mapping aws_acm_certificate and aws_acm_certificate_validation

docs/rules/README.md

@@ -70,9 +70,11 @@ These rules enforce best practices and naming conventions:
 | --- | --- |
 |aws_accessanalyzer_analyzer_invalid_analyzer_name|✔|
 |aws_accessanalyzer_analyzer_invalid_type|✔|
+|aws_acm_certificate_invalid_certificate_authority_arn|✔|
 |aws_acm_certificate_invalid_certificate_body|✔|
 |aws_acm_certificate_invalid_certificate_chain|✔|
 |aws_acm_certificate_invalid_private_key|✔|
+|aws_acm_certificate_validation_invalid_certificate_arn|✔|
 |aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn|✔|
 |aws_acmpca_certificate_authority_invalid_type|✔|
 |aws_acmpca_certificate_invalid_certificate_authority_arn|✔|

rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go

@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsAcmCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid
+type AwsAcmCertificateInvalidCertificateAuthorityArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsAcmCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes
+func NewAwsAcmCertificateInvalidCertificateAuthorityArnRule() *AwsAcmCertificateInvalidCertificateAuthorityArnRule {
+	return &AwsAcmCertificateInvalidCertificateAuthorityArnRule{
+		resourceType:  "aws_acm_certificate",
+		attributeName: "certificate_authority_arn",
+		max:           2048,
+		min:           20,
+		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Name() string {
+	return "aws_acm_certificate_invalid_certificate_authority_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 2048 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 20 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/aws_acm_certificate_validation_invalid_certificate_arn.go

@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsAcmCertificateValidationInvalidCertificateArnRule checks the pattern is valid
+type AwsAcmCertificateValidationInvalidCertificateArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsAcmCertificateValidationInvalidCertificateArnRule returns new rule with default attributes
+func NewAwsAcmCertificateValidationInvalidCertificateArnRule() *AwsAcmCertificateValidationInvalidCertificateArnRule {
+	return &AwsAcmCertificateValidationInvalidCertificateArnRule{
+		resourceType:  "aws_acm_certificate_validation",
+		attributeName: "certificate_arn",
+		max:           2048,
+		min:           20,
+		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Name() string {
+	return "aws_acm_certificate_validation_invalid_certificate_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsAcmCertificateValidationInvalidCertificateArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_arn must be 2048 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_arn must be 20 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/mappings/acm.hcl

@@ -7,5 +7,10 @@ mapping "aws_acm_certificate" {
   private_key               = PrivateKey
   certificate_body          = CertificateBody
   certificate_chain         = CertificateChain
+  certificate_authority_arn = Arn
   tags                      = TagList
 }
+
+mapping "aws_acm_certificate_validation" {
+  certificate_arn = Arn
+}

rules/models/provider.go

@@ -8,9 +8,11 @@ import "github.com/terraform-linters/tflint-plugin-sdk/tflint"
 var Rules = []tflint.Rule{
 	NewAwsAccessanalyzerAnalyzerInvalidAnalyzerNameRule(),
 	NewAwsAccessanalyzerAnalyzerInvalidTypeRule(),
+	NewAwsAcmCertificateInvalidCertificateAuthorityArnRule(),
 	NewAwsAcmCertificateInvalidCertificateBodyRule(),
 	NewAwsAcmCertificateInvalidCertificateChainRule(),
 	NewAwsAcmCertificateInvalidPrivateKeyRule(),
+	NewAwsAcmCertificateValidationInvalidCertificateArnRule(),
 	NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule(),
 	NewAwsAcmpcaCertificateAuthorityInvalidTypeRule(),
 	NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule(),