mapping aws_acmpca_certificate and aws_acmpca_certificate_authority_c…

…ertificate (#218) * mapping aws_acmpca_certificate and aws_acmpca_certificate_authority_certificate https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority_certificate https://github.com/aws/aws-sdk-go/blob/main/models/apis/acm-pca/2017-08-22/api-2.json * hcl formatting * go generate https://stackoverflow.com/questions/3796927/how-to-git-clone-including-submodules
terraform-linters · Dec 23, 2021 · a10e60a · a10e60a
1 parent 58e127b
commit a10e60a
Show file tree

Hide file tree

Showing 6 changed files with 273 additions and 0 deletions.
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -71,7 +71,10 @@ These rules enforce best practices and naming conventions:
 |aws_acm_certificate_invalid_certificate_body|✔|
 |aws_acm_certificate_invalid_certificate_chain|✔|
 |aws_acm_certificate_invalid_private_key|✔|
+|aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn|✔|
 |aws_acmpca_certificate_authority_invalid_type|✔|
+|aws_acmpca_certificate_invalid_certificate_authority_arn|✔|
+|aws_acmpca_certificate_invalid_signing_algorithm|✔|
 |aws_alb_invalid_ip_address_type|✔|
 |aws_alb_invalid_load_balancer_type|✔|
 |aws_alb_listener_invalid_protocol|✔|

diff --git a/.../models/aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn.go b/.../models/aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn.go
@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid
+type AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes
+func NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule() *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule {
+	return &AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule{
+		resourceType:  "aws_acmpca_certificate_authority_certificate",
+		attributeName: "certificate_authority_arn",
+		max:           200,
+		min:           5,
+		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Name() string {
+	return "aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 200 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 5 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_acmpca_certificate_invalid_certificate_authority_arn.go b/rules/models/aws_acmpca_certificate_invalid_certificate_authority_arn.go
@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid
+type AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes
+func NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule() *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule {
+	return &AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule{
+		resourceType:  "aws_acmpca_certificate",
+		attributeName: "certificate_authority_arn",
+		max:           200,
+		min:           5,
+		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Name() string {
+	return "aws_acmpca_certificate_invalid_certificate_authority_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 200 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"certificate_authority_arn must be 5 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go b/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go
@@ -0,0 +1,81 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsAcmpcaCertificateInvalidSigningAlgorithmRule checks the pattern is valid
+type AwsAcmpcaCertificateInvalidSigningAlgorithmRule struct {
+	resourceType  string
+	attributeName string
+	enum          []string
+}
+
+// NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule returns new rule with default attributes
+func NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule() *AwsAcmpcaCertificateInvalidSigningAlgorithmRule {
+	return &AwsAcmpcaCertificateInvalidSigningAlgorithmRule{
+		resourceType:  "aws_acmpca_certificate",
+		attributeName: "signing_algorithm",
+		enum: []string{
+			"SHA256WITHECDSA",
+			"SHA384WITHECDSA",
+			"SHA512WITHECDSA",
+			"SHA256WITHRSA",
+			"SHA384WITHRSA",
+			"SHA512WITHRSA",
+		},
+	}
+}
+
+// Name returns the rule name
+func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Name() string {
+	return "aws_acmpca_certificate_invalid_signing_algorithm"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			found := false
+			for _, item := range r.enum {
+				if item == val {
+					found = true
+				}
+			}
+			if !found {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" is an invalid value as signing_algorithm`, truncateLongMessage(val)),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/mappings/acm-pca.hcl b/rules/models/mappings/acm-pca.hcl
@@ -1,9 +1,21 @@
 import = "aws-sdk-go/models/apis/acm-pca/2017-08-22/api-2.json"
 
+mapping "aws_acmpca_certificate" {
+  certificate_authority_arn   = Arn
+  certificate_signing_request = CsrBlob
+  signing_algorithm           = SigningAlgorithm
+}
+
 mapping "aws_acmpca_certificate_authority" {
   type = CertificateAuthorityType
 }
 
+mapping "aws_acmpca_certificate_authority_certificate" {
+  certificate_authority_arn = Arn
+  certificate               = CertificateBodyBlob
+  certificate_chain         = CertificateChainBlob
+}
+
 test "aws_acmpca_certificate_authority" "type" {
   ok = "SUBORDINATE"
   ng = "ORDINATE"

diff --git a/rules/models/provider.go b/rules/models/provider.go
@@ -9,7 +9,10 @@ var Rules = []tflint.Rule{
 	NewAwsAcmCertificateInvalidCertificateBodyRule(),
 	NewAwsAcmCertificateInvalidCertificateChainRule(),
 	NewAwsAcmCertificateInvalidPrivateKeyRule(),
+	NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule(),
 	NewAwsAcmpcaCertificateAuthorityInvalidTypeRule(),
+	NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule(),
+	NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule(),
 	NewAwsALBInvalidIPAddressTypeRule(),
 	NewAwsALBInvalidLoadBalancerTypeRule(),
 	NewAwsALBListenerInvalidProtocolRule(),