Database: validate AWS Account ID (#19638)

When the AWS Account ID is provided, we must check that it is a valid
one.

AWS Account ID is a well documented field: 12-digit string

This check is meant to prevent typos when creating Databases mainly from
the Web UI in the context of Teleport Discover.
Marco André Dinis 2022-12-28 12:42:39 +00:00 committed by GitHub
parent 8fe2a74d02
commit 6286488be3
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 375 additions and 197 deletions


@ -627,6 +627,13 @@ func (d *DatabaseV3) CheckAndSetDefaults() error {
}
}
// Validate AWS Specific configuration
if d.Spec.AWS.AccountID != "" {
if err := awsutils.IsValidAccountID(d.Spec.AWS.AccountID); err != nil {
return trace.BadParameter("invalid AWS Account ID: %v", err)
}
}
// Validate Cloud SQL specific configuration.
switch {
case d.Spec.GCP.ProjectID != "" && d.Spec.GCP.InstanceID == "":
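Review bot: The new AccountID check in CheckAndSetDefaults applies to whatever value is in `d.Spec.AWS.AccountID` at this point, and nothing in the hunk says how a resource that was accepted before this change with a shorter ID is treated. If this method also runs when existing resources are loaded (not visible here; the function starts and ends outside the hunk), such a resource would begin failing with BadParameter after an upgrade, so that path is worth confirming and stating in the comment, e.g. `// Rejects any AccountID that is not 12 digits, including values already stored or derived from the URI.` The error would also be easier to act on if it quoted the rejected value: `return trace.BadParameter("invalid AWS Account ID %q: %v", d.Spec.AWS.AccountID, err)`.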


@ -19,25 +19,83 @@ package types
import (
"testing"
"github.com/gravitational/trace"
"github.com/stretchr/testify/require"
)
// TestDatabaseRDSEndpoint verifies AWS info is correctly populated
// based on the RDS endpoint.
func TestDatabaseRDSEndpoint(t *testing.T) {
database, err := NewDatabaseV3(Metadata{
Name: "rds",
}, DatabaseSpecV3{
Protocol: "postgres",
URI: "aurora-instance-1.abcdefghijklmnop.us-west-1.rds.amazonaws.com:5432",
})
require.NoError(t, err)
require.Equal(t, AWS{
Region: "us-west-1",
RDS: RDS{
InstanceID: "aurora-instance-1",
isBadParamErrFn := func(tt require.TestingT, err error, i ...interface{}) {
require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
}
for _, tt := range []struct {
name string
spec DatabaseSpecV3
errorCheck require.ErrorAssertionFunc
expectedAWS AWS
}{
{
name: "aurora instance",
spec: DatabaseSpecV3{
Protocol: "postgres",
URI: "aurora-instance-1.abcdefghijklmnop.us-west-1.rds.amazonaws.com:5432",
},
errorCheck: require.NoError,
expectedAWS: AWS{
Region: "us-west-1",
RDS: RDS{
InstanceID: "aurora-instance-1",
},
},
},
}, database.GetAWS())
{
name: "invalid account id",
spec: DatabaseSpecV3{
Protocol: "postgres",
URI: "marcotest-db001.abcdefghijklmnop.us-east-1.rds.amazonaws.com:5432",
AWS: AWS{
AccountID: "invalid",
},
},
errorCheck: isBadParamErrFn,
},
{
name: "valid account id",
spec: DatabaseSpecV3{
Protocol: "postgres",
URI: "marcotest-db001.abcdefghijklmnop.us-east-1.rds.amazonaws.com:5432",
AWS: AWS{
AccountID: "123456789012",
},
},
errorCheck: require.NoError,
expectedAWS: AWS{
Region: "us-east-1",
RDS: RDS{
InstanceID: "marcotest-db001",
},
AccountID: "123456789012",
},
},
} {
tt := tt
t.Run(tt.name, func(t *testing.T) {
database, err := NewDatabaseV3(
Metadata{
Name: "rds",
},
tt.spec,
)
tt.errorCheck(t, err)
if err != nil {
return
}
require.Equal(t, tt.expectedAWS, database.GetAWS())
})
}
}
// TestDatabaseRDSProxyEndpoint verifies AWS info is correctly populated based
@ -354,7 +412,7 @@ func TestCassandraAWSEndpoint(t *testing.T) {
Protocol: "cassandra",
AWS: AWS{
Region: "us-west-1",
AccountID: "12345",
AccountID: "123456789012",
},
})
require.NoError(t, err)
@ -368,7 +426,7 @@ func TestCassandraAWSEndpoint(t *testing.T) {
Protocol: "cassandra",
URI: "cassandra.us-west-1.amazonaws.com:9142",
AWS: AWS{
AccountID: "12345",
AccountID: "123456789012",
},
})
require.NoError(t, err)
@ -383,7 +441,7 @@ func TestCassandraAWSEndpoint(t *testing.T) {
Protocol: "cassandra",
URI: "cassandra-fips.us-west-2.amazonaws.com:9142",
AWS: AWS{
AccountID: "12345",
AccountID: "123456789012",
},
})
require.NoError(t, err)
@ -413,11 +471,11 @@ func TestDatabaseFromRedshiftServerlessEndpoint(t *testing.T) {
Name: "test",
}, DatabaseSpecV3{
Protocol: "postgres",
URI: "my-workgroup.1234567890.us-east-1.redshift-serverless.amazonaws.com:5439",
URI: "my-workgroup.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439",
})
require.NoError(t, err)
require.Equal(t, AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RedshiftServerless: RedshiftServerless{
WorkgroupName: "my-workgroup",
@ -430,7 +488,7 @@ func TestDatabaseFromRedshiftServerlessEndpoint(t *testing.T) {
Name: "test",
}, DatabaseSpecV3{
Protocol: "postgres",
URI: "my-vpc-endpoint-xxxyyyzzz.1234567890.us-east-1.redshift-serverless.amazonaws.com:5439",
URI: "my-vpc-endpoint-xxxyyyzzz.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439",
AWS: AWS{
RedshiftServerless: RedshiftServerless{
WorkgroupName: "my-workgroup",
@ -439,7 +497,7 @@ func TestDatabaseFromRedshiftServerlessEndpoint(t *testing.T) {
})
require.NoError(t, err)
require.Equal(t, AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RedshiftServerless: RedshiftServerless{
WorkgroupName: "my-workgroup",
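Review bot: The rewritten TestDatabaseRDSEndpoint table covers an invalid AccountID only when it is set explicitly in the spec; no case covers an ID taken from the endpoint URI. The Redshift Serverless fixtures in this file were lengthened from `1234567890` to `123456789012` and still expect `require.NoError`, which suggests (not confirmed from these hunks) that URI-derived IDs now pass through the same validation. A negative case would pin that behaviour, for example a spec with `URI: "my-workgroup.1234567890.us-east-1.redshift-serverless.amazonaws.com:5439"` whose error is asserted with `trace.IsBadParameter`.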


@ -465,21 +465,21 @@ func TestRedshiftServerlessEndpoint(t *testing.T) {
}{
{
name: "workgroup endpoint",
endpoint: "my-workgroup.1234567890.us-east-1.redshift-serverless.amazonaws.com:5439",
endpoint: "my-workgroup.123456789012.us-east-1.redshift-serverless.amazonaws.com:5439",
expectIsRedshiftServerlessEndpoint: true,
expectDetails: &RedshiftServerlessEndpointDetails{
WorkgroupName: "my-workgroup",
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
},
},
{
name: "vpc endpoint",
endpoint: "my-vpc-endpoint-xxxyyyzzz.1234567890.us-east-1.redshift-serverless.amazonaws.com",
endpoint: "my-vpc-endpoint-xxxyyyzzz.123456789012.us-east-1.redshift-serverless.amazonaws.com",
expectIsRedshiftServerlessEndpoint: true,
expectDetails: &RedshiftServerlessEndpointDetails{
EndpointName: "my-vpc",
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
},
},


@ -0,0 +1,37 @@
/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package aws
import (
"github.com/gravitational/trace"
)
// IsValidAccountID checks whether the accountID is a valid AWS Account ID
//
// https://docs.aws.amazon.com/accounts/latest/reference/manage-acct-identifiers.html
func IsValidAccountID(accountID string) error {
if len(accountID) != 12 {
return trace.BadParameter("must be 12-digit")
}
for _, d := range accountID {
if d < '0' || d > '9' {
return trace.BadParameter("must be 12-digit")
}
}
return nil
}
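Review bot: IsValidAccountID reads like a boolean predicate but returns an error, and its doc comment does not state what is returned. A name such as `ValidateAccountID` or `CheckAccountID` would match the contract; if the name stays, the comment should spell it out, e.g. `// IsValidAccountID returns a BadParameter error unless accountID is exactly 12 ASCII digits.` A short why-comment on the length check would also help, `// len counts bytes, so with the ASCII range check below multi-byte digits cannot pass`, since that pairing is what keeps non-ASCII digits out.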


@ -0,0 +1,76 @@
/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package aws
import (
"testing"
"github.com/gravitational/trace"
"github.com/stretchr/testify/require"
)
func TestIsValidAccountID(t *testing.T) {
isBadParamErrFn := func(tt require.TestingT, err error, i ...interface{}) {
require.True(tt, trace.IsBadParameter(err), "expected bad parameter, got %v", err)
}
for _, tt := range []struct {
name string
accountID string
errCheck require.ErrorAssertionFunc
}{
{
name: "valid account id",
accountID: "123456789012",
errCheck: require.NoError,
},
{
name: "empty",
accountID: "",
errCheck: isBadParamErrFn,
},
{
name: "less digits",
accountID: "12345678901",
errCheck: isBadParamErrFn,
},
{
name: "more digits",
accountID: "1234567890123",
errCheck: isBadParamErrFn,
},
{
name: "invalid chars",
accountID: "12345678901A",
errCheck: isBadParamErrFn,
},
{
name: "invalid chars with emojis",
accountID: "12345678901✅",
errCheck: isBadParamErrFn,
},
{
name: "unicode digit is invalid",
accountID: "123456789৩", // ৩ is a valid unicode digit and its len("৩") is 3
errCheck: isBadParamErrFn,
},
} {
t.Run(tt.name, func(t *testing.T) {
tt.errCheck(t, IsValidAccountID(tt.accountID))
})
}
}
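Review bot: The table in TestIsValidAccountID has no case for the inputs most likely to arrive by copy and paste, namely an ID with separators or with surrounding whitespace. The validator rejects both through its length or character check, but pinning that decision in the table keeps a later leniency change from going unnoticed; for example `{name: "hyphenated", accountID: "1234-5678-9012", errCheck: isBadParamErrFn},` and `{name: "trailing space", accountID: "12345678901 ", errCheck: isBadParamErrFn},`. The loop also omits the `tt := tt` copy; that is harmless while the subtests are not parallel, but adding it follows the usual table-test pattern.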


@ -40,37 +40,37 @@ func TestGetIdentity(t *testing.T) {
}{
{
description: "role identity",
inARN: "arn:aws:iam::1234567890:role/custom/path/EC2ReadOnly",
inARN: "arn:aws:iam::123456789012:role/custom/path/EC2ReadOnly",
outIdentity: Role{},
outName: "EC2ReadOnly",
outAccountID: "1234567890",
outAccountID: "123456789012",
outPartition: "aws",
outType: "role",
},
{
description: "assumed role identity",
inARN: "arn:aws:sts::1234567890:assumed-role/DatabaseAccess/i-1234567890",
inARN: "arn:aws:sts::123456789012:assumed-role/DatabaseAccess/i-1234567890",
outIdentity: Role{},
outName: "DatabaseAccess",
outAccountID: "1234567890",
outAccountID: "123456789012",
outPartition: "aws",
outType: "assumed-role",
},
{
description: "user identity",
inARN: "arn:aws-us-gov:iam::1234567890:user/custom/path/alice",
inARN: "arn:aws-us-gov:iam::123456789012:user/custom/path/alice",
outIdentity: User{},
outName: "alice",
outAccountID: "1234567890",
outAccountID: "123456789012",
outPartition: "aws-us-gov",
outType: "user",
},
{
description: "unsupported identity",
inARN: "arn:aws:iam::1234567890:group/readers",
inARN: "arn:aws:iam::123456789012:group/readers",
outIdentity: Unknown{},
outName: "readers",
outAccountID: "1234567890",
outAccountID: "123456789012",
outPartition: "aws",
outType: "group",
},


@ -91,7 +91,7 @@ func RedshiftServerlessWorkgroup(name, region string) *redshiftserverless.Workgr
}},
CreationDate: aws.Time(sampleTime),
Endpoint: &redshiftserverless.Endpoint{
Address: aws.String(fmt.Sprintf("%v.1234567890.%v.redshift-serverless.amazonaws.com", name, region)),
Address: aws.String(fmt.Sprintf("%v.123456789012.%v.redshift-serverless.amazonaws.com", name, region)),
Port: aws.Int64(5439),
VpcEndpoints: []*redshiftserverless.VpcEndpoint{{
VpcEndpointId: aws.String("vpc-endpoint-id"),
@ -101,7 +101,7 @@ func RedshiftServerlessWorkgroup(name, region string) *redshiftserverless.Workgr
NamespaceName: aws.String("my-namespace"),
PubliclyAccessible: aws.Bool(true),
Status: aws.String("AVAILABLE"),
WorkgroupArn: aws.String(fmt.Sprintf("arn:aws:redshift-serverless:%v:1234567890:workgroup/some-uuid-for-%v", region, name)),
WorkgroupArn: aws.String(fmt.Sprintf("arn:aws:redshift-serverless:%v:123456789012:workgroup/some-uuid-for-%v", region, name)),
WorkgroupId: aws.String(fmt.Sprintf("some-uuid-for-%v", name)),
WorkgroupName: aws.String(name),
}
@ -110,8 +110,8 @@ func RedshiftServerlessWorkgroup(name, region string) *redshiftserverless.Workgr
// RedshiftServerlessEndpointAccess returns a sample redshiftserverless.EndpointAccess.
func RedshiftServerlessEndpointAccess(workgroup *redshiftserverless.Workgroup, name, region string) *redshiftserverless.EndpointAccess {
return &redshiftserverless.EndpointAccess{
Address: aws.String(fmt.Sprintf("%s-endpoint-xxxyyyzzz.1234567890.%s.redshift-serverless.amazonaws.com", name, region)),
EndpointArn: aws.String(fmt.Sprintf("arn:aws:redshift-serverless:%s:1234567890:managedvpcendpoint/some-uuid-for-%v", region, name)),
Address: aws.String(fmt.Sprintf("%s-endpoint-xxxyyyzzz.123456789012.%s.redshift-serverless.amazonaws.com", name, region)),
EndpointArn: aws.String(fmt.Sprintf("arn:aws:redshift-serverless:%s:123456789012:managedvpcendpoint/some-uuid-for-%v", region, name)),
EndpointCreateTime: aws.Time(sampleTime),
EndpointName: aws.String(name),
EndpointStatus: aws.String("AVAILABLE"),


@ -42,13 +42,13 @@ import (
)
func TestAWSIAMDocuments(t *testing.T) {
userTarget, err := awslib.IdentityFromArn("arn:aws:iam::1234567:user/example-user")
userTarget, err := awslib.IdentityFromArn("arn:aws:iam::123456789012:user/example-user")
require.NoError(t, err)
roleTarget, err := awslib.IdentityFromArn("arn:aws:iam::1234567:role/example-role")
roleTarget, err := awslib.IdentityFromArn("arn:aws:iam::123456789012:role/example-role")
require.NoError(t, err)
unknownIdentity, err := awslib.IdentityFromArn("arn:aws:iam::1234567:ec2/example-ec2")
unknownIdentity, err := awslib.IdentityFromArn("arn:aws:iam::123456789012:ec2/example-ec2")
require.NoError(t, err)
tests := map[string]struct {
@ -257,7 +257,7 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
},
Resources: []string{"arn:aws:secretsmanager:*:1234567:secret:teleport/*"},
Resources: []string{"arn:aws:secretsmanager:*:123456789012:secret:teleport/*"},
},
},
boundaryStatements: []*awslib.Statement{
@ -277,7 +277,7 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
},
Resources: []string{"arn:aws:secretsmanager:*:1234567:secret:teleport/*"},
Resources: []string{"arn:aws:secretsmanager:*:123456789012:secret:teleport/*"},
},
},
},
@ -321,15 +321,15 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:TagResource",
},
Resources: []string{
"arn:aws:secretsmanager:*:1234567:secret:teleport/*",
"arn:aws:secretsmanager:*:1234567:secret:my-prefix/*",
"arn:aws:secretsmanager:*:123456789012:secret:teleport/*",
"arn:aws:secretsmanager:*:123456789012:secret:my-prefix/*",
},
},
{
Effect: "Allow",
Actions: []string{"kms:GenerateDataKey", "kms:Decrypt"},
Resources: []string{
"arn:aws:kms:*:1234567:key/my-kms-id",
"arn:aws:kms:*:123456789012:key/my-kms-id",
},
},
},
@ -351,15 +351,15 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:TagResource",
},
Resources: []string{
"arn:aws:secretsmanager:*:1234567:secret:teleport/*",
"arn:aws:secretsmanager:*:1234567:secret:my-prefix/*",
"arn:aws:secretsmanager:*:123456789012:secret:teleport/*",
"arn:aws:secretsmanager:*:123456789012:secret:my-prefix/*",
},
},
{
Effect: "Allow",
Actions: []string{"kms:GenerateDataKey", "kms:Decrypt"},
Resources: []string{
"arn:aws:kms:*:1234567:key/my-kms-id",
"arn:aws:kms:*:123456789012:key/my-kms-id",
},
},
},
@ -389,7 +389,7 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
},
Resources: []string{"arn:aws:secretsmanager:*:1234567:secret:teleport/*"},
Resources: []string{"arn:aws:secretsmanager:*:123456789012:secret:teleport/*"},
},
},
boundaryStatements: []*awslib.Statement{
@ -408,7 +408,7 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
"secretsmanager:TagResource",
},
Resources: []string{"arn:aws:secretsmanager:*:1234567:secret:teleport/*"},
Resources: []string{"arn:aws:secretsmanager:*:123456789012:secret:teleport/*"},
},
},
},
@ -451,15 +451,15 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:TagResource",
},
Resources: []string{
"arn:aws:secretsmanager:*:1234567:secret:teleport/*",
"arn:aws:secretsmanager:*:1234567:secret:my-prefix/*",
"arn:aws:secretsmanager:*:123456789012:secret:teleport/*",
"arn:aws:secretsmanager:*:123456789012:secret:my-prefix/*",
},
},
{
Effect: "Allow",
Actions: []string{"kms:GenerateDataKey", "kms:Decrypt"},
Resources: []string{
"arn:aws:kms:*:1234567:key/my-kms-id",
"arn:aws:kms:*:123456789012:key/my-kms-id",
},
},
},
@ -480,15 +480,15 @@ func TestAWSIAMDocuments(t *testing.T) {
"secretsmanager:TagResource",
},
Resources: []string{
"arn:aws:secretsmanager:*:1234567:secret:teleport/*",
"arn:aws:secretsmanager:*:1234567:secret:my-prefix/*",
"arn:aws:secretsmanager:*:123456789012:secret:teleport/*",
"arn:aws:secretsmanager:*:123456789012:secret:my-prefix/*",
},
},
{
Effect: "Allow",
Actions: []string{"kms:GenerateDataKey", "kms:Decrypt"},
Resources: []string{
"arn:aws:kms:*:1234567:key/my-kms-id",
"arn:aws:kms:*:123456789012:key/my-kms-id",
},
},
},
@ -842,26 +842,26 @@ func TestAWSPoliciesTarget(t *testing.T) {
targetPartitionID: "aws",
},
"UserARNFromFlags": {
flags: configurators.BootstrapFlags{AttachToUser: "arn:aws:iam::123456:user/example-user"},
flags: configurators.BootstrapFlags{AttachToUser: "arn:aws:iam::123456789012:user/example-user"},
targetType: awslib.User{},
targetName: "example-user",
targetAccountID: "123456",
targetAccountID: "123456789012",
targetPartitionID: "aws",
},
"RoleNameFromFlags": {
flags: configurators.BootstrapFlags{AttachToRole: "example-role"},
accountID: "123456",
accountID: "123456789012",
partitionID: "aws",
targetType: awslib.Role{},
targetName: "example-role",
targetAccountID: "123456",
targetAccountID: "123456789012",
targetPartitionID: "aws",
},
"RoleARNFromFlags": {
flags: configurators.BootstrapFlags{AttachToRole: "arn:aws:iam::123456:role/example-role"},
flags: configurators.BootstrapFlags{AttachToRole: "arn:aws:iam::123456789012:role/example-role"},
targetType: awslib.Role{},
targetName: "example-role",
targetAccountID: "123456",
targetAccountID: "123456789012",
targetPartitionID: "aws",
},
"UserFromIdentity": {


@ -799,7 +799,7 @@ func MetadataFromRDSProxy(rdsProxy *rds.DBProxy) (*types.AWS, error) {
// rds.DBProxy has no resource ID attribute. The resource ID can be found
// in the ARN, e.g.:
//
// arn:aws:rds:ca-central-1:1234567890:db-proxy:prx-xxxyyyzzz
// arn:aws:rds:ca-central-1:123456789012:db-proxy:prx-xxxyyyzzz
//
// In this example, the arn.Resource is "db-proxy:prx-xxxyyyzzz", where the
// resource type is "db-proxy" and the resource ID is "prx-xxxyyyzzz".


@ -204,7 +204,7 @@ func TestValidateDatabase(t *testing.T) {
Protocol: defaults.ProtocolCassandra,
AWS: types.AWS{
Region: "us-east-1",
AccountID: "1234567890",
AccountID: "123456789012",
},
},
expectError: false,
@ -421,7 +421,7 @@ func TestDatabaseFromAzureRedisEnterprise(t *testing.T) {
// TestDatabaseFromRDSInstance tests converting an RDS instance to a database resource.
func TestDatabaseFromRDSInstance(t *testing.T) {
instance := &rds.DBInstance{
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:1234567890:db:instance-1"),
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:123456789012:db:instance-1"),
DBInstanceIdentifier: aws.String("instance-1"),
DBClusterIdentifier: aws.String("cluster-1"),
DbiResourceId: aws.String("resource-1"),
@ -442,7 +442,7 @@ func TestDatabaseFromRDSInstance(t *testing.T) {
Description: "RDS instance in us-west-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-west-1",
labelEngine: RDSEnginePostgres,
labelEngineVersion: "13.0",
@ -453,7 +453,7 @@ func TestDatabaseFromRDSInstance(t *testing.T) {
Protocol: defaults.ProtocolPostgres,
URI: "localhost:5432",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-west-1",
RDS: types.RDS{
InstanceID: "instance-1",
@ -472,7 +472,7 @@ func TestDatabaseFromRDSInstance(t *testing.T) {
// TestDatabaseFromRDSInstance tests converting an RDS instance to a database resource.
func TestDatabaseFromRDSInstanceNameOverride(t *testing.T) {
instance := &rds.DBInstance{
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:1234567890:db:instance-1"),
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:123456789012:db:instance-1"),
DBInstanceIdentifier: aws.String("instance-1"),
DBClusterIdentifier: aws.String("cluster-1"),
DbiResourceId: aws.String("resource-1"),
@ -493,7 +493,7 @@ func TestDatabaseFromRDSInstanceNameOverride(t *testing.T) {
Description: "RDS instance in us-west-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-west-1",
labelEngine: RDSEnginePostgres,
labelEngineVersion: "13.0",
@ -505,7 +505,7 @@ func TestDatabaseFromRDSInstanceNameOverride(t *testing.T) {
Protocol: defaults.ProtocolPostgres,
URI: "localhost:5432",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-west-1",
RDS: types.RDS{
InstanceID: "instance-1",
@ -524,7 +524,7 @@ func TestDatabaseFromRDSInstanceNameOverride(t *testing.T) {
// TestDatabaseFromRDSCluster tests converting an RDS cluster to a database resource.
func TestDatabaseFromRDSCluster(t *testing.T) {
cluster := &rds.DBCluster{
DBClusterArn: aws.String("arn:aws:rds:us-east-1:1234567890:cluster:cluster-1"),
DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:cluster:cluster-1"),
DBClusterIdentifier: aws.String("cluster-1"),
DbClusterResourceId: aws.String("resource-1"),
IAMDatabaseAuthenticationEnabled: aws.Bool(true),
@ -544,7 +544,7 @@ func TestDatabaseFromRDSCluster(t *testing.T) {
}
expectedAWS := types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RDS: types.RDS{
ClusterID: "cluster-1",
@ -559,7 +559,7 @@ func TestDatabaseFromRDSCluster(t *testing.T) {
Description: "Aurora cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -583,7 +583,7 @@ func TestDatabaseFromRDSCluster(t *testing.T) {
Description: "Aurora cluster in us-east-1 (reader endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -604,7 +604,7 @@ func TestDatabaseFromRDSCluster(t *testing.T) {
t.Run("custom endpoints", func(t *testing.T) {
expectedLabels := map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -659,7 +659,7 @@ func TestDatabaseFromRDSCluster(t *testing.T) {
// TestDatabaseFromRDSClusterNameOverride tests converting an RDS cluster to a database resource with overridden name.
func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
cluster := &rds.DBCluster{
DBClusterArn: aws.String("arn:aws:rds:us-east-1:1234567890:cluster:cluster-1"),
DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:cluster:cluster-1"),
DBClusterIdentifier: aws.String("cluster-1"),
DbClusterResourceId: aws.String("resource-1"),
IAMDatabaseAuthenticationEnabled: aws.Bool(true),
@ -679,7 +679,7 @@ func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
}
expectedAWS := types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RDS: types.RDS{
ClusterID: "cluster-1",
@ -694,7 +694,7 @@ func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
Description: "Aurora cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -719,7 +719,7 @@ func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
Description: "Aurora cluster in us-east-1 (reader endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -741,7 +741,7 @@ func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
t.Run("custom endpoints", func(t *testing.T) {
expectedLabels := map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEngine: RDSEngineAuroraMySQL,
labelEngineVersion: "8.0.0",
@ -797,7 +797,7 @@ func TestDatabaseFromRDSClusterNameOverride(t *testing.T) {
func TestDatabaseFromRDSProxy(t *testing.T) {
var port int64 = 9999
dbProxy := &rds.DBProxy{
DBProxyArn: aws.String("arn:aws:rds:ca-central-1:123456:db-proxy:prx-abcdef"),
DBProxyArn: aws.String("arn:aws:rds:ca-central-1:123456789012:db-proxy:prx-abcdef"),
DBProxyName: aws.String("testproxy"),
EngineFamily: aws.String(rds.EngineFamilyMysql),
Endpoint: aws.String("proxy.rds.test"),
@ -808,7 +808,7 @@ func TestDatabaseFromRDSProxy(t *testing.T) {
Endpoint: aws.String("custom.proxy.rds.test"),
DBProxyEndpointName: aws.String("custom"),
DBProxyName: aws.String("testproxy"),
DBProxyEndpointArn: aws.String("arn:aws:rds:ca-central-1:123456:db-proxy-endpoint:prx-endpoint-abcdef"),
DBProxyEndpointArn: aws.String("arn:aws:rds:ca-central-1:123456789012:db-proxy-endpoint:prx-endpoint-abcdef"),
TargetRole: aws.String(rds.DBProxyEndpointTargetRoleReadOnly),
}
@ -824,7 +824,7 @@ func TestDatabaseFromRDSProxy(t *testing.T) {
Labels: map[string]string{
"key": "val",
types.OriginLabel: types.OriginCloud,
labelAccountID: "123456",
labelAccountID: "123456789012",
labelRegion: "ca-central-1",
labelEngine: "MYSQL",
labelVPCID: "test-vpc-id",
@ -834,7 +834,7 @@ func TestDatabaseFromRDSProxy(t *testing.T) {
URI: "proxy.rds.test:9999",
AWS: types.AWS{
Region: "ca-central-1",
AccountID: "123456",
AccountID: "123456789012",
RDSProxy: types.RDSProxy{
ResourceID: "prx-abcdef",
Name: "testproxy",
@ -855,7 +855,7 @@ func TestDatabaseFromRDSProxy(t *testing.T) {
Labels: map[string]string{
"key": "val",
types.OriginLabel: types.OriginCloud,
labelAccountID: "123456",
labelAccountID: "123456789012",
labelRegion: "ca-central-1",
labelEngine: "MYSQL",
labelVPCID: "test-vpc-id",
@ -866,7 +866,7 @@ func TestDatabaseFromRDSProxy(t *testing.T) {
URI: "custom.proxy.rds.test:9999",
AWS: types.AWS{
Region: "ca-central-1",
AccountID: "123456",
AccountID: "123456789012",
RDSProxy: types.RDSProxy{
ResourceID: "prx-abcdef",
Name: "testproxy",
@ -946,7 +946,7 @@ func TestIsRDSClusterSupported(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
cluster := &rds.DBCluster{
DBClusterArn: aws.String("arn:aws:rds:us-east-1:1234567890:cluster:test"),
DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:cluster:test"),
DBClusterIdentifier: aws.String(test.name),
DbClusterResourceId: aws.String(uuid.New().String()),
Engine: aws.String(RDSEngineAuroraMySQL),
@ -996,7 +996,7 @@ func TestIsRDSInstanceSupported(t *testing.T) {
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
cluster := &rds.DBInstance{
DBInstanceArn: aws.String("arn:aws:rds:us-east-1:1234567890:instance:test"),
DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:instance:test"),
DBClusterIdentifier: aws.String(test.name),
DbiResourceId: aws.String(uuid.New().String()),
Engine: aws.String(test.engine),
@ -1025,7 +1025,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
t.Run("success", func(t *testing.T) {
cluster := &redshift.Cluster{
ClusterIdentifier: aws.String("mycluster"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-1:1234567890:namespace:u-u-i-d"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-1:123456789012:namespace:u-u-i-d"),
Endpoint: &redshift.Endpoint{
Address: aws.String("localhost"),
Port: aws.Int64(5439),
@ -1046,7 +1046,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
Description: "Redshift cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
"key": "val",
"elasticbeanstalk:environment-id": "id",
@ -1055,7 +1055,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
Protocol: defaults.ProtocolPostgres,
URI: "localhost:5439",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
Redshift: types.Redshift{
ClusterID: "mycluster",
@ -1073,7 +1073,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
t.Run("success with name override", func(t *testing.T) {
cluster := &redshift.Cluster{
ClusterIdentifier: aws.String("mycluster"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-1:1234567890:namespace:u-u-i-d"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-1:123456789012:namespace:u-u-i-d"),
Endpoint: &redshift.Endpoint{
Address: aws.String("localhost"),
Port: aws.Int64(5439),
@ -1098,7 +1098,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
Description: "Redshift cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelTeleportDBName: "mycluster-override-2",
"key": "val",
@ -1108,7 +1108,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
Protocol: defaults.ProtocolPostgres,
URI: "localhost:5439",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
Redshift: types.Redshift{
ClusterID: "mycluster",
@ -1134,7 +1134,7 @@ func TestDatabaseFromRedshiftCluster(t *testing.T) {
func TestDatabaseFromElastiCacheConfigurationEndpoint(t *testing.T) {
cluster := &elasticache.ReplicationGroup{
ARN: aws.String("arn:aws:elasticache:us-east-1:1234567890:replicationgroup:my-cluster"),
ARN: aws.String("arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-cluster"),
ReplicationGroupId: aws.String("my-cluster"),
Status: aws.String("available"),
TransitEncryptionEnabled: aws.Bool(true),
@ -1176,7 +1176,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpoint(t *testing.T) {
Description: "ElastiCache cluster in us-east-1 (configuration endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "configuration",
"key": "value",
@ -1185,7 +1185,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpoint(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "configuration.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1204,7 +1204,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpoint(t *testing.T) {
func TestDatabaseFromElastiCacheConfigurationEndpointNameOverride(t *testing.T) {
cluster := &elasticache.ReplicationGroup{
ARN: aws.String("arn:aws:elasticache:us-east-1:1234567890:replicationgroup:my-cluster"),
ARN: aws.String("arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-cluster"),
ReplicationGroupId: aws.String("my-cluster"),
Status: aws.String("available"),
TransitEncryptionEnabled: aws.Bool(true),
@ -1249,7 +1249,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpointNameOverride(t *testing.T)
Description: "ElastiCache cluster in us-east-1 (configuration endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "configuration",
labelTeleportDBName: "my-override-cluster-2",
@ -1259,7 +1259,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpointNameOverride(t *testing.T)
Protocol: defaults.ProtocolRedis,
URI: "configuration.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1278,7 +1278,7 @@ func TestDatabaseFromElastiCacheConfigurationEndpointNameOverride(t *testing.T)
func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
cluster := &elasticache.ReplicationGroup{
ARN: aws.String("arn:aws:elasticache:us-east-1:1234567890:replicationgroup:my-cluster"),
ARN: aws.String("arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-cluster"),
ReplicationGroupId: aws.String("my-cluster"),
Status: aws.String("available"),
TransitEncryptionEnabled: aws.Bool(true),
@ -1305,7 +1305,7 @@ func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
Description: "ElastiCache cluster in us-east-1 (primary endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "primary",
"key": "value",
@ -1314,7 +1314,7 @@ func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "primary.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1331,7 +1331,7 @@ func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
Description: "ElastiCache cluster in us-east-1 (reader endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "reader",
"key": "value",
@ -1340,7 +1340,7 @@ func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "reader.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1359,7 +1359,7 @@ func TestDatabaseFromElastiCacheNodeGroups(t *testing.T) {
func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
cluster := &elasticache.ReplicationGroup{
ARN: aws.String("arn:aws:elasticache:us-east-1:1234567890:replicationgroup:my-cluster"),
ARN: aws.String("arn:aws:elasticache:us-east-1:123456789012:replicationgroup:my-cluster"),
ReplicationGroupId: aws.String("my-cluster"),
Status: aws.String("available"),
TransitEncryptionEnabled: aws.Bool(true),
@ -1389,7 +1389,7 @@ func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
Description: "ElastiCache cluster in us-east-1 (primary endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "primary",
labelTeleportDBName: "my-override-cluster-2",
@ -1399,7 +1399,7 @@ func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "primary.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1416,7 +1416,7 @@ func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
Description: "ElastiCache cluster in us-east-1 (reader endpoint)",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "reader",
labelTeleportDBName: "my-override-cluster-2",
@ -1426,7 +1426,7 @@ func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "reader.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-cluster",
@ -1445,7 +1445,7 @@ func TestDatabaseFromElastiCacheNodeGroupsNameOverride(t *testing.T) {
func TestDatabaseFromMemoryDBCluster(t *testing.T) {
cluster := &memorydb.Cluster{
ARN: aws.String("arn:aws:memorydb:us-east-1:1234567890:cluster:my-cluster"),
ARN: aws.String("arn:aws:memorydb:us-east-1:123456789012:cluster:my-cluster"),
Name: aws.String("my-cluster"),
Status: aws.String("available"),
TLSEnabled: aws.Bool(true),
@ -1462,7 +1462,7 @@ func TestDatabaseFromMemoryDBCluster(t *testing.T) {
Description: "MemoryDB cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "cluster",
"key": "value",
@ -1471,7 +1471,7 @@ func TestDatabaseFromMemoryDBCluster(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "memorydb.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
MemoryDB: types.MemoryDB{
ClusterName: "my-cluster",
@ -1496,7 +1496,7 @@ func TestDatabaseFromRedshiftServerlessWorkgroup(t *testing.T) {
Description: "Redshift Serverless workgroup in eu-west-2",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "eu-west-2",
labelEndpointType: "workgroup",
labelNamespace: "my-namespace",
@ -1505,9 +1505,9 @@ func TestDatabaseFromRedshiftServerlessWorkgroup(t *testing.T) {
},
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "my-workgroup.1234567890.eu-west-2.redshift-serverless.amazonaws.com:5439",
URI: "my-workgroup.123456789012.eu-west-2.redshift-serverless.amazonaws.com:5439",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "eu-west-2",
RedshiftServerless: types.RedshiftServerless{
WorkgroupName: "my-workgroup",
@ -1531,7 +1531,7 @@ func TestDatabaseFromRedshiftServerlessVPCEndpoint(t *testing.T) {
Description: "Redshift Serverless endpoint in eu-west-2",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "eu-west-2",
labelEndpointType: "vpc-endpoint",
labelWorkgroup: "my-workgroup",
@ -1541,9 +1541,9 @@ func TestDatabaseFromRedshiftServerlessVPCEndpoint(t *testing.T) {
},
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "my-endpoint-endpoint-xxxyyyzzz.1234567890.eu-west-2.redshift-serverless.amazonaws.com:5439",
URI: "my-endpoint-endpoint-xxxyyyzzz.123456789012.eu-west-2.redshift-serverless.amazonaws.com:5439",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "eu-west-2",
RedshiftServerless: types.RedshiftServerless{
WorkgroupName: "my-workgroup",
@ -1552,7 +1552,7 @@ func TestDatabaseFromRedshiftServerlessVPCEndpoint(t *testing.T) {
},
},
TLS: types.DatabaseTLS{
ServerName: "my-workgroup.1234567890.eu-west-2.redshift-serverless.amazonaws.com",
ServerName: "my-workgroup.123456789012.eu-west-2.redshift-serverless.amazonaws.com",
},
})
require.NoError(t, err)
@ -1564,7 +1564,7 @@ func TestDatabaseFromRedshiftServerlessVPCEndpoint(t *testing.T) {
func TestDatabaseFromMemoryDBClusterNameOverride(t *testing.T) {
cluster := &memorydb.Cluster{
ARN: aws.String("arn:aws:memorydb:us-east-1:1234567890:cluster:my-cluster"),
ARN: aws.String("arn:aws:memorydb:us-east-1:123456789012:cluster:my-cluster"),
Name: aws.String("my-cluster"),
Status: aws.String("available"),
TLSEnabled: aws.Bool(true),
@ -1584,7 +1584,7 @@ func TestDatabaseFromMemoryDBClusterNameOverride(t *testing.T) {
Description: "MemoryDB cluster in us-east-1",
Labels: map[string]string{
types.OriginLabel: types.OriginCloud,
labelAccountID: "1234567890",
labelAccountID: "123456789012",
labelRegion: "us-east-1",
labelEndpointType: "cluster",
labelTeleportDBName: "override-1",
@ -1594,7 +1594,7 @@ func TestDatabaseFromMemoryDBClusterNameOverride(t *testing.T) {
Protocol: defaults.ProtocolRedis,
URI: "memorydb.localhost:6379",
AWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
MemoryDB: types.MemoryDB{
ClusterName: "my-cluster",


@ -323,7 +323,7 @@ func createSuite(t *testing.T, mockAWSHandler http.HandlerFunc, app types.Applic
Username: "user",
Expires: clock.Now().Add(time.Hour),
RouteToApp: tlsca.RouteToApp{
AWSRoleARN: "arn:aws:iam::123456789:role/test",
AWSRoleARN: "arn:aws:iam::123456789012:role/test",
},
}


@ -165,7 +165,7 @@ func TestCloudGetFederationDuration(t *testing.T) {
req := &AWSSigninRequest{
Identity: &tlsca.Identity{
RouteToApp: tlsca.RouteToApp{
AWSRoleARN: "arn:aws:iam::123456789:role/test",
AWSRoleARN: "arn:aws:iam::123456789012:role/test",
},
Expires: test.expiresAt,
},
@ -269,7 +269,7 @@ func TestCloudGetAWSSigninToken(t *testing.T) {
req := &AWSSigninRequest{
Identity: &tlsca.Identity{
RouteToApp: tlsca.RouteToApp{
AWSRoleARN: "arn:aws:iam::123456789:role/test",
AWSRoleARN: "arn:aws:iam::123456789012:role/test",
},
Expires: time.Now().Add(24 * time.Hour),
},


@ -80,7 +80,7 @@ func TestInitCACert(t *testing.T) {
URI: "localhost:5432",
AWS: types.AWS{
Region: "us-east-1",
AccountID: "1234567890",
AccountID: "123456789012",
RedshiftServerless: types.RedshiftServerless{
WorkgroupName: "workgroup",
},


@ -46,25 +46,25 @@ func TestAWSIAM(t *testing.T) {
// Setup AWS database objects.
rdsInstance := &rds.DBInstance{
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:1234567890:db:postgres-rds"),
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:123456789012:db:postgres-rds"),
DBInstanceIdentifier: aws.String("postgres-rds"),
DbiResourceId: aws.String("db-xyz"),
}
auroraCluster := &rds.DBCluster{
DBClusterArn: aws.String("arn:aws:rds:us-east-1:1234567890:cluster:postgres-aurora"),
DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:cluster:postgres-aurora"),
DBClusterIdentifier: aws.String("postgres-aurora"),
DbClusterResourceId: aws.String("cluster-xyz"),
}
redshiftCluster := &redshift.Cluster{
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-2:1234567890:namespace:namespace-xyz"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-2:123456789012:namespace:namespace-xyz"),
ClusterIdentifier: aws.String("redshift-cluster-1"),
}
// Configure mocks.
stsClient := &mocks.STSMock{
ARN: "arn:aws:iam::1234567890:role/test-role",
ARN: "arn:aws:iam::123456789012:role/test-role",
}
rdsClient := &mocks.RDSMock{
@ -84,7 +84,7 @@ func TestAWSIAM(t *testing.T) {
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "localhost",
AWS: types.AWS{Region: "localhost", AccountID: "1234567890", RDS: types.RDS{InstanceID: "postgres-rds", ResourceID: "postgres-rds-resource-id"}},
AWS: types.AWS{Region: "localhost", AccountID: "123456789012", RDS: types.RDS{InstanceID: "postgres-rds", ResourceID: "postgres-rds-resource-id"}},
})
require.NoError(t, err)
@ -93,7 +93,7 @@ func TestAWSIAM(t *testing.T) {
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "localhost",
AWS: types.AWS{Region: "localhost", AccountID: "1234567890", RDS: types.RDS{ClusterID: "postgres-aurora", ResourceID: "postgres-aurora-resource-id"}},
AWS: types.AWS{Region: "localhost", AccountID: "123456789012", RDS: types.RDS{ClusterID: "postgres-aurora", ResourceID: "postgres-aurora-resource-id"}},
})
require.NoError(t, err)
@ -102,7 +102,7 @@ func TestAWSIAM(t *testing.T) {
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "localhost",
AWS: types.AWS{Region: "localhost", AccountID: "1234567890", RDSProxy: types.RDSProxy{Name: "rds-proxy", ResourceID: "rds-proxy-resource-id"}},
AWS: types.AWS{Region: "localhost", AccountID: "123456789012", RDSProxy: types.RDSProxy{Name: "rds-proxy", ResourceID: "rds-proxy-resource-id"}},
})
require.NoError(t, err)
@ -111,7 +111,7 @@ func TestAWSIAM(t *testing.T) {
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "localhost",
AWS: types.AWS{Region: "localhost", AccountID: "1234567890", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
AWS: types.AWS{Region: "localhost", AccountID: "123456789012", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
})
require.NoError(t, err)
@ -227,7 +227,7 @@ func TestAWSIAMNoPermissions(t *testing.T) {
// Create unauthorized mocks for AWS services.
stsClient := &mocks.STSMock{
ARN: "arn:aws:iam::1234567890:role/test-role",
ARN: "arn:aws:iam::123456789012:role/test-role",
}
// Make configurator.
configurator, err := NewIAM(ctx, IAMConfig{
@ -244,7 +244,7 @@ func TestAWSIAMNoPermissions(t *testing.T) {
}{
{
name: "RDS database",
meta: types.AWS{Region: "localhost", AccountID: "1234567890", RDS: types.RDS{InstanceID: "postgres-rds", ResourceID: "postgres-rds-resource-id"}},
meta: types.AWS{Region: "localhost", AccountID: "123456789012", RDS: types.RDS{InstanceID: "postgres-rds", ResourceID: "postgres-rds-resource-id"}},
clients: &clients.TestCloudClients{
RDS: &mocks.RDSMockUnauth{},
IAM: &mocks.IAMErrorMock{
@ -255,7 +255,7 @@ func TestAWSIAMNoPermissions(t *testing.T) {
},
{
name: "Aurora cluster",
meta: types.AWS{Region: "localhost", AccountID: "1234567890", RDS: types.RDS{ClusterID: "postgres-aurora", ResourceID: "postgres-aurora-resource-id"}},
meta: types.AWS{Region: "localhost", AccountID: "123456789012", RDS: types.RDS{ClusterID: "postgres-aurora", ResourceID: "postgres-aurora-resource-id"}},
clients: &clients.TestCloudClients{
RDS: &mocks.RDSMockUnauth{},
IAM: &mocks.IAMErrorMock{
@ -277,7 +277,7 @@ func TestAWSIAMNoPermissions(t *testing.T) {
},
{
name: "Redshift cluster",
meta: types.AWS{Region: "localhost", AccountID: "1234567890", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
meta: types.AWS{Region: "localhost", AccountID: "123456789012", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
clients: &clients.TestCloudClients{
Redshift: &mocks.RedshiftMockUnauth{},
IAM: &mocks.IAMErrorMock{
@ -288,7 +288,7 @@ func TestAWSIAMNoPermissions(t *testing.T) {
},
{
name: "IAM UnmodifiableEntityException",
meta: types.AWS{Region: "localhost", AccountID: "1234567890", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
meta: types.AWS{Region: "localhost", AccountID: "123456789012", Redshift: types.Redshift{ClusterID: "redshift-cluster-1"}},
clients: &clients.TestCloudClients{
Redshift: &mocks.RedshiftMockUnauth{},
IAM: &mocks.IAMErrorMock{


@ -41,14 +41,14 @@ func TestAWSMetadata(t *testing.T) {
DBInstances: []*rds.DBInstance{
// Standalone RDS instance.
{
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:1234567890:db:postgres-rds"),
DBInstanceArn: aws.String("arn:aws:rds:us-west-1:123456789012:db:postgres-rds"),
DBInstanceIdentifier: aws.String("postgres-rds"),
DbiResourceId: aws.String("db-xyz"),
IAMDatabaseAuthenticationEnabled: aws.Bool(true),
},
// Instance that is a part of an Aurora cluster.
{
DBInstanceArn: aws.String("arn:aws:rds:us-east-1:1234567890:db:postgres-aurora-1"),
DBInstanceArn: aws.String("arn:aws:rds:us-east-1:123456789012:db:postgres-aurora-1"),
DBInstanceIdentifier: aws.String("postgres-aurora-1"),
DBClusterIdentifier: aws.String("postgres-aurora"),
},
@ -56,14 +56,14 @@ func TestAWSMetadata(t *testing.T) {
DBClusters: []*rds.DBCluster{
// Aurora cluster.
{
DBClusterArn: aws.String("arn:aws:rds:us-east-1:1234567890:cluster:postgres-aurora"),
DBClusterArn: aws.String("arn:aws:rds:us-east-1:123456789012:cluster:postgres-aurora"),
DBClusterIdentifier: aws.String("postgres-aurora"),
DbClusterResourceId: aws.String("cluster-xyz"),
},
},
DBProxies: []*rds.DBProxy{
{
DBProxyArn: aws.String("arn:aws:rds:us-east-1:1234567890:db-proxy:prx-resource-id"),
DBProxyArn: aws.String("arn:aws:rds:us-east-1:123456789012:db-proxy:prx-resource-id"),
DBProxyName: aws.String("rds-proxy"),
},
},
@ -79,11 +79,11 @@ func TestAWSMetadata(t *testing.T) {
redshift := &mocks.RedshiftMock{
Clusters: []*redshift.Cluster{
{
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-west-1:1234567890:namespace:namespace-id"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-west-1:123456789012:namespace:namespace-id"),
ClusterIdentifier: aws.String("redshift-cluster-1"),
},
{
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-2:0987654321:namespace:namespace-id"),
ClusterNamespaceArn: aws.String("arn:aws:redshift:us-east-2:210987654321:namespace:namespace-id"),
ClusterIdentifier: aws.String("redshift-cluster-2"),
},
},
@ -93,7 +93,7 @@ func TestAWSMetadata(t *testing.T) {
elasticache := &mocks.ElastiCacheMock{
ReplicationGroups: []*elasticache.ReplicationGroup{
{
ARN: aws.String("arn:aws:elasticache:us-west-1:123456789:replicationgroup:my-redis"),
ARN: aws.String("arn:aws:elasticache:us-west-1:123456789012:replicationgroup:my-redis"),
ReplicationGroupId: aws.String("my-redis"),
ClusterEnabled: aws.Bool(true),
TransitEncryptionEnabled: aws.Bool(true),
@ -106,7 +106,7 @@ func TestAWSMetadata(t *testing.T) {
memorydb := &mocks.MemoryDBMock{
Clusters: []*memorydb.Cluster{
{
ARN: aws.String("arn:aws:memorydb:us-west-1:123456789:cluster:my-cluster"),
ARN: aws.String("arn:aws:memorydb:us-west-1:123456789012:cluster:my-cluster"),
Name: aws.String("my-cluster"),
TLSEnabled: aws.Bool(true),
ACLName: aws.String("my-user-group"),
@ -148,7 +148,7 @@ func TestAWSMetadata(t *testing.T) {
},
outAWS: types.AWS{
Region: "us-west-1",
AccountID: "1234567890",
AccountID: "123456789012",
RDS: types.RDS{
InstanceID: "postgres-rds",
ResourceID: "db-xyz",
@ -165,7 +165,7 @@ func TestAWSMetadata(t *testing.T) {
},
outAWS: types.AWS{
Region: "us-east-1",
AccountID: "1234567890",
AccountID: "123456789012",
RDS: types.RDS{
ClusterID: "postgres-aurora",
ResourceID: "cluster-xyz",
@ -181,7 +181,7 @@ func TestAWSMetadata(t *testing.T) {
},
outAWS: types.AWS{
Region: "us-east-1",
AccountID: "1234567890",
AccountID: "123456789012",
RDS: types.RDS{
ClusterID: "postgres-aurora",
ResourceID: "cluster-xyz",
@ -196,7 +196,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-west-1",
Redshift: types.Redshift{
ClusterID: "redshift-cluster-1",
@ -211,7 +211,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "0987654321",
AccountID: "210987654321",
Region: "us-east-2",
Redshift: types.Redshift{
ClusterID: "redshift-cluster-2",
@ -227,7 +227,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "123456789",
AccountID: "123456789012",
Region: "us-west-1",
ElastiCache: types.ElastiCache{
ReplicationGroupID: "my-redis",
@ -246,7 +246,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "123456789",
AccountID: "123456789012",
Region: "us-west-1",
MemoryDB: types.MemoryDB{
ClusterName: "my-cluster",
@ -265,7 +265,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RDSProxy: types.RDSProxy{
Name: "rds-proxy",
@ -282,7 +282,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-east-1",
RDSProxy: types.RDSProxy{
Name: "rds-proxy",
@ -300,7 +300,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-west-1",
RedshiftServerless: types.RedshiftServerless{
WorkgroupName: "my-workgroup",
@ -317,7 +317,7 @@ func TestAWSMetadata(t *testing.T) {
},
},
outAWS: types.AWS{
AccountID: "1234567890",
AccountID: "123456789012",
Region: "us-west-1",
RedshiftServerless: types.RedshiftServerless{
WorkgroupName: "my-workgroup",
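Review bot: The ElastiCache and MemoryDB mock ARNs (`…:replicationgroup:my-redis` and `…:cluster:my-cluster`) used to carry an account ID of their own (`123456789`), and after this change they share `123456789012` with the RDS, RDS Proxy and first Redshift fixtures. Only `redshift-cluster-2` keeps a distinct account (`210987654321`), so an `outAWS.AccountID` populated from the wrong resource would be harder to catch in most rows of the table. Consider giving the ElastiCache and MemoryDB fixtures a different valid 12-digit value, for example `111122223333` (a constructed sample), in both the mock ARN and the matching `outAWS` entry. TestAWSMetadata begins and ends outside these hunks, and which line of each printed pair is the new one is inferred from the commit description.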


@ -115,9 +115,9 @@ func TestSecretKeyFromAWSARN(t *testing.T) {
_, err := secretKeyFromAWSARN("invalid:arn")
require.True(t, trace.IsBadParameter(err))
key, err := secretKeyFromAWSARN("arn:aws-cn:elasticache:cn-north-1:1234567890:user:alice")
key, err := secretKeyFromAWSARN("arn:aws-cn:elasticache:cn-north-1:123456789012:user:alice")
require.NoError(t, err)
require.Equal(t, "elasticache/cn-north-1/1234567890/user/alice", key)
require.Equal(t, "elasticache/cn-north-1/123456789012/user/alice", key)
}
type mockUser struct {
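Review bot: TestSecretKeyFromAWSARN pins only an unparseable string (`"invalid:arn"`) and a fully valid ARN, so nothing here shows what `secretKeyFromAWSARN` does with a parseable ARN whose account field is not a 12-digit ID. That field becomes a path segment of the returned key (`elasticache/cn-north-1/123456789012/user/alice`), and this commit makes the 12-digit form an invariant for database specs. The function body is not on this page, so whether it checks the account field is unknown. A third case such as `_, err = secretKeyFromAWSARN("arn:aws:elasticache:us-east-1:12345:user:alice")`, followed by an assertion for the intended outcome, would document it. The test function starts above the hunk.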


@ -135,7 +135,7 @@ func mustCreateElastiCacheDatabase(t *testing.T, name string, userGroupIDs ...st
Name: name,
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolRedis,
URI: "master.redis-cluster.1234567890.use1.cache.amazonaws.com:6379",
URI: "master.redis-cluster.123456789012.use1.cache.amazonaws.com:6379",
AWS: types.AWS{
ElastiCache: types.ElastiCache{
UserGroupIDs: userGroupIDs,
@ -176,7 +176,7 @@ func mustCreateRDSDatabase(t *testing.T, name string) types.Database {
func elastiCacheUser(name string, groupIDs ...string) *elasticache.User {
return &elasticache.User{
UserId: aws.String(name),
ARN: aws.String("arn:aws:elasticache:us-east-1:1234567890:user:" + name),
ARN: aws.String("arn:aws:elasticache:us-east-1:123456789012:user:" + name),
UserName: aws.String(name),
UserGroupIds: aws.StringSlice(groupIDs),
}
@ -184,7 +184,7 @@ func elastiCacheUser(name string, groupIDs ...string) *elasticache.User {
func memoryDBUser(name string, aclNames ...string) *memorydb.User {
return &memorydb.User{
ARN: aws.String("arn:aws:memorydb:us-east-1:1234567890:user/" + name),
ARN: aws.String("arn:aws:memorydb:us-east-1:123456789012:user/" + name),
Name: aws.String(name),
ACLNames: aws.StringSlice(aclNames),
}


@ -393,24 +393,24 @@ func TestRedshiftServerlessUsernameToRoleARN(t *testing.T) {
expectError bool
}{
{
inputUsername: "arn:aws:iam::1234567890:role/rolename",
expectRoleARN: "arn:aws:iam::1234567890:role/rolename",
inputUsername: "arn:aws:iam::123456789012:role/rolename",
expectRoleARN: "arn:aws:iam::123456789012:role/rolename",
},
{
inputUsername: "arn:aws:iam::1234567890:user/user",
inputUsername: "arn:aws:iam::123456789012:user/user",
expectError: true,
},
{
inputUsername: "arn:aws:not-iam::1234567890:role/rolename",
inputUsername: "arn:aws:not-iam::123456789012:role/rolename",
expectError: true,
},
{
inputUsername: "role/rolename",
expectRoleARN: "arn:aws:iam::1234567890:role/rolename",
expectRoleARN: "arn:aws:iam::123456789012:role/rolename",
},
{
inputUsername: "rolename",
expectRoleARN: "arn:aws:iam::1234567890:role/rolename",
expectRoleARN: "arn:aws:iam::123456789012:role/rolename",
},
{
inputUsername: "IAM:user",
@ -520,7 +520,7 @@ func newRedshiftServerlessDatabase(t *testing.T) types.Database {
Name: "test-database",
}, types.DatabaseSpecV3{
Protocol: defaults.ProtocolPostgres,
URI: "my-workgroup.1234567890.eu-west-2.redshift-serverless.amazonaws.com:5439",
URI: "my-workgroup.123456789012.eu-west-2.redshift-serverless.amazonaws.com:5439",
})
require.NoError(t, err)
return database
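Review bot: The expectations `expectRoleARN: "arn:aws:iam::123456789012:role/rolename"` for the short inputs `"role/rolename"` and `"rolename"` presumably take their account ID from the fixture URI in `newRedshiftServerlessDatabase` (`my-workgroup.123456789012.eu-west-2.redshift-serverless.amazonaws.com:5439`), yet the two literals are maintained separately and had to be edited in step here. A file-level `const testAccountID = "123456789012"` used to build both the URI and the expected ARNs would make that dependency explicit and keep a future fixture change from silently desynchronising them. Both the table test and the helper extend beyond the hunks shown.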


@ -40,7 +40,7 @@ func TestGetAWSPolicyDocument(t *testing.T) {
Protocol: "postgres",
URI: "instance.abcdefghijklmnop.us-east-1.rds.amazonaws.com:5438",
AWS: types.AWS{
AccountID: "12345",
AccountID: "123456789012",
RDS: types.RDS{
ResourceID: "abcdef",
},
@ -54,7 +54,7 @@ func TestGetAWSPolicyDocument(t *testing.T) {
Protocol: "postgres",
URI: "my-proxy.proxy-abcdefghijklmnop.us-west-1.rds.amazonaws.com:5432",
AWS: types.AWS{
AccountID: "12345",
AccountID: "123456789012",
RDSProxy: types.RDSProxy{
ResourceID: "qwerty",
},
@ -102,7 +102,7 @@ func TestGetAWSPolicyDocument(t *testing.T) {
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:us-east-1:12345:dbuser:abcdef/*"
"Resource": "arn:aws:rds-db:us-east-1:123456789012:dbuser:abcdef/*"
}
]
}`,
@ -115,7 +115,7 @@ func TestGetAWSPolicyDocument(t *testing.T) {
{
"Effect": "Allow",
"Action": "rds-db:connect",
"Resource": "arn:aws:rds-db:us-west-1:12345:dbuser:qwerty/*"
"Resource": "arn:aws:rds-db:us-west-1:123456789012:dbuser:qwerty/*"
}
]
}`,


@ -44,7 +44,7 @@ func (c *MockSecretsManagerClientConfig) SetDefaults() {
c.Region = "us-east-1"
}
if c.Account == "" {
c.Account = "1234567890"
c.Account = "123456789012"
}
if c.Clock == nil {
c.Clock = clockwork.NewFakeClock()
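Review bot: The default `c.Account = "123456789012"` in `SetDefaults` carries no comment saying it is a placeholder that must remain a well-formed 12-digit ID. The assertion on `arn:aws:kms:us-east-1:123456789012:alias/aws/secretsmanager` in TestAWSSecretsManager appears to depend on this value. I would add `// Placeholder account ID; keep it 12 digits so ARNs derived from it stay well-formed.` above the assignment. `SetDefaults` continues outside the hunk, so any other use of `c.Account` is not visible here.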


@ -77,7 +77,7 @@ func TestAWSSecretsManager(t *testing.T) {
SecretId: aws.String("teleport/key"),
})
require.NoError(t, err)
require.Equal(t, "arn:aws:kms:us-east-1:1234567890:alias/aws/secretsmanager", aws.StringValue(output1.KmsKeyId))
require.Equal(t, "arn:aws:kms:us-east-1:123456789012:alias/aws/secretsmanager", aws.StringValue(output1.KmsKeyId))
// Create secret for the second time with custom KMS. Create returns
// IsAlreadyExists but KMSKeyID should be updated.


@ -113,7 +113,7 @@ func TestElastiCacheFetcher(t *testing.T) {
func makeElastiCacheCluster(t *testing.T, name, region, env string, opts ...func(*elasticache.ReplicationGroup)) (*elasticache.ReplicationGroup, types.Database, []*elasticache.Tag) {
cluster := &elasticache.ReplicationGroup{
ARN: aws.String(fmt.Sprintf("arn:aws:elasticache:%s:123456789:replicationgroup:%s", region, name)),
ARN: aws.String(fmt.Sprintf("arn:aws:elasticache:%s:123456789012:replicationgroup:%s", region, name)),
ReplicationGroupId: aws.String(name),
Status: aws.String("available"),
TransitEncryptionEnabled: aws.Bool(true),


@ -112,7 +112,7 @@ func TestMemoryDBFetcher(t *testing.T) {
func makeMemoryDBCluster(t *testing.T, name, region, env string, opts ...func(*memorydb.Cluster)) (*memorydb.Cluster, types.Database, []*memorydb.Tag) {
cluster := &memorydb.Cluster{
ARN: aws.String(fmt.Sprintf("arn:aws:memorydb:%s:123456789:cluster:%s", region, name)),
ARN: aws.String(fmt.Sprintf("arn:aws:memorydb:%s:123456789012:cluster:%s", region, name)),
Name: aws.String(name),
Status: aws.String("available"),
TLSEnabled: aws.Bool(true),


@ -76,7 +76,7 @@ func TestRDSDBProxyFetcher(t *testing.T) {
func makeRDSProxy(t *testing.T, name, region, vpcID string) (*rds.DBProxy, types.Database) {
rdsProxy := &rds.DBProxy{
DBProxyArn: aws.String(fmt.Sprintf("arn:aws:rds:%s:1234567890:db-proxy:prx-%s", region, name)),
DBProxyArn: aws.String(fmt.Sprintf("arn:aws:rds:%s:123456789012:db-proxy:prx-%s", region, name)),
DBProxyName: aws.String(name),
EngineFamily: aws.String(rds.EngineFamilyMysql),
Endpoint: aws.String("localhost"),
@ -95,7 +95,7 @@ func makeRDSProxyCustomEndpoint(t *testing.T, rdsProxy *rds.DBProxy, name, regio
Endpoint: aws.String("localhost"),
DBProxyEndpointName: aws.String(name),
DBProxyName: rdsProxy.DBProxyName,
DBProxyEndpointArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:123456:db-proxy-endpoint:prx-endpoint-%v", region, name)),
DBProxyEndpointArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:123456789012:db-proxy-endpoint:prx-endpoint-%v", region, name)),
TargetRole: aws.String(rds.DBProxyEndpointTargetRoleReadOnly),
Status: aws.String("available"),
}


@ -220,7 +220,7 @@ func TestRDSFetchers(t *testing.T) {
func makeRDSInstance(t *testing.T, name, region string, labels map[string]string, opts ...func(*rds.DBInstance)) (*rds.DBInstance, types.Database) {
instance := &rds.DBInstance{
DBInstanceArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:1234567890:db:%v", region, name)),
DBInstanceArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:123456789012:db:%v", region, name)),
DBInstanceIdentifier: aws.String(name),
DbiResourceId: aws.String(uuid.New().String()),
Engine: aws.String(services.RDSEnginePostgres),
@ -242,7 +242,7 @@ func makeRDSInstance(t *testing.T, name, region string, labels map[string]string
func makeRDSCluster(t *testing.T, name, region string, labels map[string]string, opts ...func(*rds.DBCluster)) (*rds.DBCluster, types.Database) {
cluster := &rds.DBCluster{
DBClusterArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:1234567890:cluster:%v", region, name)),
DBClusterArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:123456789012:cluster:%v", region, name)),
DBClusterIdentifier: aws.String(name),
DbClusterResourceId: aws.String(uuid.New().String()),
Engine: aws.String(services.RDSEngineAuroraMySQL),
@ -266,7 +266,7 @@ func makeRDSCluster(t *testing.T, name, region string, labels map[string]string,
func makeRDSClusterWithExtraEndpoints(t *testing.T, name, region string, labels map[string]string, hasWriter bool) (*rds.DBCluster, types.Databases) {
cluster := &rds.DBCluster{
DBClusterArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:1234567890:cluster:%v", region, name)),
DBClusterArn: aws.String(fmt.Sprintf("arn:aws:rds:%v:123456789012:cluster:%v", region, name)),
DBClusterIdentifier: aws.String(name),
DbClusterResourceId: aws.String(uuid.New().String()),
Engine: aws.String(services.RDSEngineAuroraMySQL),


@ -90,7 +90,7 @@ func TestRedshiftFetcher(t *testing.T) {
func makeRedshiftCluster(t *testing.T, region, env string, opts ...func(*redshift.Cluster)) (*redshift.Cluster, types.Database) {
cluster := &redshift.Cluster{
ClusterIdentifier: aws.String(env),
ClusterNamespaceArn: aws.String(fmt.Sprintf("arn:aws:redshift:%s:1234567890:namespace:%s", region, env)),
ClusterNamespaceArn: aws.String(fmt.Sprintf("arn:aws:redshift:%s:123456789012:namespace:%s", region, env)),
ClusterStatus: aws.String("available"),
Endpoint: &redshift.Endpoint{
Address: aws.String("localhost"),


@ -93,22 +93,22 @@ func TestExtractCredFromAuthHeader(t *testing.T) {
// TestFilterAWSRoles verifies filtering AWS role ARNs by AWS account ID.
func TestFilterAWSRoles(t *testing.T) {
acc1ARN1 := Role{
ARN: "arn:aws:iam::1234567890:role/EC2FullAccess",
ARN: "arn:aws:iam::123456789012:role/EC2FullAccess",
Display: "EC2FullAccess",
Name: "EC2FullAccess",
}
acc1ARN2 := Role{
ARN: "arn:aws:iam::1234567890:role/EC2ReadOnly",
ARN: "arn:aws:iam::123456789012:role/EC2ReadOnly",
Display: "EC2ReadOnly",
Name: "EC2ReadOnly",
}
acc1ARN3 := Role{
ARN: "arn:aws:iam::1234567890:role/path/to/customrole",
ARN: "arn:aws:iam::123456789012:role/path/to/customrole",
Display: "customrole",
Name: "path/to/customrole",
}
acc2ARN1 := Role{
ARN: "arn:aws:iam::0987654321:role/test-role",
ARN: "arn:aws:iam::210987654321:role/test-role",
Display: "test-role",
Name: "test-role",
}
@ -125,12 +125,12 @@ func TestFilterAWSRoles(t *testing.T) {
}{
{
name: "first account roles",
accountID: "1234567890",
accountID: "123456789012",
outARNs: Roles{acc1ARN1, acc1ARN2, acc1ARN3},
},
{
name: "second account roles",
accountID: "0987654321",
accountID: "210987654321",
outARNs: Roles{acc2ARN1},
},
{
@ -146,18 +146,18 @@ func TestFilterAWSRoles(t *testing.T) {
func TestRoles(t *testing.T) {
arns := []string{
"arn:aws:iam::1234567890:role/test-role",
"arn:aws:iam::1234567890:role/EC2FullAccess",
"arn:aws:iam::1234567890:role/path/to/EC2FullAccess",
"arn:aws:iam::123456789012:role/test-role",
"arn:aws:iam::123456789012:role/EC2FullAccess",
"arn:aws:iam::123456789012:role/path/to/EC2FullAccess",
}
roles := FilterAWSRoles(arns, "1234567890")
roles := FilterAWSRoles(arns, "123456789012")
require.Len(t, roles, 3)
t.Run("Sort", func(t *testing.T) {
roles.Sort()
require.Equal(t, "arn:aws:iam::1234567890:role/EC2FullAccess", roles[0].ARN)
require.Equal(t, "arn:aws:iam::1234567890:role/path/to/EC2FullAccess", roles[1].ARN)
require.Equal(t, "arn:aws:iam::1234567890:role/test-role", roles[2].ARN)
require.Equal(t, "arn:aws:iam::123456789012:role/EC2FullAccess", roles[0].ARN)
require.Equal(t, "arn:aws:iam::123456789012:role/path/to/EC2FullAccess", roles[1].ARN)
require.Equal(t, "arn:aws:iam::123456789012:role/test-role", roles[2].ARN)
})
t.Run("FindRoleByARN", func(t *testing.T) {
@ -170,7 +170,7 @@ func TestRoles(t *testing.T) {
})
t.Run("not found", func(t *testing.T) {
_, found := roles.FindRoleByARN("arn:aws:iam::1234567889:role/unknown")
_, found := roles.FindRoleByARN("arn:aws:iam::123456788912:role/unknown")
require.False(t, found)
})
})