mapping aws_ecr (#256)

PatMyron · web-flow · commit 1b09d6d9cdd7 · 2021-12-29T12:50:37.000-08:00
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_pull_through_cache_rule https://github.com/aws/aws-sdk-go/blob/main/models/apis/ecr/2015-09-21/api-2.json
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -513,6 +513,9 @@ These rules enforce best practices and naming conventions:
 |aws_ec2_transit_gateway_vpc_attachment_invalid_ipv6_support|✔|
 |aws_ecr_lifecycle_policy_invalid_policy|✔|
 |aws_ecr_lifecycle_policy_invalid_repository|✔|
+|aws_ecr_pull_through_cache_rule_invalid_ecr_repository_prefix|✔|
+|aws_ecr_registry_policy_invalid_policy|✔|
+|aws_ecr_registry_scanning_configuration_invalid_scan_type|✔|
 |aws_ecr_repository_invalid_name|✔|
 |aws_ecr_repository_policy_invalid_policy|✔|
 |aws_ecr_repository_policy_invalid_repository|✔|
diff --git a/rules/models/aws_ecr_pull_through_cache_rule_invalid_ecr_repository_prefix.go b/rules/models/aws_ecr_pull_through_cache_rule_invalid_ecr_repository_prefix.go
@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule checks the pattern is valid
+type AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule returns new rule with default attributes
+func NewAwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule() *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule {
+	return &AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule{
+		resourceType:  "aws_ecr_pull_through_cache_rule",
+		attributeName: "ecr_repository_prefix",
+		max:           20,
+		min:           2,
+		pattern:       regexp.MustCompile(`^[a-z0-9]+(?:[._-][a-z0-9]+)*$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule) Name() string {
+	return "aws_ecr_pull_through_cache_rule_invalid_ecr_repository_prefix"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"ecr_repository_prefix must be 20 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"ecr_repository_prefix must be 2 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[a-z0-9]+(?:[._-][a-z0-9]+)*$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_ecr_registry_policy_invalid_policy.go b/rules/models/aws_ecr_registry_policy_invalid_policy.go
@@ -0,0 +1,67 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEcrRegistryPolicyInvalidPolicyRule checks the pattern is valid
+type AwsEcrRegistryPolicyInvalidPolicyRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+}
+
+// NewAwsEcrRegistryPolicyInvalidPolicyRule returns new rule with default attributes
+func NewAwsEcrRegistryPolicyInvalidPolicyRule() *AwsEcrRegistryPolicyInvalidPolicyRule {
+	return &AwsEcrRegistryPolicyInvalidPolicyRule{
+		resourceType:  "aws_ecr_registry_policy",
+		attributeName: "policy",
+		max:           10240,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEcrRegistryPolicyInvalidPolicyRule) Name() string {
+	return "aws_ecr_registry_policy_invalid_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEcrRegistryPolicyInvalidPolicyRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEcrRegistryPolicyInvalidPolicyRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEcrRegistryPolicyInvalidPolicyRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEcrRegistryPolicyInvalidPolicyRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 10240 characters or less",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_ecr_registry_scanning_configuration_invalid_scan_type.go b/rules/models/aws_ecr_registry_scanning_configuration_invalid_scan_type.go
@@ -0,0 +1,77 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsEcrRegistryScanningConfigurationInvalidScanTypeRule checks the pattern is valid
+type AwsEcrRegistryScanningConfigurationInvalidScanTypeRule struct {
+	resourceType  string
+	attributeName string
+	enum          []string
+}
+
+// NewAwsEcrRegistryScanningConfigurationInvalidScanTypeRule returns new rule with default attributes
+func NewAwsEcrRegistryScanningConfigurationInvalidScanTypeRule() *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule {
+	return &AwsEcrRegistryScanningConfigurationInvalidScanTypeRule{
+		resourceType:  "aws_ecr_registry_scanning_configuration",
+		attributeName: "scan_type",
+		enum: []string{
+			"BASIC",
+			"ENHANCED",
+		},
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule) Name() string {
+	return "aws_ecr_registry_scanning_configuration_invalid_scan_type"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsEcrRegistryScanningConfigurationInvalidScanTypeRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			found := false
+			for _, item := range r.enum {
+				if item == val {
+					found = true
+				}
+			}
+			if !found {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" is an invalid value as scan_type`, truncateLongMessage(val)),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/mappings/ecr.hcl b/rules/models/mappings/ecr.hcl
@@ -5,6 +5,24 @@ mapping "aws_ecr_lifecycle_policy" {
   policy     = LifecyclePolicyText
 }
 
+mapping "aws_ecr_pull_through_cache_rule" {
+  ecr_repository_prefix = PullThroughCacheRuleRepositoryPrefix
+  upstream_registry_url = Url
+}
+
+mapping "aws_ecr_registry_policy" {
+  policy = RegistryPolicyText
+}
+
+mapping "aws_ecr_registry_scanning_configuration" {
+  scan_type = ScanType
+  rule = RegistryScanningRuleList
+}
+
+mapping "aws_ecr_replication_configuration" {
+  replication_configuration = ReplicationConfiguration
+}
+
 mapping "aws_ecr_repository" {
   name = RepositoryName
   tags = TagList
diff --git a/rules/models/provider.go b/rules/models/provider.go
@@ -441,6 +441,9 @@ var Rules = []tflint.Rule{
 	NewAwsEc2TransitGatewayVpcAttachmentInvalidIpv6SupportRule(),
 	NewAwsEcrLifecyclePolicyInvalidPolicyRule(),
 	NewAwsEcrLifecyclePolicyInvalidRepositoryRule(),
+	NewAwsEcrPullThroughCacheRuleInvalidEcrRepositoryPrefixRule(),
+	NewAwsEcrRegistryPolicyInvalidPolicyRule(),
+	NewAwsEcrRegistryScanningConfigurationInvalidScanTypeRule(),
 	NewAwsEcrRepositoryInvalidNameRule(),
 	NewAwsEcrRepositoryPolicyInvalidPolicyRule(),
 	NewAwsEcrRepositoryPolicyInvalidRepositoryRule(),
