aws_elasticache_replication_group (#143)

* aws_elasticache_replication_group -  fixes #140 Add tests fir aws_elasticache_replication_group # Please enter the commit message for your changes. Lines starting # with '#' will be ignored, and an empty message aborts the commit. # # Date: Mon Jul 19 15:34:06 2021 -0400 # # On branch aws_elasticache_replication_group # Changes to be committed: # modified: docs/rules/aws_elasticache_cluster_default_parameter_group.md # new file: docs/rules/aws_elasticache_replication_group_default_parameter_group.md # new file: rules/aws_elasticache_replication_group_default_parameter_group.go # new file: rules/aws_elasticache_replication_group_default_parameter_group_test.go # new file: rules/aws_elasticache_replication_group_invalid_type.go # new file: rules/aws_elasticache_replication_group_invalid_type_test.go #

* aws_elasticache_replication_group -  Fix variable, and registered to provider

* aws_elasticache_replication_group -  Add to readme

* aws_elasticache_replication_group -  Add docs for rule and register with provider

* aws_elasticache_replication_group -  Add missing docs

* aws_elasticache_replication_group -  Add previous type rule for replication group

Co-authored-by: James Ray <[email protected]>

Author: Rihoj

docs/rules/README.md

@@ -20,7 +20,8 @@ These rules warn of possible errors that can occur at `terraform apply`. Rules m
 |aws_elasticache_cluster_invalid_parameter_group|Disallow using invalid parameter group|✔|✔|
 |aws_elasticache_cluster_invalid_security_group|Disallow using invalid security groups|✔|✔|
 |aws_elasticache_cluster_invalid_subnet_group|Disallow using invalid subnet group|✔|✔|
-|aws_elasticache_cluster_invalid_type|Disallow using invalid node type||✔|
+|[aws_elasticache_cluster_invalid_type](aws_elasticache_cluster_invalid_type)|Disallow using invalid node type||✔|
+|[aws_elasticache_replication_group_invalid_type](aws_elasticache_replication_group_invalid_type)|Disallow using invalid node type||✔|
 |aws_elb_invalid_instance|Disallow using invalid instances|✔|✔|
 |aws_elb_invalid_security_group|Disallow using invalid security groups|✔|✔|
 |aws_elb_invalid_subnet|Disallow using invalid subnets|✔|✔|
@@ -51,6 +52,8 @@ These rules enforce best practices and naming conventions:
 |[aws_db_instance_default_parameter_group](aws_db_instance_default_parameter_group.md)|Disallow using default DB parameter group|✔|
 |[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_cluster_default_parameter_group](aws_elasticache_cluster_default_parameter_group.md)|Disallow using default parameter group|✔|
+|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
 |[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||

docs/rules/README.md.tmpl

@@ -20,7 +20,8 @@ These rules warn of possible errors that can occur at `terraform apply`. Rules m
 |aws_elasticache_cluster_invalid_parameter_group|Disallow using invalid parameter group|✔|✔|
 |aws_elasticache_cluster_invalid_security_group|Disallow using invalid security groups|✔|✔|
 |aws_elasticache_cluster_invalid_subnet_group|Disallow using invalid subnet group|✔|✔|
-|aws_elasticache_cluster_invalid_type|Disallow using invalid node type||✔|
+|[aws_elasticache_cluster_invalid_type](aws_elasticache_cluster_invalid_type)|Disallow using invalid node type||✔|
+|[aws_elasticache_replication_group_invalid_type](aws_elasticache_replication_group_invalid_type)|Disallow using invalid node type||✔|
 |aws_elb_invalid_instance|Disallow using invalid instances|✔|✔|
 |aws_elb_invalid_security_group|Disallow using invalid security groups|✔|✔|
 |aws_elb_invalid_subnet|Disallow using invalid subnets|✔|✔|
@@ -51,6 +52,8 @@ These rules enforce best practices and naming conventions:
 |[aws_db_instance_default_parameter_group](aws_db_instance_default_parameter_group.md)|Disallow using default DB parameter group|✔|
 |[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_cluster_default_parameter_group](aws_elasticache_cluster_default_parameter_group.md)|Disallow using default parameter group|✔|
+|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
 |[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||

docs/rules/aws_elasticache_cluster_default_parameter_group.md

@@ -26,8 +26,8 @@ $ tflint
 Notice: "default.redis3.2" is default parameter group. You cannot edit it. (aws_elasticache_cluster_default_parameter_group)
 
   on template.tf line 9:
-   9:   parameter_group_name = "default.redis3.2" // default paramete group!
- 
+   9:   parameter_group_name = "default.redis3.2" // default parameter group!
+
 ```
 
 ## Why

docs/rules/aws_elasticache_cluster_invalid_type.md

@@ -0,0 +1,40 @@
+# aws_elasticache_cluster_invalid_type
+
+Disallow using invalid type.
+
+## Example
+
+```hcl
+resource "aws_elasticache_cluster" "default" {
+  node_type                     = "cache.t3.mini" // invalid type!
+  engine_version                = "6.x"
+  maintenance_window            = "thu:02:30-thu:03:30"
+  num_cache_nodes               = 1
+  apply_immediately             = false
+  parameter_group_name          = "custom.redis6.x.cluster.on"
+  port                          = 6379
+  cluster_id                    = "cluster_id"
+  snapshot_retention_limit      = 1
+  subnet_group_name             = aws_elasticache_subnet_group.private.name
+  security_group_ids            = [aws_security_group.redis_service.id]
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: "cache.t3.mini" is an invalid node type. (aws_elasticache_cluster_invalid_type)
+
+  on template.tf line 5:
+   2:   node_type       = "cache.t3.mini" // invalid type!
+
+```
+
+## Why
+
+Apply will fail. (Plan will succeed with the invalid value though)
+
+## How To Fix
+
+Select valid type according to the [document](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)

docs/rules/aws_elasticache_replication_group_default_parameter_group.md

@@ -0,0 +1,36 @@
+# aws_elasticache_replication_group_default_parameter_group
+
+Disallow using default parameter group.
+
+## Example
+
+```hcl
+resource "aws_elasticache_replication_group" "redis" {
+  cluster_id           = "app"
+  engine               = "redis"
+  engine_version       = "3.2.4"
+  maintenance_window   = "sun:00:00-sun:06:00"
+  node_type            = "cache.m4.large"
+  num_cache_nodes      = 1
+  port                 = 6379
+  parameter_group_name = "default.redis3.2" // default paramete group!
+  subnet_group_name    = "app-subnet-group"
+  security_group_ids   = ["${aws_security_group.redis.id}"]
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+Notice: "default.redis3.2" is default parameter group. You cannot edit it. (aws_elasticache_replication_group_default_parameter_group)
+  on template.tf line 9:
+   9:   parameter_group_name = "default.redis3.2" // default parameter group!
+```
+
+## Why
+
+You can modify parameter values in a custom parameter group, but you can't change the parameter values in a default parameter group.
+
+## How To Fix
+
+Create a new parameter group, and change the `parameter_group_name` to that.

docs/rules/aws_elasticache_replication_group_invalid_type.md

@@ -0,0 +1,47 @@
+# aws_elasticache_replication_group_invalid_type
+
+Disallow using invalid type.
+
+## Example
+
+```hcl
+resource "aws_elasticache_replication_group" "default" {
+  node_type                     = "cache.t3.mini" // invalid type!
+  at_rest_encryption_enabled    = true
+  automatic_failover_enabled    = true
+  engine_version                = "6.x"
+  maintenance_window            = "thu:02:30-thu:03:30"
+  apply_immediately             = false
+  parameter_group_name          = "custom.redis6.x.cluster.on"
+  port                          = 6379
+  replication_group_description = " "
+  replication_group_id          = "replication_group_id"
+  snapshot_retention_limit      = 1
+  subnet_group_name             = aws_elasticache_subnet_group.private.name
+  security_group_ids            = [aws_security_group.redis_service.id]
+
+  cluster_mode {
+    replicas_per_node_group = 1
+    num_node_groups         = 2
+  }
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: "cache.t3.mini" is an invalid node type. (aws_elasticache_replication_group_invalid_type)
+
+  on template.tf line 5:
+   2:   node_type       = "cache.t3.mini" // invalid type!
+
+```
+
+## Why
+
+Apply will fail. (Plan will succeed with the invalid value though)
+
+## How To Fix
+
+Select valid type according to the [document](https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/CacheNodes.SupportedTypes.html#CacheNodes.SupportedTypesByRegion)

docs/rules/aws_elasticache_replication_group_previous_type.md

@@ -0,0 +1,47 @@
+# aws_elasticache_replication_group_previous_type
+
+Disallow using previous node types.
+
+## Example
+
+```hcl
+resource "aws_elasticache_replication_group" "default" {
+  node_type                     = "cache.t1.micro" // previous node type!
+  at_rest_encryption_enabled    = true
+  automatic_failover_enabled    = true
+  engine_version                = "6.x"
+  maintenance_window            = "thu:02:30-thu:03:30"
+  apply_immediately             = false
+  parameter_group_name          = "custom.redis6.x.cluster.on"
+  port                          = 6379
+  replication_group_description = " "
+  replication_group_id          = "replication_group_id"
+  snapshot_retention_limit      = 1
+  subnet_group_name             = aws_elasticache_subnet_group.private.name
+  security_group_ids            = [aws_security_group.redis_service.id]
+
+  cluster_mode {
+    replicas_per_node_group = 1
+    num_node_groups         = 2
+  }
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: "cache.t1.micro" is previous generation node type. (aws_elasticache_replication_group_previous_type)
+
+  on template.tf line 6:
+   2:   node_type            = "cache.t1.micro" // previous node type!
+
+```
+
+## Why
+
+Previous node types are inferior to current generation in terms of performance and fee. Unless there is a special reason, you should avoid to use these ones.
+
+## How To Fix
+
+Select a current generation node type according to the [upgrade paths](https://aws.amazon.com/elasticache/previous-generation/).

rules/aws_elasticache_replication_group_default_parameter_group.go

@@ -0,0 +1,65 @@
+package rules
+
+import (
+	"fmt"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+)
+
+// AwsElastiCacheReplicationGroupDefaultParameterGroupRule checks whether the cluster use default parameter group
+type AwsElastiCacheReplicationGroupDefaultParameterGroupRule struct {
+	resourceType  string
+	attributeName string
+}
+
+// NewAwsElastiCacheReplicationGroupDefaultParameterGroupRule returns new rule with default attributes
+func NewAwsElastiCacheReplicationGroupDefaultParameterGroupRule() *AwsElastiCacheReplicationGroupDefaultParameterGroupRule {
+	return &AwsElastiCacheReplicationGroupDefaultParameterGroupRule{
+		resourceType:  "aws_elasticache_replication_group",
+		attributeName: "parameter_group_name",
+	}
+}
+
+// Name returns the rule name
+func (r *AwsElastiCacheReplicationGroupDefaultParameterGroupRule) Name() string {
+	return "aws_elasticache_replication_group_default_parameter_group"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsElastiCacheReplicationGroupDefaultParameterGroupRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsElastiCacheReplicationGroupDefaultParameterGroupRule) Severity() string {
+	return tflint.NOTICE
+}
+
+// Link returns the rule reference link
+func (r *AwsElastiCacheReplicationGroupDefaultParameterGroupRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+var defaultElastiCacheReplicationParameterGroupRegexp = regexp.MustCompile("^default")
+
+// Check checks the parameter group name starts with `default`
+func (r *AwsElastiCacheReplicationGroupDefaultParameterGroupRule) Check(runner tflint.Runner) error {
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var parameterGroup string
+		err := runner.EvaluateExpr(attribute.Expr, &parameterGroup, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if defaultElastiCacheParameterGroupRegexp.Match([]byte(parameterGroup)) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf("\"%s\" is default parameter group. You cannot edit it.", parameterGroup),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/aws_elasticache_replication_group_default_parameter_group_test.go

@@ -0,0 +1,55 @@
+package rules
+
+import (
+	"testing"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AwsElastiCacheReplicationGroupDefaultParameterGroup(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "default.redis3.2 is default parameter group",
+			Content: `
+resource "aws_elasticache_replication_group" "cache" {
+    parameter_group_name = "default.redis3.2"
+}`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsElastiCacheReplicationGroupDefaultParameterGroupRule(),
+					Message: "\"default.redis3.2\" is default parameter group. You cannot edit it.",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 28},
+						End:      hcl.Pos{Line: 3, Column: 46},
+					},
+				},
+			},
+		},
+		{
+			Name: "application3.2 is not default parameter group",
+			Content: `
+resource "aws_elasticache_replication_group" "cache" {
+    parameter_group_name = "application3.2"
+}`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAwsElastiCacheReplicationGroupDefaultParameterGroupRule()
+
+	for _, tc := range cases {
+		runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+
+		helper.AssertIssues(t, tc.Expected, runner.Issues)
+	}
+}