diff --git a/docs/rules/README.md b/docs/rules/README.md
index a871cf1f..7d572bf3 100644
--- a/docs/rules/README.md
+++ b/docs/rules/README.md
@@ -623,6 +623,10 @@ These rules enforce best practices and naming conventions:
 |aws_glue_trigger_invalid_type|✔|
 |aws_glue_user_defined_function_invalid_owner_type|✔|
 |aws_guardduty_detector_invalid_finding_publishing_frequency|✔|
+|aws_guardduty_filter_invalid_action|✔|
+|aws_guardduty_filter_invalid_description|✔|
+|aws_guardduty_filter_invalid_detector_id|✔|
+|aws_guardduty_filter_invalid_name|✔|
 |aws_guardduty_invite_accepter_invalid_detector_id|✔|
 |aws_guardduty_ipset_invalid_detector_id|✔|
 |aws_guardduty_ipset_invalid_format|✔|
@@ -630,6 +634,9 @@ These rules enforce best practices and naming conventions:
 |aws_guardduty_ipset_invalid_name|✔|
 |aws_guardduty_member_invalid_detector_id|✔|
 |aws_guardduty_member_invalid_email|✔|
+|aws_guardduty_organization_configuration_invalid_detector_id|✔|
+|aws_guardduty_publishing_destination_invalid_destination_type|✔|
+|aws_guardduty_publishing_destination_invalid_detector_id|✔|
 |aws_guardduty_threatintelset_invalid_detector_id|✔|
 |aws_guardduty_threatintelset_invalid_format|✔|
 |aws_guardduty_threatintelset_invalid_location|✔|
diff --git a/rules/models/aws_guardduty_filter_invalid_action.go b/rules/models/aws_guardduty_filter_invalid_action.go
new file mode 100644
index 00000000..1a42354a
--- /dev/null
+++ b/rules/models/aws_guardduty_filter_invalid_action.go
@@ -0,0 +1,95 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyFilterInvalidActionRule checks the pattern is valid
+type AwsGuarddutyFilterInvalidActionRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+ enum []string
+}
+
+// NewAwsGuarddutyFilterInvalidActionRule returns new rule with default attributes
+func NewAwsGuarddutyFilterInvalidActionRule() *AwsGuarddutyFilterInvalidActionRule {
+ return &AwsGuarddutyFilterInvalidActionRule{
+ resourceType: "aws_guardduty_filter",
+ attributeName: "action",
+ max: 300,
+ min: 1,
+ enum: []string{
+ "NOOP",
+ "ARCHIVE",
+ },
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyFilterInvalidActionRule) Name() string {
+ return "aws_guardduty_filter_invalid_action"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyFilterInvalidActionRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyFilterInvalidActionRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyFilterInvalidActionRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyFilterInvalidActionRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "action must be 300 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "action must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ found := false
+ for _, item := range r.enum {
+ if item == val {
+ found = true
+ }
+ }
+ if !found {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" is an invalid value as action`, truncateLongMessage(val)),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_filter_invalid_description.go b/rules/models/aws_guardduty_filter_invalid_description.go
new file mode 100644
index 00000000..04dc1b15
--- /dev/null
+++ b/rules/models/aws_guardduty_filter_invalid_description.go
@@ -0,0 +1,67 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyFilterInvalidDescriptionRule checks the pattern is valid
+type AwsGuarddutyFilterInvalidDescriptionRule struct {
+ resourceType string
+ attributeName string
+ max int
+}
+
+// NewAwsGuarddutyFilterInvalidDescriptionRule returns new rule with default attributes
+func NewAwsGuarddutyFilterInvalidDescriptionRule() *AwsGuarddutyFilterInvalidDescriptionRule {
+ return &AwsGuarddutyFilterInvalidDescriptionRule{
+ resourceType: "aws_guardduty_filter",
+ attributeName: "description",
+ max: 512,
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyFilterInvalidDescriptionRule) Name() string {
+ return "aws_guardduty_filter_invalid_description"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyFilterInvalidDescriptionRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyFilterInvalidDescriptionRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyFilterInvalidDescriptionRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyFilterInvalidDescriptionRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "description must be 512 characters or less",
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_filter_invalid_detector_id.go b/rules/models/aws_guardduty_filter_invalid_detector_id.go
new file mode 100644
index 00000000..30aa24e0
--- /dev/null
+++ b/rules/models/aws_guardduty_filter_invalid_detector_id.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyFilterInvalidDetectorIDRule checks the pattern is valid
+type AwsGuarddutyFilterInvalidDetectorIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+}
+
+// NewAwsGuarddutyFilterInvalidDetectorIDRule returns new rule with default attributes
+func NewAwsGuarddutyFilterInvalidDetectorIDRule() *AwsGuarddutyFilterInvalidDetectorIDRule {
+ return &AwsGuarddutyFilterInvalidDetectorIDRule{
+ resourceType: "aws_guardduty_filter",
+ attributeName: "detector_id",
+ max: 300,
+ min: 1,
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyFilterInvalidDetectorIDRule) Name() string {
+ return "aws_guardduty_filter_invalid_detector_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyFilterInvalidDetectorIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyFilterInvalidDetectorIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyFilterInvalidDetectorIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyFilterInvalidDetectorIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 300 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_filter_invalid_name.go b/rules/models/aws_guardduty_filter_invalid_name.go
new file mode 100644
index 00000000..381db5c1
--- /dev/null
+++ b/rules/models/aws_guardduty_filter_invalid_name.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyFilterInvalidNameRule checks the pattern is valid
+type AwsGuarddutyFilterInvalidNameRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+}
+
+// NewAwsGuarddutyFilterInvalidNameRule returns new rule with default attributes
+func NewAwsGuarddutyFilterInvalidNameRule() *AwsGuarddutyFilterInvalidNameRule {
+ return &AwsGuarddutyFilterInvalidNameRule{
+ resourceType: "aws_guardduty_filter",
+ attributeName: "name",
+ max: 64,
+ min: 3,
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyFilterInvalidNameRule) Name() string {
+ return "aws_guardduty_filter_invalid_name"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyFilterInvalidNameRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyFilterInvalidNameRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyFilterInvalidNameRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyFilterInvalidNameRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "name must be 64 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "name must be 3 characters or higher",
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_organization_configuration_invalid_detector_id.go b/rules/models/aws_guardduty_organization_configuration_invalid_detector_id.go
new file mode 100644
index 00000000..50e44f9d
--- /dev/null
+++ b/rules/models/aws_guardduty_organization_configuration_invalid_detector_id.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule checks the pattern is valid
+type AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+}
+
+// NewAwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule returns new rule with default attributes
+func NewAwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule() *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule {
+ return &AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule{
+ resourceType: "aws_guardduty_organization_configuration",
+ attributeName: "detector_id",
+ max: 300,
+ min: 1,
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule) Name() string {
+ return "aws_guardduty_organization_configuration_invalid_detector_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 300 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_publishing_destination_invalid_destination_type.go b/rules/models/aws_guardduty_publishing_destination_invalid_destination_type.go
new file mode 100644
index 00000000..a52ce212
--- /dev/null
+++ b/rules/models/aws_guardduty_publishing_destination_invalid_destination_type.go
@@ -0,0 +1,94 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "fmt"
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule checks the pattern is valid
+type AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+ enum []string
+}
+
+// NewAwsGuarddutyPublishingDestinationInvalidDestinationTypeRule returns new rule with default attributes
+func NewAwsGuarddutyPublishingDestinationInvalidDestinationTypeRule() *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule {
+ return &AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule{
+ resourceType: "aws_guardduty_publishing_destination",
+ attributeName: "destination_type",
+ max: 300,
+ min: 1,
+ enum: []string{
+ "S3",
+ },
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule) Name() string {
+ return "aws_guardduty_publishing_destination_invalid_destination_type"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyPublishingDestinationInvalidDestinationTypeRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "destination_type must be 300 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "destination_type must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ found := false
+ for _, item := range r.enum {
+ if item == val {
+ found = true
+ }
+ }
+ if !found {
+ runner.EmitIssueOnExpr(
+ r,
+ fmt.Sprintf(`"%s" is an invalid value as destination_type`, truncateLongMessage(val)),
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/aws_guardduty_publishing_destination_invalid_detector_id.go b/rules/models/aws_guardduty_publishing_destination_invalid_detector_id.go
new file mode 100644
index 00000000..ad3c563b
--- /dev/null
+++ b/rules/models/aws_guardduty_publishing_destination_invalid_detector_id.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+ "log"
+
+ hcl "github.com/hashicorp/hcl/v2"
+ "github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsGuarddutyPublishingDestinationInvalidDetectorIDRule checks the pattern is valid
+type AwsGuarddutyPublishingDestinationInvalidDetectorIDRule struct {
+ resourceType string
+ attributeName string
+ max int
+ min int
+}
+
+// NewAwsGuarddutyPublishingDestinationInvalidDetectorIDRule returns new rule with default attributes
+func NewAwsGuarddutyPublishingDestinationInvalidDetectorIDRule() *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule {
+ return &AwsGuarddutyPublishingDestinationInvalidDetectorIDRule{
+ resourceType: "aws_guardduty_publishing_destination",
+ attributeName: "detector_id",
+ max: 300,
+ min: 1,
+ }
+}
+
+// Name returns the rule name
+func (r *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule) Name() string {
+ return "aws_guardduty_publishing_destination_invalid_detector_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule) Enabled() bool {
+ return true
+}
+
+// Severity returns the rule severity
+func (r *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule) Severity() string {
+ return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule) Link() string {
+ return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsGuarddutyPublishingDestinationInvalidDetectorIDRule) Check(runner tflint.Runner) error {
+ log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+ return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+ var val string
+ err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+ return runner.EnsureNoError(err, func() error {
+ if len(val) > r.max {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 300 characters or less",
+ attribute.Expr,
+ )
+ }
+ if len(val) < r.min {
+ runner.EmitIssueOnExpr(
+ r,
+ "detector_id must be 1 characters or higher",
+ attribute.Expr,
+ )
+ }
+ return nil
+ })
+ })
+}
diff --git a/rules/models/mappings/guardduty.hcl b/rules/models/mappings/guardduty.hcl
index 63f69b8e..33f44900 100644
--- a/rules/models/mappings/guardduty.hcl
+++ b/rules/models/mappings/guardduty.hcl
@@ -5,6 +5,16 @@ mapping "aws_guardduty_detector" {
 finding_publishing_frequency = FindingPublishingFrequency
 }
 
+mapping "aws_guardduty_filter" {
+ detector_id = DetectorId
+ name = FilterName
+ description = FilterDescription
+ rank = FilterRank
+ action = FilterAction
+ tags = TagMap
+ finding_criteria = FindingCriteria
+}
+
 mapping "aws_guardduty_invite_accepter" {
 detector_id = DetectorId
 master_account_id = String
@@ -27,6 +37,16 @@ mapping "aws_guardduty_member" {
 disable_email_notification = Boolean
 }
 
+mapping "aws_guardduty_organization_configuration" {
+ detector_id = DetectorId
+ datasources = OrganizationDataSourceConfigurations
+}
+
+mapping "aws_guardduty_publishing_destination" {
+ detector_id = DetectorId
+ destination_type = DestinationType
+}
+
 mapping "aws_guardduty_threatintelset" {
 activate = Boolean
 detector_id = DetectorId
diff --git a/rules/models/provider.go b/rules/models/provider.go
index 195e0857..6c84668e 100644
--- a/rules/models/provider.go
+++ b/rules/models/provider.go
@@ -551,6 +551,10 @@ var Rules = []tflint.Rule{
 NewAwsGlueTriggerInvalidTypeRule(),
 NewAwsGlueUserDefinedFunctionInvalidOwnerTypeRule(),
 NewAwsGuarddutyDetectorInvalidFindingPublishingFrequencyRule(),
+ NewAwsGuarddutyFilterInvalidActionRule(),
+ NewAwsGuarddutyFilterInvalidDescriptionRule(),
+ NewAwsGuarddutyFilterInvalidDetectorIDRule(),
+ NewAwsGuarddutyFilterInvalidNameRule(),
 NewAwsGuarddutyInviteAccepterInvalidDetectorIDRule(),
 NewAwsGuarddutyIpsetInvalidDetectorIDRule(),
 NewAwsGuarddutyIpsetInvalidFormatRule(),
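Review bot: The two mappings added in the second guardduty.hcl hunk list only the attributes that produce a generated rule: `aws_guardduty_organization_configuration` omits the resource's `auto_enable` flag, and `aws_guardduty_publishing_destination` omits `destination_arn` and `kms_key_arn`, whereas the neighbouring `aws_guardduty_member` mapping spells out even its boolean `disable_email_notification = Boolean`. If the mapping files are meant to enumerate every provider attribute (and a mapping-completeness check, if the repo has one, would presumably flag this), add `auto_enable = Boolean`, `destination_arn = String` and `kms_key_arn = String` so the unvalidated attributes are explicit rather than silently absent. No rule is generated for those attributes either way, so this is a consistency point for the mapping, not a defect in the emitted detector_id and destination_type rules; the same completeness question applies to `rank`, `tags` and `finding_criteria` in the `aws_guardduty_filter` mapping of the first hunk, which are mapped but yield no rule in this commit.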
@@ -558,6 +562,9 @@ var Rules = []tflint.Rule{
 NewAwsGuarddutyIpsetInvalidNameRule(),
 NewAwsGuarddutyMemberInvalidDetectorIDRule(),
 NewAwsGuarddutyMemberInvalidEmailRule(),
+ NewAwsGuarddutyOrganizationConfigurationInvalidDetectorIDRule(),
+ NewAwsGuarddutyPublishingDestinationInvalidDestinationTypeRule(),
+ NewAwsGuarddutyPublishingDestinationInvalidDetectorIDRule(),
 NewAwsGuarddutyThreatintelsetInvalidDetectorIDRule(),
 NewAwsGuarddutyThreatintelsetInvalidFormatRule(),
 NewAwsGuarddutyThreatintelsetInvalidLocationRule(),