
Commit 68e8939

committed
feat: update for auto gen
1 parent 13da514 commit 68e8939


7 files changed

+418
-202
lines changed


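--- /dev/null
+++ b/rules/aws_write_only_arguments.go
@@ -0,0 +1,137 @@
+package rules
+
+import (
+"fmt"
+
+"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+"github.com/terraform-linters/tflint-ruleset-aws/project"
+"github.com/zclconf/go-cty/cty"
+)
+
+// AwsWriteOnlyArgumentsRule checks if a write-only argument is available for sensitive input attributes
+type AwsWriteOnlyArgumentsRule struct {
+tflint.DefaultRule
+
+writeOnlyArguments map[string][]writeOnlyArgument
+}
+
+type writeOnlyArgument struct {
+originalAttribute string
+writeOnlyAlternative string
+}
+
+// NewAwsWriteOnlyArgumentsRule returns new rule with default attributes
+func NewAwsWriteOnlyArgumentsRule() *AwsWriteOnlyArgumentsRule {
+writeOnlyArguments := map[string][]writeOnlyArgument{
+"aws_db_instance": {
+{
+originalAttribute: "password",
+writeOnlyAlternative: "password_wo",
+},
+},
+"aws_docdb_cluster": {
+{
+originalAttribute: "master_password",
+writeOnlyAlternative: "master_password_wo",
+},
+},
+"aws_rds_cluster": {
+{
+originalAttribute: "master_password",
+writeOnlyAlternative: "master_password_wo",
+},
+},
+"aws_redshift_cluster": {
+{
+originalAttribute: "master_password",
+writeOnlyAlternative: "master_password_wo",
+},
+},
+"aws_redshiftserverless_namespace": {
+{
+originalAttribute: "admin_user_password",
+writeOnlyAlternative: "admin_user_password_wo",
+},
+},
+"aws_secretsmanager_secret_version": {
+{
+originalAttribute: "secret_string",
+writeOnlyAlternative: "secret_string_wo",
+},
+},
+"aws_ssm_parameter": {
+{
+originalAttribute: "value",
+writeOnlyAlternative: "value_wo",
+},
+},
+}
+return &AwsWriteOnlyArgumentsRule{
+writeOnlyArguments: writeOnlyArguments,
+}
+}
+
+// Name returns the rule name
+func (r *AwsWriteOnlyArgumentsRule) Name() string {
+return "aws_write_only_arguments"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsWriteOnlyArgumentsRule) Enabled() bool {
+return false
+}
+
+// Severity returns the rule severity
+func (r *AwsWriteOnlyArgumentsRule) Severity() tflint.Severity {
+return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsWriteOnlyArgumentsRule) Link() string {
+return project.ReferenceLink(r.Name())
+}
+
+// Check checks whether the sensitive attribute exists
+func (r *AwsWriteOnlyArgumentsRule) Check(runner tflint.Runner) error {
+for resourceType, attributes := range r.writeOnlyArguments {
+for _, resourceAttribute := range attributes {
+resources, err := runner.GetResourceContent(resourceType, &hclext.BodySchema{
+Attributes: []hclext.AttributeSchema{
+{Name: resourceAttribute.originalAttribute},
+},
+}, nil)
+if err != nil {
+return err
+}
+
+for _, resource := range resources.Blocks {
+attribute, exists := resource.Body.Attributes[resourceAttribute.originalAttribute]
+if !exists {
+continue
+}
+
+err := runner.EvaluateExpr(attribute.Expr, func(val cty.Value) error {
+if !val.IsNull() {
+if err := runner.EmitIssueWithFix(
+r,
+fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument \"%s\".", resourceAttribute.originalAttribute, resourceAttribute.writeOnlyAlternative),
+attribute.Expr.Range(),
+func(f tflint.Fixer) error {
+return f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+},
+); err != nil {
+return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
+}
+}
+return nil
+}, nil)
+if err != nil {
+return err
+}
+}
+}
+}
+
+return nil
+}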
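Review bot: The autofix in Check only renames the argument via `f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)`, so the fixed configuration keeps the same value expression under the new name and, as far as I recall, still lacks the companion `<name>_wo_version` argument the provider pairs with a write-only value, which means `--fix` output may not validate until the user adds it. Either the message should say so, e.g. `Please use write-only argument "%s" together with its version argument.`, or the fix should be left to the user, and the rule's doc comment should note that migrating the argument does not remove the value already persisted in state (that needs a rotation the rule cannot perform). `range r.writeOnlyArguments` walks a map, so resource types are visited in random order; iterating a sorted key list keeps runs deterministic. The bare `return err` after GetResourceContent and EvaluateExpr carries no context, unlike the wrapped EmitIssueWithFix error; `return fmt.Errorf("evaluating %s.%s: %w", resourceType, resourceAttribute.originalAttribute, err)` would tell the user which resource failed. Nothing here covers a value that is a `sensitive` variable reference, the common shape for these attributes, so whether the callback runs in that case should be confirmed against the SDK.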

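--- a/rules/aws_write_only_argurments_test.go
+++ b/rules/aws_write_only_arguments_test.go
@@ -3,7 +3,6 @@ package rules
 import (
 "testing"
 
-hcl "github.com/hashicorp/hcl/v2"
 "github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
 
@@ -15,101 +14,85 @@ func Test_AwsWriteOnlyAttribute(t *testing.T) {
 Fixed string
 }{
 {
-Name: "basic aws_secretsmanager_secret_version",
+Name: "basic aws_db_instance",
 Content: `
-resource "aws_secretsmanager_secret_version" "test" {
-secret_string = "test"
+resource "aws_db_instance" "test" {
+password = "test"
 }
 `,
 Expected: helper.Issues{
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
-Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "secret_string_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 19},
-End: hcl.Pos{Line: 3, Column: 25},
-},
+Message: `"password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "password_wo".`,
 },
 },
 Fixed: `
-resource "aws_secretsmanager_secret_version" "test" {
-secret_string_wo = "test"
+resource "aws_db_instance" "test" {
+password_wo = "test"
 }
 `,
 },
 {
-Name: "everything is fine aws_secretsmanager_secret_version",
+Name: "everything is fine aws_db_instance",
 Content: `
-resource "aws_secretsmanager_secret_version" "test" {
-secret_string_wo = "test"
+resource "aws_db_instance" "test" {
+password_wo = "test"
 }
 `,
 Expected: helper.Issues{},
 },
 {
-Name: "basic aws_rds_cluster",
+Name: "basic aws_docdb_cluster",
 Content: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
 master_password = "test"
 }
 `,
 Expected: helper.Issues{
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
 Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 21},
-End: hcl.Pos{Line: 3, Column: 27},
-},
 },
 },
 Fixed: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
 master_password_wo = "test"
 }
 `,
 },
 {
-Name: "everything is fine aws_rds_cluster",
+Name: "everything is fine aws_docdb_cluster",
 Content: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
 master_password_wo = "test"
 }
 `,
 Expected: helper.Issues{},
 },
-
 {
-Name: "basic aws_db_instance",
+Name: "basic aws_rds_cluster",
 Content: `
-resource "aws_db_instance" "test" {
-password = "test"
+resource "aws_rds_cluster" "test" {
+master_password = "test"
 }
 `,
 Expected: helper.Issues{
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
-Message: `"password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "password_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 14},
-End: hcl.Pos{Line: 3, Column: 20},
-},
+Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
 },
 },
 Fixed: `
-resource "aws_db_instance" "test" {
-password_wo = "test"
+resource "aws_rds_cluster" "test" {
+master_password_wo = "test"
 }
 `,
 },
 {
-Name: "everything is fine aws_db_instance",
+Name: "everything is fine aws_rds_cluster",
 Content: `
-resource "aws_db_instance" "test" {
-password_wo = "test"
+resource "aws_rds_cluster" "test" {
+master_password_wo = "test"
 }
 `,
 Expected: helper.Issues{},
@@ -125,11 +108,6 @@ resource "aws_redshift_cluster" "test" {
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
 Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 21},
-End: hcl.Pos{Line: 3, Column: 27},
-},
 },
 },
 Fixed: `
@@ -148,68 +126,57 @@ resource "aws_redshift_cluster" "test" {
 Expected: helper.Issues{},
 },
 {
-Name: "basic aws_docdb_cluster",
+Name: "basic aws_redshiftserverless_namespace",
 Content: `
-resource "aws_docdb_cluster" "test" {
-master_password = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+admin_user_password = "test"
 }
 `,
 Expected: helper.Issues{
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
-Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 21},
-End: hcl.Pos{Line: 3, Column: 27},
-},
+Message: `"admin_user_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "admin_user_password_wo".`,
 },
 },
 Fixed: `
-resource "aws_docdb_cluster" "test" {
-master_password_wo = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+admin_user_password_wo = "test"
 }
 `,
 },
 {
-Name: "everything is fine aws_docdb_cluster",
+Name: "everything is fine aws_redshiftserverless_namespace",
 Content: `
-resource "aws_docdb_cluster" "test" {
-master_password_wo = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+admin_user_password_wo = "test"
 }
 `,
 Expected: helper.Issues{},
 },
-
 {
-Name: "basic aws_redshiftserverless_namespace",
+Name: "basic aws_secretsmanager_secret_version",
 Content: `
-resource "aws_redshiftserverless_namespace" "test" {
-admin_password = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+secret_string = "test"
 }
 `,
 Expected: helper.Issues{
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
-Message: `"admin_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "admin_password_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 20},
-End: hcl.Pos{Line: 3, Column: 26},
-},
+Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "secret_string_wo".`,
 },
 },
 Fixed: `
-resource "aws_redshiftserverless_namespace" "test" {
-admin_password_wo = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+secret_string_wo = "test"
 }
 `,
 },
 {
-Name: "everything is fine aws_redshiftserverless_namespace",
+Name: "everything is fine aws_secretsmanager_secret_version",
 Content: `
-resource "aws_redshiftserverless_namespace" "test" {
-admin_password_wo = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+secret_string_wo = "test"
 }
 `,
 Expected: helper.Issues{},
@@ -225,14 +192,8 @@ resource "aws_ssm_parameter" "test" {
 {
 Rule: NewAwsWriteOnlyArgumentsRule(),
 Message: `"value" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "value_wo".`,
-Range: hcl.Range{
-Filename: "resource.tf",
-Start: hcl.Pos{Line: 3, Column: 11},
-End: hcl.Pos{Line: 3, Column: 17},
-},
 },
 },
-
 Fixed: `
 resource "aws_ssm_parameter" "test" {
 value_wo = "test"
@@ -259,7 +220,7 @@ resource "aws_ssm_parameter" "test" {
 if err := rule.Check(runner); err != nil {
 t.Fatalf("Unexpected error occurred: %s", err)
 }
-helper.AssertIssues(t, tc.Expected, runner.Issues)
+helper.AssertIssuesWithoutRange(t, tc.Expected, runner.Issues)
 
 want := map[string]string{}
 if tc.Fixed != "" {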
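Review bot: Switching to `helper.AssertIssuesWithoutRange(t, tc.Expected, runner.Issues)` in the last hunk drops position verification from every case at once, so a regression in the range passed to EmitIssueWithFix, which is what the fixer and editor integrations key on, would no longer be caught; keeping `Range` on one case per message shape and asserting it with `helper.AssertIssues` would retain that check at little cost. Every case uses a literal string value, so nothing exercises the shapes real configurations have (a `var.` reference, a variable marked `sensitive`, or an explicit `null`), and those are exactly the paths where the rule's `IsNull` branch and the runner's handling of unknown or sensitive values decide whether an issue is raised at all. The enclosing test function and its case table start and end outside the hunks.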
