import terraform_validate
import unittest
import os
import sys
class TestAWSResources(unittest.TestCase):
# This list contains the resource types where rules should be applied
# It's a subset of main identities related to most common services.
# See https://www.terraform.io/docs/providers/aws
AWS_RESOURCES = [
"aws_ami",
"aws_autoscaling_group",
"aws_cloudformation_stack",
"aws_cloudfront_distribution",
"aws_cloudwatch_dashboard",
"aws_config_config_rule",
"aws_db_instance",
"aws_db_snapshot",
"aws_ebs_snapshot",
"aws_ebs_volume",
"aws_ecr_cluster",
"aws_ecs_cluster",
"aws_efs_file_system",
"aws_eip",
"aws_elastic_beanstalk_application",
"aws_elasticache_cluster",
"aws_elasticsearch_domain",
"aws_emr_cluster",
"aws_iam_access_key",
"aws_iam_group",
"aws_iam_policy",
"aws_iam_role",
"aws_iam_role_policy",
"aws_iam_user",
"aws_instance",
"aws_key_pair",
"aws_kms_key",
"aws_lambda_function",
"aws_launch_configuration",
"aws_lb",
"aws_rds_cluster",
"aws_route53_zone",
"aws_s3_bucket",
"aws_security_group",
"aws_sns_topic",
"aws_subnet",
"aws_vpc"
]
# This is the list of required tags
REQUIRED_TAGS = [
"Name",
"Description",
"Owner",
"Provisioner"
]
def setUp(self):
# tfrules.sh provides the directory of the terraform files as argument
terraform_directory = sys.argv[1]
# Tell the module where to find your terraform configuration folder
self.path = terraform_directory
self.v = terraform_validate.Validator(self.path)
def test_tags(self):
# Assert that all resources of these types have the required tags
self.v.resources(self.AWS_RESOURCES).property('tags').should_have_properties(self.REQUIRED_TAGS)
def test_naming(self):
# Assert that all resources of these types doesnt include/repeat the resource type on the resource name
# We check agains a list of names not including the "aws_" preffix used by Terraform. Therefore, instead
# of just check if "aws_iam_group" is part of the name, we check against the use of "iam_group"
check_list = []
for aws_resource in self.AWS_RESOURCES:
check_resource = aws_resource.replace("aws_", "")
check_list.append(check_resource)
self.v.resources(self.AWS_RESOURCES).property('name').list_should_not_contain(check_list)
# NOTE: The above checking is just for the "name" property of the resource, but doesn't check
# the Terraform's resource name. That check is performed below.
resources = self.v.resources(self.AWS_RESOURCES).resource_list
errors = []
for resource in resources:
for check_item in check_list:
if check_item in resource.name:
errors.append("'{0}' name should not include '{1}'".format(resource.name, check_item))
if len(errors) > 0:
raise AssertionError("\n".join(sorted(errors)))
if __name__ == '__main__':
    # Run the suite directly so the calling shell (pre-commit) receives a
    # plain success/failure exit status.
    loader = unittest.TestLoader()
    test_suite = loader.loadTestsFromTestCase(TestAWSResources)
    outcome = unittest.TextTestRunner(verbosity=0).run(test_suite)
    # Exit status 0 when every test passed, 1 on any failure or error.
    sys.exit(0 if outcome.wasSuccessful() else 1)