terraform-linters / tflint-ruleset-aws Goto Github PK

View Code? Open in Web Editor NEW

322.0 7.0 70.0 6.65 MB

TFLint ruleset for terraform-provider-aws

License: Mozilla Public License 2.0

Makefile 0.01% Go 94.98% HCL 5.02%

tflint-ruleset tflint aws terraform

tflint-ruleset-aws's Introduction

TFLint Ruleset for terraform-provider-aws

TFLint ruleset plugin for Terraform AWS Provider

This ruleset focus on possible errors and best practices about AWS resources. Many rules are enabled by default and warn against code that might fail when running terraform apply, or clearly unrecommened.

Requirements

TFLint v0.42+
Go v1.22

Installation

You can install the plugin by adding a config to .tflint.hcl and running tflint --init:

plugin "aws" {
    enabled = true
    version = "0.32.0"
    source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

For more configuration about the plugin, see Plugin Configuration.

Getting Started

Terraform is a great tool for Infrastructure as Code. However, many of these tools don't validate provider-specific issues. For example, see the following configuration file:

resource "aws_instance" "foo" {
  ami           = "ami-0ff8a91507f77f867"
  instance_type = "t1.2xlarge" # invalid type!
}

Since t1.2xlarge is an invalid instance type, an error will occur when you run terraform apply. But terraform validate and terraform plan cannot find this possible error in advance. That's because it's an AWS provider-specific issue and it's valid as the Terraform Language.

The goal of this ruleset is to find such errors:

By running TFLint with this ruleset in advance, you can fix the problem before the error occurs in production CI/CD pipelines.

Rules

700+ rules are available. See Rules.

Building the plugin

Clone the repository locally and run the following command:

$ make

You can easily install the built plugin with the following:

$ make install

Note that if you install the plugin with make install, you must omit the version and source attributes in .tflint.hcl:

plugin "aws" {
    enabled = true
}

Add a new rule

If you are interested in adding a new rule to this ruleset, you can use the generator. Run the following command:

$ go run ./rules/generator

Follow the instructions to edit the generated files and open a new pull request.

tflint-ruleset-aws's People

Stargazers

Watchers

tflint-ruleset-aws's Issues

feat: detect iam policy documents greater or near 2048 maximum char limit

AWS has a max char limit on policies of 2048 chars. This isn't found on terraform plan but could be checked in tflint.

What do you think?

aws_cognito_user_pool checks

If you don't specify an email config, the aws_cognito_user_pool_invalid_email_verification_message check errors out on null reference

resource "aws_cognito_user_pool" "this" {
  count = var.create ? 0 : 1
  name  = "Foo"
}

Error:

Error: Failed to check `aws_cognito_user_pool_invalid_email_verification_message` rule: Failed to eval an expression in main.tf:##; Null condition: The condition value is null. Conditions must either be true or false.

Detect invalid attribute name in DynamoDB

The following keywords are reserved for use by DynamoDB. Do not use any of these words as attribute names in expressions.
Reserved Words in DynamoDB

feat: detect if security groups attempt to write more than 60 rules

Terraform plan doesn't catch this limitation but it would be nice if tflint could.

Installation failure—macOS—Failed to verify checksums

When following the directions in the README, I'm getting an error stating that there was a checksum mismatch.

.tflint.hcl:

plugin "aws" {
    enabled = true
    version = "0.7.0"
    source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

tflint --init output:

❯ TFLINT_LOG=debug tflint --init
12:25:43 config.go:105: [INFO] Load config: .tflint.hcl
12:25:43 config.go:324: [DEBUG] Config loaded
12:25:43 config.go:325: [DEBUG]   Module: false
12:25:43 config.go:326: [DEBUG]   Force: false
12:25:43 config.go:327: [DEBUG]   IgnoreModules: map[string]bool{}
12:25:43 config.go:328: [DEBUG]   Varfiles: []string{}
12:25:43 config.go:329: [DEBUG]   Variables: []string{}
12:25:43 config.go:330: [DEBUG]   DisabledByDefault: false
12:25:43 config.go:331: [DEBUG]   Rules: map[string]*tflint.RuleConfig{}
12:25:43 config.go:332: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{"aws":(*tflint.PluginConfig)(0xc0000c8080)}
Installing `aws` plugin...
12:25:43 install.go:80: [DEBUG] Mkdir plugin dir: /Users/brian.shacklett/.tflint.d/plugins/github.com/terraform-linters/tflint-ruleset-aws/0.7.0
12:25:43 install.go:153: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.7.0
12:25:44 install.go:160: [DEBUG] asset found: checksums.txt
12:25:44 install.go:160: [DEBUG] asset found: checksums.txt.sig
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_darwin_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_freebsd_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_linux_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_netbsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_openbsd_arm64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_386.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_amd64.zip
12:25:44 install.go:160: [DEBUG] asset found: tflint-ruleset-aws_windows_arm.zip
12:25:44 install.go:90: [DEBUG] Download checksums.txt
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504208
12:25:44 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-255622989
12:25:44 install.go:101: [DEBUG] Download checksums.txt.sig
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504692
12:25:44 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-344556616
12:25:44 install.go:116: [DEBUG] Verified signature successfully
12:25:44 install.go:119: [DEBUG] Download tflint-ruleset-aws_darwin_amd64.zip
12:25:44 install.go:176: [DEBUG] Request to https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/assets/43504240
12:25:47 install.go:194: [DEBUG] Downloaded to /var/folders/w3/llk_25v55mn1wk78cwbz66qm0000gq/T/tflint-download-temp-file-621248775
Failed to install a plugin. An error occurred:

Error: Failed to verify checksums: Failed to match checksums: expected=dc13dec45ed96e3e30d363015416bff1ac5b64334db2e24e66273418fd9d9bd8, actual=cff18d5b2498086d7dc1820f5e049f2b78a9fc611f12ff7f4d82326b31904cd1

Generate rules from Terraform provider

To avoid problems like terraform-linters/tflint#400, it would be useful to be able to automatically generate rules not only from aws-sdk but also from terraform provider code.

Since terraform-provider-aws is simple Go project, I think it is not difficult to parse and convert it to TFLint rule format.

Add support for STS-generated credentials

Happy New Year!

It seems that a shared credentials file containing STS-generated credentials cannot be currently used (as the SessionToken isn't passed to the S3 client).

Would it be possible to have this added?

P.S. I wasn't sure if I should submit here or against tflint-ruleset-aws. Let me know if I should move this issue :)

nodejs14.x runtime support

Hello team

May i know when the below nodejs14.x support will be available in tflint ?
currently i am getting aws_lambda_function_invalid_runtime error while using nodejs14.x with tflint 0.24.1
Thanks

https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/rules/models/aws_lambda_function_invalid_runtime.go#L32

Detect invalid attribute name in DynamoDB

The following keywords are reserved for use by DynamoDB. Do not use any of these words as attribute names in expressions.
Reserved Words in DynamoDB

aws_s3_bucket_name rule broken and documentation is incorrect

The rule doesn't run when enabled, and the regex example given is not valid.

TFLint version 0.23.0
+ ruleset.aws (0.1.1-bundled)

Example rule:

rule "aws_s3_bucket_name" {
  enabled = true
  regex = "[a-z\-]+"
  prefix = "my-org"
}

Error:

Failed to load TFLint config. 1 error(s) occurred:

Error: Invalid escape sequence

  on /opt/vsts/_work/3/s/.pipeline/config/tflint_config.hcl line 16:
  (source code not available)

The symbol "-" is not a valid escape sequence selector.`

Removing the "-" from the regex results in the following:

Error: Failed to check aws_s3_bucket_name rule: /opt/vsts/_work/1/s/.pipeline/config/tflint_config.hcl:15,3-10: Unsupported argument; An argument named "enabled" is not expected here.

Commenting out enabled line as a test:

Error: Missing required argument

  on /opt/vsts/_work/5/s/.pipeline/config/tflint_config.hcl line 14:
  (source code not available)

The argument "enabled" is required, but no definition was found.`

No rules are being loaded

I have downloaded and installed https://github.com/terraform-linters/tflint-ruleset-aws on .tflint.d/plugins/tflint-ruleset-aws.

$ tflint --version
TFLint version 0.24.1
+ ruleset.aws (0.2.1)

plugin "aws" {
    enabled = true
}

tflint --loglevel=debug -c .tflint.hcl terraform

14:33:36 config.go:96: [INFO] Load config: .tflint.hcl
14:33:36 config.go:311: [DEBUG] Config loaded
14:33:36 config.go:312: [DEBUG]   Module: false
14:33:36 config.go:313: [DEBUG]   Force: false
14:33:36 config.go:314: [DEBUG]   IgnoreModules: map[string]bool{}
14:33:36 config.go:315: [DEBUG]   Varfiles: []string{}
14:33:36 config.go:316: [DEBUG]   Variables: []string{}
14:33:36 config.go:317: [DEBUG]   DisabledByDefault: false
14:33:36 config.go:318: [DEBUG]   Rules: map[string]*tflint.RuleConfig{}
14:33:36 config.go:319: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{"aws":(*tflint.PluginConfig)(0xc0002eeb70)}
14:33:36 option.go:48: [DEBUG] CLI Options
14:33:36 option.go:49: [DEBUG]   Module: false
14:33:36 option.go:50: [DEBUG]   Force: false
14:33:36 option.go:51: [DEBUG]   IgnoreModules: map[string]bool{}
14:33:36 option.go:52: [DEBUG]   EnableRules: []string(nil)
14:33:36 option.go:53: [DEBUG]   DisableRules: []string(nil)
14:33:36 option.go:54: [DEBUG]   Only: []string(nil)
14:33:36 option.go:55: [DEBUG]   Varfiles: []string{}
14:33:36 option.go:56: [DEBUG]   Variables: []string{}
14:33:36 loader.go:57: [INFO] Initialize new loader
14:33:36 loader.go:82: [INFO] Load configurations under terraform
14:33:36 loader.go:90: [INFO] Module inspection is disabled. Building a root module without children...
14:33:36 loader.go:170: [INFO] Load values files
14:33:36 runner.go:50: [INFO] Initialize new runner for root
14:33:36 discovery.go:68: [INFO] Plugin `aws` found
14:33:36 provider.go:62: [INFO] Prepare rules
14:33:36 provider.go:90: [INFO]   3 rules enabled
14:33:36 terraform_module_pinned_source.go:81: [DEBUG] Walk `cloudwatch.source` attribute
14:33:36 terraform_module_pinned_source.go:81: [DEBUG] Walk `docs.source` attribute
14:33:36 terraform_module_pinned_source.go:81: [DEBUG] Walk `iam.source` attribute
14:33:36 terraform_module_pinned_source.go:81: [DEBUG] Walk `letsencrypt.source` attribute

Why are there only 3 rules loaded? I should be seeing the 700+ SDK rules being tested.

aws_iam_role_invalid_path should allow empty string

Problem statement

When writing a terraform module with a var.path as the IAM Role path the following error is thrown:

2 issue(s) found:

Error: path must be 1 characters or higher (aws_iam_role_invalid_path)

  on iam.tf line 38:
  38:   path               = var.path

Error: "" does not match valid pattern ^(\x{002F})|(\x{002F}[\x{0021}-\x{007F}]+\x{002F})$ (aws_iam_role_invalid_path)

  on iam.tf line 38:
  38:   path               = var.path

I believe that the regex pattern should be something like: (^(\x{002F})|(\x{002F}[\x{0021}-\x{007F}]+\x{002F})$|^$) to account for modules with variables that default to empty strings (which the provider will really default to /).

Version

TFLint version 0.23.1
+ ruleset.aws (0.1.2-bundled)

Got a failing use case even though this is a valid policy (notice the lack of `[]` in `Statement`):

Got a failing use case even though this is a valid policy (notice the lack of [] in Statement):

resource "aws_iam_policy" "failing" {
  name   = "failing"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }
}
EOF
}

resource "aws_iam_policy" "passing" {
  name   = "passing"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }]
}
EOF
}

Error messages:

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Version

TFLint version 0.32.1
+ ruleset.aws (0.7.1-bundled)

Originally posted by @kyblik in #149 (comment)

`aws_iam_policy_sid_invalid_characters` fails when policy isn't evaluable.

I have Terraform code of this form:

data "aws_iam_policy_document" "ecr_readonly" {
  statement {
    sid       = "authorization"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid = "pullimages"

    actions = [
      "ecr:ListImages",
      "ecr:GetDownloadUrlForLayer",
      "ecr:DescribeRepositories",
      "ecr:DescribeImages",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability"
    ]

    resources = [
      aws_ecr_repository.repo1.arn,
      aws_ecr_repository.repo2.arn
    ]
  }
}

resource "aws_iam_policy" "ecr_readonly" {
  name = join("-", [local.env, "ecr", "readonly"])
  path = join("/", ["", local.env, ""])

  policy = data.aws_iam_policy_document.ecr_readonly.json
}

When I run tflint 0.31.0 using tflint-ruleset-aws 0.7.0, it fails with this error:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: unexpected end of JSON input

Running with debug info, I see this:

...
2021-09-01T18:04:00.230-0700 [DEBUG] plugin.tflint-ruleset-aws: 2021/09/01 18:04:00 [DEBUG] Walk `aws_iam_policy.*.policy` attribute
18:04:00 runner_walk.go:36: [DEBUG] Walk `aws_iam_policy.repo2.policy` attribute
18:04:00 runner_walk.go:36: [DEBUG] Walk `aws_iam_policy.repo1.policy` attribute
18:04:00 runner_eval.go:73: [INFO] Unevaluable expression found in logging.tf:49. TFLint ignores unevaluable expressions.
Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: unexpected end of JSON input

It seems like this rule isn't prepared for condition where it doesn't have actual access to the policy document, perhaps?

Feat => v2:aws_resource_missing_tags errors when tags are provided via default_tags mechanism

I have the same needs reported in the issue #117.

In CI/CD scenario i need this tag rule to be followed anyway.

The provider block grants me the tags on all resources, but the risk of having those tags changed is medium/high.

Thanks!

error on commas in AWS Tag values

There's a formatting specification for Tag Keys and Values. One issue with applying some changes is that you are disallowed from using certain characters (notably the ,) in a Tag Value, and this is not being caught by tflint currently.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html#w2ab1c25c10d254c13c17

"r6i.large" is an invalid value as instance_type (aws_instance_invalid_type)

tflint is returning the following error for aws instance of type r6i.large
Error: "r6i.large" is an invalid value as instance_type (aws_instance_invalid_type)

~> tflint -v                                                                                                                                      AWS>[pip-prod]
TFLint version 0.34.1
~>

please support new instances from re:invent

this includes i4 family, c7g family, among others. right now we're needing to ignore the aws_launch_template_invalid_instance_type rule.

Not inspecting modules when doing so is enabled

Problem

AWS linting is not looking into modules when the --module argument is included. Vanilla tflint rules are checking the modules.

Have the following files:

.
├── main.tf
└── module
    └── main.tf

Contents of ./main.tf:

provider "aws" {
  region = "us-west-2"
}


module "derp" {
  source = "./module"
}

Contents of module/main.tf

resource "aws_instance" "derp" {
  ami = "ami-ssjjdisosos"
  instance_type = "t6.micro"
}

Command run:

tflint . --module

Expected Outcome

Throw an error due to the wrong instance_type.

Current Outcome

No errors or warnings found.

Additional notes:

If I move the aws_instance resource into the root main.tf it throws the error as expected.

tflint -v
TFLint version 0.28.1
+ ruleset.aws (0.4.0)

rules missing from documentation

https://github.com/terraform-linters/tflint-ruleset-aws/tree/master/docs/rules

aws_dynamodb_table_invalid_stream_view_type
aws_iam_group_policy_too_long
aws_iam_policy_sid_invalid_characters
aws_iam_policy_too_long_policy
aws_lambda_function_deprecated_runtime
aws_mq_broker_invalid_engine_type
aws_mq_configuration_invalid_engine_type
aws_s3_bucket_invalid_acl
aws_s3_bucket_invalid_region
aws_spot_fleet_request_invalid_excess_capacity_termination_policy

6/10 look converted from SDK-based validations: terraform-linters/tflint#728 (comment), think @Rihoj wrote the others

Could probably add an automatic check to enforce presence of rules in https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/rules/README.md.tmpl after adding those

tflint deep IAM policy

Hello, we want to run this in CI, and be able to also run the deep inspection, but its not clear what kind of IAM permissions are needed. We want to run this in CI, and grant it the least privileged IAM policy.

Thanks!

add_rule: aws_cloudfront_distribution with acm_certificate_arn not in us-east-1

CloudFront distributions can only be used with ACM certificates in us-east-1, which is a common gotcha.

It would be great (albeit a little tricky) if tflint could check if the certificate being passed to a CloudFront distribution is in the wrong region.

"m6a.large" is an invalid value as instance_type

tflint is throwing an error for the new instances types.

new instance types
m6a.xlarge
m6a.2xlarge
m6a.4xlarge
m6a.8xlarge
m6a.12xlarge
m6a.16xlarge
m6a.24xlarge
m6a.32xlarge
m6a.48xlarge

Also please do add the new EC2 Instance types powered by Arm-based AWS Graviton2 & Graviton3 processors.

aws_elasticache_replication_group same basic rules

It looks like aws_elasticache_replication_group could use some of the rules as aws_elasticache_cluster such as node type, default parameter group, etc. Is this of interest to the community?

aws_resource_missing_tags appears broken

I noticed there was an existing ticket about this rule, but I don't think they're related (I could be wrong).

After updating to tflint v0.23.1 and installing this module at v0.1.2 I am now seeing a large number of errors coming out of the aws_resource_missing_tags rule.

I have a rule created like this:

rule "aws_resource_missing_tags" {
  enabled = true
  tags = ["Environment", "Owner", "Terraform", "Name", "Type"]
  exclude = []
}

We are configuring tags using a merge operation with a variable that gets merged in:

variable "tags" {
  description = "A map of tags to use"
  type        = map(string)
  default     = {}
}
locals {
  tags = merge({
    Environment = "unknown"
    Owner       = "unknown"
    }, var.tags, {
    Type      = "cdn/cloudfront"
    Terraform = "true"
  })
}

This appears to fail this check with the following types of errors:

Error: Failed to check `aws_resource_missing_tags` rule: gob: type not registered for interface: map[string]string

Error: Failed to check `aws_resource_missing_tags` rule: gob: type not registered for interface: map[string]string

2021-01-17T02:43:33.850-0800 [WARN]  plugin: error closing client during Kill: err="unexpected EOF"
2021-01-17T02:43:33.850-0800 [WARN]  plugin: plugin failed to exit gracefully
2021-01-17T02:43:31.979-0800 [WARN]  plugin: error closing client during Kill: err="unexpected EOF"
2021-01-17T02:43:31.979-0800 [WARN]  plugin: plugin failed to exit gracefully

Error: Failed to check `aws_resource_missing_tags` rule: gob: type not registered for interface: []rules.awsAutoscalingGroupTag

2021-01-17T02:43:33.018-0800 [WARN]  plugin: error closing client during Kill: err="unexpected EOF"
2021-01-17T02:43:33.018-0800 [WARN]  plugin: plugin failed to exit gracefully

Maybe I'm doing something wrong, but I hope someone can either point me in the right direction or maybe I found a bug?

Rule request - "Model name must be alphanumeric" for aws_api_gateway_model

Detect that an AWS API Gateway model name is alphanumeric.

feat: aws route53 rules from trusted advisor

If a route53 record is pointing to an AWS resource (s3 website, cloudfront, elb) with type CNAME, can we automatically flag it to show that this could be potentially an alias (A), quad a (AAAA), or another type?

From trusted advisor:

Amazon Route 53 Alias Resource Record Sets

Checks for resource record sets that can be changed to alias resource record sets to improve performance and save money. An alias resource record set routes DNS queries to an AWS resource (for example, an Elastic Load Balancing load balancer or an Amazon S3 bucket) or to another Route 53 resource record set. When you use alias resource record sets, Route 53 routes your DNS queries to AWS resources free of charge.

Alert Criteria

Yellow: A resource record set is a CNAME to an Amazon S3 website.
Yellow: A resource record set is a CNAME to an Amazon CloudFront distribution.
Yellow: A resource record set is a CNAME to an Elastic Load Balancing load balancer.

Recommended Action

Replace the listed CNAME resource record sets with alias resource record sets; see Choosing Between Alias and Non-Alias Resource Record Sets. You also need to change the record type from CNAME to A or AAAA, depending on the AWS resource; see Values that You Specify When You Create or Edit Amazon Route 53 Resource Record Sets.

Add support for "AWS_LAMBDA" as a valid Transfer Server identity provider type

Rule: aws_transfer_server_invalid_identity_provider_type
Relates: hashicorp/terraform-provider-aws#22039.

ERROR: File "./website/docs/r/transfer_server.html.markdown", block #5 (lines 60-68):
1 issue(s) found:

Error: "AWS_LAMBDA" is an invalid value as identity_provider_type (aws_transfer_server_invalid_identity_provider_type)

  on /tmp/tmp.yB3PG06l1h/main.tf line 2:
   2:   identity_provider_type = "AWS_LAMBDA"

New Transfer Server identity provider type AWS_LAMBDA.

tflint-ruleset-aws - aws_route_not_specified_target

Hi,

I have an egress_only_gateway_id and it says that I don't have:
"Error: The routing target is not specified, each aws_route must contain either egress_only_gateway_id, gateway_id, instance_id, nat_gateway_id, network_interface_id, transit_gateway_id, vpc_peering_connection_id or vpc_endpoint_id. (aws_route_not_specified_target)"

code:

resource "aws_route" "public_egress_only_internet_gateway" {
  count = var.ipv6_enable && (length(var.public_subnets) > 0) && (var.egress_only_gateway != null) ? 1 : 0

  route_table_id              = aws_route_table.public[0].id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = var.egress_only_gateway

  timeouts {
    create = "5m"
  }
}

Using [tflint v0.31.0] https://github.com/terraform-linters/tflint

M1 (arm64) release?

Hey there,

Trying to set up tflint with this ruleset on an M1 Mac and running into this error:

Installing `aws` plugin...
Failed to install a plugin. An error occurred:

Error: Failed to download tflint-ruleset-aws_darwin_arm64.zip: file not found in the GitHub release. Does the release contain the file with the correct name ?

I'm guessing this is because goreleaser / the latest release isn't set up to build arm64 by default, though looks like it is supported upstream now: goreleaser/goreleaser#1952. Would you be open to a PR changing that config in the project?

Missing t4g node types for ElastiCache

#211

What command do I run to generate docs/rules/README.md?

I haven't really used generators before in my own projects, so:

What command do I run to generate https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/docs/rules/README.md

It looks like it has something to do with rules/models/generator/doc.go, but none of the reading I've done today has led me to a command which generates this file.

Tips?

aws_resource_missing_tags errors when tags are provided via default_tags mechanism

Aws have provided a new way of providing default tags through aws provider.

Right now those are ignored by aws_resource_missing_tags rule.

Would it be for the rule not to error if the tags are present in the provider?

Thank you

Rule aws_s3_bucket_name does work on module parameters

I have the following in place:

tflint-config:

plugin "aws" {
  enabled = true
  version = "0.8.0"
  source  = "github.com/terraform-linters/tflint-ruleset-aws"
}

config {
  module = true
}

rule "aws_s3_bucket_name" {
  enabled = true
  regex = "^[a-z\\-]+$"
  prefix = "my-prefix-"
}

Terrafrom "main-module":

module "my_bucket" {
  source = "../modules/s3"
  bucket_name = "my-new-bucket......" # <--- This is on purpose wrong!!!
}

The used Terraform-module:

resource "aws_s3_bucket" "bucket" {
  bucket = var.bucket_name # <-- This variable is defined in a "variables.tf" from within the module-directory
  acl    = "private"

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

When I now run "tflint" within the "main-modules"-directory I don't get any error even though the rule for "aws_s3_bucket_name" should produce an error as the value for "bucket_name" does not match die regex and the prefix of the rule. Changing "bucket" from within the module from "bucket = var.bucket_name" to something like "bucket = "foobar"" results in getting the expected error-message as the bucket-name does not adhere to the rule(s).

Version

$ tflint -v
TFLint version 0.33.1
+ ruleset.aws (0.8.0)
$ terraform -v
Terraform v1.0.10
on darwin_amd64
+ provider registry.terraform.io/hashicorp/aws v3.63.0

Failed to check aws_organizations_policy_invalid_content rule

When running tflint against the below snippet

resource "aws_organizations_policy" "policy" {
    name = "tags"
    description = "xyz"
    type = "TAG_POLICY"
    content = file("../${path.module}/tag-policies/x.json")
}

gives below mentioned error

$ tflint
18:07:55 server.go:418: rpc: gob error encoding body: gob: type not registered for interface: tfdiags.diagnosticsAsError
Failed to check ruleset. An error occurred:

Error: Failed to check `aws_organizations_policy_invalid_content` rule: reading body EOF

It looks like as if the type TAG_POLICY is not yet supported when the aws_organizations_policy_invalid_content ruleset is run.

Cognito user pool domain incorrectly rejects fully-qualified domains

The linting rules for the aws_cognito_user_pool_domain resource incorrectly restrict the domain attribute to consist only of the subdomain, but when specifying a fully-customized domain for a pool, you must specify the entire domain, including the root and its TLD.

Error example:

resource "aws_cognito_user_pool_domain" "zombo" {
  domain          = "zombocom.zombo.com"
  certificate_arn = "whatever"
  user_pool_id    = aws_cognito_user_pool.zombocom.id
}

Produces:

Error: "zombocom.zombo.com" does not match valid pattern ^[a-z0-9](?:[a-z0-9\-]{0,61}[a-z0-9])?$ (aws_cognito_user_pool_domain_invalid_domain)

rule: aws_iam_policy_document - Sid string check

Hi Community,

The plugin currently does not validates aws_iam_policy_document sid_string.
Based on AWS documentation basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value.

It would be great if there would be rule to check the sid_string.

Thanks,
Andor

Error when using aws_resource_missing_tags with module.

terraform init
tflint --module --config /path/validates.hcl

rule "aws_resource_missing_tags" {
  enabled = true
  tags = ["Name", "purpose"]
}

module "s3_bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"

  bucket = "my-s3-bucket"
  acl    = "private"

  versioning = {
    enabled = true
  }

}

tflint --module --config ./validate.hcl  --loglevel=trace
13:41:16 config.go:96: [INFO] Load config: ./validate.hcl
13:41:16 config.go:311: [DEBUG] Config loaded
13:41:16 config.go:312: [DEBUG]   Module: false
13:41:16 config.go:313: [DEBUG]   Force: false
13:41:16 config.go:314: [DEBUG]   IgnoreModules: map[string]bool{}
13:41:16 config.go:315: [DEBUG]   Varfiles: []string{}
13:41:16 config.go:316: [DEBUG]   Variables: []string{}
13:41:16 config.go:317: [DEBUG]   DisabledByDefault: false
13:41:16 config.go:318: [DEBUG]   Rules: map[string]*tflint.RuleConfig{"aws_resource_missing_tags":(*tflint.RuleConfig)(0xc000415800)}
13:41:16 config.go:319: [DEBUG]   Plugins: map[string]*tflint.PluginConfig{}
13:41:16 option.go:48: [DEBUG] CLI Options
13:41:16 option.go:49: [DEBUG]   Module: true
13:41:16 option.go:50: [DEBUG]   Force: false
13:41:16 option.go:51: [DEBUG]   IgnoreModules: map[string]bool{}
13:41:16 option.go:52: [DEBUG]   EnableRules: []string(nil)
13:41:16 option.go:53: [DEBUG]   DisableRules: []string(nil)
13:41:16 option.go:54: [DEBUG]   Only: []string(nil)
13:41:16 option.go:55: [DEBUG]   Varfiles: []string{}
13:41:16 option.go:56: [DEBUG]   Variables: []string{}
13:41:16 loader.go:57: [INFO] Initialize new loader
13:41:16 loader.go:68: [INFO] Module manifest file found. Initializing...
13:41:16 loader.go:291: [DEBUG] Parsing the module manifest file: {"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"s3_bucket","Source":"terraform-aws-modules/s3-bucket/aws","Version":"1.17.0","Dir":".terraform/modules/s3_bucket"}]}
13:41:16 loader.go:82: [INFO] Load configurations under .
13:41:16 loader.go:97: [INFO] Module inspection is enabled. Building a root module with children...
13:41:16 loader.go:273: [DEBUG] Trying to load the module: key=module.s3_bucket, version=1.17.0, dir=.terraform/modules/s3_bucket
13:41:16 loader.go:170: [INFO] Load values files
13:41:16 runner.go:50: [INFO] Initialize new runner for root
13:41:16 runner.go:50: [INFO] Initialize new runner for module.s3_bucket
13:41:16 inspect.go:48: [INFO] AWS provider requirements found. Enable the plugin `aws` automatically
13:41:16 discovery.go:54: [INFO] Plugin `aws` is not installed, but bundled plugins are available.
13:41:16 discovery.go:68: [INFO] Plugin `aws` found
13:41:16 provider.go:62: [INFO] Prepare rules
13:41:16 provider.go:90: [INFO]   3 rules enabled
13:41:16 terraform_deprecated_interpolation.go:48: [TRACE] Check `terraform_deprecated_interpolation` rule for `root` runner
13:41:16 terraform_module_pinned_source.go:72: [TRACE] Check `terraform_module_pinned_source` rule for `root` runner
13:41:16 terraform_module_pinned_source.go:81: [DEBUG] Walk `s3_bucket.source` attribute
13:41:16 terraform_workspace_remote.go:48: [TRACE] Check `terraform_workspace_remote` rule for `root` runner
13:41:16 runner_walk.go:36: [DEBUG] Walk `aws_s3_bucket.this.acl` attribute
13:41:16 runner_walk.go:36: [DEBUG] Walk `aws_s3_bucket.this.acceleration_status` attribute
13:41:16 runner_eval.go:137: [WARN] Null value found in .terraform/modules/s3_bucket/main.tf:9; TFLint ignores an expression includes an null value.
13:41:16 runner_walk.go:36: [DEBUG] Walk `aws_s3_bucket.this.request_payer` attribute
13:41:16 runner_eval.go:137: [WARN] Null value found in .terraform/modules/s3_bucket/main.tf:10; TFLint ignores an expression includes an null value.

Version

$ tflint -v
TFLint version 0.23.1
+ ruleset.aws (0.1.2-bundled)
$ terraform -v
Terraform v0.13.5

How can I solved this problem?

Incorrectly reported as Error: "db.r6g.8xlarge" is invalid instance type

TFLint version 0.30.0

ruleset.aws (0.6.0)

Incorrectly reported as Error: "db.r6g.8xlarge" is invalid instance type. (aws_db_instance_invalid_type)

Issue with EOF bracket in terraform code

With TFLint version 0.23 we have a issue with EOF bracket in our terraform code, the issue is :
Failed to check aws_iam_role_policy_invalid_policy rule: main.tf:37,4-4: Unterminated template string; No closing marker was found for the string.

 policy = <<-EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteSnapshot",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeAvailabilityZones",
        "ec2:DetachVolume",
        "ec2:ModifyVolume"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

This is also one example of the code where we have a issue with EOF bracket

  input = <<DOC
  {
        "ServerId":"${aws_transfer_server.sftp_server.id}"
        }
DOC

Here the name of the issue is :
Unterminated template string; No closing marker was found for the string.

So a different type of error that is related to the EOF bracket.

Version

$ tflint -v
TFLint version 0.23.0
+ ruleset.aws (0.1.1-bundled)
$ terraform -v
Terraform v0.12.2

Lint valid engine for RDS

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance

I'd like to lint if engine is valid.
Can I try it?

Rule aws_route_not_specified_target seems to be not working properly

Hi,

we have the following code:

...
resource "aws_route" "private_tgw_egress" {
  count = var.enable_nat_gateway == false && var.enable_transit_egress == true ? local.private_subnet_count : 0

  route_table_id         = element(aws_route_table.private.*.id, count.index)
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = var.transit_gateway_id

  timeouts {
    create = "5m"
  }

  depends_on = [aws_ec2_transit_gateway_vpc_attachment.this]
}
...

This result in the following error:

1 issue(s) found:

Error: The routing target is not specified, each aws_route must contain either egress_only_gateway_id, gateway_id, instance_id, nat_gateway_id, network_interface_id, transit_gateway_id, vpc_peering_connection_id or vpc_endpoint_id. (aws_route_not_specified_target)

  on main.tf line 330:
 330: resource "aws_route" "private_tgw_egress" {

Reference: https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.4.1/docs/rules/aws_route_not_specified_target.md

I think this is wrong because the parameter transit_gateway_id is specified:

I tried running tflint from VScode or shell but this does not change anything.

Version

Example:

$ tflint --version
TFLint version 0.29.1
+ ruleset.aws (0.4.3)
$ terraform version
Terraform v1.0.1

missing db.t4g.xxxx instance types

Not all rds instance types, mentioned on the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.DBInstanceClass.html#Concepts.DBInstanceClass.Types page are present

feat: warn on heredocs for specific resources like aws_iam_role

Using the resource aws_iam_role, I can create a role using

resource "aws_iam_role" "task_role" {
  name               = "ecs-${var.project}"
  path               = "/"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
  ...
  ]
}
EOF
}

or I can create one using the data source aws_iam_policy_document. I'd prefer using the data source because it's a lot cleaner and less error prone than using JSON.

Rule definition

rule "aws_resource_no_eof" {
  enabled = true
  include = [
    "aws_iam_role_policy",
    "aws_iam_role"
  ]
}

Tracks Lambda runtime deprecations

Not quite sure if we have the same, but in cloudformation linter, it has the deprecation warning linter

https://github.com/aws-cloudformation/cfn-python-lint/blob/master/src/cfnlint/data/AdditionalSpecs/LmbdRuntimeLifecycle.json

feat: Generic rule to prevent certain dangerous resources like aws_iam_policy_attachment

There is a large warning for the resource aws_iam_policy_attachment to use aws_iam_role_policy_attachment instead.

I'd like to prevent the first resource from getting into our infrastructure with an appropriate tflint rule. We could make it specific to this resource but I'd prefer a more generic one so if we find a future resource, we can simply add it to a list within the rule.

rule "terraform_denylisted_resources" {
  enabled = true

  resources = [
    "aws_iam_policy_attachment",
    "google_organization_iam_binding",
  ]

  # in case some upstream module refuses to remove xyz resource 
  # and you don't want to manage a fork
  allow_in_modules = true
}

Edit: @mveitas put in PR terraform-linters/tflint#769

Documentation for new `gov_friendly_arns` rules is misnamed

v.0.3.0 introduces three new GovCloud-friendly ARN rules, from PR #55,

aws_iam_policy_document_gov_friendly_arns
aws_iam_policy_gov_friendly_arns
aws_iam_role_policy_gov_friendly_arns

The documentation for these rules drops the _arns from the end.

aws_resource_missing_tags rule not working

It seems that the aws_resource_missing_tags does not trigger an error for missing tags if any of the tags are null, a variable, a datasource, or if the tags on a resource are referencing a map of tags set in locals?
Is this a known bug / limitation?
Any chance of fixing this?

Version

TFLint version 0.19.1
Terraform v0.13.2

Check that subnet CIDR are within VPC CIDR range(s)

I was testing tflint with some code the other days and while it catches a lot of things one thing that caught my attention is that I use VPC CIDR 10.30.0.0/16, but one of the subnet CIDR's is 10.35.5.0/24, and I am not getting any error about that. Can we somehow know if one of our subnets is mismatching the VPC CIDR.

Feature Request: EKS ServiceAccount Mapping Support

Hello, I'm attempting to run TFLint docker image within my EKS cluster (as a Jenkins job) and it doesn't seem to support assuming a role using AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE combination as provided by EKS/Kubernetes and the AWS IAM Service Role -> IAM Role Mapping. This support does work in. 0.13.x of Terraform, my validation steps are working fine now that I up graded from 0.12.29, but TFLint is now failing with permission issues as i suspect it is not assuming that role in the standard way the aws SDK supports.

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

terraform-linters / tflint-ruleset-aws Goto Github PK

tflint-ruleset-aws's Introduction

TFLint Ruleset for terraform-provider-aws

Requirements

Installation

Getting Started

Rules

Building the plugin

Add a new rule

tflint-ruleset-aws's People

Stargazers

Watchers

Forkers

tflint-ruleset-aws's Issues

Problem statement

Version

Problem

Expected Outcome

Current Outcome

Additional notes:

Amazon Route 53 Alias Resource Record Sets

Alert Criteria

Recommended Action

Version

Version

Version

Version

Version

Recommend Projects

Recommend Topics

Recommend Org