feat(vpc): add vpc, nacl or subnet names in findings (#2928)

2026-02-10 23:05:05 +00:00 · 2023-10-18 16:07:53 +02:00
parent 236f57ab0e
commit eb3cb97115
15 changed files with 170 additions and 47 deletions
--- a/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py
+++ b/tests/providers/aws/services/networkfirewall/networkfirewall_in_all_vpc/networkfirewall_in_all_vpc_test.py
@@ -102,6 +102,7 @@ class Test_networkfirewall_in_all_vpc:
        vpc_client.vpcs = {
            VPC_ID_PROTECTED: VPCs(
                id=VPC_ID_PROTECTED,
+                name="",
                default=False,
                cidr_block="192.168.0.0/16",
                flow_log=False,
@@ -111,6 +112,7 @@ class Test_networkfirewall_in_all_vpc:
                    VpcSubnet(
                        id="subnet-123456789",
                        arn="arn_test",
+                        name="",
                        default=False,
                        vpc_id=VPC_ID_PROTECTED,
                        cidr_block="192.168.0.0/24",
@@ -168,6 +170,7 @@ class Test_networkfirewall_in_all_vpc:
        vpc_client.vpcs = {
            VPC_ID_UNPROTECTED: VPCs(
                id=VPC_ID_UNPROTECTED,
+                name="",
                default=False,
                cidr_block="192.168.0.0/16",
                flow_log=False,
@@ -177,6 +180,7 @@ class Test_networkfirewall_in_all_vpc:
                    VpcSubnet(
                        id="subnet-123456789",
                        arn="arn_test",
+                        name="",
                        default=False,
                        vpc_id=VPC_ID_UNPROTECTED,
                        cidr_block="192.168.0.0/24",
@@ -225,6 +229,74 @@ class Test_networkfirewall_in_all_vpc:
                    assert result[0].resource_tags == []
                    assert result[0].resource_arn == "arn_test"

+    def test_vpcs_with_name_without_firewall(self):
+        networkfirewall_client = mock.MagicMock
+        networkfirewall_client.region = AWS_REGION
+        networkfirewall_client.network_firewalls = []
+        vpc_client = mock.MagicMock
+        vpc_client.region = AWS_REGION
+        vpc_client.vpcs = {
+            VPC_ID_UNPROTECTED: VPCs(
+                id=VPC_ID_UNPROTECTED,
+                name="vpc_name",
+                default=False,
+                cidr_block="192.168.0.0/16",
+                flow_log=False,
+                region=AWS_REGION,
+                arn="arn_test",
+                subnets=[
+                    VpcSubnet(
+                        id="subnet-123456789",
+                        arn="arn_test",
+                        name="",
+                        default=False,
+                        vpc_id=VPC_ID_UNPROTECTED,
+                        cidr_block="192.168.0.0/24",
+                        availability_zone="us-east-1a",
+                        public=False,
+                        nat_gateway=False,
+                        region=AWS_REGION,
+                        tags=[],
+                        mapPublicIpOnLaunch=False,
+                    )
+                ],
+                tags=[],
+            )
+        }
+
+        audit_info = self.set_mocked_audit_info()
+
+        with mock.patch(
+            "prowler.providers.aws.lib.audit_info.audit_info.current_audit_info",
+            new=audit_info,
+        ):
+            with mock.patch(
+                "prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc.vpc_client",
+                new=vpc_client,
+            ):
+                with mock.patch(
+                    "prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc.networkfirewall_client",
+                    new=networkfirewall_client,
+                ):
+                    # Test Check
+                    from prowler.providers.aws.services.networkfirewall.networkfirewall_in_all_vpc.networkfirewall_in_all_vpc import (
+                        networkfirewall_in_all_vpc,
+                    )
+
+                    check = networkfirewall_in_all_vpc()
+                    result = check.execute()
+
+                    assert len(result) == 1
+                    assert result[0].status == "FAIL"
+                    assert (
+                        result[0].status_extended
+                        == "VPC vpc_name does not have Network Firewall enabled."
+                    )
+                    assert result[0].region == AWS_REGION
+                    assert result[0].resource_id == VPC_ID_UNPROTECTED
+                    assert result[0].resource_tags == []
+                    assert result[0].resource_arn == "arn_test"
+
    def test_vpcs_with_and_without_firewall(self):
        networkfirewall_client = mock.MagicMock
        networkfirewall_client.region = AWS_REGION
@@ -244,6 +316,7 @@ class Test_networkfirewall_in_all_vpc:
        vpc_client.vpcs = {
            VPC_ID_UNPROTECTED: VPCs(
                id=VPC_ID_UNPROTECTED,
+                name="",
                default=False,
                cidr_block="192.168.0.0/16",
                flow_log=False,
@@ -253,6 +326,7 @@ class Test_networkfirewall_in_all_vpc:
                    VpcSubnet(
                        id="subnet-123456789",
                        arn="arn_test",
+                        name="",
                        default=False,
                        vpc_id=VPC_ID_UNPROTECTED,
                        cidr_block="192.168.0.0/24",
@@ -268,6 +342,7 @@ class Test_networkfirewall_in_all_vpc:
            ),
            VPC_ID_PROTECTED: VPCs(
                id=VPC_ID_PROTECTED,
+                name="",
                default=False,
                cidr_block="192.168.0.0/16",
                flow_log=False,
@@ -277,6 +352,7 @@ class Test_networkfirewall_in_all_vpc:
                    VpcSubnet(
                        id="subnet-123456789",
                        arn="arn_test",
+                        name="",
                        default=False,
                        vpc_id=VPC_ID_PROTECTED,
                        cidr_block="192.168.0.0/24",
--- a/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py
+++ b/tests/providers/aws/services/vpc/vpc_flow_logs_enabled/vpc_flow_logs_enabled_test.py
@@ -71,7 +71,17 @@ class Test_vpc_flow_logs_enabled:
        # Create VPC Mocked Resources
        ec2_client = client("ec2", region_name=AWS_REGION)

-        vpc = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]
+        vpc = ec2_client.create_vpc(
+            CidrBlock="10.0.0.0/16",
+            TagSpecifications=[
+                {
+                    "ResourceType": "vpc",
+                    "Tags": [
+                        {"Key": "Name", "Value": "vpc_name"},
+                    ],
+                },
+            ],
+        )["Vpc"]

        ec2_client.create_flow_logs(
            ResourceType="VPC",
@@ -106,8 +116,7 @@ class Test_vpc_flow_logs_enabled:
                if result.resource_id == vpc["VpcId"]:
                    assert result.status == "PASS"
                    assert (
-                        result.status_extended
-                        == f"VPC {vpc['VpcId']} Flow logs are enabled."
+                        result.status_extended == "VPC vpc_name Flow logs are enabled."
                    )
                    assert result.resource_id == vpc["VpcId"]

--- a/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py
+++ b/tests/providers/aws/services/vpc/vpc_subnet_different_az/vpc_subnet_different_az_test.py
@@ -46,7 +46,16 @@ class Test_vpc_subnet_different_az:
    def test_vpc_subnet_different_az(self):
        ec2_client = client("ec2", region_name=AWS_REGION)
        vpc = ec2_client.create_vpc(
-            CidrBlock="172.28.7.0/24", InstanceTenancy="default"
+            CidrBlock="172.28.7.0/24",
+            InstanceTenancy="default",
+            TagSpecifications=[
+                {
+                    "ResourceType": "vpc",
+                    "Tags": [
+                        {"Key": "Name", "Value": "vpc_name"},
+                    ],
+                },
+            ],
        )
        # VPC AZ 1
        ec2_client.create_subnet(
@@ -88,10 +97,12 @@ class Test_vpc_subnet_different_az:
                        assert result.status == "PASS"
                        assert (
                            result.status_extended
-                            == f"VPC {vpc['Vpc']['VpcId']} has subnets in more than one availability zone."
+                            == "VPC vpc_name has subnets in more than one availability zone."
                        )
                        assert result.resource_id == vpc["Vpc"]["VpcId"]
-                        assert result.resource_tags == []
+                        assert result.resource_tags == [
+                            {"Key": "Name", "Value": "vpc_name"}
+                        ]
                        assert result.region == AWS_REGION
                if not found:
                    assert False
--- a/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py
+++ b/tests/providers/aws/services/vpc/vpc_subnet_no_public_ip_by_default/vpc_subnet_no_public_ip_by_default_test.py
@@ -52,6 +52,14 @@ class Test_vpc_subnet_no_public_ip_by_default:
            VpcId=vpc["Vpc"]["VpcId"],
            CidrBlock="172.28.7.192/26",
            AvailabilityZone=f"{AWS_REGION}a",
+            TagSpecifications=[
+                {
+                    "ResourceType": "subnet",
+                    "Tags": [
+                        {"Key": "Name", "Value": "subnet_name"},
+                    ],
+                },
+            ],
        )

        ec2_client.modify_subnet_attribute(
@@ -83,7 +91,7 @@ class Test_vpc_subnet_no_public_ip_by_default:
                        assert result.status == "FAIL"
                        assert (
                            result.status_extended
-                            == f"VPC subnet {subnet_private['Subnet']['SubnetId']} assigns public IP by default."
+                            == "VPC subnet subnet_name assigns public IP by default."
                        )

    @mock_ec2
--- a/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py
+++ b/tests/providers/aws/services/vpc/vpc_subnet_separate_private_public/vpc_subnet_separate_private_public_test.py
@@ -46,7 +46,16 @@ class Test_vpc_subnet_separate_private_public:
    def test_vpc_subnet_only_private(self):
        ec2_client = client("ec2", region_name=AWS_REGION)
        vpc = ec2_client.create_vpc(
-            CidrBlock="172.28.7.0/24", InstanceTenancy="default"
+            CidrBlock="172.28.7.0/24",
+            InstanceTenancy="default",
+            TagSpecifications=[
+                {
+                    "ResourceType": "vpc",
+                    "Tags": [
+                        {"Key": "Name", "Value": "vpc_name"},
+                    ],
+                },
+            ],
        )
        # VPC Private
        subnet_private = ec2_client.create_subnet(
@@ -92,10 +101,12 @@ class Test_vpc_subnet_separate_private_public:
                        assert result.status == "FAIL"
                        assert (
                            result.status_extended
-                            == f"VPC {vpc['Vpc']['VpcId']} has only private subnets."
+                            == "VPC vpc_name has only private subnets."
                        )
                        assert result.resource_id == vpc["Vpc"]["VpcId"]
-                        assert result.resource_tags == []
+                        assert result.resource_tags == [
+                            {"Key": "Name", "Value": "vpc_name"}
+                        ]
                        assert result.region == AWS_REGION
                if not found:
                    assert False