diff --git a/plugins/filters/extractTerraformChanges/README.md b/plugins/filters/extractTerraformChanges/README.md new file mode 100644 index 000000000..b75418278 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/README.md @@ -0,0 +1,95 @@ +# extractTerraformChanges + +A GitStream filter that analyzes Terraform HCL file changes to extract the highest privilege level from modified JIT (Just-In-Time) access configurations. + +## Description + +This filter examines git diffs of Terraform HCL files to identify which JIT objects have been modified, then extracts the privilege levels from those objects and returns the highest privilege found. The privilege hierarchy is: `rw` (read-write) > `ro` (read-only). + +## Syntax + +```yaml +{{ | extractTerraformChanges }} +``` + +## Parameters + +| Name | Type | Description | +|------|------|-------------| +| `changes` | Array | Array of file change objects containing diff, original_content, and new_content | + +## Return Value + +- `"rw"` - If any modified JIT object contains read-write privileges +- `"ro"` - If modified JIT objects only contain read-only privileges +- `null` - If no JIT objects were modified or no privileges found + +## Examples + +### Basic Usage + +```yaml +automations: + check_terraform_privilege_changes: + if: + - {{ files | extractTerraformChanges == "rw" }} + run: + - action: add-label@v1 + args: + label: "high-privilege-change" +``` + +### Multiple Conditions + +```yaml +automations: + terraform_privilege_review: + if: + - {{ files | extractTerraformChanges != null }} + run: + - action: add-reviewers@v1 + args: + reviewers: ["security-team"] + - action: add-label@v1 + args: + label: "terraform-jit-change" +``` + +## Input Format + +The filter expects an array of file change objects with the following structure: + +```json +[ + { + "original_file": "path/to/file.hcl", + "new_file": "path/to/file.hcl", + "diff": "@@ -50,7 +50,7 @@\n- privileges = \"rw\"\n+ privileges = \"ro\"", + "original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninputs = {\n jits = [\n {\n user = \"user_alpha\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n }\n ]\n}", + "new_content": "..." + } +] +``` + +## How It Works + +1. **Parse Diffs**: Analyzes git diff output to identify changed line numbers +2. **Parse HCL Content**: Extracts JIT objects from the original HCL content with their line ranges +3. **Match Changes**: Determines which JIT objects have been modified based on changed lines +4. **Extract Privileges**: Collects privilege levels from all modified JIT objects +5. **Return Highest**: Returns the highest privilege level found (`rw` > `ro`) + +## Use Cases + +- **Security Reviews**: Automatically flag changes that modify high-privilege access +- **Approval Workflows**: Require additional approvals for read-write privilege changes +- **Audit Trails**: Track modifications to database access configurations +- **Risk Assessment**: Identify potentially risky infrastructure changes + +## Notes + +- Only analyzes changes within `jits` arrays in HCL files +- Supports nested JIT object structures with `access` arrays +- Ignores changes outside of JIT configurations +- Returns immediately upon finding `rw` privileges (optimization) +- Handles malformed or incomplete input gracefully \ No newline at end of file diff --git a/plugins/filters/extractTerraformChanges/extract_terraform_changes.cm b/plugins/filters/extractTerraformChanges/extract_terraform_changes.cm new file mode 100644 index 000000000..57035e3cb --- /dev/null +++ b/plugins/filters/extractTerraformChanges/extract_terraform_changes.cm @@ -0,0 +1,15 @@ +manifest: + version: 1.0 + +automations: + linearb_hcl_review: + on: + - pr_created + - commit + if: + - {{ files | match(regex=r/production.*\.hcl/) | some }} + - {{ (source.diff.files | extractTerraformChanges) == 'ro' }} + run: + - action: add-comment@v1 + args: + comment: its an RO change diff --git a/plugins/filters/extractTerraformChanges/index.js b/plugins/filters/extractTerraformChanges/index.js new file mode 100644 index 000000000..a17df65d3 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/index.js @@ -0,0 +1,179 @@ +/** + * @module extractTerraformChanges + * @description Extract the highest privilege level from modified JIT configurations in Terraform HCL files. + * Analyzes git diffs to identify which JIT objects were changed and returns the highest + * privilege level found (rw > ro). + * @param {Array} changes - Array of file change objects with diff, original_content, and new_content + * @returns {string|null} The highest privilege level found ('rw' or 'ro'), or null if no privileges found + * @example {{ source.diff.files | extractTerraformChanges }} + * @license MIT +**/ + +module.exports = (changes) => { + if (!changes || !Array.isArray(changes) || changes.length === 0) { + return null; + } + + let highestPrivilege = null; + + for (const change of changes) { + if (!change.diff || !change.original_content) { + continue; + } + + const changedLines = parseChangedLines(change.diff); + if (changedLines.length === 0) { + continue; + } + + const originalJitObjects = parseJitObjects(change.original_content); + const newJitObjects = change.new_content ? parseJitObjects(change.new_content) : []; + const modifiedPrivileges = getModifiedPrivileges(originalJitObjects, newJitObjects, changedLines); + + for (const privilege of modifiedPrivileges) { + if (privilege === 'rw') { + return 'rw'; // rw is highest, can return immediately + } else if (privilege === 'ro' && !highestPrivilege) { + highestPrivilege = 'ro'; + } + } + } + + return highestPrivilege; +}; + +/** + * Parse git diff to extract changed line numbers + * @param {string} diff - Git diff string + * @returns {Array} Array of changed line numbers (1-based) + */ +function parseChangedLines(diff) { + const changedLines = []; + const lines = diff.split('\n'); + let currentLine = 0; + + for (const line of lines) { + // Parse hunk headers like "@@ -50,7 +50,7 @@" + const hunkMatch = line.match(/^@@ -(\d+),?\d* \+(\d+),?\d* @@/); + if (hunkMatch) { + currentLine = parseInt(hunkMatch[2], 10); + continue; + } + + // Track line numbers for context and additions + if (line.startsWith(' ') || line.startsWith('+')) { + if (line.startsWith('+') && !line.startsWith('+++')) { + changedLines.push(currentLine); + } + if (!line.startsWith('-')) { + currentLine++; + } + } else if (line.startsWith('-') && !line.startsWith('---')) { + changedLines.push(currentLine); + } + } + + return changedLines; +} + +/** + * Parse HCL content to extract JIT objects with their line ranges and privileges + * @param {string} content - HCL file content + * @returns {Array} Array of JIT objects with line ranges and privileges + */ +function parseJitObjects(content) { + const lines = content.split('\n'); + const jitObjects = []; + let inJitsArray = false; + let braceLevel = 0; + let currentJit = null; + + for (let i = 0; i < lines.length; i++) { + const line = lines[i]; + const lineNumber = i + 1; + + // Look for the start of jits array + if (line.trim().includes('jits = [')) { + inJitsArray = true; + continue; + } + + if (!inJitsArray) { + continue; + } + + // Track brace levels to identify JIT object boundaries + const openBraces = (line.match(/{/g) || []).length; + const closeBraces = (line.match(/}/g) || []).length; + + if (openBraces > 0 && braceLevel === 0) { + // Start of new JIT object + currentJit = { + startLine: lineNumber, + endLine: lineNumber, + privileges: [] + }; + braceLevel += openBraces - closeBraces; + } else if (currentJit) { + braceLevel += openBraces - closeBraces; + currentJit.endLine = lineNumber; + + // Look for privileges in this line + const privilegeMatch = line.match(/privileges\s*=\s*"(rw|ro)"/); + if (privilegeMatch) { + currentJit.privileges.push(privilegeMatch[1]); + } + + // End of JIT object + if (braceLevel === 0) { + jitObjects.push(currentJit); + currentJit = null; + } + } + + // Check if we've left the jits array + if (line.trim() === ']' && braceLevel === 0) { + inJitsArray = false; + break; + } + } + + return jitObjects; +} + +/** + * Get privileges from JIT objects that have been modified + * @param {Array} originalJitObjects - Array of JIT objects from original content with line ranges + * @param {Array} newJitObjects - Array of JIT objects from new content with line ranges + * @param {Array} changedLines - Array of changed line numbers + * @returns {Array} Array of privilege strings from modified objects + */ +function getModifiedPrivileges(originalJitObjects, newJitObjects, changedLines) { + const privileges = []; + + // Check original JIT objects for modifications + for (const jit of originalJitObjects) { + // Check if any changed line falls within this JIT object's range + const isModified = changedLines.some(lineNum => + lineNum >= jit.startLine && lineNum <= jit.endLine + ); + + if (isModified) { + privileges.push(...jit.privileges); + } + } + + // Also check new JIT objects for modifications to capture privilege upgrades (ro->rw) + for (const jit of newJitObjects) { + // Check if any changed line falls within this JIT object's range + const isModified = changedLines.some(lineNum => + lineNum >= jit.startLine && lineNum <= jit.endLine + ); + + if (isModified) { + privileges.push(...jit.privileges); + } + } + + return privileges; +} diff --git a/plugins/filters/extractTerraformChanges/pr_with_ro_change.json b/plugins/filters/extractTerraformChanges/pr_with_ro_change.json new file mode 100644 index 000000000..d43e4ee02 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/pr_with_ro_change.json @@ -0,0 +1,9 @@ +[ + { + "original_file": "production/t1.hcl", + "new_file": "production/t1.hcl", + "diff": "@@ -56,7 +56,7 @@ inputs = {\n },\n {\n user = \"user_beta\"\n- default_ttl = 60 * 60 * 6\n+ default_ttl = 60 * 60 * 7\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n@@ -84,14 +84,13 @@ inputs = {\n },\n {\n user = \"user_delta\"\n- default_ttl = 60 * 60 * 8\n+ default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n- schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n", + "original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n", + "new_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 7\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n" + } +] diff --git a/plugins/filters/extractTerraformChanges/pr_with_ro_to_rw_change.json b/plugins/filters/extractTerraformChanges/pr_with_ro_to_rw_change.json new file mode 100644 index 000000000..ca1b4eb57 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/pr_with_ro_to_rw_change.json @@ -0,0 +1,9 @@ +[ + { + "original_file": "production/t1.hcl", + "new_file": "production/t1.hcl", + "diff": "@@ -64,7 +64,7 @@ inputs = {\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n- privileges = \"ro\"\n+ privileges = \"rw\"\n }\n ]\n },\n", + "original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n", + "new_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n" + } +] diff --git a/plugins/filters/extractTerraformChanges/pr_with_rw_change.json b/plugins/filters/extractTerraformChanges/pr_with_rw_change.json new file mode 100644 index 000000000..34033ef0b --- /dev/null +++ b/plugins/filters/extractTerraformChanges/pr_with_rw_change.json @@ -0,0 +1,9 @@ +[ + { + "original_file": "production/t1.hcl", + "new_file": "production/t1.hcl", + "diff": "@@ -50,7 +50,7 @@ inputs = {\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n- privileges = \"rw\"\n+ privileges = \"ro\"\n }\n ]\n },\n@@ -63,7 +63,6 @@ inputs = {\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n- schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n", + "original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n", + "new_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n" + } +] diff --git a/plugins/filters/extractTerraformChanges/reference.md b/plugins/filters/extractTerraformChanges/reference.md new file mode 100644 index 000000000..2af74e842 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/reference.md @@ -0,0 +1,21 @@ + + +## extractTerraformChanges + +Extract the highest privilege level from modified JIT configurations in Terraform HCL source.diff.files. + +**Returns**: Returns `rw` for read-write privileges, `ro` for read-only privileges, or `null` if no privileges found +**License**: MIT + +## Parameters + +| Name | Type | Required | Description | +|------|------|----------|-------------| +| changes | Array | Yes | `source.diff.files` context | + + +**Example** + +```js +{{ (source.diff.files | extractTerraformChanges) == 'ro' }} +``` diff --git a/plugins/filters/extractTerraformChanges/test.js b/plugins/filters/extractTerraformChanges/test.js new file mode 100644 index 000000000..332e0a7c9 --- /dev/null +++ b/plugins/filters/extractTerraformChanges/test.js @@ -0,0 +1,213 @@ +/** + * Test file for extractTerraformChanges + */ + +const extractTerraformChanges = require('./index.js'); +const fs = require('fs'); +const path = require('path'); + +// Load test data +const rwChangeData = JSON.parse(fs.readFileSync(path.join(__dirname, 'pr_with_rw_change.json'), 'utf8')); +const roChangeData = JSON.parse(fs.readFileSync(path.join(__dirname, 'pr_with_ro_change.json'), 'utf8')); +const roToRwChangeData = JSON.parse(fs.readFileSync(path.join(__dirname, 'pr_with_ro_to_rw_change.json'), 'utf8')); + +// Test cases +const testCases = [ + { + name: "PR with RW privilege change", + input: rwChangeData, + expected: "rw", + description: "Should return 'rw' when a JIT object with rw privileges is modified (changed from rw to ro)" + }, + { + name: "PR with RO privilege change", + input: roChangeData, + expected: "ro", + description: "Should return 'ro' when only JIT objects with ro privileges are modified (TTL changes)" + }, + { + name: "PR with RO to RW privilege change", + input: roToRwChangeData, + expected: "rw", + description: "Should return 'rw' when a JIT object with rw privileges is modified (changed from rw to ro)" + }, + { + name: "Empty input", + input: [], + expected: null, + description: "Should return null for empty input array" + }, + { + name: "Null input", + input: null, + expected: null, + description: "Should return null for null input" + }, + { + name: "Invalid input", + input: "not an array", + expected: null, + description: "Should return null for non-array input" + }, + { + name: "Change without diff", + input: [{ + original_file: "test.hcl", + new_file: "test.hcl", + original_content: "some content", + new_content: "some other content" + }], + expected: null, + description: "Should return null when diff is missing" + }, + { + name: "Change without original content", + input: [{ + original_file: "test.hcl", + new_file: "test.hcl", + diff: "@@ -1,1 +1,1 @@\n-old\n+new", + new_content: "some content" + }], + expected: null, + description: "Should return null when original_content is missing" + }, + { + name: "Changes outside JIT objects", + input: [{ + original_file: "test.hcl", + new_file: "test.hcl", + diff: "@@ -1,3 +1,3 @@\n include \"root\" {\n- path = find_in_parent_folders(\"root.hcl\")\n+ path = find_in_parent_folders(\"new_root.hcl\")\n }", + original_content: `include "root" { + path = find_in_parent_folders("root.hcl") +} + +inputs = { + jits = [ + { + user = "test_user" + access = [ + { + tables = ["*"] + privileges = "rw" + } + ] + } + ] +}`, + new_content: `include "root" { + path = find_in_parent_folders("new_root.hcl") +} + +inputs = { + jits = [ + { + user = "test_user" + access = [ + { + tables = ["*"] + privileges = "rw" + } + ] + } + ] +}` + }], + expected: null, + description: "Should return null when changes are outside JIT objects" + }, + { + name: "Mixed privilege changes", + input: [{ + original_file: "test.hcl", + new_file: "test.hcl", + diff: "@@ -10,7 +10,7 @@\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user2\"\n- default_ttl = 3600\n+ default_ttl = 7200\n access = [\n {\n privileges = \"ro\"", + original_content: `inputs = { + jits = [ + { + user = "user1" + access = [ + { + tables = ["*"] + privileges = "rw" + } + ] + }, + { + user = "user2" + default_ttl = 3600 + access = [ + { + tables = ["logs"] + privileges = "ro" + } + ] + } + ] +}`, + new_content: `inputs = { + jits = [ + { + user = "user1" + access = [ + { + tables = ["*"] + privileges = "rw" + } + ] + }, + { + user = "user2" + default_ttl = 7200 + access = [ + { + tables = ["logs"] + privileges = "ro" + } + ] + } + ] +}` + }], + expected: "ro", + description: "Should return 'ro' when only the JIT object with ro privileges is modified" + } +]; + +// Run the tests +let passed = 0; +let failed = 0; + +console.log('Running tests for extractTerraformChanges\n'); + +testCases.forEach(test => { + try { + const result = extractTerraformChanges(test.input); + const success = result === test.expected; + + if (success) { + console.log(`✅ PASS: ${test.name}`); + console.log(` ${test.description}`); + passed++; + } else { + console.log(`❌ FAIL: ${test.name}`); + console.log(` ${test.description}`); + console.log(` Expected: ${test.expected}`); + console.log(` Actual: ${result}`); + failed++; + } + } catch (error) { + console.log(`❌ ERROR: ${test.name}`); + console.log(` ${test.description}`); + console.log(` Error: ${error.message}`); + failed++; + } + console.log(''); +}); + +console.log(`Test Summary: ${passed} passed, ${failed} failed`); + +if (failed > 0) { + process.exit(1); +} else { + console.log('All tests passed successfully!'); +}