From eb3cb97115dc1b91fdbed61a6f2ee2fadeec05db Mon Sep 17 00:00:00 2001 From: Sergio Garcia <38561120+sergargar@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:07:53 +0200 Subject: [PATCH] feat(vpc): add vpc, nacl or subnet names in findings (#2928) --- .../ec2_networkacl_allow_ingress_any_port.py | 6 +- ...c2_networkacl_allow_ingress_tcp_port_22.py | 4 +- ..._networkacl_allow_ingress_tcp_port_3389.py | 4 +- .../providers/aws/services/ec2/ec2_service.py | 6 ++ .../networkfirewall_in_all_vpc.py | 8 +- .../vpc_flow_logs_enabled.py | 8 +- .../providers/aws/services/vpc/vpc_service.py | 12 +++ .../vpc_subnet_different_az.py | 10 +-- .../vpc_subnet_no_public_ip_by_default.py | 8 +- .../vpc_subnet_separate_private_public.py | 16 ++-- .../networkfirewall_in_all_vpc_test.py | 76 +++++++++++++++++++ .../vpc_flow_logs_enabled_test.py | 15 +++- .../vpc_subnet_different_az_test.py | 17 ++++- ...vpc_subnet_no_public_ip_by_default_test.py | 10 ++- ...vpc_subnet_separate_private_public_test.py | 17 ++++- 15 files changed, 170 insertions(+), 47 deletions(-) diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py index 66b8bbfa..4df7961b 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_any_port/ec2_networkacl_allow_ingress_any_port.py @@ -15,13 +15,11 @@ class ec2_networkacl_allow_ingress_any_port(Check): report.resource_arn = network_acl.arn report.resource_tags = network_acl.tags report.status = "PASS" - report.status_extended = f"Network ACL {network_acl.id} does not have every port open to the Internet." + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have every port open to the Internet." # If some entry allows it, that ACL is not securely configured if check_network_acl(network_acl.entries, tcp_protocol, check_port): report.status = "FAIL" - report.status_extended = ( - f"Network ACL {network_acl.id} has every port open to the Internet." - ) + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has every port open to the Internet." findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py index 239c0a95..883c348e 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_22/ec2_networkacl_allow_ingress_tcp_port_22.py @@ -14,12 +14,12 @@ class ec2_networkacl_allow_ingress_tcp_port_22(Check): report.resource_arn = network_acl.arn report.resource_tags = network_acl.tags report.status = "PASS" - report.status_extended = f"Network ACL {network_acl.id} does not have SSH port 22 open to the Internet." + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have SSH port 22 open to the Internet." report.resource_id = network_acl.id # If some entry allows it, that ACL is not securely configured if check_network_acl(network_acl.entries, tcp_protocol, check_port): report.status = "FAIL" - report.status_extended = f"Network ACL {network_acl.id} has SSH port 22 open to the Internet." + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has SSH port 22 open to the Internet." findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py index 28422014..9ea10684 100644 --- a/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py +++ b/prowler/providers/aws/services/ec2/ec2_networkacl_allow_ingress_tcp_port_3389/ec2_networkacl_allow_ingress_tcp_port_3389.py @@ -14,12 +14,12 @@ class ec2_networkacl_allow_ingress_tcp_port_3389(Check): report.resource_arn = network_acl.arn report.resource_tags = network_acl.tags report.status = "PASS" - report.status_extended = f"Network ACL {network_acl.id} does not have Microsoft RDP port 3389 open to the Internet." + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} does not have Microsoft RDP port 3389 open to the Internet." report.resource_id = network_acl.id # If some entry allows it, that ACL is not securely configured if check_network_acl(network_acl.entries, tcp_protocol, check_port): report.status = "FAIL" - report.status_extended = f"Network ACL {network_acl.id} has Microsoft RDP port 3389 open to the Internet." + report.status_extended = f"Network ACL {network_acl.name if network_acl.name else network_acl.id} has Microsoft RDP port 3389 open to the Internet." findings.append(report) return findings diff --git a/prowler/providers/aws/services/ec2/ec2_service.py b/prowler/providers/aws/services/ec2/ec2_service.py index 70e10f18..9805b783 100644 --- a/prowler/providers/aws/services/ec2/ec2_service.py +++ b/prowler/providers/aws/services/ec2/ec2_service.py @@ -157,10 +157,15 @@ class EC2(AWSService): if not self.audit_resources or ( is_resource_filtered(arn, self.audit_resources) ): + nacl_name = "" + for tag in nacl.get("Tags", []): + if tag["Key"] == "Name": + nacl_name = tag["Value"] self.network_acls.append( NetworkACL( id=nacl["NetworkAclId"], arn=arn, + name=nacl_name, region=regional_client.region, entries=nacl["Entries"], tags=nacl.get("Tags"), @@ -458,6 +463,7 @@ class SecurityGroup(BaseModel): class NetworkACL(BaseModel): id: str arn: str + name: str region: str entries: list[dict] tags: Optional[list] = [] diff --git a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py index c9b4624b..20b0f507 100644 --- a/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py +++ b/prowler/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc.py @@ -15,15 +15,11 @@ class networkfirewall_in_all_vpc(Check): report.resource_arn = vpc.arn report.resource_tags = vpc.tags report.status = "FAIL" - report.status_extended = ( - f"VPC {vpc.id} does not have Network Firewall enabled." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} does not have Network Firewall enabled." for firewall in networkfirewall_client.network_firewalls: if firewall.vpc_id == vpc.id: report.status = "PASS" - report.status_extended = ( - f"VPC {vpc.id} has Network Firewall enabled." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has Network Firewall enabled." break findings.append(report) diff --git a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py index 32a9282a..afdf74ec 100644 --- a/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py +++ b/prowler/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled.py @@ -12,10 +12,14 @@ class vpc_flow_logs_enabled(Check): report.resource_id = vpc.id report.resource_arn = vpc.arn report.status = "FAIL" - report.status_extended = f"VPC {vpc.id} Flow logs are disabled." + report.status_extended = ( + f"VPC {vpc.name if vpc.name else vpc.id} Flow logs are disabled." + ) if vpc.flow_log: report.status = "PASS" - report.status_extended = f"VPC {vpc.id} Flow logs are enabled." + report.status_extended = ( + f"VPC {vpc.name if vpc.name else vpc.id} Flow logs are enabled." + ) findings.append(report) diff --git a/prowler/providers/aws/services/vpc/vpc_service.py b/prowler/providers/aws/services/vpc/vpc_service.py index 0d7a81b8..9b601b61 100644 --- a/prowler/providers/aws/services/vpc/vpc_service.py +++ b/prowler/providers/aws/services/vpc/vpc_service.py @@ -38,9 +38,14 @@ class VPC(AWSService): if not self.audit_resources or ( is_resource_filtered(arn, self.audit_resources) ): + vpc_name = "" + for tag in vpc.get("Tags", []): + if tag["Key"] == "Name": + vpc_name = tag["Value"] self.vpcs[vpc["VpcId"]] = VPCs( arn=arn, id=vpc["VpcId"], + name=vpc_name, default=vpc["IsDefault"], cidr_block=vpc["CidrBlock"], region=regional_client.region, @@ -278,10 +283,15 @@ class VPC(AWSService): public = True if "NatGatewayId" in route: nat_gateway = True + subnet_name = "" + for tag in subnet.get("Tags", []): + if tag["Key"] == "Name": + subnet_name = tag["Value"] # Add it to to list of vpc_subnets and to the VPC object object = VpcSubnet( arn=subnet["SubnetArn"], id=subnet["SubnetId"], + name=subnet_name, default=subnet["DefaultForAz"], vpc_id=subnet["VpcId"], cidr_block=subnet.get("CidrBlock"), @@ -310,6 +320,7 @@ class VPC(AWSService): class VpcSubnet(BaseModel): arn: str id: str + name: str default: bool vpc_id: str cidr_block: Optional[str] @@ -324,6 +335,7 @@ class VpcSubnet(BaseModel): class VPCs(BaseModel): arn: str id: str + name: str default: bool cidr_block: str flow_log: bool = False diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py index d0f58a57..b4c928c5 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az.py @@ -10,7 +10,9 @@ class vpc_subnet_different_az(Check): report.region = vpc.region report.resource_tags = vpc.tags report.status = "FAIL" - report.status_extended = f"VPC {vpc.id} has no subnets." + report.status_extended = ( + f"VPC {vpc.name if vpc.name else vpc.id} has no subnets." + ) report.resource_id = vpc.id report.resource_arn = vpc.arn if vpc.subnets: @@ -21,12 +23,10 @@ class vpc_subnet_different_az(Check): and subnet.availability_zone != availability_zone ): report.status = "PASS" - report.status_extended = f"VPC {vpc.id} has subnets in more than one availability zone." + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has subnets in more than one availability zone." break availability_zone = subnet.availability_zone - report.status_extended = ( - f"VPC {vpc.id} has only subnets in {availability_zone}." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only subnets in {availability_zone}." findings.append(report) diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py index 425cf0b7..c985ac78 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default.py @@ -14,14 +14,10 @@ class vpc_subnet_no_public_ip_by_default(Check): report.resource_arn = subnet.arn if subnet.mapPublicIpOnLaunch: report.status = "FAIL" - report.status_extended = ( - f"VPC subnet {subnet.id} assigns public IP by default." - ) + report.status_extended = f"VPC subnet {subnet.name if subnet.name else subnet.id} assigns public IP by default." else: report.status = "PASS" - report.status_extended = ( - f"VPC subnet {subnet.id} does NOT assign public IP by default." - ) + report.status_extended = f"VPC subnet {subnet.name if subnet.name else subnet.id} does NOT assign public IP by default." findings.append(report) return findings diff --git a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py index 2b465574..8c9b77a0 100644 --- a/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py +++ b/prowler/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public.py @@ -10,7 +10,9 @@ class vpc_subnet_separate_private_public(Check): report.region = vpc.region report.resource_tags = vpc.tags report.status = "FAIL" - report.status_extended = f"VPC {vpc.id} has no subnets." + report.status_extended = ( + f"VPC {vpc.name if vpc.name else vpc.id} has no subnets." + ) report.resource_id = vpc.id report.resource_arn = vpc.arn if vpc.subnets: @@ -19,19 +21,13 @@ class vpc_subnet_separate_private_public(Check): for subnet in vpc.subnets: if subnet.public: public = True - report.status_extended = ( - f"VPC {vpc.id} has only public subnets." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only public subnets." if not subnet.public: private = True - report.status_extended = ( - f"VPC {vpc.id} has only private subnets." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has only private subnets." if public and private: report.status = "PASS" - report.status_extended = ( - f"VPC {vpc.id} has private and public subnets." - ) + report.status_extended = f"VPC {vpc.name if vpc.name else vpc.id} has private and public subnets." findings.append(report) return findings diff --git a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py index b13edc0b..9e4e62ce 100644 --- a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py +++ b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py @@ -102,6 +102,7 @@ class Test_networkfirewall_in_all_vpc: vpc_client.vpcs = { VPC_ID_PROTECTED: VPCs( id=VPC_ID_PROTECTED, + name="", default=False, cidr_block="192.168.0.0/16", flow_log=False, @@ -111,6 +112,7 @@ class Test_networkfirewall_in_all_vpc: VpcSubnet( id="subnet-123456789", arn="arn_test", + name="", default=False, vpc_id=VPC_ID_PROTECTED, cidr_block="192.168.0.0/24", @@ -168,6 +170,7 @@ class Test_networkfirewall_in_all_vpc: vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, + name="", default=False, cidr_block="192.168.0.0/16", flow_log=False, @@ -177,6 +180,7 @@ class Test_networkfirewall_in_all_vpc: VpcSubnet( id="subnet-123456789", arn="arn_test", + name="", default=False, vpc_id=VPC_ID_UNPROTECTED, cidr_block="192.168.0.0/24", @@ -225,6 +229,74 @@ class Test_networkfirewall_in_all_vpc: assert result[0].resource_tags == [] assert result[0].resource_arn == "arn_test" + def test_vpcs_with_name_without_firewall(self): + networkfirewall_client = mock.MagicMock + networkfirewall_client.region = AWS_REGION + networkfirewall_client.network_firewalls = [] + vpc_client = mock.MagicMock + vpc_client.region = AWS_REGION + vpc_client.vpcs = { + VPC_ID_UNPROTECTED: VPCs( + id=VPC_ID_UNPROTECTED, + name="vpc_name", + default=False, + cidr_block="192.168.0.0/16", + flow_log=False, + region=AWS_REGION, + arn="arn_test", + subnets=[ + VpcSubnet( + id="subnet-123456789", + arn="arn_test", + name="", + default=False, + vpc_id=VPC_ID_UNPROTECTED, + cidr_block="192.168.0.0/24", + availability_zone="us-east-1a", + public=False, + nat_gateway=False, + region=AWS_REGION, + tags=[], + mapPublicIpOnLaunch=False, + ) + ], + tags=[], + ) + } + + audit_info = self.set_mocked_audit_info() + + with mock.patch( + "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info", + new=audit_info, + ): + with mock.patch( + "prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc.vpc_client", + new=vpc_client, + ): + with mock.patch( + "prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc.networkfirewall_client", + new=networkfirewall_client, + ): + # Test Check + from prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc import ( + networkfirewall_in_all_vpc, + ) + + check = networkfirewall_in_all_vpc() + result = check.execute() + + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "VPC vpc_name does not have Network Firewall enabled." + ) + assert result[0].region == AWS_REGION + assert result[0].resource_id == VPC_ID_UNPROTECTED + assert result[0].resource_tags == [] + assert result[0].resource_arn == "arn_test" + def test_vpcs_with_and_without_firewall(self): networkfirewall_client = mock.MagicMock networkfirewall_client.region = AWS_REGION @@ -244,6 +316,7 @@ class Test_networkfirewall_in_all_vpc: vpc_client.vpcs = { VPC_ID_UNPROTECTED: VPCs( id=VPC_ID_UNPROTECTED, + name="", default=False, cidr_block="192.168.0.0/16", flow_log=False, @@ -253,6 +326,7 @@ class Test_networkfirewall_in_all_vpc: VpcSubnet( id="subnet-123456789", arn="arn_test", + name="", default=False, vpc_id=VPC_ID_UNPROTECTED, cidr_block="192.168.0.0/24", @@ -268,6 +342,7 @@ class Test_networkfirewall_in_all_vpc: ), VPC_ID_PROTECTED: VPCs( id=VPC_ID_PROTECTED, + name="", default=False, cidr_block="192.168.0.0/16", flow_log=False, @@ -277,6 +352,7 @@ class Test_networkfirewall_in_all_vpc: VpcSubnet( id="subnet-123456789", arn="arn_test", + name="", default=False, vpc_id=VPC_ID_PROTECTED, cidr_block="192.168.0.0/24", diff --git a/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py b/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py index 5f61e34f..8663300c 100644 --- a/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py +++ b/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py @@ -71,7 +71,17 @@ class Test_vpc_flow_logs_enabled: # Create VPC Mocked Resources ec2_client = client("ec2", region_name=AWS_REGION) - vpc = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"] + vpc = ec2_client.create_vpc( + CidrBlock="10.0.0.0/16", + TagSpecifications=[ + { + "ResourceType": "vpc", + "Tags": [ + {"Key": "Name", "Value": "vpc_name"}, + ], + }, + ], + )["Vpc"] ec2_client.create_flow_logs( ResourceType="VPC", @@ -106,8 +116,7 @@ class Test_vpc_flow_logs_enabled: if result.resource_id == vpc["VpcId"]: assert result.status == "PASS" assert ( - result.status_extended - == f"VPC {vpc['VpcId']} Flow logs are enabled." + result.status_extended == "VPC vpc_name Flow logs are enabled." ) assert result.resource_id == vpc["VpcId"] diff --git a/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py b/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py index 99b38877..6ff54eb3 100644 --- a/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py +++ b/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py @@ -46,7 +46,16 @@ class Test_vpc_subnet_different_az: def test_vpc_subnet_different_az(self): ec2_client = client("ec2", region_name=AWS_REGION) vpc = ec2_client.create_vpc( - CidrBlock="172.28.7.0/24", InstanceTenancy="default" + CidrBlock="172.28.7.0/24", + InstanceTenancy="default", + TagSpecifications=[ + { + "ResourceType": "vpc", + "Tags": [ + {"Key": "Name", "Value": "vpc_name"}, + ], + }, + ], ) # VPC AZ 1 ec2_client.create_subnet( @@ -88,10 +97,12 @@ class Test_vpc_subnet_different_az: assert result.status == "PASS" assert ( result.status_extended - == f"VPC {vpc['Vpc']['VpcId']} has subnets in more than one availability zone." + == "VPC vpc_name has subnets in more than one availability zone." ) assert result.resource_id == vpc["Vpc"]["VpcId"] - assert result.resource_tags == [] + assert result.resource_tags == [ + {"Key": "Name", "Value": "vpc_name"} + ] assert result.region == AWS_REGION if not found: assert False diff --git a/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py b/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py index 217174d2..f0475ab2 100644 --- a/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py +++ b/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py @@ -52,6 +52,14 @@ class Test_vpc_subnet_no_public_ip_by_default: VpcId=vpc["Vpc"]["VpcId"], CidrBlock="172.28.7.192/26", AvailabilityZone=f"{AWS_REGION}a", + TagSpecifications=[ + { + "ResourceType": "subnet", + "Tags": [ + {"Key": "Name", "Value": "subnet_name"}, + ], + }, + ], ) ec2_client.modify_subnet_attribute( @@ -83,7 +91,7 @@ class Test_vpc_subnet_no_public_ip_by_default: assert result.status == "FAIL" assert ( result.status_extended - == f"VPC subnet {subnet_private['Subnet']['SubnetId']} assigns public IP by default." + == "VPC subnet subnet_name assigns public IP by default." ) @mock_ec2 diff --git a/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py b/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py index 626d883e..7732c9da 100644 --- a/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py +++ b/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py @@ -46,7 +46,16 @@ class Test_vpc_subnet_separate_private_public: def test_vpc_subnet_only_private(self): ec2_client = client("ec2", region_name=AWS_REGION) vpc = ec2_client.create_vpc( - CidrBlock="172.28.7.0/24", InstanceTenancy="default" + CidrBlock="172.28.7.0/24", + InstanceTenancy="default", + TagSpecifications=[ + { + "ResourceType": "vpc", + "Tags": [ + {"Key": "Name", "Value": "vpc_name"}, + ], + }, + ], ) # VPC Private subnet_private = ec2_client.create_subnet( @@ -92,10 +101,12 @@ class Test_vpc_subnet_separate_private_public: assert result.status == "FAIL" assert ( result.status_extended - == f"VPC {vpc['Vpc']['VpcId']} has only private subnets." + == "VPC vpc_name has only private subnets." ) assert result.resource_id == vpc["Vpc"]["VpcId"] - assert result.resource_tags == [] + assert result.resource_tags == [ + {"Key": "Name", "Value": "vpc_name"} + ] assert result.region == AWS_REGION if not found: assert False