Add --minimum-failure-severity flag, sets minimum issue severity for non-zero exit

[nicolajv]

Resolves #1556

Add the --minimum-severity option allowing only certain severities to result in a non-zero exit code

[wata727]

Thank you for your contributions. Left some comments.

By the way, the naming may have room for improvement. The --minimum-seveirty is the same as present in tfsec, but tfsec filters the issues. This difference in behavior may confuse users.

We have several options:

1. Filter issues like tfsec
2. Rename (e.g. Ben's suggestion is --min-failure, any other good name would be nice)
3. Assume no confusion and adopt --minimum-severity

What do you think?

[wata727]

The severity numbers are not intentional and are assigned mechanically, so avoid comparing them.

[bendrucker]

Well they are defined in order, just arguably backwards, and definitely not the way this code expects:

https://github.com/terraform-linters/tflint-plugin-sdk/blob/3721c4b92974d442bb3b0985f327b1b929a0e579/tflint/issue.go#L4-L13

Error is 0 and Notice is 2.

They're also re-declared which should be resolved:

tflint/tflint/issue.go

Lines 24 to 31 in 7b4785d

	const (
	// ERROR is possible errors
	ERROR Severity = iota
	// WARNING doesn't cause problem immediately, but not good
	WARNING
	// NOTICE is not important, it's mentioned
	NOTICE
	)

[nicolajv]

Ah I made a hasty assumption here, my bad! I do think it would make more sense to have them in an order from info to error, which would allow for these kinds of comparisons. For now I've implemented a function to convert them to the values I need, but it of course necessitates changing that method if you were to add new severities... But in general it looks like sweeping changes would be needed to add new severities, since there are switch statements using them all over the codebase.
I also removed the redeclared severity constant and references the SDK everywhere instead. Let me know if this is something that should be saved for another PR 🤪

[bendrucker]

My thought was minimum-failure-severity would be appropriate (as opposed to my original suggestion with error. I would assume --minimum-severity filters out issues below the specified severity from the output. Error is ambiguous (also the name of a severity) and failure is the best alternative I can up with to describe a non-zero exit code. It's fairly commonly used in high ranking pages in a Google search for bash non-zero exit code, maybe as much as error:

https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
https://www.cyberciti.biz/faq/bash-get-exit-code-of-command/
https://tldp.org/LDP/abs/html/exit-status.html

[bendrucker]

Well they are defined in order, just arguably backwards, and definitely not the way this code expects:

https://github.com/terraform-linters/tflint-plugin-sdk/blob/3721c4b92974d442bb3b0985f327b1b929a0e579/tflint/issue.go#L4-L13

Error is 0 and Notice is 2.

They're also re-declared which should be resolved:

tflint/tflint/issue.go

Lines 24 to 31 in 7b4785d

	const (
	// ERROR is possible errors
	ERROR Severity = iota
	// WARNING doesn't cause problem immediately, but not good
	WARNING
	// NOTICE is not important, it's mentioned
	NOTICE
	)

[bendrucker]

This should be handled alongside the severity type, e.g. func NewSeverity(s string) (Severity, error). An error would be returned if s is not a recognized severity. Handling it here is too error prone, e.g. if a new severity is added someone has to find and update this code.

[bendrucker]

I guess with the addition of choice to the struct tag an update is required anyway, but it would still be good to not hardcode this. At a minimum these severity codes should be exported/referenced instead of directly hardcoding the ints.

[nicolajv]

Like I mentioned above I think adding a new severity would be a task requiring many changes anyway, but I do agree the logic around severity should not be in inspect.go. I the functions which handle the conversion from the string into Severity and into in32 for comparison into the issue.go file. Not sure if this is the best space for it, but that seemed to be the home of severity.
I also removed the redeclaration of severity and changed references to point to the declaration in the SDK.

[nicolajv]

Thank you for your contributions. Left some comments.

By the way, the naming may have room for improvement. The --minimum-seveirty is the same as present in tfsec, but tfsec filters the issues. This difference in behavior may confuse users.

We have several options:

1. Filter issues like tfsec
2. Rename (e.g. Ben's suggestion is --min-failure, any other good name would be nice)
3. Assume no confusion and adopt --minimum-severity

What do you think?

I went with minimum-failure-severity for now as suggested by bendrucker. Makes sense to me to avoid the overlap with tfsec, especially as I think this feature should definitely not filter out issues; the use case this is important for is running in CI where you want to fail on a certain level of severity but continue and just print on the lower ones.

[wata727]

👍

[bendrucker]

Nice work on all the refactoring!

[sergei-ivanov]

Somehow this new flag does not seem to be working as expected in the latest release. If I only have a bunch of warnings, I get return code zero, no matter what I set minimum-failure-severity to. If I have any errors, I always have a non-zero return code.

[bendrucker]

Can you open an issue? There are integration tests against this behavior so it's not obvious how it wouldn't be working.