From 7c0d8ce216030bda4b3c5de027390c3939955a00 Mon Sep 17 00:00:00 2001 From: Pat Myron Date: Mon, 27 Dec 2021 12:56:52 -0800 Subject: [PATCH] mapping aws_networkfirewall (#249) https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall https://github.com/aws/aws-sdk-go/blob/main/models/apis/network-firewall/2020-11-12/api-2.json --- docs/rules/README.md | 13 +++ ...rkfirewall_firewall_invalid_description.go | 78 +++++++++++++++++ ...ll_firewall_invalid_firewall_policy_arn.go | 87 +++++++++++++++++++ ...s_networkfirewall_firewall_invalid_name.go | 87 +++++++++++++++++++ ...networkfirewall_firewall_invalid_vpc_id.go | 87 +++++++++++++++++++ ...all_firewall_policy_invalid_description.go | 78 +++++++++++++++++ ...rkfirewall_firewall_policy_invalid_name.go | 87 +++++++++++++++++++ ...ging_configuration_invalid_firewall_arn.go | 87 +++++++++++++++++++ ...firewall_resource_policy_invalid_policy.go | 87 +++++++++++++++++++ ...ll_resource_policy_invalid_resource_arn.go | 87 +++++++++++++++++++ ...firewall_rule_group_invalid_description.go | 78 +++++++++++++++++ ...networkfirewall_rule_group_invalid_name.go | 87 +++++++++++++++++++ ...etworkfirewall_rule_group_invalid_rules.go | 67 ++++++++++++++ ...networkfirewall_rule_group_invalid_type.go | 77 ++++++++++++++++ rules/models/mappings/network-firewall.hcl | 37 ++++++++ rules/models/provider.go | 13 +++ 16 files changed, 1137 insertions(+) create mode 100644 rules/models/aws_networkfirewall_firewall_invalid_description.go create mode 100644 rules/models/aws_networkfirewall_firewall_invalid_firewall_policy_arn.go create mode 100644 rules/models/aws_networkfirewall_firewall_invalid_name.go create mode 100644 rules/models/aws_networkfirewall_firewall_invalid_vpc_id.go create mode 100644 rules/models/aws_networkfirewall_firewall_policy_invalid_description.go create mode 100644 rules/models/aws_networkfirewall_firewall_policy_invalid_name.go create mode 100644 rules/models/aws_networkfirewall_logging_configuration_invalid_firewall_arn.go create mode 100644 rules/models/aws_networkfirewall_resource_policy_invalid_policy.go create mode 100644 rules/models/aws_networkfirewall_resource_policy_invalid_resource_arn.go create mode 100644 rules/models/aws_networkfirewall_rule_group_invalid_description.go create mode 100644 rules/models/aws_networkfirewall_rule_group_invalid_name.go create mode 100644 rules/models/aws_networkfirewall_rule_group_invalid_rules.go create mode 100644 rules/models/aws_networkfirewall_rule_group_invalid_type.go create mode 100644 rules/models/mappings/network-firewall.hcl diff --git a/docs/rules/README.md b/docs/rules/README.md index 971c436d..ce3b4909 100644 --- a/docs/rules/README.md +++ b/docs/rules/README.md @@ -772,6 +772,19 @@ These rules enforce best practices and naming conventions: |aws_msk_cluster_invalid_enhanced_monitoring|✔| |aws_msk_cluster_invalid_kafka_version|✔| |aws_network_acl_rule_invalid_rule_action|✔| +|aws_networkfirewall_firewall_invalid_description|✔| +|aws_networkfirewall_firewall_invalid_firewall_policy_arn|✔| +|aws_networkfirewall_firewall_invalid_name|✔| +|aws_networkfirewall_firewall_invalid_vpc_id|✔| +|aws_networkfirewall_firewall_policy_invalid_description|✔| +|aws_networkfirewall_firewall_policy_invalid_name|✔| +|aws_networkfirewall_logging_configuration_invalid_firewall_arn|✔| +|aws_networkfirewall_resource_policy_invalid_policy|✔| +|aws_networkfirewall_resource_policy_invalid_resource_arn|✔| +|aws_networkfirewall_rule_group_invalid_description|✔| +|aws_networkfirewall_rule_group_invalid_name|✔| +|aws_networkfirewall_rule_group_invalid_rules|✔| +|aws_networkfirewall_rule_group_invalid_type|✔| |aws_opsworks_application_invalid_type|✔| |aws_opsworks_instance_invalid_architecture|✔| |aws_opsworks_instance_invalid_auto_scaling_type|✔| diff --git a/rules/models/aws_networkfirewall_firewall_invalid_description.go b/rules/models/aws_networkfirewall_firewall_invalid_description.go new file mode 100644 index 00000000..1c3c9ba9 --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_invalid_description.go @@ -0,0 +1,78 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallInvalidDescriptionRule checks the pattern is valid +type AwsNetworkfirewallFirewallInvalidDescriptionRule struct { + resourceType string + attributeName string + max int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallInvalidDescriptionRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallInvalidDescriptionRule() *AwsNetworkfirewallFirewallInvalidDescriptionRule { + return &AwsNetworkfirewallFirewallInvalidDescriptionRule{ + resourceType: "aws_networkfirewall_firewall", + attributeName: "description", + max: 512, + pattern: regexp.MustCompile(`^.*$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallInvalidDescriptionRule) Name() string { + return "aws_networkfirewall_firewall_invalid_description" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallInvalidDescriptionRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallInvalidDescriptionRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallInvalidDescriptionRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallInvalidDescriptionRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "description must be 512 characters or less", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^.*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_firewall_invalid_firewall_policy_arn.go b/rules/models/aws_networkfirewall_firewall_invalid_firewall_policy_arn.go new file mode 100644 index 00000000..652f73e1 --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_invalid_firewall_policy_arn.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule checks the pattern is valid +type AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule() *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule { + return &AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule{ + resourceType: "aws_networkfirewall_firewall", + attributeName: "firewall_policy_arn", + max: 256, + min: 1, + pattern: regexp.MustCompile(`^arn:aws.*`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Name() string { + return "aws_networkfirewall_firewall_invalid_firewall_policy_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "firewall_policy_arn must be 256 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "firewall_policy_arn must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_firewall_invalid_name.go b/rules/models/aws_networkfirewall_firewall_invalid_name.go new file mode 100644 index 00000000..ed0cecf2 --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_invalid_name.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallInvalidNameRule checks the pattern is valid +type AwsNetworkfirewallFirewallInvalidNameRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallInvalidNameRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallInvalidNameRule() *AwsNetworkfirewallFirewallInvalidNameRule { + return &AwsNetworkfirewallFirewallInvalidNameRule{ + resourceType: "aws_networkfirewall_firewall", + attributeName: "name", + max: 128, + min: 1, + pattern: regexp.MustCompile(`^[a-zA-Z0-9-]+$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallInvalidNameRule) Name() string { + return "aws_networkfirewall_firewall_invalid_name" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallInvalidNameRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallInvalidNameRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallInvalidNameRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallInvalidNameRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "name must be 128 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "name must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[a-zA-Z0-9-]+$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_firewall_invalid_vpc_id.go b/rules/models/aws_networkfirewall_firewall_invalid_vpc_id.go new file mode 100644 index 00000000..9ef4955f --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_invalid_vpc_id.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallInvalidVpcIDRule checks the pattern is valid +type AwsNetworkfirewallFirewallInvalidVpcIDRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallInvalidVpcIDRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallInvalidVpcIDRule() *AwsNetworkfirewallFirewallInvalidVpcIDRule { + return &AwsNetworkfirewallFirewallInvalidVpcIDRule{ + resourceType: "aws_networkfirewall_firewall", + attributeName: "vpc_id", + max: 128, + min: 1, + pattern: regexp.MustCompile(`^vpc-[0-9a-f]+$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallInvalidVpcIDRule) Name() string { + return "aws_networkfirewall_firewall_invalid_vpc_id" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallInvalidVpcIDRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallInvalidVpcIDRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallInvalidVpcIDRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallInvalidVpcIDRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "vpc_id must be 128 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "vpc_id must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^vpc-[0-9a-f]+$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_firewall_policy_invalid_description.go b/rules/models/aws_networkfirewall_firewall_policy_invalid_description.go new file mode 100644 index 00000000..b8817f56 --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_policy_invalid_description.go @@ -0,0 +1,78 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule checks the pattern is valid +type AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule struct { + resourceType string + attributeName string + max int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallPolicyInvalidDescriptionRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallPolicyInvalidDescriptionRule() *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule { + return &AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule{ + resourceType: "aws_networkfirewall_firewall_policy", + attributeName: "description", + max: 512, + pattern: regexp.MustCompile(`^.*$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule) Name() string { + return "aws_networkfirewall_firewall_policy_invalid_description" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallPolicyInvalidDescriptionRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "description must be 512 characters or less", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^.*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_firewall_policy_invalid_name.go b/rules/models/aws_networkfirewall_firewall_policy_invalid_name.go new file mode 100644 index 00000000..6a3df625 --- /dev/null +++ b/rules/models/aws_networkfirewall_firewall_policy_invalid_name.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallFirewallPolicyInvalidNameRule checks the pattern is valid +type AwsNetworkfirewallFirewallPolicyInvalidNameRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallFirewallPolicyInvalidNameRule returns new rule with default attributes +func NewAwsNetworkfirewallFirewallPolicyInvalidNameRule() *AwsNetworkfirewallFirewallPolicyInvalidNameRule { + return &AwsNetworkfirewallFirewallPolicyInvalidNameRule{ + resourceType: "aws_networkfirewall_firewall_policy", + attributeName: "name", + max: 128, + min: 1, + pattern: regexp.MustCompile(`^[a-zA-Z0-9-]+$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallFirewallPolicyInvalidNameRule) Name() string { + return "aws_networkfirewall_firewall_policy_invalid_name" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallFirewallPolicyInvalidNameRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallFirewallPolicyInvalidNameRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallFirewallPolicyInvalidNameRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallFirewallPolicyInvalidNameRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "name must be 128 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "name must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[a-zA-Z0-9-]+$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_logging_configuration_invalid_firewall_arn.go b/rules/models/aws_networkfirewall_logging_configuration_invalid_firewall_arn.go new file mode 100644 index 00000000..1963f2a8 --- /dev/null +++ b/rules/models/aws_networkfirewall_logging_configuration_invalid_firewall_arn.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule checks the pattern is valid +type AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule returns new rule with default attributes +func NewAwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule() *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule { + return &AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule{ + resourceType: "aws_networkfirewall_logging_configuration", + attributeName: "firewall_arn", + max: 256, + min: 1, + pattern: regexp.MustCompile(`^arn:aws.*`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Name() string { + return "aws_networkfirewall_logging_configuration_invalid_firewall_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "firewall_arn must be 256 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "firewall_arn must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_resource_policy_invalid_policy.go b/rules/models/aws_networkfirewall_resource_policy_invalid_policy.go new file mode 100644 index 00000000..3eeef1a0 --- /dev/null +++ b/rules/models/aws_networkfirewall_resource_policy_invalid_policy.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallResourcePolicyInvalidPolicyRule checks the pattern is valid +type AwsNetworkfirewallResourcePolicyInvalidPolicyRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallResourcePolicyInvalidPolicyRule returns new rule with default attributes +func NewAwsNetworkfirewallResourcePolicyInvalidPolicyRule() *AwsNetworkfirewallResourcePolicyInvalidPolicyRule { + return &AwsNetworkfirewallResourcePolicyInvalidPolicyRule{ + resourceType: "aws_networkfirewall_resource_policy", + attributeName: "policy", + max: 395000, + min: 1, + pattern: regexp.MustCompile(`^.*\S.*$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallResourcePolicyInvalidPolicyRule) Name() string { + return "aws_networkfirewall_resource_policy_invalid_policy" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallResourcePolicyInvalidPolicyRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallResourcePolicyInvalidPolicyRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallResourcePolicyInvalidPolicyRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallResourcePolicyInvalidPolicyRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "policy must be 395000 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "policy must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^.*\S.*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_resource_policy_invalid_resource_arn.go b/rules/models/aws_networkfirewall_resource_policy_invalid_resource_arn.go new file mode 100644 index 00000000..c0a9da05 --- /dev/null +++ b/rules/models/aws_networkfirewall_resource_policy_invalid_resource_arn.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallResourcePolicyInvalidResourceArnRule checks the pattern is valid +type AwsNetworkfirewallResourcePolicyInvalidResourceArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallResourcePolicyInvalidResourceArnRule returns new rule with default attributes +func NewAwsNetworkfirewallResourcePolicyInvalidResourceArnRule() *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule { + return &AwsNetworkfirewallResourcePolicyInvalidResourceArnRule{ + resourceType: "aws_networkfirewall_resource_policy", + attributeName: "resource_arn", + max: 256, + min: 1, + pattern: regexp.MustCompile(`^arn:aws.*`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Name() string { + return "aws_networkfirewall_resource_policy_invalid_resource_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallResourcePolicyInvalidResourceArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "resource_arn must be 256 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "resource_arn must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:aws.*`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_rule_group_invalid_description.go b/rules/models/aws_networkfirewall_rule_group_invalid_description.go new file mode 100644 index 00000000..db1e3bc3 --- /dev/null +++ b/rules/models/aws_networkfirewall_rule_group_invalid_description.go @@ -0,0 +1,78 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallRuleGroupInvalidDescriptionRule checks the pattern is valid +type AwsNetworkfirewallRuleGroupInvalidDescriptionRule struct { + resourceType string + attributeName string + max int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallRuleGroupInvalidDescriptionRule returns new rule with default attributes +func NewAwsNetworkfirewallRuleGroupInvalidDescriptionRule() *AwsNetworkfirewallRuleGroupInvalidDescriptionRule { + return &AwsNetworkfirewallRuleGroupInvalidDescriptionRule{ + resourceType: "aws_networkfirewall_rule_group", + attributeName: "description", + max: 512, + pattern: regexp.MustCompile(`^.*$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallRuleGroupInvalidDescriptionRule) Name() string { + return "aws_networkfirewall_rule_group_invalid_description" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallRuleGroupInvalidDescriptionRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallRuleGroupInvalidDescriptionRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallRuleGroupInvalidDescriptionRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallRuleGroupInvalidDescriptionRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "description must be 512 characters or less", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^.*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_rule_group_invalid_name.go b/rules/models/aws_networkfirewall_rule_group_invalid_name.go new file mode 100644 index 00000000..c8ba8b1b --- /dev/null +++ b/rules/models/aws_networkfirewall_rule_group_invalid_name.go @@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallRuleGroupInvalidNameRule checks the pattern is valid +type AwsNetworkfirewallRuleGroupInvalidNameRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsNetworkfirewallRuleGroupInvalidNameRule returns new rule with default attributes +func NewAwsNetworkfirewallRuleGroupInvalidNameRule() *AwsNetworkfirewallRuleGroupInvalidNameRule { + return &AwsNetworkfirewallRuleGroupInvalidNameRule{ + resourceType: "aws_networkfirewall_rule_group", + attributeName: "name", + max: 128, + min: 1, + pattern: regexp.MustCompile(`^[a-zA-Z0-9-]+$`), + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallRuleGroupInvalidNameRule) Name() string { + return "aws_networkfirewall_rule_group_invalid_name" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallRuleGroupInvalidNameRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallRuleGroupInvalidNameRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallRuleGroupInvalidNameRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallRuleGroupInvalidNameRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "name must be 128 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "name must be 1 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[a-zA-Z0-9-]+$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_rule_group_invalid_rules.go b/rules/models/aws_networkfirewall_rule_group_invalid_rules.go new file mode 100644 index 00000000..56ed45cd --- /dev/null +++ b/rules/models/aws_networkfirewall_rule_group_invalid_rules.go @@ -0,0 +1,67 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "log" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallRuleGroupInvalidRulesRule checks the pattern is valid +type AwsNetworkfirewallRuleGroupInvalidRulesRule struct { + resourceType string + attributeName string + max int +} + +// NewAwsNetworkfirewallRuleGroupInvalidRulesRule returns new rule with default attributes +func NewAwsNetworkfirewallRuleGroupInvalidRulesRule() *AwsNetworkfirewallRuleGroupInvalidRulesRule { + return &AwsNetworkfirewallRuleGroupInvalidRulesRule{ + resourceType: "aws_networkfirewall_rule_group", + attributeName: "rules", + max: 2000000, + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallRuleGroupInvalidRulesRule) Name() string { + return "aws_networkfirewall_rule_group_invalid_rules" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallRuleGroupInvalidRulesRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallRuleGroupInvalidRulesRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallRuleGroupInvalidRulesRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallRuleGroupInvalidRulesRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "rules must be 2000000 characters or less", + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_networkfirewall_rule_group_invalid_type.go b/rules/models/aws_networkfirewall_rule_group_invalid_type.go new file mode 100644 index 00000000..549ccfc8 --- /dev/null +++ b/rules/models/aws_networkfirewall_rule_group_invalid_type.go @@ -0,0 +1,77 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsNetworkfirewallRuleGroupInvalidTypeRule checks the pattern is valid +type AwsNetworkfirewallRuleGroupInvalidTypeRule struct { + resourceType string + attributeName string + enum []string +} + +// NewAwsNetworkfirewallRuleGroupInvalidTypeRule returns new rule with default attributes +func NewAwsNetworkfirewallRuleGroupInvalidTypeRule() *AwsNetworkfirewallRuleGroupInvalidTypeRule { + return &AwsNetworkfirewallRuleGroupInvalidTypeRule{ + resourceType: "aws_networkfirewall_rule_group", + attributeName: "type", + enum: []string{ + "STATELESS", + "STATEFUL", + }, + } +} + +// Name returns the rule name +func (r *AwsNetworkfirewallRuleGroupInvalidTypeRule) Name() string { + return "aws_networkfirewall_rule_group_invalid_type" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsNetworkfirewallRuleGroupInvalidTypeRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsNetworkfirewallRuleGroupInvalidTypeRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsNetworkfirewallRuleGroupInvalidTypeRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsNetworkfirewallRuleGroupInvalidTypeRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + found := false + for _, item := range r.enum { + if item == val { + found = true + } + } + if !found { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" is an invalid value as type`, truncateLongMessage(val)), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/mappings/network-firewall.hcl b/rules/models/mappings/network-firewall.hcl new file mode 100644 index 00000000..eda98776 --- /dev/null +++ b/rules/models/mappings/network-firewall.hcl @@ -0,0 +1,37 @@ +import = "aws-sdk-go/models/apis/network-firewall/2020-11-12/api-2.json" + +mapping "aws_networkfirewall_firewall" { + description = Description + firewall_policy_arn = ResourceArn + name = ResourceName + subnet_mapping = SubnetMappings + tags = TagList + vpc_id = VpcId +} + +mapping "aws_networkfirewall_firewall_policy" { + description = Description + firewall_policy = FirewallPolicy + name = ResourceName + tags = TagList +} + +mapping "aws_networkfirewall_logging_configuration" { + firewall_arn = ResourceArn + logging_configuration = LoggingConfiguration +} + +mapping "aws_networkfirewall_resource_policy" { + policy = PolicyString + resource_arn = ResourceArn +} + +mapping "aws_networkfirewall_rule_group" { + capacity = RuleCapacity + description = Description + name = ResourceName + rule_group = RuleGroup + rules = RulesString + tags = TagList + type = RuleGroupType +} diff --git a/rules/models/provider.go b/rules/models/provider.go index 0452e9c2..d918ea6a 100644 --- a/rules/models/provider.go +++ b/rules/models/provider.go @@ -700,6 +700,19 @@ var Rules = []tflint.Rule{ NewAwsMskClusterInvalidEnhancedMonitoringRule(), NewAwsMskClusterInvalidKafkaVersionRule(), NewAwsNetworkACLRuleInvalidRuleActionRule(), + NewAwsNetworkfirewallFirewallInvalidDescriptionRule(), + NewAwsNetworkfirewallFirewallInvalidFirewallPolicyArnRule(), + NewAwsNetworkfirewallFirewallInvalidNameRule(), + NewAwsNetworkfirewallFirewallInvalidVpcIDRule(), + NewAwsNetworkfirewallFirewallPolicyInvalidDescriptionRule(), + NewAwsNetworkfirewallFirewallPolicyInvalidNameRule(), + NewAwsNetworkfirewallLoggingConfigurationInvalidFirewallArnRule(), + NewAwsNetworkfirewallResourcePolicyInvalidPolicyRule(), + NewAwsNetworkfirewallResourcePolicyInvalidResourceArnRule(), + NewAwsNetworkfirewallRuleGroupInvalidDescriptionRule(), + NewAwsNetworkfirewallRuleGroupInvalidNameRule(), + NewAwsNetworkfirewallRuleGroupInvalidRulesRule(), + NewAwsNetworkfirewallRuleGroupInvalidTypeRule(), NewAwsOpsworksApplicationInvalidTypeRule(), NewAwsOpsworksInstanceInvalidArchitectureRule(), NewAwsOpsworksInstanceInvalidAutoScalingTypeRule(),