Merge pull request #29 from wata727/aws_elasticache_cluster_invalid_security_group

add invalid security group detector for ElastiCache

Author: wata727

detector/aws_elasticache_cluster_invalid_security_group.go

@@ -0,0 +1,76 @@
+package detector
+
+import (
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/hashicorp/hcl/hcl/token"
+	"github.com/wata727/tflint/issue"
+)
+
+type AwsElastiCacheClusterInvalidSecurityGroupDetector struct {
+	*Detector
+}
+
+func (d *Detector) CreateAwsElastiCacheClusterInvalidSecurityGroupDetector() *AwsElastiCacheClusterInvalidSecurityGroupDetector {
+	return &AwsElastiCacheClusterInvalidSecurityGroupDetector{d}
+}
+
+func (d *AwsElastiCacheClusterInvalidSecurityGroupDetector) Detect(issues *[]*issue.Issue) {
+	if !d.isDeepCheck("resource", "aws_elasticache_cluster") {
+		return
+	}
+
+	validSecurityGroups := map[string]bool{}
+	if d.ResponseCache.DescribeSecurityGroupsOutput == nil {
+		resp, err := d.AwsClient.Ec2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{})
+		if err != nil {
+			d.Logger.Error(err)
+			d.Error = true
+		}
+		d.ResponseCache.DescribeSecurityGroupsOutput = resp
+	}
+	for _, securityGroup := range d.ResponseCache.DescribeSecurityGroupsOutput.SecurityGroups {
+		validSecurityGroups[*securityGroup.GroupId] = true
+	}
+
+	for filename, list := range d.ListMap {
+		for _, item := range list.Filter("resource", "aws_elasticache_cluster").Items {
+			var varToken token.Token
+			var securityGroupTokens []token.Token
+			var err error
+			if varToken, err = hclLiteralToken(item, "security_group_ids"); err == nil {
+				securityGroupTokens, err = d.evalToStringTokens(varToken)
+				if err != nil {
+					d.Logger.Error(err)
+					continue
+				}
+			} else {
+				d.Logger.Error(err)
+				securityGroupTokens, err = hclLiteralListToken(item, "security_group_ids")
+				if err != nil {
+					d.Logger.Error(err)
+					continue
+				}
+			}
+
+			for _, securityGroupToken := range securityGroupTokens {
+				securityGroup, err := d.evalToString(securityGroupToken.Text)
+				if err != nil {
+					d.Logger.Error(err)
+					continue
+				}
+
+				if !validSecurityGroups[securityGroup] {
+					issue := &issue.Issue{
+						Type:    "ERROR",
+						Message: fmt.Sprintf("\"%s\" is invalid security group.", securityGroup),
+						Line:    securityGroupToken.Pos.Line,
+						File:    filename,
+					}
+					*issues = append(*issues, issue)
+				}
+			}
+		}
+	}
+}

detector/aws_elasticache_cluster_invalid_security_group_test.go

@@ -0,0 +1,101 @@
+package detector
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/golang/mock/gomock"
+	"github.com/wata727/tflint/awsmock"
+	"github.com/wata727/tflint/config"
+	"github.com/wata727/tflint/issue"
+)
+
+func TestDetectAwsElastiCacheClusterInvalidSecurityGroup(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Src      string
+		Response []*ec2.SecurityGroup
+		Issues   []*issue.Issue
+	}{
+		{
+			Name: "security group is invalid",
+			Src: `
+resource "aws_elasticache_cluster" "redis" {
+    security_group_ids = [
+        "sg-1234abcd",
+        "sg-abcd1234",
+    ]
+}`,
+			Response: []*ec2.SecurityGroup{
+				&ec2.SecurityGroup{
+					GroupId: aws.String("sg-12345678"),
+				},
+				&ec2.SecurityGroup{
+					GroupId: aws.String("sg-abcdefgh"),
+				},
+			},
+			Issues: []*issue.Issue{
+				&issue.Issue{
+					Type:    "ERROR",
+					Message: "\"sg-1234abcd\" is invalid security group.",
+					Line:    4,
+					File:    "test.tf",
+				},
+				&issue.Issue{
+					Type:    "ERROR",
+					Message: "\"sg-abcd1234\" is invalid security group.",
+					Line:    5,
+					File:    "test.tf",
+				},
+			},
+		},
+		{
+			Name: "security group is valid",
+			Src: `
+resource "aws_elasticache_cluster" "redis" {
+    security_group_ids = [
+        "sg-1234abcd",
+        "sg-abcd1234",
+    ]
+}`,
+			Response: []*ec2.SecurityGroup{
+				&ec2.SecurityGroup{
+					GroupId: aws.String("sg-1234abcd"),
+				},
+				&ec2.SecurityGroup{
+					GroupId: aws.String("sg-abcd1234"),
+				},
+			},
+			Issues: []*issue.Issue{},
+		},
+	}
+
+	for _, tc := range cases {
+		c := config.Init()
+		c.DeepCheck = true
+
+		awsClient := c.NewAwsClient()
+		ctrl := gomock.NewController(t)
+		defer ctrl.Finish()
+		ec2mock := awsmock.NewMockEC2API(ctrl)
+		ec2mock.EXPECT().DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{}).Return(&ec2.DescribeSecurityGroupsOutput{
+			SecurityGroups: tc.Response,
+		}, nil)
+		awsClient.Ec2 = ec2mock
+
+		var issues = []*issue.Issue{}
+		TestDetectByCreatorName(
+			"CreateAwsElastiCacheClusterInvalidSecurityGroupDetector",
+			tc.Src,
+			c,
+			awsClient,
+			&issues,
+		)
+
+		if !reflect.DeepEqual(issues, tc.Issues) {
+			t.Fatalf("Bad: %s\nExpected: %s\n\ntestcase: %s", issues, tc.Issues, tc.Name)
+		}
+	}
+}

detector/detector.go

@@ -46,6 +46,7 @@ var detectors = map[string]string{
 	"aws_elasticache_cluster_default_parameter_group": "CreateAwsElastiCacheClusterDefaultParameterGroupDetector",
 	"aws_elasticache_cluster_invalid_parameter_group": "CreateAwsElastiCacheClusterInvalidParameterGroupDetector",
 	"aws_elasticache_cluster_invalid_subnet_group":    "CreateAwsElastiCacheClusterInvalidSubnetGroupDetector",
+	"aws_elasticache_cluster_invalid_security_group":  "CreateAwsElastiCacheClusterInvalidSecurityGroupDetector",
 }
 
 func NewDetector(listMap map[string]*ast.ObjectList, c *config.Config) (*Detector, error) {

docs/README.md

@@ -45,3 +45,4 @@ If you have enabled deep check, you can check if nonexistent values ​​are no
 - AWS ElastiCache Cluster
     - aws_elasticache_cluster_invalid_parameter_group
     - aws_elasticache_cluster_invalid_subnet_group
+    - aws_elasticache_cluster_invalid_security_group