aws_acm_certificate: fix false positive for private CA (#455)

* `aws_acm_certificate`: fix false positive for private CA

* Use "%s" instead of %q

%q escapes tab char to \t

---------

Co-authored-by: Kazuma Watanabe <[email protected]>

Author: bendrucker

rules/models/aws_acm_certificate_invalid_certificate_authority_arn.go

@@ -29,7 +29,7 @@ func NewAwsAcmCertificateInvalidCertificateAuthorityArnRule() *AwsAcmCertificate
 		attributeName: "certificate_authority_arn",
 		max:           2048,
 		min:           20,
-		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:acm:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+		pattern:       regexp.MustCompile(`^arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
 	}
 }
 
@@ -93,7 +93,7 @@ func (r *AwsAcmCertificateInvalidCertificateAuthorityArnRule) Check(runner tflin
 			if !r.pattern.MatchString(val) {
 				runner.EmitIssue(
 					r,
-					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:acm:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
 					attribute.Expr.Range(),
 				)
 			}

rules/models/aws_acm_certificate_invalid_certificate_authority_arn_test.go

@@ -0,0 +1,52 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"testing"
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AwsAcmCertificateInvalidCertificateAuthorityArnRule(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "It includes invalid characters",
+			Content: `
+resource "aws_acm_certificate" "foo" {
+	certificate_authority_arn = "arn:aws:unknown-service:us-east-1:0000000000:certificate-authority/xxxxxx-xxx-xxx-xxxx-xxxxxxxxx"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsAcmCertificateInvalidCertificateAuthorityArnRule(),
+					Message: fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage("arn:aws:unknown-service:us-east-1:0000000000:certificate-authority/xxxxxx-xxx-xxx-xxxx-xxxxxxxxx"), `^arn:[\w+=/,.@-]+:acm-pca:[\w+=/,.@-]*:[0-9]+:[\w+=,.@-]+(/[\w+=,.@-]+)*$`),
+				},
+			},
+		},
+		{
+			Name: "It is valid",
+			Content: `
+resource "aws_acm_certificate" "foo" {
+	certificate_authority_arn = "arn:aws:acm-pca:us-east-1:0000000000:certificate-authority/xxxxxx-xxx-xxx-xxxx-xxxxxxxxx"
+}`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAwsAcmCertificateInvalidCertificateAuthorityArnRule()
+
+	for _, tc := range cases {
+		runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+
+		helper.AssertIssuesWithoutRange(t, tc.Expected, runner.Issues)
+	}
+}

rules/models/aws_acmpca_certificate_authority_invalid_type_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_acmpca_certificate_authority" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAcmpcaCertificateAuthorityInvalidTypeRule(),
-					Message: `"ORDINATE" is an invalid value as type`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("ORDINATE"), "type"),
 				},
 			},
 		},

rules/models/aws_ami_invalid_architecture_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_ami" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAMIInvalidArchitectureRule(),
-					Message: `"x86" is an invalid value as architecture`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("x86"), "architecture"),
 				},
 			},
 		},

rules/models/aws_api_gateway_authorizer_invalid_type_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_authorizer" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayAuthorizerInvalidTypeRule(),
-					Message: `"RESPONSE" is an invalid value as type`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("RESPONSE"), "type"),
 				},
 			},
 		},

rules/models/aws_api_gateway_gateway_response_invalid_response_type_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_gateway_response" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayGatewayResponseInvalidResponseTypeRule(),
-					Message: `"4XX" is an invalid value as response_type`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("4XX"), "response_type"),
 				},
 			},
 		},

rules/models/aws_api_gateway_gateway_response_invalid_status_code_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_gateway_response" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayGatewayResponseInvalidStatusCodeRule(),
-					Message: `"004" does not match valid pattern ^[1-5]\d\d$`,
+					Message: fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage("004"), `^[1-5]\d\d$`),
 				},
 			},
 		},

rules/models/aws_api_gateway_integration_invalid_connection_type_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_integration" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayIntegrationInvalidConnectionTypeRule(),
-					Message: `"INTRANET" is an invalid value as connection_type`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("INTRANET"), "connection_type"),
 				},
 			},
 		},

rules/models/aws_api_gateway_integration_invalid_content_handling_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_integration" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayIntegrationInvalidContentHandlingRule(),
-					Message: `"CONVERT_TO_FILE" is an invalid value as content_handling`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("CONVERT_TO_FILE"), "content_handling"),
 				},
 			},
 		},

rules/models/aws_api_gateway_integration_invalid_type_test.go

@@ -4,6 +4,7 @@ package models
 
 import (
 	"testing"
+	"fmt"
 
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
@@ -23,7 +24,7 @@ resource "aws_api_gateway_integration" "foo" {
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsAPIGatewayIntegrationInvalidTypeRule(),
-					Message: `"AWS_HTTP" is an invalid value as type`,
+					Message: fmt.Sprintf(`"%s" is an invalid value as %s`, truncateLongMessage("AWS_HTTP"), "type"),
 				},
 			},
 		},