Merge pull request #2 from terraform-linters/migrate_api_rules

Migrate API rules from TFLint core

Author: wata727

aws/api.go

@@ -0,0 +1,218 @@
+package aws
+
+import (
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/elasticache"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/rds"
+)
+
+// DescribeSecurityGroups is a wrapper of DescribeSecurityGroups
+func (c *Client) DescribeSecurityGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeSecurityGroups(&ec2.DescribeSecurityGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, sg := range resp.SecurityGroups {
+		ret[*sg.GroupId] = true
+	}
+	return ret, err
+}
+
+// DescribeSubnets is a wrapper of DescribeSubnets
+func (c *Client) DescribeSubnets() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeSubnets(&ec2.DescribeSubnetsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, subnet := range resp.Subnets {
+		ret[*subnet.SubnetId] = true
+	}
+	return ret, err
+}
+
+// DescribeDBSubnetGroups is a wrapper of DescribeDBSubnetGroups
+func (c *Client) DescribeDBSubnetGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.RDS.DescribeDBSubnetGroups(&rds.DescribeDBSubnetGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, subnetGroup := range resp.DBSubnetGroups {
+		ret[*subnetGroup.DBSubnetGroupName] = true
+	}
+	return ret, err
+}
+
+// DescribeOptionGroups is a wrapper of DescribeOptionGroups
+func (c *Client) DescribeOptionGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.RDS.DescribeOptionGroups(&rds.DescribeOptionGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, optionGroup := range resp.OptionGroupsList {
+		ret[*optionGroup.OptionGroupName] = true
+	}
+	return ret, err
+}
+
+// DescribeDBParameterGroups is a wrapper of DescribeDBParameterGroups
+func (c *Client) DescribeDBParameterGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.RDS.DescribeDBParameterGroups(&rds.DescribeDBParameterGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, parameterGroup := range resp.DBParameterGroups {
+		ret[*parameterGroup.DBParameterGroupName] = true
+	}
+	return ret, err
+}
+
+// DescribeCacheParameterGroups is a wrapper of DescribeCacheParameterGroups
+func (c *Client) DescribeCacheParameterGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.ElastiCache.DescribeCacheParameterGroups(&elasticache.DescribeCacheParameterGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, parameterGroup := range resp.CacheParameterGroups {
+		ret[*parameterGroup.CacheParameterGroupName] = true
+	}
+	return ret, err
+}
+
+// DescribeCacheSubnetGroups is a wrapper of DescribeCacheSubnetGroups
+func (c *Client) DescribeCacheSubnetGroups() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.ElastiCache.DescribeCacheSubnetGroups(&elasticache.DescribeCacheSubnetGroupsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, subnetGroup := range resp.CacheSubnetGroups {
+		ret[*subnetGroup.CacheSubnetGroupName] = true
+	}
+	return ret, err
+}
+
+// DescribeInstances is a wrapper of DescribeInstances
+func (c *Client) DescribeInstances() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeInstances(&ec2.DescribeInstancesInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, reservation := range resp.Reservations {
+		for _, instance := range reservation.Instances {
+			ret[*instance.InstanceId] = true
+		}
+	}
+	return ret, err
+}
+
+// ListInstanceProfiles is a wrapper of ListInstanceProfiles
+func (c *Client) ListInstanceProfiles() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.IAM.ListInstanceProfiles(&iam.ListInstanceProfilesInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, iamProfile := range resp.InstanceProfiles {
+		ret[*iamProfile.InstanceProfileName] = true
+	}
+	return ret, err
+}
+
+// DescribeKeyPairs is a wrapper of DescribeKeyPairs
+func (c *Client) DescribeKeyPairs() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeKeyPairs(&ec2.DescribeKeyPairsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, keyPair := range resp.KeyPairs {
+		ret[*keyPair.KeyName] = true
+	}
+	return ret, err
+}
+
+// DescribeEgressOnlyInternetGateways is wrapper of DescribeEgressOnlyInternetGateways
+func (c *Client) DescribeEgressOnlyInternetGateways() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeEgressOnlyInternetGateways(&ec2.DescribeEgressOnlyInternetGatewaysInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, egateway := range resp.EgressOnlyInternetGateways {
+		ret[*egateway.EgressOnlyInternetGatewayId] = true
+	}
+	return ret, err
+}
+
+// DescribeInternetGateways is a wrapper of DescribeInternetGateways
+func (c *Client) DescribeInternetGateways() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeInternetGateways(&ec2.DescribeInternetGatewaysInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, gateway := range resp.InternetGateways {
+		ret[*gateway.InternetGatewayId] = true
+	}
+	return ret, err
+}
+
+// DescribeNatGateways is a wrapper of DescribeNatGateways
+func (c *Client) DescribeNatGateways() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeNatGateways(&ec2.DescribeNatGatewaysInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, ngateway := range resp.NatGateways {
+		ret[*ngateway.NatGatewayId] = true
+	}
+	return ret, err
+}
+
+// DescribeNetworkInterfaces is a wrapper of DescribeNetworkInterfaces
+func (c *Client) DescribeNetworkInterfaces() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeNetworkInterfaces(&ec2.DescribeNetworkInterfacesInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, networkInterface := range resp.NetworkInterfaces {
+		ret[*networkInterface.NetworkInterfaceId] = true
+	}
+	return ret, err
+}
+
+// DescribeRouteTables is a wrapper of DescribeRouteTables
+func (c *Client) DescribeRouteTables() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeRouteTables(&ec2.DescribeRouteTablesInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, routeTable := range resp.RouteTables {
+		ret[*routeTable.RouteTableId] = true
+	}
+	return ret, err
+}
+
+// DescribeVpcPeeringConnections is a wrapper of DescribeVpcPeeringConnections
+func (c *Client) DescribeVpcPeeringConnections() (map[string]bool, error) {
+	ret := map[string]bool{}
+	resp, err := c.EC2.DescribeVpcPeeringConnections(&ec2.DescribeVpcPeeringConnectionsInput{})
+	if err != nil {
+		return ret, err
+	}
+	for _, vpcPeeringConnection := range resp.VpcPeeringConnections {
+		ret[*vpcPeeringConnection.VpcPeeringConnectionId] = true
+	}
+	return ret, err
+}

aws/client.go

@@ -0,0 +1,109 @@
+package aws
+
+import (
+	"errors"
+	"log"
+	"strings"
+
+	"github.com/aws/aws-sdk-go/service/ec2"
+	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
+	"github.com/aws/aws-sdk-go/service/ecs"
+	"github.com/aws/aws-sdk-go/service/ecs/ecsiface"
+	"github.com/aws/aws-sdk-go/service/elasticache"
+	"github.com/aws/aws-sdk-go/service/elasticache/elasticacheiface"
+	"github.com/aws/aws-sdk-go/service/elb"
+	"github.com/aws/aws-sdk-go/service/elb/elbiface"
+	"github.com/aws/aws-sdk-go/service/elbv2"
+	"github.com/aws/aws-sdk-go/service/elbv2/elbv2iface"
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/aws/aws-sdk-go/service/iam/iamiface"
+	"github.com/aws/aws-sdk-go/service/rds"
+	"github.com/aws/aws-sdk-go/service/rds/rdsiface"
+	awsbase "github.com/hashicorp/aws-sdk-go-base"
+	"github.com/mitchellh/go-homedir"
+)
+
+//go:generate go run github.com/golang/mock/mockgen -destination mock/ec2.go -package mock github.com/aws/aws-sdk-go/service/ec2/ec2iface EC2API
+//go:generate go run github.com/golang/mock/mockgen -destination mock/elasticache.go -package mock github.com/aws/aws-sdk-go/service/elasticache/elasticacheiface ElastiCacheAPI
+//go:generate go run github.com/golang/mock/mockgen -destination mock/elb.go -package mock github.com/aws/aws-sdk-go/service/elb/elbiface ELBAPI
+//go:generate go run github.com/golang/mock/mockgen -destination mock/elbv2.go -package mock github.com/aws/aws-sdk-go/service/elbv2/elbv2iface ELBV2API
+//go:generate go run github.com/golang/mock/mockgen -destination mock/iam.go -package mock github.com/aws/aws-sdk-go/service/iam/iamiface IAMAPI
+//go:generate go run github.com/golang/mock/mockgen -destination mock/rds.go -package mock github.com/aws/aws-sdk-go/service/rds/rdsiface RDSAPI
+//go:generate go run github.com/golang/mock/mockgen -destination mock/ecs.go -package mock github.com/aws/aws-sdk-go/service/ecs/ecsiface ECSAPI
+
+// Client is a wrapper of the AWS SDK client
+// It has interfaces for each services to make testing easier
+type Client struct {
+	IAM         iamiface.IAMAPI
+	EC2         ec2iface.EC2API
+	RDS         rdsiface.RDSAPI
+	ElastiCache elasticacheiface.ElastiCacheAPI
+	ELB         elbiface.ELBAPI
+	ELBV2       elbv2iface.ELBV2API
+	ECS         ecsiface.ECSAPI
+}
+
+// Credentials is credentials for AWS used in deep check mode
+type Credentials struct {
+	AccessKey             string
+	SecretKey             string
+	Profile               string
+	CredsFile             string
+	AssumeRoleARN         string
+	AssumeRoleExternalID  string
+	AssumeRolePolicy      string
+	AssumeRoleSessionName string
+	Region                string
+}
+
+// NewClient returns a new Client with configured session
+func NewClient(creds Credentials) (*Client, error) {
+	log.Print("[INFO] Initialize AWS Client")
+
+	config, err := getBaseConfig(creds)
+	if err != nil {
+		return nil, err
+	}
+
+	s, err := awsbase.GetSession(config)
+	if err != nil {
+		return nil, formatBaseConfigError(err)
+	}
+
+	return &Client{
+		IAM:         iam.New(s),
+		EC2:         ec2.New(s),
+		RDS:         rds.New(s),
+		ElastiCache: elasticache.New(s),
+		ELB:         elb.New(s),
+		ELBV2:       elbv2.New(s),
+		ECS:         ecs.New(s),
+	}, nil
+}
+
+func getBaseConfig(creds Credentials) (*awsbase.Config, error) {
+	expandedCredsFile, err := homedir.Expand(creds.CredsFile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &awsbase.Config{
+		AccessKey:             creds.AccessKey,
+		AssumeRoleARN:         creds.AssumeRoleARN,
+		AssumeRoleExternalID:  creds.AssumeRoleExternalID,
+		AssumeRolePolicy:      creds.AssumeRolePolicy,
+		AssumeRoleSessionName: creds.AssumeRoleSessionName,
+		SecretKey:             creds.SecretKey,
+		Profile:               creds.Profile,
+		CredsFilename:         expandedCredsFile,
+		Region:                creds.Region,
+	}, nil
+}
+
+// @see https://github.com/hashicorp/aws-sdk-go-base/blob/v0.3.0/session.go#L87
+func formatBaseConfigError(err error) error {
+	if strings.Contains(err.Error(), "No valid credential sources found for AWS Provider") {
+		return errors.New("No valid credential sources found")
+	}
+	return err
+}

aws/client_test.go

@@ -0,0 +1,60 @@
+package aws
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	awsbase "github.com/hashicorp/aws-sdk-go-base"
+	"github.com/mitchellh/go-homedir"
+)
+
+func Test_getBaseConfig(t *testing.T) {
+	home, err := homedir.Expand("~/")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	cases := []struct {
+		Name     string
+		Creds    Credentials
+		Expected *awsbase.Config
+	}{
+		{
+			Name: "static credentials",
+			Creds: Credentials{
+				AccessKey: "AWS_ACCESS_KEY",
+				SecretKey: "AWS_SECRET_KEY",
+				Region:    "us-east-1",
+			},
+			Expected: &awsbase.Config{
+				AccessKey: "AWS_ACCESS_KEY",
+				SecretKey: "AWS_SECRET_KEY",
+				Region:    "us-east-1",
+			},
+		},
+		{
+			Name: "shared credentials",
+			Creds: Credentials{
+				Profile:   "default",
+				CredsFile: "~/.aws/creds",
+				Region:    "us-east-1",
+			},
+			Expected: &awsbase.Config{
+				Profile:       "default",
+				CredsFilename: filepath.Join(home, ".aws", "creds"),
+				Region:        "us-east-1",
+			},
+		},
+	}
+
+	for _, tc := range cases {
+		base, err := getBaseConfig(tc.Creds)
+		if err != nil {
+			t.Fatalf("Failed `%s` test: Unexpected error occurred: %s", tc.Name, err)
+		}
+		if !cmp.Equal(tc.Expected, base) {
+			t.Fatalf("Failed `%s` test: Diff=%s", tc.Name, cmp.Diff(tc.Expected, base))
+		}
+	}
+}