rules nested under site_config

Author: pregress

.gitignore

@@ -1,2 +1,4 @@
 # don't track built binary
 /tflint-ruleset-azurerm-security
+
+tools/

README.md

@@ -23,14 +23,7 @@ plugin "azurerm-security" {
 
 ## Rules
 
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
-|azurerm_linux_web_app_ftps_state|Disable sftp to a linux web app |ERROR|✔||
-|azurerm_linux_web_app_minimum_tls_version|Enforce TLS 1.2 on linux web apps |ERROR|✔||
-|azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|ERROR|✔||
-|azurerm_storage_account_tls_version|Enforce TLS 1.2 on storage accounts |ERROR|✔||
-|azurerm_windows_web_app_ftps_state|Disable sftp to a windows web app |ERROR|✔||
-|azurerm_windows_web_app_minimum_tls_version|Enforce TLS 1.2 on windows web apps |ERROR|✔||
+See the [documentation](docs/README.md).
 
 ## Building the plugin
 
@@ -48,6 +41,8 @@ $ make install
 
 Note that if you install the plugin with make install, you must omit the version and source attributes in .tflint.hcl:
 
+```
 plugin "azurerm-security" {
     enabled = true
-}
+}
+```

docs/README.md

@@ -0,0 +1,10 @@
+# Rules
+
+|Name|Description|Severity|Enabled|Link|
+| --- | --- | --- | --- | --- |
+|azurerm_linux_web_app_ftps_state|Disable sftp to a linux web app |WARNING|✔||
+|azurerm_linux_web_app_minimum_tls_version|Enforce TLS 1.2 on linux web apps |WARNING|✔||
+|azurerm_mssql_database_transparent_data_encryption_enabled|Enforce transparant data encryption|WARNING|✔||
+|azurerm_storage_account_tls_version|Enforce TLS 1.2 on storage accounts |WARNING|✔||
+|azurerm_windows_web_app_ftps_state|Disable sftp to a windows web app |WARNING|✔||
+|azurerm_windows_web_app_minimum_tls_version|Enforce TLS 1.2 on windows web apps |WARNING|✔||

main.go

@@ -1,3 +1,4 @@
+// main.go
 package main
 
 import (
@@ -6,19 +7,23 @@ import (
 	"github.com/terraform-linters/tflint-ruleset-azurerm-security/rules"
 )
 
+func CreateRuleSet() *tflint.BuiltinRuleSet {
+	return &tflint.BuiltinRuleSet{
+		Name:    "azurerm-security",
+		Version: "0.1.2",
+		Rules: []tflint.Rule{
+			rules.NewAzurermLinuxWebAppFtpsState(),
+			rules.NewAzurermLinuxWebAppMinimumTlsVersion(),
+			rules.NewAzurermMssqlDatabaseEncryption(),
+			rules.NewAzurermStorageAccountUnsecureTls(),
+			rules.NewAzurermWindowsWebAppFtpsState(),
+			rules.NewAzurermWindowsWebAppMinimumTlsVersion(),
+		},
+	}
+}
+
 func main() {
 	plugin.Serve(&plugin.ServeOpts{
-		RuleSet: &tflint.BuiltinRuleSet{
-			Name:    "azurerm-security",
-			Version: "0.1.2",
-			Rules: []tflint.Rule{
-				rules.NewAzurermLinuxWebAppFtpsState(),
-				rules.NewAzurermLinuxWebAppMinimumTlsVersion(),
-				rules.NewAzurermMssqlDatabaseEncryption(),
-				rules.NewAzurermStorageAccountUnsecureTls(),
-				rules.NewAzurermWindowsWebAppFtpsState(),
-				rules.NewAzurermWindowsWebAppMinimumTlsVersion(),
-			},
-		},
+		RuleSet: CreateRuleSet(),
 	})
 }

main_test.go

@@ -0,0 +1,39 @@
+// main_test.go
+package main
+
+import (
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestRulesLength(t *testing.T) {
+	ruleSet := CreateRuleSet()
+	actualRules := len(ruleSet.Rules)
+
+	// Count .go files in rules directory that don't end with _test.go
+	rulesPath := "./rules"
+	expectedRules := 0
+
+	err := filepath.Walk(rulesPath, func(path string, info os.FileInfo, err error) error {
+		if err != nil {
+			return err
+		}
+		if !info.IsDir() && 
+		   strings.HasSuffix(path, ".go") && 
+		   !strings.HasSuffix(path, "_test.go") {
+			expectedRules++
+		}
+		return nil
+	})
+
+	if err != nil {
+		t.Fatalf("Error walking rules directory: %v", err)
+	}
+
+	if actualRules != expectedRules {
+		t.Errorf("Number of rules does not match number of rule files. Got %d rules, expected %d", 
+			actualRules, expectedRules)
+	}
+}

rules/azurerm_linux_web_app_ftps_state.go

@@ -2,25 +2,26 @@ package rules
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
 )
 
-// AzurermLinuxWebAppFtpsState checks if ftps_state is disabled
+// AzurermLinuxWebAppFtpsState checks that ftps_state is set to "Disabled"
 type AzurermLinuxWebAppFtpsState struct {
 	tflint.DefaultRule
 
 	resourceType  string
-	attributeName string
+	attributePath []string
 	expectedValue string
 }
 
-// NewAzurermLinuxWebAppFtpsState creates a new rule instance
+// NewAzurermLinuxWebAppFtpsState returns a new rule instance
 func NewAzurermLinuxWebAppFtpsState() *AzurermLinuxWebAppFtpsState {
 	return &AzurermLinuxWebAppFtpsState{
 		resourceType:  "azurerm_linux_web_app",
-		attributeName: "ftps_state",
+		attributePath: []string{"site_config", "ftps_state"},
 		expectedValue: "Disabled",
 	}
 }
@@ -37,7 +38,7 @@ func (r *AzurermLinuxWebAppFtpsState) Enabled() bool {
 
 // Severity returns the rule severity
 func (r *AzurermLinuxWebAppFtpsState) Severity() tflint.Severity {
-	return tflint.ERROR
+	return tflint.WARNING
 }
 
 // Link returns the rule reference link
@@ -48,36 +49,53 @@ func (r *AzurermLinuxWebAppFtpsState) Link() string {
 // Check verifies that ftps_state is set to "Disabled"
 func (r *AzurermLinuxWebAppFtpsState) Check(runner tflint.Runner) error {
 	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
-		Attributes: []hclext.AttributeSchema{
-			{Name: r.attributeName},
+		Blocks: []hclext.BlockSchema{
+			{
+				Type: "site_config",
+				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{Name: "ftps_state"},
+					},
+				},
+			},
 		},
 	}, nil)
 	if err != nil {
 		return err
 	}
 
 	for _, resource := range resources.Blocks {
-		attribute, exists := resource.Body.Attributes[r.attributeName]
-		if !exists {
+		siteConfigBlocks := resource.Body.Blocks.OfType("site_config")
+		if len(siteConfigBlocks) == 0 {
 			runner.EmitIssue(
 				r,
-				"ftps_state should be set to Disabled",
+				"site_config block is missing, ftps_state should be set to Disabled",
 				resource.DefRange,
 			)
 			continue
 		}
 
+		siteConfig := siteConfigBlocks[0]
+		attribute, exists := siteConfig.Body.Attributes["ftps_state"]
+		if !exists {
+			runner.EmitIssue(
+				r,
+				"ftps_state is missing in site_config, should be set to Disabled",
+				siteConfig.DefRange,
+			)
+			continue
+		}
+
 		err := runner.EvaluateExpr(attribute.Expr, func(val string) error {
-			if val != r.expectedValue {
+			if !strings.EqualFold(val, r.expectedValue) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf("ftps_state is set to %q, should be Disabled", val),
+					fmt.Sprintf("ftps_state is set to %s, should be set to Disabled", val),
 					attribute.Expr.Range(),
 				)
 			}
 			return nil
 		}, nil)
-
 		if err != nil {
 			return err
 		}

rules/azurerm_linux_web_app_ftps_state_test.go

@@ -14,47 +14,98 @@ func Test_AzurermLinuxWebAppFtpsState(t *testing.T) {
 		Expected helper.Issues
 	}{
 		{
-			Name: "FTPS enabled",
+			Name: "ftps_state not set to Disabled",
 			Content: `
 resource "azurerm_linux_web_app" "example" {
-    ftps_state = "Enabled"
+    site_config {
+        ftps_state = "FtpsOnly"
+    }
 }`,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAzurermLinuxWebAppFtpsState(),
-					Message: `ftps_state is set to "Enabled", should be Disabled`,
+					Message: "ftps_state is set to FtpsOnly, should be set to Disabled",
 					Range: hcl.Range{
 						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 18},
-						End:      hcl.Pos{Line: 3, Column: 27},
+						Start: hcl.Pos{
+							Line:   4,
+							Column: 22,
+						},
+						End: hcl.Pos{
+							Line:   4,
+							Column: 32,
+						},
 					},
 				},
 			},
 		},
 		{
-			Name: "FTPS state missing",
+			Name: "ftps_state set to disabled (lowercase)",
 			Content: `
 resource "azurerm_linux_web_app" "example" {
+    site_config {
+        ftps_state = "disabled"
+    }
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "ftps_state set to DISABLED (uppercase)",
+			Content: `
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+        ftps_state = "DISABLED"
+    }
+}`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "ftps_state attribute missing",
+			Content: `
+resource "azurerm_linux_web_app" "example" {
+    site_config {
+    }
 }`,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAzurermLinuxWebAppFtpsState(),
-					Message: `ftps_state should be set to Disabled`,
+					Message: "ftps_state is missing in site_config, should be set to Disabled",
 					Range: hcl.Range{
 						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 2, Column: 1},
-						End:      hcl.Pos{Line: 2, Column: 43},
+						Start: hcl.Pos{
+							Line:   3,
+							Column: 5,
+						},
+						End: hcl.Pos{
+							Line:   3,
+							Column: 16,
+						},
 					},
 				},
 			},
 		},
 		{
-			Name: "FTPS disabled",
+			Name: "site_config block missing",
 			Content: `
 resource "azurerm_linux_web_app" "example" {
-    ftps_state = "Disabled"
 }`,
-			Expected: helper.Issues{},
+			Expected: helper.Issues{
+				{
+					Rule:    NewAzurermLinuxWebAppFtpsState(),
+					Message: "site_config block is missing, ftps_state should be set to Disabled",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start: hcl.Pos{
+							Line:   2,
+							Column: 1,
+						},
+						End: hcl.Pos{
+							Line:   2,
+							Column: 43,
+						},
+					},
+				},
+			},
 		},
 	}
 
@@ -71,5 +122,4 @@ resource "azurerm_linux_web_app" "example" {
 			helper.AssertIssues(t, test.Expected, runner.Issues)
 		})
 	}
-}
-
+}