terracop 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f057dfe056a3c276f9f3376612f36a92e6c4b7e0bf38a9a720240d63325f60b1
-  data.tar.gz: 10f2142bf9bd9d9bca724e4f24a94fca78b11cb796a90663a7399ffa32d5939a
+  metadata.gz: 5fb344f85daa3aa3f6d3c3c4f0d436c0b4c0d4211e4fbc6ff3b19f44e1ea1148
+  data.tar.gz: 2bbff8adc3eeeedf696296e9ce90c4cbebe2ced06c781fe703f14477f8a58f93
 SHA512:
-  metadata.gz: cf20e57e9125a9a03a296537e2b69e09e721872a4fb4ab54cd75e638f98f1d5a4c027bb054e9a30d066722e90abb9c98009dc7d597ce011fb60b64e31fd2914a
-  data.tar.gz: aa5804ad797a3bfa980c8ca28085540f20dfdd52e9f1389e4ea98f75b38a6c6619e0280b13481b590631a447648bc7f674576642b31d0e4e05a1a83cea1aeb8f
+  metadata.gz: 9b695431e3b74dd944dc60f5df9fb70ac88c9884c2a51397ef1ad59539359efabdfdd767302faf2be925d31e61cc2540558deea6e5870029287a424fc7607ac7
+  data.tar.gz: a5b1ef53d62e241551a38aaab925df92c3811355fd42a66075e56247d78c43f3162b356a06125b8d03a176538d1ba270cc652a4c3715f9837e0cb56b645b1e3f

data/.rubocop.yml

@@ -12,3 +12,11 @@ Style/AsciiComments:
 
 RSpec/NestedGroups:
   Max: 7
+
+Style/GuardClause:
+  # Usually good, sometimes dumb.
+  Enabled: false
+
+RSpec/SubjectStub:
+  # Sometimes, there's no other way.
+  Enabled: false

data/CHANGELOG.md

@@ -4,7 +4,26 @@ All notable changes to this project will be documented in this file.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## 0.1.0
+## 0.2.0 (2019-12-28)
+
+- New cops:
+  - Aws/BadPasswordPolicy
+  - Aws/EnsurePropagatedTags
+  - Aws/FaultIntolerant
+  - Aws/IamInlinePolicy
+  - Aws/IamPolicyAttachment
+  - Aws/PreferLaunchTemplates
+- Deprecated cop: IamRolePolicy.
+- Improve test coverage.
+- Improve Aws/EnsureTags to handle weird resources.
+- Ignore deletions when analyzing plans.
+
+## 0.1.1 (2019-12-22)
+
+- Exit with failure when offenses are found.
+- Add `terracop` executable.
+
+## 0.1.0 (2019-12-22)
 
 - Initial release.
 - Can load Terraform 0.12 state and plan files.

data/README.md

@@ -1,8 +1,9 @@
 # Terracop
 
-Terracop is a HashiCorp [Terraform](https://www.terraform.io/) state / plan
-parser and analyzer. Put it in a CI pipeline to analyze your Terraform plans
-or run it on already applied states and see what could be improved.
+Terracop is an opinionated HashiCorp [Terraform](https://www.terraform.io/)
+state / plan parser and analyzer. Put it in a CI pipeline to analyze your
+Terraform plans or run it on already applied states and see what could be
+improved.
 
 The checks run by Terracop go anywhere from resource names guidelines to
 identifying security holes in your configuration.
@@ -33,8 +34,8 @@ like this:
 
     $ terracop --state path/to/state/file
 
-Terracop can (will) parse also terraform plan files, in order to report
-potential issues before you apply the plan and make the problem permanent. Eg:
+Terracop can also parse terraform plan files, in order to report potential
+issues before you apply the plan and persist the problem. Eg:
 
     $ terraform plan -out tfplan
     $ terracop --plan tfplan

data/lib/terracop.rb

@@ -3,12 +3,17 @@
 require 'json'
 require 'yaml'
 
+require 'terracop/cop/aws/bad_password_policy'
 require 'terracop/cop/aws/describe_security_group_rules'
+require 'terracop/cop/aws/ensure_propagated_tags'
 require 'terracop/cop/aws/ensure_tags'
-require 'terracop/cop/aws/iam_role_policy'
+require 'terracop/cop/aws/fault_intolerant'
+require 'terracop/cop/aws/iam_inline_policy'
+require 'terracop/cop/aws/iam_policy_attachment'
 require 'terracop/cop/aws/open_egress'
 require 'terracop/cop/aws/open_ingress'
 require 'terracop/cop/aws/open_ssh'
+require 'terracop/cop/aws/prefer_launch_templates'
 require 'terracop/cop/aws/unrestricted_egress_ports'
 require 'terracop/cop/aws/unrestricted_ingress_ports'
 require 'terracop/cop/aws/wide_egress'

data/lib/terracop/cop/aws/bad_password_policy.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against a password policy that goes against industry
+      # best practices. Ideally the password policy should be strict enough
+      # to require the use of a password manager, and never expire passwords.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_iam_account_password_policy" "policy" {
+      #     minimum_password_length        = 4
+      #     require_lowercase_characters   = true
+      #     require_numbers                = true
+      #     allow_users_to_change_password = false
+      #     max_password_age               = 7
+      #   }
+      #
+      #   # good
+      #   resource "aws_iam_account_password_policy" "policy" {
+      #     minimum_password_length        = 20
+      #     require_lowercase_characters   = true
+      #     require_uppercase_characters   = true
+      #     require_numbers                = true
+      #     require_symbols                = true
+      #     allow_users_to_change_password = true
+      #   }
+      class BadPasswordPolicy < Base
+        register
+        applies_to :aws_iam_account_password_policy
+
+        def check
+          check_length
+          check_characters
+          check_age
+        end
+
+        def check_length
+          length = attributes['minimum_password_length']
+          if length && length < 14
+            offense('Set the minimum password length policy to at least 14.')
+          end
+        end
+
+        def check_characters
+          if !attributes['require_uppercase_characters'] ||
+             !attributes['require_lowercase_characters']
+            offense('Require both lowercase and uppercase characters.')
+          end
+
+          unless attributes['require_numbers']
+            offense('Require numbers in passwords.')
+          end
+
+          unless attributes['require_symbols']
+            offense('Require symbols in passwords.')
+          end
+        end
+
+        def check_age
+          age = attributes['max_password_age']
+          if age && age < 90
+            offense('Expiring passwords is discouraged. If you really have ' \
+                    'to, do not do it more than once every 3 months.')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/ensure_propagated_tags.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop makes sure that EC2 instances launched by Autoscaling Groups
+      # also have tags. It is configured like the Aws/EnsureTags cop.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_asg" "asg" {
+      #     tag {
+      #       key = "Name"
+      #       value = "asg"
+      #       propagate_at_launch = false
+      #     }
+      #   }
+      #
+      #   # good
+      #   resource "aws_asg" "asg" {
+      #     tag {
+      #       key = "Name"
+      #       value = "asg"
+      #       propagate_at_launch = true
+      #     }
+      #   }
+      class EnsurePropagatedTags < Base
+        register
+        applies_to :aws_autoscaling_group
+
+        def check
+          if self.class.config['Required']
+            check_required(propagated_tags, self.class.config['Required'])
+          elsif propagated_tags.empty?
+            offense 'The EC2 instances launched by this Autoscaling group ' \
+                    'will not have any tags.'
+          end
+        end
+
+        private
+
+        def propagated_tags
+          tags = attributes['tags'] || attributes['tag']
+          tags.select { |t| t['propagate_at_launch'] }
+        end
+
+        def check_required(tags, required_tags)
+          required_tags.each do |key|
+            unless tags.find { |t| t['key'] == key }
+              offense "Required tag \"#{key}\" is not propagated to EC2 " \
+                      'instances launched by this Autoscaling Group.'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/ensure_tags.rb

@@ -27,24 +27,42 @@ module Terracop
         register
 
         def check
-          return unless attributes['tags']
+          tags = tags_for(attributes)
+          return unless tags
 
           if self.class.config['Required']
-            check_required(self.class.config['Required'])
-          elsif attributes['tags'].empty?
+            check_required(tags, self.class.config['Required'])
+          elsif tags.empty?
             offense 'Tag resources properly.'
           end
         end
 
         private
 
-        def check_required(required_tags)
+        def check_required(tags, required_tags)
           required_tags.each do |key|
-            unless attributes['tags'][key]
+            unless tag(tags, key)
               offense "Required tag \"#{key}\" is missing on this resource."
             end
           end
         end
+
+        def tags_for(attributes)
+          case type
+          when 'aws_autoscaling_group'
+            attributes['tags'] || attributes['tag']
+          else
+            attributes['tags']
+          end
+        end
+
+        def tag(list, name)
+          if list.is_a?(Hash)
+            list[name]
+          else
+            list.find { |tag| tag['key'] == name }
+          end
+        end
       end
     end
   end

data/lib/terracop/cop/aws/fault_intolerant.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop checks for Autoscaling Groups that can only launch instances
+      # in a specific Availability Zone. This creates an availability risk,
+      # as if that AZ is lost, the ASG will not be able to launch instances
+      # anywhere else.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_autoscaling_group" "asg" {
+      #     vpc_zone_identifier = ["subnet-123"]
+      #   }
+      #
+      #   # good
+      #   resource "aws_autoscaling_group" "asg" {
+      #     # Note that to pass this cop, the two subnets must live in
+      #     # different AZs.
+      #     vpc_zone_identifier = ["subnet-123", "subnet-456"]
+      #   }
+      class FaultIntolerant < Base
+        register
+        applies_to :aws_autoscaling_group
+
+        MSG = 'This Autoscaling Group can launch instances in only one AZ ' \
+              '(%<az>s). This setup would not tolerate the loss of that AZ.'
+
+        def check
+          return unless attributes['availability_zones'].count < 2
+
+          offense(format(MSG, az: attributes['availability_zones'][0]))
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/{iam_role_policy.rb → iam_inline_policy.rb}

@@ -5,7 +5,7 @@ require 'terracop/cop/base'
 module Terracop
   module Cop
     module Aws
-      # This cop warns against the use of inline role policies.
+      # This cop warns against the use of inline group/role/user policies.
       # Inline policies tend to be copy/pasted, sometimes with minor changes
       # and are not shown in the "Policies" tab of AWS IAM.
       #
@@ -33,13 +33,15 @@ module Terracop
       #     role       = aws_iam_role.role.name
       #     policy_arn = aws_iam_policy.policy.arn
       #   }
-      class IamRolePolicy < Base
+      class IamInlinePolicy < Base
         register
-        applies_to :aws_iam_role_policy
+        applies_to :aws_iam_group_policy, :aws_iam_role_policy,
+                   :aws_iam_user_policy
 
         def check
-          offense('Use aws_iam_role_policy_attachment instead of attaching ' \
-                  'inline policies with aws_iam_role_policy.')
+          entity = type.scan(/aws_iam_(.+)_policy/).first.first
+          offense("Use aws_iam_#{entity}_policy_attachment instead of " \
+                  "attaching inline policies with aws_iam_#{entity}_policy.")
         end
       end
     end

data/lib/terracop/cop/aws/iam_policy_attachment.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against the use of an evil all encompassing
+      # aws_iam_policy_attachment.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_iam_policy_attachment" "attach" {
+      #     name       = "test-attachment"
+      #     policy_arn = aws_iam_policy.policy.arn
+      #     users      = [aws_iam_user.user.name]
+      #     roles      = [aws_iam_role.role.name]
+      #     groups     = [aws_iam_group.group.name]
+      #   }
+      #
+      #   # good
+      #   resource "aws_iam_role_policy_attachment" "attach" {
+      #     role       = aws_iam_role.role.name
+      #     policy_arn = aws_iam_policy.policy.arn
+      #   }
+      #
+      #   resource "aws_iam_user_policy_attachment" "attach" {
+      #     user       = aws_iam_user.user.name
+      #     policy_arn = aws_iam_policy.policy.arn
+      #   }
+      #
+      #   resource "aws_iam_group_policy_attachment" "attach" {
+      #     group      = aws_iam_group.user.name
+      #     policy_arn = aws_iam_policy.policy.arn
+      #   }
+      class IamPolicyAttachment < Base
+        register
+        applies_to :iam_policy_attachment
+
+        def check
+          offense('Use aws_iam_role_policy_attachment, ' \
+                  'aws_iam_user_policy_attachment, or ' \
+                  'aws_iam_group_policy_attachment instead.')
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/prefer_launch_templates.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against an ingress rule from 0.0.0.0/0 on port 22 (SSH).
+      # That is a Very Bad Idea™.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_launch_configuration" "lc" {}
+      #
+      #   resource "aws_autoscaling_group" "asg" {
+      #     launch_configuration = aws_launch_configuration.lc.name
+      #   }
+      #
+      #   # good
+      #   resource "aws_launch_template" "tpl" {}
+      #
+      #   resource "aws_autoscaling_group" "asg" {
+      #     launch_template {
+      #       id      = aws_launch_template.tpl.id
+      #       version = "$Latest"
+      #     }
+      #   }
+      class PreferLaunchTemplates < SecurityGroupRuleCop
+        register
+        applies_to :aws_launch_configuration, :aws_autoscaling_group
+
+        def check
+          if type == 'aws_launch_configuration' ||
+             attributes['launch_configuration']
+            offense('Prefer Launch Templates to Launch Configurations.')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/plan_loader.rb

@@ -9,7 +9,8 @@ module Terracop
         plan = decode(file)
 
         changed_resources = plan['resource_changes'].reject! do |resource|
-          resource['change']['actions'] == ['no-op']
+          resource['change']['actions'] == ['no-op'] ||
+            resource['change']['actions'] == ['delete']
         end
 
         restruct_resources(changed_resources)
@@ -17,12 +18,14 @@ module Terracop
 
       private
 
+      # :nocov:
       def decode(file)
         JSON.parse(`terraform show -json #{file}`)
       rescue JSON::ParserError
         puts 'Terraform failed to decode the plan file.'
         exit
       end
+      # :nocov:
 
       def restruct_resources(resources)
         resources.map do |resource|

data/lib/terracop/runner.rb

@@ -3,50 +3,59 @@
 module Terracop
   # Executes Terracop on a given state file.
   class Runner
-    attr_accessor :state
-
     def initialize(type, file, formatter)
       @formatter = Formatters.const_get(formatter.to_s.capitalize).new
 
-      if file
-        load_state_from_file(type, file)
-      else
-        load_state_from_terraform
-      end
+      @type = type
+      @file = file
     end
 
     def run
-      offenses = @state.map do |instance|
+      offenses = state.map do |instance|
         Terracop::Cop.run_for(
           instance[:type], instance[:name],
           instance[:index], instance[:attributes]
         )
       end
 
-      by_res = offenses.flatten.group_by { |o| "#{o[:type]}.#{o[:name]}" }
-      print @formatter.generate(by_res)
+      print formatted(offenses)
 
       offenses.flatten.count
     end
 
+    def state
+      @state ||= begin
+        if @file
+          load_state_from_file(@type, @file)
+        else
+          load_state_from_terraform
+        end
+      end
+    end
+
     private
 
     def load_state_from_file(type, file)
-      @state = if type == :plan
-                 PlanLoader.load(file)
-               else
-                 StateLoader.load(file)
-               end
+      if type == :plan
+        PlanLoader.load(file)
+      else
+        StateLoader.load(file)
+      end
     end
 
     # :nocov:
     def load_state_from_terraform
-      @state = StateLoader.load_from_text(`terraform state pull`)
+      StateLoader.load_from_text(`terraform state pull`)
     rescue JSON::ParserError
       puts 'Run terracop somewhere with a state file or pass it directly ' \
            'with --state FILE'
       exit
     end
     # :nocov:
+
+    def formatted(offenses)
+      by_res = offenses.flatten.group_by { |o| "#{o[:type]}.#{o[:name]}" }
+      @formatter.generate(by_res)
+    end
   end
 end

data/lib/terracop/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Terracop
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: terracop
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Francesco Boffa
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-12-22 00:00:00.000000000 Z
+date: 2019-12-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -148,12 +148,17 @@ files:
 - default_config.yml
 - exe/terracop
 - lib/terracop.rb
+- lib/terracop/cop/aws/bad_password_policy.rb
 - lib/terracop/cop/aws/describe_security_group_rules.rb
+- lib/terracop/cop/aws/ensure_propagated_tags.rb
 - lib/terracop/cop/aws/ensure_tags.rb
-- lib/terracop/cop/aws/iam_role_policy.rb
+- lib/terracop/cop/aws/fault_intolerant.rb
+- lib/terracop/cop/aws/iam_inline_policy.rb
+- lib/terracop/cop/aws/iam_policy_attachment.rb
 - lib/terracop/cop/aws/open_egress.rb
 - lib/terracop/cop/aws/open_ingress.rb
 - lib/terracop/cop/aws/open_ssh.rb
+- lib/terracop/cop/aws/prefer_launch_templates.rb
 - lib/terracop/cop/aws/security_group_rule_cop.rb
 - lib/terracop/cop/aws/unrestricted_egress_ports.rb
 - lib/terracop/cop/aws/unrestricted_ingress_ports.rb
@@ -194,7 +199,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.6
+rubygems_version: 3.1.2
 signing_key: 
 specification_version: 4
 summary: Automatic Terraform state/plan checking tool