mapping aws_kms (#278)

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_replica_external_key
https://github.com/aws/aws-sdk-go/blob/main/models/apis/kms/2014-11-01/api-2.json

Author: PatMyron

docs/rules/README.md

@@ -801,6 +801,10 @@ These rules enforce best practices and naming conventions:
 |aws_kms_key_invalid_description|✔|
 |aws_kms_key_invalid_key_usage|✔|
 |aws_kms_key_invalid_policy|✔|
+|aws_kms_replica_external_key_invalid_description|✔|
+|aws_kms_replica_external_key_invalid_policy|✔|
+|aws_kms_replica_key_invalid_description|✔|
+|aws_kms_replica_key_invalid_policy|✔|
 |aws_lakeformation_resource_invalid_role_arn|✔|
 |aws_lambda_alias_invalid_description|✔|
 |aws_lambda_alias_invalid_function_name|✔|

rules/models/aws_kms_replica_external_key_invalid_description.go

@@ -0,0 +1,67 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsKmsReplicaExternalKeyInvalidDescriptionRule checks the pattern is valid
+type AwsKmsReplicaExternalKeyInvalidDescriptionRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+}
+
+// NewAwsKmsReplicaExternalKeyInvalidDescriptionRule returns new rule with default attributes
+func NewAwsKmsReplicaExternalKeyInvalidDescriptionRule() *AwsKmsReplicaExternalKeyInvalidDescriptionRule {
+	return &AwsKmsReplicaExternalKeyInvalidDescriptionRule{
+		resourceType:  "aws_kms_replica_external_key",
+		attributeName: "description",
+		max:           8192,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsKmsReplicaExternalKeyInvalidDescriptionRule) Name() string {
+	return "aws_kms_replica_external_key_invalid_description"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsKmsReplicaExternalKeyInvalidDescriptionRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsKmsReplicaExternalKeyInvalidDescriptionRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsKmsReplicaExternalKeyInvalidDescriptionRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsKmsReplicaExternalKeyInvalidDescriptionRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"description must be 8192 characters or less",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/aws_kms_replica_external_key_invalid_policy.go

@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsKmsReplicaExternalKeyInvalidPolicyRule checks the pattern is valid
+type AwsKmsReplicaExternalKeyInvalidPolicyRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsKmsReplicaExternalKeyInvalidPolicyRule returns new rule with default attributes
+func NewAwsKmsReplicaExternalKeyInvalidPolicyRule() *AwsKmsReplicaExternalKeyInvalidPolicyRule {
+	return &AwsKmsReplicaExternalKeyInvalidPolicyRule{
+		resourceType:  "aws_kms_replica_external_key",
+		attributeName: "policy",
+		max:           131072,
+		min:           1,
+		pattern:       regexp.MustCompile(`^[\x{0009}\x{000A}\x{000D}\x{0020}-\x{00FF}]+$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsKmsReplicaExternalKeyInvalidPolicyRule) Name() string {
+	return "aws_kms_replica_external_key_invalid_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsKmsReplicaExternalKeyInvalidPolicyRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsKmsReplicaExternalKeyInvalidPolicyRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsKmsReplicaExternalKeyInvalidPolicyRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsKmsReplicaExternalKeyInvalidPolicyRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 131072 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 1 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[\x{0009}\x{000A}\x{000D}\x{0020}-\x{00FF}]+$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/aws_kms_replica_key_invalid_description.go

@@ -0,0 +1,67 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"log"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsKmsReplicaKeyInvalidDescriptionRule checks the pattern is valid
+type AwsKmsReplicaKeyInvalidDescriptionRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+}
+
+// NewAwsKmsReplicaKeyInvalidDescriptionRule returns new rule with default attributes
+func NewAwsKmsReplicaKeyInvalidDescriptionRule() *AwsKmsReplicaKeyInvalidDescriptionRule {
+	return &AwsKmsReplicaKeyInvalidDescriptionRule{
+		resourceType:  "aws_kms_replica_key",
+		attributeName: "description",
+		max:           8192,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsKmsReplicaKeyInvalidDescriptionRule) Name() string {
+	return "aws_kms_replica_key_invalid_description"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsKmsReplicaKeyInvalidDescriptionRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsKmsReplicaKeyInvalidDescriptionRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsKmsReplicaKeyInvalidDescriptionRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsKmsReplicaKeyInvalidDescriptionRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"description must be 8192 characters or less",
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/aws_kms_replica_key_invalid_policy.go

@@ -0,0 +1,87 @@
+// This file generated by `generator/`. DO NOT EDIT
+
+package models
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// AwsKmsReplicaKeyInvalidPolicyRule checks the pattern is valid
+type AwsKmsReplicaKeyInvalidPolicyRule struct {
+	resourceType  string
+	attributeName string
+	max           int
+	min           int
+	pattern       *regexp.Regexp
+}
+
+// NewAwsKmsReplicaKeyInvalidPolicyRule returns new rule with default attributes
+func NewAwsKmsReplicaKeyInvalidPolicyRule() *AwsKmsReplicaKeyInvalidPolicyRule {
+	return &AwsKmsReplicaKeyInvalidPolicyRule{
+		resourceType:  "aws_kms_replica_key",
+		attributeName: "policy",
+		max:           131072,
+		min:           1,
+		pattern:       regexp.MustCompile(`^[\x{0009}\x{000A}\x{000D}\x{0020}-\x{00FF}]+$`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsKmsReplicaKeyInvalidPolicyRule) Name() string {
+	return "aws_kms_replica_key_invalid_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsKmsReplicaKeyInvalidPolicyRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsKmsReplicaKeyInvalidPolicyRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsKmsReplicaKeyInvalidPolicyRule) Link() string {
+	return ""
+}
+
+// Check checks the pattern is valid
+func (r *AwsKmsReplicaKeyInvalidPolicyRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var val string
+		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
+
+		return runner.EnsureNoError(err, func() error {
+			if len(val) > r.max {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 131072 characters or less",
+					attribute.Expr,
+				)
+			}
+			if len(val) < r.min {
+				runner.EmitIssueOnExpr(
+					r,
+					"policy must be 1 characters or higher",
+					attribute.Expr,
+				)
+			}
+			if !r.pattern.MatchString(val) {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf(`"%s" does not match valid pattern %s`, truncateLongMessage(val), `^[\x{0009}\x{000A}\x{000D}\x{0020}-\x{00FF}]+$`),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}

rules/models/mappings/kms.hcl

@@ -42,3 +42,18 @@ mapping "aws_kms_key" {
   enable_key_rotation     = BooleanType
   tags                    = TagList
 }
+
+mapping "aws_kms_replica_external_key" {
+  deletion_window_in_days = PendingWindowInDaysType
+  description = DescriptionType
+  policy = PolicyType
+  tags = TagList
+  valid_to = DateType
+}
+
+mapping "aws_kms_replica_key" {
+  deletion_window_in_days = PendingWindowInDaysType
+  description = DescriptionType
+  policy = PolicyType
+  tags = TagList
+}

rules/models/provider.go

@@ -729,6 +729,10 @@ var Rules = []tflint.Rule{
 	NewAwsKmsKeyInvalidDescriptionRule(),
 	NewAwsKmsKeyInvalidKeyUsageRule(),
 	NewAwsKmsKeyInvalidPolicyRule(),
+	NewAwsKmsReplicaExternalKeyInvalidDescriptionRule(),
+	NewAwsKmsReplicaExternalKeyInvalidPolicyRule(),
+	NewAwsKmsReplicaKeyInvalidDescriptionRule(),
+	NewAwsKmsReplicaKeyInvalidPolicyRule(),
 	NewAwsLakeformationResourceInvalidRoleArnRule(),
 	NewAwsLambdaAliasInvalidDescriptionRule(),
 	NewAwsLambdaAliasInvalidFunctionNameRule(),