Merge pull request #21800 from hashicorp/svgpkg-semgrep

Linting: Restores more Semgrep rules

.semgrep.yml

@@ -43,27 +43,24 @@ rules:
     languages: [go]
     message: Prefer AWS Go SDK pointer conversion functions for dereferencing during assignment, e.g. aws.StringValue()
     paths:
-      exclude:
-        - aws/cloudfront_distribution_configuration_structure.go
-        - aws/data_source_aws_route_table.go
-        - aws/opsworks_layers.go
-        - aws/resource_aws_d*
-        - aws/resource_aws_e*
-        - aws/resource_aws_g*
-        - aws/resource_aws_i*
-        - aws/resource_aws_k*
-        - aws/resource_aws_l*
-        - aws/resource_aws_mq_broker.go
-        - aws/resource_aws_o*
-        - aws/resource_aws_r*
-        - aws/resource_aws_s*
-        - aws/structure.go
-        - aws/waf_helpers.go
-        - aws/internal/generators/
-        - aws/internal/keyvaluetags/
-        - providerlint/vendor/
       include:
-        - aws/
+        - internal/service
+      exclude:
+        - internal/service/ec2
+        - internal/service/elasticbeanstalk
+        - internal/service/elasticsearch
+        - internal/service/elb
+        - internal/service/emr
+        - internal/service/gamelift
+        - internal/service/iam
+        - internal/service/lambda
+        - internal/service/opsworks
+        - internal/service/rds
+        - internal/service/redshift
+        - internal/service/route53
+        - internal/service/s3
+        - internal/service/servicediscovery
+        - internal/service/ssm
     patterns:
       - pattern: '$LHS = *$RHS'
       - pattern-not: '*$LHS2 = *$RHS'
@@ -121,7 +118,7 @@ rules:
     message: Prefer AWS Go SDK pointer conversion aws.StringValue() function for dereferencing during d.SetId()
     paths:
       include:
-        - aws/
+        - internal/
     pattern: 'd.SetId(*$VALUE)'
     severity: WARNING
 
@@ -131,7 +128,7 @@ rules:
     message: Using AWS Go SDK pointer conversion, e.g. aws.String(), with immediate dereferencing is extraneous
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: '*aws.Bool($VALUE)'
@@ -146,7 +143,7 @@ rules:
     message: Calling a resource's Read method from within a data-source is discouraged
     paths:
       include:
-        - aws/data_source_aws_*.go
+        - internal/service/**/*_data_source.go
     patterns:
       - pattern-regex: '(resource.+Read|flatten.+Resource)'
       - pattern-inside: func $FUNCNAME(...) $RETURNTYPE { ... }
@@ -164,7 +161,7 @@ rules:
     message: Using `acctest.RandInt()` in constant or variable declaration will execute during compilation and not randomize, pass into string generating function instead
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: const $CONST = fmt.Sprintf(..., <... acctest.RandInt() ...>, ...)
@@ -176,7 +173,7 @@ rules:
     message: Using `acctest.RandString()` in constant or variable declaration will execute during compilation and not randomize, pass into string generating function instead
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: const $CONST = fmt.Sprintf(..., <... acctest.RandString(...) ...>, ...)
@@ -188,7 +185,7 @@ rules:
     message: Using `acctest.RandomWithPrefix()` in constant or variable declaration will execute during compilation and not randomize, pass into string generating function instead
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: const $CONST = fmt.Sprintf(..., <... acctest.RandomWithPrefix(...) ...>, ...)
@@ -200,7 +197,7 @@ rules:
     message: Prefer `flattenStringSet()` function for casting a list of string pointers to a set
     paths:
       include:
-        - aws/
+        - internal/
     pattern: schema.NewSet(schema.HashString, flattenStringList($APIOBJECT))
     severity: WARNING
 
@@ -209,7 +206,7 @@ rules:
     message: Prefer `expandStringSet()` function for casting a set to a list of string pointers
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: expandStringList($SET.List())
@@ -224,7 +221,7 @@ rules:
     message: Zero value conditional check after `d.GetOk()` is extraneous
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: if $VALUE, $OK := d.GetOk($KEY); $OK && $VALUE.(bool) { $BODY }
@@ -240,7 +237,7 @@ rules:
     message: AWS Go SDK pointer conversion function for `d.Set()` value is extraneous
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
           - pattern: d.Set($ATTRIBUTE, aws.BoolValue($APIOBJECT))
@@ -251,28 +248,29 @@ rules:
           - pattern: d.Set($ATTRIBUTE, aws.StringValue($APIOBJECT))
     severity: WARNING
 
-  - id: helper-schema-ResourceData-DataSource-Set-tags
-    languages: [go]
-    message: (schema.ResourceData).Set() call with the tags key should include IgnoreConfig in the value
-    paths:
-      include:
-        - aws/data_source*.go
-      exclude:
-        - aws/resource*.go
-    patterns:
-      - pattern-inside: func $READMETHOD(...) $ERRORTYPE { ... }
-      - pattern: if err := d.Set("tags", $TAGSMAP); err != nil { ... }
-      - pattern-not: if err := d.Set("tags", $KEYVALUETAGS.IgnoreAws().IgnoreConfig($CONFIG).Map()); err != nil { ... }
-    severity: WARNING
+  # Not sure why this isn't working
+  # - id: helper-schema-ResourceData-DataSource-Set-tags
+  #   languages: [go]
+  #   message: (schema.ResourceData).Set() call with the tags key should include IgnoreConfig in the value
+  #   paths:
+  #     include:
+  #       - internal/service/**/*_data_source.go
+  #     exclude:
+  #       - internal/service/**/*.go
+  #   patterns:
+  #     - pattern-inside: func $READMETHOD(...) $ERRORTYPE { ... }
+  #     - pattern: if err := d.Set("tags", $TAGSMAP); err != nil { ... }
+  #     - pattern-not: if err := d.Set("tags", $KEYVALUETAGS.IgnoreAws().IgnoreConfig($CONFIG).Map()); err != nil { ... }
+  #   severity: WARNING
 
   - id: helper-schema-ResourceData-Resource-Set-tags
     languages: [go]
     message: (schema.ResourceData).Set() call with the tags key should be preceded by a call to IgnoreConfig or include IgnoreConfig in the value in the case of ASG
     paths:
       include:
-        - aws/resource*.go
+        - internal/service/**/*.go
       exclude:
-        - aws/data_source*.go
+        - internal/service/**/*_data_source.go
     patterns:
       - pattern-inside: func $READMETHOD(...) $ERRORTYPE { ... }
       - pattern-either:
@@ -301,6 +299,9 @@ rules:
       - pattern-not: |
           tags = keyvaluetags.$VALUETAGS($RESOURCETAGS).IgnoreAws().IgnoreConfig($CONFIG)
           ...
+      - pattern-not: |
+          tags = $VALUETAGS($RESOURCETAGS).IgnoreAWS().IgnoreConfig($CONFIG).Ignore($IGNORE)
+          ...
     severity: WARNING
 
   - id: helper-schema-ResourceData-SetId-empty-without-IsNewResource-check
@@ -352,9 +353,9 @@ rules:
     paths:
       exclude:
         - "*_test.go"
-        - aws/internal/tfresource/*.go
+        - sweep.go
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - patterns:
@@ -434,7 +435,7 @@ rules:
       exclude:
         - "*_test.go"
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - patterns:
@@ -486,7 +487,7 @@ rules:
     message: Check for resource.NotFoundError errors with tfresource.NotFound()
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - patterns:
@@ -510,7 +511,7 @@ rules:
     message: Use time.Equal() instead of ==
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-either:
         - pattern: |
@@ -536,7 +537,7 @@ rules:
     message: Use lastPage for bool variable in pagination functions
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern: |
           $X.$Z(..., func(..., $Y bool) {
@@ -559,10 +560,10 @@ rules:
     languages: [go]
     message: Do not call `fmt.Print` and variant
     paths:
+      include:
+        - internal/
       exclude:
         - providerlint/vendor/
-      include:
-        - aws/
     patterns:
       - pattern-either:
         - pattern: |
@@ -595,7 +596,7 @@ rules:
     message: Use default email address or generate a random email address. https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/contributing/running-and-writing-acceptance-tests.md#hardcoded-email-addresses
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern-regex: '[-_A-Za-z0-9.+]+@([-A-Za-z0-9]+\.)(com|net|org)'
       - pattern-not-regex: 'no-reply@hashicorp\.com'
@@ -607,7 +608,7 @@ rules:
     message: Generate random SSH keys using acctest.RandSSHKeyPair() or RandSSHKeyPairSize(). https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/contributing/running-and-writing-acceptance-tests.md#hardcoded-ssh-key
     paths:
       include:
-        - aws/
+        - internal/
       exclude:
         - providerlint/vendor/
     patterns:
@@ -622,7 +623,7 @@ rules:
     message: Incorrect form of non-tags change detection. https://github.com/hashicorp/terraform-provider-aws/blob/main/docs/contributing/contribution-checklists.md#resource-tagging-code-implementation
     paths:
       include:
-        - aws/
+        - internal/
     patterns:
       - pattern: 'if d.HasChangeExcept("tags_all") {...}'
     severity: WARNING

internal/service/apigateway/flex.go

@@ -112,11 +112,11 @@ func FlattenThrottleSettings(settings *apigateway.ThrottleSettings) []map[string
 	if settings != nil {
 		r := make(map[string]interface{})
 		if settings.BurstLimit != nil {
-			r["burst_limit"] = *settings.BurstLimit
+			r["burst_limit"] = aws.Int64Value(settings.BurstLimit)
 		}
 
 		if settings.RateLimit != nil {
-			r["rate_limit"] = *settings.RateLimit
+			r["rate_limit"] = aws.Float64Value(settings.RateLimit)
 		}
 
 		result = append(result, r)

internal/service/autoscaling/launch_configuration.go

@@ -744,15 +744,11 @@ func readBlockDevicesFromLaunchConfiguration(d *schema.ResourceData, lc *autosca
 	if len(lc.BlockDeviceMappings) == 0 {
 		return nil, nil
 	}
-	rootDeviceName, err := fetchRootDeviceName(d.Get("image_id").(string), ec2conn)
+	v, err := fetchRootDeviceName(d.Get("image_id").(string), ec2conn)
 	if err != nil {
 		return nil, err
 	}
-	if rootDeviceName == nil {
-		// We do this so the value is empty so we don't have to do nil checks later
-		var blank string
-		rootDeviceName = &blank
-	}
+	rootDeviceName := aws.StringValue(v)
 
 	// Collect existing configured devices, so we can check
 	// existing value of delete_on_termination below
@@ -777,41 +773,41 @@ func readBlockDevicesFromLaunchConfiguration(d *schema.ResourceData, lc *autosca
 			}
 			bd["delete_on_termination"] = deleteOnTermination
 		} else if bdm.Ebs != nil && bdm.Ebs.DeleteOnTermination != nil {
-			bd["delete_on_termination"] = *bdm.Ebs.DeleteOnTermination
+			bd["delete_on_termination"] = aws.BoolValue(bdm.Ebs.DeleteOnTermination)
 		}
 
 		if bdm.Ebs != nil && bdm.Ebs.VolumeSize != nil {
-			bd["volume_size"] = *bdm.Ebs.VolumeSize
+			bd["volume_size"] = aws.Int64Value(bdm.Ebs.VolumeSize)
 		}
 		if bdm.Ebs != nil && bdm.Ebs.VolumeType != nil {
-			bd["volume_type"] = *bdm.Ebs.VolumeType
+			bd["volume_type"] = aws.StringValue(bdm.Ebs.VolumeType)
 		}
 		if bdm.Ebs != nil && bdm.Ebs.Iops != nil {
-			bd["iops"] = *bdm.Ebs.Iops
+			bd["iops"] = aws.Int64Value(bdm.Ebs.Iops)
 		}
 		if bdm.Ebs != nil && bdm.Ebs.Throughput != nil {
-			bd["throughput"] = *bdm.Ebs.Throughput
+			bd["throughput"] = aws.Int64Value(bdm.Ebs.Throughput)
 		}
 		if bdm.Ebs != nil && bdm.Ebs.Encrypted != nil {
-			bd["encrypted"] = *bdm.Ebs.Encrypted
+			bd["encrypted"] = aws.BoolValue(bdm.Ebs.Encrypted)
 		}
 
-		if bdm.DeviceName != nil && *bdm.DeviceName == *rootDeviceName {
+		if bdm.DeviceName != nil && aws.StringValue(bdm.DeviceName) == rootDeviceName {
 			blockDevices["root"] = bd
 		} else {
 			if bdm.DeviceName != nil {
-				bd["device_name"] = *bdm.DeviceName
+				bd["device_name"] = aws.StringValue(bdm.DeviceName)
 			}
 
 			if bdm.VirtualName != nil {
-				bd["virtual_name"] = *bdm.VirtualName
+				bd["virtual_name"] = aws.StringValue(bdm.VirtualName)
 				blockDevices["ephemeral"] = append(blockDevices["ephemeral"].([]map[string]interface{}), bd)
 			} else {
 				if bdm.Ebs != nil && bdm.Ebs.SnapshotId != nil {
-					bd["snapshot_id"] = *bdm.Ebs.SnapshotId
+					bd["snapshot_id"] = aws.StringValue(bdm.Ebs.SnapshotId)
 				}
 				if bdm.NoDevice != nil {
-					bd["no_device"] = *bdm.NoDevice
+					bd["no_device"] = aws.BoolValue(bdm.NoDevice)
 				}
 				blockDevices["ebs"] = append(blockDevices["ebs"].([]map[string]interface{}), bd)
 			}

internal/service/autoscaling/sweep.go

@@ -104,7 +104,7 @@ func sweepLaunchConfigurations(region string) error {
 	}
 
 	for _, lc := range resp.LaunchConfigurations {
-		name := *lc.LaunchConfigurationName
+		name := aws.StringValue(lc.LaunchConfigurationName)
 
 		log.Printf("[INFO] Deleting Launch Configuration: %s", name)
 		_, err := conn.DeleteLaunchConfiguration(