generated from terraform-linters/tflint-ruleset-template
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* feat: function rules * main branch for linter * Add lint to makefile * Format makefile * lint ---------
- Loading branch information
Showing
28 changed files
with
1,397 additions
and
86 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,46 @@ | ||
| # Rules | ||
|
|
||
| ## azurerm_key_vault | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_key_vault_public_network_access_enabled|Consider disabling public network access on keyvaults. |NOTICE|✔|| | ||
|
|
||
| ## azurerm_linux_function_app | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_linux_function_app_ftps_state|Disable sftp to a linux function app |WARNING|✔|| | ||
| |azurerm_linux_function_app_https_only|Force all traffic over https |WARNING|✔|| | ||
| |azurerm_linux_function_app_minimum_tls_version|Enforce TLS 1.2 on linux function apps |WARNING|✔|| | ||
|
|
||
| ## azurerm_linux_web_app | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_linux_web_app_ftps_state|Disable sftp to a linux web app |WARNING|✔|| | ||
| |azurerm_linux_web_app_https_only|Force all traffic over https |WARNING|✔|| | ||
| |azurerm_linux_web_app_minimum_tls_version|Enforce TLS 1.2 on linux web apps |WARNING|✔|| | ||
|
|
||
| ## azurerm_mssql_database | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|WARNING|✔|| | ||
|
|
||
| ## azurerm_storage_account | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_storage_account_public_network_access_enabled|Consider disabling public network access on storage accounts. |NOTICE|✔|| | ||
| |azurerm_storage_account_tls_version|Enforce TLS 1.2 on storage accounts |WARNING|✔|| | ||
|
|
||
| ## azurerm_windows_function_app | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_windows_function_app_ftps_state|Disable sftp to a windows function app |WARNING|✔|| | ||
| |azurerm_windows_function_app_https_only|Force all traffic over https |WARNING|✔|| | ||
| |azurerm_windows_function_app_minimum_tls_version|Enforce TLS 1.2 on windows function apps |WARNING|✔|| | ||
|
|
||
|
|
||
| ## azurerm_windows_web_app | ||
| |Name|Description|Severity|Enabled|Link| | ||
| | --- | --- | --- | --- | --- | | ||
| |azurerm_windows_web_app_ftps_state|Disable sftp to a windows web app |WARNING|✔|| | ||
| |azurerm_windows_web_app_https_only|Force all traffic over https |WARNING|✔|| | ||
| |azurerm_windows_web_app_minimum_tls_version|Enforce TLS 1.2 on windows web apps |WARNING|✔|| | ||
| |azurerm_windows_web_app_minimum_tls_version|Enforce TLS 1.2 on windows web apps |WARNING|✔|| |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,105 @@ | ||
| package rules | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "strings" | ||
|
|
||
| "github.com/terraform-linters/tflint-plugin-sdk/hclext" | ||
| "github.com/terraform-linters/tflint-plugin-sdk/tflint" | ||
| ) | ||
|
|
||
| // AzurermLinuxFunctionAppFtpsState checks that ftps_state is set to "Disabled" | ||
| type AzurermLinuxFunctionAppFtpsState struct { | ||
| tflint.DefaultRule | ||
|
|
||
| resourceType string | ||
| attributePath []string | ||
| expectedValue string | ||
| } | ||
|
|
||
| // NewAzurermLinuxFunctionAppFtpsState returns a new rule instance | ||
| func NewAzurermLinuxFunctionAppFtpsState() *AzurermLinuxFunctionAppFtpsState { | ||
| return &AzurermLinuxFunctionAppFtpsState{ | ||
| resourceType: "azurerm_linux_function_app", | ||
| attributePath: []string{"site_config", "ftps_state"}, | ||
| expectedValue: "Disabled", | ||
| } | ||
| } | ||
|
|
||
| // Name returns the rule name | ||
| func (r *AzurermLinuxFunctionAppFtpsState) Name() string { | ||
| return "azurerm_linux_function_app_ftps_state" | ||
| } | ||
|
|
||
| // Enabled returns whether the rule is enabled by default | ||
| func (r *AzurermLinuxFunctionAppFtpsState) Enabled() bool { | ||
| return true | ||
| } | ||
|
|
||
| // Severity returns the rule severity | ||
| func (r *AzurermLinuxFunctionAppFtpsState) Severity() tflint.Severity { | ||
| return tflint.WARNING | ||
| } | ||
|
|
||
| // Link returns the rule reference link | ||
| func (r *AzurermLinuxFunctionAppFtpsState) Link() string { | ||
| return "" | ||
| } | ||
|
|
||
| // Check verifies that ftps_state is set to "Disabled" | ||
| func (r *AzurermLinuxFunctionAppFtpsState) Check(runner tflint.Runner) error { | ||
| resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{ | ||
| Blocks: []hclext.BlockSchema{ | ||
| { | ||
| Type: "site_config", | ||
| Body: &hclext.BodySchema{ | ||
| Attributes: []hclext.AttributeSchema{ | ||
| {Name: "ftps_state"}, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| }, nil) | ||
| if err != nil { | ||
| return err | ||
| } | ||
|
|
||
| for _, resource := range resources.Blocks { | ||
| siteConfigBlocks := resource.Body.Blocks.OfType("site_config") | ||
| if len(siteConfigBlocks) == 0 { | ||
| runner.EmitIssue( | ||
| r, | ||
| "site_config block is missing, ftps_state should be set to Disabled", | ||
| resource.DefRange, | ||
| ) | ||
| continue | ||
| } | ||
|
|
||
| siteConfig := siteConfigBlocks[0] | ||
| attribute, exists := siteConfig.Body.Attributes["ftps_state"] | ||
| if !exists { | ||
| runner.EmitIssue( | ||
| r, | ||
| "ftps_state is missing in site_config, should be set to Disabled", | ||
| siteConfig.DefRange, | ||
| ) | ||
| continue | ||
| } | ||
|
|
||
| err := runner.EvaluateExpr(attribute.Expr, func(val string) error { | ||
| if !strings.EqualFold(val, r.expectedValue) { | ||
| runner.EmitIssue( | ||
| r, | ||
| fmt.Sprintf("ftps_state is set to %s, should be set to Disabled", val), | ||
| attribute.Expr.Range(), | ||
| ) | ||
| } | ||
| return nil | ||
| }, nil) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } | ||
|
|
||
| return nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| package rules | ||
|
|
||
| import ( | ||
| "testing" | ||
|
|
||
| hcl "github.com/hashicorp/hcl/v2" | ||
| "github.com/terraform-linters/tflint-plugin-sdk/helper" | ||
| ) | ||
|
|
||
| func Test_AzurermLinuxFunctionAppFtpsState(t *testing.T) { | ||
| tests := []struct { | ||
| Name string | ||
| Content string | ||
| Expected helper.Issues | ||
| }{ | ||
| { | ||
| Name: "ftps_state not set to Disabled", | ||
| Content: ` | ||
| resource "azurerm_linux_function_app" "example" { | ||
| site_config { | ||
| ftps_state = "FtpsOnly" | ||
| } | ||
| }`, | ||
| Expected: helper.Issues{ | ||
| { | ||
| Rule: NewAzurermLinuxFunctionAppFtpsState(), | ||
| Message: "ftps_state is set to FtpsOnly, should be set to Disabled", | ||
| Range: hcl.Range{ | ||
| Filename: "resource.tf", | ||
| Start: hcl.Pos{ | ||
| Line: 4, | ||
| Column: 22, | ||
| }, | ||
| End: hcl.Pos{ | ||
| Line: 4, | ||
| Column: 32, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| { | ||
| Name: "ftps_state set to disabled (lowercase)", | ||
| Content: ` | ||
| resource "azurerm_linux_function_app" "example" { | ||
| site_config { | ||
| ftps_state = "disabled" | ||
| } | ||
| }`, | ||
| Expected: helper.Issues{}, | ||
| }, | ||
| { | ||
| Name: "ftps_state set to DISABLED (uppercase)", | ||
| Content: ` | ||
| resource "azurerm_linux_function_app" "example" { | ||
| site_config { | ||
| ftps_state = "DISABLED" | ||
| } | ||
| }`, | ||
| Expected: helper.Issues{}, | ||
| }, | ||
| { | ||
| Name: "ftps_state attribute missing", | ||
| Content: ` | ||
| resource "azurerm_linux_function_app" "example" { | ||
| site_config { | ||
| } | ||
| }`, | ||
| Expected: helper.Issues{ | ||
| { | ||
| Rule: NewAzurermLinuxFunctionAppFtpsState(), | ||
| Message: "ftps_state is missing in site_config, should be set to Disabled", | ||
| Range: hcl.Range{ | ||
| Filename: "resource.tf", | ||
| Start: hcl.Pos{ | ||
| Line: 3, | ||
| Column: 5, | ||
| }, | ||
| End: hcl.Pos{ | ||
| Line: 3, | ||
| Column: 16, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| { | ||
| Name: "site_config block missing", | ||
| Content: ` | ||
| resource "azurerm_linux_function_app" "example" { | ||
| }`, | ||
| Expected: helper.Issues{ | ||
| { | ||
| Rule: NewAzurermLinuxFunctionAppFtpsState(), | ||
| Message: "site_config block is missing, ftps_state should be set to Disabled", | ||
| Range: hcl.Range{ | ||
| Filename: "resource.tf", | ||
| Start: hcl.Pos{ | ||
| Line: 2, | ||
| Column: 1, | ||
| }, | ||
| End: hcl.Pos{ | ||
| Line: 2, | ||
| Column: 48, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
|
|
||
| rule := NewAzurermLinuxFunctionAppFtpsState() | ||
|
|
||
| for _, test := range tests { | ||
| t.Run(test.Name, func(t *testing.T) { | ||
| runner := helper.TestRunner(t, map[string]string{"resource.tf": test.Content}) | ||
|
|
||
| if err := rule.Check(runner); err != nil { | ||
| t.Fatalf("Unexpected error occurred: %s", err) | ||
| } | ||
|
|
||
| helper.AssertIssues(t, test.Expected, runner.Issues) | ||
| }) | ||
| } | ||
| } |
Oops, something went wrong.