[
{
"path": ".devcontainer/Dockerfile",
"content": "FROM stelligent/vscode-remote-config-lint:latest\n"
},
{
"path": ".devcontainer/build/Dockerfile",
"content": "FROM ubuntu:latest\n\n# Avoid warnings by switching to noninteractive\nENV DEBIAN_FRONTEND=noninteractive\n\n# Install packages\nRUN apt-get update \\\n\t\t# Install apt-utils and suppress package configuration warning\n\t\t&& apt-get -y install --no-install-recommends apt-utils dialog 2>&1 \\\n\t\t# Install build tools\n\t\t&& apt-get install -y \\\n\t\tbc \\\n\t\tunzip \\\n\t\twget \\\n\t\tgit \\\n\t\tg++ \\\n\t\tgcc \\\n\t\tlibc6-dev \\\n\t\tmake \\\n\t\tpkg-config \\\n\t\tca-certificates \\\n\t\tgnupg-agent \\\n\t\t# Cleanup apt lists\n\t\t&& rm -rf /var/lib/apt/lists/*\n\n# Install Go\nENV GOLANG_VERSION 1.13.7\nRUN set -eux; \\\n\tgoRelArch='linux-amd64'; \\\n\tgoRelSha256='b3dd4bd781a0271b33168e627f7f43886b4c5d1c794a4015abf34e99c6526ca3'; \\\n\turl=\"https://golang.org/dl/go${GOLANG_VERSION}.${goRelArch}.tar.gz\"; \\\n\twget -O go.tgz \"$url\"; \\\n\techo \"${goRelSha256} *go.tgz\" | sha256sum -c -; \\\n\ttar -C /usr/local -xzf go.tgz; \\\n\trm go.tgz\nENV GOPATH /go\nENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH\nRUN mkdir -p \"$GOPATH/src\" \"$GOPATH/bin\" && chmod -R 777 \"$GOPATH\"\nENV GO111MODULE=on\n\n# Install VS Code Go Dependencies\nRUN go get -x -d github.com/stamblerre/gocode \\\n\t&& go build -o gocode-gomod github.com/stamblerre/gocode \\\n\t&& mv gocode-gomod $GOPATH/bin/ \\\n\t&& go get -u -v \\\n\tgolang.org/x/tools/gopls \\\n\tgithub.com/mdempsky/gocode \\\n\t# Workaround for https://github.com/uudashr/gopkgs/issues/25\n\tgithub.com/uudashr/gopkgs/v2/cmd/gopkgs \\\n\tgithub.com/sqs/goreturns \\\n\tgolang.org/x/lint/golint \\\n\tgithub.com/ramya-rao-a/go-outline \\\n\t&& go get github.com/go-delve/delve/cmd/dlv\n\n# Create a non-root user\nARG USERNAME=config-lint-dev\nARG USER_UID=1000\nARG USER_GID=$USER_UID\nRUN groupadd --gid $USER_GID $USERNAME \\\n && useradd --uid $USER_UID --gid $USER_GID --shell /bin/bash -m $USERNAME\n\n# Prompt gpg window inside container for signing commits & setup folder permissions for non-root user\nRUN echo 'export GPG_TTY=\"$(tty)\"' >> /home/$USERNAME/.bashrc \\\n && mkdir /home/$USERNAME/.gnupg \\\n && chown -R $USERNAME:$USERNAME /home/$USERNAME/.gnupg\n\n# Persist bash history between runs\nRUN SNIPPET=\"export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history\" \\\n && mkdir /commandhistory \\\n && touch /commandhistory/.bash_history \\\n && chown -R $USERNAME /commandhistory \\\n && echo $SNIPPET >> \"/home/$USERNAME/.bashrc\"\n\n# Add non-root user to $GOPATH\nRUN chown -R $USERNAME $GOPATH \\\n\t\t# Add write permission for /go/pkg\n\t\t&& chmod -R a+w /go/pkg\n\n# Install Terraform\nARG TERRAFORM_VERSION=0.12.20\nRUN cd /tmp \\\n\t&& wget https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip \\\n\t&& unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip \\\n\t&& mv terraform /usr/local/bin/ \\\n\t&& rm terraform_${TERRAFORM_VERSION}_linux_amd64.zip\n\n# Enter container as non-root user\nUSER $USERNAME\n"
},
{
"path": ".devcontainer/build/dockerhub.sh",
"content": "#!/bin/bash -ex\n\nset +x\nif [[ -z ${DOCKER_ORG} ]];\nthen\n echo DOCKER_ORG must be set in the environment\n exit 1\nfi\nif [[ -z ${GITHUB_SHA} ]];\nthen\n echo GITHUB_SHA must be set in the environment\n exit 1\nfi\nset -x\n\nCOMMIT_HASH=${GITHUB_SHA:0:8}\n\n# publish vscode-remote docker image to DockerHub, https://hub.docker.com/r/stelligent/vscode-remote-config-lint\ndocker build -t $DOCKER_ORG/vscode-remote-config-lint:${COMMIT_HASH} --file .devcontainer/build/Dockerfile .\ndocker tag $DOCKER_ORG/vscode-remote-config-lint:${COMMIT_HASH} $DOCKER_ORG/vscode-remote-config-lint:latest\ndocker push $DOCKER_ORG/vscode-remote-config-lint:${COMMIT_HASH}\ndocker push $DOCKER_ORG/vscode-remote-config-lint:latest"
},
{
"path": ".devcontainer/devcontainer.json",
"content": "{\n\t\"name\": \"config-lint Development\",\n\t\"dockerFile\": \"Dockerfile\",\n\t\"appPort\": 9000,\n\t\"remote.containers.workspaceMountConsistency\": \"consistent\",\n\t\"mounts\": [\n\t\t// Bash History\n\t\t\"source=config-lint-bash_history,target=/commandhistory,type=volume\"\n\t],\n\t\"runArgs\": [\n\t\t// SSH\n\t\t\"-v\", \"${localEnv:HOME}/.ssh:/home/config-lint-dev/.ssh:ro\",\n\t\t// GPG\n\t\t\"-v\", \"${localEnv:HOME}/.gnupg/private-keys-v1.d:/home/config-lint-dev/.gnupg/private-keys-v1.d:ro\",\n\t\t\"-v\", \"${localEnv:HOME}/.gnupg/pubring.kbx:/home/config-lint-dev/.gnupg/pubring.kbx:ro\",\n\t\t\"-v\", \"${localEnv:HOME}/.gnupg/trustdb.gpg:/home/config-lint-dev/.gnupg/trustdb.gpg:ro\"\n\t],\n\t\"extensions\": [\n\t\t// General\n\t\t\"CoenraadS.bracket-pair-colorizer\",\n\t\t\"fabiospampinato.vscode-diff\",\n\t\t\"mrmlnc.vscode-duplicate\",\n\t\t\"ms-azuretools.vscode-docker\",\n\t\t\"wayou.vscode-todo-highlight\",\n\t\t// Go\n\t\t\"ms-vscode.go\",\n\t\t// Terraform\n\t\t\"mauve.terraform\",\n\t\t// JSON\n\t\t\"mohsen1.prettify-json\",\n\t\t// YAML\n\t\t\"redhat.vscode-yaml\"\n\t],\n\t\"settings\": {\n\t\t// Bracket Pair Colorizer\n\t\t\"bracketPairColorizer.forceUniqueOpeningColor\": false,\n\t\t\"bracketPairColorizer.colorMode\": \"Consecutive\",\n\t\t\"bracketPairColorizer.highlightActiveScope\": true,\n\t\t\"bracketPairColorizer.activeScopeCSS\": [\n\t\t\t\"borderStyle : solid\",\n\t\t\t\"borderWidth : 1px\",\n\t\t\t\"borderColor : {color}; opacity: 0.5\",\n\t\t\t\"backgroundColor : {color}\"\n\t\t],\n\t\t\"editor.matchBrackets\": \"never\",\n\t\t\"bracketPairColorizer.showBracketsInGutter\": true,\n\t\t// Go\n\t\t\"go.gopath\": \"/go\",\n\t\t\"go.inferGopath\": true,\n\t\t\"go.useLanguageServer\": true,\n\t\t\"[go]\": {\n\t\t\t\t\"editor.insertSpaces\": true,\n\t\t\t\t\"editor.tabSize\": 4,\n\t\t\t\t\"editor.formatOnSave\": true,\n\t\t\t\t\"editor.codeActionsOnSave\": {\n\t\t\t\t\t\t\"source.organizeImports\": true\n\t\t\t\t}\n\t\t},\n\t\t\"gopls\": {\n\t\t\t\t\"usePlaceholders\": true\n\t\t},\n\t\t// Terraform\n\t\t\"[terraform]\": {\n\t\t\t\"editor.formatOnSave\": true\n\t\t},\n\t\t\"terraform.languageServer\": {\n\t\t\t\"enabled\": false,\n\t\t\t\"args\": []\n\t\t},\n\t\t\"terraform.indexing\": {\n\t\t\t\"enabled\": false,\n\t\t\t\"liveIndexing\": false\n\t\t},\n\t\t// YAML\n\t\t\"[yaml]\": {\n\t\t\t\"editor.insertSpaces\": true,\n\t\t\t\"editor.tabSize\": 2\n\t\t},\n\t\t\"yaml.format.enable\": true,\n\t\t\"yaml.format.singleQuote\": true,\n\t\t\"yaml.format.bracketSpacing\": true,\n\t\t\"yaml.format.printWidth\": 120,\n\t\t\"yaml.format.proseWrap\": \"always\",\n\t\t// TODO\n\t\t\"todohighlight.isEnable\": true,\n\t\t\"todohighlight.isCaseSensitive\": false\n\t},\n\t\"postCreateCommand\": \"make deps\"\n}\n"
},
{
"path": ".dockerhub/Dockerfile",
"content": "FROM scratch\nCOPY config-lint /\nENTRYPOINT [\"/config-lint\"] \n"
},
{
"path": ".github/workflows/build.yml",
"content": "name: Build\n\non:\n push:\n branches-ignore:\n - 'master'\n tags-ignore:\n - '**'\n paths-ignore:\n - 'docs/**'\n - '**.md'\n pull_request:\n branches:\n - master\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - \n name: checkout\n uses: actions/checkout@master\n -\n name: setup go\n uses: actions/setup-go@v1\n with:\n go-version: '1.13'\n -\n name: dependencies\n run: |\n go mod download\n - \n name: build\n run: |\n export GOPATH=/home/runner/go\n export PATH=\"$PATH:$GOPATH/bin\"\n make build\n - \n name: test\n run: |\n export GOPATH=/home/runner/go\n export PATH=\"$PATH:$GOPATH/bin\"\n make test\n make smoke-test\n"
},
{
"path": ".github/workflows/build_and_deploy.yml",
"content": "name: Build & Deploy\n\non:\n push:\n tags:\n - 'v*.*.*'\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n -\n name: checkout\n uses: actions/checkout@master\n -\n name: setup go\n uses: actions/setup-go@v1\n with:\n go-version: '1.13'\n -\n name: dependencies\n run: |\n go mod download\n -\n name: docker login\n env:\n DOCKER_USER: ${{ secrets.docker_user }}\n DOCKER_PASSWORD: ${{ secrets.docker_password }}\n run: |\n echo $DOCKER_PASSWORD | docker login -u $DOCKER_USER --password-stdin\n -\n name: build\n run: |\n export GOPATH=/home/runner/go\n export PATH=\"$PATH:$GOPATH/bin\"\n make build\n - \n name: test\n run: |\n export GOPATH=/home/runner/go\n export PATH=\"$PATH:$GOPATH/bin\"\n make test\n make smoke-test\n - \n name: release\n uses: goreleaser/goreleaser-action@v1\n with:\n args: release --skip-validate\n env:\n GITHUB_TOKEN: ${{ secrets.gh_actions_token }}\n"
},
{
"path": ".github/workflows/bump_version.yml",
"content": "# Push with a commit message containing `#major` to bump major version\n# and update the major version number here.\n\n# MAJOR Version: 1.x\n\nname: Bump Version\n\non:\n push:\n branches:\n - master\n tags-ignore:\n - '**'\n paths-ignore:\n - 'docs/**'\n - '**.md'\n - '.devcontainer/**'\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@master\n with:\n fetch-depth: '0'\n - name: Bump version and push tag\n uses: anothrNick/github-tag-action@1.19.0\n env:\n GITHUB_TOKEN: ${{ secrets.gh_actions_token }}\n WITH_V: true\n DEFAULT_BUMP: minor\n"
},
{
"path": ".github/workflows/vscode_remote_development.yml",
"content": "name: VS Code DockerHub Build & Push\n\non:\n push:\n branches:\n - 'master'\n paths:\n - '.devcontainer/**'\n\njobs:\n build:\n runs-on: ubuntu-latest\n steps:\n -\n name: checkout\n uses: actions/checkout@master\n -\n name: docker login\n env:\n DOCKER_USER: ${{ secrets.docker_user }}\n DOCKER_PASSWORD: ${{ secrets.docker_password }}\n run: |\n echo $DOCKER_PASSWORD | docker login -u $DOCKER_USER --password-stdin\n -\n name: Build & Push to DockerHub\n env:\n DOCKER_ORG: stelligent\n run: bash ./.devcontainer/build/dockerhub.sh\n"
},
{
"path": ".gitignore",
"content": "# Local dev\ndist/\n.bundle\n.DS_Store\n.vscode/**/*\n.release/\n.idea/\n.DS_Store\n.test/\n*/coverage.out\n*/*packr.go\n**/*.log\n**/*.pem\n**/*.retry\n**/*.sw*\n**/local.json\n\n# Binaries for programs and plugins\n*.exe\n*.exe~\n*.dll\n*.so\n*.dylib\n\n# Test binary, build with `go test -c`\n*.test\n\n# Output of the go coverage tool, specifically when used with LiteIDE\n*.out\n\n# Project-local glide cache, RE: https://github.com/Masterminds/glide/issues/736\n.glide/\n\n# Dependency directories (remove the comment below to include it)\nvendor/\n"
},
{
"path": ".goreleaser.yml",
"content": "builds:\n-\n main: ./cli\n env:\n - CGO_ENABLED=0\n goos:\n - linux\n - darwin\n - windows\n goarch:\n - 386\n - amd64\n - arm\n - arm64\narchives:\n - id: archive\n name_template: '{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}'\n replacements:\n darwin: Darwin\n linux: Linux\n windows: Windows\n 386: i386\n amd64: x86_64\n format_overrides:\n - goos: windows\n format: zip\nchecksum:\n name_template: 'checksums.txt'\nsnapshot:\n name_template: \"{{ .Tag }}-next\"\nchangelog:\n sort: asc\n filters:\n exclude:\n - '^docs:'\n - '^test:'\nbrews:\n -\n github:\n owner: stelligent\n name: homebrew-tap\n commit_author:\n name: goreleaserbot\n email: goreleaser@stelligent.com\n folder: Formula\n homepage: https://github.com/stelligent/config-lint\n description: Validate configuration files using rules specified in YAML\n test: |\n system \"#{bin}/config-lint -version\"\ndockers:\n - \n dockerfile: .dockerhub/Dockerfile\n image_templates:\n - \"stelligent/config-lint:{{ .Tag }}\"\n - \"stelligent/config-lint:latest\"\n"
},
{
"path": "CONTRIBUTING.md",
"content": "# Contributing to config-lint\n\nHelp wanted! We'd love your contributions to config-lint. Please review the following guidelines before contributing. Also, feel free to propose changes to these guidelines by updating this file and submitting a pull request.\n\n- [I have a question](#questions)\n- [I found a bug](#bugs)\n- [I have a feature request](#features)\n- [I have a contribution to share](#process)\n\n## Have a Question?\n\nPlease don't open a GitHub issue for questions about how to use config-lint, as the goal is to use issues for managing bugs and feature requests.\n\nUntil we have a better way to communicate with users, please use the [Stelligent contact page](https://stelligent.com/contact/) if you have any questions.\n\n## Found a Bug?\n\nIf you've identified a bug in config-lint, please [submit an issue](#issue) to our GitHub repo:\n[stelligent/config-lint](https://github.com/stelligent/config-lint/issues/new). Please also feel free to submit a [Pull Request](#pr) with a fix for the bug!\n\n## Have a Feature Request?\n\nAll feature requests should start with [submitting an issue](#issue) documenting the user story and acceptance criteria. Again, feel free to submit a [Pull Request](#pr) with a proposed implementation of the feature.\n\n## Ready to Contribute!\n\n### Create an issue\n\nBefore submitting a new issue, please search the issues to make sure there isn't a similar issue doesn't already exist.\n\nAssuming no existing issues exist, please ensure you include the following bits of information when submitting the issue to ensure we can quickly reproduce your issue:\n\n- The version of config-lint.\n- The platform (Linux, OS X, Windows).\n- The complete rule file(s) used if not using a built-in ruleset.\n- The complete code the rule is running against.\n- The complete command that was executed.\n- Any output from the command.\n- Details of the expected results and how they differed from the actual results.\n\nWe may have additional questions and will communicate through the GitHub issue, so please respond back to our questions to help reproduce and resolve the issue as quickly as possible.\n\nNew issues can be created with in our [GitHub\nrepo](https://github.com/stelligent/config-lint/issues/new).\n\n### Pull Requests\n\nPull requests should target the `master` branch. Ensure you have a successful build for your branch. Please also reference the issue from the description of the pull request using [special keyword\nsyntax](https://help.github.com/articles/closing-issues-via-commit-messages/) to auto close the issue when the PR is merged. For example, include the phrase `fixes #14` in the PR description to have issue #14 auto close.\n\n### Styleguide\n\nWhen submitting code, please make every effort to follow existing conventions and style in order to keep the code as readable as possible. \n\nHere are a few points to keep in mind:\n\n- Please run `make lint` before committing to ensure code aligns\n with go standards.\n- Please run `make cyclo` before committing to ensure cyclomatic complexity is lower than 15.\n- Pleae ensure any new code is well tested and running `make test` is successful.\n- Dependencies are managed with [go modules](https://blog.golang.org/using-go-modules) and dependency requirements are defined in [go.mod](go.mod)\n\n### License\n\nBy contributing your code, you agree to license your contribution under the\nterms of the [MIT License](LICENSE).\n\nAll files are released with the MIT license."
},
{
"path": "LICENSE.md",
"content": "MIT License\n\nCopyright (c) 2018-2020 Stelligent\nPortions copyright 2019 Liam Galvin (https://github.com/liamg/tfsec)\n\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
},
{
"path": "Makefile",
"content": "# Versioning based on latest git tag.\nVERSION := $(shell git tag -l --sort=creatordate | grep \"^v[0-9]*.[0-9]*.[0-9]*$$\" | tail -1)\nBUILD_DIR = .release\nGOLDFLAGS = \"-X main.version=$(VERSION)\"\n\nCLI_FILES = $(shell find cli linter assertion -name \\*.go)\n\ndefault: all\n\ndevdeps:\n\t@echo \"=== dev dependencies ===\"\n\t@go get \"github.com/gobuffalo/packr/...\"\n\t@go get -u golang.org/x/lint/golint\n\t@go get \"github.com/fzipp/gocyclo\"\n\ndeps:\n\t@echo \"=== dependencies ===\"\n\tgo mod download\n\ngen:\n\t@echo \"=== generating ===\"\n\t@go get \"github.com/gobuffalo/packr/...\"\n\t@go generate ./...\n\nlint: gen\n\t@echo \"=== linting ===\"\n\t@go vet ./...\n\t@go get -u golang.org/x/lint/golint\n\t@golint $(go list ./... | grep -v /vendor/)\n\ncyclo:\n\t@echo \"=== cyclomatic complexity ===\"\n\t@go get \"github.com/fzipp/gocyclo\"\n\t@gocyclo -over 15 assertion linter cli || echo \"WARNING: cyclomatic complexity is high\"\n\ntest: lint cyclo\n\t@echo \"=== testing ===\"\n\t@go test -v ./...\n\ntesttf: lint cyclo\n\t@echo \"=== testing Terraform Built In Rules ===\"\n\t@go test -v ./cli/... -run TestTerraformBuiltInRules\n\n$(BUILD_DIR)/config-lint: $(CLI_FILES)\n\t@echo \"=== building config-lint - $@ ===\"\n\tmkdir -p $(BUILD_DIR)\n\tGOOS=$(GOOS) GOARCH=$(GOARCH) go build -ldflags=$(GOLDFLAGS) -o $(BUILD_DIR)/config-lint cli/*.go\n\nbuild: gen $(BUILD_DIR)/config-lint\n\nall: clean deps test build smoke-test\ndev: deps devdeps\n\nclean:\n\t@echo \"=== cleaning ===\"\n\trm -rf $(BUILD_DIR)\n\trm -rf vendor\n\trm -f cli/*-packr.go\n\ncover-assertion:\n\t@cd assertion && go test -coverprofile=coverage.out && go tool cover -html=coverage.out\n\ncover-linter:\n\t@cd linter && go test -coverprofile=coverage.out && go tool cover -html=coverage.out\n\ncover-cli:\n\t@cd cli && go test -coverprofile=coverage.out && go tool cover -html=coverage.out\n\nsmoke-test:\n\t@$(BUILD_DIR)/config-lint -terraform cli/testdata/smoketest_tf12.tf\n\t@$(BUILD_DIR)/config-lint -tfparser tf11 -terraform cli/testdata/smoketest_tf11.tf\n\t@$(BUILD_DIR)/config-lint -tfparser tf11 -terraform -profile cli/testdata/profile-exceptions.yml cli/testdata/smoketest_exceptions.tf\n"
},
{
"path": "README.md",
"content": "[](https://img.shields.io/github/v/release/stelligent/config-lint?color=%233D9970)\n[](https://github.com/stelligent/config-lint/workflows/Build%20%26%20Deploy/badge.svg)\n[](https://goreportcard.com/report/github.com/stelligent/config-lint)\n\n# š config-lint š\n\nA command line tool to validate configuration files using rules specified in YAML. The configuration files can be one of several formats: Terraform, JSON, YAML, with support for Kubernetes. There are built-in rules provided for Terraform, and custom files can be used for other formats.\n\nš [Documentation](https://stelligent.github.io/config-lint)\n\nš· [Contributing](CONTRIBUTING.md)\n\nš [Issues & Bugs](https://github.com/stelligent/config-lint/issues)\n\n## Blog Posts\n\nāļø [config-lint: Up and Running](https://stelligent.com/2020/04/17/config-lint-up-and-running/)\n\n\nāļø [Development Acceleration Through VS Code Remote Containers](https://stelligent.com/2020/04/10/development-acceleration-through-vs-code-remote-containers-setting-up-a-foundational-configuration/)\n\n## Quick Start\n\nInstall the latest version of config-lint on macOS using [Homebrew](https://brew.sh/):\n\n``` bash\nbrew tap stelligent/tap\nbrew install config-lint\n```\n\nOr manually on Linux:\n\n``` bash\ncurl -L https://github.com/stelligent/config-lint/releases/latest/download/config-lint_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin config-lint\nchmod +rx /usr/local/bin/config-lint\n```\n\nRun the built-in ruleset against your Terraform files. For instance if you want to run config-lint against our [example files](example-files/):\n\n``` bash\nconfig-lint -terraform example-files/config\n```\n\nYou will see failure and warning violations in the output like this:\n``` bash\n[\n {\n \"AssertionMessage\": \"viewer_certificate[].cloudfront_default_certificate | [0] should be 'false', not ''\",\n \"Category\": \"resource\",\n \"CreatedAt\": \"2020-04-15T19:24:33Z\",\n \"Filename\": \"example-files/config/cloudfront.tf\",\n \"LineNumber\": 10,\n \"ResourceID\": \"s3_distribution\",\n \"ResourceType\": \"aws_cloudfront_distribution\",\n \"RuleID\": \"CLOUDFRONT_MINIMUM_SSL\",\n \"RuleMessage\": \"CloudFront Distribution must use TLS 1.2\",\n \"Status\": \"FAILURE\"\n },\n ...\n```\n\nYou can find more install options in our [installation guide](/docs/install.md)."
},
{
"path": "assertion/compare.go",
"content": "package assertion\n\nimport (\n\t\"strconv\"\n\t\"time\"\n)\n\nfunc intCompare(n1 int, n2 int) int {\n\tif n1 < n2 {\n\t\treturn -1\n\t}\n\tif n1 > n2 {\n\t\treturn 1\n\t}\n\treturn 0\n}\n\nfunc daysOld(data interface{}) int {\n\tif stringValue, ok := data.(string); ok {\n\t\tlayout := \"2006-01-02T15:04:05Z\"\n\t\tt, err := time.Parse(layout, stringValue)\n\t\tif err != nil {\n\t\t\treturn 0\n\t\t}\n\t\tdays := int(time.Since(t).Hours() / 24.0)\n\t\tDebugf(\"Date: %v Days ago: %d\\n\", data, days)\n\t\treturn days\n\t}\n\treturn 0\n}\n\nfunc compare(data interface{}, value string, valueType string) int {\n\tswitch valueType {\n\tcase \"size\":\n\t\tn, _ := strconv.Atoi(value)\n\t\tl := 0\n\t\tswitch v := data.(type) {\n\t\tcase []interface{}:\n\t\t\tl = len(v)\n\t\tcase map[string]interface{}:\n\t\t\tl = len(v)\n\t\t}\n\t\treturn intCompare(l, n)\n\tcase \"integer\":\n\t\tswitch v := data.(type) {\n\t\tcase float64:\n\t\t\tn1 := int(v)\n\t\t\tn2, _ := strconv.Atoi(value)\n\t\t\treturn intCompare(n1, n2)\n\t\tcase int:\n\t\t\tn2, _ := strconv.Atoi(value)\n\t\t\treturn intCompare(v, n2)\n\t\tcase string:\n\t\t\tn1, _ := strconv.Atoi(v)\n\t\t\tn2, _ := strconv.Atoi(value)\n\t\t\treturn intCompare(n1, n2)\n\t\t}\n\t\treturn 0\n\tcase \"age\":\n\t\tn, _ := strconv.Atoi(value)\n\t\treturn intCompare(daysOld(data), n)\n\tdefault:\n\t\ttmp, _ := JSONStringify(data)\n\t\ts := unquoted(tmp)\n\t\tif s > value {\n\t\t\treturn 1\n\t\t}\n\t\tif s < value {\n\t\t\treturn -1\n\t\t}\n\t\treturn 0\n\t}\n}\n"
},
{
"path": "assertion/compare_test.go",
"content": "package assertion\n\nimport (\n\t\"github.com/stretchr/testify/assert\"\n\t\"testing\"\n\t\"time\"\n)\n\nfunc TestDaysOldForToday(t *testing.T) {\n\tnow := time.Now().Format(\"2006-01-02T15:04:05Z\")\n\tassert.Equal(t, 0, daysOld(now), \"Expecting daysOld to return 0\")\n}\n\nfunc TestDaysOldFor90DaysAgo(t *testing.T) {\n\tthen := time.Now().Add(-time.Duration(90) * time.Hour * 24).Format(\"2006-01-02T15:04:05Z\")\n\tassert.Equal(t, 90, daysOld(then), \"Expecting daysOld to return 90\")\n}\n"
},
{
"path": "assertion/contains.go",
"content": "package assertion\n\nimport (\n\t\"strings\"\n)\n\nfunc interfaceListContains(v []interface{}, key, value string) (MatchResult, error) {\n\tfor _, element := range v {\n\t\tif stringElement, isString := element.(string); isString {\n\t\t\tif stringElement == value {\n\t\t\t\treturn matches()\n\t\t\t}\n\t\t\tif strings.Contains(stringElement, value) {\n\t\t\t\treturn matches()\n\t\t\t}\n\t\t}\n\t}\n\treturn doesNotMatch(\"%v does not contain %v\", key, value)\n}\n\nfunc stringListContains(v []string, key, value string) (MatchResult, error) {\n\tfor _, stringElement := range v {\n\t\tif stringElement == value {\n\t\t\treturn matches()\n\t\t}\n\t\tif strings.Contains(stringElement, value) {\n\t\t\treturn matches()\n\t\t}\n\t}\n\treturn doesNotMatch(\"%v does not contain %v\", key, value)\n}\n\nfunc stringContains(v string, key, value string) (MatchResult, error) {\n\tif strings.Contains(v, value) {\n\t\treturn matches()\n\t}\n\treturn doesNotMatch(\"%v does not contain %v\", key, value)\n}\n\nfunc defaultContains(data interface{}, key, value string) (MatchResult, error) {\n\tsearchResult, err := JSONStringify(data)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tif strings.Contains(searchResult, value) {\n\t\treturn matches()\n\t}\n\treturn doesNotMatch(\"%v does not contain %v\", key, value)\n}\n\nfunc contains(data interface{}, key, value string) (MatchResult, error) {\n\tswitch v := data.(type) {\n\tcase []interface{}:\n\t\treturn interfaceListContains(v, key, value)\n\tcase []string:\n\t\treturn stringListContains(v, key, value)\n\tcase string:\n\t\treturn stringContains(v, key, value)\n\tdefault:\n\t\treturn defaultContains(v, key, value)\n\t}\n}\n\nfunc doesNotContain(data interface{}, key, value string) (MatchResult, error) {\n\tm, err := contains(data, key, value)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tif m.Match {\n\t\treturn doesNotMatch(\"%v should not contain %v\", key, value)\n\t}\n\treturn matches()\n}\n\nfunc startsWith(data interface{}, key, prefix string) (MatchResult, error) {\n\tswitch v := data.(type) {\n\tcase string:\n\t\tif strings.HasPrefix(v, prefix) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v does not start with %v\", key, prefix)\n\tdefault:\n\t\treturn doesNotMatch(\"%v is not a string %v\", key, prefix)\n\t}\n}\n\nfunc endsWith(data interface{}, key, suffix string) (MatchResult, error) {\n\tswitch v := data.(type) {\n\tcase string:\n\t\tif strings.HasSuffix(v, suffix) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v does not end with %v\", key, suffix)\n\tdefault:\n\t\treturn doesNotMatch(\"%v is not a string %v\", key, suffix)\n\t}\n}\n"
},
{
"path": "assertion/contains_test.go",
"content": "package assertion\n\nimport (\n\t\"github.com/stretchr/testify/assert\"\n\t\"testing\"\n)\n\n// The non error cases are covered in match_test\n\nfunc TestContainsWithNonJSONType(t *testing.T) {\n\tvar complexNumber complex128\n\t_, err := contains(complexNumber, \"foo\", \"1\")\n\tif err == nil {\n\t\tt.Errorf(\"Expecting contains to return an error for non JSON encodable data\")\n\t}\n}\n\nfunc TestDoesNotContainWithNonJSONType(t *testing.T) {\n\tvar complexNumber complex128\n\t_, err := doesNotContain(complexNumber, \"foo\", \"1\")\n\tif err == nil {\n\t\tt.Errorf(\"Expecting doesNotContain to return an error for non JSON encodable data\")\n\t}\n}\n\nfunc TestContainsWithString(t *testing.T) {\n\ts := \"s3:Get*\"\n\tmatch, err := contains(s, \"Action\", \"*\")\n\tassert.Nil(t, err, \"Expecting no error from contains\")\n\tassert.True(t, match.Match, \"Expecting match for string\")\n}\n\nfunc TestContainsWithSliceOfStrings(t *testing.T) {\n\ts := []string{\"s3:Get*\"}\n\tmatch, err := contains(s, \"Action\", \"*\")\n\tassert.Nil(t, err, \"Expecting no error from contains\")\n\tassert.True(t, match.Match, \"Expecting match for string\")\n}\n"
},
{
"path": "assertion/expression.go",
"content": "package assertion\n\nfunc searchAndMatch(expression Expression, resource Resource) (MatchResult, error) {\n\tv, err := SearchData(expression.Key, resource.Properties)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tmatch, err := isMatch(v, expression)\n\tDebugf(\"ResourceID: %s Type: %s %v\\n\",\n\t\tresource.ID,\n\t\tresource.Type,\n\t\tmatch)\n\treturn match, err\n}\n\nfunc orExpression(expressions []Expression, resource Resource) (MatchResult, error) {\n\tfor _, childExpression := range expressions {\n\t\tmatch, err := booleanExpression(childExpression, resource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif match.Match {\n\t\t\treturn matches()\n\t\t}\n\t}\n\treturn doesNotMatch(\"Or expression fails\") // TODO needs more information\n}\n\nfunc xorExpression(expressions []Expression, resource Resource) (MatchResult, error) {\n\tmatchCount := 0\n\tfor _, childExpression := range expressions {\n\t\tmatch, err := booleanExpression(childExpression, resource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif match.Match {\n\t\t\tmatchCount++\n\t\t}\n\t}\n\tif matchCount == 1 {\n\t\treturn matches()\n\t}\n\treturn doesNotMatch(\"Xor expression fails\") // TODO needs more information\n}\n\nfunc andExpression(expressions []Expression, resource Resource) (MatchResult, error) {\n\tfor _, childExpression := range expressions {\n\t\tmatch, err := booleanExpression(childExpression, resource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif !match.Match {\n\t\t\treturn doesNotMatch(\"And expression fails: %s\", match.Message)\n\t\t}\n\t}\n\treturn matches()\n}\n\nfunc notExpression(expressions []Expression, resource Resource) (MatchResult, error) {\n\t// more than one child filter treated as not any\n\tfor _, childExpression := range expressions {\n\t\tmatch, err := booleanExpression(childExpression, resource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif match.Match {\n\t\t\treturn doesNotMatch(\"Not expression fails\") // TODO needs more information\n\t\t}\n\t}\n\treturn matches()\n}\n\nfunc collectResources(key string, resource Resource) ([]Resource, error) {\n\tresources := make([]Resource, 0)\n\tvalue, err := SearchData(key, resource.Properties)\n\tif err != nil {\n\t\treturn resources, err\n\t}\n\tif collection, ok := value.([]interface{}); ok {\n\t\tfor _, properties := range collection {\n\t\t\tcollectionResource := Resource{\n\t\t\t\tID: resource.ID,\n\t\t\t\tType: resource.Type,\n\t\t\t\tProperties: properties,\n\t\t\t\tFilename: resource.Filename,\n\t\t\t}\n\t\t\tresources = append(resources, collectionResource)\n\t\t}\n\t}\n\treturn resources, nil\n}\n\nfunc everyExpression(collectionExpression CollectionExpression, resource Resource) (MatchResult, error) {\n\tresources, err := collectResources(collectionExpression.Key, resource)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tfor _, collectionResource := range resources {\n\t\tmatch, err := andExpression(collectionExpression.Expressions, collectionResource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif !match.Match {\n\t\t\t// at least one element is false, so entire expression is false\n\t\t\treturn doesNotMatch(\"Every expression fails: %s\", match.Message)\n\t\t}\n\t}\n\t// every element passes, so entire expression is true\n\treturn matches()\n}\n\nfunc someExpression(collectionExpression CollectionExpression, resource Resource) (MatchResult, error) {\n\tresources, err := collectResources(collectionExpression.Key, resource)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tfor _, collectionResource := range resources {\n\t\tmatch, err := andExpression(collectionExpression.Expressions, collectionResource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\t// at least one element passes, so entire expression is true\n\t\tif match.Match {\n\t\t\treturn matches()\n\t\t}\n\t}\n\t// no element passes, so entire expression is false\n\treturn doesNotMatch(\"Some expression fails\") // TODO needs more information\n}\n\nfunc noneExpression(collectionExpression CollectionExpression, resource Resource) (MatchResult, error) {\n\tresources, err := collectResources(collectionExpression.Key, resource)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tfor _, collectionResource := range resources {\n\t\tmatch, err := andExpression(collectionExpression.Expressions, collectionResource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\t// at least one element passes, so entire expression is false\n\t\tif match.Match {\n\t\t\treturn doesNotMatch(\"None expression fails: %s\", match.Message)\n\t\t}\n\t}\n\t// no element passes, so entire expression is true\n\treturn matches()\n}\n\nfunc exactlyOneExpression(collectionExpression CollectionExpression, resource Resource) (MatchResult, error) {\n\tresources, err := collectResources(collectionExpression.Key, resource)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tmatchCount := 0\n\tfor _, collectionResource := range resources {\n\t\tmatch, err := andExpression(collectionExpression.Expressions, collectionResource)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif match.Match {\n\t\t\tmatchCount++\n\t\t}\n\t}\n\tif matchCount == 1 {\n\t\treturn matches()\n\t}\n\treturn doesNotMatch(\"ExactlyOne expression fails\")\n}\n\nfunc booleanExpression(expression Expression, resource Resource) (MatchResult, error) {\n\tif expression.Or != nil && len(expression.Or) > 0 {\n\t\treturn orExpression(expression.Or, resource)\n\t}\n\tif expression.Xor != nil && len(expression.Xor) > 0 {\n\t\treturn xorExpression(expression.Xor, resource)\n\t}\n\tif expression.And != nil && len(expression.And) > 0 {\n\t\treturn andExpression(expression.And, resource)\n\t}\n\tif expression.Not != nil && len(expression.Not) > 0 {\n\t\treturn notExpression(expression.Not, resource)\n\t}\n\tif expression.Every.Key != \"\" {\n\t\treturn everyExpression(expression.Every, resource)\n\t}\n\tif expression.Some.Key != \"\" {\n\t\treturn someExpression(expression.Some, resource)\n\t}\n\tif expression.None.Key != \"\" {\n\t\treturn noneExpression(expression.None, resource)\n\t}\n\tif expression.ExactlyOne.Key != \"\" {\n\t\treturn exactlyOneExpression(expression.ExactlyOne, resource)\n\t}\n\treturn searchAndMatch(expression, resource)\n}\n\n// ExcludeResource when resource.ID included in list of exceptions\nfunc ExcludeResource(rule Rule, resource Resource) bool {\n\tfor _, id := range rule.Except {\n\t\tif id == resource.ID {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// FilterResourceExceptions filters out resources that should not be validated\nfunc FilterResourceExceptions(rule Rule, resources []Resource) []Resource {\n\tif rule.Except == nil || len(rule.Except) == 0 {\n\t\treturn resources\n\t}\n\tfiltered := make([]Resource, 0)\n\tfor _, resource := range resources {\n\t\tif ExcludeResource(rule, resource) {\n\t\t\tfiltered = append(filtered, resource)\n\t\t}\n\t}\n\treturn filtered\n}\n\n// CheckExpression validates a single Resource using a single Expression\nfunc CheckExpression(rule Rule, expression Expression, resource Resource) (Result, error) {\n\tresult := Result{\n\t\tStatus: \"OK\",\n\t\tMessage: \"\",\n\t}\n\tmatch, err := booleanExpression(expression, resource)\n\tif err != nil {\n\t\tDebugJSON(\"Error: \", err)\n\t\tresult.Status = \"FAILURE\"\n\t\tresult.Message = err.Error()\n\t\treturn result, err\n\t}\n\tif !match.Match {\n\t\tif rule.Severity == \"\" {\n\t\t\tresult.Status = \"FAILURE\"\n\t\t} else {\n\t\t\tresult.Status = rule.Severity\n\t\t}\n\t\tresult.Message = match.Message\n\t}\n\treturn result, nil\n}\n"
},
{
"path": "assertion/expression_test.go",
"content": "package assertion\n\nimport (\n\t\"encoding/json\"\n\t\"testing\"\n)\n\ntype ExpressionTestCase struct {\n\tRule Rule\n\tResource Resource\n\tExpectedStatus string\n}\n\nfunc TestCheckExpression(t *testing.T) {\n\n\tsimpleTestResource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\n\t\t\t\"instance_type\": \"t2.micro\",\n\t\t\t\"ami\": \"ami-f2d3638a\",\n\t\t},\n\t\tFilename: \"test.tf\",\n\t}\n\tresourceWithTags := Resource{\n\t\tID: \"another_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\n\t\t\t\"instance_type\": \"t2.micro\",\n\t\t\t\"ami\": \"ami-f2d3638a\",\n\t\t\t\"tags\": map[string]interface{}{\n\t\t\t\t\"Environment\": \"Development\",\n\t\t\t\t\"Project\": \"Web\",\n\t\t\t},\n\t\t},\n\t\tFilename: \"test.tf\",\n\t}\n\tresourceWithRootVolume := Resource{\n\t\tID: \"another_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\n\t\t\t\"instance_type\": \"t2.micro\",\n\t\t\t\"ami\": \"ami-f2d3638a\",\n\t\t\t\"root_block_device\": map[string]interface{}{\n\t\t\t\t\"volume_size\": \"1000\",\n\t\t\t},\n\t\t},\n\t\tFilename: \"test.tf\",\n\t}\n\n\ttestCases := map[string]ExpressionTestCase{\n\t\t\"testEq\": {\n\t\t\tRule{\n\t\t\t\tID: \"test1\",\n\t\t\t\tMessage: \"test rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testOr\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tOr: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"m4.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testOrFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tOr: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.nano\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"m4.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testXor\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tXor: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"m4.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testXorFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tXor: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testXorFailsAgain\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tXor: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"m3.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"c4.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testAnd\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tAnd: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"ami\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"ami-f2d3638a\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testAndFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tAnd: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"m3.medium\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"ami\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"ami-f2d3638a\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testNot\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tNot: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"c4.large\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testNotFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tNot: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testNestedNot\": {\n\t\t\tRule{\n\t\t\t\tID: \"TEST1\",\n\t\t\t\tMessage: \"Test Rule\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tNot: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tOr: []Expression{\n\t\t\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\t\t\tValue: \"t2.micro\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\t\t\tKey: \"instance_type\",\n\t\t\t\t\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\t\t\t\t\tValue: \"m3.medium\",\n\t\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tsimpleTestResource,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testSizeFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TESTCOUNT\",\n\t\t\t\tMessage: \"Test Resource Count Fails\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tKey: \"tags\",\n\t\t\t\t\t\tValueType: \"size\",\n\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\tValue: \"3\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tresourceWithTags,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testSizeOK\": {\n\t\t\tRule{\n\t\t\t\tID: \"TESTCOUNT\",\n\t\t\t\tMessage: \"Test Resource Count OK\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tKey: \"tags\",\n\t\t\t\t\t\tValueType: \"size\",\n\t\t\t\t\t\tOp: \"eq\",\n\t\t\t\t\t\tValue: \"2\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tresourceWithTags,\n\t\t\t\"OK\",\n\t\t},\n\t\t\"testIntegerFails\": {\n\t\t\tRule{\n\t\t\t\tID: \"TESTCOUNT\",\n\t\t\t\tMessage: \"Test integer Fails\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tKey: \"root_block_device.volume_size\",\n\t\t\t\t\t\tValueType: \"integer\",\n\t\t\t\t\t\tOp: \"le\",\n\t\t\t\t\t\tValue: \"500\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tresourceWithRootVolume,\n\t\t\t\"FAILURE\",\n\t\t},\n\t\t\"testIntegerOK\": {\n\t\t\tRule{\n\t\t\t\tID: \"TESTCOUNT\",\n\t\t\t\tMessage: \"Test integer OK\",\n\t\t\t\tSeverity: \"FAILURE\",\n\t\t\t\tResource: \"aws_instance\",\n\t\t\t\tAssertions: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tKey: \"root_block_device.volume_size\",\n\t\t\t\t\t\tValueType: \"integer\",\n\t\t\t\t\t\tOp: \"le\",\n\t\t\t\t\t\tValue: \"2000\",\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t\tresourceWithRootVolume,\n\t\t\t\"OK\",\n\t\t},\n\t}\n\n\tfor k, tc := range testCases {\n\t\texpressionResult, err := CheckExpression(tc.Rule, tc.Rule.Assertions[0], tc.Resource)\n\t\tFailTestIfError(err, \"TestSimple\", t)\n\t\tif expressionResult.Status != tc.ExpectedStatus {\n\t\t\tt.Errorf(\"%s Failed Expected '%s' to be '%s'\", k, expressionResult.Status, tc.ExpectedStatus)\n\t\t}\n\t}\n}\n\nfunc TestNestedBooleans(t *testing.T) {\n\trule := Rule{\n\t\tID: \"TEST1\",\n\t\tMessage: \"Do not allow access to port 22 from 0.0.0.0/0\",\n\t\tSeverity: \"NOT_COMPLIANT\",\n\t\tResource: \"aws_instance\",\n\t\tAssertions: []Expression{\n\t\t\tExpression{\n\t\t\t\tNot: []Expression{\n\t\t\t\t\tExpression{\n\t\t\t\t\t\tAnd: []Expression{\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"ipPermissions[].fromPort[]\",\n\t\t\t\t\t\t\t\tOp: \"contains\",\n\t\t\t\t\t\t\t\tValue: \"22\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t\tExpression{\n\t\t\t\t\t\t\t\tKey: \"ipPermissions[].ipRanges[]\",\n\t\t\t\t\t\t\t\tOp: \"contains\",\n\t\t\t\t\t\t\t\tValue: \"0.0.0.0/0\",\n\t\t\t\t\t\t\t},\n\t\t\t\t\t\t},\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t},\n\t\t},\n\t}\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{},\n\t\tFilename: \"test.tf\",\n\t}\n\tresourceJSON := `{\n \"description\": \"2017-12-03T03:14:29.856Z\",\n \"groupName\": \"test-8246\",\n \"ipPermissions\": [\n {\n \"fromPort\": \"22\",\n \"ipProtocol\": \"tcp\",\n \"toPort\": \"22\",\n \"ipv4Ranges\": [\n {\n \"cidrIp\": \"0.0.0.0/0\"\n }\n ],\n \"ipRanges\": [\n \"0.0.0.0/0\"\n ]\n }\n ]\n }`\n\terr := json.Unmarshal([]byte(resourceJSON), &resource.Properties)\n\tif err != nil {\n\t\tt.Error(\"Error parsing resource JSON\")\n\t}\n\texpressionResult, err := CheckExpression(rule, rule.Assertions[0], resource)\n\tFailTestIfError(err, \"TestNestedBoolean\", t)\n\tif expressionResult.Status != \"NOT_COMPLIANT\" {\n\t\tt.Error(\"Expecting nested boolean to return NOT_COMPLIANT\")\n\t}\n}\n\nfunc TestExceptions(t *testing.T) {\n\trule := Rule{\n\t\tID: \"EXCEPT\",\n\t\tExcept: []string{\"200\", \"300\"},\n\t}\n\tresources := []Resource{\n\t\tResource{ID: \"100\"},\n\t\tResource{ID: \"200\"},\n\t\tResource{ID: \"300\"},\n\t\tResource{ID: \"400\"},\n\t}\n\tfilteredResources := FilterResourceExceptions(rule, resources)\n\tif len(filteredResources) != 2 {\n\t\tt.Error(\"Expecting exceptions to be removed from resource list\")\n\t}\n}\n\nfunc TestNoExceptions(t *testing.T) {\n\trule := Rule{\n\t\tID: \"EXCEPT\",\n\t\tExcept: []string{},\n\t}\n\tresources := []Resource{\n\t\tResource{ID: \"100\"},\n\t\tResource{ID: \"200\"},\n\t\tResource{ID: \"300\"},\n\t\tResource{ID: \"400\"},\n\t}\n\tfilteredResources := FilterResourceExceptions(rule, resources)\n\tif len(filteredResources) != 4 {\n\t\tt.Error(\"Expecting no exceptions to return all resources\")\n\t}\n}\n\nfunc TestUsingFixtures(t *testing.T) {\n\tfixtureFilenames := []string{\n\t\t\"./testdata/collection-assertions.yaml\",\n\t\t\"./testdata/has-properties.yaml\",\n\t\t\"./testdata/conditions.yaml\",\n\t\t\"./testdata/default-severity.yaml\",\n\t}\n\n\tfor _, filename := range fixtureFilenames {\n\t\tRunTestCasesFromFixture(filename, t)\n\t}\n}\n"
},
{
"path": "assertion/has_properties.go",
"content": "package assertion\n\nimport (\n\t\"strings\"\n)\n\nfunc hasProperties(data interface{}, list string) (MatchResult, error) {\n\tfor _, key := range strings.Split(list, \",\") {\n\t\tif m, ok := data.(map[string]interface{}); ok {\n\t\t\tif _, ok := m[key]; !ok {\n\t\t\t\treturn doesNotMatch(\"should have property %v\", key)\n\t\t\t}\n\t\t}\n\t}\n\treturn matches()\n}\n"
},
{
"path": "assertion/helper_test.go",
"content": "package assertion\n\nimport (\n\t\"github.com/ghodss/yaml\"\n\t\"io/ioutil\"\n\t\"testing\"\n)\n\ntype (\n\t// FixtureTestCases is used to read a set of test cases from a YAML file\n\tFixtureTestCases struct {\n\t\tDescription string\n\t\tTestCases []FixtureTestCase `json:\"test_cases\"`\n\t}\n\n\t// FixtureTestCase describes a single test case\n\tFixtureTestCase struct {\n\t\tName string\n\t\tRule Rule\n\t\tResource Resource\n\t\tResult string\n\t}\n)\n\n// FailTestIfError is a helper to check err and call test Error if it is not nil\nfunc FailTestIfError(err error, message string, t *testing.T) {\n\tif err != nil {\n\t\tt.Error(message + \":\" + err.Error())\n\t}\n}\n\n// LoadTestCasesFromFixture reads YAML data describing test cases\nfunc LoadTestCasesFromFixture(filename string, t *testing.T) FixtureTestCases {\n\tvar testCases FixtureTestCases\n\tcontent, err := ioutil.ReadFile(filename)\n\tif err != nil {\n\t\tt.Errorf(\"Unable to read fixture file: %s\", filename)\n\t\treturn testCases\n\t}\n\terr = yaml.Unmarshal(content, &testCases)\n\tif err != nil {\n\t\tt.Errorf(\"Unable to parse fixture file: %s\", filename)\n\t\treturn testCases\n\t}\n\treturn testCases\n}\n\n// RunTestCasesFromFixture loads a YAML file describing test cases and runs them\nfunc RunTestCasesFromFixture(filename string, t *testing.T) {\n\tfixture := LoadTestCasesFromFixture(filename, t)\n\tfor _, testCase := range fixture.TestCases {\n\t\tstatus, _, err := CheckRule(testCase.Rule, testCase.Resource, mockExternalRuleInvoker())\n\t\tFailTestIfError(err, testCase.Name, t)\n\t\tif status != testCase.Result {\n\t\t\tt.Errorf(\"Test case %s returned %s expecting %s\", testCase.Name, status, testCase.Result)\n\t\t}\n\t}\n}\n"
},
{
"path": "assertion/invoke.go",
"content": "package assertion\n\nimport (\n\t\"bytes\"\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"net/http\"\n)\n\n// InvokeViolation has message describing a single validation error\ntype InvokeViolation struct {\n\tMessage string\n}\n\n// InvokeResponse contains a collection of validation errors\ntype InvokeResponse struct {\n\tViolations []InvokeViolation\n}\n\n// StandardExternalRuleInvoker implements an external HTTP or HTTPS call\ntype StandardExternalRuleInvoker struct {\n}\n\nfunc makeViolation(rule Rule, resource Resource, message string) Violation {\n\treturn Violation{\n\t\tRuleID: rule.ID,\n\t\tStatus: rule.Severity,\n\t\tResourceID: resource.ID,\n\t\tResourceType: resource.Type,\n\t\tCategory: resource.Category,\n\t\tFilename: resource.Filename,\n\t\tRuleMessage: rule.Message,\n\t\tAssertionMessage: message,\n\t\tCreatedAt: currentTime(),\n\t}\n}\n\nfunc makeViolations(rule Rule, resource Resource, message string) []Violation {\n\tv := makeViolation(rule, resource, message)\n\treturn []Violation{v}\n}\n\n// Invoke an external API to validate a Resource\nfunc (e StandardExternalRuleInvoker) Invoke(rule Rule, resource Resource) (string, []Violation, error) {\n\tstatus := \"OK\"\n\tviolations := make([]Violation, 0)\n\tvar payload interface{}\n\tpayload = resource\n\tif rule.Invoke.Payload != \"\" {\n\t\tp, err := SearchData(rule.Invoke.Payload, resource.Properties)\n\t\tif err != nil {\n\t\t\treturn status, violations, err\n\t\t}\n\t\tpayload = p\n\t}\n\tpayloadJSON, err := JSONStringify(payload)\n\tif err != nil {\n\t\tviolations := makeViolations(rule, resource, fmt.Sprintf(\"Unable to create JSON payload: %s\", err.Error()))\n\t\treturn rule.Severity, violations, err\n\t}\n\tDebugf(\"Invoke %s on %s\\n\", rule.Invoke.URL, payloadJSON)\n\thttpResponse, err := http.Post(rule.Invoke.URL, \"application/json\", bytes.NewBuffer([]byte(payloadJSON)))\n\tif err != nil {\n\t\tviolations := makeViolations(rule, resource, fmt.Sprintf(\"Invoke failed: %s\", err.Error()))\n\t\treturn rule.Severity, violations, err\n\t}\n\tif httpResponse.StatusCode != 200 {\n\t\tviolations := makeViolations(rule, resource, fmt.Sprintf(\"Invoke failed, StatusCode: %d\", httpResponse.StatusCode))\n\t\treturn rule.Severity, violations, nil\n\t}\n\tdefer httpResponse.Body.Close()\n\tbody, err := ioutil.ReadAll(httpResponse.Body)\n\tif err != nil {\n\t\tviolations := makeViolations(rule, resource, \"Invoke response cannot be read\")\n\t\treturn rule.Severity, violations, nil\n\t}\n\tDebugf(\"Invoke body: %s\\n\", string(body))\n\tvar invokeResponse InvokeResponse\n\terr = json.Unmarshal(body, &invokeResponse)\n\tif err != nil {\n\t\tviolations := makeViolations(rule, resource, \"Invoke response cannot be parsed\")\n\t\treturn rule.Severity, violations, nil\n\t}\n\tfor _, violation := range invokeResponse.Violations {\n\t\tstatus = rule.Severity\n\t\tv := makeViolation(rule, resource, violation.Message)\n\t\tviolations = append(violations, v)\n\t}\n\treturn status, violations, nil\n}\n"
},
{
"path": "assertion/invoke_test.go",
"content": "package assertion\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n)\n\nfunc TestInvokeOK(t *testing.T) {\n\n\tts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintln(w, \"{}\")\n\t}))\n\tdefer ts.Close()\n\n\ti := StandardExternalRuleInvoker{}\n\trule := Rule{\n\t\tInvoke: InvokeRuleAPI{\n\t\t\tURL: ts.URL,\n\t\t},\n\t}\n\tresource := Resource{}\n\tstatus, violations, err := i.Invoke(rule, resource)\n\tassert.Equal(t, \"OK\", status, \"Expecting Invoke to return 'OK'\")\n\tassert.Equal(t, 0, len(violations), \"Expecting Invoke to return no violations\")\n\tassert.Nil(t, err, \"Expecting Invoke to not return an error\")\n}\n\nfunc TestInvokeWithViolations(t *testing.T) {\n\tresponse := InvokeResponse{\n\t\tViolations: []InvokeViolation{\n\t\t\tInvokeViolation{Message: \"Something is not right\"},\n\t\t},\n\t}\n\tjsonData, err := json.Marshal(response)\n\tassert.Nil(t, err, \"Failed to marshal test response\")\n\tts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintln(w, string(jsonData))\n\t}))\n\tdefer ts.Close()\n\n\ti := StandardExternalRuleInvoker{}\n\trule := Rule{\n\t\tSeverity: \"FAILURE\",\n\t\tInvoke: InvokeRuleAPI{\n\t\t\tURL: ts.URL,\n\t\t},\n\t}\n\tresource := Resource{}\n\tstatus, violations, err := i.Invoke(rule, resource)\n\tassert.Equal(t, \"FAILURE\", status, \"Expecting Invoke to return 'FAILURE'\")\n\tassert.Equal(t, 1, len(violations), \"Expecting Invoke to return 1 violation\")\n\tassert.Nil(t, err, \"Expecting Invoke to not return an error\")\n}\n\nfunc TestInvokeSendsMetadata(t *testing.T) {\n\n\tvar invokedResource Resource\n\tts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tbody, _ := ioutil.ReadAll(r.Body)\n\t\t_ = json.Unmarshal(body, &invokedResource)\n\t\tfmt.Fprintln(w, \"{}\")\n\t}))\n\tdefer ts.Close()\n\n\ti := StandardExternalRuleInvoker{}\n\trule := Rule{\n\t\tInvoke: InvokeRuleAPI{\n\t\t\tURL: ts.URL,\n\t\t},\n\t}\n\tresource := Resource{\n\t\tFilename: \"example.tf\",\n\t}\n\ti.Invoke(rule, resource)\n\tassert.Equal(t, resource.Filename, invokedResource.Filename, \"Expecting filename metadata in request body\")\n}\n"
},
{
"path": "assertion/ip_operations.go",
"content": "package assertion\n\nimport (\n\t\"fmt\"\n\t\"math\"\n\t\"net\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nvar rfc1918PrivateCIDRs = []string{\"10.0.0.0/8\", \"172.16.0.0/12\", \"192.168.0.0/16\"}\n\nfunc getIPObject(addressString string) (net.IP, error) {\n\tif !strings.Contains(addressString, \"/\") {\n\t\taddressString = fmt.Sprintf(\"%s/32\", addressString)\n\t}\n\tipAddress, _, err := net.ParseCIDR(addressString)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\treturn ipAddress, nil\n}\n\nfunc isSubnet(ipAddressStr string, supernet string) bool {\n\tipAddress, parseError := getIPObject(ipAddressStr)\n\tif parseError != nil {\n\t\tDebugf(\"%v\", parseError)\n\t\treturn false\n\t}\n\t_, superNetwork, err := net.ParseCIDR(supernet)\n\tif err != nil {\n\t\tDebugf(\"error parsing supernet: %v\", err)\n\t}\n\treturn superNetwork.Contains(ipAddress)\n}\n\nfunc isPrivateIP(ipAddressStr string) bool {\n\tfor _, cidr := range rfc1918PrivateCIDRs {\n\t\tif isSubnet(ipAddressStr, cidr) {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc maxHostCount(ruleCidr string, hostLimitStr string) bool {\n\tif !strings.Contains(ruleCidr, \"/\") {\n\t\truleCidr = fmt.Sprintf(\"%s/32\", ruleCidr)\n\t}\n\thostLimit, convErr := strconv.Atoi(hostLimitStr)\n\tif convErr != nil {\n\t\tDebugf(\"error converting %v to int\", hostLimitStr)\n\t\thostLimit = 0\n\t}\n\t_, network, err := net.ParseCIDR(ruleCidr)\n\tif err != nil {\n\t\tDebugf(\"error parsing ruleCidr: %v\", ruleCidr)\n\t\treturn false\n\t}\n\tnetmaskOnes, _ := network.Mask.Size()\n\treturn hostCountByNetmaskOnes(netmaskOnes) <= hostLimit\n}\n\nfunc hostCountByNetmaskOnes(netmaskOnes int) int {\n\treturn int(math.Pow(float64(2), float64(32-netmaskOnes)))\n}\n"
},
{
"path": "assertion/ip_operations_test.go",
"content": "package assertion\n\nimport (\n\t\"testing\"\n)\n\nvar ipTests = []struct {\n\tvalue string\n\tsupernet string\n\texpectedResult bool\n}{\n\t{\"1.1.1.1\", \"10.0.0.0/8\", false},\n\t{\"1.1.1.1/32\", \"10.0.0.0/8\", false},\n\t{\"10.1.0.0/16\", \"10.0.0.0/8\", true},\n\t{\"10.1.1.1/32\", \"10.0.0.0/8\", true},\n\t{\"10.1.1.1\", \"10.0.0.0/8\", true},\n}\n\nfunc TestIsSubnet(t *testing.T) {\n\tfor _, input := range ipTests {\n\t\tt.Run(input.value, func(t *testing.T) {\n\t\t\tresult := isSubnet(input.value, input.supernet)\n\t\t\tif result != input.expectedResult {\n\t\t\t\tt.Errorf(\"got %v, want %v\", result, input.expectedResult)\n\t\t\t}\n\t\t})\n\t}\n}\n\nvar privateIPTests = []struct {\n\tvalue string\n\texpectedResult bool\n}{\n\t{\"1.1.1.1\", false},\n\t{\"1.1.1.1/32\", false},\n\t{\"10.1.0.0/16\", true},\n\t{\"10.1.1.1/32\", true},\n\t{\"10.1.1.1\", true},\n\t{\"172.16.0.0/12\", true},\n\t{\"172.0.0.0/8\", false},\n\t{\"172.16.1.1\", true},\n\t{\"172.15.1.1\", false},\n\t{\"192.168.1.1\", true},\n\t{\"52.1.1.1\", false},\n\t{\"sg-1234567\", false},\n}\n\nfunc TestIsPrivateIp(t *testing.T) {\n\tfor _, input := range privateIPTests {\n\t\tt.Run(input.value, func(t *testing.T) {\n\t\t\tresult := isPrivateIP(input.value)\n\t\t\tif result != input.expectedResult {\n\t\t\t\tt.Errorf(\"got %v, want %v\", result, input.expectedResult)\n\t\t\t}\n\t\t})\n\t}\n}\n\nvar maxHostCountTests = []struct {\n\tvalue string\n\tmax string\n\texpectedResult bool\n}{\n\t{\"10.0.0.0/8\", \"1000\", false},\n\t{\"10.0.0.0/23\", \"500\", false},\n\t{\"10.1.0.0/16\", \"65600\", true},\n\t{\"10.1.1.1/32\", \"2\", true},\n\t{\"10.1.1.1/32\", \"1\", true},\n\t{\"10.1.1.1\", \"1\", true},\n\t{\"sg-1234567\", \"0\", false},\n}\n\nfunc TestMaxHostCount(t *testing.T) {\n\tfor _, input := range maxHostCountTests {\n\t\tt.Run(input.value, func(t *testing.T) {\n\t\t\tresult := maxHostCount(input.value, input.max)\n\t\t\tif result != input.expectedResult {\n\t\t\t\tt.Errorf(\"got %v, want %v\", result, input.expectedResult)\n\t\t\t}\n\t\t})\n\t}\n}\n"
},
{
"path": "assertion/log.go",
"content": "package assertion\n\nimport \"fmt\"\n\nvar (\n\tisDebug = false\n)\n\n// SetDebug turns verbose logging on or off\nfunc SetDebug(b bool) {\n\tisDebug = b\n}\n\n// Debugf prints a formatted string when verbose logging is turned on\nfunc Debugf(format string, args ...interface{}) {\n\tif isDebug == false {\n\t\treturn\n\t}\n\tfmt.Printf(format, args...)\n}\n\nfunc DebugJSON(title string, object interface{}) {\n\tif isDebug == false {\n\t\treturn\n\t}\n\ts, _ := JSONStringify(object)\n\tfmt.Println(title)\n\tfmt.Println(s)\n}\n"
},
{
"path": "assertion/match.go",
"content": "package assertion\n\nimport (\n\t\"fmt\"\n\t\"regexp\"\n\t\"strings\"\n)\n\nfunc matches() (MatchResult, error) {\n\treturn MatchResult{Match: true, Message: \"\"}, nil\n}\n\nfunc doesNotMatch(format string, args ...interface{}) (MatchResult, error) {\n\treturn MatchResult{\n\t\tMatch: false,\n\t\tMessage: fmt.Sprintf(format, args...),\n\t}, nil\n}\n\nfunc matchError(err error) (MatchResult, error) {\n\treturn MatchResult{\n\t\tMatch: false,\n\t\tMessage: err.Error(),\n\t}, err\n}\n\nfunc isMatch(data interface{}, expression Expression) (MatchResult, error) {\n\t// FIXME eliminate searchResult this when all operations converted to use data\n\t// individual ops can call JSONStringify as needed\n\tsearchResult, err := JSONStringify(data)\n\tif err != nil {\n\t\treturn matchError(err)\n\t}\n\tsearchResult = unquoted(searchResult)\n\tkey := expression.Key\n\top := expression.Op\n\tvalue := expression.Value\n\tvalueType := expression.ValueType\n\n\tswitch op {\n\tcase \"eq\":\n\t\tif compare(data, value, valueType) == 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be equal to %v\", key, searchResult, value)\n\tcase \"ne\":\n\t\tif compare(data, value, valueType) != 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should not be equal to %v\", key, searchResult, value)\n\tcase \"lt\":\n\t\tif compare(data, value, valueType) < 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be less than %v\", key, searchResult, value)\n\tcase \"le\":\n\t\tif compare(data, value, valueType) <= 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be less than or equal to %v\", key, searchResult, value)\n\tcase \"gt\":\n\t\tif compare(data, value, valueType) > 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be greater than %v\", key, searchResult, value)\n\tcase \"ge\":\n\t\tif compare(data, value, valueType) >= 0 {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be greater than or equal to %v\", key, searchResult, value)\n\tcase \"in\":\n\t\tfor _, v := range strings.Split(value, \",\") {\n\t\t\tif v == searchResult {\n\t\t\t\treturn matches()\n\t\t\t}\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should be in %v\", key, searchResult, value)\n\tcase \"not-in\":\n\t\tfor _, v := range strings.Split(value, \",\") {\n\t\t\tif v == searchResult {\n\t\t\t\treturn doesNotMatch(\"%v(%v) should not be in %v\", key, searchResult, value)\n\t\t\t}\n\t\t}\n\t\treturn matches()\n\tcase \"absent\":\n\t\tif isAbsent(searchResult) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be absent\", key)\n\tcase \"present\":\n\t\tif isPresent(searchResult) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be present\", key)\n\tcase \"null\":\n\t\tif data == nil {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be null\", key)\n\tcase \"not-null\":\n\t\tif data != nil {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should not be null\", key)\n\tcase \"empty\":\n\t\tif isEmpty(data) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be empty\", key)\n\tcase \"not-empty\":\n\t\tif !isEmpty(data) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should not be empty\", key)\n\tcase \"is-array\":\n\t\tif isArray(data) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be an array\", key)\n\tcase \"is-not-array\":\n\t\tif !isArray(data) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should not be an array\", key)\n\tcase \"intersect\":\n\t\tif jsonListsIntersect(searchResult, value) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should intersect with %v\", key, value)\n\tcase \"contains\":\n\t\treturn contains(data, key, value)\n\tcase \"not-contains\":\n\t\treturn doesNotContain(data, key, value)\n\tcase \"does-not-contain\":\n\t\treturn doesNotContain(data, key, value)\n\tcase \"starts-with\":\n\t\treturn startsWith(data, key, value)\n\tcase \"ends-with\":\n\t\treturn endsWith(data, key, value)\n\tcase \"regex\":\n\t\tre, err := regexp.Compile(value)\n\t\tif err != nil {\n\t\t\treturn matchError(err)\n\t\t}\n\t\tif re.MatchString(searchResult) {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v(%v) should match %v\", key, searchResult, value)\n\tcase \"has-properties\":\n\t\treturn hasProperties(data, value)\n\tcase \"is-true\":\n\t\tif searchResult == \"true\" {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be 'true', not '%v'\", key, value)\n\tcase \"is-false\":\n\t\tif searchResult == \"false\" {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be 'false', not '%v'\", key, value)\n\tcase \"is-subnet\":\n\t\tisSubnet := isSubnet(searchResult, value)\n\t\tif isSubnet {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be a subnet of %v\", searchResult, value)\n\tcase \"is-private-ip\":\n\t\tisPrivate := isPrivateIP(searchResult)\n\t\tif isPrivate {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be a private ip\", searchResult)\n\tcase \"max-host-count\":\n\t\thostCountWithinLimit := maxHostCount(searchResult, value)\n\t\tif hostCountWithinLimit {\n\t\t\treturn matches()\n\t\t}\n\t\treturn doesNotMatch(\"%v should be less than or equal to %v\", searchResult, value)\n\t}\n\treturn doesNotMatch(\"unknown op %v\", op)\n}\n"
},
{
"path": "assertion/match_test.go",
"content": "package assertion\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"testing\"\n)\n\ntype MatchTestCase struct {\n\tSearchResult interface{}\n\tOp string\n\tValue string\n\tValueType string\n\tExpectedResult bool\n}\n\nfunc getQuotesRight(jsonString string) string {\n\tif len(jsonString) == 0 {\n\t\treturn jsonString\n\t}\n\tif jsonString[0] != '[' {\n\t\tjsonString = quoted(jsonString)\n\t}\n\treturn jsonString\n}\n\nfunc unmarshal(s string) (interface{}, error) {\n\tvar searchResult interface{}\n\tjsonString := getQuotesRight(s)\n\tif len(jsonString) > 0 {\n\t\terr := json.Unmarshal([]byte(jsonString), &searchResult)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t}\n\treturn searchResult, nil\n}\n\nfunc TestIsMatch(t *testing.T) {\n\n\tsliceOfTags := []interface{}{\"Foo\", \"Bar\"}\n\temptySlice := []interface{}{}\n\tanotherSlice := []interface{}{\"One\", \"Two\"}\n\tstringSlice := []string{\"One\", \"Two\"}\n\n\ttestCases := map[string]MatchTestCase{\n\t\t\"eqTrue\": {\"Foo\", \"eq\", \"Foo\", \"\", true},\n\t\t\"eqFalse\": {\"Foo\", \"eq\", \"Bar\", \"\", false},\n\t\t\"eqIntegerTrue\": {22, \"eq\", \"22\", \"integer\", true},\n\t\t\"eqIntegerFalse\": {80, \"eq\", \"22\", \"integer\", false},\n\t\t\"neFalse\": {\"Foo\", \"ne\", \"Foo\", \"\", false},\n\t\t\"neTrue\": {\"Foo\", \"ne\", \"Bar\", \"\", true},\n\t\t\"inTrue\": {\"Foo\", \"in\", \"Foo,Bar,Baz\", \"\", true},\n\t\t\"inFalse\": {\"Foo\", \"in\", \"Bar,Baz\", \"\", false},\n\t\t\"notInFalse\": {\"Foo\", \"not-in\", \"Foo,Bar,Baz\", \"\", false},\n\t\t\"notInTrue\": {\"Foo\", \"not-in\", \"Bar,Baz\", \"\", true},\n\t\t\"absentFalse\": {\"Foo\", \"absent\", \"\", \"\", false},\n\t\t\"absentTrueForEmptyString\": {\"\", \"absent\", \"\", \"\", true},\n\t\t\"absentTrueForNull\": {\"null\", \"absent\", \"\", \"\", true},\n\t\t\"absentTrueForEmptyArray\": {\"[]\", \"absent\", \"\", \"\", true},\n\t\t\"presentTrue\": {sliceOfTags, \"present\", \"\", \"\", true},\n\t\t\"presentStringTrue\": {\"Foo\", \"present\", \"\", \"\", true},\n\t\t\"presentFalseForNil\": {nil, \"present\", \"\", \"\", false},\n\t\t\"presentFalseForEmptyString\": {\"\", \"present\", \"\", \"\", false},\n\t\t\"presentFalseForNull\": {\"null\", \"present\", \"\", \"\", false},\n\t\t\"presentFalseForEmptyArray\": {\"[]\", \"present\", \"\", \"\", false},\n\t\t\"containsTrueForString\": {\"Foo\", \"contains\", \"oo\", \"\", true},\n\t\t\"containsFalseForString\": {\"Foo\", \"contains\", \"aa\", \"\", false},\n\t\t\"containsTrueForSlice\": {sliceOfTags, \"contains\", \"Bar\", \"\", true},\n\t\t\"containsFalseForSubstring\": {sliceOfTags, \"contains\", \"abc\", \"\", false},\n\t\t\"containsTrueForSliceOfStrings\": {stringSlice, \"contains\", \"One\", \"\", true},\n\t\t\"containsFalseForSliceOfStrings\": {stringSlice, \"contains\", \"Three\", \"\", false},\n\t\t\"containsTrueForInt\": {1, \"contains\", \"1\", \"\", true},\n\t\t\"containsFalseForInt\": {1, \"contains\", \"One\", \"\", false},\n\t\t\"notContainsFalseForString\": {\"Foo\", \"does-not-contain\", \"oo\", \"\", false},\n\t\t\"notContainsTrueForString\": {\"Foo\", \"does-not-contain\", \"aa\", \"\", true},\n\t\t\"notContainsFalseForSlice\": {sliceOfTags, \"does-not-contain\", \"Bar\", \"\", false},\n\t\t\"notContainsTrueForSubstring\": {sliceOfTags, \"does-not-contain\", \"abc\", \"\", true},\n\t\t\"regexTrueForEndOfString\": {\"Foo\", \"regex\", \"o$\", \"\", true},\n\t\t\"regexFalseForEndOfString\": {\"Bar\", \"regex\", \"o$\", \"\", false},\n\t\t\"regExTrueForBeginningOfString\": {\"Foo\", \"regex\", \"^F\", \"\", true},\n\t\t\"regExFalseForBeginningOfString\": {\"Foo\", \"regex\", \"^B\", \"\", false},\n\t\t\"reqExFalseForEntireString\": {\"Foo\", \"regex\", \"^Bar$\", \"\", false},\n\t\t\"regExIgnoreCaseTrue\": {\"HTTPS\", \"regex\", \"(?i)https\", \"\", true},\n\t\t\"regexIgnoreCaseFalse\": {\"HTTP\", \"regex\", \"(?i)https\", \"\", false},\n\t\t\"ltTrue\": {\"a\", \"lt\", \"b\", \"\", true},\n\t\t\"ltFalse\": {\"a\", \"lt\", \"a\", \"\", false},\n\t\t\"leTrue\": {\"a\", \"le\", \"a\", \"\", true},\n\t\t\"leFalse\": {\"b\", \"le\", \"a\", \"\", false},\n\t\t\"gtTrue\": {\"b\", \"gt\", \"a\", \"\", true},\n\t\t\"gtFalse\": {\"b\", \"gt\", \"b\", \"\", false},\n\t\t\"geTrue\": {\"b\", \"ge\", \"b\", \"\", true},\n\t\t\"geFalse\": {\"b\", \"ge\", \"c\", \"\", false},\n\t\t\"nullTrue\": {\"\", \"null\", \"\", \"\", true},\n\t\t\"nullFalse\": {\"1\", \"null\", \"\", \"\", false},\n\t\t\"notNullFalse\": {\"\", \"not-null\", \"\", \"\", false},\n\t\t\"notNullTrue\": {\"1\", \"not-null\", \"\", \"\", true},\n\t\t\"emptyTrueForEmptyString\": {\"\", \"empty\", \"\", \"\", true},\n\t\t\"emptyFalseForString\": {\"Foo\", \"empty\", \"\", \"\", false},\n\t\t\"emptyTrueForEmptySlice\": {emptySlice, \"empty\", \"\", \"\", true},\n\t\t\"emptyFalseForSlice\": {sliceOfTags, \"empty\", \"\", \"\", false},\n\t\t\"notEmptyFalseForEmptyString\": {\"\", \"not-empty\", \"\", \"\", false},\n\t\t\"notEmptyTrueForString\": {\"Foo\", \"not-empty\", \"\", \"\", true},\n\t\t\"notEmptyFalseForEmptySlice\": {emptySlice, \"not-empty\", \"\", \"\", false},\n\t\t\"notEmptyTrueForSlice\": {sliceOfTags, \"not-empty\", \"\", \"\", true},\n\t\t\"intersectTrue\": {\"[\\\"one\\\",\\\"two\\\"]\", \"intersect\", \"[\\\"two\\\",\\\"three\\\"]\", \"\", true},\n\t\t\"intersectFalse\": {\"[\\\"one\\\",\\\"two\\\"]\", \"intersect\", \"[\\\"three\\\",\\\"four\\\"]\", \"\", false},\n\t\t\"eqSizeTrue\": {anotherSlice, \"eq\", \"2\", \"size\", true},\n\t\t\"eqSizeFalse\": {anotherSlice, \"eq\", \"3\", \"size\", false},\n\t\t\"isTrue\": {\"true\", \"is-true\", \"\", \"\", true},\n\t\t\"isNotTrue\": {\"false\", \"is-true\", \"\", \"\", false},\n\t\t\"isFalse\": {\"false\", \"is-false\", \"\", \"\", true},\n\t\t\"isNotFalse\": {\"100\", \"is-false\", \"\", \"\", false},\n\t\t\"startsWithTrue\": {\"FooBar\", \"starts-with\", \"Foo\", \"\", true},\n\t\t\"startsWithFalse\": {\"FooBar\", \"starts-with\", \"Bar\", \"\", false},\n\t\t\"startsWithNonString\": {1, \"starts-with\", \"Foo\", \"\", false},\n\t\t\"endsWithTrue\": {\"FooBar\", \"ends-with\", \"Bar\", \"\", true},\n\t\t\"endsWithFalse\": {\"FooBar\", \"ends-with\", \"Foo\", \"\", false},\n\t\t\"endsartWithNonString\": {1, \"ends-with\", \"Foo\", \"\", false},\n\t\t\"isArrayTrue\": {sliceOfTags, \"is-array\", \"\", \"\", true},\n\t\t\"isArrayFalse\": {\"Foo\", \"is-array\", \"\", \"\", false},\n\t\t\"isNotArrayTrue\": {sliceOfTags, \"is-not-array\", \"\", \"\", false},\n\t\t\"isNotArrayFalse\": {\"Foo\", \"is-not-array\", \"\", \"\", true},\n\t}\n\tfor k, tc := range testCases {\n\t\tvar m MatchResult\n\t\tvar err error\n\t\texpression := Expression{\n\t\t\tKey: \"key\",\n\t\t\tOp: tc.Op,\n\t\t\tValue: tc.Value,\n\t\t\tValueType: tc.ValueType,\n\t\t}\n\t\tif s, isString := tc.SearchResult.(string); isString {\n\t\t\tsearchResult, err := unmarshal(s)\n\t\t\tif err != nil {\n\t\t\t\tfmt.Println(err)\n\t\t\t\tt.Errorf(\"Unable to parse %s\\n\", tc.SearchResult)\n\t\t\t}\n\t\t\tm, err = isMatch(searchResult, expression)\n\t\t} else {\n\t\t\tm, err = isMatch(tc.SearchResult, expression)\n\t\t}\n\t\tif err != nil {\n\t\t\tt.Errorf(\"%s Failed with error: %s\", k, err.Error())\n\t\t}\n\t\tif m.Match != tc.ExpectedResult {\n\t\t\tt.Errorf(\"%s Failed Expected '%s' %s '%s' to be %t\", k, tc.SearchResult, tc.Op, tc.Value, tc.ExpectedResult)\n\t\t}\n\t}\n}\n"
},
{
"path": "assertion/rules.go",
"content": "package assertion\n\nimport (\n\t\"errors\"\n\t\"github.com/ghodss/yaml\"\n)\n\n// ParseRules converts YAML string content to a Result\nfunc ParseRules(rules string) (RuleSet, error) {\n\tr := RuleSet{}\n\terr := yaml.Unmarshal([]byte(rules), &r)\n\treturn r, err\n}\n\n// FilterRulesByTag selects a subset of rules based on a tag\nfunc FilterRulesByTag(rules []Rule, tags []string) []Rule {\n\tfilteredRules := make([]Rule, 0)\n\tfor _, rule := range rules {\n\t\tif tags == nil || listsIntersect(tags, rule.Tags) {\n\t\t\tfilteredRules = append(filteredRules, rule)\n\t\t}\n\t}\n\treturn filteredRules\n}\n\n// FilterRulesByID selectes a subset of rules based on ID\nfunc FilterRulesByID(rules []Rule, ruleIDs []string, ignoreRuleIDs []string) []Rule {\n\tif len(ruleIDs) == 0 && len(ignoreRuleIDs) == 0 {\n\t\treturn rules\n\t}\n\tfilteredRules := make([]Rule, 0)\n\tfor _, rule := range rules {\n\t\tinclude := false\n\t\tfor _, id := range ruleIDs {\n\t\t\tif id == rule.ID {\n\t\t\t\tinclude = true\n\t\t\t}\n\t\t}\n\t\tif len(ignoreRuleIDs) > 0 {\n\t\t\tinclude = true\n\t\t\tfor _, id := range ignoreRuleIDs {\n\t\t\t\tif id == rule.ID {\n\t\t\t\t\tinclude = false\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\tif include {\n\t\t\tfilteredRules = append(filteredRules, rule)\n\t\t}\n\t}\n\treturn filteredRules\n}\n\nfunc uniqueRules(list []Rule) []Rule {\n\trules := make([]Rule, 0)\n\tkeys := make(map[string]bool, 0)\n\tfor _, rule := range list {\n\t\tif _, ok := keys[rule.ID]; !ok {\n\t\t\tkeys[rule.ID] = true\n\t\t\trules = append(rules, rule)\n\t\t}\n\t}\n\treturn rules\n}\n\n// FilterRulesByTagAndID filters by both tag and id\nfunc FilterRulesByTagAndID(rules []Rule, tags []string, ruleIds []string, ignoreRuleIds []string) []Rule {\n\tif len(tags) == 0 && len(ruleIds) == 0 && len(ignoreRuleIds) == 0 {\n\t\treturn rules\n\t}\n\tif len(tags) == 0 {\n\t\treturn FilterRulesByID(rules, ruleIds, ignoreRuleIds)\n\t}\n\tif len(ruleIds) == 0 {\n\t\treturn FilterRulesByTag(rules, tags)\n\t}\n\treturn uniqueRules(append(FilterRulesByID(rules, ruleIds, ignoreRuleIds), FilterRulesByTag(rules, tags)...))\n}\n\n// ResolveRules loads any dynamic values for a collection or rules\nfunc ResolveRules(rules []Rule, valueSource ValueSource) ([]Rule, []Violation) {\n\tresolvedRules := []Rule{}\n\tviolations := []Violation{}\n\tfor _, rule := range rules {\n\t\tr, vs := ResolveRule(rule, valueSource)\n\t\tresolvedRules = append(resolvedRules, r)\n\t\tviolations = append(violations, vs...)\n\t}\n\treturn resolvedRules, violations\n}\n\n// ResolveRule loads any dynamic values for a single Rule\nfunc ResolveRule(rule Rule, valueSource ValueSource) (Rule, []Violation) {\n\tresolvedRule := rule\n\tresolvedRule.Assertions = []Expression{}\n\tviolations := []Violation{}\n\tfor _, assertion := range rule.Assertions {\n\t\tvalue, err := valueSource.GetValue(assertion)\n\t\tif err != nil {\n\t\t\tDebugf(\"ResolveRule error: %s\\n\", err.Error())\n\t\t\tviolations = append(violations, Violation{\n\t\t\t\tCategory: \"load\",\n\t\t\t\tRuleID: \"RULE_RESOLVE\",\n\t\t\t\tResourceID: rule.ID,\n\t\t\t\tResourceType: \"rule\",\n\t\t\t\tStatus: \"FAILURE\",\n\t\t\t\tRuleMessage: \"Unable to resolve value in rule\",\n\t\t\t\tAssertionMessage: err.Error(),\n\t\t\t\tCreatedAt: currentTime(),\n\t\t\t})\n\t\t}\n\t\tresolvedAssertion := assertion\n\t\tresolvedAssertion.Value = value\n\t\tresolvedAssertion.ValueFrom = ValueFrom{}\n\t\tresolvedRule.Assertions = append(resolvedRule.Assertions, resolvedAssertion)\n\t}\n\treturn resolvedRule, violations\n}\n\n// CheckRule returns a list of violations for a single Rule applied to a single Resource\nfunc CheckRule(rule Rule, resource Resource, e ExternalRuleInvoker) (string, []Violation, error) {\n\treturnStatus := \"OK\"\n\tviolations := make([]Violation, 0)\n\tif ExcludeResource(rule, resource) {\n\t\tDebugf(\"Ignoring resource: %s\", resource.ID)\n\t\treturn returnStatus, violations, nil\n\t}\n\tif rule.Invoke.URL != \"\" {\n\t\treturn e.Invoke(rule, resource)\n\t}\n\tmatch, err := andExpression(rule.Conditions, resource)\n\tif err != nil {\n\t\treturn \"FAILURE\", violations, err\n\t}\n\tif !match.Match {\n\t\treturn returnStatus, violations, nil\n\t}\n\tfor _, ruleAssertion := range rule.Assertions {\n\t\tDebugf(\"Checking Category: %s, Type: %s, Id: %s\\n\", resource.Category, resource.Type, resource.ID)\n\t\texpressionResult, err := CheckExpression(rule, ruleAssertion, resource)\n\t\tif err != nil {\n\t\t\treturn \"FAILURE\", violations, err\n\t\t}\n\t\tif expressionResult.Status != \"OK\" {\n\t\t\t// If the rule has category (e.g. Terraform rules), then return violations for that category only.\n\t\t\t// If the rule has no category it will be applied to all resources as normal.\n\t\t\tif rule.Category != \"\" && rule.Category != resource.Category {\n\t\t\t break\n\t\t\t}\n\t\t\treturnStatus = expressionResult.Status\n\t\t\tv := Violation{\n\t\t\t\tRuleID: rule.ID,\n\t\t\t\tResourceID: resource.ID,\n\t\t\t\tResourceType: resource.Type,\n\t\t\t\tCategory: resource.Category,\n\t\t\t\tStatus: expressionResult.Status,\n\t\t\t\tRuleMessage: rule.Message,\n\t\t\t\tAssertionMessage: expressionResult.Message,\n\t\t\t\tFilename: resource.Filename,\n\t\t\t\tLineNumber: resource.LineNumber,\n\t\t\t\tCreatedAt: currentTime(),\n\t\t\t}\n\t\t\tviolations = append(violations, v)\n\t\t}\n\t}\n\treturn returnStatus, violations, nil\n}\n\n// Join two RuleSets together\nfunc JoinRuleSets(firstSet RuleSet, secondSet RuleSet) (RuleSet, error) {\n\t// if one of the sets is empty, return the other\n\t// if both are empty, an empty set is returned\n\tif len(firstSet.Rules) == 0 {\n\t\treturn secondSet, nil\n\t} else if len(secondSet.Rules) == 0 {\n\t\treturn firstSet, nil\n\t}\n\n\t// RuleSets must match Type and Version\n\t// Description will be taken from the first given rule set\n\tif firstSet.Type != secondSet.Type || firstSet.Version != secondSet.Version {\n\t\treturn firstSet, errors.New(\"RuleSet Type and Version must match\")\n\t} else {\n\t\tjoinedSet := RuleSet{}\n\t\tjoinedSet.Type = firstSet.Type\n\t\tjoinedSet.Description = firstSet.Description\n\t\tjoinedSet.Files = append(firstSet.Files, secondSet.Files...)\n\t\tjoinedSet.Rules = append(firstSet.Rules, secondSet.Rules...)\n\t\tjoinedSet.Version = firstSet.Version\n\t\tjoinedSet.Resources = append(firstSet.Resources, secondSet.Resources...)\n\t\tjoinedSet.Columns = append(firstSet.Columns, secondSet.Columns...)\n\t\treturn joinedSet, nil\n\t}\n}\n"
},
{
"path": "assertion/rules_test.go",
"content": "package assertion\n\nimport (\n\t\"errors\"\n\t\"testing\"\n)\n\n// TestValueSource provides test values\n\ntype TestValueSource struct{}\n\nfunc (t TestValueSource) GetValue(expression Expression) (string, error) {\n\tif expression.Value != \"\" {\n\t\treturn expression.Value, nil\n\t}\n\treturn \"m3.medium\", nil\n}\n\nfunc testValueSource() ValueSource {\n\treturn TestValueSource{}\n}\n\n// TestValueSourceWithError simulates errors for value provider\n\ntype TestValueSourceWithError struct{}\n\nfunc (t TestValueSourceWithError) GetValue(expression Expression) (string, error) {\n\treturn \"\", errors.New(\"GET_VALUE_ERROR\")\n}\n\nfunc testValueSourceWithError() ValueSource {\n\treturn TestValueSourceWithError{}\n}\n\n// MockExternalRuleInvoker simulates invocation of external endpoints to get values\n\ntype MockExternalRuleInvoker int\n\nfunc mockExternalRuleInvoker() *MockExternalRuleInvoker {\n\tvar m MockExternalRuleInvoker\n\treturn &m\n}\n\nfunc (e *MockExternalRuleInvoker) Invoke(Rule, Resource) (string, []Violation, error) {\n\t*e++\n\tnoViolations := make([]Violation, 0)\n\treturn \"OK\", noViolations, nil\n}\n\nvar content = `Rules:\n - id: TEST1\n message: Test message\n resource: aws_instance\n severity: WARNING\n assertions:\n - key: instance_type\n op: in\n value: t2.micro\n tags:\n - ec2\n - id: TEST2\n message: Test message\n resource: aws_s3_bucket\n severity: WARNING\n assertions:\n - key: name\n op: eq\n value: bucket1\n tags:\n - s3\n - id: TEST3\n message: Test message\n resource: aws_ebs_volume\n severity: WARNING\n assertions:\n - key: size\n op: le\n value: 1000\n value_type: integer\n tags:\n - ebs\n`\n\nfunc MustParseRules(content string, t *testing.T) RuleSet {\n\tr, err := ParseRules(content)\n\tif err != nil {\n\t\tt.Error(\"Unable to parse:\" + content)\n\t}\n\treturn r\n}\n\nfunc TestParseRules(t *testing.T) {\n\tr := MustParseRules(content, t)\n\tif len(r.Rules) != 3 {\n\t\tt.Error(\"Expected to parse 3 rules\")\n\t}\n}\n\ntype FilterTestCase struct {\n\tTags []string\n\tIds []string\n\tIgnoreIds []string\n\tExpectedRules []string\n}\n\nfunc TestFilterRules(t *testing.T) {\n\n\tvar emptyTags []string\n\tvar emptyIds []string\n\n\ttestCases := map[string]FilterTestCase{\n\t\t\"allRules\": FilterTestCase{emptyTags, emptyIds, emptyIds, []string{\"TEST1\", \"TEST2\", \"TEST3\"}},\n\t\t\"tags\": FilterTestCase{[]string{\"s3\"}, emptyIds, emptyIds, []string{\"TEST2\"}},\n\t\t\"rules\": FilterTestCase{emptyTags, []string{\"TEST1\"}, emptyIds, []string{\"TEST1\"}},\n\t\t\"both\": FilterTestCase{[]string{\"s3\"}, []string{\"TEST1\"}, emptyIds, []string{\"TEST1\", \"TEST2\"}},\n\t\t\"overlap\": FilterTestCase{[]string{\"s3\"}, []string{\"TEST2\"}, emptyIds, []string{\"TEST2\"}},\n\t\t\"exclude\": FilterTestCase{emptyTags, emptyIds, []string{\"TEST1\"}, []string{\"TEST2\", \"TEST3\"}},\n\t}\n\tfor k, tc := range testCases {\n\t\tr := FilterRulesByTagAndID(MustParseRules(content, t).Rules, tc.Tags, tc.Ids, tc.IgnoreIds)\n\t\tif len(r) != len(tc.ExpectedRules) {\n\t\t\tt.Errorf(\"Expected %s to include %d rules not %d\\n\", k, len(tc.ExpectedRules), len(r))\n\t\t}\n\t}\n}\n\nfunc TestFilterRulesByTagAndID(t *testing.T) {\n\ttags := []string{\"s3\"}\n\tids := []string{\"TEST3\"}\n\tr := FilterRulesByTagAndID(MustParseRules(content, t).Rules, tags, ids, []string{})\n\tif len(r) != 2 {\n\t\tt.Error(\"Expected filterRulesByTag to return 2 rules\")\n\t}\n\tfor _, rule := range r {\n\t\tif rule.ID != \"TEST2\" && rule.ID != \"TEST3\" {\n\t\t\tt.Error(\"Expected filterRulesByTagAndID to select correct rules\")\n\t\t}\n\t}\n}\n\nvar ruleWithMultipleFilters = `Rules:\n - id: TEST1\n message: Test message\n resource: aws_instance\n severity: FAILURE\n assertions:\n - key: instance_type\n op: eq\n value: t2.micro\n - key: ami\n op: eq\n value: ami-000000\n`\n\nfunc TestRuleWithMultipleFilter(t *testing.T) {\n\trules := MustParseRules(ruleWithMultipleFilters, t)\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\"instance_type\": \"t2.micro\", \"ami\": \"ami-000000\"},\n\t\tFilename: \"test.tf\",\n\t}\n\tstatus, violations, err := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker())\n\tif err != nil {\n\t\tt.Error(\"Error in CheckRule:\" + err.Error())\n\t}\n\tif status != \"OK\" {\n\t\tt.Error(\"Expecting multiple rule to match\")\n\t}\n\tif len(violations) != 0 {\n\t\tt.Error(\"Expecting multiple rule to have zero violations\")\n\t}\n}\n\nfunc TestMultipleFiltersWithSingleFailure(t *testing.T) {\n\trules := MustParseRules(ruleWithMultipleFilters, t)\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\"instance_type\": \"t2.micro\", \"ami\": \"ami-111111\"},\n\t\tFilename: \"test.tf\",\n\t}\n\tstatus, violations, err := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker())\n\tif err != nil {\n\t\tt.Error(\"Error in CheckRule:\" + err.Error())\n\t}\n\tif status != \"FAILURE\" {\n\t\tt.Error(\"Expecting multiple rule to return FAILURE\")\n\t}\n\tif len(violations) != 1 {\n\t\tt.Error(\"Expecting multiple rule to have one violation\")\n\t}\n}\n\nfunc TestMultipleFiltersWithMultipleFailures(t *testing.T) {\n\trules := MustParseRules(ruleWithMultipleFilters, t)\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\"instance_type\": \"c3.medium\", \"ami\": \"ami-111111\"},\n\t\tFilename: \"test.tf\",\n\t}\n\tstatus, violations, err := CheckRule(rules.Rules[0], resource, mockExternalRuleInvoker())\n\tif err != nil {\n\t\tt.Error(\"Error in CheckRule:\" + err.Error())\n\t}\n\tif status != \"FAILURE\" {\n\t\tt.Error(\"Expecting multiple rule to return FAILURE\")\n\t}\n\tif len(violations) != 2 {\n\t\tt.Error(\"Expecting multiple rule to have two violations\")\n\t}\n}\n\nvar ruleWithValueFrom = `Rules:\n - id: FROM1\n message: Test value_from\n severity: FAILURE\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value_from:\n bucket: config-rules-for-lambda\n key: instance-types\n`\n\nfunc TestValueFrom(t *testing.T) {\n\trules := MustParseRules(ruleWithValueFrom, t)\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\"instance_type\": \"m3.medium\"},\n\t\tFilename: \"test.tf\",\n\t}\n\tresolved, violations := ResolveRules(rules.Rules, testValueSource())\n\tif len(violations) != 0 {\n\t\tt.Errorf(\"Expecting ResolveRules to return 0 violations: %v\", violations)\n\t}\n\tstatus, violations, err := CheckRule(resolved[0], resource, mockExternalRuleInvoker())\n\tif err != nil {\n\t\tt.Error(\"Error in CheckRule:\" + err.Error())\n\t}\n\tif status != \"OK\" {\n\t\tt.Error(\"Expecting value_from to match\")\n\t}\n\tif len(violations) != 0 {\n\t\tt.Error(\"Expecting value_from test to have 0 violations\")\n\t}\n}\n\nfunc TestResolveRuleError(t *testing.T) {\n\trules := MustParseRules(ruleWithValueFrom, t)\n\t_, violations := ResolveRules(rules.Rules, testValueSourceWithError())\n\tif len(violations) != 1 {\n\t\tt.Errorf(\"Expecting ResolveRules to return 1 violations: %v\", violations)\n\t} else {\n\t\truleID := violations[0].RuleID\n\t\tif ruleID != \"RULE_RESOLVE\" {\n\t\t\tt.Errorf(\"Expected RULE_RESOLVE violation, not %s\", ruleID)\n\t\t}\n\t}\n}\n\nvar ruleWithInvoke = `Rules:\n - id: FROM1\n message: Test value_from\n severity: FAILURE\n resource: aws_instance\n invoke:\n url: http://localhost\n`\n\nfunc TestInvokeRule(t *testing.T) {\n\trules := MustParseRules(ruleWithInvoke, t)\n\tresource := Resource{\n\t\tID: \"a_test_resource\",\n\t\tType: \"aws_instance\",\n\t\tProperties: map[string]interface{}{\"instance_type\": \"m3.medium\"},\n\t\tFilename: \"test.tf\",\n\t}\n\tresolved, _ := ResolveRules(rules.Rules, testValueSource())\n\tcounter := mockExternalRuleInvoker()\n\tCheckRule(resolved[0], resource, counter)\n\tif *counter != 1 {\n\t\tt.Error(\"Expecting external rule engine to be invoked\")\n\t}\n}\n"
},
{
"path": "assertion/search.go",
"content": "package assertion\n\nimport (\n\t\"github.com/jmespath/go-jmespath\"\n)\n\n// SearchData applies a JMESPath to a JSON object\nfunc SearchData(expression string, data interface{}) (interface{}, error) {\n\tif len(expression) == 0 {\n\t\treturn \"null\", nil\n\t}\n\n\treturn jmespath.Search(expression, data)\n}\n"
},
{
"path": "assertion/testdata/collection-assertions.yaml",
"content": "---\ndescription: Test collection assertions\ntest_cases:\n\n - name: every_OK\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - every:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Foo:\n - A\n - B\n - C\n Bar:\n - D\n - E\n result: OK\n\n - name: every_FAILURE\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - every:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Foo:\n - A\n - B\n - C\n Bar:\n - D\n - E\n Baz:\n - F\n result: FAILURE\n\n - name: every_multiple_assertions_FAILURE\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - every:\n key: locations\n expressions:\n - key: city\n op: present\n - key: state\n op: present\n resource:\n id: collection_id\n type: example\n properties:\n locations:\n - city: Seattle\n state: WA\n - city: San Francisco\n result: FAILURE\n\n - name: some_OK\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - some:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Foo:\n - A\n - B\n - C\n Baz:\n - D\n - E\n result: OK\n\n - name: some_FAILURE\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - some:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Baz:\n - A\n result: FAILURE\n\n - name: none_OK\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - none:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Baz:\n - A\n - B\n result: OK\n\n - name: none_with_multiple_assertions_OK\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - none:\n key: \"ipPermissions[]\"\n expressions:\n - key: \"fromPort\"\n op: eq\n value: 22\n value_type: integer\n - key: \"ipRanges[]\"\n op: contains\n value: 0.0.0.0/0\n resource:\n id: collection_id\n type: sample\n properties:\n ipPermissions:\n - fromPort: 80\n ipRanges:\n - 0.0.0.0/0\n result: OK\n\n - name: none_FAILURE\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - none:\n key: \"keys(@)\"\n expressions:\n - key: \"@\"\n op: in\n value: Foo,Bar\n resource:\n id: collection_id\n type: example\n properties:\n Foo:\n - A\n Bar:\n - B\n result: FAILURE\n\n - name: none_with_multiple_assertions_FAILURE\n rule:\n id: COLLECTION\n message: Invalid key\n severity: FAILURE\n resource: sample\n assertions:\n - none:\n key: \"ipPermissions[]\"\n expressions:\n - key: \"fromPort\"\n op: eq\n value: 22\n value_type: integer\n - key: \"ipRanges[]\"\n op: contains\n value: 0.0.0.0/0\n resource:\n id: collection_id\n type: sample\n properties:\n ipPermissions:\n - fromPort: 22\n ipRanges:\n - 0.0.0.0/0\n result: FAILURE\n\n - name: one_OK\n rule:\n id: COLLECTION\n message: Duplicate names\n severity: FAILURE\n resource: example\n assertions:\n - exactly-one:\n key: \"tags[]\"\n expressions:\n - key: name\n op: eq\n value: A\n resource:\n id: collection_id\n type: example\n properties:\n tags:\n - name: A\n - name: B\n result: OK\n\n - name: one_FAILURE\n rule:\n id: COLLECTION\n message: Duplicate names\n severity: FAILURE\n resource: example\n assertions:\n - exactly-one:\n key: \"tags[]\"\n expressions:\n - key: name\n op: eq\n value: B\n resource:\n id: collection_id\n type: example\n properties:\n tags:\n - name: A\n - name: B\n - name: B\n result: FAILURE\n\n"
},
{
"path": "assertion/testdata/conditions.yaml",
"content": "---\ndescription: Test conditions\ntest_cases:\n\n - name: conditions_false\n rule:\n id: CONDITIONS_1\n message: Missing properties\n severity: FAILURE\n resource: sample\n conditions:\n - key: example.name\n eq: first\n assertions:\n - key: example\n op: has-properties\n value: name,id\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n id: 1\n result: OK\n\n - name: conditions_ignore\n rule:\n id: PROPERTIES_2\n message: Ignore using condition\n severity: FAILURE\n resource: sample\n conditions:\n - key: example.name\n op: eq\n value: second\n assertions:\n - key: example\n op: has-properties\n value: name,id,description\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n id: 1\n result: OK\n\n - name: conditions_FAILURE\n rule:\n id: PROPERTIES_2\n message: Missing properties\n severity: FAILURE\n resource: sample\n conditions:\n - key: example.name\n op: eq\n value: first\n assertions:\n - key: example\n op: has-properties\n value: name,id,description\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n id: 1\n result: FAILURE\n"
},
{
"path": "assertion/testdata/default-severity.yaml",
"content": "---\ndescription: Test uses default severity\ntest_cases:\n\n - name: default-severity-FAILURE\n rule:\n id: PROPERTIES_1\n message: Missing properties\n resource: sample\n assertions:\n - key: example\n op: has-properties\n value: name,id\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n result: FAILURE\n"
},
{
"path": "assertion/testdata/has-properties.yaml",
"content": "---\ndescription: Test has-properties operator\ntest_cases:\n\n - name: has-properties_OK\n rule:\n id: PROPERTIES_1\n message: Missing properties\n severity: FAILURE\n resource: sample\n assertions:\n - key: example\n op: has-properties\n value: name,id\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n id: 1\n result: OK\n\n - name: has-properties_FAILURE\n rule:\n id: PROPERTIES_2\n message: Missing properties\n severity: FAILURE\n resource: sample\n assertions:\n - key: example\n op: has-properties\n value: name,id,description\n resource:\n id: p1\n type: sample\n properties:\n example:\n name: first\n id: 1\n result: FAILURE\n"
},
{
"path": "assertion/types.go",
"content": "package assertion\n\ntype (\n\n\t// Resource describes a resource to be linted\n\tResource struct {\n\t\tID string `cty:\"aws_instance\"`\n\t\tType string\n\t\tCategory string // default is \"resource\", can be \"data\", \"provider\" for Terraform\n\t\tProperties interface{}\n\t\tFilename string\n\t\tLineNumber int\n\t}\n\n\t// RuleSet describes a collection of rules for a Linter\n\tRuleSet struct {\n\t\tType string\n\t\tDescription string\n\t\tFiles []string\n\t\tRules []Rule\n\t\tVersion string\n\t\tResources []ResourceConfig\n\t\tColumns []ColumnConfig\n\t\tSource string\n\t}\n\n\t// Rule is part of a RuleSet\n\tRule struct {\n\t\tID string\n\t\tMessage string\n\t\tSeverity string\n\t\tResource string\n\t\tResources []string\n\t\tExceptResources []string `json:\"except_resources\"`\n\t\tCategory string // default is \"resource\", can be \"data\", \"provider\", \"module\" for Terraform\n\t\tConditions []Expression\n\t\tAssertions []Expression\n\t\tExcept []string\n\t\tTags []string\n\t\tInvoke InvokeRuleAPI\n\t}\n\n\t// Expression expression for a Rule\n\tExpression struct {\n\t\tKey string\n\t\tOp string\n\t\tValue string\n\t\tValueType string `json:\"value_type\"`\n\t\tValueFrom ValueFrom `json:\"value_from\"`\n\t\tOr []Expression\n\t\tXor []Expression\n\t\tAnd []Expression\n\t\tNot []Expression\n\t\tEvery CollectionExpression\n\t\tSome CollectionExpression\n\t\tNone CollectionExpression\n\t\tExactlyOne CollectionExpression `json:\"exactly-one\"`\n\t}\n\n\t// CollectionExpression assertion for every element of a collection\n\tCollectionExpression struct {\n\t\tKey string\n\t\tExpressions []Expression\n\t}\n\n\t// ValueFrom describes a external source for values\n\tValueFrom struct {\n\t\tURL string\n\t\tVariable string\n\t}\n\n\t// InvokeRuleAPI describes an external API for linting a resource\n\tInvokeRuleAPI struct {\n\t\tURL string\n\t\tPayload string\n\t}\n\n\t// ResourceConfig describes how to discover resouces in a YAML file\n\tResourceConfig struct {\n\t\tID string\n\t\tType string\n\t\tKey string\n\t}\n\n\t// ColumnConfig describes how to discover resources in a CSV file\n\tColumnConfig struct {\n\t\tName string\n\t}\n\n\t// ValidationReport summarizes validation for resources using rules\n\tValidationReport struct {\n\t\tFilesScanned []string\n\t\tViolations []Violation\n\t\tResourcesScanned []ScannedResource\n\t}\n\n\t// Violation has details for a failed assertion\n\tViolation struct {\n\t\tRuleID string\n\t\tResourceID string\n\t\tResourceType string\n\t\tCategory string\n\t\tStatus string\n\t\tRuleMessage string\n\t\tAssertionMessage string\n\t\tFilename string\n\t\tLineNumber int\n\t\tCreatedAt string\n\t}\n\n\t// ScannedResource has details for each resource scanned\n\tScannedResource struct {\n\t\tResourceID string\n\t\tResourceType string\n\t\tRuleID string\n\t\tStatus string\n\t\tFilename string\n\t\tLineNumber int\n\t}\n\n\t// ValueSource interface to fetch dynamic values\n\tValueSource interface {\n\t\tGetValue(Expression) (string, error)\n\t}\n\n\t// ExternalRuleInvoker defines an interface for invoking an external API\n\tExternalRuleInvoker interface {\n\t\tInvoke(Rule, Resource) (string, []Violation, error)\n\t}\n\n\t// MatchResult has a true/false result, but also includes a message for better reporting\n\tMatchResult struct {\n\t\tMatch bool\n\t\tMessage string\n\t}\n\n\t// Result returns a status, along with a message\n\tResult struct {\n\t\tStatus string\n\t\tMessage string\n\t}\n)\n"
},
{
"path": "assertion/util.go",
"content": "package assertion\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"path/filepath\"\n\t\"time\"\n)\n\nfunc unquoted(s string) string {\n\tif s[0] == '\"' {\n\t\treturn s[1 : len(s)-1]\n\t}\n\treturn s\n}\n\nfunc quoted(s string) string {\n\treturn fmt.Sprintf(\"\\\"%s\\\"\", s)\n}\n\nfunc isAbsent(s string) bool {\n\tif s == \"\" || s == \"null\" || s == \"[]\" {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc isPresent(s string) bool {\n\treturn !isAbsent(s)\n}\n\nfunc isEmpty(data interface{}) bool {\n\tswitch v := data.(type) {\n\tcase nil:\n\t\treturn true\n\tcase string:\n\t\treturn len(v) == 0\n\tcase []interface{}:\n\t\treturn len(v) == 0\n\tcase []map[string]interface{}:\n\t\treturn len(v) == 0\n\tdefault:\n\t\tDebugf(\"isEmpty default: %v %T\\n\", data, data)\n\t\treturn false\n\t}\n}\n\nfunc isArray(data interface{}) bool {\n\tswitch data.(type) {\n\tcase nil:\n\t\treturn false\n\tcase string:\n\t\treturn false\n\tcase []interface{}:\n\t\treturn true\n\tcase []map[string]interface{}:\n\t\treturn true\n\tdefault:\n\t\treturn false\n\t}\n}\n\nfunc listsIntersect(list1 []string, list2 []string) bool {\n\tfor _, a := range list1 {\n\t\tfor _, b := range list2 {\n\t\t\tif a == b {\n\t\t\t\treturn true\n\t\t\t}\n\t\t}\n\t}\n\treturn false\n}\n\nfunc jsonListsIntersect(s1 string, s2 string) bool {\n\tvar a1 []string\n\tvar a2 []string\n\terr := json.Unmarshal([]byte(s1), &a1)\n\tif err != nil {\n\t\treturn false\n\t}\n\terr = json.Unmarshal([]byte(s2), &a2)\n\tif err != nil {\n\t\treturn false\n\t}\n\treturn listsIntersect(a1, a2)\n}\n\n// ShouldIncludeFile return true if a filename matches one of a list of patterns\nfunc ShouldIncludeFile(patterns []string, filename string) (bool, error) {\n\tif filename == \"-\" { // always permit stdin\n\t\treturn true, nil\n\t}\n\tfor _, pattern := range patterns {\n\t\t_, file := filepath.Split(filename)\n\t\tmatched, err := filepath.Match(pattern, file)\n\t\tif err != nil {\n\t\t\treturn false, err\n\t\t}\n\t\tif matched {\n\t\t\treturn true, nil\n\t\t}\n\t}\n\treturn false, nil\n}\n\n// FilterResourcesByType filters a list of resources that match a single resource type\nfunc FilterResourcesByType(resources []Resource, resourceType string, resourceCategory string) []Resource {\n\tif resourceType == \"*\" {\n\t\treturn resources\n\t}\n\tfiltered := make([]Resource, 0)\n\tfor _, resource := range resources {\n\t\tif resource.Type == resourceType && categoryMatches(resourceCategory, resource.Category) {\n\t\t\tfiltered = append(filtered, resource)\n\t\t}\n\t}\n\treturn filtered\n}\n\n// FilterResourcesByTypes filters a list of resources that match a slice of resource types\nfunc FilterResourcesByTypes(resources []Resource, resourceTypes []string, resourceCategory string) []Resource {\n\tfiltered := make([]Resource, 0)\n\tfor _, resource := range resources {\n\t\tif SliceContains(resourceTypes, resource.Type) && categoryMatches(resourceCategory, resource.Category) {\n\t\t\tfiltered = append(filtered, resource)\n\t\t}\n\t}\n\treturn filtered\n}\n\nfunc categoryMatches(c1, c2 string) bool {\n\tif c1 == \"\" || c1 == \"*\" {\n\t\treturn true\n\t}\n\treturn c1 == c2\n}\n\n// JSONStringify converts a JSON object into an indented string suitable for printing\nfunc JSONStringify(data interface{}) (string, error) {\n\tb, err := json.MarshalIndent(data, \"\", \" \")\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn string(b), nil\n}\n\nfunc currentTime() string {\n\treturn time.Now().UTC().Format(time.RFC3339)\n}\n\nfunc SliceContains(list []string, value string) bool {\n\tfor _, item := range list {\n\t\tif item == value {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// Exclude resources\nfunc ExcludeResourceTypes(resources []Resource, resourceTypes []string, resourceCategory string) []Resource {\n\tfiltered := make([]Resource, 0)\n\tfor _, resource := range resources {\n\t\tif !SliceContains(resourceTypes, resource.Type) && categoryMatches(resourceCategory, resource.Category) {\n\t\t\tfiltered = append(filtered, resource)\n\t\t}\n\t}\n\treturn filtered\n}\n\n// FilterResourcesForRule returns resources applicable to the given rule\nfunc FilterResourcesForRule(resources []Resource, rule Rule) []Resource {\n\tif len(rule.Resources) > 0 {\n\t\tDebugf(\"filtering rule resources on Resources slice\")\n\t\treturn FilterResourcesByTypes(resources, rule.Resources, rule.Category)\n\t}\n\tif rule.Resource != \"\" && rule.Resource != \"*\" {\n\t\tDebugf(\"filtering rule resources on Resource string\")\n\t\treturn FilterResourcesByType(resources, rule.Resource, rule.Category)\n\t}\n\tif len(rule.ExceptResources) > 0 {\n\t\tDebugf(\"filtering rule resources on ExceptResources slice\")\n\t\treturn ExcludeResourceTypes(resources, rule.ExceptResources, rule.Category)\n\t}\n\t// default is to match all resources\n\treturn resources\n}\n"
},
{
"path": "assertion/util_test.go",
"content": "package assertion\n\nimport (\n\t\"strings\"\n\t\"testing\"\n)\n\nfunc TestUnquotedWithoutQuotes(t *testing.T) {\n\tif unquoted(\"Foo\") != \"Foo\" {\n\t\tt.Errorf(\"Unquoted for not quoted string fails\")\n\t}\n}\n\nfunc TestUnquotedWithQuotes(t *testing.T) {\n\tif unquoted(\"\\\"Foo\\\"\") != \"Foo\" {\n\t\tt.Errorf(\"Unquoted for quoted string fails\")\n\t}\n}\n\nfunc TestIsAbsentEmptyString(t *testing.T) {\n\tif isAbsent(\"\") != true {\n\t\tt.Errorf(\"isAbsent for empty string fails\")\n\t}\n}\n\nfunc TestIsAbsentEmptyArray(t *testing.T) {\n\tif isAbsent(\"[]\") != true {\n\t\tt.Errorf(\"isAbsent for empty array fails\")\n\t}\n}\n\nfunc TestIsAbsentNull(t *testing.T) {\n\tif isAbsent(\"null\") != true {\n\t\tt.Errorf(\"isAbsent for null fails\")\n\t}\n}\n\nfunc TestIsAbsentFalse(t *testing.T) {\n\tif isAbsent(\"something\") != false {\n\t\tt.Errorf(\"isAbsent for value fails\")\n\t}\n}\n\nfunc TestIntersectTrue(t *testing.T) {\n\ta := []string{\"foo\", \"bar\"}\n\tb := []string{\"bar\", \"baz\"}\n\tif listsIntersect(a, b) != true {\n\t\tt.Errorf(\"listsIntersect should return true fails\")\n\t}\n}\n\nfunc TestIntersectFalse(t *testing.T) {\n\ta := []string{\"foo\", \"bar\"}\n\tb := []string{\"baz\"}\n\tif listsIntersect(a, b) != false {\n\t\tt.Errorf(\"listsIntersect should return false fails\")\n\t}\n}\n\nfunc TestJSONListsIntersectTrue(t *testing.T) {\n\ts1 := \"[ \\\"foo\\\", \\\"bar\\\" ]\"\n\ts2 := \"[ \\\"baz\\\", \\\"bar\\\" ]\"\n\tif jsonListsIntersect(s1, s2) != true {\n\t\tt.Errorf(\"JSONIntersect should return true\")\n\t}\n}\n\nfunc TestShouldIncludeFile(t *testing.T) {\n\tpatterns := []string{\"*.tf\", \"*.yml\"}\n\tinclude, err := ShouldIncludeFile(patterns, \"instance.tf\")\n\tif err != nil {\n\t\tt.Errorf(\"ShouldIncludeFile generated an unexpected error: %v\", err)\n\t}\n\tif !include {\n\t\tt.Errorf(\"ShouldIncludeFile failed to include file with matching pattern\")\n\t}\n}\n\nfunc TestShouldNotIncludeFile(t *testing.T) {\n\tpatterns := []string{\"*.tf\", \"*.yml\"}\n\tinclude, err := ShouldIncludeFile(patterns, \"instance.config\")\n\tif err != nil {\n\t\tt.Errorf(\"ShouldIncludeFile generated an unexpected error: %v\", err)\n\t}\n\tif include {\n\t\tt.Errorf(\"ShouldIncludeFile failed to exclude file with no matching pattern\")\n\t}\n}\n\nfunc TestFilterShouldIncludeResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\"},\n\t\tResource{Type: \"volume\"},\n\t}\n\tfiltered := FilterResourcesByType(resources, \"instance\", \"*\")\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"FilterResourcesByType expected to match one resource\")\n\t}\n}\n\nfunc TestFilterShouldExcludeResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\"},\n\t\tResource{Type: \"volume\"},\n\t}\n\tfiltered := FilterResourcesByType(resources, \"database\", \"*\")\n\tif len(filtered) != 0 {\n\t\tt.Errorf(\"FilterResourcesByType expected to match no resources\")\n\t}\n}\n\nfunc TestFilterShouldIncludeAllResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\"},\n\t\tResource{Type: \"volume\"},\n\t}\n\tfiltered := FilterResourcesByType(resources, \"*\", \"*\")\n\tif len(filtered) != len(resources) {\n\t\tt.Errorf(\"FilterResourcesByType expected to include all resources\")\n\t}\n}\n\nfunc TestFilterShouldMatchCategoryForResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"template_file\", Category: \"data\"},\n\t}\n\tfiltered := FilterResourcesByType(resources, \"template_file\", \"data\")\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"FilterResourcesByType expected to match one resource\")\n\t}\n}\n\nfunc TestSliceContainsTrue(t *testing.T) {\n\ttest := []string{\"x\", \"y\", \"z\"}\n\tisPresent := SliceContains(test, \"x\")\n\tif isPresent != true {\n\t\tt.Errorf(\"SliceContains expected to return true when a value is present\")\n\t}\n}\n\nfunc TestSliceContainsFalse(t *testing.T) {\n\ttest := []string{\"x\", \"y\", \"z\"}\n\tisPresent := SliceContains(test, \"a\")\n\tif isPresent != false {\n\t\tt.Errorf(\"SliceContains expected to return false when a value is not present\")\n\t}\n}\n\nfunc TestFilterPluralShouldMatchMultipleResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\tfiltered := FilterResourcesByTypes(resources, []string{\"instance\", \"bucket\"}, \"resource\")\n\tif len(filtered) != 2 {\n\t\tt.Errorf(\"FilterResourcesByTypes expected to match multiple types\")\n\t}\n}\n\nfunc TestFilterPluralShouldNotHaveUnlistedResources(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\tresourceTypes := []string{\"instance\"}\n\tfiltered := FilterResourcesByTypes(resources, resourceTypes, \"resource\")\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"FilterResourcesByTypes expected to match only %s\", strings.Join(resourceTypes, \", \"))\n\t}\n}\n\nfunc TestFilterResourcesForRuleSlice(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\trule := Rule{\n\t\tResources: []string{\n\t\t\t\"instance\",\n\t\t\t\"bucket\",\n\t\t},\n\t}\n\tfiltered := FilterResourcesForRule(resources, rule)\n\tif len(filtered) != 2 {\n\t\tt.Errorf(\"FilterResourcesForRule expected to return both resource types\")\n\t}\n}\n\nfunc TestFilterResourcesForRuleString(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\trule := Rule{\n\t\tResource: \"instance\",\n\t}\n\tfiltered := FilterResourcesForRule(resources, rule)\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"FilterResourcesForRule only expected to return one type\")\n\t}\n}\n\nfunc TestFilterResourcesForWildcard(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\trule := Rule{\n\t\tResource: \"*\",\n\t}\n\tfiltered := FilterResourcesForRule(resources, rule)\n\tif len(filtered) != 2 {\n\t\tt.Errorf(\"FilterResourcesForRule expected all resources to match\")\n\t}\n}\n\nfunc TestFilterResourcesForDefault(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\trule := Rule{}\n\tfiltered := FilterResourcesForRule(resources, rule)\n\tif len(filtered) != 2 {\n\t\tt.Errorf(\"FilterResourcesForRule expected all resources to match\")\n\t}\n}\n\nfunc TestFilterExcludeResourcesForRuleString(t *testing.T) {\n\tresources := []Resource{\n\t\tResource{Type: \"instance\", Category: \"resource\"},\n\t\tResource{Type: \"bucket\", Category: \"resource\"},\n\t}\n\trule := Rule{\n\t\tExceptResources: []string{\n\t\t\t\"instance\",\n\t\t\t\"security_group\",\n\t\t},\n\t}\n\tfiltered := FilterResourcesForRule(resources, rule)\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"FilterResourcesForRule expected to return one type\")\n\t}\n\tif len(filtered) > 0 && filtered[0].Type != \"bucket\" {\n\t\tt.Errorf(\"FilterResourcesForRule expected to return bucket\")\n\t}\n}\n"
},
{
"path": "assertion/value.go",
"content": "package assertion\n\nimport (\n\t\"bytes\"\n\t\"errors\"\n\t\"fmt\"\n\t\"github.com/aws/aws-sdk-go/aws\"\n\t\"github.com/aws/aws-sdk-go/aws/session\"\n\t\"github.com/aws/aws-sdk-go/service/s3\"\n\t\"io/ioutil\"\n\t\"net/http\"\n\t\"net/url\"\n\t\"strings\"\n)\n\n// StandardValueSource can fetch values from external sources\ntype StandardValueSource struct {\n\tVariables map[string]string\n}\n\n// GetValue looks up external values when an Expression includes a ValueFrom attribute\nfunc (v StandardValueSource) GetValue(expression Expression) (string, error) {\n\tif expression.ValueFrom.URL != \"\" {\n\t\tDebugf(\"Getting value_from %s\\n\", expression.ValueFrom.URL)\n\t\tparsedURL, err := url.Parse(expression.ValueFrom.URL)\n\t\tif err != nil {\n\t\t\treturn \"\", err\n\t\t}\n\t\tswitch strings.ToLower(parsedURL.Scheme) {\n\t\tcase \"s3\":\n\t\t\treturn v.GetValueFromS3(parsedURL.Host, parsedURL.Path)\n\t\tcase \"http\":\n\t\t\treturn v.GetValueFromHTTP(expression.ValueFrom.URL)\n\t\tcase \"https\":\n\t\t\treturn v.GetValueFromHTTP(expression.ValueFrom.URL)\n\t\tdefault:\n\t\t\treturn \"\", fmt.Errorf(\"Unsupported protocol for value_from: %s\", parsedURL.Scheme)\n\t\t}\n\t}\n\tif expression.ValueFrom.Variable != \"\" {\n\t\tif value, ok := v.Variables[expression.ValueFrom.Variable]; ok {\n\t\t\tDebugf(\"Getting value_from variable %s: %s\\n\", expression.ValueFrom.Variable, value)\n\t\t\treturn value, nil\n\t\t}\n\t\tDebugf(\"Getting value_from variable %s not found\\n\", expression.ValueFrom.Variable)\n\t\treturn expression.ValueFrom.Variable, nil // or should this throw an error?\n\t}\n\treturn expression.Value, nil\n}\n\n// GetValueFromS3 looks up external values for an Expression when the S3 protocol is specified\nfunc (v StandardValueSource) GetValueFromS3(bucket string, key string) (string, error) {\n\tregion, err := getBucketRegion(bucket)\n\tif err != nil {\n\t\tmessage := fmt.Sprintf(\"Cannot get region for bucket %s: %s\", bucket, err.Error())\n\t\treturn \"\", errors.New(message)\n\t}\n\n\tconfig := &aws.Config{Region: aws.String(region)}\n\tawsSession := session.New()\n\ts3Client := s3.New(awsSession, config)\n\tresponse, err := s3Client.GetObject(&s3.GetObjectInput{\n\t\tBucket: aws.String(bucket),\n\t\tKey: aws.String(key),\n\t})\n\tif err != nil {\n\t\tmessage := fmt.Sprintf(\"Cannot read bucket %s key %s: %s\", bucket, key, err.Error())\n\t\treturn \"\", errors.New(message)\n\t}\n\tbuf := new(bytes.Buffer)\n\tbuf.ReadFrom(response.Body)\n\tvalue := strings.TrimSpace(buf.String())\n\tDebugf(\"Value from bucket %s key %s in region %s: %s\\n\", bucket, key, region, value)\n\treturn value, nil\n}\n\nfunc getBucketRegion(bucket string) (string, error) {\n\tawsSession := session.New()\n\ts3Client := s3.New(awsSession)\n\tlocation, err := s3Client.GetBucketLocation(&s3.GetBucketLocationInput{\n\t\tBucket: aws.String(bucket),\n\t})\n\tif err != nil {\n\t\treturn \"us-east-1\", err\n\t}\n\tif location.LocationConstraint == nil {\n\t\t// default region is us-east-1\n\t\treturn \"us-east-1\", nil\n\t}\n\treturn *location.LocationConstraint, nil\n}\n\n// GetValueFromHTTP looks up external value for an Expression when the HTTP protocol is specified\nfunc (v StandardValueSource) GetValueFromHTTP(url string) (string, error) {\n\thttpResponse, err := http.Get(url)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\tif httpResponse.StatusCode != 200 {\n\t\treturn \"\", err\n\t}\n\tdefer httpResponse.Body.Close()\n\tbody, err := ioutil.ReadAll(httpResponse.Body)\n\tif err != nil {\n\t\treturn \"\", err\n\t}\n\treturn strings.TrimSpace(string(body)), nil\n}\n"
},
{
"path": "assertion/value_test.go",
"content": "package assertion\n\nimport (\n\t\"fmt\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"net/http\"\n\t\"net/http/httptest\"\n\t\"testing\"\n)\n\nfunc TestCommandLineVariable(t *testing.T) {\n\ts := StandardValueSource{\n\t\tVariables: map[string]string{\"foo\": \"bar\"},\n\t}\n\te := Expression{\n\t\tValueFrom: ValueFrom{Variable: \"foo\"},\n\t}\n\tv, err := s.GetValue(e)\n\tif err != nil {\n\t\tt.Errorf(\"Expected GetValue to return without error: %v\\n\", err.Error())\n\t}\n\tif v != \"bar\" {\n\t\tt.Errorf(\"Expected GetValue to find variable 'foo' with value 'bar', not '%s'\\n\", v)\n\t}\n}\n\nfunc TestValueFromHttp(t *testing.T) {\n\tcidrBlock := \"0.0.0.0/0\"\n\tts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n\t\tfmt.Fprintln(w, cidrBlock)\n\t}))\n\tdefer ts.Close()\n\ts := StandardValueSource{}\n\te := Expression{\n\t\tValueFrom: ValueFrom{URL: ts.URL},\n\t}\n\tv, err := s.GetValue(e)\n\tassert.Nil(t, err, \"Expecting GetValue to not return an error\")\n\tassert.Equal(t, cidrBlock, v, \"Expecting CIDR value to be returned\")\n}\n"
},
{
"path": "cli/app.go",
"content": "package main\n\n//go:generate packr -v\n\nimport (\n\t\"encoding/json\"\n\t\"errors\"\n\t\"fmt\"\n\t\"io\"\n\t\"io/ioutil\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strings\"\n\n\t\"github.com/ghodss/yaml\"\n\t\"github.com/gobuffalo/packr\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stelligent/config-lint/linter\"\n)\n\nvar version string\n\ntype (\n\t// LinterOptions for applying rules\n\tLinterOptions struct {\n\t\tTags []string\n\t\tRuleIDs []string\n\t\tIgnoreRuleIDs []string\n\t\tQueryExpression string\n\t\tSearchExpression string\n\t\tExcludePatterns []string\n\t\tVariables map[string]string\n\t\tTerraformParser string\n\t}\n\n\t// ProfileOptions for default options from a project file\n\tProfileOptions struct {\n\t\tRules []string\n\t\tIDs []string\n\t\tIgnoreIDs []string `json:\"ignore_ids\"`\n\t\tTags []string\n\t\tQuery string\n\t\tFiles []string\n\t\tTerraform bool\n\t\tExceptions []RuleException\n\t\tVariables map[string]string\n\t\tExcludePatterns []string `json:\"exclude\"`\n\t\tExcludeFromFilenames []string `json:\"exclude_from\"`\n\t}\n\n\t// RuleException optional list allowing a project to ignore specific rules for specific resources\n\tRuleException struct {\n\t\tRuleID string\n\t\tResourceCategory string\n\t\tResourceType string\n\t\tResourceID string\n\t\tComments string\n\t}\n\n\t// CommandLineOptions for collecting options from the command line\n\tCommandLineOptions struct {\n\t\tRulesFilenames arrayFlags\n\t\tExcludePatterns arrayFlags\n\t\tExcludeFromFilenames arrayFlags\n\t\tVariables arrayFlags\n\t\tTerraformParser *string\n\t\tProfileFilename *string\n\t\tTerraformBuiltInRules *bool\n\t\tTags *string\n\t\tIds *string\n\t\tIgnoreIds *string\n\t\tQueryExpression *string\n\t\tVerboseReport *bool\n\t\tSearchExpression *string\n\t\tValidate *bool\n\t\tVersion *bool\n\t\tDebug *bool\n\t\tArgs []string\n\t}\n\n\t// ReportWriter formats and displays a ValidationReport\n\tReportWriter interface {\n\t\tWriteReport(assertion.ValidationReport, LinterOptions)\n\t}\n\n\t// DefaultReportWriter writes the report to Stdout\n\tDefaultReportWriter struct {\n\t\tWriter io.Writer\n\t}\n)\n\nfunc main() {\n\n\tcommandLineOptions := getCommandLineOptions()\n\n\tif *commandLineOptions.Version == true {\n\t\tfmt.Println(version)\n\t\treturn\n\t}\n\n\tif *commandLineOptions.Debug == true {\n\t\tassertion.SetDebug(true)\n\t}\n\n\tif *commandLineOptions.Validate {\n\t\texitCode, err := validateRules(commandLineOptions.Args, DefaultReportWriter{Writer: os.Stdout})\n\t\tif err != nil {\n\t\t\tfmt.Println(err.Error())\n\t\t}\n\t\tos.Exit(exitCode)\n\t}\n\n\tprofileOptions, err := loadProfile(*commandLineOptions.ProfileFilename)\n\tif err != nil {\n\t\tfmt.Printf(\"Error loading profile: %v\\n\", err)\n\t\tos.Exit(-1)\n\t}\n\n\trulesFilenames := loadFilenames(commandLineOptions.RulesFilenames, profileOptions.Rules)\n\tconfigFilenames := defaultToCurrentDirectory(loadFilenames(commandLineOptions.Args, profileOptions.Files))\n\tuseTerraformBuiltInRules := *commandLineOptions.TerraformBuiltInRules || profileOptions.Terraform\n\n\tif err != nil {\n\t\tfmt.Printf(\"Unable to load exclude patterns: %s\\n\", err)\n\t\tos.Exit(-1)\n\t}\n\n\tlinterOptions, err := getLinterOptions(commandLineOptions, profileOptions)\n\tif err != nil {\n\t\tfmt.Printf(\"Failed to parse options: %v\\n\", err)\n\t\tos.Exit(-1)\n\t}\n\n\truleSets, err := loadRuleSets(rulesFilenames)\n\tif err != nil {\n\t\tfmt.Printf(\"Failed to load rules: %v\\n\", err)\n\t\tos.Exit(-1)\n\t}\n\t// Same rule set applies to both TerraformBuiltInRules and Terraform11BuiltInRules\n\t// loadBuiltInRuleSet can be called recursively against a directory, as done here,\n\t// or can be called against a single file, as done with lint-rule.yml\n\tif useTerraformBuiltInRules {\n\t\tbuiltInRuleSet, err := loadBuiltInRuleSet(\"terraform/\")\n\t\tif err != nil {\n\t\t\tfmt.Printf(\"Failed to load built-in rules for Terraform: %v\\n\", err)\n\t\t\tos.Exit(-1)\n\t\t}\n\t\truleSets = append(ruleSets, builtInRuleSet)\n\t}\n\tif len(ruleSets) == 0 {\n\t\tfmt.Println(\"No rules\")\n\t\tos.Exit(-1)\n\t}\n\n\truleSets = addExceptions(ruleSets, profileOptions.Exceptions)\n\n\tos.Exit(applyRules(ruleSets, configFilenames, linterOptions, DefaultReportWriter{Writer: os.Stdout}))\n}\n\nfunc addExceptions(ruleSets []assertion.RuleSet, exceptions []RuleException) []assertion.RuleSet {\n\tsets := []assertion.RuleSet{}\n\tfor _, ruleSet := range ruleSets {\n\t\tsets = append(sets, addExceptionsToRuleSet(ruleSet, exceptions))\n\t}\n\treturn sets\n}\n\nfunc addExceptionsToRuleSet(ruleSet assertion.RuleSet, exceptions []RuleException) assertion.RuleSet {\n\trules := []assertion.Rule{}\n\tfor _, rule := range ruleSet.Rules {\n\t\tfor _, e := range exceptions {\n\t\t\tif rule.ID == e.RuleID && resourceMatch(rule, e) && categoryMatch(rule, e) {\n\t\t\t\trule.Except = append(rule.Except, e.ResourceID)\n\t\t\t}\n\t\t}\n\t\trules = append(rules, rule)\n\t}\n\truleSet.Rules = rules\n\treturn ruleSet\n}\n\nfunc resourceMatch(rule assertion.Rule, exception RuleException) bool {\n\tif assertion.SliceContains(rule.Resources, exception.ResourceType) || rule.Resource == exception.ResourceType {\n\t\treturn true\n\t}\n\treturn false\n}\n\nfunc categoryMatch(rule assertion.Rule, exception RuleException) bool {\n\treturn rule.Category == exception.ResourceCategory || exception.ResourceCategory == \"resources\" || rule.Category == \"\"\n}\n\nfunc validateRules(filenames []string, w ReportWriter) (int, error) {\n\tbuiltInRuleSet, err := loadBuiltInRuleSet(\"lint-rules.yml\")\n\tif err != nil {\n\t\treturn -1, err\n\t}\n\truleSets := []assertion.RuleSet{builtInRuleSet}\n\tlinterOptions := LinterOptions{\n\t\tQueryExpression: \"Violations[]\",\n\t}\n\treturn applyRules(ruleSets, filenames, linterOptions, w), nil\n}\n\nfunc loadRuleSets(args arrayFlags) ([]assertion.RuleSet, error) {\n\trulesFilenames := yamlFilesOnly(getFilenames(args))\n\truleSets := []assertion.RuleSet{}\n\tfor _, rulesFilename := range rulesFilenames {\n\t\trulesContent, err := ioutil.ReadFile(rulesFilename)\n\t\tif err != nil {\n\t\t\treturn ruleSets, err\n\t\t}\n\t\truleSet, err := assertion.ParseRules(string(rulesContent))\n\t\tif err != nil {\n\t\t\treturn ruleSets, err\n\t\t}\n\t\truleSet.Source = rulesFilename\n\t\truleSets = append(ruleSets, ruleSet)\n\t}\n\treturn ruleSets, nil\n}\n\nfunc isYamlFile(filename string) bool {\n\tconfigPatterns := []string{\"*yml\", \"*.yaml\"}\n\tmatch, _ := assertion.ShouldIncludeFile(configPatterns, filename)\n\treturn match\n\n}\n\nfunc yamlFilesOnly(filenames []string) []string {\n\tconfigFiles := []string{}\n\tfor _, filename := range filenames {\n\t\tmatch := isYamlFile(filename)\n\t\tif match {\n\t\t\tconfigFiles = append(configFiles, filename)\n\t\t}\n\t}\n\treturn configFiles\n}\n\n// Takes a name of a rule YAML file or a directory containing YAML rules\n// Returns a RuleSet of all rules in that file or directory\nfunc loadBuiltInRuleSet(filename string) (assertion.RuleSet, error) {\n\truleSet := assertion.RuleSet{}\n\tbox := packr.NewBox(\"./assets\")\n\tassertion.Debugf(\"Looking for file %v in Box: %v\\n\", filename, box)\n\n\tvar err error\n\tif isYamlFile(filename) && box.Has(filename) {\n\t\truleSet, err = addRuleSet(ruleSet, box, filename)\n\t\tif err != nil {\n\t\t\tassertion.Debugf(\"Failed to add RuleSet: %v\\n\", err)\n\t\t\treturn assertion.RuleSet{}, err // returns empty rule set\n\t\t}\n\t} else if strings.HasSuffix(filename, \"/\") {\n\t\tfilesInBox := box.List()\n\t\tif len(filesInBox) > 0 {\n\t\t\t// Get each file in that box\n\t\t\tfor _, fileInBox := range filesInBox {\n\t\t\t\t// Check if file is YAML and starts with the folder name\n\t\t\t\tassertion.Debugf(\"Box File: %v\\n\", fileInBox)\n\t\t\t\tif isYamlFile(fileInBox) && strings.HasPrefix(fileInBox, filename) {\n\t\t\t\t\tassertion.Debugf(\"Adding rule set: %v\\n\", fileInBox)\n\t\t\t\t\truleSet, err = addRuleSet(ruleSet, box, fileInBox)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tassertion.Debugf(\"Failed to add RuleSet: %v\\n\", err)\n\t\t\t\t\t\treturn assertion.RuleSet{}, err // returns empty rule set\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t} else {\n\t\treturn assertion.RuleSet{}, errors.New(\"File or directory doesnt exist\")\n\t}\n\n\treturn ruleSet, nil\n}\n\nfunc addRuleSet(ruleSet assertion.RuleSet, box packr.Box, filename string) (assertion.RuleSet, error) {\n\t// Get RuleSet from file\n\tnewRuleSet, err := getRuleSet(box, filename)\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to get RuleSet: %v\\n\", err)\n\t\treturn assertion.RuleSet{}, err // returns empty rule set\n\t}\n\n\t// Join with existing rule sets\n\truleSet, err = assertion.JoinRuleSets(ruleSet, newRuleSet)\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to join RuleSets: %v\\n\", err)\n\t\treturn assertion.RuleSet{}, err // returns empty rule set\n\t}\n\n\treturn ruleSet, nil\n}\n\n// Given a packr box and rule file in that box,\n// build and return a RuleSet\nfunc getRuleSet(box packr.Box, name string) (assertion.RuleSet, error) {\n\trulesContent, err := box.FindString(name)\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to find filename string in box: %v\\n\", err)\n\t\treturn assertion.RuleSet{}, err\n\t}\n\truleSet, err := assertion.ParseRules(string(rulesContent))\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to parse rules from file: %v\\n\", err)\n\t\treturn assertion.RuleSet{}, err\n\t}\n\treturn ruleSet, nil\n}\n\nfunc applyRules(ruleSets []assertion.RuleSet, args arrayFlags, options LinterOptions, w ReportWriter) int {\n\n\treport := assertion.ValidationReport{\n\t\tViolations: []assertion.Violation{},\n\t\tFilesScanned: []string{},\n\t\tResourcesScanned: []assertion.ScannedResource{},\n\t}\n\n\ttfParser := options.TerraformParser\n\tfilenames := excludeFilenames(getFilenames(args), options.ExcludePatterns)\n\tvs := assertion.StandardValueSource{Variables: options.Variables}\n\n\tfor _, ruleSet := range ruleSets {\n\t\tl, err := linter.NewLinter(ruleSet, vs, filenames, tfParser)\n\t\tif err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn -1\n\t\t}\n\t\tif l != nil {\n\t\t\tif options.SearchExpression != \"\" {\n\t\t\t\tl.Search(ruleSet, options.SearchExpression, os.Stdout)\n\t\t\t} else {\n\t\t\t\toptions := linter.Options{\n\t\t\t\t\tTags: options.Tags,\n\t\t\t\t\tRuleIDs: options.RuleIDs,\n\t\t\t\t\tIgnoreRuleIDs: options.IgnoreRuleIDs,\n\t\t\t\t}\n\t\t\t\tr, err := l.Validate(ruleSet, options)\n\t\t\t\tif err != nil {\n\t\t\t\t\tfmt.Println(\"Validate failed:\", err)\n\t\t\t\t}\n\t\t\t\treport = linter.CombineValidationReports(report, r)\n\t\t\t}\n\t\t}\n\t}\n\tw.WriteReport(report, options)\n\treturn generateExitCode(report)\n}\n\nfunc printReport(w io.Writer, report assertion.ValidationReport, queryExpression string) error {\n\tjsonData, err := json.MarshalIndent(report, \"\", \" \")\n\tif err != nil {\n\t\treturn err\n\t}\n\tif queryExpression != \"\" {\n\t\tvar data interface{}\n\t\terr = yaml.Unmarshal(jsonData, &data)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\tv, err := assertion.SearchData(queryExpression, data)\n\t\tif err != nil {\n\t\t\treturn err\n\t\t}\n\t\ts, err := assertion.JSONStringify(v)\n\t\tif err == nil && s != \"null\" {\n\t\t\tfmt.Fprintln(w, s)\n\t\t}\n\t} else {\n\t\tfmt.Fprintln(w, string(jsonData))\n\t}\n\treturn nil\n}\n\ntype arrayFlags []string\n\nfunc (i *arrayFlags) String() string {\n\tif i != nil {\n\t\treturn strings.Join(*i, \",\")\n\t}\n\treturn \"\"\n}\n\nfunc (i *arrayFlags) Set(value string) error {\n\t*i = append(*i, value)\n\treturn nil\n}\n\nfunc generateExitCode(report assertion.ValidationReport) int {\n\tfor _, v := range report.Violations {\n\t\tif v.Status == \"FAILURE\" {\n\t\t\treturn -1\n\t\t}\n\t}\n\treturn 0\n}\n\nfunc loadFilenames(commandLineFilenames []string, profileFilenames []string) []string {\n\tif len(commandLineFilenames) > 0 {\n\t\treturn commandLineFilenames\n\t}\n\tif len(profileFilenames) > 0 {\n\t\treturn profileFilenames\n\t}\n\treturn []string{}\n}\n\nfunc defaultToCurrentDirectory(filenames []string) []string {\n\tif len(filenames) == 0 {\n\t\treturn []string{\".\"}\n\t}\n\treturn filenames\n}\n\nfunc excludeFilenames(filenames []string, excludePatterns []string) []string {\n\tassertion.Debugf(\"Exclude patterns: %v\\n\", excludePatterns)\n\tfilteredFilenames := []string{}\n\tfor _, filename := range filenames {\n\t\tif !excludeFilename(filename, excludePatterns) {\n\t\t\tfilteredFilenames = append(filteredFilenames, filename)\n\t\t}\n\t}\n\treturn filteredFilenames\n}\n\nfunc excludeFilename(filename string, excludePatterns []string) bool {\n\tfor _, pattern := range excludePatterns {\n\t\tmatch, _ := filepath.Match(pattern, filename)\n\t\tif match {\n\t\t\tassertion.Debugf(\"Excluding file: %s using pattern: %s\\n\", filename, pattern)\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\nfunc getFilenames(args []string) []string {\n\tfilenames := []string{}\n\tfor _, arg := range args {\n\t\tif arg == \"-\" {\n\t\t\tfilenames = append(filenames, arg)\n\t\t\tcontinue\n\t\t}\n\t\tfi, err := os.Stat(arg)\n\t\tif err != nil {\n\t\t\t// append as is, error reported later when file cannot be opened\n\t\t\tfilenames = append(filenames, arg)\n\t\t\tcontinue\n\t\t}\n\t\tmode := fi.Mode()\n\t\tif mode.IsDir() {\n\t\t\tfilenames = append(filenames, getFilesInDirectory(arg)...)\n\t\t} else {\n\t\t\tfilenames = append(filenames, arg)\n\t\t}\n\t}\n\treturn filenames\n}\n\nfunc getFilesInDirectory(root string) []string {\n\tdirectoryFiles := []string{}\n\terr := filepath.Walk(root, func(path string, info os.FileInfo, err error) error {\n\t\tif err != nil {\n\t\t\tfmt.Printf(\"Error processing %s: %s\\n\", path, err)\n\t\t\treturn err\n\t\t}\n\t\tif !info.IsDir() {\n\t\t\tdirectoryFiles = append(directoryFiles, path)\n\t\t}\n\t\treturn nil\n\t})\n\tif err != nil {\n\t\tfmt.Printf(\"Error walking directory %s: %s\\n\", root, err)\n\t}\n\treturn directoryFiles\n}\n"
},
{
"path": "cli/app_test.go",
"content": "package main\n\nimport (\n\t\"bytes\"\n\t\"testing\"\n\n\t\"github.com/gobuffalo/packr\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stelligent/config-lint/linter\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestLoadTerraformRules(t *testing.T) {\n\t_, err := loadBuiltInRuleSet(\"terraform/\")\n\tif err != nil {\n\t\tt.Errorf(\"Cannot load built-in Terraform rules\")\n\t}\n}\n\nfunc TestLoadValidateRules(t *testing.T) {\n\t_, err := loadBuiltInRuleSet(\"lint-rules.yml\")\n\tif err != nil {\n\t\tt.Errorf(\"Cannot load built-in rules for -validate option\")\n\t}\n}\n\nfunc TestExcludeAll(t *testing.T) {\n\tfilenames := []string{\"file1.tf\", \"file2.tf\", \"file3.tf\"}\n\tpatterns := []string{\"*.tf\"}\n\tfiltered := excludeFilenames(filenames, patterns)\n\tif len(filtered) != 0 {\n\t\tt.Errorf(\"Expecting all files to be excluded, but files are %v\", filtered)\n\t}\n}\n\nfunc TestExcludeSubdirectory(t *testing.T) {\n\tfilenames := []string{\"file1.tf\", \"foo/bar/secrets/database.yml\"}\n\tpatterns := []string{\"foo/bar/secrets/*\"}\n\tfiltered := excludeFilenames(filenames, patterns)\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"Expecting secrets subdirectory to be excluded, but files are %v\", filtered)\n\t}\n}\n\nfunc TestExcludeOnePattern(t *testing.T) {\n\tfilenames := []string{\"file1.tf\", \"file2.tf\", \"file3.tf\"}\n\tpatterns := []string{\"*1.tf\"}\n\tfiltered := excludeFilenames(filenames, patterns)\n\tif len(filtered) != 2 {\n\t\tt.Errorf(\"Expecting one file to be excluded, but files are %v\", filtered)\n\t}\n}\n\nfunc TestExcludeMultiplePattern(t *testing.T) {\n\tfilenames := []string{\"file1.tf\", \"file2.tf\", \"file3.tf\"}\n\tpatterns := []string{\"*1.tf\", \"*2.tf\"}\n\tfiltered := excludeFilenames(filenames, patterns)\n\tif len(filtered) != 1 {\n\t\tt.Errorf(\"Expecting two files to be excluded, but files are %v\", filtered)\n\t}\n}\n\nfunc TestExcludeFrom(t *testing.T) {\n\texcludeFromFilenames := []string{\"./testdata/exclude-list\"}\n\tpatterns, err := loadExcludePatterns([]string{}, excludeFromFilenames)\n\tif err != nil {\n\t\tt.Errorf(\"Expecting loadExcludePatterns returned error: %s\", err.Error())\n\t}\n\tif len(patterns) != 2 {\n\t\tt.Errorf(\"Expecting to load 2 patterns from excludeFromFilenames, not %v\", patterns)\n\t}\n\tif patterns[0] != \"*1.tf\" {\n\t\tt.Errorf(\"Expecting first pattern from file to be '*1.tf', not '%s'\", patterns[0])\n\t}\n\tif patterns[1] != \"*2.tf\" {\n\t\tt.Errorf(\"Expecting second pattern from file to be '*2.tf', not '%s'\", patterns[1])\n\t}\n}\n\nfunc TestProfileExceptions(t *testing.T) {\n\tfilenames := []string{\"./testdata/terraform.yml\"}\n\truleSets, err := loadRuleSets(filenames)\n\tif err != nil {\n\t\tt.Errorf(\"Expecting loadRuleSets to not return error: %s\", err.Error())\n\t}\n\tprofileExceptions := []RuleException{\n\t\t{\n\t\t\tRuleID: \"RULE_1\",\n\t\t\tResourceCategory: \"resource\",\n\t\t\tResourceType: \"aws_instance\",\n\t\t\tComments: \"Testing\",\n\t\t\tResourceID: \"my-special-resource\",\n\t\t},\n\t}\n\truleSets = addExceptions(ruleSets, profileExceptions)\n\truleExceptions := ruleSets[0].Rules[0].Except\n\tif len(ruleExceptions) != 1 {\n\t\tt.Errorf(\"Expecting Rule.Except to have one ID: %v\", ruleExceptions)\n\t\treturn\n\t}\n\tid := ruleExceptions[0]\n\tif id != \"my-special-resource\" {\n\t\tt.Errorf(\"Unexpected ResourceID found in Except: %s\", id)\n\t}\n}\n\nfunc TestBuiltRules(t *testing.T) {\n\truleSet, err := loadBuiltInRuleSet(\"lint-rules.yml\")\n\tif err != nil {\n\t\tt.Errorf(\"Expecting loadBuiltInRuleSet to not return error: %s\", err.Error())\n\t}\n\tvs := assertion.StandardValueSource{}\n\n\t// Get all rule files from the assets box\n\tbox := packr.NewBox(\"./assets\")\n\tallFilenames := box.List()\n\tvar filenames []string\n\tfor _, filename := range allFilenames {\n\t\tif isYamlFile(filename) && !isTestCase(filename) {\n\t\t\tfilenames = append(filenames, \"assets/\"+filename)\n\t\t}\n\t}\n\tl, err := linter.NewLinter(ruleSet, vs, filenames, \"\")\n\tif err != nil {\n\t\tt.Errorf(\"Expecting NewLinter to not return error: %s\", err.Error())\n\t}\n\toptions := linter.Options{}\n\treport, err := l.Validate(ruleSet, options)\n\tif err != nil {\n\t\tt.Errorf(\"Expecting Validate to not return error: %s\", err.Error())\n\t}\n\tif len(report.Violations) != 0 {\n\t\tt.Errorf(\"Expecting Validate for built in rules to not report any violations: %v\", report.Violations)\n\t}\n}\n\nfunc TestPrintReport(t *testing.T) {\n\tr := assertion.ValidationReport{}\n\tvar b bytes.Buffer\n\terr := printReport(&b, r, \"\")\n\tassert.Nil(t, err, \"Expecting printReport to run without error\")\n\tassert.Contains(t, b.String(), \"FilesScanned\\\": null\")\n\tassert.Contains(t, b.String(), \"ResourcesScanned\\\": null\")\n\tassert.Contains(t, b.String(), \"Violations\\\": null\")\n}\n\nfunc TestPrintReportWithQueryString(t *testing.T) {\n\tr := assertion.ValidationReport{\n\t\tViolations: []assertion.Violation{\n\t\t\tassertion.Violation{RuleMessage: \"Houston, we have a problem\"},\n\t\t},\n\t}\n\tvar b bytes.Buffer\n\terr := printReport(&b, r, \"Violations[]\")\n\tassert.Nil(t, err, \"Expecting printReport to run without error\")\n\tassert.Contains(t, b.String(), \"RuleMessage\")\n\tassert.NotContains(t, b.String(), \"Violations\")\n\tassert.NotContains(t, b.String(), \"FilesScanned\")\n\tassert.NotContains(t, b.String(), \"ResourcesScanned\")\n}\n\ntype MockReportWriter struct {\n\tReport assertion.ValidationReport\n}\n\nfunc (w MockReportWriter) WriteReport(r assertion.ValidationReport, o LinterOptions) {\n\tw.Report = r\n}\n\nfunc TestApplyRules(t *testing.T) {\n\truleSets := []assertion.RuleSet{\n\t\tassertion.RuleSet{\n\t\t\tType: \"JSON\",\n\t\t},\n\t}\n\targs := arrayFlags{}\n\toptions := LinterOptions{}\n\tw := MockReportWriter{}\n\texitCode := applyRules(ruleSets, args, options, w)\n\tassert.Equal(t, exitCode, 0, \"Expecting applyRules to return 0\")\n\tassert.Empty(t, w.Report.Violations, \"Expecting empty report\")\n}\n\nfunc TestValidateRules(t *testing.T) {\n\tfilenames := []string{\"./testdata/has-properties.yml\"}\n\tw := MockReportWriter{}\n\tvalidateRules(filenames, w)\n\tassert.Empty(t, w.Report.Violations, \"Expecting empty report for validateRules\")\n}\n\nfunc TestResourceMatch(t *testing.T) {\n\ttestRule := []assertion.Rule{\n\t\t{\n\t\t\tID: \"RULE_1\",\n\t\t\tCategory: \"resource\",\n\t\t\tResources: []string{\"aws_instance\", \"aws_s3_bucket\"},\n\t\t},\n\t\t{\n\t\t\tID: \"RULE_2\",\n\t\t\tCategory: \"resource\",\n\t\t\tResource: \"aws_s3_bucket\",\n\t\t},\n\t}\n\tprofileExceptions := []RuleException{\n\t\t{\n\t\t\tRuleID: \"RULE_1\",\n\t\t\tResourceCategory: \"resource\",\n\t\t\tResourceType: \"aws_instance\",\n\t\t\tComments: \"Testing\",\n\t\t\tResourceID: \"my-special-resource\",\n\t\t},\n\t\t{\n\t\t\tRuleID: \"RULE_2\",\n\t\t\tResourceCategory: \"resources\",\n\t\t\tResourceType: \"aws_s3_bucket\",\n\t\t\tComments: \"Testing\",\n\t\t\tResourceID: \"my-special-bucket\",\n\t\t},\n\t\t{\n\t\t\tRuleID: \"RULE_2\",\n\t\t\tResourceCategory: \"resources\",\n\t\t\tResourceType: \"aws_vpc\",\n\t\t\tComments: \"Should not match\",\n\t\t\tResourceID: \"my-vpc\",\n\t\t},\n\t}\n\n\tassert.True(t, resourceMatch(testRule[0], profileExceptions[0]), \"Expecting exception resource to be found in rule resources\")\n\tassert.True(t, resourceMatch(testRule[1], profileExceptions[1]), \"Expecting one to one match with exception resource and rule resource\")\n\tassert.False(t, resourceMatch(testRule[1], profileExceptions[2]), \"Expecting rule and exception to not match\")\n}\n\nfunc TestLoadRuleSetsBadFilename(t *testing.T) {\n\targs := []string{\"no-such-file.yml\"}\n\t_, err := loadRuleSets(args)\n\tassert.NotNil(t, err, \"LoadRuleSet with bad filename should return an error\")\n}\n\nfunc TestLoadRuleSetsParseErrors(t *testing.T) {\n\targs := []string{\"./testdata/syntax-errors.yml\"}\n\t_, err := loadRuleSets(args)\n\tassert.NotNil(t, err, \"Expecting rules file with syntax errors to fail\")\n\tif err != nil {\n\t\tassert.Contains(t, err.Error(), \"error unmarshaling JSON\")\n\t}\n}\n\nfunc TestStdinFilename(t *testing.T) {\n\tfilenames := getFilenames([]string{\"-\"})\n\tassert.Len(t, filenames, 1, \"getFilenames should file 1 file\")\n\tassert.Equal(t, filenames[0], \"-\", \"getFilenames should allow - for stdin\")\n}\n\nfunc TestGetFilenamesUsingDirectory(t *testing.T) {\n\tfilenames := getFilenames([]string{\"./testdata/dirtest\"})\n\tassert.Len(t, filenames, 2)\n\tassert.Equal(t, \"testdata/dirtest/a.yml\", filenames[0])\n\tassert.Equal(t, \"testdata/dirtest/b.yml\", filenames[1])\n}\n\nfunc TestLoadFilenamesFromCommandLine(t *testing.T) {\n\tcommandLineFilenames := []string{\"command.yml\"}\n\tprofileFilenames := []string{\"default.yml\"}\n\tresult := loadFilenames(commandLineFilenames, profileFilenames)\n\tassert.Equal(t, result, commandLineFilenames)\n}\n\nfunc TestLoadFilenamesFromProfile(t *testing.T) {\n\tcommandLineFilenames := []string{}\n\tprofileFilenames := []string{\"default.yml\"}\n\tresult := loadFilenames(commandLineFilenames, profileFilenames)\n\tassert.Equal(t, result, profileFilenames)\n}\n\nfunc TestArrayFlags(t *testing.T) {\n\tvar f arrayFlags\n\tassert.Equal(t, \"\", f.String(), \"Default arrayFlags should return empty string\")\n\tf.Set(\"first\")\n\tf.Set(\"second\")\n\tassert.Equal(t, arrayFlags{\"first\", \"second\"}, f, \"Expecting arrayFlags to have two elements\")\n}\n\nfunc TestLoadBuiltInRuleSetMissing(t *testing.T) {\n\t_, err := loadBuiltInRuleSet(\"missing.yml\")\n\tassert.Contains(t, err.Error(), \"File or directory doesnt exist\", \"loadBuiltInRuleSet should fail for missing file\")\n}\n"
},
{
"path": "cli/assets/lint-rules.yml",
"content": "---\nversion: 1\ndescription: Rules for config-lint\ntype: LintRules\nfiles:\n - \"*.yml\"\nrules:\n\n - id: VALID_TYPE\n message: Not a valid linter type\n resource: LintRuleSet\n severity: FAILURE\n assertions:\n - key: type\n op: in\n value: Terraform,Terraform12,Kubernetes,LintRules,YAML,JSON,CSV\n\n - id: VALID_VERSION\n message: RuleSet must have a supported version\n resource: LintRuleSet\n severity: WARNING\n assertions:\n - key: version\n op: eq\n value: 1\n\n - id: HAS_RULES\n message: RuleSet needs at least one rule\n resource: LintRuleSet\n severity: WARNING\n assertions:\n - key: rules\n op: not-empty\n\n - id: YAML_RULES_HAVE_RESOURCES_SECTION\n message: RuleSet for YAML required resources section\n resource: LintRuleSet\n severity: FAILURE\n conditions:\n - key: type\n op: eq\n value: YAML\n assertions:\n - key: resources\n op: present\n\n - id: EVERY_RULE_HAS_ID\n message: Event rule in rule set must have an id\n resource: LintRuleSet\n severity: FAILURE\n assertions:\n - every:\n key: rules\n expressions:\n - key: id\n op: present\n\n - id: ID_PRESENT\n message: Rule must have an ID\n resource: LintRule\n severity: FAILURE\n assertions:\n - key: id\n op: present\n\n - id: RESOURCE_PRESENT\n message: Rule must have a resource, resources or except_resources attribute\n severity: FAILURE\n resource: LintRule\n assertions:\n - or:\n - key: resource\n op: present\n - key: resources\n op: present\n - key: except_resources\n op: present\n tags:\n - resource\n\n - id: ASSERTIONS_OR_INVOKE\n message: Rule must have assertions or invoke\n resource: LintRule\n severity: FAILURE\n assertions:\n - or:\n - key: assertions\n op: present\n - key: invoke\n op: present\n\n - id: VALID_EXPRESSION\n message: \"These are mutually exclusive in the same expression: key,or,xor,and,not,every,some,none\"\n resource: LintRule\n severity: FAILURE\n assertions:\n - every:\n key: \"assertions[]\"\n expressions:\n - xor:\n - key: \"@\"\n op: has-properties\n value: key,op\n - key: \"@\"\n op: has-properties\n value: or\n - key: \"@\"\n op: has-properties\n value: xor\n - key: \"@\"\n op: has-properties\n value: and\n - key: \"@\"\n op: has-properties\n value: not\n - key: \"@\"\n op: has-properties\n value: every\n - key: \"@\"\n op: has-properties\n value: some\n - key: \"@\"\n op: has-properties\n value: none\n - key: \"@\"\n op: has-properties\n value: exactly-one\n"
},
{
"path": "cli/assets/terraform/aws/api_gateway/api_gateway_domain_name/security_policy/rule.yml",
"content": "---\nversion: 1\ndescription: Terraform rules\ntype: Terraform\nfiles:\n - \"*.tf\"\n - \"*.tfvars\"\nrules:\n\n - id: API_GW_DOMAIN_SECURITY_POLICY_TLS1_2\n message: API Gateway domain name must use TLS 1.2\n resource: aws_api_gateway_domain_name\n severity: FAILURE\n assertions:\n - key: security_policy\n op: eq\n value: \"TLS_1_2\"\n tags:\n - api_gateway"
},
{
"path": "cli/assets/terraform/aws/api_gateway/api_gateway_domain_name/security_policy/tests/terraform12/security_policy.tf",
"content": "# Test that an api_gateway_domain_name is using TLS 1.2\n# https://www.terraform.io/docs/providers/aws/r/api_gateway_domain_name.html#security_policy\n\nprovider \"aws\" {\n region = \"us-east-1\"\n}\n\n# PASS: security_policy is set to TLS 1.2\nresource \"aws_api_gateway_domain_name\" \"api_gw_domain_using_tls1_2\" {\n domain_name = \"api.example.com\"\n\n endpoint_configuration {\n types = [\"REGIONAL\"]\n }\n\n security_policy = \"TLS_1_2\"\n}\n\n# FAIL: security_policy is not defined\nresource \"aws_api_gateway_domain_name\" \"api_gw_security_policy_not_set\" {\n domain_name = \"api.example.com\"\n\n endpoint_configuration {\n types = [\"REGIONAL\"]\n }\n}\n\n# FAIL: security_policy is set to TLS 1.0 \nresource \"aws_api_gateway_domain_name\" \"api_gw_domain_using_tls1_0\" {\n domain_name = \"api.example.com\"\n\n endpoint_configuration {\n types = [\"REGIONAL\"]\n }\n\n security_policy = \"TLS_1_0\"\n}\n"
},
{
"path": "cli/assets/terraform/aws/api_gateway/api_gateway_domain_name/security_policy/tests/test.yml",
"content": "---\nversion: 1\ndescription: Terraform 11 and 12 tests\ntype: Terraform\nfiles:\n - \"*.tf\"\n - \"*.tfvars\"\ntests:\n -\n ruleId: API_GW_DOMAIN_SECURITY_POLICY_TLS1_2\n warnings: 0\n failures: 2\n tags:\n - \"terraform12\""
},
{
"path": "cli/assets/terraform/aws/batch/batch_job_definition/aws_secrets/rule.yml",
"content": "---\nversion: 1\ndescription: Terraform rules\ntype: Terraform\nfiles:\n - \"*.tf\"\n - \"*.tfvars\"\nrules:\n\n - id: BATCH_JOB_AWS_ENVIRONMENT_SECRETS\n message: Environment for batch jobs should not include AWS secrets\n resource: aws_batch_job_definition\n severity: FAILURE\n # This rule fails if it finds a regex match for either the Access Key ID and/or the Secret Access Key\n assertions:\n - not:\n - some:\n key: \"container_properties.environment[].value\"\n expressions:\n # Check if the string starts with any known 4 character ACCESS_KEY sequence\n # and is 20 capital alpha-numeric characters long in total\n - key: \"@\"\n op: regex\n value: \"^(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}$\"\n - some:\n key: \"container_properties.environment[].value\"\n expressions:\n - and:\n # Check if the string is exactly 40 characters long\n - key: \"@\"\n op: regex\n value: \"^.{40}$\"\n # Check if the string contains only alpha-numeric-slash-plus characters with at least 1 / or +\n - key: \"@\"\n op: regex\n value: \"^[a-zA-Z0-9/+]+[/+]+[a-zA-Z0-9/+]+$\"\n tags:\n - batch\n"
},
{
"path": "cli/assets/terraform/aws/batch/batch_job_definition/aws_secrets/tests/terraform12/aws_secrets.tf",
"content": "# Test that AWS secrets are not being used in batch environment variables\n# https://www.terraform.io/docs/providers/aws/r/batch_job_definition.html#container_properties\n# Reference API for container_properties spec: https://docs.aws.amazon.com/batch/latest/APIReference/API_RegisterJobDefinition.html\n\nprovider \"aws\" {\n region = \"us-east-1\"\n}\n\n# PASS: AWS secrets are not used in the env vars\nresource \"aws_batch_job_definition\" \"batch_job_without_secrets\" {\n name = \"tf_test_batch_job_definition\"\n type = \"container\"\n\n container_properties = <K7MDENG^bPxRfiCYEXAMPLEKEY\"\n }\n ]\n }\n]\nEOF\n}\n\n# Pass\nresource \"aws_ecs_task_definition\" \"container_definitions_environment_aws_secrets_not_set_41_character_string\" {\n family = \"foo\"\n container_definitions = <K7MDENG^bPxRfiCYEXAMPLEKEY\"\n }\n ]\n }\n]\nEOF\n}\n\n# Pass\nresource \"aws_ecs_task_definition\" \"container_definitions_environment_aws_secrets_not_set_41_character_string\" {\n family = \"foo\"\n container_definitions = < 0 {\n\t\tpatterns := options.Files\n\t\toptions.Files = []string{}\n\t\tfor _, pattern := range patterns {\n\t\t\tmatches, err := filepath.Glob(pattern)\n\t\t\tif err != nil {\n\t\t\t\treturn options, err\n\t\t\t}\n\t\t\toptions.Files = append(options.Files, matches...)\n\t\t}\n\t}\n\treturn options, nil\n}\n\nfunc makeTagList(tags string, profileOptions []string) []string {\n\tif tags != \"\" {\n\t\treturn strings.Split(tags, \",\")\n\t}\n\tif len(profileOptions) != 0 {\n\t\treturn profileOptions\n\t}\n\treturn nil\n}\n\nfunc makeRulesList(ruleIDs string, profileOptions []string) []string {\n\tif ruleIDs != \"\" {\n\t\treturn strings.Split(ruleIDs, \",\")\n\t}\n\tif len(profileOptions) != 0 {\n\t\treturn profileOptions\n\t}\n\treturn nil\n}\n\nfunc makeQueryExpression(queryExpression string, verboseReport bool, profileOptions string) string {\n\tif queryExpression != \"\" {\n\t\treturn queryExpression\n\t}\n\t// return complete report when -verbose option is used\n\tif verboseReport {\n\t\treturn \"\"\n\t}\n\tif profileOptions != \"\" {\n\t\treturn profileOptions\n\t}\n\t// default is to only report Violations\n\treturn \"Violations[]\"\n}\n\nfunc parseVariables(vars []string) map[string]string {\n\tm := map[string]string{}\n\tfor _, kv := range vars {\n\t\tparts := strings.Split(kv, \"=\")\n\t\tif len(parts) == 2 {\n\t\t\tm[parts[0]] = parts[1]\n\t\t} else {\n\t\t\tfmt.Printf(\"Cannot parse command line variable: %s\\n\", kv)\n\t\t}\n\t}\n\treturn m\n}\n\nfunc mergeVariables(a, b map[string]string) map[string]string {\n\tif a == nil {\n\t\treturn b\n\t}\n\tif b == nil {\n\t\treturn map[string]string{}\n\t}\n\tfor k, v := range b {\n\t\ta[k] = v\n\t}\n\treturn a\n}\n\nfunc loadExcludePatterns(patterns []string, excludeFromFilenames []string) ([]string, error) {\n\tif len(excludeFromFilenames) == 0 {\n\t\treturn patterns, nil\n\t}\n\tfor _, filename := range excludeFromFilenames {\n\t\tlines, err := ioutil.ReadFile(filename)\n\t\tif err != nil {\n\t\t\treturn patterns, err\n\t\t}\n\t\tfor _, patternFromFile := range strings.Split(string(lines), \"\\n\") {\n\t\t\tif patternFromFile != \"\" {\n\t\t\t\tassertion.Debugf(\"Pattern from file %s: %s\\n\", filename, patternFromFile)\n\t\t\t\tpatterns = append(patterns, patternFromFile)\n\t\t\t}\n\t\t}\n\t}\n\treturn patterns, nil\n}\n\nfunc validateParser(parser string) (string, error) {\n\tvalidOptions := []string{\"\", \"tf11\", \"tf12\"}\n\tfor _, option := range validOptions {\n\t\tif parser == option {\n\t\t\treturn parser, nil\n\t\t}\n\t}\n\treturn \"\", fmt.Errorf(\"tf-parser \\\"%s\\\" is not valid. Choose from [\\\"tf11\\\", \\\"tf12\\\"].\\n\", parser)\n}\n"
},
{
"path": "cli/options_test.go",
"content": "package main\n\nimport (\n\t\"testing\"\n)\n\nfunc emptyCommandLineOptions() CommandLineOptions {\n\temptyString := \"\"\n\tverbose := false\n\treturn CommandLineOptions{\n\t\tTags: &emptyString,\n\t\tIds: &emptyString,\n\t\tIgnoreIds: &emptyString,\n\t\tQueryExpression: &emptyString,\n\t\tSearchExpression: &emptyString,\n\t\tVerboseReport: &verbose,\n\t\tTerraformParser: &emptyString,\n\t}\n}\n\nfunc TestCommandLineOnlyOptions(t *testing.T) {\n\ttags := \"1,2,3\"\n\to := emptyCommandLineOptions()\n\to.Tags = &tags\n\tp := ProfileOptions{}\n\tl, err := getLinterOptions(o, p)\n\n\tif err != nil {\n\t\tt.Errorf(\"getLinterOptions should not return error: %s\\n\", err.Error())\n\t}\n\tif len(l.Tags) != 3 {\n\t\tt.Errorf(\"getLinterOptions should find 3 tags: %v\\n\", l.Tags)\n\t}\n}\n\nfunc TestProfileOnlyOptions(t *testing.T) {\n\to := emptyCommandLineOptions()\n\tp := ProfileOptions{\n\t\tTags: []string{\"1\", \"2\", \"3\"},\n\t}\n\tl, err := getLinterOptions(o, p)\n\n\tif err != nil {\n\t\tt.Errorf(\"getLinterOptions should not return error: %s\\n\", err.Error())\n\t}\n\tif len(l.Tags) != 3 {\n\t\tt.Errorf(\"getLinterOptions should find 3 tags: %v\\n\", l.Tags)\n\t}\n}\n\nfunc TestCommandLineOverridesProfile(t *testing.T) {\n\ttags := \"1,2,3,4\"\n\to := emptyCommandLineOptions()\n\to.Tags = &tags\n\tp := ProfileOptions{\n\t\tTags: []string{\"1\", \"2\", \"3\"},\n\t}\n\tl, err := getLinterOptions(o, p)\n\n\tif err != nil {\n\t\tt.Errorf(\"getLinterOptions should not return error: %s\\n\", err.Error())\n\t}\n\tif len(l.Tags) != 4 {\n\t\tt.Errorf(\"getLinterOptions should find 4 tags: %v\\n\", l.Tags)\n\t}\n}\n\nfunc TestCommandLineVariables(t *testing.T) {\n\to := emptyCommandLineOptions()\n\to.Variables = []string{\"namespace=web\"}\n\tp := ProfileOptions{}\n\tl, err := getLinterOptions(o, p)\n\n\tif err != nil {\n\t\tt.Errorf(\"getLinterOptions should not return error: %s\\n\", err.Error())\n\t}\n\tv, ok := l.Variables[\"namespace\"]\n\tif !ok {\n\t\tt.Errorf(\"Expecting namespace variable to have a value\\n\")\n\t} else {\n\t\tif v != \"web\" {\n\t\t\tt.Errorf(\"Expecting namespace variable to be 'web', not '%s'\\n\", v)\n\t\t}\n\t}\n}\n\nfunc TestMergeVariables(t *testing.T) {\n\to := emptyCommandLineOptions()\n\to.Variables = []string{\"namespace=web\"}\n\tp := ProfileOptions{\n\t\tVariables: map[string]string{\"kind\": \"Pod\"},\n\t}\n\tl, err := getLinterOptions(o, p)\n\n\tif err != nil {\n\t\tt.Errorf(\"getLinterOptions should not return error: %s\\n\", err.Error())\n\t}\n\tnamespace, ok := l.Variables[\"namespace\"]\n\tif !ok {\n\t\tt.Errorf(\"Expecting namespace variable to have a value\\n\")\n\t} else {\n\t\tif namespace != \"web\" {\n\t\t\tt.Errorf(\"Expecting namespace variable to be 'web', not '%s'\\n\", namespace)\n\t\t}\n\t}\n\tkind, ok := l.Variables[\"kind\"]\n\tif !ok {\n\t\tt.Errorf(\"Expecting kind variable to have a value\\n\")\n\t} else {\n\t\tif kind != \"Pod\" {\n\t\t\tt.Errorf(\"Expecting kind variable to be 'Pod', not '%s'\\n\", kind)\n\t\t}\n\t}\n}\n\nfunc TestLoadProfile(t *testing.T) {\n\tp, err := loadProfile(\"./testdata/profile.yml\")\n\tif err != nil {\n\t\tt.Errorf(\"Expecting loadProfile to run without error: %v\\n\", err.Error())\n\t}\n\tif len(p.Tags) != 1 || p.Tags[0] != \"iam\" {\n\t\tt.Errorf(\"Expecting single tag in profile: %v\\n\", p.Tags)\n\t}\n}\n\nfunc TestProfileExclude(t *testing.T) {\n\tp, err := loadProfile(\"./testdata/profile.yml\")\n\tif err != nil {\n\t\tt.Errorf(\"Expecting loadProfile to run without error: %v\\n\", err.Error())\n\t}\n\to := emptyCommandLineOptions()\n\tl, err := getLinterOptions(o, p)\n\tif err != nil {\n\t\tt.Errorf(\"Expecting getLinterOptions to run without error: %v\\n\", err.Error())\n\t}\n\tif len(l.ExcludePatterns) != 3 {\n\t\tt.Errorf(\"Expecting 3 excludes in total using 'exclude' and 'exclude_from' in profile: %v\\n\", l.ExcludePatterns)\n\t}\n\tif l.ExcludePatterns[0] != \"this_file_will_be_excluded.tf\" {\n\t\tt.Errorf(\"Expecting 1st pattern using 'exclude' in profile to be 'this_file_will_be_excluded.tf', not '%s'\", l.ExcludePatterns[0])\n\t}\n\tif l.ExcludePatterns[1] != \"*1.tf\" {\n\t\tt.Errorf(\"Expecting 2nd pattern using 'exclude_from' in profile to be '*1.tf', not '%s'\", l.ExcludePatterns[1])\n\t}\n\tif l.ExcludePatterns[2] != \"*2.tf\" {\n\t\tt.Errorf(\"Expecting 3rd pattern using 'exclude_from' in profile to be '*2.tf', not '%s'\", l.ExcludePatterns[2])\n\t}\n}\n\nfunc TestValidateParser(t *testing.T) {\n\tparser, err := validateParser(\"\")\n\tif err != nil {\n\t\tt.Errorf(\"Expected %s, got %v\", parser, err)\n\t}\n\tparser, err = validateParser(\"tf11\")\n\tif err != nil {\n\t\tt.Errorf(\"Expected %s, got %v\", parser, err)\n\t}\n\tparser, err = validateParser(\"tf12\")\n\tif err != nil {\n\t\tt.Errorf(\"Expected %s, got %v\", parser, err)\n\t}\n\tparser, err = validateParser(\"tf13\")\n\tif err == nil {\n\t\tt.Errorf(\"Expected %v, got nil\", err)\n\t}\n}\n"
},
{
"path": "cli/report_writer.go",
"content": "package main\n\nimport (\n\t\"fmt\"\n\t\"github.com/stelligent/config-lint/assertion\"\n)\n\nfunc (w DefaultReportWriter) WriteReport(report assertion.ValidationReport, options LinterOptions) {\n\tif options.SearchExpression == \"\" {\n\t\terr := printReport(w.Writer, report, options.QueryExpression)\n\t\tif err != nil {\n\t\t\tfmt.Println(err.Error())\n\t\t}\n\t}\n}\n"
},
{
"path": "cli/report_writer_test.go",
"content": "package main\n\nimport (\n\t\"bytes\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stretchr/testify/assert\"\n\t\"testing\"\n)\n\nfunc TestReportWriter(t *testing.T) {\n\tvar b bytes.Buffer\n\tw := DefaultReportWriter{Writer: &b}\n\tr := assertion.ValidationReport{\n\t\tViolations: []assertion.Violation{\n\t\t\tassertion.Violation{\n\t\t\t\tRuleID: \"RULE_1\",\n\t\t\t},\n\t\t},\n\t}\n\tw.WriteReport(r, LinterOptions{})\n\tassert.Contains(t, b.String(), \"RULE_1\")\n}\n"
},
{
"path": "cli/terraform_test.go",
"content": "package main\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"path/filepath\"\n\t\"strings\"\n\t\"testing\"\n\n\t\"github.com/ghodss/yaml\"\n\t\"github.com/gobuffalo/packr\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stelligent/config-lint/linter\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\ntype TestSuite struct {\n\tVersion string\n\tDescription string\n\tType string\n\tFiles []string\n\tTests []TestCase\n\tRootPath string\n}\n\ntype TestCase struct {\n\tRuleId string\n\tWarnings int\n\tFailures int\n\tTags []string\n}\n\n/*\n* Determine if the given filename is a test case\n */\nfunc isTestCase(filename string) bool {\n\tif strings.Contains(filename, \"test\") && isYamlFile(filename) {\n\t\treturn true\n\t} else {\n\t\treturn false\n\t}\n}\n\n/*\n* Given filepath to a YAML test suite, return a TestSuite object\n */\nfunc loadTestSuite(filename string) (TestSuite, error) {\n\tyamlFile, err := ioutil.ReadFile(filename)\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to load Test Suite file: %v\\n %v\\n\", filename, err)\n\t\treturn TestSuite{}, err\n\t}\n\tts := TestSuite{}\n\terr = yaml.Unmarshal([]byte(yamlFile), &ts)\n\tif err != nil {\n\t\tassertion.Debugf(\"Failed to unmarshall YAML Test Suite: %v\\n %v\\n\", filename, err)\n\t\treturn TestSuite{}, err\n\t}\n\n\tts.RootPath = strings.TrimSuffix(filename, \"/tests/test.yml\")\n\n\treturn ts, nil\n}\n\nfunc getTestResources(directory string) ([]string, error) {\n\tvar testResources []string\n\tbox := packr.NewBox(directory)\n\tfilesInBox := box.List()\n\tconfigPatterns := []string{\"*.tf\"}\n\tfor _, f := range filesInBox {\n\t\tmatch, _ := assertion.ShouldIncludeFile(configPatterns, f)\n\t\tif match {\n\t\t\tabsolutePath, err := filepath.Abs(directory + \"/\" + f)\n\t\t\tif err != nil {\n\t\t\t\treturn []string{}, err\n\t\t\t}\n\t\t\ttestResources = append(testResources, absolutePath)\n\t\t}\n\t}\n\treturn testResources, nil\n}\n\nfunc contains(arr []string, str string) bool {\n\tfor _, a := range arr {\n\t\tif a == str {\n\t\t\treturn true\n\t\t}\n\t}\n\treturn false\n}\n\n// Run each test case in a test suite\nfunc runTestSuite(t *testing.T, ts TestSuite) {\n\t// Load only the rule for this test suite\n\truleConfigPath := strings.Split(ts.RootPath, \"config-lint/cli/assets/\")[1] + \"/rule.yml\"\n\truleSet, err := loadBuiltInRuleSet(ruleConfigPath)\n\tif err != nil {\n\t\tassert.Nil(t, err, \"Cannot load built-in Terraform rule\")\n\t}\n\n\tfor _, tc := range ts.Tests {\n\t\toptions := linter.Options{\n\t\t\tRuleIDs: []string{tc.RuleId},\n\t\t}\n\t\tvs := assertion.StandardValueSource{}\n\n\t\t// validate the rule set\n\t\tif contains(tc.Tags, \"terraform11\") {\n\t\t\t// Load the test resources for this test suite\n\t\t\ttestResourceDirectory := strings.Split(ts.RootPath, \"config-lint/cli/\")[1] + \"/tests/terraform11/\"\n\t\t\ttestResources, err := getTestResources(testResourceDirectory)\n\t\t\tif err != nil {\n\t\t\t\tassert.Nil(t, err, \"Cannot load built-in Terraform 11 test resources\")\n\n\t\t\t}\n\t\t\t// Defining 'tf11' for the Parser type\n\t\t\tl, err := linter.NewLinter(ruleSet, vs, testResources, \"tf11\")\n\n\t\t\treport, err := l.Validate(ruleSet, options)\n\t\t\tassert.Nil(t, err, \"Validate failed for file\")\n\n\t\t\twarningViolationsReported := getViolationsString(\"WARNING\", report.Violations)\n\t\t\twarningMessage := fmt.Sprintf(\"Expecting %d warnings for rule %s:\\n %s\", tc.Warnings, tc.RuleId, warningViolationsReported)\n\t\t\tassert.Equal(t, tc.Warnings, numberOfWarnings(report.Violations), warningMessage)\n\n\t\t\tfailureViolationsReported := getViolationsString(\"FAILURE\", report.Violations)\n\t\t\tfailureMessage := fmt.Sprintf(\"Expecting %d failures for rule %s:\\n %s\", tc.Failures, tc.RuleId, failureViolationsReported)\n\t\t\tassert.Equal(t, tc.Failures, numberOfFailures(report.Violations), failureMessage)\n\t\t}\n\n\t\tif contains(tc.Tags, \"terraform12\") {\n\t\t\t// Load the test resources for this test suite\n\t\t\ttestResourceDirectory := strings.Split(ts.RootPath, \"config-lint/cli/\")[1] + \"/tests/terraform12/\"\n\t\t\ttestResources, err := getTestResources(testResourceDirectory)\n\t\t\tif err != nil {\n\t\t\t\tassert.Nil(t, err, \"Cannot load built-in Terraform 12 test resources\")\n\n\t\t\t}\n\t\t\t// Defining 'tf11' for the Parser type\n\t\t\tl, err := linter.NewLinter(ruleSet, vs, testResources, \"tf12\")\n\n\t\t\treport, err := l.Validate(ruleSet, options)\n\t\t\tassert.Nil(t, err, \"Validate failed for file\")\n\n\t\t\twarningViolationsReported := getViolationsString(\"WARNING\", report.Violations)\n\t\t\twarningMessage := fmt.Sprintf(\"Expecting %d warnings for rule %s:\\n %s\", tc.Warnings, tc.RuleId, warningViolationsReported)\n\t\t\tassert.Equal(t, tc.Warnings, numberOfWarnings(report.Violations), warningMessage)\n\n\t\t\tfailureViolationsReported := getViolationsString(\"FAILURE\", report.Violations)\n\t\t\tfailureMessage := fmt.Sprintf(\"Expecting %d failures for rule %s:\\n %s\", tc.Failures, tc.RuleId, failureViolationsReported)\n\t\t\tassert.Equal(t, tc.Failures, numberOfFailures(report.Violations), failureMessage)\n\t\t}\n\t}\n}\n\n/*\n* Given resource type and tags\n* Run all defined tests per resource type and subtype\n */\nfunc RunBuiltinTests(t *testing.T, resourceType string) {\n\t// Get a list of all test cases\n\tbox := packr.NewBox(\"./assets/\" + resourceType)\n\tfilesInBox := box.List()\n\tfor _, file := range filesInBox {\n\t\tif isTestCase(file) {\n\t\t\tabsolutePath, _ := filepath.Abs(\"./assets/\" + resourceType + \"/\" + file)\n\t\t\tts, err := loadTestSuite(absolutePath)\n\t\t\tif err != nil {\n\t\t\t\tassert.Nil(t, err, \"Cannot load test case\")\n\t\t\t}\n\t\t\trunTestSuite(t, ts)\n\t\t}\n\t}\n}\n\n// Run built in rules against Terraform parser\nfunc TestTerraformBuiltInRules(t *testing.T) {\n\tRunBuiltinTests(t, \"terraform\")\n}\n"
},
{
"path": "cli/testdata/builtin/terraform12/test.tf",
"content": "resource \"aws_cloudtrail\" \"object_logging_enabled\" {\n name = \"tf-trail-foobar\"\n s3_bucket_name = \"nwm-cloudtrail-logs\"\n s3_key_prefix = \"prefix\"\n include_global_service_events = false\n event_selector {\n read_write_type = \"All\"\n include_management_events = true\n data_resource {\n type = \"AWS::S3::Object\"\n values = [\"arn:aws:s3:::\"]\n }\n }\n}\n\nresource \"aws_cloudtrail\" \"object_logging_enabled\" {\n name = \"tf-trail-foobar\"\n s3_bucket_name = \"nwm-cloudtrail-logs\"\n s3_key_prefix = \"prefix\"\n include_global_service_events = false\n event_selector {\n read_write_type = \"All\"\n include_management_events = true\n data_resource {\n type = \"wrong\"\n values = [\"arn:aws:s3:::\"]\n }\n }\n}\nresource \"aws_cloudtrail\" \"object_logging_enabled\" {\n name = \"tf-trail-foobar\"\n s3_bucket_name = \"nwm-cloudtrail-logs\"\n s3_key_prefix = \"prefix\"\n include_global_service_events = false\n event_selector {\n read_write_type = \"All\"\n include_management_events = true\n }\n}\n"
},
{
"path": "cli/testdata/dirtest/a.yml",
"content": "---\ncomment: test file\n"
},
{
"path": "cli/testdata/dirtest/b.yml",
"content": "---\ncomment: test file\n\n"
},
{
"path": "cli/testdata/exclude-list",
"content": "*1.tf\n*2.tf\n"
},
{
"path": "cli/testdata/profile-exceptions.yml",
"content": "---\n\nterraform: true\n\nfiles:\n - \"*.tf\"\n\nexceptions:\n - RuleID: IAM_ROLE_WILDCARD_ACTION\n ResourceCategory: resource\n ResourceType: aws_iam_role\n ResourceID: role2\n Comments: Just because\n\ntags:\n - iam\n"
},
{
"path": "cli/testdata/profile.yml",
"content": "---\n\nterraform: true\n\nfiles:\n - \"*.tf\"\n\nexceptions:\n - RuleID: ROLE_WILDCARD_ACTION\n ResourceCategory: resource\n ResourceType: aws_iam_role\n ResourceID: role2\n Comments: Just because\n\ntags:\n - iam\n\nexclude:\n - this_file_will_be_excluded.tf\n\nexclude_from:\n - ./testdata/exclude-list\n"
},
{
"path": "cli/testdata/smoketest_exceptions.tf",
"content": "resource \"aws_iam_role\" \"role2\" {\n name = \"role2\"\n\n assume_role_policy = <\n\n# config-lint 1.x\n\na tool to validate configuration files against custom specifications\n\nterraform | kubernetes | yaml | json | csv\n\n[GitHub](https://github.com/stelligent/config-lint)\n[Get Started](#config-lint)"
},
{
"path": "docs/css/style.css",
"content": "/* COVER */\nsection.cover {\n color: #fff;\n background:url(../img/bg-pattern.png),linear-gradient(to left,#f4842b,#7b4397) !important;\n }\n \n section.cover h1 {\n font-size: 5rem;\n font-weight: 600;\n }\n \n section.cover h1 a span {\n color: #fff;\n }\n \n /* Cover buttons */\n \n section.cover .cover-main > p:last-child a {\n border: 1px solid #fff;\n color: #fff;\n }\n section.cover .cover-main > p:last-child a:last-child {\n background-color: #fff;\n color: var(--theme-color,#fff);\n }\n section.cover .cover-main > p:last-child a:last-child:hover {\n color: var(--theme-color,#fff);\n opacity: 0.8;\n }\n"
},
{
"path": "docs/design.md",
"content": "# Design\n\n## Motivation\n\n* Static analysis of Terraform configuration files, similar to [cfn_nag](https://github.com/stelligent/cfn_nag) for CloudFormation templates\n* Analysis of Kubernetes spec files\n* Scanning of AWS resources already provisioned, via AWS API describe* calls\n* Processing of event data in AWS Config custom rules\n\nWhile the data source in each of these cases is different (files vs API calls vs event parameters), the application of the rules follows a similar pattern:\n\n* Extract a data element about a resource\n* Make assertions about the value or values found\n\n## Goals\n\n### Rules written in a DSL, rather than code\n\nUsing a DSL in YAML has some advantages: \n\n* Common format that is easy to read\n* Easy to add new rules\n* Easy to scan an existing rule set\n\nThe DSL was modeled after that found in [Cloud Custodian](https://github.com/capitalone/cloud-custodian). Instead of specifying filters to select resources, the DSL makes assertions about values discovered about resources.\n\nThe DSL does have the ability to invoke HTTP endpoints. This is intended for logic that is too complex to specify in the DSL.\n\n### Dynamic data\n\nIn addition to using data embedded directly in a rule, the rules should be able to reference dynamic data. Typical examples are lists of IP addresses, and EC2 instance types. \n\nThe DSL can reference HTTP endpoints or S3 objects for such dynamic data. This idea was also inspired by Cloud Custodian.\n\n### Not aimed at remediation. \n\nThe primary use case is as part of a CI/CD pipeline. If violations are detected, the exit code of the program is set so the pipeline can be terminated.\n\nThe JSON output of the tool can be read by a other tools to trigger notifications or automatic remediation.\n\n## Implementation \n\nThe tool itself is written in go, and is a self contained binary. This simplifies its use in pipelines as well as for local development. \n\n### Built-in rules\n\nThe implementation includes a set of rules for Terraform that can be turned on with a command line option. These implement the same rules found in [cfn_nag](https://github.com/stelligent/cfn_nag) as well as those found in [terrascan](https://github.com/cesar-rodriguez/terrascan)\n\n### Packages\n\nThere are three packages in the repository:\n\n* cli\n* linter\n* assertion\n\n#### cli package\n\nThis processes command line arguments and loads project files before using the linter package to do the actual linting.\n\n#### linter package\n\nDefines a linter interface, and provides a factory function to create linters that can discover resources that will be analyzed.\nCurrently supported:\n\n* File based configurations - Terraform, Kubernetes, YAML, and self validation of config-lint rules files\n* API based congifurations - AWS Security Groups and IAM users\n\nThe cli package in this repo uses the linter package. The linter package might also be used in tools that are not command line driven, such as a website or an AWS Lambda used for Config rules. Implementations of these can be found in the early commit history of this repository, but future work will be moved to separate repositories.\n\nThe linter then uses the assertion package to analyze the collection of resources, and then generate a report.\n\n#### assertion\n\nApplies a set of rules to a collection of JSON objects and returns a report that includes any violations found. \nThis package works on JSON objects and has no knowledge of how the resources were loaded. That work is done in the linter package.\n\n"
},
{
"path": "docs/development.md",
"content": "# Developing for config-lint\n\n## VS Code Remote Development\nThe preferred method of developing is to use the VS Code Remote development functionality.\n\n- Install the VS Code [Remote Development extension pack](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.vscode-remote-extensionpack)\n- Open the repo in VS Code\n- When prompted \"`Folder contains a dev container configuration file. Reopen folder to develop in a container`\" click the \"`Reopen in Container`\" button\n- When opening in the future use the \"`config-lint [Dev Container]`\" option\n\n### VS Code Dependencies\n\nThere are a couple of dependencies that you need to configure locally before being able to fully utizlize the Remote Developemnt environment.\n- Requires `ms-vscode-remote.remote-containers` >= `0.101.0`\n- [Docker](https://www.docker.com/products/docker-desktop)\n - Needs to be installed in order to use the remote development container\n- [GPG](https://gpgtools.org)\n - Should to be installed in `~/.gnupg/` to be able to sign git commits with gpg\n- SSH\n - Should to be installed in `~/.ssh` to be able to use your ssh config and keys.\n\n## Local Development\n\n### Prerequisites \n- [Install golang](https://golang.org/doc/install)\n- Add the output of the following command to your PATH\n```\necho \"$(go env GOPATH)/bin\"\n```\n\n### Build Command Line tool\n\n```\nmake all\n```\n\nThe binary is located at `.release/config-lint`\n\n### Tests\nTests are located in the `assertion` directory. To run all tests: \n```\nmake test\n```\n\nTo run the Terraform builtin rules tests:\n```\nmake testtf\n```\n\nMore information about how to create and run tests can be found [here](tests.md).\n\n### Linting\nTo lint all files (using golint):\n```\nmake lint\n```\n\n### Releasing\nMerging to master will automatically cut a minor incremental release for any code changes. To create a new major release, you will need to merge a commit that includes the `#major` tag.\n\nReleases are created via GitHub Workflows. You can find more information about this [here](/github_workflow.md)"
},
{
"path": "docs/example-rules.md",
"content": "# Example Rules\n\nAdd these rules to a YAML file, and pass the filename to config-lint using the -rules option.\nEach rule contains a list of assertions, and these assertions use operations that are [documented here](operations.md).\n\n\n* [Simple Expressions](#simple-expressions)\n* [Boolean Expressions](#boolean-expressions)\n* [Collection Expressions](#collection-expressions)\n* [Dynamic Values](#dynamic-values)\n* [Conditions](#conditions)\n* [Macros](#macros)\n\n## simple-expressions\n\nTo test that an AWS instance type has one of two values:\n\n```\nversion: 1\ndescription: Simple expression example\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: EC2_INSTANCE_TYPE\n message: Instance type should be t2.micro or m3.medium\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value: t2.micro,m3.medium\n severity: WARNING\n```\n\n## boolean-expressions\n\nThis could also be done by using the or operation with two different assertions:\n\n```\nversion: 1\ndescription: Boolean expression example\ntype: Terraform\nfiles:\n - \"*.tf\"\nRules:\n - id: EC2_INSTANCE_TYPE\n message: Instance type shouldG be t2.micro or m3.medium\n resource: aws_instance\n assertions:\n or:\n - key: instance_type\n op: eq\n value: t2.micro\n - key: instance_type\n op: eq\n value: m3.medium\n severity: WARNING\n```\n\n## collection-expressions\n\nThere are three operators that simplify working with collections: [every](operations.md#every), [some](operations.md#some) and [none](operations.md#none).\nYou provide a JMESPath expression to extract the entire collection from the resource properties.\nThen a separate set of expressions are applied to each element of the collection.\nThe expressions are the same as used for rule assertions.\nThe every operator requires all elements to return true for the expression, the some operator requires at least one element to return true, and the none operator requires all of the elements to return false for the expression.\n\n\n```\nversion: 1\ndescription: Collection expression example\ntype: YAML\nfiles:\n - \"*.config\"\n\nresources:\n - type: customer\n key: customers[]\n id: id\n\nrules:\n\n - id: CUSTOMER_LOCATIONS\n message: Every customer location needs an address and a zip_code\n resource: customer\n severity: FAILURE\n assertions:\n - every:\n key: locations\n assertions:\n - key: address\n op: present\n - key: zip_code\n op: present\n\n```\n\n## dynamic-values\n\nInstead of including a list of values directly in the rules file, it can be retrieved\nfrom an S3 object at runtime. HTTP endpoints are also supported.\n\n```\nversion: 1\ndescription: Dynamic value example\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: EC2_INSTANCE_TYPE\n message: Instance type should be t2.micro or m3.medium\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value_from: s3://your-bucket/instance-types.txt\n severity: FAILURE\n```\n\n## conditions\n\nRules always have a condition based on the resource type, but you can add additional conditions. Here is an example\nfrom the internal rule set used for the -validate option. This rule will only apply when a resource of type LintRuleSet\nhas a type equal to YAML. For that type of LintRuleSet, another attribute called resources must be present:\n\n```\nversion: 1\ndescription: Condition example\ntype: YAML\nfiles:\n - *.config\nrules:\n - id: YAML_RULES_HAVE_RESOURCES_SECTION\n message: RuleSet for YAML required resources section\n resource: LintRuleSet\n severity: FAILURE\n conditions:\n - key: type\n op: eq\n value: YAML\n assertions:\n - key: resources\n op: present\n```\n\n## macros\n\nBecause the rules are specified in YAML format, it is possible to use anchors and aliases as a simple kind of macro language to\neliminate duplicate expressions in a rule set. If you are familiar with Ruby on Rails configuration files, this might be familiar.\n\nHere is an example where the rules for different resource types check for the same attribute names.\nYou can use the \"&\" to define an anchor. In this example there\nare three of these: &has_name, &has_description and &has_name_and_description (the first two are actually used to\ndefine the third one). Elsewhere in the file you can use the \"*\" (alias) and the \"<<\" (merge key) to insert\nthese expressions into multiple rules, without copying the entire expression map.\n\n```\nversion: 1\ndescription: Macro example\ntype: YAML\nfiles:\n - \"*.config\"\n\n# some anchors to keep rules DRY\n\nhas_name: &has_name\n key: name\n op: present\n\nhas_name: &has_description\n key: description\n op: present\n\nhas_name_and_description: &has_name_and_description\n and:\n - <<: *has_name\n - <<: *has_description\n\n# resources to find in the config file\n\nresources:\n - type: widget\n key: widgets[]\n id: id\n - type: gadget\n key: gadgets[]\n id: name\n\n# rules to apply\n\nrules:\n\n - id: WIDGET_PROPERTIES\n message: Widget needs name and description\n severity: FAILURE\n resource: widget\n assertions:\n - <<: *has_name_and_description\n\n - id: GADGET_PROPERTIES\n message: Gadget needs name a description\n severity: FAILURE\n resource: gadget\n assertions:\n - <<: *has_name_and_description\n```\n\nThis feature of YAML can even be used for partial expressions. The JMESPath expression for find a specific tag in a Terraform resource is not particularly friendly, so that could be hidden in an anchor called \"has_tag\". Then a rule assertion can reference that, and include the tag name that is required.\n\n```\nVersion: 1\nDescription: Use an alias to hide a complicated JMESPath expression\nType: Terraform\nFiles:\n - \"*.tf\"\n\nhas_tag: &has_tag\n key: \"tags[]|[0].keys(@)\"\n op: contains\n\nrules:\n\n - id: HAS_NAME_TAG\n message: Tags are required\n resource: aws_ebs_volume\n assertions:\n - <<: *has_tag\n value: Name\n```\n\nThe assertions and operations were inspired by those in Cloud Custodian: https://cloud-custodian.github.io/cloud-custodian/docs/\n"
},
{
"path": "docs/faq.md",
"content": "# FAQs\n\n1. With the newest version of config-lint being able to handle configuration files written in Terraform v0.12 syntax, is it still\nbackwards compatible with configuration files written in the Terraform v0.11?\n - Yes the new version of config-lint is able to handle parsing Terraform configuration files written in both v0.11 and v0.12 syntax.\n - To choose the between parsing Terraform 0.11 vs 0.12 syntax, you can pass in the flag option `-tfparser` followed\n by either `tf11` or `tf12`. For example:\n - `config-lint -tfparser tf12 -rules example_rule.yml example_config/example_file.tf`\n2. I'm running into errors when trying to run the newest version of config-lint against configuration files\nwritten in Terraform v0.12 syntax. Where should be the first place to check for resolving this?\n - The first thing to check is to make sure you're passing in the correct `-tfparser` flag option.\n Depending on which Terraform syntax the configuration file is written in, refer to the FAQ #1 above for \n passing in the correct flag option values.\n - For configuration files that contain Terraform v0.12 syntax, you should confirm that whatever rule.yml file/files you pass in\n have the `type:` key set to `Terraform12`. For example in this rule.yml file:\n ```\n version: 1\n description: Rules for Terraform configuration files\n type: Terraform12\n files:\n - \"*.tf\"\n rules:\n - id: AMI_SET\n message: Testing\n resource: aws_instance\n assertions:\n - key: ami\n op: eq\n value: ami-f2d3638a\n ```\n"
},
{
"path": "docs/github_workflow.md",
"content": "# GitHub Workflows\n\nThis project utilizes GitHub Workflows to run checks against pushed commits and to also control releases.\n\n## Configs\n\nThe configuration files for the Workflows are stored in the `.github/workflows/` directory. The Workflows are split up into 2 different types, `Build` and `Deploy`. More information about each can be found below:\n\n### Build\n\n`.github/workflows/build.yml`\n\nThere is a general catchall `Build` Workflow that is used against each push to the repository from any branch as long as the push **DOES NOT** contain a tag. This Workflow will download the `GO` module dependencies and run a `make test` against the pushed commit.\n\nThis `Build` Workflow is attached to Pull Requests as a Status Check to ensure all the tests are passing before code can be merged.\n\n### Deploy\n\nThere are 2 `Deploy` Workflow types, each is tied to a specific release type, **`Stable`** or **`Beta`**.\n\n#### Stable Release\n\n`.github/workflows/build_and_deploy.yml`\n\nThis Workflow will run on any push that contains a tag with `v*.*.*` but will ignore tags ending in `-beta`. This Workflow will download the `GO` module dependencies and run a `make test` against the pushed commit. Afterwards it will run the `release` stage and run `goreleaser release` utilizing the `.goreleaser.yml` configuration file.\n\nThe `goreleaser` step will create release files and create an actual `Release` in GitHub. It will also update the [stelligent/homebrew-tap](https://github.com/stelligent/homebrew-tap) to use the latest stable version stored in the [Formula/config-lint.rb](https://github.com/stelligent/homebrew-tap/blob/master/Formula/config-lint.rb) file\n\n#### Beta Release\n\n`.github/workflows/beta_build_and_deploy.yml`\n\nThis Workflow will run on any push that contains a tag with `v*.*.*-beta`. It is important to note that it must end in `-beta` for this beta release Workflow to trigger. This Workflow will download the `GO` module dependencies and run a `make test` against the pushed commit. Afterwards it will run the `beta release` stage and run `goreleaser release` utilizing the `.beta-goreleaser.yml` configuration file.\n\nThe `goreleaser` step will create release files and create a `Pre-Release` in GitHub. It will also update the [stelligent/homebrew-tap](https://github.com/stelligent/homebrew-tap) to use the latest pre-release version stored in the [Formula/beta/config-lint.rb](https://github.com/stelligent/homebrew-tap/blob/master/Formula/beta/config-lint.rb) file.\n\n---\nSome things to note within the `.beta-goreleaser.yml` file:\n\n``` yaml\nrelease:\n prerelease: auto\n```\n\n* This allows GitHub to assign a `Pre-Release` labeled release since the semantic version ends in `-beta`\n\n``` yaml\nbrews:\n -\n ...\n folder: Formula/beta\n```\n\n* Storing the beta release in a new directory specifically for beta releases in homebrew.\n"
},
{
"path": "docs/index.html",
"content": "\n\n \n \n config-lint: a tool to validate configuration files against custom specifications.\n \n \n \n \n \n\n \n \n \n \n \n \n \n \n \n \n \n \n"
},
{
"path": "docs/install.md",
"content": "# config-lint installation guide\n\n## Homebrew\n\nYou can use [Homebrew](https://brew.sh/) to install the latest version:\n\n``` bash\nbrew tap stelligent/tap\nbrew install config-lint\n```\n\n## Docker\n\nYou can pull the latest image from [DockerHub](https://hub.docker.com/r/stelligent/config-lint):\n\n``` bash\ndocker pull stelligent/config-lint\n```\n\nIf you choose to install and run via `docker` you will need mount a directory to the running container so that it has access to your configuration files.\n\n``` bash\ndocker run -v /path/to/your/configs/:/foobar stelligent/config-lint -terraform /foobar/foo.tf\n\n# or \n\ndocker run --mount src=/path/to/your/configs/,target=/foobar,type=bind stelligent/config-lint -terraform /foobar/foo.tf\n```\n\nIf you are linting Kubernetes configuration files, you will need to reference the path to the Kubernetes rules accordingly.\n\nFor example if the `pwd` has rules and configuration files:\n```\ndocker run -v $(pwd):/foobar stelligent/config-lint -rules /foobar/path/to/rules/kubernetes.yml /foobar/path/to/configs\n```\n\nIf you don't have your own set of rules that you want to run against your Kubernetes configuration files, you can copy or download the example set from [example-files/rules/kubernetes.yml](https://github.com/stelligent/config-lint/blob/master/example-files/rules/kubernetes.yml).\n\n## Linux\n\n```\n# Install the latest version of config-lint\ncurl -L https://github.com/stelligent/config-lint/releases/download/latest/config-lint_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin config-lint\n\n# See https://github.com/stelligent/config-lint/releases for release versions\nVERSION=v1.0.0\ncurl -L https://github.com/stelligent/config-lint/releases/download/${VERSION}/config-lint_Linux_x86_64.tar.gz | tar xz -C /usr/local/bin config-lint\n\nchmod +rx /usr/local/bin/config-lint\n```\n\n## Windows\n\nDownload the [latest Windows release](https://github.com/stelligent/config-lint/releases/latest) for your platform and add the binary to your Windows PATH.\n"
},
{
"path": "docs/operations.md",
"content": "# Operations\n\nThe rules contain a list of expressions that use operations\n\n## Assertion Operations\n\n| Operation | Description |\n|----------------------------------------|----------------------------|\n| [absent](#absent) | Absent |\n| [and](#and) | And |\n| [contains](#contains) | Contains |\n| [does-not-contain](#does-not-contain) | Does Not Contain |\n| [ends-with](#ends-with) | Ends With |\n| [eq](#eq) | Equal |\n| [empty](#empty) | Empty |\n| [every](#every) | Every |\n| [has-properties](#has-properties) | Has Properties |\n| [in](#in) | In |\n| [is-array](#is-array) | Is Array |\n| [is-false](#is-false) | Is False |\n| [is-not-array](#is-not-array) | Is Not Array |\n| [is-true](#is-true) | Is True |\n| [ne](#ne) | Not equal |\n| [none](#none) | None |\n| [not](#not) | Not |\n| [not-contains](#does-not-contain) | Does Not Contain |\n| [not-empty](#not-empty) | Not Empty |\n| [not-in](#not-in) | Not In |\n| [exactly-one](#exactly-one) | Exactly One |\n| [or](#or) | Or |\n| [present](#present) | Present |\n| [regex](#regex) | Regex |\n| [starts-with](#starts-with) | Starts With |\n| [some](#some) | Some |\n| [xor](#xor) | Xor |\n| [is-subnet](#is-subnet) | Is Subnet |\n| [is-private-ip](#is-private-ip) | Is Private IP |\n| [exposed-hosts](#exposed-hosts) | Number of hosts exposed to |\n\n## eq\n\nEqual\n\n###Example:\n\n```\n...\n - id: VOLUME1\n resource: aws_ebs_volume\n message: EBS Volumes must be encrypted\n severity: FAILURE\n assertions:\n - key: encrypted\n op: eq\n value: true\n...\n```\n\n## ne\n\nNot Equal\n\nExample:\n```\n...\n - id: SG1\n resource: aws_security_group\n message: Security group should not allow ingress from 0.0.0.0/0\n severity: FAILURE\n assertions:\n - key: \"ingress[].cidr_blocks[] | [0]\"\n op: ne\n value: \"0.0.0.0/0\"\n...\n```\n\n## in\n\n In list of values\n\n### Example:\n\n```\n...\n - id: R1\n message: Instance type should be t2.micro or m3.medium\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value: t2.micro,m3.medium\n severity: WARNING\n...\n```\n\n## not-in\n\nNot in list of values\n\n## present\n\nAttribute is present\n\n###Example:\n\n```\n...\n - id: R6\n message: Department tag is required\n resource: aws_instance\n assertions:\n - key: \"tags[].Department | [0]\"\n op: present\n severity: FAILURE\n...\n```\n\n## absent\n\nAttribute is not present\n\n## empty\n\nAttribute is empty\n\n## not-empty\n\nAttribute is not empty\n\n## contains\n\nAttribute contains a substring, or array contains an element\n\n## does-not-contain\n\nAttribute does not contain a substring, or array does not contain an element\n\nYou can also use the 'not-contains' operator to do the same thing.\n\n## regex\n\nAttribute matches a regular expression\n\nSee [here](https://github.com/google/re2/wiki/Syntax) for regular expression syntax.\n\n## and\n\nLogical and of a list of assertions\n\n### Example:\n\n```\n...\n - id: ANDTEST\n resource: aws_instance\n message: Should have both Project and Department tags\n severity: WARNING\n assertions:\n - and:\n - key: \"tags[].Department | [0]\"\n op: present\n - key: \"tags[].Project | [0]\"\n op: present\n tags:\n - and-test\n...\n```\n\n## or\n\nLogical or of a list of assertions\n\n### Example:\n\n```\n...\n - id: ORTEST\n resource: aws_instance\n message: Should have instance_type of t2.micro or m3.medium\n severity: WARNING\n assertions:\n - or:\n - key: instance_type\n op: eq\n value: t2.micro\n - key: instance_type\n op: eq\n value: m3.medium\n...\n```\n\n## xor\n\nLogical xor of a list of assertions. The assertion is true when exactly one test passes\n\n### Example:\n\n```\n...\n - id: ORTEST\n resource: lint_rule\n message: Can have value or value_from, but not both\n severity: WARNING\n assertions:\n - xor:\n - key: value\n op: present\n - key: value_from\n op: present\n...\n```\n\n## not\n\nLogical not of an assertion\n\nExample:\n\n```\n...\n - id: NOTTEST\n resource: aws_instance\n message: Should not have instance type of c4.large\n severity: WARNING\n assertions:\n - not:\n - key: instance_type\n op: eq\n value: c4.large\n...\n```\n\n## has-properties\n\nChecks for the present of every property in a comma separated list. This could also be done using the [and](#and) expression,\nbut this will often be more convenient.\n\nExample:\n\n```\n...\n - id: VALID_ADDRESS\n message: Every address needs city, state and zip\n severity: FAILURE\n resource: address\n assertions:\n - key: address\n op: has-properties\n value: city,state,zip\n...\n```\n\n## every\n\nSelect an array from a resource, and run assertions against each element. All of the sub assertions must pass for the test to pass.\nThe key is a JMESPath expression that should return an array of objects. The key used in each sub assertion is relative to the selected objects.\n\nThis provides a simple looping mechanism that is easier to write and understand than a complex JMESPath expression.\n\nExample:\n\n```\n...\n - id: LOCATIONS_NEED_LAT_LONG\n message: Every location requires a latitude and longitude\n severity: FAILURE\n resource: sample\n assertions:\n - every:\n key: Location\n expressions:\n - key: latitude\n op: present\n - key: longitude\n op: present\n...\n```\n\n## some\n\nSelect an array from a resource, and run assertions against each element. At least one sub assertion must pass for the test to pass.\nThe key is a JMESPath expression that should return an array of objects. The key used in each sub assertion is relative to the selected objects.\n\nThis provides a simple looping mechanism that is easier to write and understand than a complex JMESPath expression.\n\nExample:\n\n```\n...\n - id: LOCATION_REQUIRES_LAT_LONG\n message: At least one location requires a latitude and longitude\n severity: FAILURE\n resource: sample\n assertions:\n - some:\n key: Location\n expressions:\n - key: latitude\n op: present\n - key: longitude\n op: present\n...\n```\n\n## none\n\nSelect an array from a resource, and run assertions against each element. All of the sub assertions must fail for the test to pass.\nThe key is a JMESPath expression that should return an array of objects. The key used in each sub assertion is relative to the selected objects.\n\nThis provides a simple looping mechanism that is easier to write and understand than a complex JMESPath expression.\n\nExample:\n\n```\n...\n - id: PORT_22_INGRESS\n message: No ingress for port 22 should be open to the world\n severity: FAILURE\n resource: sample\n assertions:\n - none:\n key: \"ipPermissions[]\"\n expressions:\n - key: \"fromPort\"\n op: eq\n value: 22\n value_type: integer\n - key: \"ipRanges[]\"\n op: contains\n value: 0.0.0.0/0\n...\n```\n\n## exactly-one\n\nSelect an array from a resource, and run assertions against each element. Only one of the sub assertions should return true for the test to pass.\nThe key is a JMESPath expression that should return an array of objects. The key used in each sub assertion is relative to the selected objects.\n\nThis provides a simple looping mechanism that is easier to write and understand than a complex JMESPath expression.\n\nExample:\n\n```\n - id: ONLY_ONE_DEFAULT\n message: Default should be true for only one element\n severity: FAILURE\n resource: sample\n assertions:\n - exactly-one:\n key: \"items[]\"\n expressions:\n - key: \"default\"\n op: is-true\n```\n\n## is-true\n\nCheck that the data has a true value. Shorthand for using { op: \"eq\" , \"value\": true }\n\nExample:\n\n```\n...\n - id: ENCRYPTION_TRUE\n message: Encryption should be true\n severity: FAILURE\n resource: ebs_volume\n assertions:\n - key: encrypted\n op: is-true\n...\n```\n\n## is-false\n\nCheck that the data has a false value. Shorthand for using { op: \"eq\" , \"value\": false }\n\nExample:\n\n```\n...\n - id: ALLOW_PUBLIC_ACCESS\n message: Should not allow public access\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: public_access\n op: is-false\n...\n```\n\n## starts-with\n\nCheck that a string value starts with a value\n\nExample:\n\n```\n...\n - id: NAME_PREFIX\n message: Name should have a certain prefix\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: name\n op: starts-with\n value: Foo\n...\n```\n\n## ends-with\n\nCheck that a string value ends with a value\n\nExample:\n\n```\n...\n - id: NAME_SUFFIX\n message: Name should have a certain suffix\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: name\n op: ends-with\n value: Resource\n...\n```\n\n## is-array\n\nCheck that an attribute is an array\n\nExample:\n\n```\n...\n - id: TAGS_ARRAY\n message: Tags should be an array\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: Tags[]\n op: is-array\n...\n```\n\n## is-not-array\n\nCheck that an attribute is not an array\n\nExample:\n\n```\n...\n - id: DESCRIPTION_NOT_AN_ARRAY\n message: Description should not be an array\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: Name\n op: is-not-array\n...\n```\n\n## is-subnet\n\nCheck whether a given IP or CIDR block is a subnet of a larger CIDR block\n\nExample:\n\n```\n...\n - id: IP_IN_SUPERNET\n message: All ip_address values should be in the 10.0.0.0/8 supernet\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: \"ip_address\"\n op: is-subnet\n value: \"10.0.0.0/8\"\n...\n```\n\n## is-private-ip\n\nCheck whether a given IP is in RFC1918 address space.\n\nExample:\n\n```\n...\n - id: IP_IN_PRIVATE_RANGE\n message: All ip_address values should be in private address space\n severity: FAILURE\n resource: some_resource\n assertions:\n - key: \"ip_address\"\n op: is-private-ip\n...\n```\n\n## max-host-count\n\nChecks how many hosts in a given CIDR range. This is useful for evaluating security group rules, for instance.\n\nExample:\n\n```\n...\n - id: MAX_HOSTS_EXPOSED_PER_RULE\n message: All security group rules must expose less than 1016 hosts\n severity: FAILURE\n resource: aws_security_group_rule\n assertions:\n - every:\n key: \"cidr_blocks\"\n expressions:\n - key: \"@\"\n op: max-host-count\n value: 1016\n...\n```\n"
},
{
"path": "docs/output.md",
"content": "# Output from config-lint\n\nThe program outputs a JSON string with the results. The JSON object has the following attributes:\n\n* FilesScanned - a list of the filenames evaluated\n* Violations - an object whose keys are the severity of any violations detected. The value for each key is an array with an entry for every violation of that severity.\n\n## Using -query to limit the output\n\nYou can limit the output by specifying a JMESPath expression for the -query command line option. For example, if you just wanted to see the ResourceId attribute for failed checks, you can do the following:\n\n```\n./config-lint -rules example-files/rules/terraform.yml -query 'Violations.FAILURE[].ResourceId' example-files/config/*\n```"
},
{
"path": "docs/profiles.md",
"content": "# Profiles\n\nYou can use a profile to control the default options.\n\nThe -profile command line option takes a filename which contains a set of default values for various command line options. If there is a file in the working directory called `config-lint.yml`, it will be loaded automatically. All values in the profile are optional, and are overriden by anything specified on the command line.\n\nAn example profile:\n\n```\n# A list of files containing rules for linting\nrules:\n - example-files/rules/generic-yaml.yml\n\n# A list of files to scan\nfiles:\n - example-files/config/*.config\n\n# An optional list of rules to check, the default is all rules\nids:\n - RULE_1\n - RULE_2\n\n# An optional list of tags used to select what rules to apply, the default is all rules\ntags:\n - s3\n\n# A list of resources and rules that should not be applied\n# This is useful if you want to turn off some rules for some resources, especially\n# when using built-in rules\n# (For custom rules files, you can use the Except attribute on a rule)\nexceptions:\n - RuleID: S3_BUCKET_ACL\n ResourceCategory: resource\n ResourceType: aws_s3_bucket\n ResourceID: simple_website\n Comments: This bucket hosts a public website\n```\n\n"
},
{
"path": "docs/rule_development.md",
"content": "# Developing rules for config-lint\n\n## Developing new rules using -search\n\nEach rule requires a JMESPath key that it will use to search resources. Documentation for JMESPATH is here: http://jmespath.org/\n\nThe expressions can be tricky to get right, so this tool provides a -search option which takes a JMESPath expression. The expression is evaluated against all the resources in the files provided on the command line. The results are written to stdout.\n\nThis example will scan the example terraform file and print the \"ami\" attribute for each resource:\n\n```\n./config-lint -rules example-files/rules/terraform.yml -search 'ami' example-files/config/terraform.tf\n```\n\nIf you specify -search, the rules files is only used to determine the type of configuration files.\nThe files will *not* be scanned for violations."
},
{
"path": "docs/rules.md",
"content": "# Rules File\n\nA YAML file that specifies what kinds of files to process, and what validations to perform.\n\n## Attributes for the Rule Set\n\n|Name |Description |\n|-----------|------------------------------------------------------------------------------------|\n|version |Currently ignored |\n|description|Text description for the file, not currently used |\n|type |Terraform, Terraform12, Kubernetes, SecurityGroups, AWSConfig |\n|files |Filenames must match one of these patterns to be processed by this set of rules |\n|rules |A list of rules, see next section |\n\n## Attributes for each Rule\n\nEach rule contains the following attributes:\n\n|Name |Description |\n|-----------------|------------------------------------------------------------------------------------|\n|id | A unique identifier for the rule |\n|message | A string to be printed when a validation error is detected |\n|resource | The resource type to which the rule will be applied |\n|resources | A list of resources types to which the rule will be applied |\n|except_resources | A list of resource types to exclude |\n|category | Optional value used for Terraform: resource(default), data, provider |\n|[conditions](conditions.md) | Expressions (in addition to resource) that determine if a rule should apply |\n|except | An optional list of resource ids that should not be validated |\n|severity | FAILURE, WARNING, NON_COMPLIANT |\n|assertions | A list of expressions used to detect validation errors, see next section |\n|invoke | Alternative to assertions for a custom external API call to validate, see below |\n|tags | Optional list of tags, command line has option to limit scans to a subset of tags |\n\n## Attributes for each Expression\n\nEach expression contains the following attributes:\n\n|Name |Description |\n|-----------|------------------------------------------------------------------------------------|\n|key | JMES path used to find data in a resource |\n|[op](operations.md) | Operation to perform on the data return. [See here for valid operations](operations.md) |\n|value | Literal value needed for most operations |\n|[value_from](value_from.md) | Endpoint for loading values dynamically [See here for dynamic values](value_from.md) |\n\n## Invoke external API for validation\n\n|Name | Description |\n|-----------|------------------------------------------------------------------------------------|\n|Url | HTTP endpoint to invoke |\n|Payload | Optional JMESPATH to use for payload, default is '@' |\n\n"
},
{
"path": "docs/running.md",
"content": "# Running config-lint\n\nThe program has a set of built-in rules for scanning the following types of files:\n\n* [Terraform](terraform.md)\n\nThe program can also read files from a separate YAML file, and can scan these types of files:\n\n* [Terraform](terraform.md)\n* Kubernetes\n* LintRules\n* YAML\n* JSON\n\n## Example invocations\n\n### Validate Terraform files with built-in rules\n\n```\nconfig-lint -terraform example-files/config\n```\n\n### Validate Terraform files with custom rules\n\n```\nconfig-lint -rules examples-files/rules/terraform.yml example-files/config\n```\n\n### Validate Kubernetes files\n\n```\nconfig-lint -rules example-files/rules/kubernetes.yml example-files/config\n```\n\n### Validate LintRules files\n\nThis type of linting allows the tool to lint its own rules.\n\n```\nconfig-lint -rules example-files/rules/lint-rules.yml example-files/rules\n```\n\n### Validate a custom YAML file\n\n```\nconfig-lint -rules example-files/rules/generic-yaml.yml example-files/config/generic.config\n```\n\n## Using STDIN\n\nYou can use \"-\" for the filename if you want the configuration data read from STDIN.\n\n```\ncat example-files/resources/s3.tf | config-lint -terraform -\n```\n\n## Exit Code\n\nIf at least one rule with a severity of FAILURE was triggered the exit code will be 1, otherwise it will be 0.\n\n## Options\n\nHere are all the different command line options that can be used with config-lint. You can also\nview them via the -help option.\n\n * -debug - Debug logging\n \t\n * -exclude value - Filename patterns to exclude\n \n * -exclude-from value - Filename containing patterns to exclude\n \n * -ids string - Run only the rules in this comma separated list\n \n * -ignore-ids string - Ignore the rules in this comma separated list\n \n * -profile string- Provide default options\n \n * -query string - JMESPath expression to query the results\n \n * -rules value - Rules file, can be specified multiple times\n \n * -search string - JMESPath expression to evaluation against the files\n \n * -tags string - Run only tests with tags in this comma separated list\n \n * -terraform - Use built-in rules for Terraform\n \n * -validate - Validate rules file\n \n * -var value - Variable values for rules with ValueFrom.Variable\n \n * -verbose - Output a verbose report\n \n * -version - Get program version\n \n * -tfparser - (Optional) Set the Terraform parser version. Options are `tf11` or `tf12`. By default, `tf12` will be used."
},
{
"path": "docs/sidebar.md",
"content": "\n\n- [home](/)\n- [installation guide](install.md 'Installation guide')\n- [running config-lint](running.md 'Running config-lint')\n- [profiles](profiles.md 'Profiles to specify default config-lint options')\n- [output](output.md 'Understanding the output from config-lint')\n- [example rules](example-rules.md 'Some examples of config-lint rules')\n- [design](design.md 'Overview of config-lint design')\n- [rule development](rule_development.md 'Rule development')\n- [rules](rules.md 'Structure of config-lint rules files')\n- [tests](tests.md 'Testing config-lint rules')\n- [terraform](terraform.md 'Terraform linting')\n- [yaml](yaml.md 'Parsing an abitrary YAML file')\n- [operations](operations.md 'Rule operations')\n- [conditions](conditions.md 'Rule conditions')\n- [value_from](value_from.md 'Using dynamic values')\n- [development](development.md 'config-lint development information')\n- [github workflow](github_workflow.md 'GitHub workflows')\n- [FAQ](faq.md 'Frequently asked questions')"
},
{
"path": "docs/terraform.md",
"content": "# Terraform Linting\n\n## Validate Terraform files with built-in rules\n\nThere is a set of [built-in rules](/cli/assets/terraform) that cover some best practices for AWS resources.\n\n```\nconfig-lint -terraform \n```\n\nIf you want to run most of the built-in rules, but not all, you can use a [profile](profiles.md) to exclude some rules or resources.\n\nThe Terraform12 parser is fully backwards compatible with previous versions of Terraform. By default, Terraform files will be validated with Terraform 0.12 standards. \n\nIf you wish to force a specific parser version, add the `-tfparser tf11|tf12` flag. This is useful if you have a lot of rules with `Type: Terraform` but your Terraform files include Terraform 12 syntax. \n\n## Custom Terraform rules for your project or organization\n\n```\nconfig-lint -rules \n```\n\nYou can specify the -rules option multiple times if you have multiple custom rule files. It is also possible to specify both the -terraform option as well as one or more -rules options, if you want the built-in rules as well as some custom rules.\n\n### Categories\n\nThe default category for resources that can be linter is \"resource\", which covers the most common use case. This is for things like aws_instances, or s3_buckets, etc. But all other block types are available for Terraform linting.\n\n* data\n* locals\n* module\n* output\n* provider\n* resource\n* terraform\n* variable\n\n### Rule Structure\n\nRules are divided into their respective resource directory starting under `assets/terraform`. Each rule is organized following the same tiered directory structure `{ Provider }} / {{ Major Family }} / {{ Resource Name }} / {{ Rule Name }} / rule.yml` where Major Family and Resource Name follow the same naming conventions defined by Terraform. For example, `cli/assets/terraform/aws/batch/batch_job_definition/container_properties_privileged/rule.yml`. The rule configuration itself must be named `rule.yml`.\n\n```\nāāā terraform\n āāā aws\n āĀ Ā āāā batch\n āĀ Ā āĀ Ā āāā batch_job_definition\n āĀ Ā āĀ Ā āāā container_properties_privileged\n āĀ Ā āĀ Ā āāā rule.yml\n āĀ Ā āĀ Ā āāā tests\n āĀ Ā āĀ Ā āāā terraform11\n āĀ Ā āĀ Ā āĀ Ā āāā container_properties_privileged.tf\n āĀ Ā āĀ Ā āāā terraform12\n āĀ Ā āĀ Ā āĀ Ā āāā container_properties_privileged.tf\n āĀ Ā āĀ Ā āāā test.yml\n ...\n```\n\n\n### Rule Example\n\n```yaml\n---\nversion: 1\ndescription: Check for tags in Terraform file\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: REQUIRED_TAGS\n message: \"A required tag is missing\"\n resources:\n - aws_s3_bucket\n - aws_instance\n assertions:\n - key: tags[0]\n op: has-properties\n value: environment,cost_center\n - id: VALID_ENVIRONMENT_TAG\n message: \"The environment tag is not valid\"\n resources:\n - aws_s3_bucket\n - aws_instance\n assertions:\n - key: tags[0].environment\n op: in\n value: dev,prod,stage\n - id: VALID_COST_CENTER_TAG\n message: \"Cost center must be a 4 digit number\"\n resources:\n - aws_s3_bucket\n - aws_instance\n assertions:\n - key: tags[0].cost_center\n op: regex\n value: \"^[0-9]{4}$\"\n```\n\n### Top level blocks\n\nConfig-lint mainly works on [block arguments and expressions](https://www.terraform.io/docs/configuration/index.html#arguments-blocks-and-expressions) level (the inner part of Terraform blocks), however top level block types and names could linted using `__type__` and `__name__` keys.\n\nHere is an example to follow [Terraform best practices](https://www.terraform.io/docs/extend/best-practices/naming.html) for naming:\n\n```yaml\n---\nversion: 1\ndescription: Make sure Terraform top level blocks follow best practices.\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: TF_RESOURCE_NAMING_CONVENTION\n message: \"Terraform resource block name should match the naming convention. Name should be: not more 64 chars, starts with letter, doesn't have dash, and ends with letter or number\"\n severity: FAILURE\n category: resource\n assertions:\n - key: __name__\n op: regex\n value: '^[a-z][a-z0-9_]{0,62}[a-z0-9]$'\n - id: TF_DATA_NAMING_CONVENTION\n message: \"Terraform data block name should match the naming convention. Name should be: not more 64 chars, starts with letter, doesn't have dash, and ends with letter or number\"\n severity: FAILURE\n category: data\n assertions:\n - key: __name__\n op: regex\n value: '^[a-z][a-z0-9_]{0,62}[a-z0-9]$'\n```\n\nAnother example, maybe you want to make sure there are no beta providers (e.g. [google-beta](https://www.terraform.io/docs/providers/google/guides/provider_versions.html#google-beta)) used in production:\n```yaml\nrules:\n - id: TF_PROVIDER_NO_BETA\n message: \"No beta feature providers should be used in production\"\n severity: FAILURE\n category: data\n assertions:\n - not:\n - key: __type__\n op: regex\n value: '.*?beta.*'\n```\n\n**Please note:**\n\nNot all blocks have `__type__` and `__name__` keys. It depends on the block itself. For example, `variable` blocks have name but not type.\n\nThere are 4 groups in that regard:\n* **Type and name:** data, resource.\n* **Type only:** provider.\n* **Name only:** module, output, variable.\n* **No type and no name:** locals, terraform (they are linted using normal keys defined within them).\n\n### Provider Example\n\nFor providers, set the category to \"provider\" and the resource attribute to the name of the provider.\n\n```yaml\n---\nversion: 1\ndescription: Terraform provider example\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: NO_SECRETS_IN_AWS_PROVIDER\n category: provider\n resource: aws\n assertions:\n - key: access_key\n op: absent\n - key: secret_key\n op: absent\n```\n\n### Module Example\n\nFor modules, use \"module\" for category, and for resource use the \"source\" attribute.\n\nThis allows checking of parameters being used when a module is referenced.\n\n\n```yaml\n---\nversion: 1\ndescription: Terraform module invocation example\ntype: Terraform\nfiles:\n - \"*.tf\"\nrules:\n - id: MODULE_EXAMPLE\n message:\n category: module\n resource: \"example/website\"\n assertions:\n - key: num_servers\n op: present\n```\n\n### Terraform 12 Example\n\nNote the `type: Terraform12` item below. Rules targeting templates with Terraform 12-specific features must use the Terraform12 type.\n\n```yaml\nversion: 1\ndescription: Rules for Terraform configuration files\ntype: Terraform12\nfiles:\n - \"*.tf\"\nrules:\n\n - id: CIDR_SET\n message: Testing\n resource: aws_security_group\n assertions:\n - every:\n key: \"ingress\"\n expressions:\n # this says that it either must be a private IP, or not have IP regex (eg sg string, interpolation)\n - every:\n key: cidr_blocks\n expressions:\n - key: \"@\"\n op: contains\n value: \"/24\"\n```\n\n### Evaluating Terraform 12 Dynamic Blocks\n\nDynamic blocks are a new feature introduced in Terraform 12 that enables users to dynamically construct repeatable nested blocks such as ingress rules in an AWS Security Group.\n\nWriting rules for dynamic blocks is a little tricky, as the structure that Terraform parses the .tf file into is different than you may expect.\n\nThis Terraform config will generate an `ingress` block for reach item in the `service_ports` list variable.\n```hcl-terraform\nvariable \"service_ports\" {\n default = [22, 80, 1433, 6379]\n}\n\nresource \"aws_security_group\" \"example\" {\n name = \"example\"\n\n dynamic \"ingress\" {\n for_each = var.service_ports\n content {\n from_port = ingress.value\n to_port = ingress.value\n protocol = \"tcp\"\n }\n }\n\n egress = \"-1\"\n}\n```\n\nThe following rule will result in an error if port 22 (SSH) is included as an ingress for the security group.\n\nThe JMESPATH expression refers to keys (\"dynamic\" and \"for_each\") that are generated by Terraform, rather than what is present in the configuration.\n\n```yaml\nversion: 1\ndescription: Rules for Terraform configuration files\ntype: Terraform12\nfiles:\n - \"dynamic_block.tf\"\nrules:\n - id: NO_SSH_ACCESS\n message: Testing\n resource: aws_security_group\n assertions:\n - key: \"dynamic[*].for_each[]\"\n op: not-contains\n value: 22\n```\n\n### Testing Builtin Rules\n\nAll rules need to be tested. All tests for a given rule will be included at the same rule path as the rule configuration itself and live under the `tests` folder. That test folder must include a configuration for the tests, named `test.yml`, and the resources required for testing. The test configuration file must follow the following format:\n\n```yaml\n---\nversion: 1\ndescription: Terraform 11 and 12 tests\ntype: Terraform\nfiles:\n - \"*.tf\"\n - \"*.tfvars\"\ntests:\n -\n ruleId: RULE_1_TO_BE_TESTED\n warnings: 0\n failures: 2\n tags:\n - \"terraform11\"\n - \"terraform12\"\n -\n ruleId: RULE_2_TO_BE_TESTED\n warnings: 2\n failures: 0\n tags:\n - \"terraform11\"\n -\n ruleId: RULE_2_TO_BE_TESTED\n warnings: 3\n failures: 0\n tags:\n - \"terraform12\"\n```\n\nThe `ruleId` must match the RuleID given in the rule configuration. Warnings or Failures will check against any resource files included under the named `tag` directory within the same tests directory. For example `RULE_1_TO_BE_TESTED` will run the rule against resources in both folders terraform11 and terraform12 and check for the same number of warnings and failures for both. Whereas `RULE_2_TO_BE_TESTED` will check for a different number of warnings for the two versions.\n"
},
{
"path": "docs/tests.md",
"content": "# Tests\n\nYou can run the project tests by invoking the correct make command:\n\n* `make test` -> Runs all tests residing inside the config-lint project\n* `make testtf` -> Runs all tests defined within the `TestTerraformBuiltInRules` test function. This runs against terraform 0.11 first and then against terraform 0.12\n\n## Testing Best Practices\n\nIt is best practice to always come up with **at least 2** scenarios for each test (ideally more if applicable). You want a test case that will *pass* and a test case that will *fail*. This covers the bare minimum to ensure that a rule and test case are working as expected.\n\n## Terraform\n\nTerraform rules have their own set of tests that you can use to verify that a new rule or configuration is working as expected. As noted above, the `make testtf` command will run the tests defined within the `TestTerraformBuiltInRules` test function.\n\n### Creating Terraform Tests\n\nTo create a new test to validate a Terraform built in rule you need to do the following:\n* Add test case inside `TestTerraformBuiltInRules` function in the `cli/builtin_terraform_test.go` file.\n * Example: `{\"aws/security_group/world_ingress.tf\", \"SG_WORLD_INGRESS\", 2, 0},` will run the `SG_WORLD_INGRESS` rule against the contents of the `cli/testdata/builtin/terraform/aws/security_group/world_ingress.tf` file. It is expecting there to be **2** *Warnings* and **0** *Failures*\n * The test must follow the `struct` format for `BuiltInTestCase`\n\n ``` go\n type BuiltInTestCase struct {\n\tFilename string\n\tRuleID string\n\tWarningCount int\n\tFailureCount int\n }\n ```\n\n * This test case must match a valid Rule `id` from within the `cli/assets/terraform.yml` file.\n"
},
{
"path": "docs/value_from.md",
"content": "# Dynamic Value\n\nIn cases where a rule needs a dynamic value, instead of specifying \"value\", \"value_from\" can be used instead. This allows an external source, such as an S3 object, or an HTTP endpoint to provider the values. Or the value can be provided on the command line when config-lint is invoked.\n\n\n## Using an S3 Bucket\n\n\n### Example:\n\n```\n...\n - id: VALUE_FROM_S3\n message: Instance type should be in list from S3 object\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value_from:\n url: s3://my-bucket/allowed-instance-types\n...\n```\n\n## Using an HTTP endpoint\n\n### Example:\n\n```\n...\n - id: VALUE_FROM_HTTPS\n message: Instance type should be in list from https endpoint\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value_from:\n url: https://my-api-endpoint/dev/instance_types\n...\n```\n\n## Using a command line variable\n\n### Example:\n\n```\n...\n - id: VALUE_FROM_COMMAND_LINE\n message: Instance type should be in list from https endpoint\n resource: aws_instance\n assertions:\n - key: instance_type\n op: in\n value_from:\n variable: instance_types\n...\n```\n\nWhen invoking the config-lint, include the -var option, as in this example:\n\n```\nconfig-lint -rules -var \"instance_types=t2.small,c3.medium\" \n```\n"
},
{
"path": "docs/yaml.md",
"content": "# Parsing an Arbitrary YAML file\n\nSet the Type to YAML, and provide a `resources` section to describe how to discover the resources in a YAML file.\nThe other parsers have code that expects a specific file format, and it converts those into a collection of\nresource objects that will be linted.\n\nFor arbitrary YAML files, the resources describes how resources should be loaded. Each resources has these attributes:\n\n* type: identifies the type of resource. Rules with a matching `resource` will be applied to these resources.\n* key: JMESPath expression that should return an array of objects from the YAML file.\n* id: a JMESPATH expression applied to each resource to extract its unique identifier.\n\nThe rules section works the same as in any other linter.\n\nExample:\n\n```\nversion: 1\ndescription: Rules for generic YAML file\ntype: YAML\nfiles:\n - \"*.config\"\n\n# For generic YAML linting, we need a list of resources\n# Each entry in the list describes the resource type, how to discover it in the file, and how to get its ID\n# The key attribute is a JMESPath expression that should return an array\n\nresources:\n - type: widget\n key: widgets[]\n id: id\n - type: gadget\n key: gadgets[]\n id: name\n - type: contraption\n key: other_stuff.contraptions[]\n id: ids.serial_number\n # include the root document in a single element array with a literal id\n - type: document\n key: '[@]'\n id: '`\"Document\"`'\n\nrules:\n\n - id: DOCUMENT_KEYS\n message: Unexpected document key\n severity: FAILURE\n resource: document\n assertions:\n - every:\n key: \"keys(@)\"\n assertions:\n - key: \"@\"\n op: in\n value: widgets,gadgets,other_stuff\n\n - id: WIDGET_NAME\n message: Widget needs a name\n severity: FAILURE\n resource: widget\n assertions:\n - key: name\n op: present\n\n - id: GADGET_COLOR\n message: Gadget has missing or invalid color\n severity: FAILURE\n resource: gadget\n assertions:\n - key: color\n op: in\n value: red,blue,green\n\n - id: GADGET_PROPERTIES\n message: Gadget has missing properties\n severity: FAILURE\n resource: gadget\n assertions:\n - key: \"@\"\n op: has-properties\n value: name,color\n\n - id: CONTRAPTION_SIZE\n message: Contraption size should be less than 1000\n resource: contraption\n severity: FAILURE\n assertions:\n - key: size\n op: lt\n value: 1000\n value_type: integer\n\n - id: CONTRAPTION_LOCATIONS\n message: Contraption location must have city\n resource: contraption\n severity: FAILURE\n assertions:\n - every:\n key: locations\n assertions:\n - key: city\n op: present\n```\n\nThere is an example file [here](example-files/config/generic.config) that this rule file can scan.\n"
},
{
"path": "example-files/config/cloudfront.tf",
"content": "resource \"aws_s3_bucket\" \"b\" {\n bucket = \"mybucket\"\n acl = \"private\"\n\n tags {\n Name = \"My bucket\"\n }\n}\n\nresource \"aws_cloudfront_distribution\" \"s3_distribution\" {\n origin {\n domain_name = \"${aws_s3_bucket.b.bucket_domain_name}\"\n origin_id = \"myS3Origin\"\n\n s3_origin_config {\n origin_access_identity = \"origin-access-identity/cloudfront/ABCDEFG1234567\"\n }\n }\n\n enabled = true\n is_ipv6_enabled = true\n comment = \"Some comment\"\n default_root_object = \"index.html\"\n\n logging_config {\n include_cookies = false\n bucket = \"mylogs.s3.amazonaws.com\"\n prefix = \"myprefix\"\n }\n\n aliases = [\"mysite.example.com\", \"yoursite.example.com\"]\n\n default_cache_behavior {\n allowed_methods = [\"DELETE\", \"GET\", \"HEAD\", \"OPTIONS\", \"PATCH\", \"POST\", \"PUT\"]\n cached_methods = [\"GET\", \"HEAD\"]\n target_origin_id = \"myS3Origin\"\n\n forwarded_values {\n query_string = false\n\n cookies {\n forward = \"none\"\n }\n }\n\n viewer_protocol_policy = \"allow-all\"\n min_ttl = 0\n default_ttl = 3600\n max_ttl = 86400\n }\n\n price_class = \"PriceClass_200\"\n\n restrictions {\n geo_restriction {\n restriction_type = \"whitelist\"\n locations = [\"US\", \"CA\", \"GB\", \"DE\"]\n }\n }\n\n tags {\n Environment = \"production\"\n }\n\n viewer_certificate {\n cloudfront_default_certificate = true\n }\n}\n"
},
{
"path": "example-files/config/elb.tf",
"content": "resource \"aws_elb\" \"bar\" {\n name = \"foobar-terraform-elb\"\n availability_zones = [\"us-west-2a\", \"us-west-2b\", \"us-west-2c\"]\n\n access_logs {\n bucket = \"foo\"\n bucket_prefix = \"bar\"\n interval = 60\n }\n\n listener {\n instance_port = 8000\n instance_protocol = \"http\"\n lb_port = 80\n lb_protocol = \"http\"\n }\n\n listener {\n instance_port = 8000\n instance_protocol = \"http\"\n lb_port = 443\n lb_protocol = \"https\"\n ssl_certificate_id = \"arn:aws:iam::123456789012:server-certificate/certName\"\n }\n\n health_check {\n healthy_threshold = 2\n unhealthy_threshold = 2\n timeout = 3\n target = \"HTTP:8000/\"\n interval = 30\n }\n\n instances = [\"${aws_instance.foo.id}\"]\n cross_zone_load_balancing = true\n idle_timeout = 400\n connection_draining = true\n connection_draining_timeout = 400\n\n tags {\n Name = \"foobar-terraform-elb\"\n }\n}\n\nresource \"aws_elb\" \"elb_no_access_logs\" {\n name = \"foobar-terraform-elb\"\n availability_zones = [\"us-west-2a\", \"us-west-2b\", \"us-west-2c\"]\n\n listener {\n instance_port = 8000\n instance_protocol = \"http\"\n lb_port = 80\n lb_protocol = \"http\"\n }\n\n listener {\n instance_port = 8000\n instance_protocol = \"http\"\n lb_port = 443\n lb_protocol = \"https\"\n ssl_certificate_id = \"arn:aws:iam::123456789012:server-certificate/certName\"\n }\n\n health_check {\n healthy_threshold = 2\n unhealthy_threshold = 2\n timeout = 3\n target = \"HTTP:8000/\"\n interval = 30\n }\n\n instances = [\"${aws_instance.foo.id}\"]\n cross_zone_load_balancing = true\n idle_timeout = 400\n connection_draining = true\n connection_draining_timeout = 400\n\n tags {\n Name = \"foobar-terraform-elb\"\n }\n}\n\n"
},
{
"path": "example-files/config/generic.config",
"content": "#\nwidgets:\n - id: W1\n name: Foo\n - id: W2\n name: Bar\n - id: W3\n key: Baz\n\ngadgets:\n - name: first_gadget\n color: red\n - name: second_gadget\n color: blue\n - name: third_gadget\n color: green\n - name: fourth_gadget\n color: yellow\n\nother_stuff:\n contraptions:\n - ids:\n serial_number: S1000\n sku: S1234\n size: 10\n locations:\n - city: Seattle\n - city: San Francisco\n - ids:\n serial_number: S2000\n sku: S5678\n size: 20\n locations:\n - city: New York\n - ids:\n serial_number: S3000\n sku: S0101\n size: 4000\n locations:\n - city: Paris\n - city: Munich\n - city: Florence\n"
},
{
"path": "example-files/config/iam.tf",
"content": "resource \"aws_iam_role\" \"iam_role_1\" {\n name = \"iam_role_1\"\n assume_role_policy = < 0 {\n\t\tresourcePos := resourceItems[0].Val.Pos()\n\t\tassertion.Debugf(\"Position %s %s:%d\\n\", resourceID, filename, resourcePos.Line)\n\t\treturn resourcePos.Line\n\t}\n\treturn 0\n}\n\n// Load parses an HCL file into a collection or Resource objects\nfunc (l TerraformResourceLoader) Load(filename string) (FileResources, error) {\n\tloaded := FileResources{\n\t\tResources: []assertion.Resource{},\n\t}\n\tresult, err := loadHCL(filename)\n\tif err != nil {\n\t\treturn loaded, err\n\t}\n\tloaded.Variables = result.Variables\n\tloaded.Resources = append(loaded.Resources, getResources(filename, result.AST, result.Resources, \"resource\")...)\n\tloaded.Resources = append(loaded.Resources, getResources(filename, result.AST, result.Data, \"data\")...)\n\tloaded.Resources = append(loaded.Resources, getResources(filename, result.AST, addIDToProviders(result.Providers), \"provider\")...)\n\tloaded.Resources = append(loaded.Resources, getResources(filename, result.AST, addKeyToModules(result.Modules), \"module\")...)\n\n\tassertion.DebugJSON(\"loaded.Resources\", loaded.Resources)\n\n\treturn loaded, nil\n}\n\n// Providers do not have an name, so generate one to make the data format the same as resources\n\nfunc addIDToProviders(providers []interface{}) []interface{} {\n\tresources := []interface{}{}\n\tfor _, provider := range providers {\n\t\tresources = append(resources, addIDToProvider(provider))\n\t}\n\treturn resources\n}\n\nfunc addIDToProvider(provider interface{}) interface{} {\n\tm := provider.(map[string]interface{})\n\tfor providerType, value := range m {\n\t\tm[providerType] = addIDToProviderValue(value)\n\t}\n\treturn m\n}\n\n// Counter used to generate an ID for providers\nvar Counter = 0\n\nfunc addIDToProviderValue(value interface{}) interface{} {\n\tCounter++\n\tm := map[string]interface{}{}\n\tkey := fmt.Sprintf(\"%d\", Counter)\n\tm[key] = value\n\treturn []interface{}{m}\n}\n\n// use the source attribute of modules as the key\nfunc addKeyToModules(modules []interface{}) []interface{} {\n\tresources := map[string]interface{}{}\n\tfor _, module := range modules {\n\t\tresources = addKeyToModule(resources, module)\n\t}\n\treturn []interface{}{resources}\n}\n\nfunc addKeyToModule(resources map[string]interface{}, module interface{}) map[string]interface{} {\n\tm := module.(map[string]interface{})\n\tfor moduleName, valueList := range m {\n\t\ta := valueList.([]interface{})\n\t\tfor _, value := range a {\n\t\t\tproperties := value.(map[string]interface{})\n\t\t\tsource := properties[\"source\"].(string)\n\n\t\t\tinner := []interface{}{properties}\n\n\t\t\touter := map[string]interface{}{}\n\t\t\touter[moduleName] = inner\n\n\t\t\texisting, ok := resources[source]\n\t\t\tif ok {\n\t\t\t\tlist := existing.([]interface{})\n\t\t\t\tresources[source] = append(list, outer)\n\t\t\t} else {\n\t\t\t\tresources[source] = []interface{}{outer}\n\t\t\t}\n\t\t}\n\t}\n\treturn resources\n}\n\nfunc getResources(filename string, ast *ast.File, objects []interface{}, category string) []assertion.Resource {\n\tresources := []assertion.Resource{}\n\tfor _, resource := range objects {\n\t\tfor resourceType, templateResources := range resource.(map[string]interface{}) {\n\t\t\tif templateResources != nil {\n\t\t\t\tfor _, templateResource := range templateResources.([]interface{}) {\n\t\t\t\t\tfor resourceID, templateResource := range templateResource.(map[string]interface{}) {\n\t\t\t\t\t\tproperties := getProperties(templateResource)\n\t\t\t\t\t\tlineNumber := getResourceLineNumber(resourceType, resourceID, filename, ast)\n\t\t\t\t\t\t// Expose block ID so it could be linted e.g.\n\t\t\t\t\t\t// resource \"aws_s3_bucket\" \"web\" { ... }\n\t\t\t\t\t\t// The block name/id here is \"web\".\n\t\t\t\t\t\tproperties[\"__name__\"] = resourceID\n\t\t\t\t\t\tproperties[\"__file__\"] = filename\n\t\t\t\t\t\tproperties[\"__dir__\"] = filepath.Dir(filename)\n\t\t\t\t\t\ttr := assertion.Resource{\n\t\t\t\t\t\t\tID: resourceID,\n\t\t\t\t\t\t\tType: resourceType,\n\t\t\t\t\t\t\tCategory: category,\n\t\t\t\t\t\t\tProperties: properties,\n\t\t\t\t\t\t\tFilename: filename,\n\t\t\t\t\t\t\tLineNumber: lineNumber,\n\t\t\t\t\t\t}\n\t\t\t\t\t\tresources = append(resources, tr)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t}\n\treturn resources\n}\n\n// PostLoad resolves variable expressions\nfunc (l TerraformResourceLoader) PostLoad(fr FileResources) ([]assertion.Resource, error) {\n\tfor _, resource := range fr.Resources {\n\t\tresource.Properties = replaceVariables(resource.Properties, fr.Variables)\n\t}\n\tfor _, resource := range fr.Resources {\n\t\tproperties, err := parseJSONDocuments(resource.Properties)\n\t\tif err != nil {\n\t\t\treturn fr.Resources, err\n\t\t}\n\t\tresource.Properties = properties\n\t}\n\treturn fr.Resources, nil\n}\n\nfunc replaceVariables(templateResource interface{}, variables []Variable) interface{} {\n\tswitch v := templateResource.(type) {\n\tcase map[string]interface{}:\n\t\treturn replaceVariablesInMap(v, variables)\n\tcase string:\n\t\treturn interpolate(v, variables)\n\tdefault:\n\t\tassertion.Debugf(\"replaceVariables cannot process type %T: %v\\n\", v, v)\n\t\treturn templateResource\n\t}\n}\n\nfunc replaceVariablesInMap(templateResource map[string]interface{}, variables []Variable) interface{} {\n\tfor key, value := range templateResource {\n\t\tswitch v := value.(type) {\n\t\tcase string:\n\t\t\ttemplateResource[key] = interpolate(v, variables)\n\t\tcase map[string]interface{}:\n\t\t\ttemplateResource[key] = replaceVariablesInMap(v, variables)\n\t\tcase []interface{}:\n\t\t\ttemplateResource[key] = replaceVariablesInList(v, variables)\n\t\tdefault:\n\t\t\tassertion.Debugf(\"replaceVariablesInMap cannot process type %T\\n\", v)\n\t\t}\n\t}\n\treturn templateResource\n}\n\nfunc replaceVariablesInList(list []interface{}, variables []Variable) []interface{} {\n\tresult := []interface{}{}\n\tfor _, e := range list {\n\t\tresult = append(result, replaceVariables(e, variables))\n\t}\n\treturn result\n}\n\nfunc parseJSONDocuments(resource interface{}) (interface{}, error) {\n\tproperties := resource.(map[string]interface{})\n\tfor _, attribute := range []string{\"assume_role_policy\", \"policy\", \"container_definitions\", \"access_policies\", \"access_policy\", \"container_properties\"} {\n\t\tif policyAttribute, hasPolicyString := properties[attribute]; hasPolicyString {\n\t\t\tif policyString, isString := policyAttribute.(string); isString {\n\t\t\t\tvar policy interface{}\n\t\t\t\tif policyString != \"\" && policyString != \"UNDEFINED\" {\n\t\t\t\t\terr := json.Unmarshal([]byte(policyString), &policy)\n\t\t\t\t\tif err != nil {\n\t\t\t\t\t\tassertion.Debugf(\"Unable to parse '%s' as JSON\\n\", policyString)\n\t\t\t\t\t\tassertion.Debugf(\"Error: %v\\n\", err)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t\tproperties[attribute] = policy\n\t\t\t}\n\t\t}\n\t}\n\treturn properties, nil\n}\n\nfunc getProperties(templateResource interface{}) map[string]interface{} {\n\tswitch v := templateResource.(type) {\n\tcase []interface{}:\n\t\treturn v[0].(map[string]interface{})\n\tdefault:\n\t\treturn map[string]interface{}{}\n\t}\n}\n"
},
{
"path": "linter/terraform_interpolate.go",
"content": "package linter\n\nimport (\n\t\"fmt\"\n\t\"github.com/hashicorp/hil\"\n\t\"github.com/hashicorp/hil/ast\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"io/ioutil\"\n\t\"regexp\"\n\t\"strconv\"\n\t\"strings\"\n)\n\nfunc makeList(variables []interface{}) []ast.Variable {\n\tlist := []ast.Variable{}\n\tfor _, v := range variables {\n\t\tlist = append(list, makeVar(v))\n\t}\n\treturn list\n}\n\nfunc makeMap(m map[string]interface{}) map[string]ast.Variable {\n\tresult := map[string]ast.Variable{}\n\tfor k, v := range m {\n\t\tif stringValue, ok := v.(string); ok {\n\t\t\tresult[k] = ast.Variable{Type: ast.TypeString, Value: stringValue}\n\t\t}\n\t}\n\treturn result\n}\n\nfunc makeVar(v interface{}) ast.Variable {\n\tswitch tv := v.(type) {\n\tcase string:\n\t\treturn ast.Variable{\n\t\t\tType: ast.TypeString,\n\t\t\tValue: tv,\n\t\t}\n\tcase []interface{}:\n\t\treturn ast.Variable{\n\t\t\tType: ast.TypeList,\n\t\t\tValue: makeList(tv),\n\t\t}\n\tcase map[string]interface{}:\n\t\tm := ast.Variable{\n\t\t\tType: ast.TypeMap,\n\t\t\tValue: makeMap(tv),\n\t\t}\n\t\treturn m\n\tdefault:\n\t\treturn ast.Variable{\n\t\t\tType: ast.TypeString,\n\t\t\tValue: \"\",\n\t\t}\n\t}\n}\n\nfunc makeVarMap(variables []Variable) map[string]ast.Variable {\n\tm := map[string]ast.Variable{}\n\tfor _, v := range variables {\n\t\tm[v.Name] = makeVar(v.Value)\n\t}\n\treturn m\n}\n\nfunc interpolationFuncFile() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeString},\n\t\tReturnType: ast.TypeString,\n\t\tVariadic: false,\n\t\tCallback: func(inputs []interface{}) (interface{}, error) {\n\t\t\tb, err := ioutil.ReadFile(inputs[0].(string))\n\t\t\tif err != nil {\n\t\t\t\treturn \"\", nil\n\t\t\t}\n\t\t\treturn strings.TrimSpace(string(b)), nil\n\t\t},\n\t}\n}\n\n// The following functions are copied or adapted\n// from https://github.com/hashicorp/terraform/blob/master/config/interpolate_funcs.go\n\n// interpolationFuncLookup implements the \"lookup\" function that allows\n// dynamic lookups of map types within a Terraform configuration.\nfunc interpolationFuncLookup() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeMap, ast.TypeString},\n\t\tReturnType: ast.TypeString,\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeString,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tdefaultValue := \"\"\n\t\t\tdefaultValueSet := false\n\t\t\tif len(args) > 2 {\n\t\t\t\tdefaultValue = args[2].(string)\n\t\t\t\tdefaultValueSet = true\n\t\t\t}\n\t\t\tif len(args) > 3 {\n\t\t\t\treturn \"\", fmt.Errorf(\"lookup() takes no more than three arguments\")\n\t\t\t}\n\t\t\tindex := args[1].(string)\n\t\t\tmapVar := args[0].(map[string]ast.Variable)\n\n\t\t\tv, ok := mapVar[index]\n\t\t\tif !ok {\n\t\t\t\tif defaultValueSet {\n\t\t\t\t\treturn defaultValue, nil\n\t\t\t\t} else {\n\t\t\t\t\treturn \"\", fmt.Errorf(\n\t\t\t\t\t\t\"lookup failed to find '%s'\",\n\t\t\t\t\t\targs[1].(string))\n\t\t\t\t}\n\t\t\t}\n\t\t\tif v.Type != ast.TypeString {\n\t\t\t\treturn nil, fmt.Errorf(\n\t\t\t\t\t\"lookup() may only be used with flat maps, this map contains elements of %s\",\n\t\t\t\t\tv.Type.Printable())\n\t\t\t}\n\n\t\t\treturn v.Value.(string), nil\n\t\t},\n\t}\n}\n\n// interpolationFuncJoin implements the \"join\" function that allows\n// multi-variable values to be joined by some character.\nfunc interpolationFuncJoin() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeString},\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeList,\n\t\tReturnType: ast.TypeString,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tvar list []string\n\n\t\t\tif len(args) < 2 {\n\t\t\t\treturn nil, fmt.Errorf(\"not enough arguments to join()\")\n\t\t\t}\n\n\t\t\tfor _, arg := range args[1:] {\n\t\t\t\tfor _, part := range arg.([]ast.Variable) {\n\t\t\t\t\tif part.Type != ast.TypeString {\n\t\t\t\t\t\treturn nil, fmt.Errorf(\n\t\t\t\t\t\t\t\"only works on flat lists, this list contains elements of %s\",\n\t\t\t\t\t\t\tpart.Type.Printable())\n\t\t\t\t\t}\n\t\t\t\t\tlist = append(list, part.Value.(string))\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn strings.Join(list, args[0].(string)), nil\n\t\t},\n\t}\n}\n\n// interpolationFuncConcat implements the \"concat\" function that concatenates\n// multiple lists.\nfunc interpolationFuncConcat() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeList},\n\t\tReturnType: ast.TypeList,\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeList,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tvar outputList []ast.Variable\n\n\t\t\tfor _, arg := range args {\n\t\t\t\tfor _, v := range arg.([]ast.Variable) {\n\t\t\t\t\tswitch v.Type {\n\t\t\t\t\tcase ast.TypeString:\n\t\t\t\t\t\toutputList = append(outputList, v)\n\t\t\t\t\tcase ast.TypeList:\n\t\t\t\t\t\toutputList = append(outputList, v)\n\t\t\t\t\tcase ast.TypeMap:\n\t\t\t\t\t\toutputList = append(outputList, v)\n\t\t\t\t\tdefault:\n\t\t\t\t\t\treturn nil, fmt.Errorf(\"concat() does not support lists of %s\", v.Type.Printable())\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// we don't support heterogeneous types, so make sure all types match the first\n\t\t\tif len(outputList) > 0 {\n\t\t\t\tfirstType := outputList[0].Type\n\t\t\t\tfor _, v := range outputList[1:] {\n\t\t\t\t\tif v.Type != firstType {\n\t\t\t\t\t\treturn nil, fmt.Errorf(\"unexpected %s in list of %s\", v.Type.Printable(), firstType.Printable())\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn outputList, nil\n\t\t},\n\t}\n}\n\n// interpolationFuncFormat implements the \"format\" function that does\n// string formatting.\nfunc interpolationFuncFormat() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeString},\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeAny,\n\t\tReturnType: ast.TypeString,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tformat := args[0].(string)\n\t\t\treturn fmt.Sprintf(format, args[1:]...), nil\n\t\t},\n\t}\n}\n\n// interpolationFuncList creates a list from the parameters passed\n// to it.\nfunc interpolationFuncList() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{},\n\t\tReturnType: ast.TypeList,\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeAny,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tvar outputList []ast.Variable\n\n\t\t\tfor i, val := range args {\n\t\t\t\tswitch v := val.(type) {\n\t\t\t\tcase string:\n\t\t\t\t\toutputList = append(outputList, ast.Variable{Type: ast.TypeString, Value: v})\n\t\t\t\tcase []ast.Variable:\n\t\t\t\t\toutputList = append(outputList, ast.Variable{Type: ast.TypeList, Value: v})\n\t\t\t\tcase map[string]ast.Variable:\n\t\t\t\t\toutputList = append(outputList, ast.Variable{Type: ast.TypeMap, Value: v})\n\t\t\t\tdefault:\n\t\t\t\t\treturn nil, fmt.Errorf(\"unexpected type %T for argument %d in list\", v, i)\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// we don't support heterogeneous types, so make sure all types match the first\n\t\t\tif len(outputList) > 0 {\n\t\t\t\tfirstType := outputList[0].Type\n\t\t\t\tfor i, v := range outputList[1:] {\n\t\t\t\t\tif v.Type != firstType {\n\t\t\t\t\t\treturn nil, fmt.Errorf(\"unexpected type %s for argument %d in list\", v.Type, i+1)\n\t\t\t\t\t}\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn outputList, nil\n\t\t},\n\t}\n}\n\n// interpolationFuncReplace implements the \"replace\" function that does\n// string replacement.\nfunc interpolationFuncReplace() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeString, ast.TypeString, ast.TypeString},\n\t\tReturnType: ast.TypeString,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\ts := args[0].(string)\n\t\t\tsearch := args[1].(string)\n\t\t\treplace := args[2].(string)\n\n\t\t\t// We search/replace using a regexp if the string is surrounded\n\t\t\t// in forward slashes.\n\t\t\tif len(search) > 1 && search[0] == '/' && search[len(search)-1] == '/' {\n\t\t\t\tre, err := regexp.Compile(search[1 : len(search)-1])\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\n\t\t\t\treturn re.ReplaceAllString(s, replace), nil\n\t\t\t}\n\n\t\t\treturn strings.Replace(s, search, replace, -1), nil\n\t\t},\n\t}\n}\n\n// interpolationFuncElement implements the \"element\" function that allows\n// a specific index to be looked up in a multi-variable value. Note that this will\n// wrap if the index is larger than the number of elements in the multi-variable value.\nfunc interpolationFuncElement() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeList, ast.TypeString},\n\t\tReturnType: ast.TypeString,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\tlist := args[0].([]ast.Variable)\n\t\t\tif len(list) == 0 {\n\t\t\t\treturn nil, fmt.Errorf(\"element() may not be used with an empty list\")\n\t\t\t}\n\n\t\t\tindex, err := strconv.Atoi(args[1].(string))\n\t\t\tif err != nil || index < 0 {\n\t\t\t\treturn \"\", fmt.Errorf(\n\t\t\t\t\t\"invalid number for index, got %s\", args[1])\n\t\t\t}\n\n\t\t\tresolvedIndex := index % len(list)\n\n\t\t\tv := list[resolvedIndex]\n\t\t\tif v.Type != ast.TypeString {\n\t\t\t\treturn nil, fmt.Errorf(\n\t\t\t\t\t\"element() may only be used with flat lists, this list contains elements of %s\",\n\t\t\t\t\tv.Type.Printable())\n\t\t\t}\n\t\t\treturn v.Value, nil\n\t\t},\n\t}\n}\n\n// interpolationFuncMap creates a map from the parameters passed\n// to it.\nfunc interpolationFuncMap() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{},\n\t\tReturnType: ast.TypeMap,\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeAny,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\toutputMap := make(map[string]ast.Variable)\n\n\t\t\tif len(args)%2 != 0 {\n\t\t\t\treturn nil, fmt.Errorf(\"requires an even number of arguments, got %d\", len(args))\n\t\t\t}\n\n\t\t\tvar firstType *ast.Type\n\t\t\tfor i := 0; i < len(args); i += 2 {\n\t\t\t\tkey, ok := args[i].(string)\n\t\t\t\tif !ok {\n\t\t\t\t\treturn nil, fmt.Errorf(\"argument %d represents a key, so it must be a string\", i+1)\n\t\t\t\t}\n\t\t\t\tval := args[i+1]\n\t\t\t\tvariable, err := hil.InterfaceToVariable(val)\n\t\t\t\tif err != nil {\n\t\t\t\t\treturn nil, err\n\t\t\t\t}\n\t\t\t\t// Enforce map type homogeneity\n\t\t\t\tif firstType == nil {\n\t\t\t\t\tfirstType = &variable.Type\n\t\t\t\t} else if variable.Type != *firstType {\n\t\t\t\t\treturn nil, fmt.Errorf(\"all map values must have the same type, got %s then %s\", firstType.Printable(), variable.Type.Printable())\n\t\t\t\t}\n\t\t\t\t// Check for duplicate keys\n\t\t\t\tif _, ok := outputMap[key]; ok {\n\t\t\t\t\treturn nil, fmt.Errorf(\"argument %d is a duplicate key: %q\", i+1, key)\n\t\t\t\t}\n\t\t\t\toutputMap[key] = variable\n\t\t\t}\n\n\t\t\treturn outputMap, nil\n\t\t},\n\t}\n}\n\nfunc interpolationFuncMerge() ast.Function {\n\treturn ast.Function{\n\t\tArgTypes: []ast.Type{ast.TypeMap},\n\t\tReturnType: ast.TypeMap,\n\t\tVariadic: true,\n\t\tVariadicType: ast.TypeMap,\n\t\tCallback: func(args []interface{}) (interface{}, error) {\n\t\t\toutputMap := make(map[string]ast.Variable)\n\n\t\t\tfor _, arg := range args {\n\t\t\t\tfor k, v := range arg.(map[string]ast.Variable) {\n\t\t\t\t\toutputMap[k] = v\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn outputMap, nil\n\t\t},\n\t}\n}\n\nfunc Funcs() map[string]ast.Function {\n\treturn map[string]ast.Function{\n\t\t\"concat\": interpolationFuncConcat(),\n\t\t\"element\": interpolationFuncElement(),\n\t\t\"file\": interpolationFuncFile(),\n\t\t\"format\": interpolationFuncFormat(),\n\t\t\"join\": interpolationFuncJoin(),\n\t\t\"list\": interpolationFuncList(),\n\t\t\"lookup\": interpolationFuncLookup(),\n\t\t\"map\": interpolationFuncMap(),\n\t\t\"merge\": interpolationFuncMerge(),\n\t\t\"replace\": interpolationFuncReplace(),\n\t}\n}\n\nfunc interpolate(s string, variables []Variable) interface{} {\n\tif strings.Index(s, \"${\") == -1 {\n\t\t// no interpolation to be done\n\t\treturn s\n\t}\n\tassertion.Debugf(\"interpolate: %s\\n\", s)\n\tconfig := &hil.EvalConfig{\n\t\tGlobalScope: &ast.BasicScope{\n\t\t\tVarMap: makeVarMap(variables),\n\t\t\tFuncMap: Funcs(),\n\t\t},\n\t}\n\ttree, err := hil.Parse(s)\n\tif err != nil {\n\t\tassertion.Debugf(\"Parse error: %v\\n\", err)\n\t\treturn s\n\t}\n\tresult, err := hil.Eval(tree, config)\n\tif err != nil {\n\t\tassertion.Debugf(\"Eval error: %v\\n\", err)\n\t\treturn s\n\t}\n\tassertion.Debugf(\"interpolation result: %v\\n\", result.Value)\n\tif stringValue, ok := result.Value.(string); ok {\n\t\tif stringValue == s {\n\t\t\treturn stringValue // no changes, no need for recursive call\n\t\t}\n\t\treturn interpolate(stringValue, variables)\n\t}\n\treturn result.Value\n}\n"
},
{
"path": "linter/terraform_interpolate_test.go",
"content": "package linter\n\nimport (\n\t\"github.com/stretchr/testify/assert\"\n\t\"testing\"\n)\n\ntype interpolationTestCase struct {\n\tInput string\n\tExpected interface{}\n}\n\nfunc TestInterpolation(t *testing.T) {\n\ttestCases := []interpolationTestCase{\n\t\t{\"${2+6}\", \"8\"},\n\t\t{\"bucket_${var.environment}\", \"bucket_development\"},\n\t\t{\"${var.environment == \\\"development\\\" ? \\\"YES\\\" : \\\"NO\\\"}\", \"YES\"},\n\t\t{\"${local.count + local.count}\", \"202\"},\n\t\t{\"${replace(var.template,var.user_pattern,var.user)}\", \"https://users/adam\"},\n\t\t{\"${list(var.a, var.b, var.c)}\", []interface{}{\"one\", \"two\", \"three\"}},\n\t\t{\"${element(list(var.a, var.b, var.c),2)}\", \"three\"},\n\t\t{\"${join(var.pipe, list(var.a, var.b))}\", \"one|two\"},\n\t\t{\"${concat(list(var.a,var.b), list(var.c))}\", []interface{}{\"one\", \"two\", \"three\"}},\n\t\t{\"${format(\\\"id-%s\\\",var.a)}\", \"id-one\"},\n\t\t{\"${map(var.k1,var.v1,var.k2,var.v2)}\", map[string]interface{}{\"key1\": \"value1\", \"key2\": \"value2\"}},\n\t\t{\"${missing_func(1)}\", \"${missing_func(1)}\"},\n\t\t{\"${module.required_tags.tags}\", \"${module.required_tags.tags}\"},\n\t\t{\"${merge(map(\\\"NodeType\\\", \\\"Runner\\\"), var.tags)}\", map[string]interface{}{\"NodeType\": \"Runner\", \"Name\": \"Web\"}},\n\t\t{\"{\\\"version\\\":\\\"$LATEST\\\"}\", \"{\\\"version\\\":\\\"$LATEST\\\"}\"},\n\t\t{\"echo $PWD\", \"echo $PWD\"},\n\t}\n\tvars := []Variable{\n\t\t{Name: \"var.environment\", Value: \"development\"},\n\t\t{Name: \"local.count\", Value: \"101\"},\n\t\t{Name: \"var.template\", Value: \"https://users/USER_ID\"},\n\t\t{Name: \"var.user_pattern\", Value: \"USER_ID\"},\n\t\t{Name: \"var.user\", Value: \"adam\"},\n\t\t{Name: \"var.a\", Value: \"one\"},\n\t\t{Name: \"var.b\", Value: \"two\"},\n\t\t{Name: \"var.c\", Value: \"three\"},\n\t\t{Name: \"var.pipe\", Value: \"|\"},\n\t\t{Name: \"var.k1\", Value: \"key1\"},\n\t\t{Name: \"var.k2\", Value: \"key2\"},\n\t\t{Name: \"var.v1\", Value: \"value1\"},\n\t\t{Name: \"var.v2\", Value: \"value2\"},\n\t\t{Name: \"var.tags\", Value: map[string]interface{}{\"Name\": \"Web\"}},\n\t}\n\tfor _, tc := range testCases {\n\t\tresult := interpolate(tc.Input, vars)\n\t\tassert.Equal(t, tc.Expected, result)\n\t}\n}\n"
},
{
"path": "linter/terraform_test.go",
"content": "package linter\n\nimport (\n\t\"os\"\n\t\"testing\"\n\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestTerraformLinter(t *testing.T) {\n\toptions := Options{\n\t\tTags: []string{},\n\t\tRuleIDs: []string{},\n\t}\n\tfilenames := []string{\"./testdata/resources/terraform_instance.tf\"}\n\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: TerraformResourceLoader{}}\n\truleSet := loadRulesForTest(\"./testdata/rules/terraform_instance.yml\", t)\n\treport, err := linter.Validate(ruleSet, options)\n\tassert.Nil(t, err, \"Expecting Validate to run without error\")\n\tassert.Equal(t, len(report.ResourcesScanned), 1, \"Unexpected number of resources scanned\")\n\tassert.Equal(t, len(report.FilesScanned), 1, \"Unexpected number of files scanned\")\n\tassertViolationsCount(\"TestTerraformLinter \", 0, report.Violations, t)\n}\n\nfunc loadResourcesToTest(t *testing.T, filename string) []assertion.Resource {\n\tloader := TerraformResourceLoader{}\n\tloaded, err := loader.Load(filename)\n\tassert.Nil(t, err, \"Expecting Load to run without error\")\n\tresources, err := loader.PostLoad(loaded)\n\tassert.Nil(t, err, \"Expecting PostLoad to run without error\")\n\treturn resources\n}\n\nfunc getResourceTags(r assertion.Resource) map[string]interface{} {\n\tproperties := r.Properties.(map[string]interface{})\n\ttags := properties[\"tags\"].([]interface{})\n\treturn tags[0].(map[string]interface{})\n}\n\nfunc TestTerraformVariable(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"ami\"], \"ami-f2d3638a\", \"Unexpected value for simple variable\")\n}\n\nfunc TestTerraformVariableWithNoDefault(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, tags[\"department\"], \"\", \"Unexpected value for variable with no default\")\n}\n\nfunc TestTerraformFunctionCall(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, tags[\"environment\"], \"test\", \"Unexpected value for lookup function\")\n}\n\nfunc TestTerraformListVariable(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, tags[\"comment\"], \"bar\", \"Unexpected value for list variable\")\n}\n\nfunc TestTerraformLocalVariable(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_local_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, \"myprojectbucket\", properties[\"name\"], \"Unexpected value for name attribute\")\n}\n\nfunc TestTerraformVariablesFromEnvironment(t *testing.T) {\n\tos.Setenv(\"TF_VAR_instance_type\", \"c4.large\")\n\tresources := loadResourcesToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"instance_type\"], \"c4.large\", \"Unexpected value for instance_type\")\n\tos.Setenv(\"TF_VAR_instance_type\", \"\")\n}\n\nfunc TestTerraformFileFunction(t *testing.T) {\n\tresources := loadResourcesToTest(t, \"./testdata/resources/reference_file.tf\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"bucket\"], \"example\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraformVariablesInDifferentFile(t *testing.T) {\n\toptions := Options{\n\t\tTags: []string{},\n\t\tRuleIDs: []string{},\n\t}\n\tfilenames := []string{\n\t\t\"./testdata/resources/defines_variables.tf\",\n\t\t\"./testdata/resources/reference_variables.tf\",\n\t}\n\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: TerraformResourceLoader{}}\n\truleSet := loadRulesForTest(\"./testdata/rules/terraform_instance.yml\", t)\n\treport, err := linter.Validate(ruleSet, options)\n\tassert.Nil(t, err, \"Expecting Validate to run without error\")\n\tassert.Equal(t, len(report.ResourcesScanned), 1, \"Unexpected number of resources\")\n\tassert.Equal(t, len(report.FilesScanned), 2, \"Unexpected number of files scanned\")\n\tassertViolationsCount(\"TestTerraformVariablesInDifferentFile \", 0, report.Violations, t)\n}\n\ntype TestingValueSource struct{}\n\nfunc (s TestingValueSource) GetValue(a assertion.Expression) (string, error) {\n\tif a.ValueFrom.URL != \"\" {\n\t\treturn \"TEST\", nil\n\t}\n\treturn a.Value, nil\n}\n\nfunc TestTerraformDataLoader(t *testing.T) {\n\tloader := TerraformResourceLoader{}\n\tloaded, err := loader.Load(\"./testdata/resources/terraform_data.tf\")\n\tassert.Nil(t, err, \"Expecting Load to run without error\")\n\tassert.Equal(t, len(loaded.Resources), 1, \"Unexpected number of resources\")\n}\n\ntype terraformLinterTestCase struct {\n\tConfigurationFilename string\n\tRulesFilename string\n\tExpectedViolationCount int\n\tExpectedViolationRuleID string\n}\n\nfunc TestTerraformLinterCases(t *testing.T) {\n\ttestCases := map[string]terraformLinterTestCase{\n\t\t\"ParseError\": {\n\t\t\t\"./testdata/resources/terraform_syntax_error.tf\",\n\t\t\t\"./testdata/rules/terraform_provider.yml\",\n\t\t\t1,\n\t\t\t\"FILE_LOAD\",\n\t\t},\n\t\t\"Provider\": {\n\t\t\t\"./testdata/resources/terraform_provider.tf\",\n\t\t\t\"./testdata/rules/terraform_provider.yml\",\n\t\t\t1,\n\t\t\t\"AWS_PROVIDER\",\n\t\t},\n\t\t\"DataObject\": {\n\t\t\t\"./testdata/resources/terraform_data.tf\",\n\t\t\t\"./testdata/rules/terraform_data.yml\",\n\t\t\t1,\n\t\t\t\"DATA_NOT_CONTAINS\",\n\t\t},\n\t\t\"PoliciesWithVariables\": {\n\t\t\t\"./testdata/resources/policy_with_variables.tf\",\n\t\t\t\"./testdata/rules/policy_variable.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"HereDocWithExpression\": {\n\t\t\t\"./testdata/resources/policy_with_expression.tf\",\n\t\t\t\"./testdata/rules/policy_variable.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"Policies\": {\n\t\t\t\"./testdata/resources/terraform_policy.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t1,\n\t\t\t\"TEST_POLICY\",\n\t\t},\n\t\t\"PolicyInvalidJSON\": {\n\t\t\t\"./testdata/resources/terraform_policy_invalid_json.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"PolicyEmpty\": {\n\t\t\t\"./testdata/resources/terraform_policy_empty.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"Module\": {\n\t\t\t\"./testdata/resources/terraform_module.tf\",\n\t\t\t\"./testdata/rules/terraform_module.yml\",\n\t\t\t1,\n\t\t\t\"MODULE_DESCRIPTION\",\n\t\t},\n\t\t\"BatchPrivileged\": {\n\t\t\t\"./testdata/resources/batch_privileged.tf\",\n\t\t\t\"./testdata/rules/batch_definition.yml\",\n\t\t\t1,\n\t\t\t\"BATCH_DEFINITION_PRIVILEGED\",\n\t\t},\n\t\t\"CloudfrontAccessLogs\": {\n\t\t\t\"./testdata/resources/cloudfront_access_logs.tf\",\n\t\t\t\"./testdata/rules/cloudfront_access_logs.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"PublicEC2\": {\n\t\t\t\"./testdata/resources/ec2_public.tf\",\n\t\t\t\"./testdata/rules/ec2_public.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"ElastiCacheRest\": {\n\t\t\t\"./testdata/resources/elasticache_encryption_rest.tf\",\n\t\t\t\"./testdata/rules/elasticache_encryption_rest.yml\",\n\t\t\t1,\n\t\t\t\"ELASTICACHE_ENCRYPTION_REST\",\n\t\t},\n\t\t\"ElastiCacheTransit\": {\n\t\t\t\"./testdata/resources/elasticache_encryption_transit.tf\",\n\t\t\t\"./testdata/rules/elasticache_encryption_transit.yml\",\n\t\t\t1,\n\t\t\t\"ELASTICACHE_ENCRYPTION_TRANSIT\",\n\t\t},\n\t\t\"NeptuneClusterEncryption\": {\n\t\t\t\"./testdata/resources/neptune_db_encryption.tf\",\n\t\t\t\"./testdata/rules/neptune_db_encryption.yml\",\n\t\t\t1,\n\t\t\t\"NEPTUNE_DB_ENCRYPTION\",\n\t\t},\n\t\t\"RdsPublic\": {\n\t\t\t\"./testdata/resources/rds_publicly_available.tf\",\n\t\t\t\"./testdata/rules/rds_publicly_available.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"KinesisKms\": {\n\t\t\t\"./testdata/resources/kinesis_kms_stream.tf\",\n\t\t\t\"./testdata/rules/kinesis_kms_stream.yml\",\n\t\t\t1,\n\t\t\t\"KINESIS_STREAM_KMS\",\n\t\t},\n\t\t\"DmsEncryption\": {\n\t\t\t\"./testdata/resources/dms_endpoint_encryption.tf\",\n\t\t\t\"./testdata/rules/dms_endpoint_encryption.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"EmrClusterLogs\": {\n\t\t\t\"./testdata/resources/emr_cluster_logs.tf\",\n\t\t\t\"./testdata/rules/emr_cluster_logs.yml\",\n\t\t\t1,\n\t\t\t\"AWS_EMR_CLUSTER_LOGGING\",\n\t\t},\n\t\t\"KmsKeyRotation\": {\n\t\t\t\"./testdata/resources/kms_key_rotation.tf\",\n\t\t\t\"./testdata/rules/kms_key_rotation.yml\",\n\t\t\t1,\n\t\t\t\"AWS_KMS_KEY_ROTATION\",\n\t\t},\n\t\t\"SagemakerEndpoint\": {\n\t\t\t\"./testdata/resources/sagemaker_endpoint_encryption.tf\",\n\t\t\t\"./testdata/rules/sagemaker_endpoint_encryption.yml\",\n\t\t\t1,\n\t\t\t\"SAGEMAKER_ENDPOINT_ENCRYPTION\",\n\t\t},\n\t\t\"SagemakerNotebook\": {\n\t\t\t\"./testdata/resources/sagemaker_notebook_encryption.tf\",\n\t\t\t\"./testdata/rules/sagemaker_notebook_encryption.yml\",\n\t\t\t1,\n\t\t\t\"SAGEMAKER_NOTEBOOK_ENCRYPTION\",\n\t\t},\n\t}\n\tfor name, tc := range testCases {\n\t\toptions := Options{\n\t\t\tTags: []string{},\n\t\t\tRuleIDs: []string{},\n\t\t}\n\t\tfilenames := []string{tc.ConfigurationFilename}\n\t\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: TerraformResourceLoader{}}\n\t\truleSet := loadRulesForTest(tc.RulesFilename, t)\n\t\treport, err := linter.Validate(ruleSet, options)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Expecting %s to return without an error: %s\", name, err.Error())\n\t\t}\n\t\tif len(report.FilesScanned) != 1 {\n\t\t\tt.Errorf(\"TestTerraformLinterCases scanned %d files, expecting 1\", len(report.FilesScanned))\n\t\t}\n\t\tif len(report.Violations) != tc.ExpectedViolationCount {\n\t\t\tt.Errorf(\"%s returned %d violations, expecting %d\", name, len(report.Violations), tc.ExpectedViolationCount)\n\t\t\tt.Errorf(\"Violations: %v\", report.Violations)\n\t\t}\n\t\tif tc.ExpectedViolationRuleID != \"\" {\n\t\t\tassertViolationByRuleID(name, tc.ExpectedViolationRuleID, report.Violations, t)\n\t\t}\n\t}\n}\n"
},
{
"path": "linter/terraform_v12.go",
"content": "package linter\n\nimport (\n\t\"strconv\"\n\t\"strings\"\n\n\t\"github.com/hashicorp/hcl/v2\"\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stelligent/config-lint/linter/tf12parser\"\n\t\"github.com/zclconf/go-cty/cty\"\n)\n\ntype (\n\t// Terraform12ResourceLoader converts Terraform configuration files into JSON objects\n\tTerraform12ResourceLoader struct{}\n\n\t// Terraform12LoadResult collects all the returns value for parsing an HCL string\n\tTerraform12LoadResult struct {\n\t\tResources []assertion.Resource\n\t\tData []interface{}\n\t\tProviders []interface{}\n\t\tModules []interface{}\n\t\tVariables []Variable\n\t\tAST *hcl.File\n\t}\n)\n\nvar (\n\tblockTypes = []string{\n\t\t\"data\",\n\t\t\"locals\",\n\t\t\"module\",\n\t\t\"output\",\n\t\t\"provider\",\n\t\t\"resource\",\n\t\t\"terraform\",\n\t\t\"variable\",\n\t}\n\n\tblockLabelSyntax = map[string][]string{\n\t\t\"TypeAndName\": []string{\"data\", \"resource\"},\n\t\t\"TypeOnly\": []string{\"provider\"},\n\t\t\"NameOnly\": []string{\"module\", \"output\", \"variable\"},\n\t\t\"NoTypeNoName\": []string{\"locals\", \"terraform\"},\n\t}\n)\n\n// Load parses an HCLv2 file into a collection or Resource objects\n//TODO: This should be unused, but can't remove due to the interface, I think?\nfunc (l Terraform12ResourceLoader) Load(filename string) (FileResources, error) {\n\tloaded := FileResources{\n\t\tResources: []assertion.Resource{},\n\t}\n\tresult, err := loadHCLv2([]string{filename})\n\tif err != nil {\n\t\treturn loaded, err\n\t}\n\tloaded.Resources = result.Resources\n\n\tassertion.DebugJSON(\"loaded.Resources\", loaded.Resources)\n\treturn loaded, nil\n}\n\nfunc (l Terraform12ResourceLoader) LoadMany(filenames []string) (FileResources, error) {\n\tloaded := FileResources{\n\t\tResources: []assertion.Resource{},\n\t}\n\tresult, err := loadHCLv2(filenames)\n\tif err != nil {\n\t\treturn loaded, err\n\t}\n\tloaded.Resources = result.Resources\n\n\tassertion.DebugJSON(\"loaded.Resources\", loaded.Resources)\n\treturn loaded, nil\n}\n\nfunc loadHCLv2(paths []string) (Terraform12LoadResult, error) {\n\tresult := Terraform12LoadResult{\n\t\tResources: []assertion.Resource{},\n\t\tData: []interface{}{},\n\t\tProviders: []interface{}{},\n\t\tModules: []interface{}{},\n\t\tVariables: []Variable{},\n\t}\n\n\tparser := *tf12parser.New()\n\tblocks, err := parser.ParseMany(paths)\n\tif err != nil {\n\t\treturn result, err\n\t}\n\n\t// Get all Terraform blocks of a given type and append to the slice of Resources\n\tfor _, blockType := range blockTypes {\n\t\tresult.Resources = append(result.Resources, getBlocksOfType(blocks, blockType)...)\n\t}\n\n\tfor _, resource := range result.Resources {\n\t\tproperties, err := parseJSONDocuments(resource.Properties)\n\t\tif err != nil {\n\t\t\treturn result, err\n\t\t}\n\t\tresource.Properties = properties\n\t}\n\n\tassertion.Debugf(\"LoadHCL Variables: %v\\n\", result.Variables)\n\treturn result, nil\n}\n\n// Retrieves Terraform blocks of a specific type\n// and places them in a slice of assertion.Resources.\nfunc getBlocksOfType(blocks tf12parser.Blocks, blockCategory string) []assertion.Resource {\n\tvar blockType string\n\tvar blockName string\n\tvar resources []assertion.Resource\n\n\ttfBlocks := blocks.OfType(blockCategory)\n\ti := 0\n\n\tfor _, block := range tfBlocks {\n\n\t\tproperties := attributesToMap(*block)\n\n\t\t// Terraform has labels between 0 and 2 for each block e.g `locals`, `provider`, and `resource`,\n\t\t// and labels could be fixed types or configurable names.\n\t\t// Thus this code checks which label should be used as type and as a name/id. If the block doesn't have\n\t\t// a unique name, then its name/id assigned to an auto-incrementing integer.\n\t\tif assertion.SliceContains(blockLabelSyntax[\"TypeAndName\"], blockCategory) {\n\t\t\tblockType = block.Labels()[0]\n\t\t\tblockName = block.Labels()[1]\n\t\t\tproperties[\"__type__\"] = blockType\n\t\t\tproperties[\"__name__\"] = blockName\n\n\t\t} else if assertion.SliceContains(blockLabelSyntax[\"TypeOnly\"], blockCategory) {\n\t\t\tblockType = block.Labels()[0]\n\t\t\tblockName = strconv.Itoa(i)\n\t\t\ti++\n\t\t\tproperties[\"__type__\"] = blockType\n\t\t\tproperties[\"__name__\"] = blockName\n\n\t\t} else if assertion.SliceContains(blockLabelSyntax[\"NameOnly\"], blockCategory) {\n\t\t\t// A special handling for module to add its source as a type.\n\t\t\tif blockCategory == \"module\" {\n\t\t\t\tblockType = block.GetAttribute(\"source\").Value().AsString()\n\t\t\t} else {\n\t\t\t\tblockType = blockCategory\n\t\t\t}\n\t\t\tblockName = block.Labels()[0]\n\t\t\tproperties[\"__name__\"] = blockName\n\n\t\t} else if assertion.SliceContains(blockLabelSyntax[\"NoTypeNoName\"], blockCategory) {\n\t\t\tblockType = blockCategory\n\t\t\tblockName = strconv.Itoa(i)\n\t\t\ti++\n\t\t}\n\n\t\tresource := assertion.Resource{\n\t\t\tID: blockName,\n\t\t\tType: blockType,\n\t\t\tCategory: blockCategory,\n\t\t\tProperties: properties,\n\t\t\tFilename: block.Range().Filename,\n\t\t\tLineNumber: block.Range().StartLine,\n\t\t}\n\t\tresources = append(resources, resource)\n\t}\n\treturn resources\n}\n\nfunc attributesToMap(block tf12parser.Block) map[string]interface{} {\n\tpropertyMap := make(map[string]interface{})\n\tallBlocks := block.AllBlocks()\n\tfor _, currentBlock := range allBlocks {\n\t\tvar toAppend []interface{}\n\t\ttoAppend = append(toAppend, attributesToMap(*currentBlock))\n\t\tif propertyMap[currentBlock.Type()] == nil {\n\t\t\tpropertyMap[currentBlock.Type()] = toAppend\n\t\t} else {\n\t\t\tv := propertyMap[currentBlock.Type()].([]interface{})\n\t\t\tv = append(v, toAppend[0])\n\t\t\tpropertyMap[currentBlock.Type()] = v\n\t\t}\n\t}\n\tattributes := block.GetAttributes()\n\tfor _, attribute := range attributes {\n\t\tvalue := attribute.Value()\n\t\tif value.Type().IsTupleType() {\n\t\t\tinnerArray := make([]interface{}, 0)\n\n\t\t\titer := value.ElementIterator()\n\t\t\tfor iter.Next() {\n\t\t\t\t_, iterValue := iter.Element()\n\t\t\t\tif iterValue.CanIterateElements() {\n\t\t\t\t\titerateElements(propertyMap, attribute.Name(), iterValue)\n\t\t\t\t} else {\n\t\t\t\t\tinnerArray = append(innerArray, ctyValueToString(iterValue))\n\t\t\t\t}\n\t\t\t}\n\t\t\tpropertyMap[attribute.Name()] = innerArray\n\t\t} else if value.CanIterateElements() {\n\t\t\titerateElements(propertyMap, attribute.Name(), value)\n\t\t} else {\n\t\t\tsetValue(propertyMap, attribute.Name(), ctyValueToString(value))\n\t\t}\n\t}\n\treturn propertyMap\n}\n\nfunc iterateElements(propertyMap map[string]interface{}, name string, value cty.Value) {\n\tvar innerArray []interface{}\n\tinnerMap := make(map[string]interface{})\n\tinnerArray = append(innerArray, innerMap)\n\tpropertyMap[name] = innerArray\n\n\titer := value.ElementIterator()\n\tfor iter.Next() {\n\t\tkey, value := iter.Element()\n\t\tif value.CanIterateElements() {\n\t\t\titerateElements(innerMap, ctyValueToString(key), value)\n\t\t} else {\n\t\t\tsetValue(innerMap, ctyValueToString(key), ctyValueToString(value))\n\t\t}\n\t}\n}\n\nfunc setValue(m map[string]interface{}, name string, value string) {\n\tenvironmentVariable := getVariableFromEnvironment(name)\n\tif environmentVariable == \"\" {\n\t\tm[name] = value\n\t} else {\n\t\tm[name] = environmentVariable\n\t}\n}\n\nfunc ctyValueToString(value cty.Value) string {\n\t// In case the value is nil but the type is not necessarily , ~~return an empty string~~\n\t// Update: return an actual string.\n\t// We cannot evaluate tf generated values in tf12, such as referenced arn, but we still want to be able to check for it\n\tif value.IsNull() || !value.IsKnown() {\n\t\treturn \"UNDEFINED\"\n\t} else {\n\t\tswitch value.Type() {\n\t\tcase cty.NilType:\n\t\t\treturn \"\"\n\t\tcase cty.Bool:\n\t\t\tif value.True() {\n\t\t\t\treturn \"true\"\n\t\t\t} else {\n\t\t\t\treturn \"false\"\n\t\t\t}\n\t\tcase cty.String:\n\t\t\treturn strings.Trim(value.AsString(), \"\\n\")\n\t\tcase cty.Number:\n\t\t\tif value.RawEquals(cty.PositiveInfinity) || value.RawEquals(cty.NegativeInfinity) {\n\t\t\t\tpanic(\"cannot convert infinity to string\")\n\t\t\t}\n\t\t\treturn value.AsBigFloat().Text('f', -1)\n\t\tdefault:\n\t\t\tpanic(\"unsupported primitive type\")\n\t\t\t//return \"\"\n\t\t}\n\t}\n}\n\n// PostLoad resolves variable expressions\nfunc (l Terraform12ResourceLoader) PostLoad(inputResources FileResources) ([]assertion.Resource, error) {\n\treturn inputResources.Resources, nil\n}\n"
},
{
"path": "linter/terraform_v12_test.go",
"content": "package linter\n\nimport (\n\t\"fmt\"\n\t\"io/ioutil\"\n\t\"log\"\n\t\"os\"\n\t\"path/filepath\"\n\t\"strconv\"\n\t\"testing\"\n\n\t\"github.com/stelligent/config-lint/assertion\"\n\t\"github.com/stretchr/testify/assert\"\n)\n\nfunc TestTerraformV12Linter(t *testing.T) {\n\toptions := Options{\n\t\tTags: []string{},\n\t\tRuleIDs: []string{},\n\t}\n\tfilenames := []string{\"./testdata/resources/terraform_instance.tf\"}\n\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: Terraform12ResourceLoader{}}\n\truleSet := loadRulesForTest(\"./testdata/rules/terraform_instance.yml\", t)\n\treport, err := linter.Validate(ruleSet, options)\n\tassert.Nil(t, err, \"Expecting Validate to run without error\")\n\tassert.Equal(t, len(report.ResourcesScanned), 1, \"Unexpected number of resources scanned\")\n\tassert.Equal(t, len(report.FilesScanned), 1, \"Unexpected number of files scanned\")\n\tassertViolationsCount(\"TestTerraformLinter \", 0, report.Violations, t)\n}\n\nfunc loadResources12ToTest(t *testing.T, filename string) []assertion.Resource {\n\tloader := Terraform12ResourceLoader{}\n\tloaded, err := loader.Load(filename)\n\tassert.Nil(t, err, \"Expecting Load to run without error\")\n\tresources, err := loader.PostLoad(loaded)\n\tassert.Nil(t, err, \"Expecting PostLoad to run without error\")\n\treturn resources\n}\n\nfunc filterByCategory(t *testing.T, resources []assertion.Resource, categoryName string) []assertion.Resource {\n\tresult := []assertion.Resource{}\n\tfor _, resource := range resources {\n\t\tif resource.Category == categoryName {\n\t\t\tresult = append(result, resource)\n\t\t}\n\t}\n\treturn result\n}\n\nfunc TestSingleResourceType(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, 1, len(resources), \"Expecting 1 resource\")\n\tassert.Equal(t, \"aws_instance\", resources[0].Type)\n\tassert.Equal(t, \"first\", resources[0].ID)\n}\n\nfunc TestResourceDependency(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/tf12_resource_dependency.tf\")\n\tassert.Equal(t, 2, len(resources), \"Expecting 1 resource\")\n}\n\n//The idea of this test is to confirm a particular difference between the original parser and the new\n//I know it's not clear. - MN\nfunc TestTupleType(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/multi_level.tf\")\n\tassert.Equal(t, 1, len(resources), \"Expecting 1 resource\")\n\tstatement := resources[0].Properties.(map[string]interface{})[\"statement\"]\n\tprincipals := statement.([]interface{})[0].(map[string]interface{})[\"principals\"]\n\tidentifiers := principals.([]interface{})[0].(map[string]interface{})[\"identifiers\"]\n\tvalue, ok := identifiers.([]interface{})\n\tassert.True(t, ok)\n\t_, ok = value[0].(string)\n\tassert.True(t, ok)\n}\n\nfunc TestMultipleBlocksOfSameType12(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/multiple_blocks_same.tf\")\n\tassert.Equal(t, 1, len(resources), \"Expecting 1 resource\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tebsBlocks := properties[\"ebs_block_device\"]\n\tassert.Len(t, ebsBlocks, 2)\n}\n\nfunc TestInnerObjects12(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_inner_objects.tf\")\n\tassert.Equal(t, 2, len(resources), \"Expecting 2 resource\")\n\tproperties := resources[1].Properties.(map[string]interface{})\n\tartifactStore := properties[\"artifact_store\"].([]interface{})[0].(map[string]interface{})\n\tencryptionKey := artifactStore[\"encryption_key\"]\n\tassert.NotNil(t, encryptionKey)\n}\n\nfunc TestTerraform12Variable(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, 1, len(resources), \"Expecting 1 resource\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, \"ami-f2d3638a\", properties[\"ami\"], \"Unexpected value for simple variable\")\n}\n\nfunc TestTerraform12VariableWithNoDefault(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, \"UNDEFINED\", tags[\"department\"], \"Unexpected value for variable with no default\")\n}\n\nfunc TestTerraform12FunctionCall(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, \"test\", tags[\"environment\"], \"Unexpected value for lookup function\")\n}\n\nfunc TestTerraform12ListVariable(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\ttags := getResourceTags(resources[0])\n\tassert.Equal(t, tags[\"comment\"], \"bar\", \"Unexpected value for list variable\")\n}\n\nfunc TestTerraform12LocalVariable(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_local_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Expecting 1 resource\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, \"myprojectbucket\", properties[\"name\"], \"Unexpected value for name attribute\")\n}\n\nfunc TestTerraform12VariablesFromEnvironment(t *testing.T) {\n\tos.Setenv(\"TF_VAR_instance_type\", \"c4.large\")\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"instance_type\"], \"c4.large\", \"Unexpected value for instance_type\")\n\tos.Setenv(\"TF_VAR_instance_type\", \"\")\n}\n\nfunc TestTerraform12FileFunction(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/reference_file.tf\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"bucket\"], \"example\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12VariablesInDifferentFile(t *testing.T) {\n\toptions := Options{\n\t\tTags: []string{},\n\t\tRuleIDs: []string{},\n\t}\n\tfilenames := []string{\n\t\t\"./testdata/resources/defines_variables.tf\",\n\t\t\"./testdata/resources/reference_variables.tf\",\n\t}\n\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: Terraform12ResourceLoader{}}\n\truleSet := loadRulesForTest(\"./testdata/rules/terraform_instance.yml\", t)\n\treport, err := linter.Validate(ruleSet, options)\n\tassert.Nil(t, err, \"Expecting Validate to run without error\")\n\tassert.Equal(t, 1, len(report.ResourcesScanned), \"Unexpected number of resources\")\n\tassert.Equal(t, 2, len(report.FilesScanned), \"Unexpected number of files scanned\")\n\tassertViolationsCount(\"TestTerraformVariablesInDifferentFile \", 0, report.Violations, t)\n}\n\nfunc TestTerraform12DataLoader(t *testing.T) {\n\tloader := TerraformResourceLoader{}\n\tloaded, err := loader.Load(\"./testdata/resources/terraform_data.tf\")\n\tassert.Nil(t, err, \"Expecting Load to run without error\")\n\tassert.Equal(t, len(loaded.Resources), 1, \"Unexpected number of resources\")\n}\n\nfunc TestTerraform12ResourceLineNumber(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, 30, resources[0].LineNumber)\n}\n\nfunc TestTerraform12ResourceFileName(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/uses_variables.tf\")\n\tassert.Equal(t, \"./testdata/resources/uses_variables.tf\", resources[0].Filename)\n}\n\nfunc TestTerraform12DataLineNumber(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_data.tf\")\n\tassert.Equal(t, 1, resources[0].LineNumber)\n}\n\nfunc TestTerraform12DataFileName(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_data.tf\")\n\tassert.Equal(t, \"./testdata/resources/terraform_data.tf\", resources[0].Filename)\n}\n\nfunc TestTerraform12ProviderLineNumber(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_provider.tf\")\n\tassert.Equal(t, 1, resources[0].LineNumber)\n}\n\nfunc TestTerraform12ProviderFileName(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_provider.tf\")\n\tassert.Equal(t, \"./testdata/resources/terraform_provider.tf\", resources[0].Filename)\n}\n\nfunc TestTerraform12ModuleLineNumber(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_module.tf\")\n\tassert.Equal(t, 1, resources[0].LineNumber)\n}\n\nfunc TestTerraform12ModuleFileName(t *testing.T) {\n\tresources := loadResources12ToTest(t, \"./testdata/resources/terraform_module.tf\")\n\tassert.Equal(t, \"./testdata/resources/terraform_module.tf\", resources[0].Filename)\n}\n\n// String build message for violations. Debug helper\n// TODO move to class. remove copy pasted function in tt 12 test\nfunc getViolationsString(violations []assertion.Violation) string {\n\tvar violationsReported string\n\tfor count, v := range violations {\n\t\tviolationsReported += strconv.Itoa(count+1) + \". Violation:\"\n\t\tviolationsReported += \"\\n\\tRule Message: \" + v.RuleMessage\n\t\tviolationsReported += \"\\n\\tRule Id: \" + v.RuleID\n\t\tviolationsReported += \"\\n\\tResource ID: \" + v.ResourceID\n\t\tviolationsReported += \"\\n\\tResource Type: \" + v.ResourceType\n\t\tviolationsReported += \"\\n\\tCategory: \" + v.Category\n\t\tviolationsReported += \"\\n\\tStatus: \" + v.Status\n\t\tviolationsReported += \"\\n\\tAssertion Message: \" + v.AssertionMessage\n\t\tviolationsReported += \"\\n\\tFilename: \" + v.Filename\n\t\tviolationsReported += \"\\n\\tLine Number: \" + strconv.Itoa(v.LineNumber)\n\t\tviolationsReported += \"\\n\\tCreated At: \" + v.CreatedAt + \"\\n\"\n\t}\n\treturn violationsReported\n}\n\nfunc TestTerraform12LinterCases(t *testing.T) {\n\ttestCases := map[string]terraformLinterTestCase{\n\t\t\"ParseError\": {\n\t\t\t\"./testdata/resources/terraform_syntax_error.tf\",\n\t\t\t\"./testdata/rules/terraform_provider.yml\",\n\t\t\t1,\n\t\t\t\"FILE_LOAD\",\n\t\t},\n\t\t\"Provider\": {\n\t\t\t\"./testdata/resources/terraform_provider.tf\",\n\t\t\t\"./testdata/rules/terraform_provider.yml\",\n\t\t\t1,\n\t\t\t\"AWS_PROVIDER\",\n\t\t},\n\t\t\"DataObject\": {\n\t\t\t\"./testdata/resources/terraform_data.tf\",\n\t\t\t\"./testdata/rules/terraform_data.yml\",\n\t\t\t1,\n\t\t\t\"DATA_NOT_CONTAINS\",\n\t\t},\n\t\t\"PoliciesWithVariables\": {\n\t\t\t\"./testdata/resources/policy_with_variables.tf\",\n\t\t\t\"./testdata/rules/policy_variable.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"HereDocWithExpression\": {\n\t\t\t\"./testdata/resources/policy_with_expression.tf\",\n\t\t\t\"./testdata/rules/policy_variable.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"Policies\": {\n\t\t\t\"./testdata/resources/terraform_policy.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t1,\n\t\t\t\"TEST_POLICY\",\n\t\t},\n\t\t\"PolicyInvalidJSON\": {\n\t\t\t\"./testdata/resources/terraform_policy_invalid_json.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"PolicyEmpty\": {\n\t\t\t\"./testdata/resources/terraform_policy_empty.tf\",\n\t\t\t\"./testdata/rules/terraform_policy.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"BatchPrivileged\": {\n\t\t\t\"./testdata/resources/batch_privileged.tf\",\n\t\t\t\"./testdata/rules/batch_definition.yml\",\n\t\t\t1,\n\t\t\t\"BATCH_DEFINITION_PRIVILEGED\",\n\t\t},\n\t\t\"PublicEC2\": {\n\t\t\t\"./testdata/resources/ec2_public.tf\",\n\t\t\t\"./testdata/rules/ec2_public.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"CloudfrontAccessLogs\": {\n\t\t\t\"./testdata/resources/cloudfront_access_logs.tf\",\n\t\t\t\"./testdata/rules/cloudfront_access_logs.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"Module\": {\n\t\t\t\"./testdata/resources/terraform_module.tf\",\n\t\t\t\"./testdata/rules/terraform_module.yml\",\n\t\t\t1,\n\t\t\t\"MODULE_DESCRIPTION\",\n\t\t},\n\t\t\"ElastiCacheRest\": {\n\t\t\t\"./testdata/resources/elasticache_encryption_rest.tf\",\n\t\t\t\"./testdata/rules/elasticache_encryption_rest.yml\",\n\t\t\t1,\n\t\t\t\"ELASTICACHE_ENCRYPTION_REST\",\n\t\t},\n\t\t\"ElastiCacheTransit\": {\n\t\t\t\"./testdata/resources/elasticache_encryption_transit.tf\",\n\t\t\t\"./testdata/rules/elasticache_encryption_transit.yml\",\n\t\t\t1,\n\t\t\t\"ELASTICACHE_ENCRYPTION_TRANSIT\",\n\t\t},\n\t\t\"NeptuneClusterEncryption\": {\n\t\t\t\"./testdata/resources/neptune_db_encryption.tf\",\n\t\t\t\"./testdata/rules/neptune_db_encryption.yml\",\n\t\t\t1,\n\t\t\t\"NEPTUNE_DB_ENCRYPTION\",\n\t\t},\n\t\t\"RdsPublic\": {\n\t\t\t\"./testdata/resources/rds_publicly_available.tf\",\n\t\t\t\"./testdata/rules/rds_publicly_available.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"KinesisKms\": {\n\t\t\t\"./testdata/resources/kinesis_kms_stream.tf\",\n\t\t\t\"./testdata/rules/kinesis_kms_stream.yml\",\n\t\t\t1,\n\t\t\t\"KINESIS_STREAM_KMS\",\n\t\t},\n\t\t\"DmsEncryption\": {\n\t\t\t\"./testdata/resources/dms_endpoint_encryption.tf\",\n\t\t\t\"./testdata/rules/dms_endpoint_encryption.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"EmrClusterLogs\": {\n\t\t\t\"./testdata/resources/emr_cluster_logs.tf\",\n\t\t\t\"./testdata/rules/emr_cluster_logs.yml\",\n\t\t\t1,\n\t\t\t\"AWS_EMR_CLUSTER_LOGGING\",\n\t\t},\n\t\t\"KmsKeyRotation\": {\n\t\t\t\"./testdata/resources/kms_key_rotation.tf\",\n\t\t\t\"./testdata/rules/kms_key_rotation.yml\",\n\t\t\t1,\n\t\t\t\"AWS_KMS_KEY_ROTATION\",\n\t\t},\n\t\t\"SagemakerEndpoint\": {\n\t\t\t\"./testdata/resources/sagemaker_endpoint_encryption.tf\",\n\t\t\t\"./testdata/rules/sagemaker_endpoint_encryption.yml\",\n\t\t\t1,\n\t\t\t\"SAGEMAKER_ENDPOINT_ENCRYPTION\",\n\t\t},\n\t\t\"SagemakerNotebook\": {\n\t\t\t\"./testdata/resources/sagemaker_notebook_encryption.tf\",\n\t\t\t\"./testdata/rules/sagemaker_notebook_encryption.yml\",\n\t\t\t1,\n\t\t\t\"SAGEMAKER_NOTEBOOK_ENCRYPTION\",\n\t\t},\n\t\t\"TF12Variables\": {\n\t\t\t\"./testdata/resources/uses_tf12_variables.tf\",\n\t\t\t\"./testdata/rules/terraform_v12_variables.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"TF12ForLoop\": {\n\t\t\t\"./testdata/resources/tf12_for_loop.tf\",\n\t\t\t\"./testdata/rules/tf12_for_loop.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"TF12NullValue\": {\n\t\t\t\"./testdata/resources/nullable_value.tf\",\n\t\t\t\"./testdata/rules/nullable_value.yml\",\n\t\t\t0,\n\t\t\t\"\",\n\t\t},\n\t\t\"TF12DynamicBlock\": {\n\t\t\t\"./testdata/resources/dynamic_block.tf\",\n\t\t\t\"./testdata/rules/dynamic_block.yml\",\n\t\t\t1,\n\t\t\t\"NO_SSH_ACCESS\",\n\t\t},\n\t\t\"TF12Tagging\": {\n\t\t\t\"./testdata/resources/tagging.tf\",\n\t\t\t\"./testdata/rules/tagging.yml\",\n\t\t\t5,\n\t\t\t\"TAG_VALID\",\n\t\t},\n\t\t\"TF12ExplicitChar\": {\n\t\t\t\"./testdata/resources/explicit_chars.tf\",\n\t\t\t\"./testdata/rules/explicit_chars.yml\",\n\t\t\t1,\n\t\t\t\"CHECK_FOR_COLON\",\n\t\t},\n\t}\n\n\tfor name, tc := range testCases {\n\t\toptions := Options{\n\t\t\tTags: []string{},\n\t\t\tRuleIDs: []string{},\n\t\t}\n\t\tfilenames := []string{tc.ConfigurationFilename}\n\t\tlinter := FileLinter{Filenames: filenames, ValueSource: TestingValueSource{}, Loader: Terraform12ResourceLoader{}}\n\t\truleSet := loadRulesForTest(tc.RulesFilename, t)\n\t\treport, err := linter.Validate(ruleSet, options)\n\t\tif err != nil {\n\t\t\tt.Errorf(\"Expecting %s to return without an error: %s\", name, err.Error())\n\t\t}\n\t\tif len(report.FilesScanned) != 1 {\n\t\t\tt.Errorf(\"TestTerraformLinterCases scanned %d files, expecting 1\", len(report.FilesScanned))\n\t\t}\n\t\tif len(report.Violations) != tc.ExpectedViolationCount {\n\t\t\tt.Errorf(\"%s returned %d violations, expecting %d\", name, len(report.Violations), tc.ExpectedViolationCount)\n\t\t\tviolationsReported := getViolationsString(report.Violations)\n\t\t\tt.Errorf(\"\\nViolations: %v\", violationsReported)\n\t\t}\n\t\tif tc.ExpectedViolationRuleID != \"\" {\n\t\t\tassertViolationByRuleID(name, tc.ExpectedViolationRuleID, report.Violations, t)\n\t\t}\n\t}\n}\n\nfunc TestTerraform12FileFunctionMultiLineContent(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/reference_file_multi_line.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 2, \"Unexpected number of resources found\")\n\tproperties_1 := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties_1[\"test_value\"], \"multi\\nline\\nexample\", \"Unexpected value for bucket property\")\n\tproperties_2 := resources[1].Properties.(map[string]interface{})\n\tassert.Equal(t, properties_2[\"test_value2\"], properties_1[\"test_value\"], \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12FileFunctionResourceFileAbsolutePath(t *testing.T) {\n\tabsolutePath, _ := filepath.Abs(\"./testdata/resources/reference_file.tf\")\n\tresources := loadResources12ToTest(t, absolutePath)\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"bucket\"], \"example\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12FileFunctionTemplateFileFunction(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/template_file_function_basic.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"bucket\"], \"bucket-foo-example-bar\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12FileFunctionTemplateFileForLoop(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/template_file_function_for_loop.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"test_value\"], \"testing:foo\\ntesting:bar\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12FileFunctionTemplateFileConditional(t *testing.T) {\n\tallResources := loadResources12ToTest(t, \"./testdata/resources/template_file_function_conditional.tf\")\n\tresources := filterByCategory(t, allResources, \"resource\")\n\tassert.Equal(t, len(resources), 2, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"test_value\"], \"Foo\", \"Unexpected value for bucket property\")\n\tproperties2 := resources[1].Properties.(map[string]interface{})\n\tassert.Equal(t, properties2[\"test_value2\"], \"Bar\", \"Unexpected value for bucket property\")\n}\n\nfunc TestTerraform12FileFunctionReferenceFileAbsoultePath(t *testing.T) {\n\tpath, _ := os.Getwd()\n\tvar err error\n\tvar tempResourceFile *os.File\n\tvar tempReferenceFile *os.File\n\tvar tempResourceDir string\n\tvar tempReferenceDir string\n\n\ttempResourceDir, err = ioutil.TempDir(path, \"tf_resource\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\ttempReferenceDir, err = ioutil.TempDir(tempResourceDir, \"tf_reference\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\ttempResourceFile, err = ioutil.TempFile(tempResourceDir, \"test_resource.tf\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\ttempReferenceFile, err = ioutil.TempFile(tempReferenceDir, \"test_reference.txt\")\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\t// tempReferenceFile.Name() is returned as the Absolute Path of the temp reference file\n\ttf12ResourceContent := fmt.Sprintf(`resource \"aws_s3_bucket\" \"a_bucket\" {\n bucket = \"${file(\"%v\")}\"\n}\n`, tempReferenceFile.Name())\n\n\ttf12ReferenceContent := (`example\n`)\n\terr = ioutil.WriteFile(tempResourceFile.Name(), []byte(tf12ResourceContent), 0644)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\terr = ioutil.WriteFile(tempReferenceFile.Name(), []byte(tf12ReferenceContent), 0644)\n\tif err != nil {\n\t\tlog.Fatal(err)\n\t}\n\n\tresources := loadResources12ToTest(t, tempResourceFile.Name())\n\tassert.Equal(t, len(resources), 1, \"Unexpected number of resources found\")\n\tproperties := resources[0].Properties.(map[string]interface{})\n\tassert.Equal(t, properties[\"bucket\"], \"example\", \"Unexpected value for bucket property\")\n\tos.RemoveAll(tempResourceDir)\n\tos.RemoveAll(tempReferenceDir)\n}\n"
},
{
"path": "linter/testdata/data/bucket_name",
"content": "example\n"
},
{
"path": "linter/testdata/data/multi_line_content",
"content": "multi\nline\nexample\n"
},
{
"path": "linter/testdata/data/reference_relative.tf",
"content": "resource \"aws_s3_bucket\" \"a_bucket\" {\n bucket = \"${file(\"bucket_name\")}\"\n}\n"
},
{
"path": "linter/testdata/data/template_file_example_basic",
"content": "bucket-${var1}-example-${var2}\n"
},
{
"path": "linter/testdata/data/template_file_example_conditional",
"content": "%{ if test_var == \"Alpha\" }\nFoo\n%{ else }\nBar\n%{ endif ~}\n"
},
{
"path": "linter/testdata/data/template_file_example_for_loop",
"content": "%{ for word in words ~}\ntesting:${word}\n%{ endfor ~}\n"
},
{
"path": "linter/testdata/resources/batch_privileged.tf",
"content": "resource \"aws_batch_job_definition\" \"test\" {\n name = \"tf_test_batch_job_definition\"\n type = \"container\"\n container_properties = <= 0.12.0\"\n}\n\nvariable \"service_ports\" {\n default = [22, 80, 1433, 6379]\n}\n\nresource \"aws_security_group\" \"example\" {\n name = \"example\"\n\n dynamic \"ingress\" {\n for_each = var.service_ports\n content {\n from_port = ingress.value\n to_port = ingress.value\n protocol = \"tcp\"\n }\n }\n\n egress {\n from_port = 443\n to_port = 443\n protocol = \"tcp\"\n }\n}"
},
{
"path": "linter/testdata/resources/ec2_public.tf",
"content": "resource \"aws_subnet\" \"main\" {\n vpc_id = \"${aws_vpc.main.id}\"\n cidr_block = \"10.0.1.0/24\"\n\n tags = {\n Name = \"Main\"\n }\n}\n"
},
{
"path": "linter/testdata/resources/elasticache_encryption_rest.tf",
"content": "resource \"aws_elasticache_replication_group\" \"example\" {\n automatic_failover_enabled = true\n availability_zones = [\"us-west-2a\", \"us-west-2b\"]\n replication_group_id = \"tf-rep-group-1\"\n replication_group_description = \"test description\"\n node_type = \"cache.m4.large\"\n number_cache_clusters = 2\n parameter_group_name = \"default.redis3.2\"\n port = 6379\n\n lifecycle {\n ignore_changes = [\"number_cache_clusters\"]\n }\n}\n\nresource \"aws_elasticache_cluster\" \"replica\" {\n count = 1\n\n cluster_id = \"tf-rep-group-1-${count.index}\"\n replication_group_id = \"${aws_elasticache_replication_group.example.id}\"\n}\n"
},
{
"path": "linter/testdata/resources/elasticache_encryption_transit.tf",
"content": "resource \"aws_elasticache_replication_group\" \"example\" {\n automatic_failover_enabled = true\n availability_zones = [\"us-west-2a\", \"us-west-2b\"]\n replication_group_id = \"tf-rep-group-1\"\n replication_group_description = \"test description\"\n node_type = \"cache.m4.large\"\n number_cache_clusters = 2\n parameter_group_name = \"default.redis3.2\"\n port = 6379\n\n lifecycle {\n ignore_changes = [\"number_cache_clusters\"]\n }\n}\n\nresource \"aws_elasticache_cluster\" \"replica\" {\n count = 1\n\n cluster_id = \"tf-rep-group-1-${count.index}\"\n replication_group_id = \"${aws_elasticache_replication_group.example.id}\"\n}\n"
},
{
"path": "linter/testdata/resources/embedded_yaml.yml",
"content": "---\napiVersion: v1\nkind: ConfigMap\nmetadata:\n name: config\ndata:\n config1.yml: |-\n ---\n # this is an embedded YAML file\n foo:\n bar:\n key1: value\n key2: value\n unit_count: 1\n config2.yml: |-\n ---\n # another embedded YAML file\n logging:\n loglevel: INFO\n logformat: default\n---\napiVersion: 1\nkind: ConfigMap\nmetadata:\n name: config2\ndata:\n message: Hello\n"
},
{
"path": "linter/testdata/resources/empty_document.yml",
"content": "---\n#apiVersion: v1\n#kind: Pod\n#metadata:\n# name: web1\n# namespace: web\n#spec:\n# containers:\n# - name: nginx\n# image: nginx:1.7.9\n# ports:\n# - containerPort: 80\n---\napiVersion: v1\nkind: Pod\nmetadata:\n name: web2\n namespace: web\nspec:\n containers:\n - name: nginx\n image: nginx:1.7.9\n ports:\n - containerPort: 80\n---\n\n"
},
{
"path": "linter/testdata/resources/emr_cluster_logs.tf",
"content": "resource \"aws_emr_cluster\" \"cluster\" {\n name = \"emr-test-arn\"\n release_label = \"emr-4.6.0\"\n applications = [\"Spark\"]\n\n additional_info = <= 0.12.0\"\n}\n\nresource \"test_resource\" \"test\" {\n test_value = file(\"./testdata/data/multi_line_content\")\n}\n\nresource \"test_resource2\" \"test2\" {\n test_value2 = <= 0.12.0\"\n}\n\nvariable \"object_1\" {\n default = \"foo\"\n}\n\nvariable \"object_2\" {\n default = \"bar\"\n}\n\nresource \"aws_s3_bucket\" \"a_bucket\" {\n bucket = templatefile(\"./testdata/data/template_file_example_basic\", { var1 = var.object_1, var2 = var.object_2})\n}"
},
{
"path": "linter/testdata/resources/template_file_function_conditional.tf",
"content": "terraform {\n required_version = \">= 0.12.0\"\n}\n\nvariable \"var1\" {\n default = \"Alpha\"\n}\n\nvariable \"var2\" {\n default = \"Bravo\"\n}\n\nresource \"test_resource\" \"test\" {\n test_value = templatefile(\"./testdata/data/template_file_example_conditional\", { test_var = var.var1})\n}\n\nresource \"test_resource\" \"test2\" {\n test_value2 = templatefile(\"./testdata/data/template_file_example_conditional\", { test_var = var.var2})\n}"
},
{
"path": "linter/testdata/resources/template_file_function_for_loop.tf",
"content": "terraform {\n required_version = \">= 0.12.0\"\n}\n\nvariable \"words\" {\n default = [\"foo\", \"bar\"]\n}\n\nresource \"test\" \"test_resource\" {\n test_value = templatefile(\"./testdata/data/template_file_example_for_loop\", { words = var.words})\n}"
},
{
"path": "linter/testdata/resources/terraform_data.tf",
"content": "data \"template_file\" \"example\" {\n template = \"/example/template.json\"\n}\n"
},
{
"path": "linter/testdata/resources/terraform_inner_objects.tf",
"content": "data \"aws_kms_alias\" \"s3kmskey\" {\n name = \"alias/myKmsKey\"\n}\n\nresource \"aws_codepipeline\" \"foo\" {\n artifact_store = {\n encryption_key = {\n id = \"id\"\n type = \"KMS\"\n }\n }\n}"
},
{
"path": "linter/testdata/resources/terraform_instance.tf",
"content": "resource \"aws_instance\" \"first\" {\n ami = \"ami-f2d3638a\"\n instance_type = \"t2.micro\"\n}\n"
},
{
"path": "linter/testdata/resources/terraform_module.tf",
"content": "module \"test_module\" {\n source = \"./modules/foo\"\n name = \"counter_1\"\n count = 4\n}\n\nmodule \"test_module_with_description\" {\n source = \"./modules/foo\"\n name = \"counter_2\"\n description = \"here is a description\"\n}\n"
},
{
"path": "linter/testdata/resources/terraform_policy.tf",
"content": "resource \"aws_iam_role\" \"role1\" {\n name = \"role1\"\n assume_role_policy = <