mapping aws_secretsmanager (#279)

PatMyron · web-flow · commit c130bfd45d36 · 2021-12-31T13:35:37.000-08:00
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_policy https://github.com/aws/aws-sdk-go/blob/main/models/apis/secretsmanager/2017-10-17/api-2.json
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -1112,6 +1112,10 @@ These rules enforce best practices and naming conventions:
 |aws_secretsmanager_secret_invalid_name|✔|
 |aws_secretsmanager_secret_invalid_policy|✔|
 |aws_secretsmanager_secret_invalid_rotation_lambda_arn|✔|
+|aws_secretsmanager_secret_policy_invalid_policy|✔|
+|aws_secretsmanager_secret_policy_invalid_secret_arn|✔|
+|aws_secretsmanager_secret_rotation_invalid_rotation_lambda_arn|✔|
+|aws_secretsmanager_secret_rotation_invalid_secret_id|✔|
 |aws_secretsmanager_secret_version_invalid_secret_id|✔|
 |aws_secretsmanager_secret_version_invalid_secret_string|✔|
 |aws_securityhub_action_target_invalid_description|✔|
diff --git a/rules/models/aws_secretsmanager_secret_policy_invalid_policy.go b/rules/models/aws_secretsmanager_secret_policy_invalid_policy.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsSecretsmanagerSecretPolicyInvalidPolicyRule checks the pattern is valid
+type AwsSecretsmanagerSecretPolicyInvalidPolicyRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+}
+
+// NewAwsSecretsmanagerSecretPolicyInvalidPolicyRule returns new rule with default attributes
+func NewAwsSecretsmanagerSecretPolicyInvalidPolicyRule() *AwsSecretsmanagerSecretPolicyInvalidPolicyRule {
+	return &AwsSecretsmanagerSecretPolicyInvalidPolicyRule{
+		resourceType:  "aws_secretsmanager_secret_policy",
+		attributeName: "policy",
+		max:           20480,
+		min:           1,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsSecretsmanagerSecretPolicyInvalidPolicyRule) Name() string {
+	return "aws_secretsmanager_secret_policy_invalid_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsSecretsmanagerSecretPolicyInvalidPolicyRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsSecretsmanagerSecretPolicyInvalidPolicyRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsSecretsmanagerSecretPolicyInvalidPolicyRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsSecretsmanagerSecretPolicyInvalidPolicyRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 20480 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 1 characters or higher",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_secretsmanager_secret_policy_invalid_secret_arn.go b/rules/models/aws_secretsmanager_secret_policy_invalid_secret_arn.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsSecretsmanagerSecretPolicyInvalidSecretArnRule checks the pattern is valid
+type AwsSecretsmanagerSecretPolicyInvalidSecretArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+}
+
+// NewAwsSecretsmanagerSecretPolicyInvalidSecretArnRule returns new rule with default attributes
+func NewAwsSecretsmanagerSecretPolicyInvalidSecretArnRule() *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule {
+	return &AwsSecretsmanagerSecretPolicyInvalidSecretArnRule{
+		resourceType:  "aws_secretsmanager_secret_policy",
+		attributeName: "secret_arn",
+		max:           2048,
+		min:           1,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule) Name() string {
+	return "aws_secretsmanager_secret_policy_invalid_secret_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsSecretsmanagerSecretPolicyInvalidSecretArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"secret_arn must be 2048 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"secret_arn must be 1 characters or higher",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_secretsmanager_secret_rotation_invalid_rotation_lambda_arn.go b/rules/models/aws_secretsmanager_secret_rotation_invalid_rotation_lambda_arn.go
@@ -0,0 +1,67 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule checks the pattern is valid
+type AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+}
+
+// NewAwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule returns new rule with default attributes
+func NewAwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule() *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule {
+	return &AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule{
+		resourceType:  "aws_secretsmanager_secret_rotation",
+		attributeName: "rotation_lambda_arn",
+		max:           2048,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule) Name() string {
+	return "aws_secretsmanager_secret_rotation_invalid_rotation_lambda_arn"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"rotation_lambda_arn must be 2048 characters or less",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/aws_secretsmanager_secret_rotation_invalid_secret_id.go b/rules/models/aws_secretsmanager_secret_rotation_invalid_secret_id.go
@@ -0,0 +1,76 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsSecretsmanagerSecretRotationInvalidSecretIDRule checks the pattern is valid
+type AwsSecretsmanagerSecretRotationInvalidSecretIDRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+}
+
+// NewAwsSecretsmanagerSecretRotationInvalidSecretIDRule returns new rule with default attributes
+func NewAwsSecretsmanagerSecretRotationInvalidSecretIDRule() *AwsSecretsmanagerSecretRotationInvalidSecretIDRule {
+	return &AwsSecretsmanagerSecretRotationInvalidSecretIDRule{
+		resourceType:  "aws_secretsmanager_secret_rotation",
+		attributeName: "secret_id",
+		max:           2048,
+		min:           1,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsSecretsmanagerSecretRotationInvalidSecretIDRule) Name() string {
+	return "aws_secretsmanager_secret_rotation_invalid_secret_id"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsSecretsmanagerSecretRotationInvalidSecretIDRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsSecretsmanagerSecretRotationInvalidSecretIDRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsSecretsmanagerSecretRotationInvalidSecretIDRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsSecretsmanagerSecretRotationInvalidSecretIDRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"secret_id must be 2048 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"secret_id must be 1 characters or higher",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/models/mappings/secretsmanager.hcl b/rules/models/mappings/secretsmanager.hcl
@@ -12,6 +12,17 @@ mapping "aws_secretsmanager_secret" {
   tags                    = TagListType
 }
 
+mapping "aws_secretsmanager_secret_policy" {
+  policy = NonEmptyResourcePolicyType
+  secret_arn = SecretIdType
+}
+
+mapping "aws_secretsmanager_secret_rotation" {
+  secret_id = SecretIdType
+  rotation_lambda_arn = RotationLambdaARNType
+  rotation_rules = RotationRulesType
+}
+
 mapping "aws_secretsmanager_secret_version" {
   secret_id      = SecretIdType
   secret_string  = SecretStringType
diff --git a/rules/models/provider.go b/rules/models/provider.go
@@ -1040,6 +1040,10 @@ var Rules = []tflint.Rule{
 	NewAwsSecretsmanagerSecretInvalidNameRule(),
 	NewAwsSecretsmanagerSecretInvalidPolicyRule(),
 	NewAwsSecretsmanagerSecretInvalidRotationLambdaArnRule(),
+	NewAwsSecretsmanagerSecretPolicyInvalidPolicyRule(),
+	NewAwsSecretsmanagerSecretPolicyInvalidSecretArnRule(),
+	NewAwsSecretsmanagerSecretRotationInvalidRotationLambdaArnRule(),
+	NewAwsSecretsmanagerSecretRotationInvalidSecretIDRule(),
 	NewAwsSecretsmanagerSecretVersionInvalidSecretIDRule(),
 	NewAwsSecretsmanagerSecretVersionInvalidSecretStringRule(),
 	NewAwsSecurityhubActionTargetInvalidDescriptionRule(),
