diff --git a/docs/rules/README.md b/docs/rules/README.md
index 0f7b9e4b..39c3dc52 100644
--- a/docs/rules/README.md
+++ b/docs/rules/README.md
@@ -71,7 +71,10 @@ These rules enforce best practices and naming conventions:
 |aws_acm_certificate_invalid_certificate_body|✔|
 |aws_acm_certificate_invalid_certificate_chain|✔|
 |aws_acm_certificate_invalid_private_key|✔|
+|aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn|✔|
 |aws_acmpca_certificate_authority_invalid_type|✔|
+|aws_acmpca_certificate_invalid_certificate_authority_arn|✔|
+|aws_acmpca_certificate_invalid_signing_algorithm|✔|
 |aws_alb_invalid_ip_address_type|✔|
 |aws_alb_invalid_load_balancer_type|✔|
 |aws_alb_listener_invalid_protocol|✔|
diff --git a/rules/models/aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn.go b/rules/models/aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn.go
new file mode 100644
index 00000000..53239372
--- /dev/null
+++ b/rules/models/aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn.go
@@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid +type AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes +func NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule() *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule { + return &AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule{ + resourceType: "aws_acmpca_certificate_authority_certificate", + attributeName: "certificate_authority_arn", + max: 200, + min: 5, + pattern: regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + } +} + +// Name returns the rule name +func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Name() string { + return "aws_acmpca_certificate_authority_certificate_invalid_certificate_authority_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r 
*AwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 200 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 5 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_acmpca_certificate_invalid_certificate_authority_arn.go b/rules/models/aws_acmpca_certificate_invalid_certificate_authority_arn.go new file mode 100644 index 00000000..8289da85 --- /dev/null +++ b/rules/models/aws_acmpca_certificate_invalid_certificate_authority_arn.go 
@@ -0,0 +1,87 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + "regexp" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule checks the pattern is valid +type AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule struct { + resourceType string + attributeName string + max int + min int + pattern *regexp.Regexp +} + +// NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule returns new rule with default attributes +func NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule() *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule { + return &AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule{ + resourceType: "aws_acmpca_certificate", + attributeName: "certificate_authority_arn", + max: 200, + min: 5, + pattern: regexp.MustCompile(`^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + } +} + +// Name returns the rule name +func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Name() string { + return "aws_acmpca_certificate_invalid_certificate_authority_arn" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsAcmpcaCertificateInvalidCertificateAuthorityArnRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := 
runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + if len(val) > r.max { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 200 characters or less", + attribute.Expr, + ) + } + if len(val) < r.min { + runner.EmitIssueOnExpr( + r, + "certificate_authority_arn must be 5 characters or higher", + attribute.Expr, + ) + } + if !r.pattern.MatchString(val) { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:[\w+=/,.@-]+:[\w+=/,.@-]*:[0-9]*:[\w+=,.@-]+(/[\w+=,.@-]+)*$`), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go b/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go new file mode 100644 index 00000000..20c4bab0 --- /dev/null +++ b/rules/models/aws_acmpca_certificate_invalid_signing_algorithm.go 
@@ -0,0 +1,81 @@ +// This file generated by `generator/`. DO NOT EDIT + +package models + +import ( + "fmt" + "log" + + hcl "github.com/hashicorp/hcl/v2" + "github.com/terraform-linters/tflint-plugin-sdk/tflint" +) + +// AwsAcmpcaCertificateInvalidSigningAlgorithmRule checks the pattern is valid +type AwsAcmpcaCertificateInvalidSigningAlgorithmRule struct { + resourceType string + attributeName string + enum []string +} + +// NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule returns new rule with default attributes +func NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule() *AwsAcmpcaCertificateInvalidSigningAlgorithmRule { + return &AwsAcmpcaCertificateInvalidSigningAlgorithmRule{ + resourceType: "aws_acmpca_certificate", + attributeName: "signing_algorithm", + enum: []string{ + "SHA256WITHECDSA", + "SHA384WITHECDSA", + "SHA512WITHECDSA", + "SHA256WITHRSA", + "SHA384WITHRSA", + "SHA512WITHRSA", + }, + } +} + +// Name returns the rule name +func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Name() string { + return "aws_acmpca_certificate_invalid_signing_algorithm" +} + +// Enabled returns whether the rule is enabled by default +func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Enabled() bool { + return true +} + +// Severity returns the rule severity +func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Severity() string { + return tflint.ERROR +} + +// Link returns the rule reference link +func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Link() string { + return "" +} + +// Check checks the pattern is valid +func (r *AwsAcmpcaCertificateInvalidSigningAlgorithmRule) Check(runner tflint.Runner) error { + log.Printf("[TRACE] Check `%s` rule", r.Name()) + + return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error { + var val string + err := runner.EvaluateExpr(attribute.Expr, &val, nil) + + return runner.EnsureNoError(err, func() error { + found := false + for _, item := range r.enum { + 
if item == val { + found = true + } + } + if !found { + runner.EmitIssueOnExpr( + r, + fmt.Sprintf(`"%s" is an invalid value as signing_algorithm`, truncateLongMessage(val)), + attribute.Expr, + ) + } + return nil + }) + }) +} diff --git a/rules/models/mappings/acm-pca.hcl b/rules/models/mappings/acm-pca.hcl index cd1cf8e3..3aa57998 100644 --- a/rules/models/mappings/acm-pca.hcl +++ b/rules/models/mappings/acm-pca.hcl @@ -1,9 +1,21 @@ import = "aws-sdk-go/models/apis/acm-pca/2017-08-22/api-2.json" +mapping "aws_acmpca_certificate" { + certificate_authority_arn = Arn + certificate_signing_request = CsrBlob + signing_algorithm = SigningAlgorithm +} + mapping "aws_acmpca_certificate_authority" { type = CertificateAuthorityType } +mapping "aws_acmpca_certificate_authority_certificate" { + certificate_authority_arn = Arn + certificate = CertificateBodyBlob + certificate_chain = CertificateChainBlob +} + test "aws_acmpca_certificate_authority" "type" { ok = "SUBORDINATE" ng = "ORDINATE" diff --git a/rules/models/provider.go b/rules/models/provider.go index db20e6d8..59d35b22 100644 --- a/rules/models/provider.go +++ b/rules/models/provider.go @@ -9,7 +9,10 @@ var Rules = []tflint.Rule{ NewAwsAcmCertificateInvalidCertificateBodyRule(), NewAwsAcmCertificateInvalidCertificateChainRule(), NewAwsAcmCertificateInvalidPrivateKeyRule(), + NewAwsAcmpcaCertificateAuthorityCertificateInvalidCertificateAuthorityArnRule(), NewAwsAcmpcaCertificateAuthorityInvalidTypeRule(), + NewAwsAcmpcaCertificateInvalidCertificateAuthorityArnRule(), + NewAwsAcmpcaCertificateInvalidSigningAlgorithmRule(), NewAwsALBInvalidIPAddressTypeRule(), NewAwsALBInvalidLoadBalancerTypeRule(), NewAwsALBListenerInvalidProtocolRule(),
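Review bot: The new `mapping "aws_acmpca_certificate"` and `mapping "aws_acmpca_certificate_authority_certificate"` blocks in acm-pca.hcl add no `test` fixtures, while the existing `test "aws_acmpca_certificate_authority" "type"` block directly below them (whose closing brace lies past the end of the hunk) shows this file carries an ok/ng pair per validated attribute, presumably consumed by the generator. The two rules that matter most here are the `signing_algorithm` enum, which per the generated file admits only SHA-256/384/512 with RSA or ECDSA, and the `certificate_authority_arn` pattern, so an `ng` of `SHA1WITHRSA` pins the rejection of the weak digest and an `ok` of a real `arn:aws:acm-pca:…:certificate-authority/…` ARN confirms the regex accepts the `/`-separated resource segment (it does: the trailing `(/[\w+=,.@-]+)*` group covers it). The three blob-mapped attributes (`CsrBlob`, `CertificateBodyBlob`, `CertificateChainBlob`) produced no rule in this diff, which may be intended if the generator skips blob shapes; a one-line comment such as `# blob shapes emit no rule; mapped for completeness` above them would save the next reader from looking for missing files. Proposed fixtures follow.
```hcl
# … unchanged: import and mapping blocks …

test "aws_acmpca_certificate" "certificate_authority_arn" {
  ok = "arn:aws:acm-pca:us-east-1:123456789012:certificate-authority/12345678-1234-1234-1234-123456789012"
  ng = "certificate-authority/12345678-1234-1234-1234-123456789012"
}

test "aws_acmpca_certificate" "signing_algorithm" {
  ok = "SHA256WITHRSA"
  ng = "SHA1WITHRSA"
}
```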