From 691003c4020033e9a94a27911b7ad2c8979b2c5f Mon Sep 17 00:00:00 2001
From: Pat Myron
Date: Tue, 21 Dec 2021 13:45:55 -0800
Subject: [PATCH 1/2] mapping aws_acm_certificate and aws_acm_certificate_validation https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acm_certificate_validation https://github.com/aws/aws-sdk-go/blob/main/models/apis/acm/2015-12-08/api-2.json
---
 rules/models/mappings/acm.hcl | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/rules/models/mappings/acm.hcl b/rules/models/mappings/acm.hcl
index 89b7d08b..1a946a40 100644
--- a/rules/models/mappings/acm.hcl
+++ b/rules/models/mappings/acm.hcl
@@ -7,5 +7,10 @@ mapping "aws_acm_certificate" {
 private_key = PrivateKey
 certificate_body = CertificateBody
 certificate_chain = CertificateChain
+certificate_authority_arn = Arn
 tags = TagList
 }
+
+mapping "aws_acm_certificate_validation" {
+certificate_arn = Arn
+}
From 9ba26549f2093d161f300a5d40423028c9c775bd Mon Sep 17 00:00:00 2001
From: Pat Myron
Date: Tue, 21 Dec 2021 18:11:03 -0500
Subject: [PATCH 2/2] go generate https://stackoverflow.com/questions/3796927/how-to-git-clone-including-submodules
---
 docs/rules/README.md | 2 +
 ...icate_invalid_certificate_authority_arn.go | 87 +++++++++++++++++++
 ...cate_validation_invalid_certificate_arn.go | 87 +++++++++++++++++++
 rules/models/provider.go | 2 +
 4 files changed, 178 insertions(+)
 create mode 100644 rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go
 create mode 100644 rules/models/aws_acm_certificate_validation_invalid_certificate_arn.go
diff --git a/docs/rules/README.md b/docs/rules/README.md
index 507d6ebc..2516fdc6 100644
--- a/docs/rules/README.md
+++ b/docs/rules/README.md
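Review bot: The two new entries (`certificate_authority_arn = Arn` and `certificate_arn = Arn`) bind to ACM's generic `Arn` shape, whose pattern in the generated rules (`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:...`) accepts an ARN of any service and any resource, so the resulting checks enforce ARN syntax and the 20–2048 length bounds only; a wrong-service ARN in `certificate_authority_arn` passes as long as it parses. That is the normal reach of an SDK-shape mapping, but the rule names read as stronger than they are, so it is worth recording the limit at the mapping, e.g. `# Arn = generic ACM ARN shape; the generated rule checks format and length only, not that the ARN names an ACM PCA certificate authority` above `certificate_authority_arn = Arn`, and a matching line above `certificate_arn`. Separately, `certificate_arn` on `aws_acm_certificate_validation` is presumably almost always a reference to another resource's `arn` rather than a literal, in which case the generated rule will only ever fire on hard-coded values; fine, but worth a sentence in the commit body so the gap is not mistaken for coverage.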
@@ -68,9 +68,11 @@ These rules enforce best practices and naming conventions:
 |Rule|Enabled by default|
 | --- | --- |
+|aws_acm_certificate_invalid_certificate_authority_arn|✔|
 |aws_acm_certificate_invalid_certificate_body|✔|
 |aws_acm_certificate_invalid_certificate_chain|✔|
 |aws_acm_certificate_invalid_private_key|✔|
+|aws_acm_certificate_validation_invalid_certificate_arn|✔|
 |aws_acmpca_certificate_authority_invalid_type|✔|
 |aws_alb_invalid_ip_address_type|✔|
 |aws_alb_invalid_load_balancer_type|✔|
diff --git a/rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go b/rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go
new file mode 100644
index 00000000..8c127635
--- /dev/null
+++ b/rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go
@@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsAcmCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid +type AwsAcmCertificateInvalidCertificateAuthorityArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsAcmCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes +func NewAwsAcmCertificateInvalidCertificateAuthorityArnRule() *AwsAcmCertificateInvalidCertificateAuthorityArnRule { + return &AwsAcmCertificateInvalidCertificateAuthorityArnRule{ + resourceType: "aws_acm_certificate", + attributeName: "certificate_authority_arn", + max: 2048, + min: 20, + pattern: regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + } +} + +// Name returns the rule name +func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Name() string { + return "aws_acm_certificate_invalid_certificate_authority_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return 
runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 2048 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 20 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_acm_certificate_validation_invalid_certificate_arn.go b/rules/models/aws_acm_certificate_validation_invalid_certificate_arn.go new file mode 100644 index 00000000..a416a99f --- /dev/null +++ b/rules/models/aws_acm_certificate_validation_invalid_certificate_arn.go 
@@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsAcmCertificateValidationInvalidCertificateArnRule checks the pattern is valid +type AwsAcmCertificateValidationInvalidCertificateArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsAcmCertificateValidationInvalidCertificateArnRule returns new rule with default attributes +func NewAwsAcmCertificateValidationInvalidCertificateArnRule() *AwsAcmCertificateValidationInvalidCertificateArnRule { + return &AwsAcmCertificateValidationInvalidCertificateArnRule{ + resourceType: "aws_acm_certificate_validation", + attributeName: "certificate_arn", + max: 2048, + min: 20, + pattern: regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + } +} + +// Name returns the rule name +func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Name() string { + return "aws_acm_certificate_validation_invalid_certificate_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + 
return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "certificate_arn must be 2048 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "certificate_arn must be 20 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/provider.go b/rules/models/provider.go index 8dea368b..1b51a97c 100644 --- a/rules/models/provider.go +++ b/rules/models/provider.go @@ -6,9 +6,11 @@ import "github.com/terraform-linters/tflint-plugin-sdk/tflint" // Rules is a list of rules generated from aws-sdk-go var Rules = []tflint.Rule{ + NewAwsAcmCertificateInvalidCertificateAuthorityArnRule(), NewAwsAcmCertificateInvalidCertificateBodyRule(), NewAwsAcmCertificateInvalidCertificateChainRule(), NewAwsAcmCertificateInvalidPrivateKeyRule(), + NewAwsAcmCertificateValidationInvalidCertificateArnRule(), NewAwsAcmpcaCertificateAuthorityInvalidTypeRule(), NewAwsALBInvalidIPAddressTypeRule(), NewAwsALBInvalidLoadBalancerTypeRule(),