diff --git a/docs/rules/README.md b/docs/rules/README.md
index bb07849b..a148c524 100644
--- a/docs/rules/README.md
+++ b/docs/rules/README.md
@@ -536,10 +536,14 @@ These rules enforce best practices and naming conventions:
 |aws_ecs_task_definition_invalid_network_mode|✔|
 |aws_ecs_task_definition_invalid_pid_mode|✔|
 |aws_ecs_task_set_invalid_launch_type|✔|
+|aws_efs_access_point_invalid_file_system_id|✔|
+|aws_efs_backup_policy_invalid_file_system_id|✔|
 |aws_efs_file_system_invalid_creation_token|✔|
 |aws_efs_file_system_invalid_kms_key_id|✔|
 |aws_efs_file_system_invalid_performance_mode|✔|
 |aws_efs_file_system_invalid_throughput_mode|✔|
+|aws_efs_file_system_policy_invalid_file_system_id|✔|
+|aws_efs_file_system_policy_invalid_policy|✔|
 |aws_efs_mount_target_invalid_file_system_id|✔|
 |aws_efs_mount_target_invalid_ip_address|✔|
 |aws_efs_mount_target_invalid_subnet_id|✔|
diff --git a/rules/models/aws_efs_access_point_invalid_file_system_id.go b/rules/models/aws_efs_access_point_invalid_file_system_id.go
new file mode 100644
index 00000000..b96b755f
--- /dev/null
+++ b/rules/models/aws_efs_access_point_invalid_file_system_id.go
@@ -0,0 +1,78 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+ "regexp"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEfsAccessPointInvalidFileSystemIDRule checks the pattern is valid
+type AwsEfsAccessPointInvalidFileSystemIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ pattern *regexp.Regexp
+}
+
+// NewAwsEfsAccessPointInvalidFileSystemIDRule returns new rule with default attributes
+func NewAwsEfsAccessPointInvalidFileSystemIDRule() *AwsEfsAccessPointInvalidFileSystemIDRule {
+ return &AwsEfsAccessPointInvalidFileSystemIDRule{
+ resourceType: "aws_efs_access_point",
+ attributeName: "file_system_id",
+ max: 128,
+ pattern: regexp.MustCompile(`^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ }
+}
+
+// Name returns the rule name
+func (r *AwsEfsAccessPointInvalidFileSystemIDRule) Name() string {
+ return "aws_efs_access_point_invalid_file_system_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEfsAccessPointInvalidFileSystemIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEfsAccessPointInvalidFileSystemIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEfsAccessPointInvalidFileSystemIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEfsAccessPointInvalidFileSystemIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "file_system_id must be 128 characters or less",
+ attribute.Expr,
+ )
+ }
+ if !r.pattern.MatchString(val) {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_efs_backup_policy_invalid_file_system_id.go b/rules/models/aws_efs_backup_policy_invalid_file_system_id.go
new file mode 100644
index 00000000..a684b0cc
--- /dev/null
+++ b/rules/models/aws_efs_backup_policy_invalid_file_system_id.go
@@ -0,0 +1,78 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+ "regexp"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEfsBackupPolicyInvalidFileSystemIDRule checks the pattern is valid
+type AwsEfsBackupPolicyInvalidFileSystemIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ pattern *regexp.Regexp
+}
+
+// NewAwsEfsBackupPolicyInvalidFileSystemIDRule returns new rule with default attributes
+func NewAwsEfsBackupPolicyInvalidFileSystemIDRule() *AwsEfsBackupPolicyInvalidFileSystemIDRule {
+ return &AwsEfsBackupPolicyInvalidFileSystemIDRule{
+ resourceType: "aws_efs_backup_policy",
+ attributeName: "file_system_id",
+ max: 128,
+ pattern: regexp.MustCompile(`^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ }
+}
+
+// Name returns the rule name
+func (r *AwsEfsBackupPolicyInvalidFileSystemIDRule) Name() string {
+ return "aws_efs_backup_policy_invalid_file_system_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEfsBackupPolicyInvalidFileSystemIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEfsBackupPolicyInvalidFileSystemIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEfsBackupPolicyInvalidFileSystemIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEfsBackupPolicyInvalidFileSystemIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "file_system_id must be 128 characters or less",
+ attribute.Expr,
+ )
+ }
+ if !r.pattern.MatchString(val) {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_efs_file_system_policy_invalid_file_system_id.go b/rules/models/aws_efs_file_system_policy_invalid_file_system_id.go
new file mode 100644
index 00000000..1da08fe0
--- /dev/null
+++ b/rules/models/aws_efs_file_system_policy_invalid_file_system_id.go
@@ -0,0 +1,78 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+ "regexp"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEfsFileSystemPolicyInvalidFileSystemIDRule checks the pattern is valid
+type AwsEfsFileSystemPolicyInvalidFileSystemIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ pattern *regexp.Regexp
+}
+
+// NewAwsEfsFileSystemPolicyInvalidFileSystemIDRule returns new rule with default attributes
+func NewAwsEfsFileSystemPolicyInvalidFileSystemIDRule() *AwsEfsFileSystemPolicyInvalidFileSystemIDRule {
+ return &AwsEfsFileSystemPolicyInvalidFileSystemIDRule{
+ resourceType: "aws_efs_file_system_policy",
+ attributeName: "file_system_id",
+ max: 128,
+ pattern: regexp.MustCompile(`^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ }
+}
+
+// Name returns the rule name
+func (r *AwsEfsFileSystemPolicyInvalidFileSystemIDRule) Name() string {
+ return "aws_efs_file_system_policy_invalid_file_system_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEfsFileSystemPolicyInvalidFileSystemIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEfsFileSystemPolicyInvalidFileSystemIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEfsFileSystemPolicyInvalidFileSystemIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEfsFileSystemPolicyInvalidFileSystemIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "file_system_id must be 128 characters or less",
+ attribute.Expr,
+ )
+ }
+ if !r.pattern.MatchString(val) {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^(arn:aws[-a-z]*:elasticfilesystem:[0-9a-z-:]+:file-system/fs-[0-9a-f]{8,40}|fs-[0-9a-f]{8,40})$`),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_efs_file_system_policy_invalid_policy.go b/rules/models/aws_efs_file_system_policy_invalid_policy.go
new file mode 100644
index 00000000..6464977d
--- /dev/null
+++ b/rules/models/aws_efs_file_system_policy_invalid_policy.go
@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+ "regexp"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEfsFileSystemPolicyInvalidPolicyRule checks the pattern is valid
+type AwsEfsFileSystemPolicyInvalidPolicyRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+ pattern *regexp.Regexp
+}
+
+// NewAwsEfsFileSystemPolicyInvalidPolicyRule returns new rule with default attributes
+func NewAwsEfsFileSystemPolicyInvalidPolicyRule() *AwsEfsFileSystemPolicyInvalidPolicyRule {
+ return &AwsEfsFileSystemPolicyInvalidPolicyRule{
+ resourceType: "aws_efs_file_system_policy",
+ attributeName: "policy",
+ max: 20000,
+ min: 1,
+ pattern: regexp.MustCompile(`^[\s\S]+$`),
+ }
+}
+
+// Name returns the rule name
+func (r *AwsEfsFileSystemPolicyInvalidPolicyRule) Name() string {
+ return "aws_efs_file_system_policy_invalid_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEfsFileSystemPolicyInvalidPolicyRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEfsFileSystemPolicyInvalidPolicyRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEfsFileSystemPolicyInvalidPolicyRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEfsFileSystemPolicyInvalidPolicyRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "policy must be 20000 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "policy must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ if !r.pattern.MatchString(val) {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[\s\S]+$`),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/mappings/efs.hcl b/rules/models/mappings/efs.hcl
index 906e4a22..818bff0e 100644
--- a/rules/models/mappings/efs.hcl
+++ b/rules/models/mappings/efs.hcl
@@ -1,5 +1,17 @@
 import = "aws-sdk-go/models/apis/elasticfilesystem/2015-02-01/api-2.json"
+mapping "aws_efs_access_point" {
+ file_system_id = FileSystemId
+ posix_user = PosixUser
+ root_directory = RootDirectory
+ tags = Tags
+}
+
+mapping "aws_efs_backup_policy" {
+ file_system_id = FileSystemId
+ backup_policy = BackupPolicy
+}
+
 mapping "aws_efs_file_system" {
 creation_token = CreationToken
 encrypted = Encrypted
@@ -10,6 +22,12 @@ mapping "aws_efs_file_system" {
 throughput_mode = ThroughputMode
 }
+mapping "aws_efs_file_system_policy" {
+ file_system_id = FileSystemId
+ bypass_policy_lockout_safety_check = BypassPolicyLockoutSafetyCheck
+ policy = Policy
+}
+
 mapping "aws_efs_mount_target" {
 file_system_id = FileSystemId
 subnet_id = SubnetId
diff --git a/rules/models/provider.go b/rules/models/provider.go
index b4fea1f0..7c8e39a0 100644
--- a/rules/models/provider.go
+++ b/rules/models/provider.go
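Review bot: The `policy = Policy` line in the `aws_efs_file_system_policy` mapping yields a rule whose pattern check can never fire on its own: the generated `aws_efs_file_system_policy_invalid_policy.go` compiles `^[\s\S]+$`, which matches every non-empty string, so the `MatchString` branch only duplicates the `min: 1` length check while still paying for a regex match per attribute. Since the attribute is the file system's resource policy document, a length-only rule gives little assurance and the README entry may suggest more validation than actually happens; if the generator cannot express a structural (JSON) check for this shape, consider either leaving `policy` out of the mapping or adding a comment on that line such as `# Policy: only the 1..20000 length bound is enforced; the pattern accepts any non-empty string`. The generated message `"policy must be 1 characters or higher"` also reads awkwardly for a minimum of one; if the generator template permits, `"policy must not be empty"` would be clearer, though that change belongs in `generator/`, which is outside this diff.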
@@ -464,10 +464,14 @@ var Rules = []tflint.Rule{
 NewAwsEcsTaskDefinitionInvalidNetworkModeRule(),
 NewAwsEcsTaskDefinitionInvalidPidModeRule(),
 NewAwsEcsTaskSetInvalidLaunchTypeRule(),
+ NewAwsEfsAccessPointInvalidFileSystemIDRule(),
+ NewAwsEfsBackupPolicyInvalidFileSystemIDRule(),
 NewAwsEfsFileSystemInvalidCreationTokenRule(),
 NewAwsEfsFileSystemInvalidKmsKeyIDRule(),
 NewAwsEfsFileSystemInvalidPerformanceModeRule(),
 NewAwsEfsFileSystemInvalidThroughputModeRule(),
+ NewAwsEfsFileSystemPolicyInvalidFileSystemIDRule(),
+ NewAwsEfsFileSystemPolicyInvalidPolicyRule(),
 NewAwsEfsMountTargetInvalidFileSystemIDRule(),
 NewAwsEfsMountTargetInvalidIPAddressRule(),
 NewAwsEfsMountTargetInvalidSubnetIDRule(),