tflint's Issues

tflint crashes when used with --deep

V.0.3.5 on MacOS Sierra, installed via brew.

Log output:

Panic: interface conversion: interface {} is *evaluator.Evaluator, not string
-> 0: main.main.func1: /main.go(17)
-> 1: runtime.call32: /asm_amd64.s(514)
-> 2: runtime.gopanic: /panic.go(489)
-> 3: runtime.panicdottype: /iface.go(172)
-> 4: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalOutput).Eval: /eval.go(399)
-> 5: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).visit: /eval.go(207)
-> 6: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).(github.com/wata727/tflint/vendor/github.com/hashicorp/hil.visit)-fm: /eval.go(167)
-> 7: github.com/wata727/tflint/vendor/github.com/hashicorp/hil/ast.(*Output).Accept: /output.go(23)
-> 8: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).Visit: /eval.go(167)
-> 9: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.internalEval: /eval.go(145)
-> 10: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.Eval: /eval.go(52)
-> 11: github.com/wata727/tflint/evaluator.(*Evaluator).Eval: /evaluator.go(65)
-> 12: github.com/wata727/tflint/detector.(*Detector).evalToString: /detector.go(222)
-> 13: github.com/wata727/tflint/detector.(*AwsInstanceInvalidAMIDetector).Detect: /aws_instance_invalid_ami.go(47)
-> 14: runtime.call64: /asm_amd64.s(515)
-> 15: reflect.Value.call: /value.go(434)
-> 16: reflect.Value.Call: /value.go(302)
-> 17: github.com/wata727/tflint/detector.(*Detector).detect: /detector.go(216)
-> 18: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(170)
-> 19: main.(*CLI).Run: /cli.go(116)
-> 20: main.main: /main.go(30)
-> 21: runtime.main: /proc.go(185)
-> 22: runtime.goexit: /asm_amd64.s(2197)

TFLint crached... :(

////////////
It crashes on this minimalistic terraform file:

module "saras_ec2" {
ami = "${module.first_ima.id}"
name = "saras_ec2"
instance_type = "t2.nano"
subnet_id = "${module.first_private_subnet.id}"
source = "./modules/ec2"
security_groups = "${module.first_sg.id}"
}
////////////
It works fine without the --deep option, and provides this output for the same file:

./modules/ec2/main.tf
NOTICE:35 "iam_instance_profile" is not specified. If you want to change it, you need to recreate instance. (Only less than Terraform 0.8.8)

Result: 1 issues (0 errors , 0 warnings , 1 notices)

Problem running tflint v0.5.0 on alpine linux

Hi there.

I was very excited to test the new version of tflint on our project as it ran on my machine so I decided to put it on our CI. Unfortunately things didn't go well :/
Long story short: I think there was something different/strange regarding linking libraries when generating this new version.

These are some steps one can do to reproduce the issue:

Version 0.4.3 - Everything working

$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.6
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.4.3/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
Awesome! Your code is following the best practices :)

# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, with debug_info, not stripped

# ldd /usr/local/bin/tflint
ldd: /usr/local/bin/tflint: Not a valid dynamic program

Version 0.5.0 - with terraform 0.10.6

$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.6
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.5.0/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
/bin/sh: tflint: not found

# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, with debug_info, not stripped

# ldd /usr/local/bin/tflint
        /lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x5605e5ca0000)
Error relocating /usr/local/bin/tflint: __vfprintf_chk: symbol not found
Error relocating /usr/local/bin/tflint: __fprintf_chk: symbol not found

Version 0.5.0 - with terraform 0.10.7

$ docker run --entrypoint /bin/sh -ti hashicorp/terraform:0.10.7
# curl -L -o /tmp/tflint.zip https://github.com/wata727/tflint/releases/download/v0.5.0/tflint_linux_amd64.zip && unzip /tmp/tflint.zip -d /usr/local/bin
...
# tflint
/bin/sh: tflint: not found

# apk add --upgrade file
...
# file /usr/local/bin/tflint
/usr/local/bin/tflint: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, with debug_info, not stripped

# ldd /usr/local/bin/tflint
        /lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
        libpthread.so.0 => /lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
        libc.so.6 => /lib64/ld-linux-x86-64.so.2 (0x55e51813d000)
Error relocating /usr/local/bin/tflint: __vfprintf_chk: symbol not found
Error relocating /usr/local/bin/tflint: __fprintf_chk: symbol not found

Please ping if there is something I can do to help.
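The `file` and `ldd` output above is the whole story: the v0.4.3 binary had no interpreter and no shared-library dependencies, while v0.5.0 asks for the glibc loader (`/lib64/ld-linux-x86-64.so.2`) and fortified glibc symbols that musl on Alpine does not provide. The script below is an added example, not part of this issue or of tflint; it reads the ELF program headers directly (so it works in an image without `file` or `readelf`) and can gate a CI step before a downloaded release artifact is copied into a musl-based image. The glibc-versus-musl heuristic (`ld-linux` loader name, `libc.so.6` soname) is an assumption, and the ELF image built by `build_sample_elf` is a constructed test input, not a real binary.

```python
import struct
import sys

# Program-header types and dynamic-section tags from the ELF specification.
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5

EHDR = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"          # Elf64_Phdr
DYN = "<qQ"                 # Elf64_Dyn


def _cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def inspect_elf(data: bytes) -> dict:
    """Return linking kind, PT_INTERP path and DT_NEEDED names of an ELF64 image.

    A Go binary built without cgo carries neither PT_INTERP nor PT_DYNAMIC
    ("statically linked" in `file` output); one that links glibc carries the
    glibc loader path and the shared objects the loader must resolve.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]

    loads, interp, dyn = [], None, None
    for i in range(phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)

    def file_offset(vaddr: int) -> int:
        # DT_STRTAB holds a virtual address; map it back through the PT_LOAD segments.
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError(f"address {vaddr:#x} is not backed by a PT_LOAD segment")

    needed_offsets, strtab = [], None
    if dyn is not None:
        start, size = dyn
        for pos in range(start, start + size, struct.calcsize(DYN)):
            tag, val = struct.unpack_from(DYN, data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_NEEDED:
                needed_offsets.append(val)
            elif tag == DT_STRTAB:
                strtab = file_offset(val)
    needed = [_cstring(data, strtab + o) for o in needed_offsets] if strtab is not None else []
    linking = "static" if interp is None and dyn is None else "dynamic"
    return {"linking": linking, "interpreter": interp, "needed": needed}


def needs_glibc(info: dict) -> bool:
    """Heuristic (assumption): glibc's loader is named ld-linux*, musl's ld-musl*,
    and libc.so.6 is the glibc soname while musl's libc is libc.musl-*.so.1."""
    return "ld-linux" in (info["interpreter"] or "") or "libc.so.6" in info["needed"]


def build_sample_elf(interp, needed) -> bytes:
    """Constructed test image: only the headers inspect_elf reads, not a runnable program."""
    base, image, phdrs = 0x400000, bytearray(1024), []
    if interp is not None:
        s = interp.encode() + b"\0"
        image[256:256 + len(s)] = s
        phdrs.append((PT_INTERP, 256, base + 256, len(s)))
    if interp is not None or needed:
        strtab, offsets = bytearray(b"\0"), []
        for name in needed:
            offsets.append(len(strtab))
            strtab += name.encode() + b"\0"
        image[512:512 + len(strtab)] = strtab
        entries = b"".join(struct.pack(DYN, DT_NEEDED, o) for o in offsets)
        entries += struct.pack(DYN, DT_STRTAB, base + 512) + struct.pack(DYN, DT_NULL, 0)
        image[768:768 + len(entries)] = entries
        phdrs.append((PT_DYNAMIC, 768, base + 768, len(entries)))
    phdrs.append((PT_LOAD, 0, base, len(image)))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, little-endian, EV_CURRENT
    struct.pack_into(EHDR, image, 0, ident, 2, 62, 1, base, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    for i, (p_type, off, vaddr, size) in enumerate(phdrs):
        struct.pack_into(PHDR, image, 64 + i * 56, p_type, 5, off, vaddr, vaddr, size, size, 0x1000)
    return bytes(image)


if __name__ == "__main__":
    # Usage: python elf_check.py /usr/local/bin/tflint  (exit 1 if the binary needs glibc)
    with open(sys.argv[1], "rb") as f:
        info = inspect_elf(f.read())
    print(info)
    sys.exit(1 if needs_glibc(info) else 0)
```

Run it against the unzipped binary inside the same image that will execute it; a non-zero exit means the artifact will fail exactly as shown above, before it reaches a pipeline step.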

Question - Is it possible to ignore rules by resource/file?

The config settings for ignoring rules seem to be per-project. Is it possible to ignore rules per-file or per-resource?

I have a set of existing resources that break some of the recommendations -- I'd like to catch if I add something that breaks these, but that's hard to spot with the baseline noise that comes from the existing resources.

CloudWatch Unit Linting?

Hi there! Just stumbled across this project when it got added to the Visual Studio Code Terraform plugin. Awesome idea!

Question: is the following apply error on an aws_cloudwatch_metric_alarm incorrect unit something this project would support? If so, would you implement it or accept a pull request? Thanks!

* aws_cloudwatch_metric_alarm.rds-writer-memory: Creating metric alarm failed: ValidationError: 1 validation error detected: Value 'GB' at 'unit' failed to satisfy constraint: Member must satisfy enum value set: [Gigabits/Second, Gigabits, Percent, Terabits, Bits, Kilobits, Megabytes/Second, Kilobytes, Megabits/Second, Terabytes, Bytes, Count, Gigabytes, Milliseconds, Count/Second, Gigabytes/Second, None, Terabytes/Second, Bytes/Second, Megabits, Kilobytes/Second, Megabytes, Microseconds, Kilobits/Second, Terabits/Second, Bits/Second, Seconds]
	status code: 400, request id: --OMITTED--

Here's the configuration that generated the error (note unit field, changing to Gigabytes worked):

resource "aws_cloudwatch_metric_alarm" "rds-writer-memory" {
  alarm_name = "${var.env}-rds-writer-memory"

  alarm_actions = [
    "${data.aws_sns_topic.PagerDuty.arn}",
  ]

  comparison_operator = "LessThanOrEqualToThreshold"
  evaluation_periods  = "2"
  metric_name         = "FreeableMemory"
  namespace           = "AWS/RDS"

  ok_actions = [
    "${data.aws_sns_topic.PagerDuty.arn}",
  ]

  period    = "300"
  statistic = "Average"
  threshold = "1"
  unit      = "GB"

  dimensions = {
    DBClusterIdentifier = "${aws_rds_cluster.rds.cluster_identifier}"
    Role               = "WRITER"
  }
}

tflint crashed

This is what I've got

Panic: interface conversion: interface {} is int, not string
 -> 0: main.main.func1: /main.go(17)
 -> 1: runtime.call32: /asm_amd64.s(514)
 -> 2: runtime.gopanic: /panic.go(489)
 -> 3: runtime.panicdottype: /iface.go(172)
 -> 4: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalOutput).Eval: /eval.go(399)
 -> 5: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).visit: /eval.go(207)
 -> 6: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).(github.com/wata727/tflint/vendor/github.com/hashicorp/hil.visit)-fm: /eval.go(167)
 -> 7: github.com/wata727/tflint/vendor/github.com/hashicorp/hil/ast.(*Output).Accept: /output.go(23)
 -> 8: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.(*evalVisitor).Visit: /eval.go(167)
 -> 9: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.internalEval: /eval.go(145)
 -> 10: github.com/wata727/tflint/vendor/github.com/hashicorp/hil.Eval: /eval.go(52)
 -> 11: github.com/wata727/tflint/evaluator.(*Evaluator).Eval: /evaluator.go(67)
 -> 12: github.com/wata727/tflint/evaluator.(*Evaluator).evalModuleAttr: /module.go(44)
 -> 13: github.com/wata727/tflint/evaluator.(*Evaluator).initModule: /module.go(24)
 -> 14: github.com/wata727/tflint/evaluator.NewEvaluator: /evaluator.go(35)
 -> 15: github.com/wata727/tflint/detector.NewDetector: /detector.go(88)
 -> 16: main.(*CLI).Run: /cli.go(116)
 -> 17: main.main: /main.go(30)
 -> 18: runtime.main: /proc.go(185)
 -> 19: runtime.goexit: /asm_amd64.s(2197)

TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues

version 0.4.0

not sure if I need to attach anything else to help debugging this

tflint should maybe catch invalid AWS Route Table names

If the AWS API requires strict formatting then maybe tflint could/should catch this?
tflint and terraform plan completed successfully but terraform apply produced:


2 error(s) occurred:

* aws_route.nat-ngw-a: 1 error(s) occurred:

* aws_route.nat-ngw-a: Error creating route: InvalidRouteTableId.Malformed: Invalid id: "rtb-nat-gw-a"
	status code: 400, request id: 9eff0fe5-d8ec-468d-98a8-bd4b72ebe851
* aws_route.nat-ngw-b: 1 error(s) occurred:

* aws_route.nat-ngw-b: Error creating route: InvalidRouteTableId.Malformed: Invalid id: "rtb-nat-gw-b"
	status code: 400, request id: 8c0392c6-dd45-4f38-851f-7f316f84e589
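Both the CloudWatch `unit` error and the malformed route table ID above are literal values that a linter can reject before `terraform apply` does. The script below is an added example written for this page, not tflint's own code (tflint has `aws_cloudwatch_metric_alarm_invalid_unit` and `aws_route_invalid_route_table` rules, but this is not their implementation): it scans HCL text for `resource` blocks and checks only literal string attributes, deliberately skipping `${...}` interpolations, because a module output or remote-state value is not knowable without state and judging it statically is what produces false errors. The unit list is copied from the ValidationError quoted above; the route table ID pattern (`rtb-` plus 8 or 17 hex digits) is an assumption, and `SAMPLE` is a constructed configuration.

```python
import re

# Unit names accepted by CloudWatch PutMetricAlarm, copied from the ValidationError above.
VALID_UNITS = {
    "Seconds", "Microseconds", "Milliseconds", "Bytes", "Kilobytes", "Megabytes",
    "Gigabytes", "Terabytes", "Bits", "Kilobits", "Megabits", "Gigabits", "Terabits",
    "Percent", "Count", "Bytes/Second", "Kilobytes/Second", "Megabytes/Second",
    "Gigabytes/Second", "Terabytes/Second", "Bits/Second", "Kilobits/Second",
    "Megabits/Second", "Gigabits/Second", "Terabits/Second", "Count/Second", "None",
}
# EC2 route table IDs: "rtb-" plus 8 or 17 lowercase hex digits (assumption about the
# AWS resource-ID format; "rtb-nat-gw-a" from the issue is a name, not an ID).
ROUTE_TABLE_ID = re.compile(r"^rtb-(?:[0-9a-f]{8}|[0-9a-f]{17})$")

RESOURCE_RE = re.compile(r'^\s*resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
ATTR_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"')


def check_attribute(rtype: str, key: str, value: str):
    """Return a finding for a literal attribute value, or None if it passes."""
    if "${" in value:
        # Interpolations (module outputs, remote state, data sources) are only known
        # after apply; a static check cannot judge them, so they are skipped.
        return None
    if rtype == "aws_cloudwatch_metric_alarm" and key == "unit" and value not in VALID_UNITS:
        return f'"{value}" is not a valid CloudWatch unit'
    if rtype == "aws_route" and key == "route_table_id" and not ROUTE_TABLE_ID.match(value):
        return f'"{value}" is not a well-formed route table ID'
    return None


def lint(text: str) -> list:
    """Scan HCL text line by line; returns [(line_no, message), ...].

    Block tracking counts braces per line, which is enough for the
    `key = "value"` and nested `name { ... }` forms used in the sample.
    """
    findings, current, depth = [], None, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RESOURCE_RE.match(line)
        if m and current is None:
            current = (m.group(1), m.group(2))
        elif current is not None:
            a = ATTR_RE.match(line)
            if a:
                msg = check_attribute(current[0], a.group(1), a.group(2))
                if msg:
                    findings.append((lineno, f"{current[0]}.{current[1]}: {msg}"))
        depth += line.count("{") - line.count("}")
        if current is not None and depth == 0:
            current = None
    return findings


# Constructed sample: the alarm from the issue above (trimmed) plus three aws_route
# resources: a malformed literal ID, a well-formed literal ID, and a module reference.
SAMPLE = '''\
resource "aws_cloudwatch_metric_alarm" "rds-writer-memory" {
  alarm_name          = "rds-writer-memory"
  comparison_operator = "LessThanOrEqualToThreshold"
  evaluation_periods  = "2"
  metric_name         = "FreeableMemory"
  namespace           = "AWS/RDS"
  period              = "300"
  statistic           = "Average"
  threshold           = "1"
  unit                = "GB"

  dimensions = {
    Role = "WRITER"
  }
}

resource "aws_route" "nat-ngw-a" {
  route_table_id         = "rtb-nat-gw-a"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${aws_nat_gateway.a.id}"
}

resource "aws_route" "good" {
  route_table_id         = "rtb-0123abcd"
  destination_cidr_block = "0.0.0.0/0"
}

resource "aws_route" "from_module" {
  route_table_id         = "${module.apptier_1_route_table.route_table_id}"
  destination_cidr_block = "0.0.0.0/0"
}
'''

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print(f"ERROR:{lineno} {msg}")
```

On `SAMPLE` this reports line 10 (`unit = "GB"`) and line 18 (`rtb-nat-gw-a`) and stays silent on the module reference, which is the behaviour the false-positive reports further down this page are asking for.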

`terraform version` options

For example, if you use the latest Terraform version, you do not have to think about the aws_instance_not_specified_iam_profile rule. (In the new Terraform, it is possible to replace the IAM profile later.)

For this purpose we introduce terraform_version in the configuration file. This option will optimize issues.

tflint produces error for existing IAM instance profile

I have a resource set like this:

resource "aws_instance" "ec2" {
	ami = "${var.ami}"
	instance_type = "${var.instance_type}"
	subnet_id = "${var.app_subnet}"
	vpc_security_group_ids = ["${aws_security_group.vnow_sg.id}"]
	key_name = "${var.ssh_key}"
	root_block_device {
		volume_type = "standard"
		volume_size = "${var.volume_size}"
		delete_on_termination = true
	}
	iam_instance_profile = "${var.instance_profile}"
	associate_public_ip_address = false
	user_data = "${data.template_file.user_data.rendered}"
	tags {
		Name = "${var.tag_name}"
		Owner = "${var.tag_owner}"
		ExpirationDate = "${var.tag_date}"
	}

}

In terraform.tfvars file I have set the instance profile. When I run tflint this is the output.

instance.tf
	ERROR:12 "s3accesstoec2" is invalid IAM profile name.

Result: 1 issues  (1 errors , 0 warnings , 0 notices)

but the instance profile already exists as per the aws cli command

aws iam list-instance-profiles | grep s3accesstoec2

O/P

                    "RoleName": "s3accesstoec2", 
                    "Arn": "arn:aws:iam::111111111111:role/s3accesstoec2"
            "InstanceProfileName": "s3accesstoec2", 
            "Arn": "arn:aws:iam::111111111111:instance-profile/s3accesstoec2"

Support environment variable variables

I have been trying to use tflint but hit a roadblock when loading variables from env vars

> TF_VAR_THIS_THING=foo tflint
1:3: unknown variable accessed: var.THIS_THING
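For readers unsure what a tool has to do to honour `TF_VAR_*`, the following is an added example, not tflint's code or Terraform's: it resolves declared variables from the two sources in play here, applying Terraform's documented precedence (environment variables rank below `terraform.tfvars`) and keeping names case-sensitive, so `TF_VAR_THIS_THING` feeds `var.THIS_THING` and nothing else. The simplified tfvars parser (quoted string values and `#` comments only) and the sample inputs are assumptions made for the example.

```python
import os
import re

TFVARS_LINE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')


def parse_tfvars(text: str) -> dict:
    """Parse `name = "value"` string assignments from a terraform.tfvars file.

    Example simplification: only quoted string values and `#` comments are handled.
    """
    values = {}
    for raw in text.splitlines():
        m = TFVARS_LINE.match(raw.split("#", 1)[0])
        if m:
            values[m.group(1)] = m.group(2)
    return values


def resolve_variables(declared: dict, tfvars_text: str = "", environ=None):
    """Resolve each declared variable (name -> default or None).

    Precedence, lowest to highest: declared default, TF_VAR_<name> in the
    environment, terraform.tfvars. Only declared names are looked up at all,
    and the lookup is case-sensitive. Returns (resolved, unresolved_names).
    """
    environ = os.environ if environ is None else environ
    file_values = parse_tfvars(tfvars_text)
    resolved, unresolved = {}, []
    for name, default in declared.items():
        if name in file_values:
            resolved[name] = file_values[name]
        elif f"TF_VAR_{name}" in environ:
            resolved[name] = environ[f"TF_VAR_{name}"]
        elif default is not None:
            resolved[name] = default
        else:
            unresolved.append(name)  # surfaces as an error rather than a silent empty value
    return resolved, unresolved


if __name__ == "__main__":
    # Constructed inputs: two declared variables, one file value, one env value.
    declared = {"THIS_THING": None, "region": "us-east-1"}
    env = {"TF_VAR_THIS_THING": "foo", "TF_VAR_region": "ap-south-1"}
    print(resolve_variables(declared, 'region = "eu-west-1"\n', env))
```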

Remove dependency in brew package

It's common to use tfenv to manage terraform, $ brew install tfenv instead of just installing terraform versions

the brew package for tflint has a dependency on terraform:

$ brew install tflint
==> Installing tflint from wata727/tflint
==> Installing dependencies for wata727/tflint/tflint: go, glide, terraform
==> Installing wata727/tflint/tflint dependency: go
==> Downloading https://homebrew.bintray.com/bottles/go-1.9.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring go-1.9.sierra.bottle.tar.gz
==> Caveats
A valid GOPATH is required to use the `go get` command.
If $GOPATH is not specified, $HOME/go will be used by default:
  https://golang.org/doc/code.html#GOPATH

You may wish to add the GOROOT-based install location to your PATH:
  export PATH=$PATH:/usr/local/opt/go/libexec/bin
==> Summary
๐Ÿบ  /usr/local/Cellar/go/1.9: 7,639 files, 293.7MB
==> Installing wata727/tflint/tflint dependency: glide
==> Downloading https://homebrew.bintray.com/bottles/glide-0.12.3.sierra.bottle.tar.gz
######################################################################## 100.0%
==> Pouring glide-0.12.3.sierra.bottle.tar.gz
๐Ÿบ  /usr/local/Cellar/glide/0.12.3: 6 files, 10MB
==> Installing wata727/tflint/tflint dependency: terraform
Error: Cannot install terraform because conflicting formulae are installed.
  tfenv: because tfenv symlinks terraform binaries

Please `brew unlink tfenv` before continuing.

Unlinking removes a formula's symlinks from /usr/local. You can
link the formula again after the install finishes. You can --force this
install, but the build may fail or cause obscure side-effects in the
resulting software.

tflint can't find modules when using terraform 0.10.6

I'm not sure where or how the issue occurred but recently updating to terraform 0.10.6, and using it in conjunction with tflint in our build pipeline has caused our builds to fail. This behavior was not present in 0.10.5 or 0.10.4, so I'm wondering if it has something to do with the registry addition?

Output from 0.10.5:

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # wget https://releases.hashicorp.com/terraform/0.10.5/terraform_0.10.5_linux_amd64.zip
--2017-09-25 16:23:28--  https://releases.hashicorp.com/terraform/0.10.5/terraform_0.10.5_linux_amd64.zip
Resolving releases.hashicorp.com... 151.101.53.183, 2a04:4e42:d::439
Connecting to releases.hashicorp.com|151.101.53.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13480473 (13M) [application/zip]
Saving to: 'terraform_0.10.5_linux_amd64.zip'

terraform_0.10.5_linux_amd64.zip                     100%[====================================================================================================================>]  12.86M  25.5MB/s    in 0.5s

2017-09-25 16:23:29 (25.5 MB/s) - 'terraform_0.10.5_linux_amd64.zip' saved [13480473/13480473]

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # unzip terraform_0.10.5_linux_amd64.zip
Archive:  terraform_0.10.5_linux_amd64.zip
  inflating: terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # ls
Makefile                          backend.tf                        ec2-service-consul.tf             module-concourse-worker.tf        terraform                         variables-account.tf
autoscaling_groups.tf             cloudwatch_alarms.tf              global-provider.tf                module-elasticsearch.tf           terraform_0.10.4_linux_amd64.zip  variables-global.tf
autoscaling_notifications.tf      config.mk                         jenkins-master.tf                 security_groups.tf                terraform_0.10.5_linux_amd64.zip  variables-region.tf
autoscaling_policies.tf           ec2-instances.tf                  launch_configurations.tf          state.tf                          userdata                          variables.tf
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # chmod +x terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # mv terraform /usr/local/bin/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # rm -rf .terraform/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform version
Terraform v0.10.5

Your version of Terraform is out of date! The latest version
is 0.10.6. You can update by downloading from www.terraform.io
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform init
Downloading modules...
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "consul" (0.1.0)...
- Downloading plugin for provider "vault" (0.1.0)...
- Downloading plugin for provider "terraform" (1.0.0)...
- Downloading plugin for provider "aws" (0.1.4)...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform validate
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # tflint
Awesome! Your code is following the best practices :)

And from 0.10.6:

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # wget https://releases.hashicorp.com/terraform/0.10.6/terraform_0.10.6_linux_amd64.zip
--2017-09-25 16:24:38--  https://releases.hashicorp.com/terraform/0.10.6/terraform_0.10.6_linux_amd64.zip
Resolving releases.hashicorp.com... 151.101.53.183, 2a04:4e42:d::439
Connecting to releases.hashicorp.com|151.101.53.183|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 13482562 (13M) [application/zip]
Saving to: 'terraform_0.10.6_linux_amd64.zip'

terraform_0.10.6_linux_amd64.zip                     100%[====================================================================================================================>]  12.86M  29.2MB/s    in 0.4s

2017-09-25 16:24:38 (29.2 MB/s) - 'terraform_0.10.6_linux_amd64.zip' saved [13482562/13482562]

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # unzip terraform_0.10.6_linux_amd64.zip
Archive:  terraform_0.10.6_linux_amd64.zip
  inflating: terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # chmod +x terraform
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # mv terraform /usr/local/bin/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # rm -rf .terraform/
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform version
Terraform v0.10.6

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform init
Downloading modules...
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
Get: file:///tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...
- Checking for available provider plugins on https://releases.hashicorp.com...
- Downloading plugin for provider "aws" (0.1.4)...
- Downloading plugin for provider "consul" (0.1.0)...
- Downloading plugin for provider "vault" (0.1.0)...
- Downloading plugin for provider "terraform" (1.0.0)...

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # terraform validate
/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # tflint
ERROR: module `../../../../modules/mycompany/service-consul` not found. Did you run `terraform get`?

The modules are definitely present and downloaded:

/tmp/build/d147a603/operations-terraform/config/mycompany/us-west-2/o1 # ls -al .terraform/modules/
total 24
drwxr-xr-x    2 root     root          4096 Sep 25 16:24 .
drwxr-xr-x    4 root     root          4096 Sep 25 16:25 ..
lrwxrwxrwx    1 root     root            71 Sep 25 16:24 2dada97fb16b13c172562f10af0e2c5c -> /tmp/build/d147a603/operations-terraform/modules/mycompany/service-consul
lrwxrwxrwx    1 root     root            78 Sep 25 16:24 4b5207903722440c6caba86b6dcd1edf -> /tmp/build/d147a603/operations-terraform/modules/mycompany/service-elasticsearch
lrwxrwxrwx    1 root     root            73 Sep 25 16:24 54fcf8b4e772f5398245d82180ef8372 -> /tmp/build/d147a603/operations-terraform/modules/mycompany/concourse-worker
lrwxrwxrwx    1 root     root            71 Sep 25 16:24 c3bbf5350eba55d1d9316c839bcf312c -> /tmp/build/d147a603/operations-terraform/modules/mycompany/jenkins-master

tflint --deep issues

I am trying to lint a piece of Terraform I have where I am specifying the AWS region in the provider block like:

provider "aws" {
  region = "us-west-2"
}

When running tflint --deep, I am getting the following error:

ERROR: error occurred in detecting. Please run with --debug option for details.

When running tflint --deep --debug, I am getting the following output:

DEBUG:/loader.go:120 [INFO] Load environment...
DEBUG:/loader.go:128 [ERROR] open .terraform/environment: no such file or directory
DEBUG:/loader.go:131 [INFO] Load tfstate...
DEBUG:/loader.go:145 [INFO] Local state detected
DEBUG:/loader.go:161 [INFO] Load tfvars...
DEBUG:/loader.go:164 [INFO] Load `terraform.tfvars`
DEBUG:/loader.go:166 [ERROR] stat terraform.tfvars: no such file or directory
DEBUG:/loader.go:191 [INFO] Load HCL file: `main.tf`
DEBUG:/loader.go:53 [INFO] Load HCL file: `main.tf`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_type`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_previous_type`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_not_specified_iam_profile`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_default_standard_volume`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_iam_profile`
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_ami`
DEBUG:/aws_instance_invalid_ami.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/aws_instance_invalid_ami.go:48 [ERROR] ERROR: `"${data.aws_ami.ec2_ami.image_id}"` is not evaluable
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_key_name`
DEBUG:/aws_instance_invalid_key_name.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_subnet`
DEBUG:/aws_instance_invalid_subnet.go:31 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:153 [INFO] detect by `aws_instance_invalid_vpc_security_group`
DEBUG:/aws_instance_invalid_vpc_security_group.go:32 [ERROR] MissingRegion: could not find region configuration
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_invalid_subnet`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_alb_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_subnet`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_invalid_instance`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elb_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_default_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_vpc_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_db_subnet_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_option_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_invalid_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_previous_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_readable_password`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_db_instance_duplicate_identifier`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_default_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_parameter_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_subnet_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_security_group`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_invalid_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_previous_type`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_elasticache_cluster_duplicate_id`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_security_group_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_route_table`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_not_specified_target`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_specified_multiple_targets`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_egress_only_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_nat_gateway`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_vpc_peering_connection`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_instance`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_route_invalid_network_interface`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_cloudwatch_metric_alarm_invalid_unit`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `aws_ecs_cluster_duplicate_name`
DEBUG:/detector.go:251 [INFO] targets are not found.
DEBUG:/detector.go:149 [INFO] skip `terraform_module_pinned_source`
ERROR: error occurred in detecting. Please run with --debug option for details.

[Question] Which files produced the lint error?

Running tflint on its own does not give too much feedback at the moment.

$ tflint
1:3: unknown variable accessed: var.aws_allowed_account_ids

I'd like to know more specifically which files were inspected, so I've wrapped this command like so

find . -type f -not \( -path '*/.terraform/*' \) -name '*.tf' -exec \
  /bin/bash -c "echo 'Linting {}' && tflint {} --deep --error-with-issues" \;
Linting ./main.tf
1:3: unknown variable accessed: var.aws_region
Linting ./output.tf
Awesome! Your code is following the best practices :)
Linting ./variables.tf
Awesome! Your code is following the best practices :)

but by linting one file at a time, it has no knowledge of the other files. So, is there a way to add more information about what was linted and which file is causing issues?

False ERROR:3 on instance_type with modules using.

Hello.

I've found false error reporting on instance_type when using modules.
Test repo https://github.com/Nklya/tflint-example

TFLint version 0.3.4

tflint-example $ tflint
./modules/test1/main.tf
NOTICE:1 "iam_instance_profile" is not specified. If you want to change it, you need to recreate instance. (Only less than Terraform 0.8.8)
ERROR:3 "${var.instance_type}" is invalid instance type.
Result: 2 issues (1 errors , 0 warnings , 1 notices)

However, instance_type is correctly set in variables.tf and modules/test1/variables.tf, and terraform successfully applies this configuration.

Command line argument parsing is buggy

Seems that if I give tflint an invalid option such as aws_region, placing it on the tail, the wrong argument is listed as wrong:

$ tflint --debug --deep --aws_region us-east-1
ERROR: `--debug` is unknown options. Please run `tflint --help`

I haven't looked at the code handling this, maybe you meant to list all the command line arguments in that error message?

Lastly, I'll quietly mention that "X is unknown options" isn't quite proper grammar usage.

Utterly minor bug I hate even reporting.

Tflint is detecting errors with respect to references in terraform code

Hi,

I am using your tool for validating our terraform code in ways that cannot be captured by terraform plan, to avoid any issues while running terraform apply. But while using it I am facing some issues in terms of validation. Before jumping into the issues, let me give you the context of our terraform code.

Context:
I am using two types of referencing in my terraform code:

  1. module output referencing [referencing output values from one module in another]
    eg: module.apptier_1_route_table.route_table_id
  2. referencing values from terraform remote state files [I am managing multiple terraform state files and referencing values from these terraform remote state files in other places]
    eg: data.terraform_remote_state.nat_gw.nat_gw_ids_list

Issue:
While validating our terraform code via tflint, it is giving errors with respect to these types of references; a sample of those errors is given below

../../../modules/route_tables/rt_routes/igw/main.tf
ERROR:11 "${data.terraform_remote_state.vpc.vpc_info["main_route_table_id"]}" is invalid route table ID.
ERROR:13 "${data.terraform_remote_state.vpc.vpc_info["igw_id"]}" is invalid internet gateway ID.
../../../modules/route_tables/rt_routes/nat_gw/main.tf
ERROR:11 "${module.apptier_1_route_table.route_table_id}" is invalid route table ID.
ERROR:11 "${module.apptier_2_route_table.route_table_id}" is invalid route table ID.
ERROR:13 "${data.terraform_remote_state.nat_gw.nat_gw_ids_list[0]}" is invalid NAT gateway ID.
ERROR:13 "${data.terraform_remote_state.nat_gw.nat_gw_ids_list[1]}" is invalid NAT gateway ID.


But there is one more catch in this: I am maintaining the terraform code in different directories and running tflint at each location to validate it. The terraform code at all locations contains these references, but tflint is not detecting them as errors at all locations (our terraform code is working fine in terms of provisioning AWS resources with these types of references).

Queries:

  1. How can it happen that tflint is detecting these references as errors at only some locations?
  2. What configuration or parameter should be passed while running tflint so that it ignores these errors (i.e. does not show them)?
  3. How to ignore notices as well?
  4. We only want to get validation errors with respect to actual values, like an AMI id or instance type that is not valid.

Let me know if anything else is required in same from my side.

Thx.

When reading from .aws/credentials file any profile other than default produces error

This is my .tflint.hcl file

config {
  deep_check = true

  aws_credentials = {
    profile = "master"
    region     = "us-east-1"
  }
}

I have no default profile set in .aws/credentials and I have multiple profiles in the file. Any profile other than default produces this error

[ERROR] NoCredentialProviders: no valid providers in chain. Deprecated. 
	For verbose messaging see aws.Config.CredentialsChainVerboseErrors

Terragrunt support

Hi,

This is an awesome wrapper to perform the lint analysis on terraform code. In my case we are using terragrunt wrapper to perform the terraform activities.

We were trying to use tflint for terragrunt but it seems tflint does not support terragrunt semantics. Is it possible to add the support for terragrunt?

It will be a great enhancement.

Thanks,
Sanjiv

Abstract HCL resource access

Introduce schema package. This makes it easier to add new detectors.
This issue is also related to #86, to make it easier to merge resources too.

Program panics on AwsSecurityGroupDuplicateDetector

It seems I made tflint crash with the following code (some pieces redacted):

provider "aws" {
  region = "<redacted a valid region>"
}

variable "vpc_id" {
    type = "string"
    default = "vpc-<redacted a valid vpc id>"
    description = "<redacted a valid description>"
}

# testing security group
resource "aws_security_group" "testing" {
    name        = "testing"
    description = "Testing Security Group"
    vpc_id      = "${var.vpc_id}"

    tags {
        "owner" = "Testing"
    }
}

Here is the tail of the output, let me know if you need more:

DEBUG:/detector.go:143 [INFO] detect by `aws_security_group_duplicate_name`
Panic: runtime error: invalid memory address or nil pointer dereference
 -> 0: main.main.func1: /main.go(17)
 -> 1: runtime.call32: /asm_amd64.s(514)
 -> 2: runtime.gopanic: /panic.go(489)
 -> 3: runtime.panicmem: /panic.go(63)
 -> 4: runtime.sigpanic: /signal_unix.go(290)
 -> 5: github.com/wata727/tflint/detector.(*AwsSecurityGroupDuplicateDetector).PreProcess: /aws_security_group_duplicate_name.go(45)
 -> 6: runtime.call32: /asm_amd64.s(514)
 -> 7: reflect.Value.call: /value.go(434)
 -> 8: reflect.Value.Call: /value.go(302)
 -> 9: github.com/wata727/tflint/detector.(*Detector).detect: /detector.go(181)
 -> 10: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(144)
 -> 11: main.(*CLI).Run: /cli.go(144)
 -> 12: main.main: /main.go(30)
 -> 13: runtime.main: /proc.go(185)
 -> 14: runtime.goexit: /asm_amd64.s(2197)

TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues

Needless to say, this code works fine for plan and apply. Thanks for the awesome project, by the way!

Docker image needs `ca-certificates` for --deep

Hi,

When I run

docker run -it \
	--volume `pwd`:/app \
	--workdir /app/ \
	--env AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
	--env AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
	--env AWS_REGION=eu-west-1 \
	wata727/tflint:0.5.1 --deep --debug --error-with-issues

I get errors such as:

DEBUG:/aws_security_group_duplicate_name.go:33 [ERROR] RequestError: send request failed
caused by: Post https://ec2.eu-west-1.amazonaws.com/: x509: failed to load system roots and no roots provided
DEBUG:/aws_security_group_duplicate_name.go:75 [ERROR] ERROR: `"${aws_vpc.app.id}"` is not evaluable

DEBUG:/aws_ecs_cluster_duplicate_name.go:31 [ERROR] RequestError: send request failed
caused by: Post https://ecs.eu-west-1.amazonaws.com/: x509: failed to load system roots and no roots provided

This also passes and returns 0, when I guess it should fail as there was some form of error?

To fix the x509, just need to add
RUN apk add --no-cache ca-certificates
to the Dockerfile.

I'll quickly get a PR going for this ^^

Custom Modules

I see a way to exclude custom modules, but don't see any documentation on how to add custom modules/validations. I would like to add some custom validations for my custom Terraform provider and resources. Is this possible?

TFLint crashes with "reflect: slice index out of range" when parsing list variables

I have the following variable of type list:

variable "domains" {
    default = []
}

Which makes tflint fail with the following error message (tried with the latest version 0.3.1):

cd tf/staging && ../../tflint --error-with-issues
Panic: reflect: slice index out of range
 -> 0: main.main.func1: /main.go(17)
 -> 1: runtime.call32: /asm_amd64.s(514)
 -> 2: runtime.gopanic: /panic.go(489)
 -> 3: reflect.Value.Index: /value.go(865)
 -> 4: github.com/wata727/tflint/evaluator.parseVariable: /variable.go(137)
 -> 5: github.com/wata727/tflint/evaluator.detectVariables: /variable.go(42)
 -> 6: github.com/wata727/tflint/evaluator.NewEvaluator: /evaluator.go(20)
 -> 7: github.com/wata727/tflint/detector.NewDetector: /detector.go(69)
 -> 8: github.com/wata727/tflint/detector.(*Detector).Detect: /detector.go(152)
 -> 9: main.(*CLI).Run: /cli.go(142)
 -> 10: main.main: /main.go(30)
 -> 11: runtime.main: /proc.go(185)
 -> 12: runtime.goexit: /asm_amd64.s(2197)

TFLint crached... :(
Please attach an output log, describe the situation and version that occurred and post an issue to https://github.com/wata727/tflint/issues

cd tf/staging && ../../tflint --error-with-issues returned exit code 2

I tried adding explicit type = "list" but this doesn't seem to help.

Support for terraform.env variable

terraform.env is not recognised as a valid terraform variable.

$ tflint
1:3: unknown variable accessed: terraform.env
$ tflint -v
TFLint version 0.3.5

Allow setting shared credentials path

It would be extremely useful to be able to set the shared credentials path (the default, and the only one accepted by tflint, is ~/.aws/credentials). In my specific use case, Jenkins has a secret file with AWS credentials that simply can't be at that location, but I do receive an environment variable with its location.

To be clear, it's an option to create another, tflint-specific, secret Jenkins file with the credentials but that would be a duplication effort I'd prefer to avoid.

I've never touched Go, but can probably put together a working pull request for this.

Additionally, is there any reason that the region isn't being parsed out of the credentials file as well? It seems I have to either specify it on command line or via .tflint.hcl.

Thank you!

Recursive mode

Hello,

I'm thinking of working on and submitting a pull request for a feature to recurse into directories, e.g. tflint -r . to visit all of my subdirectories of Terraform recipes and lint each one.

Is that a good feature? Any pros/cons to implementing such a thing?
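A per-directory variant of the find/exec loop from the "Which files produced the lint error?" question above, added here as an example and not taken from tflint itself: it runs one tflint invocation per directory, so main.tf, variables.tf and output.tf in that directory are linted together and cross-file variable references resolve, while still reporting which directory produced issues. TFLINT_BIN is an assumed override hook for exercising the loop without the binary, not a tflint option.

```shell
# Added example (not tflint's own code): lint each directory holding .tf files
# as a unit, instead of one file at a time, so cross-file references resolve.

tf_dirs() {
  # Print every directory under $1 that contains .tf files, once each,
  # skipping the .terraform cache that `terraform init` creates.
  find "${1:-.}" -type f -name '*.tf' -not -path '*/.terraform/*' \
    -exec dirname {} \; | sort -u
}

lint_tree() {
  # Run tflint once per directory; the overall exit status is non-zero if
  # any directory reported issues, which is what a CI job wants to see.
  root=${1:-.}
  bin=${TFLINT_BIN:-tflint}   # assumed override hook, not a tflint option
  status=0
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    printf 'Linting %s\n' "$dir"
    # cd so tflint sees main.tf, variables.tf and output.tf together.
    ( cd "$dir" && "$bin" --error-with-issues ) || status=1
  done <<EOF
$(tf_dirs "$root")
EOF
  return "$status"
}
```

Run as `lint_tree path/to/terraform` (default: the current directory); a directory whose tflint run exits non-zero makes the whole run exit 1.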

How to customize/extend TFLint?

Hello, congratulations for your work, TFLint is a great tool and we use it a lot.

Our DevOps team wants to use TFLint to enforce some internal policies related to internal naming conventions on the resources, require the addition of tags that should always be present (for AWS-related resources), etc. So, we want to extend/customize TFLint (we can write Go code).

Could you please provide me a few "development guidelines" to start my work on that project? I mean, what is the cleanest and easiest way to extend/customize TFLint to add more checks?

Thank you very much in advance!

Best Regards,
Leo

Extend interpolation syntax support

Currently, it supports HCL interpolation syntax, but only variables (e.g. ${var.name}).
By parsing tfstate, it will support resource attributes, built-in functions, etc.

Check for tags rule

Check for AWS resources which are taggable but don't have any tags specified.

A bonus point would be to check for specific tag keys like Name and Team.

Add document link and detector name on output

For example:

Pretty Print

template.tf
        NOTICE:1 "iam_instance_profile" is not specified. If you want to change it, you need to recreate it (aws_instance_not_specified_iam_profile)
        ERROR:3 "t1.2xlarge" is invalid instance type. (aws_instance_invalid_type)

Result: 2 issues  (1 errors , 0 warnings , 1 notices)

JSON

[
  {
    "detector": "aws_instance_not_specified_iam_profile",
    "type": "NOTICE",
    "message": "\"iam_instance_profile\" is not specified. If you want to change it, you need to recreate it ",
    "line": 1,
    "file": "template.tf",
    "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_not_specified_iam_profile.md"
  },
  {
    "detector": "aws_instance_invalid_type",
    "type": "ERROR",
    "message": "\"t1.2xlarge\" is invalid instance type.",
    "line": 3,
    "file": "template.tf",
    "link": "https://github.com/wata727/tflint/blob/master/docs/aws_instance_invalid_type.md"
  }
]

detect `depends_on` needed in SpotFleet

SpotFleet starts and deletes EC2 spot instances using an IAM role associated with an appropriate policy. It cannot delete the instances if the policy association is removed before they are deleted.

do not call API when target resources are not found

Currently, the API is called for any template when deep checking is enabled, even if the target resources are not found. So it takes time to check even a simple template.
First, make sure that the resources are in the template, and do not call the API when the target resources are not found.
