terracop 0.1.0

data/lib/terracop/cop/aws/unrestricted_ingress_ports.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against ingress security group rules that allow any port.
+      # Servers usually run multiple services that might open different ports,
+      # exposing them to a range of vulnerabilities. Only allow the specific
+      # ports you want to receive traffic on, and no more.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     from_port   = 0
+      #     to_port     = 65535
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     from_port   = 443
+      #     to_port     = 443
+      #   }
+      class UnrestrictedIngressPorts < SecurityGroupRuleCop
+        register
+
+        def check
+          return unless ingress? && (tcp? || udp?) && any_port?
+
+          offense('Limit ingress traffic to small port ranges.', :security)
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/wide_egress.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against egress security group rules that allow very wide
+      # address ranges.
+      # This goes hand in hand with OpenEgress, but also warns against blocks
+      # like 10.0.0.0/8.
+      # Always pick the smallest possible choice of sources/destinations.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     cidr_blocks = ["10.0.0.0/8"]
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     cidr_blocks = ["10.4.3.0/24"]
+      #   }
+      #
+      #   # better
+      #   resource "aws_security_group_rule" "egress" {
+      #     type              = "egress"
+      #     security_group_id = aws_security_group.destination.id
+      #   }
+      class WideEgress < SecurityGroupRuleCop
+        register
+
+        MSG = 'Avoid allowing egress traffic from wide address blocks ' \
+              '(%<cidr>s).'
+
+        def check
+          return unless egress?
+
+          attributes['cidr_blocks'].each do |cidr|
+            # Handled by OpenEgress
+            next if cidr == '0.0.0.0/0'
+
+            _, bits = cidr.split('/')
+
+            offense(format(MSG, cidr: cidr), :security) if bits.to_i < 16
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/wide_ingress.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against ingress security group rules that allow very wide
+      # address ranges.
+      # This goes hand in hand with OpenIngress, but also warns against blocks
+      # like 10.0.0.0/8.
+      # Always pick the smallest possible choice of sources/destinations.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     cidr_blocks = ["10.0.0.0/8"]
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     cidr_blocks = ["10.4.3.0/24"]
+      #   }
+      #
+      #   # better
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type              = "ingress"
+      #     security_group_id = aws_security_group.destination.id
+      #   }
+      class WideIngress < SecurityGroupRuleCop
+        register
+
+        MSG = 'Avoid allowing ingress traffic from wide address blocks ' \
+              '(%<cidr>s).'
+
+        def check
+          return unless ingress?
+
+          attributes['cidr_blocks'].each do |cidr|
+            # Handled by OpenIngress
+            next if cidr == '0.0.0.0/0'
+
+            _, bits = cidr.split('/')
+
+            offense(format(MSG, cidr: cidr), :security) if bits.to_i < 16
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/base.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+module Terracop
+  # This namespace holds all the individual Cop (checks).
+  module Cop
+    class << self
+      def all
+        @all ||= []
+      end
+
+      def run_for(type, name, index, attributes)
+        offenses = all.map do |cop|
+          cop.run(type, name, index, attributes)
+        end
+
+        offenses.flatten.compact
+      end
+    end
+
+    # Base class for all cops.
+    class Base
+      attr_accessor :type, :name, :index, :attributes
+
+      class << self
+        def run(type, name, index, attributes)
+          return unless applies_to?(type, name)
+
+          cop = new(type, name, index, attributes)
+          cop.check
+          cop.offenses
+        end
+
+        def cop_name
+          name.gsub(/^Terracop::Cop::/, '').gsub('::', '/')
+        end
+
+        def config
+          config = Terracop.config[cop_name] || {}
+          config['Enabled'] = config['Enabled'].nil? ? true : config['Enabled']
+          config
+        end
+
+        protected
+
+        def register
+          Terracop::Cop.all << self
+        end
+
+        def applies_to(*types)
+          @applies_to ||= []
+          @applies_to += types.map(&:to_s)
+        end
+
+        def applies_to?(type, name)
+          return unless enabled?
+          return unless @applies_to.nil? || @applies_to.include?(type)
+
+          !excludes?(type, name)
+        end
+
+        def enabled?
+          config['Enabled']
+        end
+
+        def excludes?(type, name)
+          excludes = config['Exclude'] || []
+          excludes.each do |rule|
+            return true if ["#{type}.*", "#{type}.#{name}"].include?(rule)
+          end
+
+          false
+        end
+      end
+
+      def initialize(type, name, index, attributes)
+        self.type = type
+        self.name = name
+        self.index = index
+        self.attributes = attributes
+        @offenses = []
+      end
+
+      def human_name
+        index ? "#{name}[#{index}]" : name
+      end
+
+      def check
+        message = "#{self.class.name} does not implement the #check method"
+        raise NotImplementedError, message
+      end
+
+      def offense(message, severity = :convention)
+        @offenses << {
+          cop_name: self.class.cop_name,
+          severity: severity,
+          type: type,
+          name: human_name,
+          message: message
+        }
+      end
+
+      attr_reader :offenses
+    end
+  end
+end

data/lib/terracop/cop/style/dash_in_resource_name.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Style
+      # This cop checks for the use of dashes in terraform resource names.
+      # Terraform uses underscores for resource types and attributes.
+      # Using dashes for resource names makes for awkward combinations.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group" "load-balancer" { }
+      #
+      #   # good
+      #   resource "aws_security_group" "load_balancer" { }
+      #
+      # @note
+      #   When you rename a resource terraform will destroy and recreate it.
+      #   Use `terraform mv` on the state file to avoid this from happening.
+      class DashInResourceName < Base
+        register
+
+        MSG = 'Use underscores in terraform resource names instead of dashes.'
+
+        def check
+          return unless name.index('-')
+
+          offense(MSG)
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/style/resource_type_in_name.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Style
+      # This cop checks terraform resource names that include the type in them.
+      # This makes for very long and redundant names.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group" "load_balancer_security_group" { }
+      #   resource "aws_security_group" "load_balancer_sg" { }
+      #   resource "aws_security_group_rule" "ingress_rule" { }
+      #
+      #   # good
+      #   resource "aws_security_group" "load_balancer" { }
+      #   resource "aws_security_group_rule" "ingress" { }
+      #
+      # @note
+      #   When you rename a resource terraform will destroy and recreate it.
+      #   Use `terraform mv` on the state file to avoid this from happening.
+      class ResourceTypeInName < Base
+        register
+
+        BLACKLIST = {
+          'aws_alb' => %w[alb lb load_balancer],
+          'aws_alb_listener' => %w[listener],
+          'aws_alb_target_group' => %w[tg],
+          'aws_autoscaling_group' => %w[asg],
+          'aws_cloudwatch_metric_alarm' => %w[metric alarm],
+          'aws_iam_instance_profile' => %w[profile],
+          'aws_iam_role' => %w[role],
+          'aws_iam_role_policy' => %w[policy],
+          'aws_route53_record' => %w[record],
+          'aws_security_group' => %w[sg group security_group],
+          'aws_security_group_rule' => %w[rule]
+        }.freeze
+
+        def check
+          blacklist = BLACKLIST[type]
+          blacklist&.each do |word|
+            if name.downcase.gsub('-', '_').include?(word)
+              offense 'Do not include the resource type in its name.'
+              return
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/style/snake_case.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Style
+      # This cop checks terraform resource names that are using CamelCase or
+      # in general, contain capital letters. Terraform prefers snake_case.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group" "LoadBalancer" { }
+      #   resource "aws_security_group" "app_ALB" { }
+      #
+      #   # good
+      #   resource "aws_security_group" "load_balancer" { }
+      #   resource "aws_security_group_rule" "app_alb" { }
+      #
+      # @note
+      #   When you rename a resource terraform will destroy and recreate it.
+      #   Use `terraform mv` on the state file to avoid this from happening.
+      class SnakeCase < Base
+        register
+
+        def check
+          # Allow dashes here as there is another cop to complain about that.
+          return if name =~ /^[\da-z_\-]+$/
+
+          offense 'Use snake_case for resource names.'
+        end
+      end
+    end
+  end
+end

data/lib/terracop/formatters/default.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+require 'colorize'
+
+module Terracop
+  module Formatters
+    # Default CLI-friendly output formatter.
+    class Default
+      def generate(resources)
+        out = []
+        resources.each do |resource, offenses|
+          out << "#{resource.cyan}:"
+
+          offenses.each do |offense|
+            out << "#{offense[:cop_name].yellow}: #{offense[:message]}"
+          end
+
+          out << ''
+        end
+
+        out.join("\n")
+      end
+    end
+  end
+end

data/lib/terracop/formatters/html.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'erb'
+
+module Terracop
+  module Formatters
+    # Generates a single page HTML report listing all the offenses.
+    # Ideal for human readable reports.
+    class Html
+      def generate(resources)
+        template = ERB.new(File.read(File.join(__dir__, './report.html.erb')))
+        template.result(binding)
+      end
+    end
+  end
+end

data/lib/terracop/formatters/json.rb

@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Terracop
+  module Formatters
+    # Generates a JSON document listing all the offenses.
+    # Ideal to generate ouputs to be digested by other tools in a CI pipeline.
+    class Json
+      def generate(resources)
+        {
+          metadata: meta,
+          resources: build_resources(resources),
+          summary: {
+            offense_count: resources.values.map(&:count).sum,
+            resource_count: resources.count
+          }
+        }.to_json
+      end
+
+      private
+
+      def meta
+        {
+          terracop_version: Terracop::VERSION,
+          ruby_engine: RUBY_ENGINE,
+          ruby_version: RUBY_ENGINE_VERSION,
+          ruby_patchlevel: RUBY_PATCHLEVEL,
+          ruby_platform: RUBY_PLATFORM
+        }
+      end
+
+      def build_resources(resources)
+        resources.map do |resource, offenses|
+          {
+            resource: resource,
+            offsenses: build_offenses(offenses)
+          }
+        end
+      end
+
+      def build_offenses(offenses)
+        offenses.map do |offense|
+          {
+            severity: offense[:severity],
+            cop_name: offense[:cop_name],
+            message: offense[:message]
+          }
+        end
+      end
+    end
+  end
+end