Testing a rule
If you've generated the rules using the template command, as shown in Writing a rule, then you can also benefit from using the testing functionality that comes with the SDK and the generated rules.
You may also write your own testing functionality or modify the one generated by the SDK, as you prefer. In that case, however, the instructions on this page will not apply.
Assuming you have written your rule based on the previous tutorial, open the main_test.rego file generated by the SDK's templating functionality and configure the fixture field with the name of the file inside your rules/my_rule/fixtures/ folder. The templating functionality has created one file per supported format and configured the tests to run against all of them, but you may remove fixture files as you desire.
Create or modify fixture files to store your resources under rules/my_rule/fixtures. These files can have any name; this tutorial uses denied.tf and allowed.tf:
Pay close attention to the file extension, however. In particular, if you want to write a test against a fixture containing Terraform plan JSON output, make sure the file name ends in .json.tfplan so that the testing library can differentiate plain JSON from Terraform plan JSON output.
rules/my_rule/fixtures/denied.tf
```hcl
resource "aws_redshift_cluster" "denied" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}
```
rules/my_rule/fixtures/allowed.tf
```hcl
resource "aws_redshift_cluster" "allowed" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
  # tags is a map argument, so it takes "=" (the block form "tags {" is not valid HCL2)
  tags = {
    owner = "snyk"
  }
}
```
In the want_msgs field of each test case, list the msg fields of the results you expect your deny rule to return for that fixture, e.g. ["input.resource.aws_redshift_cluster[denied].tags"].
The want_msgs field should be an array of hardcoded values corresponding to the msg field computed by the Rego rule under test; an empty array, as in the allowed case below, means the rule is expected to return nothing for that fixture.
rules/my_rule/main_test.rego
```rego
package rules

import data.lib
import data.lib.testing

test_my_rule {
	# array containing test cases where the rule is allowed
	allowed_test_cases := [{
		"want_msgs": [],
		"fixture": "allowed.tf",
	}]
	# array containing cases where the rule is denied
	denied_test_cases := [{
		"want_msgs": ["input.resource.aws_redshift_cluster[denied].tags"],
		"fixture": "denied.tf",
	}]
	test_cases := array.concat(allowed_test_cases, denied_test_cases)
	testing.evaluate_test_cases("my_rule", "./rules/my_rule/fixtures", test_cases)
}
```
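The test above only passes when the msg string the rule computes is exactly the one listed in want_msgs. As an added illustration (not this page's or the SDK's own code), here is a minimal rules/my_rule/main.rego deny rule that produces that msg for the two fixtures; the keys of the result object (publicId, title, severity, issue, impact, remediation, references) and the CUSTOM-RULE-1 identifier are assumptions, not taken from this page.

```rego
package rules

# Added example rule, not the page's own code: denies any aws_redshift_cluster
# that has no "owner" tag. The shape of the result object is assumed, not taken
# from this page; the "msg" value is what the test's want_msgs entries must match.
deny[msg] {
	# iterate every Redshift cluster in the parsed fixture, binding its name
	resource := input.resource.aws_redshift_cluster[name]
	# undefined when the resource has no tags at all (denied.tf) or no owner key
	not resource.tags.owner
	msg := {
		# placeholder identifier (assumption)
		"publicId": "CUSTOM-RULE-1",
		"title": "Redshift cluster is missing an owner tag",
		"severity": "medium",
		# for fixtures/denied.tf this evaluates to
		# "input.resource.aws_redshift_cluster[denied].tags", the exact string
		# listed in want_msgs; fixtures/allowed.tf sets tags.owner, so the body
		# above fails and no result is produced, matching its empty want_msgs
		"msg": sprintf("input.resource.aws_redshift_cluster[%s].tags", [name]),
		"issue": "Untagged resources cannot be traced back to an owning team",
		"impact": "Ownerless clusters are hard to audit and to decommission",
		"remediation": "Add a tags map with an owner key to the resource",
		"references": [],
	}
}
```

If the rule's sprintf format changes (for example to reference .tags.owner), the want_msgs entry must change with it, otherwise the denied case fails even though the rule itself still fires.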
To run all tests, run the following command:
```shell
snyk-iac-rules test
```
If your tests pass successfully, you will see an output similar to the following, assuming you have three different rules in your rules/ folder:
```text
PASS: 3/3
```
However, if any of them fail, you will see an output similar to the following:
```text
data.rules.test_my_rule: FAIL (1.12234ms)
FAIL: 2/3
```
If you have more than one rule in your rules/ folder, you can target a specific test by running the following command:
```shell
snyk-iac-rules test --run test_my_rule
```
This will output:
```text
Executing Rego test cases...
data.rules.test_my_rule: FAIL (1.040468ms)
--------------------------------------------------------------------------------
FAIL: 1/1
```
If you need more details about it, add the --explain notes option:
```shell
snyk-iac-rules test --run test_my_rule --explain notes
```
This will output more details to debug the failed test.
If the current folder contains more than your generated rules, consider using the --ignore flag to exclude the folders and files that are irrelevant to testing (make sure not to exclude lib/ and rules/ if you used the template command). This speeds up the tests and also avoids problems where Rego tries to evaluate non-Rego files.