terracop 0.1.0

data/lib/terracop/formatters/report.html.erb

@@ -0,0 +1,289 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset='UTF-8' />
+    <title>Terracop Inspection Report</title>
+    <style>
+    * {
+    -webkit-box-sizing: border-box;
+    -moz-box-sizing: border-box;
+    box-sizing: border-box;
+    }
+
+    body, html {
+    font-size: 62.5%;
+    }
+    body {
+    background-color: #ecedf0;
+    font-family: "Helvetica Neue",Helvetica,Arial,sans-serif;
+    margin: 0;
+    }
+    code {
+    font-family: Consolas, "Liberation Mono", Menlo, Courier, monospace;
+    font-size: 85%;
+    }
+    #header {
+    background: #f9f9f9;
+    color: #333;
+    border-bottom: 3px solid #ccc;
+    height: 50px;
+    padding: 0;
+    }
+    #header .logo {
+    float: left;
+    margin: 5px 12px 7px 20px;
+    width: 38px;
+    height: 38px;
+    }
+    #header .title {
+    display: inline-block;
+    float: left;
+    height: 50px;
+    font-size: 2.4rem;
+    letter-spacing: normal;
+    line-height: 50px;
+    margin: 0;
+    }
+
+    .information, #offenses {
+    width: 100%;
+    padding: 20px;
+    color: #333;
+    }
+    #offenses {
+    padding: 0 20px;
+    }
+
+    .information .infobox {
+    border-left: 3px solid;
+    border-radius: 4px;
+    background-color: #fff;
+    -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
+    box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
+    padding: 15px;
+    border-color: #0088cc;
+    font-size: 1.4rem;
+    }
+    .information .infobox .info-title {
+    font-size: 1.8rem;
+    line-height: 2.2rem;
+    margin: 0 0 0.5em;
+    }
+    .information .offenses-list li {
+    line-height: 1.8rem
+    }
+    .information .offenses-list {
+    padding-left: 20px;
+    margin-bottom: 0;
+    }
+
+    #offenses .offense-box {
+    border-radius: 4px;
+    margin-bottom: 20px;
+    background-color: #fff;
+    -webkit-box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
+    box-shadow: 0 1px 1px rgba(0, 0, 0, 0.05);
+    }
+    .fixed .box-title {
+    position: fixed;
+    top: 0;
+    z-index: 10;
+    width: 100%;
+    }
+    .box-title-placeholder {
+    display: none;
+    }
+    .fixed .box-title-placeholder {
+    display: block;
+    }
+    #offenses .offense-box .box-title h3, #offenses .offense-box .box-title-placeholder h3 {
+    color: #33353f;
+    background-color: #f6f6f6;
+    font-size: 2rem;
+    line-height: 2rem;
+    display: block;
+    padding: 15px;
+    border-radius: 5px;
+    margin: 0;
+    }
+    #offenses .offense-box .offense-reports  {
+    padding: 0 15px;
+    }
+    #offenses .offense-box .offense-reports .report {
+    border-bottom: 1px dotted #ddd;
+    padding: 15px 0px;
+    position: relative;
+    font-size: 1.3rem;
+    }
+    #offenses .offense-box .offense-reports .report:last-child {
+    border-bottom: none;
+    }
+    #offenses .offense-box .offense-reports .report pre code {
+    display: block;
+    background: #000;
+    color: #fff;
+    padding: 10px 15px;
+    border-radius: 5px;
+    line-height: 1.6rem;
+    }
+    #offenses .offense-box .offense-reports .report .location {
+    font-weight: bold;
+    }
+    #offenses .offense-box .offense-reports .report .message code {
+    padding: 0.3em;
+    background-color: rgba(0,0,0,0.07);
+    border-radius: 3px;
+    }
+    .severity {
+    text-transform: capitalize;
+    font-weight: bold;
+    }
+    .highlight {
+    padding: 2px;
+    border-radius: 2px;
+    font-weight: bold;
+    }
+
+    .severity.refactor {
+    color: rgba(237, 156, 40, 1.0);
+    }
+    .highlight.refactor {
+    background-color: rgba(237, 156, 40, 0.6);
+    border: 1px solid rgba(237, 156, 40, 0.4);
+    }
+
+    .severity.convention {
+    color: rgba(237, 156, 40, 1.0);
+    }
+    .severity.security {
+      color: red;
+    }
+    .highlight.convention {
+    background-color: rgba(237, 156, 40, 0.6);
+    border: 1px solid rgba(237, 156, 40, 0.4);
+    }
+
+    .severity.warning {
+    color: rgba(150, 40, 239, 1.0);
+    }
+    .highlight.warning {
+    background-color: rgba(150, 40, 239, 0.6);
+    border: 1px solid rgba(150, 40, 239, 0.4);
+    }
+
+    .severity.error {
+    color: rgba(210, 50, 45, 1.0);
+    }
+    .highlight.error {
+    background-color: rgba(210, 50, 45, 0.6);
+    border: 1px solid rgba(210, 50, 45, 0.4);
+    }
+
+    .severity.fatal {
+    color: rgba(210, 50, 45, 1.0);
+    }
+    .highlight.fatal {
+    background-color: rgba(210, 50, 45, 0.6);
+    border: 1px solid rgba(210, 50, 45, 0.4);
+    }
+
+    footer {
+    margin-bottom: 20px;
+    margin-right: 20px;
+    font-size: 1.3rem;
+    color: #777;
+    text-align: right;
+    }
+    .extra-code {
+      color: #ED9C28
+    }
+    </style>
+
+    <script>
+    (function() {
+      // floating headers. requires classList support.
+      if (!('classList' in document.createElement("_"))) return;
+
+      var loaded = false,
+        boxes,
+        boxPositions;
+
+      window.onload = function() {
+        var scrollY = window.scrollY;
+        boxes = document.querySelectorAll('.offense-box');
+        boxPositions = [];
+        for (var i = 0; i < boxes.length; i++)
+          // need to add scrollY because the page might be somewhere other than the top when loaded.
+          boxPositions[i] = boxes[i].getBoundingClientRect().top + scrollY;
+        loaded = true;
+      };
+
+      window.onscroll = function() {
+        if (!loaded) return;
+        var i,
+          idx,
+          scrollY = window.scrollY;
+        for (i = 0; i < boxPositions.length; i++) {
+          if (scrollY <= boxPositions[i] - 1) {
+            idx = i;
+            break;
+          }
+        }
+        if (typeof idx == 'undefined') idx = boxes.length;
+        if (idx > 0)
+          boxes[idx - 1].classList.add('fixed');
+        for (i = 0; i < boxes.length; i++) {
+          if (i < idx) continue;
+          boxes[i].classList.remove('fixed');
+        }
+      };
+    })();
+    </script>
+  </head>
+  <body>
+    <div id="header">
+      <h1 class="title">TerraCop Inspection Report</h1>
+    </div>
+    <div class="information">
+      <div class="infobox">
+        <div class="total">
+          <%= resources.count %> resources inspected,
+          <%= resources.values.map(&:count).sum %> offenses detected:
+        </div>
+        <ul class="offenses-list">
+          <% resources.each do |resource, offenses| %>
+            <li>
+              <a href="#<%= resource %>">
+                <%= resource %> - <%= offenses.count %> offenses
+              </a>
+            </li>
+          <% end %>
+        </ul>
+      </div>
+    </div>
+
+    <div id="offenses">
+      <% resources.each do |resource, offenses| %>
+        <div class="offense-box" id="<%= resource %>">
+          <div class="box-title-placeholder"><h3>&nbsp;</h3></div>
+          <div class="box-title"><h3><%= resource %> - <%= offenses.count %> offenses</h3></div>
+          <div class="offense-reports">
+            <% offenses.each do |offense| %>
+              <div class="report">
+                <div class="meta">
+                  <span class="severity <%= offense[:severity] %>"><%= offense[:severity] %>:</span>
+                  <span class="message"><b><%= offense[:cop_name] %></b>: <%= offense[:message] %></span>
+                </div>
+              </div>
+            <% end %>
+          </div>
+        </div>
+      <% end %>
+    </div>
+
+    <footer>
+      Generated by <a href="https://github.com/aomega08/terracop">TerraCop</a>
+      <span class="version"><%= Terracop::VERSION %></span>
+    </footer>
+  </body>
+</html>

data/lib/terracop/plan_loader.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Terracop
+  # Loads a Terraform plan file and transforms it into a Terracop-friendly list
+  # of instances.
+  class PlanLoader
+    class << self
+      def load(file)
+        plan = decode(file)
+
+        changed_resources = plan['resource_changes'].reject! do |resource|
+          resource['change']['actions'] == ['no-op']
+        end
+
+        restruct_resources(changed_resources)
+      end
+
+      private
+
+      def decode(file)
+        JSON.parse(`terraform show -json #{file}`)
+      rescue JSON::ParserError
+        puts 'Terraform failed to decode the plan file.'
+        exit
+      end
+
+      def restruct_resources(resources)
+        resources.map do |resource|
+          {
+            type: resource['type'],
+            name: resource['name'],
+            index: resource['index'],
+            attributes: resource['change']['after']
+          }
+        end
+      end
+    end
+  end
+end

data/lib/terracop/runner.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+module Terracop
+  # Executes Terracop on a given state file.
+  class Runner
+    attr_accessor :state
+
+    def initialize(type, file, formatter)
+      @formatter = Formatters.const_get(formatter.to_s.capitalize).new
+
+      if file
+        load_state_from_file(type, file)
+      else
+        load_state_from_terraform
+      end
+    end
+
+    def run
+      offenses = @state.map do |instance|
+        Terracop::Cop.run_for(
+          instance[:type], instance[:name],
+          instance[:index], instance[:attributes]
+        )
+      end
+
+      by_res = offenses.flatten.group_by { |o| "#{o[:type]}.#{o[:name]}" }
+      print @formatter.generate(by_res)
+    end
+
+    private
+
+    def load_state_from_file(type, file)
+      @state = if type == :plan
+                 PlanLoader.load(file)
+               else
+                 StateLoader.load(file)
+               end
+    end
+
+    # :nocov:
+    def load_state_from_terraform
+      @state = StateLoader.load_from_text(`terraform state pull`)
+    rescue JSON::ParserError
+      puts 'Run terracop somewhere with a state file or pass it directly ' \
+           'with --state FILE'
+      exit
+    end
+    # :nocov:
+  end
+end

data/lib/terracop/state_loader.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module Terracop
+  # Loads a Terraform state file and transforms it into a Terracop-friendly list
+  # of instances.
+  class StateLoader
+    class << self
+      def load(file)
+        state = File.read(file)
+        load_from_text(state)
+      end
+
+      def load_from_text(text)
+        state = JSON.parse(text)
+
+        managed_resources = state['resources'].select do |resource|
+          resource['mode'] == 'managed'
+        end
+
+        flatten_instances(managed_resources)
+      end
+
+      private
+
+      def flatten_instances(resources)
+        resources.map do |resource|
+          resource['instances'].map do |instance|
+            {
+              type: resource['type'],
+              name: resource['name'],
+              index: instance['index_key'],
+              attributes: instance['attributes']
+            }
+          end
+        end.flatten
+      end
+    end
+  end
+end

data/lib/terracop/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Terracop
+  VERSION = '0.1.0'
+end

data/lib/terracop.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'yaml'
+
+require 'terracop/cop/aws/describe_security_group_rules'
+require 'terracop/cop/aws/ensure_tags'
+require 'terracop/cop/aws/iam_role_policy'
+require 'terracop/cop/aws/open_egress'
+require 'terracop/cop/aws/open_ingress'
+require 'terracop/cop/aws/open_ssh'
+require 'terracop/cop/aws/unrestricted_egress_ports'
+require 'terracop/cop/aws/unrestricted_ingress_ports'
+require 'terracop/cop/aws/wide_egress'
+require 'terracop/cop/aws/wide_ingress'
+
+require 'terracop/cop/style/dash_in_resource_name'
+require 'terracop/cop/style/resource_type_in_name'
+require 'terracop/cop/style/snake_case'
+
+require 'terracop/formatters/default'
+require 'terracop/formatters/html'
+require 'terracop/formatters/json'
+
+require 'terracop/plan_loader'
+require 'terracop/runner'
+require 'terracop/state_loader'
+require 'terracop/version'
+
+# Wrapper module for the gem.
+module Terracop
+  class Error < StandardError; end
+
+  class << self
+    def config
+      @config ||= begin
+        defaults_path = File.join(__dir__, '../default_config.yml')
+        overrides_path = '.terracop.yml'
+
+        config = YAML.safe_load(File.read(defaults_path)) || {}
+        if File.exist?(overrides_path)
+          config.merge!(YAML.safe_load(File.read(overrides_path)) || {})
+        end
+
+        config
+      end
+    end
+  end
+end

data/terracop.gemspec

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+lib = File.expand_path('lib', __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'terracop/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'terracop'
+  spec.version       = Terracop::VERSION
+  spec.authors       = ['Francesco Boffa']
+  spec.email         = ['fra.boffa@gmail.com']
+  spec.license       = 'MIT'
+
+  spec.summary       = 'Automatic Terraform state/plan checking tool'
+  spec.description   = <<-DESCRIPTION
+    Automatic Terraform state/plan checking tool.
+    Aims to enforce best practices for Terraform and "the cloud".
+  DESCRIPTION
+
+  spec.homepage = 'https://github.com/aomega08/terracop'
+
+  spec.metadata['homepage_uri'] = spec.homepage
+  spec.metadata['source_code_uri'] = spec.homepage
+  spec.metadata['changelog_uri'] = "#{spec.homepage}/blob/master/CHANGELOG.md"
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`
+      .split("\x0")
+      .reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+
+  spec.bindir        = 'exe'
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 2.0'
+  spec.add_development_dependency 'byebug', '~> 11.0'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+  spec.add_development_dependency 'rubocop', '~> 0.78'
+  spec.add_development_dependency 'rubocop-rspec', '~> 1.37'
+  spec.add_development_dependency 'simplecov', '~> 0.10'
+
+  spec.add_dependency 'colorize', '~> 0.8'
+end