From 866cc386d4f7a56e694e093dbf473d3fb9850a86 Mon Sep 17 00:00:00 2001
From: lhitchon
Date: Mon, 12 Mar 2018 14:10:30 -0700
Subject: [PATCH] add except handling to terraform and kubernetes linters
---
 cli/kubernetes.go | 26 +++++++++++++++-----------
 cli/terraform.go | 26 +++++++++++++++-----------
 example-files/rules/terraform.yml | 3 +++
 3 files changed, 33 insertions(+), 22 deletions(-)
diff --git a/cli/kubernetes.go b/cli/kubernetes.go
index b5fbe21..858694e 100644
--- a/cli/kubernetes.go
+++ b/cli/kubernetes.go
@@ -60,18 +60,22 @@ func validateKubernetesResources(report *filter.ValidationReport, resources []fi
 log(fmt.Sprintf("Rule %s: %s", rule.Id, rule.Message))
 for _, ruleFilter := range rule.Filters {
 for _, resource := range filterKubernetesResourcesByType(resources, rule.Resource) {
- log(fmt.Sprintf("Checking resource %s", resource.Id))
- status := filter.ApplyFilter(rule, ruleFilter, resource, log)
- if status != "OK" {
- v := filter.Violation{
- RuleId: rule.Id,
- ResourceId: resource.Id,
- ResourceType: resource.Type,
- Status: status,
- Message: rule.Message,
- Filename: resource.Filename,
+ if filter.ExcludeResource(rule, resource) {
+ log(fmt.Sprintf("Ignoring resource %s", resource.Id))
+ } else {
+ log(fmt.Sprintf("Checking resource %s", resource.Id))
+ status := filter.ApplyFilter(rule, ruleFilter, resource, log)
+ if status != "OK" {
+ v := filter.Violation{
+ RuleId: rule.Id,
+ ResourceId: resource.Id,
+ ResourceType: resource.Type,
+ Status: status,
+ Message: rule.Message,
+ Filename: resource.Filename,
+ }
+ report.Violations[status] = append(report.Violations[status], v)
 }
- report.Violations[status] = append(report.Violations[status], v)
 }
 }
 }
diff --git a/cli/terraform.go b/cli/terraform.go
index 19ae6b8..673e2d2 100644
--- a/cli/terraform.go
+++ b/cli/terraform.go
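Review bot: Resources matched by a rule's `except` list disappear from the ValidationReport with nothing but a log line, because the added `filter.ExcludeResource` branch only calls `log`, so a reader of the report cannot distinguish a resource that passed from one that was waived. Since `except` is effectively a policy bypass, it is worth recording the waiver in the report as well, for example under a dedicated key such as `report.Violations["EXCLUDED"]` (the map is already keyed by status string) or at least a count, so that exemptions stay auditable per rule and resource. A smaller point: the check sits inside the `for _, ruleFilter := range rule.Filters` loop, so `Ignoring resource %s` is logged once per filter of the rule rather than once per resource. validateKubernetesResources begins before this hunk and, judging by the closing braces, continues past it.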
@@ -88,18 +88,22 @@ func validateTerraformResources(report *filter.ValidationReport, resources []fil
 log(fmt.Sprintf("Rule %s: %s", rule.Id, rule.Message))
 for _, ruleFilter := range rule.Filters {
 for _, resource := range filterTerraformResourcesByType(resources, rule.Resource) {
- log(fmt.Sprintf("Checking resource %s", resource.Id))
- status := filter.ApplyFilter(rule, ruleFilter, resource, log)
- if status != "OK" {
- v := filter.Violation{
- RuleId: rule.Id,
- ResourceId: resource.Id,
- ResourceType: resource.Type,
- Status: status,
- Message: rule.Message,
- Filename: resource.Filename,
+ if filter.ExcludeResource(rule, resource) {
+ log(fmt.Sprintf("Ignoring resource %s", resource.Id))
+ } else {
+ log(fmt.Sprintf("Checking resource %s", resource.Id))
+ status := filter.ApplyFilter(rule, ruleFilter, resource, log)
+ if status != "OK" {
+ v := filter.Violation{
+ RuleId: rule.Id,
+ ResourceId: resource.Id,
+ ResourceType: resource.Type,
+ Status: status,
+ Message: rule.Message,
+ Filename: resource.Filename,
+ }
+ report.Violations[status] = append(report.Violations[status], v)
 }
- report.Violations[status] = append(report.Violations[status], v)
 }
 }
 }
diff --git a/example-files/rules/terraform.yml b/example-files/rules/terraform.yml
index 5cb0114..3bf8ce9 100644
--- a/example-files/rules/terraform.yml
+++ b/example-files/rules/terraform.yml
@@ -29,6 +29,9 @@ Rules:
 - id: R3
 message: Department tag is not valid
 resource: aws_instance
+ except:
+ - foo
+ - third
 filters:
 - type: value
 key: "tags[].Department | [0]"
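Review bot: The new exclusion wraps the entire existing check in an `else` block, pushing the happy path one level deeper; a guard that skips the resource keeps the original body where it was: `if filter.ExcludeResource(rule, resource) { log(fmt.Sprintf("Ignoring resource %s", resource.Id)); continue }` written across the usual lines. The loop body in this hunk is identical to the one added in cli/kubernetes.go except for the resource-filtering helper, so moving it into one shared function in the filter package (taking the already-filtered resources) would keep the two linters from drifting — relevant here because an exclusion rule honoured in one linter and forgotten in the other would silently weaken one set of checks. validateTerraformResources starts before this hunk and continues after it.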
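Review bot: Nothing in the example says what the new `except:` entries match against, and the function that consumes them (filter.ExcludeResource) is not in this diff, so a reader cannot tell whether `foo` and `third` are resource ids, names or something else; the log line in cli/terraform.go prints `resource.Id`, which suggests ids, but that should be confirmed. Because Terraform resource names are chosen by the author of the configuration being linted, an id- or name-based waiver is something any author can claim simply by naming a resource to match, so the example should say so; I would add above `except:` a comment such as `# except: resources exempt from this rule (matched by resource id — verify); any author can name a resource to match, so keep this list short and reviewed`.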