:
 assert len(result) == 1
 assert result[0].status == "FAIL"
 assert search("has never been built", result[0].status_extended)
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
 def test_project_built_in_last_90_days(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=datetime.now(timezone.utc) - timedelta(days=10),
 buildspec=None,
@@ -85,5 +100,5 @@ class Test_codebuild_project_older_90_days:
 assert search(
 "has been invoked in the last 90 days", result[0].status_extended
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
diff --git a/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py b/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py
index f6c645c6..5a809e87 100644
--- a/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py
+++ b/tests/providers/aws/services/codebuild/codebuild_project_user_controlled_buildspec/codebuild_project_user_controlled_buildspec_test.py
@@ -1,15 +1,21 @@
 from re import search
 from unittest import mock
-from prowler.providers.aws.services.codebuild.codebuild_service import CodebuildProject
+from prowler.providers.aws.services.codebuild.codebuild_service import Project
+
+AWS_REGION = "eu-west-1"
+AWS_ACCOUNT_NUMBER = "123456789012"
 class Test_codebuild_project_user_controlled_buildspec:
 def test_project_not_buildspec(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=None,
 buildspec=None,
@@ -32,14 +38,17 @@ class Test_codebuild_project_user_controlled_buildspec:
 "does not use an user controlled buildspec",
 result[0].status_extended,
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
 def test_project_buildspec_not_yaml(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=None,
 buildspec="arn:aws:s3:::my-codebuild-sample2/buildspec.out",
@@ -62,14 +71,17 @@ class Test_codebuild_project_user_controlled_buildspec:
 "does not use an user controlled buildspec",
 result[0].status_extended,
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
 def test_project_valid_buildspec(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=None,
 buildspec="arn:aws:s3:::my-codebuild-sample2/buildspec.yaml",
@@ -91,14 +103,17 @@ class Test_codebuild_project_user_controlled_buildspec:
 assert search(
 "uses an user controlled buildspec", result[0].status_extended
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn
 def test_project_invalid_buildspec_without_extension(self):
 codebuild_client = mock.MagicMock
+ project_name = "test-project"
+ project_arn = f"arn:aws:codebuild:{AWS_REGION}:{AWS_ACCOUNT_NUMBER}:project/{project_name}"
 codebuild_client.projects = [
- CodebuildProject(
- name="test",
+ Project(
+ name=project_name,
+ arn=project_arn,
 region="eu-west-1",
 last_invoked_time=None,
 buildspec="arn:aws:s3:::my-codebuild-sample2/buildspecyaml",
@@ -121,5 +136,5 @@ class Test_codebuild_project_user_controlled_buildspec:
 "does not use an user controlled buildspec",
 result[0].status_extended,
 )
- assert result[0].resource_id == "test"
- assert result[0].resource_arn == ""
+ assert result[0].resource_id == project_name
+ assert result[0].resource_arn == project_arn