feat: azurerm_eventhub_namespace_public_network_access_enabled takes …
…network_rulesets into account (#18)
pregress authored Nov 14, 2024
1 parent 6921ef0 commit ccf7f4f
Showing 2 changed files with 109 additions and 22 deletions.
68 changes: 52 additions & 16 deletions rules/azurerm_eventhub_namespace_public_network_access_enabled.go
Expand Up @@ -47,37 +47,73 @@ func (r *AzurermEventhubNamespacePublicNetworkAccessEnabled) Check(runner tflint
Attributes: []hclext.AttributeSchema{
{Name: r.attributeName},
},
Blocks: []hclext.BlockSchema{
{
Type: "network_rulesets",
Body: &hclext.BodySchema{
Attributes: []hclext.AttributeSchema{
{Name: "default_action"},
},
},
},
},
}, nil)
if err != nil {
return err
}

for _, resource := range resources.Blocks {
// Check if the `public_network_access_enabled` attribute exists and its value
attribute, exists := resource.Body.Attributes[r.attributeName]
publicNetworkEnabled := false
if !exists {
// Emit an issue if the attribute does not exist
runner.EmitIssue(
r,
"public_network_access_enabled is not defined and defaults to true, consider disabling it",
resource.DefRange,
)
continue
publicNetworkEnabled = true
} else {
if err := runner.EvaluateExpr(attribute.Expr, &publicNetworkEnabled, nil); err != nil {
return err
}

if !publicNetworkEnabled {
return nil
}
}

err := runner.EvaluateExpr(attribute.Expr, func(val bool) error {
if val {
// Check network_rulesets block when `public_network_access_enabled` is true
if publicNetworkEnabled {
issueEmitted := false
for _, block := range resource.Body.Blocks {
if block.Type == "network_rulesets" {
actionAttr, exists := block.Body.Attributes["default_action"]
if exists {
var defaultAction string
if err := runner.EvaluateExpr(actionAttr.Expr, &defaultAction, nil); err != nil {
return err
}
if defaultAction == "Allow" {
runner.EmitIssue(
r,
"public_network_access_enabled is true and network_rulesets block with default_action = Allow, Consider changing the default_action to deny",
actionAttr.Expr.Range(),
)
issueEmitted = true
} else {
return nil
}
}
}
}

if !issueEmitted {
runner.EmitIssue(
r,
"Consider changing public_network_access_enabled to false",
attribute.Expr.Range(),
"public_network_access_enabled is not defined and defaults to true, consider disabling it or add network_rulesets block with default_action = Deny",
resource.DefRange,
)
continue
}
return nil
}, nil)

if err != nil {
return err
}


}

return nil
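Review bot: The two `return nil` statements inside the resource loop — the `if !publicNetworkEnabled { return nil }` branch and the `else { return nil }` of the `defaultAction == "Allow"` check — exit Check entirely, so as soon as one azurerm_eventhub_namespace is compliant every later resource in the same module is skipped and its findings are silently lost; both should advance to the next resource instead (`continue` for the first, and a `handled = true` flag for the second so the fallback issue fires only when no network_rulesets block decided the case). Related: the fallback issue reuses the text `public_network_access_enabled is not defined and defaults to true …` even when the attribute is explicitly set to true (the first test case in the test file expects exactly that), so the message should depend on `exists`. The test file has no case with two namespace resources in one file, which is what would have exposed the early returns. Check's signature and the start of its body lie above the hunk.
```go
// … unchanged: attribute lookup and EvaluateExpr for public_network_access_enabled …
if !publicNetworkEnabled {
	continue // this namespace is compliant; keep checking the remaining resources
}
handled := false
for _, block := range resource.Body.Blocks {
	if block.Type != "network_rulesets" {
		continue
	}
	actionAttr, exists := block.Body.Attributes["default_action"]
	if !exists {
		continue
	}
	var defaultAction string
	if err := runner.EvaluateExpr(actionAttr.Expr, &defaultAction, nil); err != nil {
		return err
	}
	if defaultAction == "Allow" {
		// … unchanged: EmitIssue for default_action = Allow …
	}
	// Allow was reported above; any other value is treated as compliant.
	// Either way the fallback issue below must not fire for this resource.
	handled = true
}
if !handled {
	// … unchanged: fallback EmitIssue on resource.DefRange …
}
```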
Expand Up @@ -14,32 +14,32 @@ func Test_AzurermEventhubNamespacePublicNetworkAccessEnabled(t *testing.T) {
Expected helper.Issues
}{
{
Name: "public network access disabled",
Name: "public network access enabled",
Content: `
resource "azurerm_eventhub_namespace" "example" {
public_network_access_enabled = true
}`,
Expected: helper.Issues{
{
Rule: NewAzurermEventhubNamespacePublicNetworkAccessEnabled(),
Message: "Consider changing public_network_access_enabled to false",
Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it or add network_rulesets block with default_action = Deny",
Range: hcl.Range{
Filename: "resource.tf",
Start: hcl.Pos{Line: 3, Column: 37},
End: hcl.Pos{Line: 3, Column: 41},
Start: hcl.Pos{Line: 2, Column: 1},
End: hcl.Pos{Line: 2, Column: 48},
},
},
},
},
{
Name: "public network access missing",
Name: "public network access missing and network_rulesets missing",
Content: `
resource "azurerm_eventhub_namespace" "example" {
}`,
Expected: helper.Issues{
{
Rule: NewAzurermEventhubNamespacePublicNetworkAccessEnabled(),
Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it",
Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it or add network_rulesets block with default_action = Deny",
Range: hcl.Range{
Filename: "resource.tf",
Start: hcl.Pos{Line: 2, Column: 1},
Expand All @@ -48,11 +48,62 @@ resource "azurerm_eventhub_namespace" "example" {
},
},
},
{
Name: "public network access missing and network_rulesets empty",
Content: `
resource "azurerm_eventhub_namespace" "example" {
network_rulesets {
}
}`,
Expected: helper.Issues{
{
Rule: NewAzurermEventhubNamespacePublicNetworkAccessEnabled(),
Message: "public_network_access_enabled is not defined and defaults to true, consider disabling it or add network_rulesets block with default_action = Deny",
Range: hcl.Range{
Filename: "resource.tf",
Start: hcl.Pos{Line: 2, Column: 1},
End: hcl.Pos{Line: 2, Column: 48},
},
},
},
},
{
Name: "public network access enabled and network_rulesets default action allow",
Content: `
resource "azurerm_eventhub_namespace" "example" {
public_network_access_enabled = true
network_rulesets {
default_action = "Allow"
}
}`,
Expected: helper.Issues{
{
Rule: NewAzurermEventhubNamespacePublicNetworkAccessEnabled(),
Message: "public_network_access_enabled is true and network_rulesets block with default_action = Allow, Consider changing the default_action to deny",
Range: hcl.Range{
Filename: "resource.tf",
Start: hcl.Pos{Line: 5, Column: 23},
End: hcl.Pos{Line: 5, Column: 30},
},
},
},
},
{
Name: "public network access disabled",
Content: `
resource "azurerm_eventhub_namespace" "example" {
public_network_access_enabled = false
}`,
Expected: helper.Issues{},
},
{
Name: "public network access enabled and network_rulesets default action deny",
Content: `
resource "azurerm_eventhub_namespace" "example" {
public_network_access_enabled = true
network_rulesets {
default_action = "Deny"
}
}`,
Expected: helper.Issues{},
},