Add "expr" type as a schema type

Author: wata727

integration/expr_without_eval/.tflint.hcl

@@ -0,0 +1,9 @@
+plugin "terraform" {
+  enabled = false
+}
+
+plugin "opa" {
+  enabled = true
+
+  policy_dir = "policies"
+}

integration/expr_without_eval/main.tf

@@ -0,0 +1,27 @@
+resource "aws_instance" "valid" {
+  ami = get_ami_id("service1", "v1")
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+
+resource "aws_instance" "invalid" {
+  ami = get_ami_id("service1", "v0.9")
+
+  lifecycle {
+    ignore_changes = [ami]
+  }
+}
+
+module "valid" {
+  providers = {
+    aws = aws.usw1
+  }
+}
+
+module "invalid" {
+  providers = {
+    aws = aws.usw2
+  }
+}

integration/expr_without_eval/policies/main.rego

@@ -0,0 +1,58 @@
+package tflint
+
+import rego.v1
+
+deny_require_lifecycle_ignore_tags contains issue if {
+  res := terraform.resources("*",{"lifecycle": {"ignore_changes": "expr"}},{"expand_mode": "none"})[_]
+  not has_tags_ignore(res)
+
+  issue := tflint.issue(
+    sprintf("Resource %s.%s must have lifecycle.ignore_changes include \"tags\"", [res.type, res.name]),
+    res.decl_range
+  )
+}
+
+# helper succeeds only if there's a lifecycle.ignore_changes list and one of its elements == "tags"
+has_tags_ignore(res) if {
+  lifeblock := res.config.lifecycle[_]
+
+  ic := lifeblock.config.ignore_changes
+print(hcl.expr_list(ic))
+  some i
+  hcl.expr_list(ic)[i].value == "tags"
+}
+
+deny_deprecated_regions contains issue if {
+  call := terraform.module_calls({"providers": "expr"}, {})[_]
+  has_deprecated_region(call)
+
+  issue := tflint.issue(
+    "deprecated region reference found",
+    call.config.providers.range,
+  )
+}
+
+has_deprecated_region(call) if {
+  providers := call.config.providers
+
+  some i
+  hcl.expr_map(providers)[i].value.value == "aws.usw2"
+}
+
+deny_deprecated_ami_version contains issue if {
+  instance := terraform.resources("aws_instance", {"ami": "expr"}, {})[_]
+  is_function_call_with_deprecated_version(instance)
+
+  issue := tflint.issue(
+    "get_ami_id function should be called with v1",
+    instance.decl_range
+  )
+}
+
+is_function_call_with_deprecated_version(instance) if {
+  ami := instance.config.ami
+
+  call := hcl.expr_call(ami)
+  call.name == "get_ami_id"
+  call.arguments[1].value != `"v1"`
+}

integration/expr_without_eval/policies/main_test.rego

@@ -0,0 +1,122 @@
+package tflint
+
+import rego.v1
+
+invalid_resources(type, schema, options) := terraform.mock_resources(type, schema, options, {
+  "main.tf": `
+resource "aws_instance" "invalid" {
+  ami = get_ami_id("service1", "v0.9")
+
+  lifecycle {
+    ignore_changes = [ami]
+  }
+}
+`,
+})
+
+valid_resources(type, schema, options) := terraform.mock_resources(type, schema, options, {
+  "main.tf": `
+resource "aws_instance" "valid" {
+  ami = get_ami_id("service1", "v1")
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
+}
+`,
+})
+
+test_wrong_ignore_passed if {
+  issues := deny_require_lifecycle_ignore_tags with terraform.resources as invalid_resources
+
+  count(issues) == 1
+  issues[_].msg == "Resource aws_instance.invalid must have lifecycle.ignore_changes include \"tags\""
+}
+
+test_wrong_ignore_failed if {
+  issues := deny_require_lifecycle_ignore_tags with terraform.resources as invalid_resources
+
+  count(issues) == 0
+}
+
+test_correct_ignore_passed if {
+  issues := deny_require_lifecycle_ignore_tags with terraform.resources as valid_resources
+
+  count(issues) == 0
+}
+
+test_correct_ignore_failed if {
+  issues := deny_require_lifecycle_ignore_tags with terraform.resources as valid_resources
+
+  count(issues) == 1
+}
+
+test_wrong_ami_passed if {
+  issues := deny_deprecated_ami_version with terraform.resources as invalid_resources
+
+  count(issues) == 1
+  issues[_].msg == "get_ami_id function should be called with v1"
+}
+
+test_wrong_ami_failed if {
+  issues := deny_deprecated_ami_version with terraform.resources as invalid_resources
+
+  count(issues) == 0
+}
+
+test_correct_ami_passed if {
+  issues := deny_deprecated_ami_version with terraform.resources as valid_resources
+
+  count(issues) == 0
+}
+
+test_correct_ami_failed if {
+  issues := deny_deprecated_ami_version with terraform.resources as valid_resources
+
+  count(issues) == 1
+}
+
+invalid_calls(schema, options) := terraform.mock_module_calls(schema, options, {
+  "main.tf": `
+module "invalid" {
+  providers = {
+    aws = aws.usw2
+  }
+}
+`,
+})
+
+valid_calls(schema, options) := terraform.mock_module_calls(schema, options, {
+  "main.tf": `
+module "valid" {
+  providers = {
+    aws = aws.usw1
+  }
+}
+`,
+})
+
+test_wrong_region_passed if {
+  issues := deny_deprecated_regions with terraform.module_calls as invalid_calls
+
+  count(issues) == 1
+  issues[_].msg == "deprecated region reference found"
+}
+
+test_wrong_region_failed if {
+  issues := deny_deprecated_regions with terraform.module_calls as invalid_calls
+
+  count(issues) == 0
+}
+
+test_correct_region_passed if {
+  issues := deny_deprecated_regions with terraform.module_calls as valid_calls
+
+  count(issues) == 0
+}
+
+test_correct_region_failed if {
+  issues := deny_deprecated_regions with terraform.module_calls as valid_calls
+
+  count(issues) == 1
+}

integration/expr_without_eval/result.json

@@ -0,0 +1,65 @@
+{
+  "issues": [
+    {
+      "rule": {
+        "name": "opa_deny_require_lifecycle_ignore_tags",
+        "severity": "error",
+        "link": "policies/main.rego:5"
+      },
+      "message": "Resource aws_instance.invalid must have lifecycle.ignore_changes include \"tags\"",
+      "range": {
+        "filename": "main.tf",
+        "start": {
+          "line": 9,
+          "column": 1
+        },
+        "end": {
+          "line": 9,
+          "column": 34
+        }
+      },
+      "callers": []
+    },
+    {
+      "rule": {
+        "name": "opa_deny_deprecated_ami_version",
+        "severity": "error",
+        "link": "policies/main.rego:42"
+      },
+      "message": "get_ami_id function should be called with v1",
+      "range": {
+        "filename": "main.tf",
+        "start": {
+          "line": 9,
+          "column": 1
+        },
+        "end": {
+          "line": 9,
+          "column": 34
+        }
+      },
+      "callers": []
+    },
+    {
+      "rule": {
+        "name": "opa_deny_deprecated_regions",
+        "severity": "error",
+        "link": "policies/main.rego:25"
+      },
+      "message": "deprecated region reference found",
+      "range": {
+        "filename": "main.tf",
+        "start": {
+          "line": 24,
+          "column": 15
+        },
+        "end": {
+          "line": 26,
+          "column": 4
+        }
+      },
+      "callers": []
+    }
+  ],
+  "errors": []
+}