Test cases for cloudfront_distributions_https_enabled #301
Description
This PR adds the cloudfront_distributions_https_enabled check, which verifies that AWS CloudFront distributions enforce HTTPS by requiring secure viewer protocol policies (https-only or redirect-to-https). Distributions allowing unencrypted HTTP (e.g., allow-all) are flagged as non-compliant.
It includes:
- A new test class (TestCloudFrontDistributionsHTTPSEnabled) with comprehensive unit tests for the check implementation.

Test cases cover:
- No distributions: The check returns NOT_APPLICABLE when no CloudFront distributions exist in the account.
- Distributions enforcing HTTPS: Distributions using https-only policies result in a PASSED status.
- Distributions allowing HTTP: Distributions with policies like allow-all are correctly identified, resulting in a FAILED status.
- Client errors: The check gracefully handles AWS ClientError exceptions during API calls, returning an UNKNOWN status.
- HTTPS policy enforcement: Ensures each distribution’s ViewerProtocolPolicy is verified, and no duplicate results are reported.
These tests ensure the check robustly identifies insecure CloudFront configurations and handles edge cases appropriately.
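To make the outcomes these tests exercise concrete, here is an added reference implementation of the check logic (example code, not this PR's or the project's own check). It goes slightly beyond the description by inspecting the ViewerProtocolPolicy of the default cache behavior and of every additional cache behavior, since a single allow-all path pattern is enough to serve plain HTTP. The StubCloudFront client, the SECURE_POLICIES name and the single-page listing are assumptions; the distribution dicts follow the shape of boto3's list_distributions response.

```python
from enum import Enum

try:  # botocore is optional here; the stand-in keeps the example runnable offline
    from botocore.exceptions import ClientError
except ImportError:
    class ClientError(Exception):
        pass

# Viewer policies that refuse plain HTTP (https-only) or upgrade it (redirect-to-https).
SECURE_POLICIES = {"https-only", "redirect-to-https"}

class Status(str, Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    NOT_APPLICABLE = "NOT_APPLICABLE"
    UNKNOWN = "UNKNOWN"

def viewer_policies(dist):
    """ViewerProtocolPolicy of the default behavior plus every additional cache behavior."""
    policies = [dist["DefaultCacheBehavior"]["ViewerProtocolPolicy"]]
    for behavior in dist.get("CacheBehaviors", {}).get("Items", []):
        policies.append(behavior["ViewerProtocolPolicy"])
    return policies

def evaluate_distribution(dist):
    """PASSED only if every behavior is secure; a single allow-all path fails the distribution."""
    secure = all(p in SECURE_POLICIES for p in viewer_policies(dist))
    return Status.PASSED if secure else Status.FAILED

def run_check(client):
    """Return [(resource_id, Status)]: one entry per distribution, so no duplicate findings.
    resource_id is None for the account-level NOT_APPLICABLE and UNKNOWN outcomes."""
    try:
        page = client.list_distributions()  # single page assumed; real calls paginate
    except ClientError:
        return [(None, Status.UNKNOWN)]
    items = page.get("DistributionList", {}).get("Items", [])
    if not items:
        return [(None, Status.NOT_APPLICABLE)]
    return [(d["Id"], evaluate_distribution(d)) for d in items]

class StubCloudFront:
    """Constructed stand-in for a boto3 CloudFront client; not real AWS data."""
    def __init__(self, items=None, error=None):
        self._items, self._error = items or [], error
    def list_distributions(self):
        if self._error:
            raise self._error
        return {"DistributionList": {"Items": self._items}}
```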
License
I confirm that my contribution is made under the terms of the Apache 2.0 license.