From 3e1440ca6bdcf59ad42ae4f87532814c4df31034 Mon Sep 17 00:00:00 2001
From: TommyE123
Date: Sun, 23 Jun 2024 17:43:10 +0100
Subject: [PATCH 1/6] TFLint - improvements
---
 CHANGELOG.md | 1 +
 TEMPLATES/.tflint.hcl | 31 +++++++++++--------
 .../terraform.megalinter-descriptor.yml | 3 ++
 3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5e4675c2d37..93a9629f9bd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -31,6 +31,7 @@ Note: Can be used with `oxsecurity/megalinter@beta` in your GitHub Action mega-l
 - [Powershell](https://github.com/PowerShell/PSScriptAnalyzer#readme) added missing schema property `POWERSHELL_POWERSHELL_FORMATTER_OUTPUT_ENCODING`
 - [tflint](https://github.com/terraform-linters/tflint) added missing schema property `TERRAFORM_TFLINT_SECURED_ENV`
 - [xmllint](https://gitlab.gnome.org/GNOME/libxml2/-/wikis/home) added missing schema properties `XML_XMLLINT_AUTOFORMAT` and `XML_XMLLINT_INDENT`
+ - [tflint](https://github.com/terraform-linters/tflint) fixed deprecated argument and other improvements to default `.tflint.hcl` template
 - Doc
diff --git a/TEMPLATES/.tflint.hcl b/TEMPLATES/.tflint.hcl
index 977138664d9..af2aa18aa50 100644
--- a/TEMPLATES/.tflint.hcl
+++ b/TEMPLATES/.tflint.hcl
@@ -1,24 +1,29 @@
-// https://github.com/terraform-linters/tflint/blob/master/docs/guides/config.md
+// https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/config.md
+
 config {
- module = false
+ call_module_type = "local"
 force = false
 }
-plugin "aws" {
+plugin "terraform" {
 enabled = true
- version = "0.32.0"
- source = "github.com/terraform-linters/tflint-ruleset-aws"
- deep_check = false
+ preset = "recommended"
 }
-rule "aws_instance_invalid_type" {
- enabled = false
+plugin "azurerm" {
+ enabled = true
+ version = "0.26.0"
+ source = "github.com/terraform-linters/tflint-ruleset-azurerm"
 }
-rule "aws_instance_previous_type" {
- enabled = false
+plugin "aws" {
+ enabled = true
+ version = "0.32.0"
+ source = "github.com/terraform-linters/tflint-ruleset-aws"
 }
-rule "terraform_required_providers" {
- enabled = false
-}
\ No newline at end of file
+plugin "google" {
+ enabled = true
+ version = "0.29.0"
+ source = "github.com/terraform-linters/tflint-ruleset-google"
+}
diff --git a/megalinter/descriptors/terraform.megalinter-descriptor.yml b/megalinter/descriptors/terraform.megalinter-descriptor.yml
index ecada0f3ea6..4a80474ec7e 100644
--- a/megalinter/descriptors/terraform.megalinter-descriptor.yml
+++ b/megalinter/descriptors/terraform.megalinter-descriptor.yml
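Review bot: The rewritten template carries no comment explaining that the three provider `plugin` blocks make `tflint --init` download rulesets from GitHub releases at run time, which is the reason the descriptor has to hint at `GITHUB_TOKEN`; a header line such as `// Provider rulesets are fetched from GitHub at 'tflint --init'; keep versions pinned and bump them deliberately.` would make that supply-chain dependency visible to anyone copying the template. It would also help to annotate the renamed key with `call_module_type = "local" // replaces the deprecated 'module' argument` so a reader does not wonder where `module = false` went. The exact version pins on the azurerm, aws and google plugins are the right choice for reproducible downloads and should stay exact rather than become ranges.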
@@ -23,6 +23,9 @@ linters:
 linter_rules_inline_disable_url: https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/annotations.md
 linter_text: |
 > If you are using the GitHub action please use the `TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN` to prevent plugin download issues
+
+ Note: It's recommended to create your own `.tflint.hcl` custom config file tailored to your project's specific needs.
+ The default configuration enables all supported languages and rules, which may not be optimal for every project.
 linter_icon_png_url: https://raw.githubusercontent.com/oxsecurity/megalinter/main/docs/assets/icons/linters/tflint.png
 cli_lint_mode: project
 config_file_name: .tflint.hcl
From c3c56de9328dc9a774d63202912ef6be22c8435b Mon Sep 17 00:00:00 2001
From: Tom Eley
Date: Sun, 23 Jun 2024 17:02:46 +0000
Subject: [PATCH 2/6] updated tflint documentation
---
 docs/descriptors/terraform_tflint.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/docs/descriptors/terraform_tflint.md b/docs/descriptors/terraform_tflint.md
index a77067d249b..36adfffa774 100644
--- a/docs/descriptors/terraform_tflint.md
+++ b/docs/descriptors/terraform_tflint.md
@@ -9,6 +9,9 @@ description: How to use tflint (configure, ignore files, ignore errors, help & v
 > If you are using the GitHub action please use the `TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN` to prevent plugin download issues
+Note: It's recommended to create your own `.tflint.hcl` custom config file tailored to your project's specific needs.
+The default configuration enables all supported languages and rules, which may not be optimal for every project.
+
 ## tflint documentation
 - Version in MegaLinter: **0.51.1**
From 182bcfc85061afc871bfcbd47851bc06cb3df99e Mon Sep 17 00:00:00 2001
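Review bot: The added sentence "enables all supported languages and rules" overstates what the template in this same series does: it enables the bundled terraform plugin's `recommended` preset plus the AWS, Azure and Google rulesets, and these are provider rulesets rather than languages. A user reading "all rules" may assume security-oriented checks are on that tflint does not provide. I would write `The default configuration enables the terraform "recommended" preset plus the AWS, Azure and Google provider rulesets, which may be more than your project needs and triggers a plugin download for each.` so the text matches the shipped `.tflint.hcl`; the same wording is duplicated into `docs/descriptors/terraform_tflint.md` in the next commit and should be kept in sync.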
From: Tom
Date: Sun, 23 Jun 2024 19:11:45 +0100
Subject: [PATCH 3/6] updated tflint tests
---
 .../test/terraform/good/terraform_good_1.tf | 29 ++++++++++-----
 .../test/terraform/good/terraform_good_2.tf | 35 ++++++++++++++-----
 .../test/terraform/good/terraform_good_3.tf | 30 ++++++++++++++++
 3 files changed, 76 insertions(+), 18 deletions(-)
 create mode 100644 .automation/test/terraform/good/terraform_good_3.tf
diff --git a/.automation/test/terraform/good/terraform_good_1.tf b/.automation/test/terraform/good/terraform_good_1.tf
index fbfef93e814..f162bfdf50f 100644
--- a/.automation/test/terraform/good/terraform_good_1.tf
+++ b/.automation/test/terraform/good/terraform_good_1.tf
@@ -1,17 +1,28 @@
 terraform {
- required_version = ">= 1.2.5"
+ required_version = ">= 1.8.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 5.55.0" # https://registry.terraform.io/providers/hashicorp/aws/latest
+ }
+ }
 }
-resource "aws_instance" "good" {
- required_version = ">= 0.15.0"
- ami = "ami-0ff8a91507f77f867"
- instance_type = "t2.small"
- associate_public_ip_address = false
+provider "aws" {
+ region = "us-west-2"
+}
- vpc_security_group_ids = ["sg-12345678901234567"]
+resource "aws_s3_bucket" "example" {
+ bucket = "my-tf-test-bucket-${random_id.bucket_suffix.hex}"
+}
- ebs_block_device {
- encrypted = true
+resource "aws_s3_bucket_versioning" "example" {
+ bucket = aws_s3_bucket.example.id
+ versioning_configuration {
+ status = "Enabled"
 }
 }
+resource "random_id" "bucket_suffix" {
+ byte_length = 4
+}
diff --git a/.automation/test/terraform/good/terraform_good_2.tf b/.automation/test/terraform/good/terraform_good_2.tf
index fbfef93e814..e62ab84c598 100644
--- a/.automation/test/terraform/good/terraform_good_2.tf
+++ b/.automation/test/terraform/good/terraform_good_2.tf
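Review bot: The new `random_id.bucket_suffix` resource pulls in the `hashicorp/random` provider, but the added `required_providers` block declares only `aws`, so the provider is resolved implicitly with no source or version constraint — exactly the situation tflint's `terraform_required_providers` rule (part of the `recommended` preset enabled in this series) is meant to catch, and I suspect it is why a later commit in the series disables that rule. A "good" fixture should pin every provider it uses: add `random = { source = "hashicorp/random", version = ">= 3.6.0" }` next to the `aws` entry. That keeps the fixture passing with the rule left on and makes the example reproducible.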
@@ -1,17 +1,34 @@
 terraform {
- required_version = ">= 1.2.5"
+ required_version = ">= 1.8.5"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.109.0" # https://registry.terraform.io/providers/hashicorp/azurerm/latest
+ }
+ }
 }
-resource "aws_instance" "good" {
- required_version = ">= 0.15.0"
- ami = "ami-0ff8a91507f77f867"
- instance_type = "t2.small"
- associate_public_ip_address = false
+provider "azurerm" {
+ features {}
+}
- vpc_security_group_ids = ["sg-12345678901234567"]
+resource "azurerm_resource_group" "example" {
+ name = "example-resources"
+ location = "East US"
+}
- ebs_block_device {
- encrypted = true
+resource "azurerm_storage_account" "example" {
+ name = "storageacc${random_id.suffix.hex}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ account_tier = "Standard"
+ account_replication_type = "GRS"
+
+ tags = {
+ environment = "staging"
 }
 }
+resource "random_id" "suffix" {
+ byte_length = 8
+}
diff --git a/.automation/test/terraform/good/terraform_good_3.tf b/.automation/test/terraform/good/terraform_good_3.tf
new file mode 100644
index 00000000000..b0370f7dedb
--- /dev/null
+++ b/.automation/test/terraform/good/terraform_good_3.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_version = ">= 1.8.5"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.34.0" # https://registry.terraform.io/providers/hashicorp/google/latest
+ }
+ }
+}
+
+provider "google" {
+ project = "my-project-id"
+ region = "us-central1"
+}
+
+resource "google_storage_bucket" "example" {
+ name = "my-bucket-${random_id.suffix.hex}"
+ location = "US"
+ force_destroy = true
+
+ uniform_bucket_level_access = true
+
+ versioning {
+ enabled = true
+ }
+}
+
+resource "random_id" "suffix" {
+ byte_length = 4
+}
From 02ed1e9f02d68b2f419dcafd898616f8d1e1bd52 Mon Sep 17 00:00:00 2001
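Review bot: As in the AWS fixture, `random_id.suffix` uses the `hashicorp/random` provider while `required_providers` only lists `azurerm`, so the provider has no declared source or version constraint in a file that is supposed to be the clean reference. Add `random = { source = "hashicorp/random", version = ">= 3.6.0" }` alongside the `azurerm` entry so the fixture satisfies `terraform_required_providers` without needing the rule switched off. Separately, a storage account presented as "good" would read better with `min_tls_version = "TLS1_2"` set explicitly, though tflint itself will not flag its absence.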
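Review bot: `force_destroy = true` in the new `google_storage_bucket.example` lets a destroy run delete the bucket together with every object in it, which is a risky default to ship in a fixture that other users may copy as the "good" example; it is also irrelevant to what tflint checks here, so `force_destroy = false` (or dropping the line) loses nothing. The file also uses `random_id.suffix` without declaring the `random` provider in `required_providers`, the same gap as in the other two good fixtures; `random = { source = "hashicorp/random", version = ">= 3.6.0" }` fixes that. `uniform_bucket_level_access = true` and bucket versioning are good choices and worth keeping.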
From: Tom
Date: Sun, 23 Jun 2024 19:13:43 +0100
Subject: [PATCH 4/6] spaces
---
 megalinter/descriptors/terraform.megalinter-descriptor.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/megalinter/descriptors/terraform.megalinter-descriptor.yml b/megalinter/descriptors/terraform.megalinter-descriptor.yml
index 4a80474ec7e..ec423209ab6 100644
--- a/megalinter/descriptors/terraform.megalinter-descriptor.yml
+++ b/megalinter/descriptors/terraform.megalinter-descriptor.yml
@@ -48,6 +48,7 @@ linters:
 ARG TFLINT_VERSION=0.51.1
 - FROM ghcr.io/terraform-linters/tflint:v${TFLINT_VERSION} as tflint
 - COPY --link --from=tflint /usr/local/bin/tflint /usr/bin/
+
 # TERRASCAN
 - class: TerrascanLinter
 linter_name: terrascan
@@ -88,6 +89,7 @@ linters:
 dockerfile:
 - FROM tenable/terrascan:1.18.11 as terrascan
 - COPY --link --from=terrascan /go/bin/terrascan /usr/bin/
+
 # TERRAGRUNT
 - linter_name: terragrunt
 name: TERRAFORM_TERRAGRUNT
@@ -122,6 +124,7 @@ linters:
 dockerfile:
 - FROM alpine/terragrunt:latest as terragrunt
 - COPY --link --from=terragrunt /usr/local/bin/terragrunt /usr/bin/
+
 # TERRAFORM_FMT
 - linter_name: terraform-fmt
 name: TERRAFORM_TERRAFORM_FMT
From 275eb126e00ff6f74c44d4c9650dcf4360233384 Mon Sep 17 00:00:00 2001
From: Tom
Date: Sun, 23 Jun 2024 21:27:59 +0100
Subject: [PATCH 5/6] added rule "terraform_required_providers"
---
 TEMPLATES/.tflint.hcl | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/TEMPLATES/.tflint.hcl b/TEMPLATES/.tflint.hcl
index af2aa18aa50..ca59901b9f1 100644
--- a/TEMPLATES/.tflint.hcl
+++ b/TEMPLATES/.tflint.hcl
@@ -27,3 +27,7 @@ plugin "google" {
 version = "0.29.0"
 source = "github.com/terraform-linters/tflint-ruleset-google"
 }
+
+rule "terraform_required_providers" {
+ enabled = false
+}
From ef32fafdbc5b1c9333167c6676b3a9592bd2eceb Mon Sep 17 00:00:00 2001
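Review bot: Disabling `terraform_required_providers` in the shipped default template turns off the one check in the `recommended` preset that forces every provider to carry a `source` and version constraint — the pinning guard that protects users from silently pulling an unpinned provider from the registry. The commit gives no reason, and the only motive visible in this series is that the new good fixtures use `random_id` without declaring the `random` provider; fixing those fixtures is the better outcome than weakening the default for every MegaLinter user. If the block has to stay, it needs a comment stating why, e.g. `// disabled: <reason> — re-enable once fixtures declare all providers`, so it is not mistaken for a recommended setting.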
From: TommyE123
Date: Mon, 24 Jun 2024 18:06:54 +0100
Subject: [PATCH 6/6] Added bad tests
---
 .../test/terraform/bad/terraform_bad_1.tf | 30 ++++++++++++-----
 .../test/terraform/bad/terraform_bad_2.tf | 33 ++++++++++++++-----
 .../test/terraform/bad/terraform_bad_3.tf | 30 +++++++++++++++++
 3 files changed, 75 insertions(+), 18 deletions(-)
 create mode 100644 .automation/test/terraform/bad/terraform_bad_3.tf
diff --git a/.automation/test/terraform/bad/terraform_bad_1.tf b/.automation/test/terraform/bad/terraform_bad_1.tf
index 8d4a1f96a44..34863c19c49 100644
--- a/.automation/test/terraform/bad/terraform_bad_1.tf
+++ b/.automation/test/terraform/bad/terraform_bad_1.tf
@@ -1,16 +1,28 @@
 terraform {
- required_version = ">= 1.2.5"
+ required_version = ">= 1.8.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version ">= 5.55.0" # https://registry.terraform.io/providers/hashicorp/aws/latest
+ }
+ }
+}
+
+provider "aws" {
+ region = "us-west-2"
 }
-resource "aws_instance" "bad" {
- instance_type = "t2.small"
- associate_public_ip_address = false
+resource "aws_s3_bucket" "example" {
+ bucket = "my-tf-test-bucket-${random_id.bucket_suffix.hex}"
+}
- murf = "cupcake8"
+resource "aws_s3_bucket_versioning" "example"
+ bucket = aws_s3_bucket.example.id
+ versioning_configuration {
+ status = "Enabled"
- ebs_block_device {
- encrypted = true
- wesh = false
- }
 }
+resource "bucket_suffix" {
+ byte_length = 4
+}
diff --git a/.automation/test/terraform/bad/terraform_bad_2.tf b/.automation/test/terraform/bad/terraform_bad_2.tf
index 3449f18bb77..99121ef6f25 100644
--- a/.automation/test/terraform/bad/terraform_bad_2.tf
+++ b/.automation/test/terraform/bad/terraform_bad_2.tf
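Review bot: This fixture stacks HCL syntax errors (`version ">= 5.55.0"` with no `=`, `resource "aws_s3_bucket_versioning" "example"` with no opening `{`, unbalanced braces) on top of a semantic one (`resource "bucket_suffix"` with a single label), and as far as I know tflint aborts at the first parse failure, so none of the AWS ruleset pinned in the template is ever exercised by the "bad" path. That means a broken or missing plugin download would go unnoticed by this test. I would keep this file as the pure syntax-error case and add a second, syntactically valid fixture that violates an `aws_*` rule — for example an `aws_instance` with `instance_type = "t2.invalid"` — so the plugin and rule path is covered too.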
@@ -1,18 +1,33 @@
 terraform {
- required_version = ">= 1.2.5"
+ required_version = ">= 1.8.5"
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 3.109.0 # https://registry.terraform.io/providers/hashicorp/azurerm/latest "
+ }
+ }
 }
-resource "aws_instance" "bad" {
- ami = "ami-0ff8a91507f77f867"
- associate_public_ip_address = false
+provider "azurerm" {
+}
- vpc_security_group_ids = ["sg-12345678901234567"]
+resource "azurerm_resource_group" "example" {
+ name = "example-resources"
+ location = "East US"
+}
- murf = "cupcake"
+resource "azurerm_storage_account" "example" {
+ name = "storageacc${random_id.suffix.hex}"
+ resource_group_name = azurerm_resource_group.example.name
+location = azurerm_resource_group.example.location
+ account_tier_wrong = "Standard"
+ account_replication_type = "GRS"
- ebs_block_device {
- encrypted = true
- wesh2 = false
+ tags = {
+ environment = "staging"
 }
 }
+resource "random_id" "suffix" {
+ byte_length = 8
+}
diff --git a/.automation/test/terraform/bad/terraform_bad_3.tf b/.automation/test/terraform/bad/terraform_bad_3.tf
new file mode 100644
index 00000000000..19f8e9e5103
--- /dev/null
+++ b/.automation/test/terraform/bad/terraform_bad_3.tf
@@ -0,0 +1,30 @@
+terraform {
+ # required_version = ">= 1.8.5"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.34.0" # https://registry.terraform.io/providers/hashicorp/google/latest
+ }
+ }
+}
+
+provide "google" {
+ project = "my-project-id"
+ region = "us-central1"
+}
+
+resource "google_storage_bucket" "example" {
+ name = "my-bucket-${random_id.suffix}"
+location = NotValid
+ force_destroy=true
+
+ uniform_bucket_level_access = Any
+
+ versioning {
+ enabled = true
+ }
+}
+
+resource "random_id suffix" {
+ byte_length = 4
+}
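Review bot: Unlike the other two bad fixtures, this file looks like syntactically valid HCL: `">= 3.109.0 # https://... "` is just a string with a comment inside it, the unindented `location` line is legal, `provider "azurerm" {}` without `features {}` is a `terraform init`-time error rather than a lint finding, and `account_tier_wrong` is an unknown argument that tflint does not validate against the provider schema as far as I know. It is therefore worth confirming that tflint actually reports a failure here, otherwise this "bad" case may pass and the suite would not notice. A reliable trigger would be a value the azurerm ruleset does validate, or a missing `required_version`, which the `recommended` preset's `terraform_required_version` rule flags.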
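Review bot: `provide "google"` is an unknown top-level block and `resource "random_id suffix"` has only one label, so this file fails at configuration load; the remaining deliberate faults (`location = NotValid`, `uniform_bucket_level_access = Any`, the commented-out `required_version`, the `random_id.suffix` reference without `.hex`) are never reached, which makes the fixture a single parse-error test rather than a check of the Google ruleset. If the intent is to exercise `tflint-ruleset-google`, consider moving the load-time errors into their own file and leaving this one syntactically valid with rule-level faults only. A one-line header comment such as `# Deliberately broken fixture: expected to fail tflint at configuration load` would also make the intent explicit to the next maintainer.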