Merge pull request #1891 from snyk/fix/terraform-plan-full-scan

fix: tf plan full scan

Author: rontalx

src/cli/commands/test/iac-local-execution/parsers/terraform-plan-parser.ts

@@ -5,7 +5,8 @@ import {
   TerraformPlanJson,
   TerraformPlanResource,
   ResourceActions,
-  VALID_RESOURCE_ACTIONS,
+  VALID_RESOURCE_ACTIONS_FOR_DELTA_SCAN,
+  VALID_RESOURCE_ACTIONS_FOR_FULL_SCAN,
   TerraformScanInput,
   TerraformPlanResourceChange,
   IaCErrorCodes,
@@ -35,19 +36,26 @@ function terraformPlanReducer(
 function resourceChangeReducer(
   scanInput: TerraformScanInput,
   resource: TerraformPlanResourceChange,
+  isFullScan: boolean,
 ): TerraformScanInput {
   // TODO: investigate if we need to address also `after_unknown` field.
   const { actions, after } = resource.change || { actions: [], after: {} };
-  if (isValidResourceActions(actions)) {
+  if (isValidResourceActions(actions, isFullScan)) {
     const resourceForReduction = { ...resource, values: after || {} };
     return terraformPlanReducer(scanInput, resourceForReduction);
   }
 
   return scanInput;
 }
 
-function isValidResourceActions(action: ResourceActions): boolean {
-  return VALID_RESOURCE_ACTIONS.some((validAction: string[]) => {
+function isValidResourceActions(
+  action: ResourceActions,
+  isFullScan: boolean,
+): boolean {
+  const VALID_ACTIONS = isFullScan
+    ? VALID_RESOURCE_ACTIONS_FOR_FULL_SCAN
+    : VALID_RESOURCE_ACTIONS_FOR_DELTA_SCAN;
+  return VALID_ACTIONS.some((validAction: string[]) => {
     if (action.length !== validAction.length) {
       return false;
     }
@@ -57,56 +65,28 @@ function isValidResourceActions(action: ResourceActions): boolean {
   });
 }
 
-function extractRootModuleResources(
-  terraformPlanJson: TerraformPlanJson,
-): Array<TerraformPlanResource> {
-  return terraformPlanJson.planned_values?.root_module?.resources || [];
-}
-
-function extractChildModulesResources(
-  terraformPlanJson: TerraformPlanJson,
-): Array<TerraformPlanResource> {
-  const childModules =
-    terraformPlanJson?.planned_values?.root_module?.child_modules || [];
-  const extractedChildModuleResources: Array<TerraformPlanResource> = [];
-  childModules.forEach((childModule) =>
-    childModule.resources.forEach((resource) =>
-      extractedChildModuleResources.push(resource),
-    ),
-  );
-  return extractedChildModuleResources;
-}
-
 function extractResourceChanges(
   terraformPlanJson: TerraformPlanJson,
 ): Array<TerraformPlanResourceChange> {
   return terraformPlanJson.resource_changes || [];
 }
 
-function extractResourcesForFullScan(
-  terraformPlanJson: TerraformPlanJson,
-): TerraformScanInput {
-  const rootModuleResources = extractRootModuleResources(terraformPlanJson);
-  const childModuleResources = extractChildModulesResources(terraformPlanJson);
-  return [
-    ...rootModuleResources,
-    ...childModuleResources,
-  ].reduce(terraformPlanReducer, { resource: {}, data: {} });
-}
-
-function extractResourcesForDeltaScan(
+function extractResourcesForScan(
   terraformPlanJson: TerraformPlanJson,
+  isFullScan = false,
 ): TerraformScanInput {
   const resourceChanges = extractResourceChanges(terraformPlanJson);
-  return resourceChanges.reduce(resourceChangeReducer, {
-    resource: {},
-    data: {},
-  });
+  return resourceChanges.reduce(
+    (memo, curr) => resourceChangeReducer(memo, curr, isFullScan),
+    {
+      resource: {},
+      data: {},
+    },
+  );
 }
 
 export function isTerraformPlan(terraformPlanJson: TerraformPlanJson): boolean {
   const missingRequiredFields =
-    !terraformPlanJson.planned_values?.root_module ||
     terraformPlanJson.resource_changes === undefined;
   return !missingRequiredFields;
 }
@@ -117,14 +97,10 @@ export function tryParsingTerraformPlan(
   { isFullScan }: { isFullScan: boolean } = { isFullScan: false },
 ): Array<IacFileParsed> {
   try {
-    const scannableInput = isFullScan
-      ? extractResourcesForFullScan(terraformPlanJson)
-      : extractResourcesForDeltaScan(terraformPlanJson);
-
     return [
       {
         ...terraformPlanFile,
-        jsonContent: scannableInput,
+        jsonContent: extractResourcesForScan(terraformPlanJson, isFullScan),
         engineType: EngineType.Terraform,
       },
     ];

src/cli/commands/test/iac-local-execution/types.ts

@@ -170,12 +170,6 @@ export interface TerraformPlanResourceChange
 
 export interface TerraformPlanJson {
   // there are more values, but these are the required ones for us to scan
-  planned_values: {
-    root_module: {
-      resources: Array<TerraformPlanResource>;
-      child_modules: Array<{ resources: Array<TerraformPlanResource> }>;
-    };
-  };
   resource_changes: Array<TerraformPlanResourceChange>;
 }
 export interface TerraformScanInput {
@@ -195,13 +189,19 @@ export type ResourceActions =
   | ['delete'];
 
 // we will be scanning the `create` & `update` actions only.
-export const VALID_RESOURCE_ACTIONS: ResourceActions[] = [
+export const VALID_RESOURCE_ACTIONS_FOR_DELTA_SCAN: ResourceActions[] = [
   ['create'],
   ['update'],
   ['create', 'delete'],
   ['delete', 'create'],
 ];
 
+// scans all actions including 'no-op' in order to iterate on all resources.
+export const VALID_RESOURCE_ACTIONS_FOR_FULL_SCAN: ResourceActions[] = [
+  ['no-op'],
+  ...VALID_RESOURCE_ACTIONS_FOR_DELTA_SCAN,
+];
+
 // Error codes used for Analytics & Debugging
 // Within a single module, increments are in 1.
 // Between modules, increments are in 10, according to the order of execution.

test/fixtures/iac/terraform-plan/expected-parser-results/delta-scan/tf-plan-create.resources.json

@@ -0,0 +1,155 @@
+{
+    "resource": {
+      "aws_codebuild_project": {
+        "terra_ci": {
+          "artifacts": [
+            {
+              "artifact_identifier": null,
+              "encryption_disabled": false,
+              "location": "terra-ci-artifacts-eu-west-1-000002",
+              "name": null,
+              "namespace_type": null,
+              "override_artifact_name": false,
+              "packaging": null,
+              "path": null,
+              "type": "S3"
+            }
+          ],
+          "badge_enabled": false,
+          "build_timeout": 10,
+          "cache": [],
+          "description": "Deploy environment configuration",
+          "environment": [
+            {
+              "certificate": null,
+              "compute_type": "BUILD_GENERAL1_SMALL",
+              "environment_variable": [],
+              "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
+              "image_pull_credentials_type": "CODEBUILD",
+              "privileged_mode": false,
+              "registry_credential": [],
+              "type": "LINUX_CONTAINER"
+            }
+          ],
+          "logs_config": [
+            {
+              "cloudwatch_logs": [
+                {
+                  "group_name": null,
+                  "status": "ENABLED",
+                  "stream_name": null
+                }
+              ],
+              "s3_logs": [
+                {
+                  "encryption_disabled": false,
+                  "location": null,
+                  "status": "DISABLED"
+                }
+              ]
+            }
+          ],
+          "name": "terra-ci-runner",
+          "queued_timeout": 480,
+          "secondary_artifacts": [],
+          "secondary_sources": [],
+          "source": [
+            {
+              "auth": [],
+              "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - make install_tools\n  build:\n    commands:\n      - make plan_local resource=$TERRA_CI_RESOURCE\nartifacts:\n  files:\n    - ./tfplan\n  name: $TERRA_CI_BUILD_NAME\n\n",
+              "git_clone_depth": 1,
+              "git_submodules_config": [],
+              "insecure_ssl": false,
+              "location": "https://github.com/p0tr3c-terraform/terra-ci-single-account.git",
+              "report_build_status": false,
+              "type": "GITHUB"
+            }
+          ],
+          "source_version": null,
+          "tags": null,
+          "vpc_config": []
+        }
+      },
+      "aws_iam_role": {
+        "terra_ci_job": {
+          "assume_role_policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"codebuild.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n",
+          "description": null,
+          "force_detach_policies": false,
+          "max_session_duration": 3600,
+          "name": "terra_ci_job",
+          "name_prefix": null,
+          "path": "/",
+          "permissions_boundary": null,
+          "tags": null
+        },
+        "terra_ci_runner": {
+          "assume_role_policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"states.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n",
+          "description": null,
+          "force_detach_policies": false,
+          "max_session_duration": 3600,
+          "name": "terra_ci_runner",
+          "name_prefix": null,
+          "path": "/",
+          "permissions_boundary": null,
+          "tags": null
+        }
+      },
+      "aws_iam_role_policy": {
+        "terra_ci_job": {
+          "name_prefix": null,
+          "role": "terra_ci_job"
+        },
+        "terra_ci_runner": {
+          "name_prefix": null,
+          "role": "terra_ci_runner"
+        }
+      },
+      "aws_iam_role_policy_attachment": {
+        "terra_ci_job_ecr_access": {
+          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser",
+          "role": "terra_ci_job"
+        }
+      },
+      "aws_s3_bucket": {
+        "terra_ci": {
+          "acl": "private",
+          "bucket": "terra-ci-artifacts-eu-west-1-000002",
+          "bucket_prefix": null,
+          "cors_rule": [],
+          "force_destroy": false,
+          "grant": [],
+          "lifecycle_rule": [],
+          "logging": [],
+          "object_lock_configuration": [],
+          "policy": null,
+          "replication_configuration": [],
+          "server_side_encryption_configuration": [
+            {
+              "rule": [
+                {
+                  "apply_server_side_encryption_by_default": [
+                    {
+                      "kms_master_key_id": null,
+                      "sse_algorithm": "aws:kms"
+                    }
+                  ],
+                  "bucket_key_enabled": false
+                }
+              ]
+            }
+          ],
+          "tags": null,
+          "website": []
+        }
+      },
+      "aws_sfn_state_machine": {
+        "terra_ci_runner": {
+          "definition": "{\n  \"Comment\": \"Run Terragrunt Jobs\",\n  \"StartAt\": \"OnBranch?\",\n  \"States\": {\n    \"OnBranch?\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.build.sourceversion\",\n          \"IsPresent\": true,\n          \"Next\": \"PlanBranch\"\n        }\n      ],\n      \"Default\": \"Plan\"\n    },\n    \"Plan\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_BUILD_NAME\",\n            \"Value.$\": \"$$.Execution.Name\"\n          },\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    },\n    \"PlanBranch\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"SourceVersion.$\": \"$.build.sourceversion\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    }\n  }\n}\n",
+          "name": "terra-ci-runner",
+          "tags": null,
+          "type": "STANDARD"
+        }
+      }
+    },
+    "data": {}
+  }

test/fixtures/iac/terraform-plan/expected-parser-results/delta-scan/tf-plan-destroy.resources.json

@@ -0,0 +1,4 @@
+{ 
+	"resource": {},
+	"data": {}
+}

test/fixtures/iac/terraform-plan/expected-parser-results/delta-scan/tf-plan-no-op.resources.json

@@ -0,0 +1,4 @@
+{ 
+	"resource": {},
+	"data": {}
+}

test/fixtures/iac/terraform-plan/expected-parser-results/delta-scan/tf-plan-update.resources.json

@@ -0,0 +1,86 @@
+{
+    "resource": {
+      "aws_codebuild_project": {
+        "some_projed": {
+          "arn": "arn:aws:codebuild:eu-west-1:719261439472:project/why-my-project-not-working",
+          "artifacts": [
+            {
+              "artifact_identifier": "",
+              "encryption_disabled": true,
+              "location": "terra-ci-artifacts-eu-west-1-000002",
+              "name": "why-my-project-not-working",
+              "namespace_type": "NONE",
+              "override_artifact_name": true,
+              "packaging": "NONE",
+              "path": "",
+              "type": "S3"
+            }
+          ],
+          "badge_enabled": false,
+          "badge_url": "",
+          "build_timeout": 10,
+          "cache": [
+            {
+              "location": "",
+              "modes": [],
+              "type": "NO_CACHE"
+            }
+          ],
+          "description": "Deploy environment configuration",
+          "encryption_key": "arn:aws:kms:eu-west-1:719261439472:alias/aws/s3",
+          "environment": [
+            {
+              "certificate": "",
+              "compute_type": "BUILD_GENERAL1_SMALL",
+              "environment_variable": [],
+              "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
+              "image_pull_credentials_type": "CODEBUILD",
+              "privileged_mode": false,
+              "registry_credential": [],
+              "type": "LINUX_CONTAINER"
+            }
+          ],
+          "id": "arn:aws:codebuild:eu-west-1:719261439472:project/why-my-project-not-working",
+          "logs_config": [
+            {
+              "cloudwatch_logs": [
+                {
+                  "group_name": "",
+                  "status": "ENABLED",
+                  "stream_name": ""
+                }
+              ],
+              "s3_logs": [
+                {
+                  "encryption_disabled": false,
+                  "location": "",
+                  "status": "DISABLED"
+                }
+              ]
+            }
+          ],
+          "name": "why-my-project-not-working",
+          "queued_timeout": 480,
+          "secondary_artifacts": [],
+          "secondary_sources": [],
+          "service_role": "arn:aws:iam::719261439472:role/terra_ci_job",
+          "source": [
+            {
+              "auth": [],
+              "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - make install_tools\n  build:\n    commands:\n      - make plan_local resource=$TERRA_CI_RESOURCE\nartifacts:\n  files:\n    - ./tfplan\n  name: $TERRA_CI_BUILD_NAME\n",
+              "git_clone_depth": 1,
+              "git_submodules_config": [],
+              "insecure_ssl": false,
+              "location": "https://github.com/p0tr3c-terraform/terra-ci-single-account.git",
+              "report_build_status": false,
+              "type": "GITHUB"
+            }
+          ],
+          "source_version": "",
+          "tags": {},
+          "vpc_config": []
+        }
+      }
+    },
+    "data": {}
+  }

test/fixtures/iac/terraform-plan/expected-parser-results/full-scan/tf-plan-create.resources.json

@@ -0,0 +1,155 @@
+{
+    "resource": {
+      "aws_codebuild_project": {
+        "terra_ci": {
+          "artifacts": [
+            {
+              "artifact_identifier": null,
+              "encryption_disabled": false,
+              "location": "terra-ci-artifacts-eu-west-1-000002",
+              "name": null,
+              "namespace_type": null,
+              "override_artifact_name": false,
+              "packaging": null,
+              "path": null,
+              "type": "S3"
+            }
+          ],
+          "badge_enabled": false,
+          "build_timeout": 10,
+          "cache": [],
+          "description": "Deploy environment configuration",
+          "environment": [
+            {
+              "certificate": null,
+              "compute_type": "BUILD_GENERAL1_SMALL",
+              "environment_variable": [],
+              "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
+              "image_pull_credentials_type": "CODEBUILD",
+              "privileged_mode": false,
+              "registry_credential": [],
+              "type": "LINUX_CONTAINER"
+            }
+          ],
+          "logs_config": [
+            {
+              "cloudwatch_logs": [
+                {
+                  "group_name": null,
+                  "status": "ENABLED",
+                  "stream_name": null
+                }
+              ],
+              "s3_logs": [
+                {
+                  "encryption_disabled": false,
+                  "location": null,
+                  "status": "DISABLED"
+                }
+              ]
+            }
+          ],
+          "name": "terra-ci-runner",
+          "queued_timeout": 480,
+          "secondary_artifacts": [],
+          "secondary_sources": [],
+          "source": [
+            {
+              "auth": [],
+              "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - make install_tools\n  build:\n    commands:\n      - make plan_local resource=$TERRA_CI_RESOURCE\nartifacts:\n  files:\n    - ./tfplan\n  name: $TERRA_CI_BUILD_NAME\n\n",
+              "git_clone_depth": 1,
+              "git_submodules_config": [],
+              "insecure_ssl": false,
+              "location": "https://github.com/p0tr3c-terraform/terra-ci-single-account.git",
+              "report_build_status": false,
+              "type": "GITHUB"
+            }
+          ],
+          "source_version": null,
+          "tags": null,
+          "vpc_config": []
+        }
+      },
+      "aws_iam_role": {
+        "terra_ci_job": {
+          "assume_role_policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"codebuild.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n",
+          "description": null,
+          "force_detach_policies": false,
+          "max_session_duration": 3600,
+          "name": "terra_ci_job",
+          "name_prefix": null,
+          "path": "/",
+          "permissions_boundary": null,
+          "tags": null
+        },
+        "terra_ci_runner": {
+          "assume_role_policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"states.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}\n",
+          "description": null,
+          "force_detach_policies": false,
+          "max_session_duration": 3600,
+          "name": "terra_ci_runner",
+          "name_prefix": null,
+          "path": "/",
+          "permissions_boundary": null,
+          "tags": null
+        }
+      },
+      "aws_iam_role_policy": {
+        "terra_ci_job": {
+          "name_prefix": null,
+          "role": "terra_ci_job"
+        },
+        "terra_ci_runner": {
+          "name_prefix": null,
+          "role": "terra_ci_runner"
+        }
+      },
+      "aws_iam_role_policy_attachment": {
+        "terra_ci_job_ecr_access": {
+          "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser",
+          "role": "terra_ci_job"
+        }
+      },
+      "aws_s3_bucket": {
+        "terra_ci": {
+          "acl": "private",
+          "bucket": "terra-ci-artifacts-eu-west-1-000002",
+          "bucket_prefix": null,
+          "cors_rule": [],
+          "force_destroy": false,
+          "grant": [],
+          "lifecycle_rule": [],
+          "logging": [],
+          "object_lock_configuration": [],
+          "policy": null,
+          "replication_configuration": [],
+          "server_side_encryption_configuration": [
+            {
+              "rule": [
+                {
+                  "apply_server_side_encryption_by_default": [
+                    {
+                      "kms_master_key_id": null,
+                      "sse_algorithm": "aws:kms"
+                    }
+                  ],
+                  "bucket_key_enabled": false
+                }
+              ]
+            }
+          ],
+          "tags": null,
+          "website": []
+        }
+      },
+      "aws_sfn_state_machine": {
+        "terra_ci_runner": {
+          "definition": "{\n  \"Comment\": \"Run Terragrunt Jobs\",\n  \"StartAt\": \"OnBranch?\",\n  \"States\": {\n    \"OnBranch?\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.build.sourceversion\",\n          \"IsPresent\": true,\n          \"Next\": \"PlanBranch\"\n        }\n      ],\n      \"Default\": \"Plan\"\n    },\n    \"Plan\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_BUILD_NAME\",\n            \"Value.$\": \"$$.Execution.Name\"\n          },\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    },\n    \"PlanBranch\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"SourceVersion.$\": \"$.build.sourceversion\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    }\n  }\n}\n",
+          "name": "terra-ci-runner",
+          "tags": null,
+          "type": "STANDARD"
+        }
+      }
+    },
+    "data": {}
+  }

test/fixtures/iac/terraform-plan/expected-parser-results/full-scan/tf-plan-destroy.resources.json

@@ -0,0 +1,4 @@
+{ 
+	"resource": {},
+	"data": {}
+}

test/fixtures/iac/terraform-plan/expected-parser-results/full-scan/tf-plan-no-op.resources.json

@@ -0,0 +1,225 @@
+{
+  "resource": {
+    "aws_codebuild_project": {
+      "terra_ci": {
+        "arn": "arn:aws:codebuild:eu-west-1:719261439472:project/terra-ci-runner",
+        "artifacts": [
+          {
+            "artifact_identifier": "",
+            "encryption_disabled": false,
+            "location": "terra-ci-artifacts-eu-west-1-000002",
+            "name": "terra-ci-runner",
+            "namespace_type": "NONE",
+            "override_artifact_name": false,
+            "packaging": "NONE",
+            "path": "",
+            "type": "S3"
+          }
+        ],
+        "badge_enabled": false,
+        "badge_url": "",
+        "build_timeout": 10,
+        "cache": [
+          {
+            "location": "",
+            "modes": [],
+            "type": "NO_CACHE"
+          }
+        ],
+        "description": "Deploy environment configuration",
+        "encryption_key": "arn:aws:kms:eu-west-1:719261439472:alias/aws/s3",
+        "environment": [
+          {
+            "certificate": "",
+            "compute_type": "BUILD_GENERAL1_SMALL",
+            "environment_variable": [],
+            "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
+            "image_pull_credentials_type": "CODEBUILD",
+            "privileged_mode": false,
+            "registry_credential": [],
+            "type": "LINUX_CONTAINER"
+          }
+        ],
+        "id": "arn:aws:codebuild:eu-west-1:719261439472:project/terra-ci-runner",
+        "logs_config": [
+          {
+            "cloudwatch_logs": [
+              {
+                "group_name": "",
+                "status": "ENABLED",
+                "stream_name": ""
+              }
+            ],
+            "s3_logs": [
+              {
+                "encryption_disabled": false,
+                "location": "",
+                "status": "DISABLED"
+              }
+            ]
+          }
+        ],
+        "name": "terra-ci-runner",
+        "queued_timeout": 480,
+        "secondary_artifacts": [],
+        "secondary_sources": [],
+        "service_role": "arn:aws:iam::719261439472:role/terra_ci_job",
+        "source": [
+          {
+            "auth": [],
+            "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - make install_tools\n  build:\n    commands:\n      - make plan_local resource=$TERRA_CI_RESOURCE\nartifacts:\n  files:\n    - ./tfplan\n  name: $TERRA_CI_BUILD_NAME\n\n",
+            "git_clone_depth": 1,
+            "git_submodules_config": [],
+            "insecure_ssl": false,
+            "location": "https://github.com/p0tr3c-terraform/terra-ci-single-account.git",
+            "report_build_status": false,
+            "type": "GITHUB"
+          }
+        ],
+        "source_version": "",
+        "tags": {},
+        "vpc_config": []
+      }
+    },
+    "aws_iam_role": {
+      "terra_ci_job": {
+        "arn": "arn:aws:iam::719261439472:role/terra_ci_job",
+        "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"codebuild.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}",
+        "create_date": "2021-05-01T15:08:15Z",
+        "description": "",
+        "force_detach_policies": false,
+        "id": "terra_ci_job",
+        "inline_policy": [
+          {
+            "name": "terraform-20210501150816628700000001",
+            "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Resource\": \"arn:aws:iam::719261439472:role/ci\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"*\"\n      ],\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"arn:aws:s3:::terra-ci-artifacts-eu-west-1-000002\",\n        \"arn:aws:s3:::terra-ci-artifacts-eu-west-1-000002/*\"\n      ],\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:*Object\"\n      ]\n    }\n  ]\n}\n"
+          }
+        ],
+        "managed_policy_arns": [
+          "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser"
+        ],
+        "max_session_duration": 3600,
+        "name": "terra_ci_job",
+        "name_prefix": null,
+        "path": "/",
+        "permissions_boundary": null,
+        "tags": {},
+        "unique_id": "AROA2O52SSXYL7LBSM733"
+      },
+      "terra_ci_runner": {
+        "arn": "arn:aws:iam::719261439472:role/terra_ci_runner",
+        "assume_role_policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"states.amazonaws.com\"},\"Action\":\"sts:AssumeRole\"}]}",
+        "create_date": "2021-05-01T15:08:15Z",
+        "description": "",
+        "force_detach_policies": false,
+        "id": "terra_ci_runner",
+        "inline_policy": [
+          {
+            "name": "terraform-20210501150825425000000003",
+            "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"codebuild:StartBuild\",\n            \"codebuild:StopBuild\",\n            \"codebuild:BatchGetBuilds\"\n        ],\n        \"Resource\": [\n            \"arn:aws:codebuild:eu-west-1:719261439472:project/terra-ci-runner\"\n        ]\n    },\n    {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"events:PutTargets\",\n            \"events:PutRule\",\n            \"events:DescribeRule\"\n        ],\n        \"Resource\": [\n            \"arn:aws:events:eu-west-1:719261439472:rule/StepFunctionsGetEventForCodeBuildStartBuildRule\"\n        ]\n    }\n  ]\n}\n"
+          }
+        ],
+        "managed_policy_arns": [],
+        "max_session_duration": 3600,
+        "name": "terra_ci_runner",
+        "name_prefix": null,
+        "path": "/",
+        "permissions_boundary": null,
+        "tags": {},
+        "unique_id": "AROA2O52SSXYDBYYTG4OB"
+      }
+    },
+    "aws_iam_role_policy": {
+      "terra_ci_job": {
+        "id": "terra_ci_job:terraform-20210501150816628700000001",
+        "name": "terraform-20210501150816628700000001",
+        "name_prefix": null,
+        "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"sts:AssumeRole\",\n      \"Resource\": \"arn:aws:iam::719261439472:role/ci\"\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"*\"\n      ],\n      \"Action\": [\n        \"logs:CreateLogGroup\",\n        \"logs:CreateLogStream\",\n        \"logs:PutLogEvents\"\n      ]\n    },\n    {\n      \"Effect\": \"Allow\",\n      \"Resource\": [\n        \"arn:aws:s3:::terra-ci-artifacts-eu-west-1-000002\",\n        \"arn:aws:s3:::terra-ci-artifacts-eu-west-1-000002/*\"\n      ],\n      \"Action\": [\n        \"s3:ListBucket\",\n        \"s3:*Object\"\n      ]\n    }\n  ]\n}\n",
+        "role": "terra_ci_job"
+      },
+      "terra_ci_runner": {
+        "id": "terra_ci_runner:terraform-20210501150825425000000003",
+        "name": "terraform-20210501150825425000000003",
+        "name_prefix": null,
+        "policy": "{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"codebuild:StartBuild\",\n            \"codebuild:StopBuild\",\n            \"codebuild:BatchGetBuilds\"\n        ],\n        \"Resource\": [\n            \"arn:aws:codebuild:eu-west-1:719261439472:project/terra-ci-runner\"\n        ]\n    },\n    {\n        \"Effect\": \"Allow\",\n        \"Action\": [\n            \"events:PutTargets\",\n            \"events:PutRule\",\n            \"events:DescribeRule\"\n        ],\n        \"Resource\": [\n            \"arn:aws:events:eu-west-1:719261439472:rule/StepFunctionsGetEventForCodeBuildStartBuildRule\"\n        ]\n    }\n  ]\n}\n",
+        "role": "terra_ci_runner"
+      }
+    },
+    "aws_iam_role_policy_attachment": {
+      "terra_ci_job_ecr_access": {
+        "id": "terra_ci_job-20210501150817089800000002",
+        "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser",
+        "role": "terra_ci_job"
+      }
+    },
+    "aws_s3_bucket": {
+      "terra_ci": {
+        "acceleration_status": "",
+        "acl": "private",
+        "arn": "arn:aws:s3:::terra-ci-artifacts-eu-west-1-000002",
+        "bucket": "terra-ci-artifacts-eu-west-1-000002",
+        "bucket_domain_name": "terra-ci-artifacts-eu-west-1-000002.s3.amazonaws.com",
+        "bucket_prefix": null,
+        "bucket_regional_domain_name": "terra-ci-artifacts-eu-west-1-000002.s3.eu-west-1.amazonaws.com",
+        "cors_rule": [],
+        "force_destroy": false,
+        "grant": [],
+        "hosted_zone_id": "Z1BKCTXD74EZPE",
+        "id": "terra-ci-artifacts-eu-west-1-000002",
+        "lifecycle_rule": [],
+        "logging": [],
+        "object_lock_configuration": [],
+        "policy": null,
+        "region": "eu-west-1",
+        "replication_configuration": [],
+        "request_payer": "BucketOwner",
+        "server_side_encryption_configuration": [
+          {
+            "rule": [
+              {
+                "apply_server_side_encryption_by_default": [
+                  {
+                    "kms_master_key_id": "",
+                    "sse_algorithm": "aws:kms"
+                  }
+                ],
+                "bucket_key_enabled": false
+              }
+            ]
+          }
+        ],
+        "tags": {},
+        "versioning": [
+          {
+            "enabled": false,
+            "mfa_delete": false
+          }
+        ],
+        "website": [],
+        "website_domain": null,
+        "website_endpoint": null
+      }
+    },
+    "aws_sfn_state_machine": {
+      "terra_ci_runner": {
+        "arn": "arn:aws:states:eu-west-1:719261439472:stateMachine:terra-ci-runner",
+        "creation_date": "2021-05-01T15:09:28Z",
+        "definition": "{\n  \"Comment\": \"Run Terragrunt Jobs\",\n  \"StartAt\": \"OnBranch?\",\n  \"States\": {\n    \"OnBranch?\": {\n      \"Type\": \"Choice\",\n      \"Choices\": [\n        {\n          \"Variable\": \"$.build.sourceversion\",\n          \"IsPresent\": true,\n          \"Next\": \"PlanBranch\"\n        }\n      ],\n      \"Default\": \"Plan\"\n    },\n    \"Plan\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_BUILD_NAME\",\n            \"Value.$\": \"$$.Execution.Name\"\n          },\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    },\n    \"PlanBranch\": {\n      \"Type\": \"Task\",\n      \"Resource\": \"arn:aws:states:::codebuild:startBuild.sync\",\n      \"Parameters\": {\n        \"ProjectName\": \"terra-ci-runner\",\n        \"SourceVersion.$\": \"$.build.sourceversion\",\n        \"EnvironmentVariablesOverride\": [\n          {\n            \"Name\": \"TERRA_CI_RESOURCE\",\n            \"Value.$\": \"$.build.environment.terra_ci_resource\"\n          }\n        ]\n      },\n      \"End\": true\n    }\n  }\n}\n",
+        "id": "arn:aws:states:eu-west-1:719261439472:stateMachine:terra-ci-runner",
+        "logging_configuration": [
+          {
+            "include_execution_data": false,
+            "level": "OFF",
+            "log_destination": ""
+          }
+        ],
+        "name": "terra-ci-runner",
+        "role_arn": "arn:aws:iam::719261439472:role/terra_ci_runner",
+        "status": "ACTIVE",
+        "tags": {},
+        "type": "STANDARD"
+      }
+    }
+  },
+  "data": {}
+}

test/fixtures/iac/terraform-plan/expected-parser-results/full-scan/tf-plan-update.resources.json

@@ -0,0 +1,98 @@
+{
+    "resource": {
+      "aws_codebuild_project": {
+        "some_projed": {
+          "arn": "arn:aws:codebuild:eu-west-1:719261439472:project/why-my-project-not-working",
+          "artifacts": [
+            {
+              "artifact_identifier": "",
+              "encryption_disabled": true,
+              "location": "terra-ci-artifacts-eu-west-1-000002",
+              "name": "why-my-project-not-working",
+              "namespace_type": "NONE",
+              "override_artifact_name": true,
+              "packaging": "NONE",
+              "path": "",
+              "type": "S3"
+            }
+          ],
+          "badge_enabled": false,
+          "badge_url": "",
+          "build_timeout": 10,
+          "cache": [
+            {
+              "location": "",
+              "modes": [],
+              "type": "NO_CACHE"
+            }
+          ],
+          "description": "Deploy environment configuration",
+          "encryption_key": "arn:aws:kms:eu-west-1:719261439472:alias/aws/s3",
+          "environment": [
+            {
+              "certificate": "",
+              "compute_type": "BUILD_GENERAL1_SMALL",
+              "environment_variable": [],
+              "image": "aws/codebuild/amazonlinux2-x86_64-standard:2.0",
+              "image_pull_credentials_type": "CODEBUILD",
+              "privileged_mode": false,
+              "registry_credential": [],
+              "type": "LINUX_CONTAINER"
+            }
+          ],
+          "id": "arn:aws:codebuild:eu-west-1:719261439472:project/why-my-project-not-working",
+          "logs_config": [
+            {
+              "cloudwatch_logs": [
+                {
+                  "group_name": "",
+                  "status": "ENABLED",
+                  "stream_name": ""
+                }
+              ],
+              "s3_logs": [
+                {
+                  "encryption_disabled": false,
+                  "location": "",
+                  "status": "DISABLED"
+                }
+              ]
+            }
+          ],
+          "name": "why-my-project-not-working",
+          "queued_timeout": 480,
+          "secondary_artifacts": [],
+          "secondary_sources": [],
+          "service_role": "arn:aws:iam::719261439472:role/terra_ci_job",
+          "source": [
+            {
+              "auth": [],
+              "buildspec": "version: 0.2\nphases:\n  install:\n    commands:\n      - make install_tools\n  build:\n    commands:\n      - make plan_local resource=$TERRA_CI_RESOURCE\nartifacts:\n  files:\n    - ./tfplan\n  name: $TERRA_CI_BUILD_NAME\n",
+              "git_clone_depth": 1,
+              "git_submodules_config": [],
+              "insecure_ssl": false,
+              "location": "https://github.com/p0tr3c-terraform/terra-ci-single-account.git",
+              "report_build_status": false,
+              "type": "GITHUB"
+            }
+          ],
+          "source_version": "",
+          "tags": {},
+          "vpc_config": []
+        }
+      },
+      "aws_iam_user": {
+        "ci": {
+          "arn": "arn:aws:iam::719261439472:user/ci",
+          "force_destroy": false,
+          "id": "ci",
+          "name": "ci",
+          "path": "/",
+          "permissions_boundary": null,
+          "tags": {},
+          "unique_id": "AIDA2O52SSXYORYI4EPXD"
+        }
+      }
+    },
+    "data": {}
+  }

test/fixtures/iac/terraform-plan/tf-plan-create.json

@@ -6,7 +6,10 @@ import {
   IacFileParsed,
 } from '../../../../src/cli/commands/test/iac-local-execution/types';
 import { MissingRequiredFieldsInKubernetesYamlError } from '../../../../src/cli/commands/test/iac-local-execution/parsers/kubernetes-parser';
-import { expectedParsingResultDeltaScan } from './terraform-plan-parser.fixtures';
+import {
+  getExpectedResult,
+  PlanOutputCase,
+} from './terraform-plan-parser.fixtures';
 
 const kubernetesYamlFileContent = `
 apiVersion: v1
@@ -163,12 +166,15 @@ resource "aws_security_group" "allow_ssh" {
 }`;
 
 const terraformPlanFileContent = fs.readFileSync(
-  path.resolve(__dirname, '../../../fixtures/iac/terraform-plan/tf-plan.json'),
+  path.resolve(
+    __dirname,
+    '../../../fixtures/iac/terraform-plan/tf-plan-create.json',
+  ),
 );
 
 const terraformPlanJson = JSON.parse(terraformPlanFileContent.toString());
 const terraformPlanMissingFieldsJson = { ...terraformPlanJson };
-delete terraformPlanMissingFieldsJson.planned_values;
+delete terraformPlanMissingFieldsJson.resource_changes;
 const terraformPlanMissingFieldsFileContent = JSON.stringify(
   terraformPlanMissingFieldsJson,
 );
@@ -216,7 +222,7 @@ export const expectedTerraformParsingResult: IacFileParsed = {
 export const expectedTerraformJsonParsingResult: IacFileParsed = {
   ...terraformPlanDataStub,
   engineType: EngineType.Terraform,
-  jsonContent: expectedParsingResultDeltaScan,
+  jsonContent: getExpectedResult(false, PlanOutputCase.Create),
 };
 
 const invalidTerraformFileContent = `

test/fixtures/iac/terraform-plan/tf-plan-destroy.json

@@ -1,130 +1,62 @@
 /* eslint-disable @typescript-eslint/camelcase */
 import * as fs from 'fs';
 import * as path from 'path';
-import {
-  IacFileData,
-  TerraformPlanJson,
-  TerraformScanInput,
-} from '../../../../src/cli/commands/test/iac-local-execution/types';
-
-const tfPlanFixture = fs.readFileSync(
-  path.resolve(__dirname, '../../../fixtures/iac/terraform-plan/tf-plan.json'),
-);
-
-export const iacFileData: IacFileData = {
-  fileContent: tfPlanFixture.toString(),
-  filePath: 'dont-care',
-  fileType: 'json',
-};
-
-export const terraformPlanJson: TerraformPlanJson = JSON.parse(
-  iacFileData.fileContent,
-);
-
-const resource = {
-  ingress: {
-    cidr_blocks: ['0.0.0.0/0'],
-    description: null,
-    from_port: 0,
-    ipv6_cidr_blocks: null,
-    prefix_list_ids: null,
-    protocol: 'tcp',
-    self: false,
-    to_port: 65535,
-    type: 'ingress',
-  },
-};
-export const expectedParsingResultFullScan: TerraformScanInput = {
-  resource: {
-    aws_security_group: {
-      terra_ci_allow_outband: resource,
-      CHILD_MODULE_terra_ci_allow_outband_0: resource,
-    },
-  },
-  data: {},
-};
-
-export const expectedParsingResultDeltaScan: TerraformScanInput = {
-  resource: {
-    aws_security_group: {
-      some_updated_resource: resource,
-      some_created_resource: resource,
-    },
-    // "delete" | "create"
-    aws_iam_user_group_membership: {
-      some_delete_create_resource: {
-        groups: ['organization-administrators'],
-        user: 'p0tr3c',
-      },
-    },
-    // "create" | "delete"
-    aws_instance: {
-      some_create_delete_resource: {
-        ami: 'ami-0831162e2eb204b16',
-        associate_public_ip_address: true,
-        credit_specification: [],
-        disable_api_termination: null,
-        ebs_optimized: null,
-        get_password_data: false,
-        hibernation: null,
-        iam_instance_profile: null,
-        instance_initiated_shutdown_behavior: null,
-        instance_type: 't3.micro',
-        key_name: 'terra-ci',
-        monitoring: null,
-        source_dest_check: true,
-        subnet_id: 'subnet-050411f3bb5f9dbe4',
-        tags: null,
-        timeouts: null,
-        user_data: null,
-        user_data_base64: null,
-        volume_tags: null,
-        vpc_security_group_ids: ['sg-0455cfe38c670b7b3'],
-      },
-    },
-  },
-  data: {},
-};
-
-const withoutChildModules = (JSON.parse(
-  tfPlanFixture.toString(),
-) as unknown) as TerraformPlanJson;
-delete withoutChildModules.planned_values.root_module.child_modules;
-export const iacFileDataNoChildModules: IacFileData = {
-  fileContent: JSON.stringify(withoutChildModules),
-  filePath: 'dont-care',
-  fileType: 'json',
-};
-
-export const terraformPlanNoChildModulesJson = JSON.parse(
-  iacFileDataNoChildModules.fileContent,
-);
-
-export const expectedParsingResultWithoutChildModules: TerraformScanInput = {
-  resource: {
-    aws_security_group: {
-      terra_ci_allow_outband: resource,
-    },
-  },
-  data: {},
-};
-
-const planWithoutRootModule = (JSON.parse(
-  tfPlanFixture.toString(),
-) as unknown) as TerraformPlanJson;
-delete planWithoutRootModule.planned_values;
-export const iacFileDataWithoutRootModule: IacFileData = {
-  fileContent: JSON.stringify(planWithoutRootModule),
-  filePath: 'dont-care',
-  fileType: 'json',
-};
-
-const planWithoutResourceChanges = (JSON.parse(
-  tfPlanFixture.toString(),
-) as unknown) as TerraformPlanJson;
-delete planWithoutResourceChanges.resource_changes;
-export const iacFileDataWithoutResourceChanges: IacFileData = {
-  fileContent: JSON.stringify(planWithoutResourceChanges),
-  filePath: 'dont-care',
-  fileType: 'json',
-};
+import { IacFileData } from '../../../../src/cli/commands/test/iac-local-execution/types';
+
+export enum PlanOutputCase {
+  Create = 'tf-plan-create', // plan with create actions
+  Destroy = 'tf-plan-destroy', // plan with destroy actions
+  NoOp = 'tf-plan-no-op', // plan with no-op actions
+  Update = 'tf-plan-update', // plan with updates actions
+}
+
+export function getTfPlanData(planOutputCase: PlanOutputCase) {
+  const tfPlanFile = fs.readFileSync(
+    path.resolve(
+      __dirname,
+      `../../../fixtures/iac/terraform-plan/${planOutputCase}.json`,
+    ),
+  );
+
+  const iacFileData: IacFileData = {
+    fileContent: tfPlanFile.toString(),
+    filePath: 'dont-care',
+    fileType: 'json',
+  };
+
+  return iacFileData;
+}
+
+export function getExpectedResult(
+  isFullScan: boolean,
+  planOutputCase: PlanOutputCase,
+) {
+  const tfPlanExpectedResources = JSON.parse(
+    fs
+      .readFileSync(
+        path.resolve(
+          __dirname,
+          `../../../fixtures/iac/terraform-plan/expected-parser-results/${
+            isFullScan ? 'full-scan' : 'delta-scan'
+          }/${planOutputCase}.resources.json`,
+        ),
+      )
+      .toString(),
+  );
+
+  return tfPlanExpectedResources;
+}
+
+// For regression testing
+type ScanModeTestCase = [{ isFullScan: boolean }];
+type PlanOutputTestCase = [PlanOutputCase];
+export const scanModeCases: ScanModeTestCase[] = [
+  [{ isFullScan: false }],
+  [{ isFullScan: true }],
+];
+export const planOutputCases: PlanOutputTestCase[] = [
+  [PlanOutputCase.Create],
+  [PlanOutputCase.Destroy],
+  [PlanOutputCase.NoOp],
+  [PlanOutputCase.Update],
+];

test/fixtures/iac/terraform-plan/tf-plan-no-op.json

@@ -1,58 +1,60 @@
 import { tryParsingTerraformPlan } from '../../../../src/cli/commands/test/iac-local-execution/parsers/terraform-plan-parser';
 import {
-  iacFileData,
-  terraformPlanJson,
-  iacFileDataNoChildModules,
-  expectedParsingResultFullScan,
-  expectedParsingResultDeltaScan,
-  expectedParsingResultWithoutChildModules,
-  terraformPlanNoChildModulesJson,
+  getExpectedResult,
+  getTfPlanData,
+  scanModeCases,
+  planOutputCases,
 } from './terraform-plan-parser.fixtures';
-import { EngineType } from '../../../../src/cli/commands/test/iac-local-execution/types';
+import {
+  EngineType,
+  TerraformPlanJson,
+} from '../../../../src/cli/commands/test/iac-local-execution/types';
 
 describe('tryParsingTerraformPlan', () => {
-  describe('full scan', () => {
-    it('returns the expected resources', () => {
-      const parsedTerraformPlan = tryParsingTerraformPlan(
-        iacFileData,
-        terraformPlanJson,
-        { isFullScan: true },
-      );
-      expect(parsedTerraformPlan[0]).toEqual({
-        ...iacFileData,
-        engineType: EngineType.Terraform,
-        jsonContent: expectedParsingResultFullScan,
-      });
-    });
+  /* 
+    This are regression tests that iterate on major real terraform plan outputs.
+    Used Plan cases are:
+    1. Plan which creates new resources
+    2. Plan which deletes resources
+    3. Plan which doesn't do anything
+    4. Plan which updates resources
+    These tests validate that the correct resources are being extracted, based on the give scan mode (Full/Delta).
+    These tests do not cover scanning for finding vulnerabilites, but only for the resource extraction logic.
+  **/
+  describe('Parsing regression testing', () => {
+    describe.each(scanModeCases)('if: %p', (scanOptions) => {
+      test.each(planOutputCases)(
+        'for %p, it extracts the expected resources',
+        (planOutputType) => {
+          // Arrange
+          const iacFileData = getTfPlanData(planOutputType);
+          const expectedResources = getExpectedResult(
+            scanOptions.isFullScan,
+            planOutputType,
+          );
+          const terraformPlanJson: TerraformPlanJson = JSON.parse(
+            iacFileData.fileContent,
+          );
 
-    it('does not fail if no child-modules are present', () => {
-      const parsedTerraformPlan = tryParsingTerraformPlan(
-        iacFileDataNoChildModules,
-        terraformPlanNoChildModulesJson,
-        { isFullScan: true },
-      );
-      expect(parsedTerraformPlan[0]).toEqual({
-        ...iacFileDataNoChildModules,
-        engineType: EngineType.Terraform,
-        jsonContent: expectedParsingResultWithoutChildModules,
-      });
-    });
-  });
+          // Act
+          const parsedTerraformPlan = tryParsingTerraformPlan(
+            iacFileData,
+            terraformPlanJson,
+            scanOptions,
+          );
 
-  describe('default delta scan', () => {
-    it('returns the expected resources', () => {
-      const parsedTerraformPlan = tryParsingTerraformPlan(
-        iacFileData,
-        terraformPlanJson,
+          console.debug(
+            `scanOptions.isFullScan: ${scanOptions.isFullScan} && planOutputType: ${planOutputType}`,
+          );
+
+          // Assert
+          expect(parsedTerraformPlan[0]).toEqual({
+            ...iacFileData,
+            engineType: EngineType.Terraform,
+            jsonContent: expectedResources,
+          });
+        },
       );
-      expect(parsedTerraformPlan[0]).toEqual({
-        ...iacFileData,
-        engineType: EngineType.Terraform,
-        jsonContent: expectedParsingResultDeltaScan,
-      });
     });
   });
-
-  // TODO: add test for extracting a resource from a data input source
-  // deferred as it required to re-generate a new wasm fixture with a rule that applies to a data-source
 });

test/fixtures/iac/terraform-plan/tf-plan-update.json

@@ -223,55 +223,55 @@ Describe "Snyk iac test --experimental command"
     # Note that this now defaults to the delta scan, not the full scan.
     # in the future a flag will be added to control this functionality.
     It "finds issues in a Terraform plan file"
-      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan.json --experimental
+      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental
       The status should equal 1 # issues found
-      The output should include "Testing tf-plan.json"
+      The output should include "tf-plan-create.json"
 
       # Outputs issues
       The output should include "Infrastructure as code issues:"
       # Root module
       The output should include "✗ "
       The output should include "  introduced by"
 
-      The output should include "tf-plan.json for known issues, found"
+      The output should include "tf-plan-create.json for known issues, found"
     End
 
     It "finds issues in a Terraform plan file - full scan flag"
-      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan.json --experimental --scan=planned-values
+      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental --scan=planned-values
       The status should equal 1 # issues found
-      The output should include "Testing tf-plan.json"
+      The output should include "Testing tf-plan-create.json"
 
       # Outputs issues
       The output should include "Infrastructure as code issues:"
       # Root module
       The output should include "✗ "
       The output should include "  introduced by"
 
-      The output should include "tf-plan.json for known issues, found"
+      The output should include "tf-plan-create.json for known issues, found"
     End
 
     It "finds issues in a Terraform plan file - explicit delta scan with flag"
-      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan.json --experimental --scan=resource-changes
+      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json --experimental --scan=resource-changes
       The status should equal 1 # issues found
-      The output should include "Testing tf-plan.json"
+      The output should include "Testing tf-plan-create.json"
 
       # Outputs issues
       The output should include "Infrastructure as code issues:"
       # Root module
       The output should include "✗ "
       The output should include "  introduced by"
 
-      The output should include "tf-plan.json for known issues, found"
+      The output should include "tf-plan-create.json for known issues, found"
     End
 
     It "errors when a wrong value is passed to the --scan flag"
-      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan.json --experimental --scan=rsrc-changes
+      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --experimental --scan=rsrc-changes
       The status should equal 2 # failure
       The output should include "Unsupported value"
     End
 
     It "errors when no value is provided to the --scan flag"
-      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan.json --experimental --scan
+      When run snyk iac test ../fixtures/iac/terraform-plan/tf-plan-create.json.json --experimental --scan
       The status should equal 2 # failure
       The output should include "Unsupported value"
     End