From 1feeb4a15a5744306f618159630187e3a224f69f Mon Sep 17 00:00:00 2001 From: Ben Doerr Date: Thu, 7 Dec 2023 19:21:17 -0500 Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20(security):=20Appli?= =?UTF-8?q?es=20best=20practices=20from=20StepSecurity?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .deepsource.toml | 13 ++ .github/dependabot.yml | 1 - .github/workflows/codeql.yml | 82 +++++++++++ .github/workflows/dependency-review.yml | 27 ++++ .github/workflows/lint.yml | 174 ++++++++++++++++++++++++ .github/workflows/scorecard.yml | 78 +++++++++++ .github/workflows/test.yml | 27 +++- .gitignore | 6 + .markdownlint.yml | 4 + .pre-commit-config.yaml | 55 ++++++++ .trivyignore | 1 + LICENSE.txt | 2 +- SECURITY.md | 16 +++ aws-dynamodb.tf | 7 +- aws-iam.tf | 43 +++++- aws-s3.tf | 7 +- examples/complete/complete.tfvars | 4 +- examples/complete/ctx.tf | 2 +- examples/complete/provider.tf | 4 +- examples/complete/tfstate_complete.tf | 4 +- examples/complete/variables.tf | 44 +++--- test/examples_complete_test.go | 13 -- test/go.mod | 2 +- test/go.sum | 7 + test/osv-scanner.toml | 3 + trivy.yaml | 6 + variables.tf | 16 ++- versions.tf | 2 +- 28 files changed, 587 insertions(+), 63 deletions(-) create mode 100644 .deepsource.toml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/lint.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 .gitignore create mode 100644 .markdownlint.yml create mode 100644 .pre-commit-config.yaml create mode 100644 .trivyignore create mode 100644 SECURITY.md create mode 100644 test/osv-scanner.toml create mode 100644 trivy.yaml diff --git a/.deepsource.toml b/.deepsource.toml new file mode 100644 index 0000000..7a71a22 --- /dev/null +++ b/.deepsource.toml 
@@ -0,0 +1,13 @@ +version = 1 + +[[analyzers]] +name = "secrets" + +[[analyzers]] +name = "terraform" + +[[analyzers]] +name = "go" + + [analyzers.meta] + import_root = "github.com/bendoerr-terraform-modules/terraform-aws-tfstate/test" diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 5b6cf7c..69cc2fc 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -38,4 +38,3 @@ updates: - "patch" commit-message: prefix: "⬆️ (deps-ghaction):" - diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..999924e --- /dev/null +++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,82 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: ["main"] + pull_request: + # The branches below must be a subset of the branches above + branches: ["main"] + schedule: + - cron: "0 0 * * 1" + +permissions: + contents: read + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["go"] + # CodeQL supports [ $supported-codeql-languages ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21.4" + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
+ # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + + # ℹ️ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 0000000..bd14f1a --- /dev/null +++ b/.github/workflows/dependency-review.yml 
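Review bot: Every Harden Runner step in this commit uses `egress-policy: audit`, which only records outbound connections and blocks nothing; the same setting is in dependency-review.yml, lint.yml, scorecard.yml and test.yml. Audit mode is the right first step for learning which endpoints a job needs, but the protection the action is meant to provide only arrives once the policy moves to `egress-policy: block` with an `allowed-endpoints:` list built from the audit runs. A short comment on the step would keep that migration from being forgotten, e.g. `# audit mode for now; switch to block once the endpoint list is known`. Note also that the Go module lives under `test/` (see the diffstat), so whether CodeQL's autobuild at the repository root finds it is worth confirming on the first run.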
@@ -0,0 +1,27 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: "Dependency Review" +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout Repository" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: "Dependency Review" + uses: actions/dependency-review-action@01bc87099ba56df1e897b6874784491ea6309bc4 # v3.1.4 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..3e48345 --- /dev/null +++ b/.github/workflows/lint.yml 
@@ -0,0 +1,174 @@ +name: Lint + +on: + push: + branches: [main] + pull_request: + branches: [main] + types: [opened, synchronize, reopened] + +permissions: + contents: read + +jobs: + tflint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: tflint + uses: reviewdog/action-tflint@d39483f7058c6772a9641473d4d3b5c372a3a10d # v1.20.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + tflint_init: true + flags: --no-module --recursive + trivy: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: trivy + uses: reviewdog/action-trivy@8cfa1fa3912d9e5aebeff91118c0cd212edaf612 # main + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + golangci-lint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: golangci-lint + uses: reviewdog/action-golangci-lint@94d61e3205b61acf4ddabfeb13c5f8a13eb4167b # v2.5.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + workdir: test/ + go_version_file: test/go.mod + golangci_lint_flags: --verbose --presets + bugs,comment,complexity,error,format,import,metalinter,module,performance,style,unused + --fast 
--exclude-use-default --tests --timeout 120s ./... + prettier: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: create package.json + run: | + echo -e '{"devDependencies": {"prettier": "^3.1.0"}}' > package.json + - name: prettier + uses: EPMatt/reviewdog-action-prettier@93fb51ed5da157256e1d8c998fb249837304050c # v1.2.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + misspell: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: misspell + uses: reviewdog/action-misspell@cc799b020b057600b66eedf2b6e97ca26137de21 # v1.14.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + exclude: | + ./.git/* + ./.cache/* + alex: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: alex + uses: reviewdog/action-alex@83d6502258513773127065a4d8d53c2c84697579 # v1.7.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + alex_flags: | + * .github/* .github/workflows/* docs/* test/* examples/complete/* + markdownlint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: 
step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: markdownlint + uses: reviewdog/action-markdownlint@6e02140816b5fcc7295ea7ae2a664af18190ff29 # v0.14.0 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file + markdownlint_flags: | + --disable MD033 MD013 -- . + actionlint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: actionlint + uses: reviewdog/action-actionlint@82693e9e3b239f213108d6e412506f8b54003586 # v1.39.1 + with: + github_token: ${{ github.token }} + reporter: github-pr-review + fail_on_error: "false" + filter_mode: file diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..645b2a1 --- /dev/null +++ b/.github/workflows/scorecard.yml 
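Review bot: `fail_on_error: "false"` on the trivy job means a vulnerability or misconfiguration finding posts a review comment but never fails the check, so nothing in this workflow can block a merge; the same value is set on every other job in the file. That is reasonable for the style linters, but for trivy (and arguably actionlint) consider `fail_on_error: "true"` so security findings actually gate the pull request. Separately, the `github-pr-review` reporter needs a token that can write to the PR; on pull requests from forks `github.token` is read-only, so those runs will likely fail to post, which deserves a comment in the file if fork contributions are expected.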
@@ -0,0 +1,78 @@ +# This workflow uses actions that are not certified by GitHub. They are provided +# by a third-party and are governed by separate terms of service, privacy +# policy, and support documentation. + +name: Scorecard supply-chain security +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: "16 12 * * 0" + push: + branches: ["main"] + workflow_dispatch: + +# Declare default permissions as read only. +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + # Uncomment the permissions below if installing in a private repository. + # contents: read + # actions: read + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: + # - you want to enable the Branch-Protection check on a *public* repository, or + # - you are installing Scorecard on a *private* repository + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. 
+ # repo_token: ${{ secrets.SCORECARD_TOKEN }} + + # Public repositories: + # - Publish results to OpenSSF REST API for easy access by consumers + # - Allows the repository to include the Scorecard badge. + # - See https://github.com/ossf/scorecard-action#publishing-results. + # For private repositories: + # - `publish_results` will always be set to `false`, regardless + # of the value entered here. + publish_results: true + + # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF + # format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8 + with: + sarif_file: results.sarif diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eb204de..247376f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -1,21 +1,34 @@ -name: Pull Request +name: Test on: push: - branches: [ main ] + branches: [main] pull_request: - branches: [ main ] - types: [ opened, synchronize, reopened, closed, labeled, unlabeled ] + branches: [main] + types: [opened, synchronize, reopened] + +permissions: + contents: read jobs: terratest: runs-on: ubuntu-latest steps: - - uses: webfactory/ssh-agent@v0.8.0 + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "1.21.4" + + - uses: webfactory/ssh-agent@d4b9b8ff72958532804b70bbe600ad43b36d5f2e # v0.8.0 with: ssh-private-key: | ${{ secrets.ORG_ACCESS_SSH_KEY }} - - name: Run Terratest - uses: cloudposse/github-action-terratest@main + + - name: terratest + uses: cloudposse/github-action-terratest@bcc438f66e180dcaafcacdf8644967dea9eaf7d2 # main with: sourceDir: test env: diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..8820953 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +.terraform +terraform.tfstate +terraform.tfstate.backup +terraform.tfstate.*.backup +.pre-commit-trivy-cache +.infracost diff --git a/.markdownlint.yml b/.markdownlint.yml new file mode 100644 index 0000000..6a1fdf3 --- /dev/null +++ b/.markdownlint.yml @@ -0,0 +1,4 @@ +default: true +MD033: false +MD013: false +MD041: false diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..173cdff --- /dev/null +++ b/.pre-commit-config.yaml 
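Review bot: The Go toolchain version is now pinned in three places with nothing keeping them aligned: `go-version: "1.21.4"` here, the same literal in codeql.yml, and `go 1.21.4` in test/go.mod. `actions/setup-go` can read the module file directly, so `go-version-file: test/go.mod` in both workflows leaves go.mod as the single source of truth and the next bump touches one file. The rest of the terratest job, including its `env:` block, continues outside the hunk.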
@@ -0,0 +1,55 @@ +repos: + - repo: https://github.com/gitleaks/gitleaks + rev: v8.18.1 + hooks: + - id: gitleaks + + - repo: https://github.com/gruntwork-io/pre-commit + rev: v0.1.23 + hooks: + - id: terraform-fmt + - id: terraform-validate + - id: shellcheck + + - repo: https://github.com/mxab/pre-commit-trivy.git + rev: v0.9.0 + hooks: + - id: trivyfs-docker + args: ["."] + - id: trivyconfig-docker + args: ["."] + + - repo: https://github.com/pre-commit/mirrors-prettier + rev: "v3.1.0" + hooks: + - id: prettier + exclude_types: + - markdown + - id: prettier + name: prettier markdown + types: + - markdown + args: ["--prose-wrap", "always"] + + - repo: https://github.com/golangci/golangci-lint + rev: v1.55.2 + hooks: + - id: golangci-lint-full + entry: bash -c 'cd test && golangci-lint run --fix' + + - repo: https://github.com/igorshubovych/markdownlint-cli + rev: v0.37.0 + hooks: + - id: markdownlint-fix-docker + + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.5.0 + hooks: + - id: check-json + - id: check-toml + - id: check-yaml + - id: end-of-file-fixer + - id: trailing-whitespace + - id: check-added-large-files + - id: check-case-conflict + - id: check-executables-have-shebangs diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..ae9b640 --- /dev/null +++ b/.trivyignore @@ -0,0 +1 @@ +AVD-AWS-0089 diff --git a/LICENSE.txt b/LICENSE.txt index cdad9f2..c4e2932 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. \ No newline at end of file +SOFTWARE. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..853f833 --- /dev/null +++ b/SECURITY.md 
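Review bot: `AVD-AWS-0089` is suppressed in .trivyignore with no reason recorded, whereas the sibling test/osv-scanner.toml does give a `reason` for its ignore; the tfsec suppressions added in aws-iam.tf (`# tfsec:ignore:aws-iam-no-policy-wildcards`) and aws-s3.tf (`# tfsec:ignore:aws-s3-enable-bucket-logging`) have the same gap. An unexplained ignore tends to outlive the condition that justified it. Trivy accepts `#` comment lines in .trivyignore, so a line such as `# AVD-AWS-0089: <why this finding does not apply to this module>` above the id would do, and a similar one-sentence comment above each tfsec ignore, as the commit already does for the DynamoDB recovery suppression in aws-dynamodb.tf.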
@@ -0,0 +1,16 @@ +# Security Policy + +## Supported Versions + +Only the latest tagged version is supported. + +## Reporting a Vulnerability + +To report a security issue, please email with a +description of the issue, or alternatively use GitHub's +[Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). +functionality. Include the steps you took to create the issue, affected +versions, and, if known, mitigations for the issue. Our vulnerability management +team will respond within 3 working days of your email. If the issue is confirmed +as a vulnerability, we will open a Security Advisory. This project follows a 90 +day disclosure timeline. diff --git a/aws-dynamodb.tf b/aws-dynamodb.tf index 00d351a..c1c6253 100644 --- a/aws-dynamodb.tf +++ b/aws-dynamodb.tf @@ -5,6 +5,8 @@ module "label_locks" { name = "locks" } +# Point in time recovery is not needed. +#tfsec:ignore:aws-dynamodb-enable-recovery resource "aws_dynamodb_table" "locks" { name = module.label_locks.id tags = module.label_locks.tags @@ -23,6 +25,7 @@ resource "aws_dynamodb_table" "locks" { } server_side_encryption { - enabled = true + enabled = true + kms_key_arn = var.dynamodb_kms_key_arn } -} \ No newline at end of file +} diff --git a/aws-iam.tf b/aws-iam.tf index fdeec8b..63b1265 100644 --- a/aws-iam.tf +++ b/aws-iam.tf 
@@ -17,10 +17,29 @@ data "aws_iam_policy_document" "dynamodb_rw" {
 }
 }
+data "aws_iam_policy_document" "dynamodb_rw_enc" {
+ count = var.dynamodb_kms_key_arn != null ? 1 : 0
+ statement {
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ ]
+ resources = [var.dynamodb_kms_key_arn]
+ }
+}
+
+data "aws_iam_policy_document" "dynamodb_rw_combined" {
+ source_policy_documents = concat(
+ [data.aws_iam_policy_document.dynamodb_rw.json],
+ var.dynamodb_kms_key_arn != null ? [data.aws_iam_policy_document.dynamodb_rw_enc[0].json] : []
+ )
+}
+
 resource "aws_iam_policy" "state_dynamodb_rw" {
 name = module.label_dynamodb_rw.id
 tags = module.label_dynamodb_rw.tags
- policy = data.aws_iam_policy_document.dynamodb_rw.json
+ policy = data.aws_iam_policy_document.dynamodb_rw_combined.json
 }
 module "label_s3_rw" {
@@ -30,6 +49,7 @@ module "label_s3_rw" {
 name = "s3-rw"
 }
+# tfsec:ignore:aws-iam-no-policy-wildcards
 data "aws_iam_policy_document" "s3_rw" {
 statement {
 effect = "Allow"
@@ -48,8 +68,27 @@ data "aws_iam_policy_document" "s3_rw" {
 }
 }
+data "aws_iam_policy_document" "s3_rw_enc" {
+ count = var.s3_kms_key_arn != null ? 1 : 0
+ statement {
+ effect = "Allow"
+ actions = [
+ "kms:Encrypt",
+ "kms:Decrypt",
+ ]
+ resources = [var.s3_kms_key_arn]
+ }
+}
+
+data "aws_iam_policy_document" "s3_rw_combined" {
+ source_policy_documents = concat(
+ [data.aws_iam_policy_document.s3_rw.json],
+ var.dynamodb_kms_key_arn != null ? [data.aws_iam_policy_document.s3_rw_enc[0].json] : []
+ )
+}
+
 resource "aws_iam_policy" "s3_rw" {
 name = module.label_s3_rw.id
 tags = module.label_s3_rw.tags
 policy = data.aws_iam_policy_document.s3_rw.json
-}
\ No newline at end of file
+}
diff --git a/aws-s3.tf b/aws-s3.tf
index 7555fb3..db8d617 100644
--- a/aws-s3.tf
+++ b/aws-s3.tf
@@ -5,6 +5,7 @@ module "label_store" {
 name = "store"
 }
+# tfsec:ignore:aws-s3-enable-bucket-logging
 module "store" {
 source = "terraform-aws-modules/s3-bucket/aws"
 version = "3.15.1"
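Review bot: `s3_rw_combined` gates the S3 KMS statement on the wrong variable: `var.dynamodb_kms_key_arn != null ? [data.aws_iam_policy_document.s3_rw_enc[0].json] : []` should test `var.s3_kms_key_arn`, because `s3_rw_enc` is only created when that one is set (`count = var.s3_kms_key_arn != null ? 1 : 0`). With only `s3_kms_key_arn` set the policy silently omits the KMS grant, and with only `dynamodb_kms_key_arn` set the expression indexes `s3_rw_enc[0]` on an empty list and the plan fails; PATCH 2/3 wires `s3_rw_combined` into the policy but keeps this condition, so the fix is `var.s3_kms_key_arn != null ? [data.aws_iam_policy_document.s3_rw_enc[0].json] : []`. While here, `kms:Encrypt`/`kms:Decrypt` alone are probably not enough for SSE-KMS writes — S3 uploads with a customer-managed key need `kms:GenerateDataKey` as well — so confirm the action list for both `_enc` statements against what the bucket and table actually require.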
@@ -23,13 +24,9 @@ module "store" { server_side_encryption_configuration = { rule = { apply_server_side_encryption_by_default = { - kms_master_key_id = data.aws_kms_alias.s3.arn + kms_master_key_id = var.s3_kms_key_arn sse_algorithm = "aws:kms" } } } } - -data "aws_kms_alias" "s3" { - name = "alias/aws/s3" -} \ No newline at end of file diff --git a/examples/complete/complete.tfvars b/examples/complete/complete.tfvars index 558c962..f3f56fe 100644 --- a/examples/complete/complete.tfvars +++ b/examples/complete/complete.tfvars @@ -7,9 +7,9 @@ region_short = "uw2" instance = "demo" instance_short = "dmo" project = "test" -attributes = [ +attributes = [ "attr1" ] tags = { ExtraTag = "ExtraTagValue" -} \ No newline at end of file +} diff --git a/examples/complete/ctx.tf b/examples/complete/ctx.tf index 4d228bb..183a668 100644 --- a/examples/complete/ctx.tf +++ b/examples/complete/ctx.tf @@ -11,4 +11,4 @@ module "context" { project = var.project attributes = var.attributes tags = var.tags -} \ No newline at end of file +} diff --git a/examples/complete/provider.tf b/examples/complete/provider.tf index 24dc22c..d508966 100644 --- a/examples/complete/provider.tf +++ b/examples/complete/provider.tf @@ -1,4 +1,4 @@ # AWS Provider Configuration provider "aws" { - region = var.region -} \ No newline at end of file + region = var.region +} diff --git a/examples/complete/tfstate_complete.tf b/examples/complete/tfstate_complete.tf index 97105ee..394d4ef 100644 --- a/examples/complete/tfstate_complete.tf +++ b/examples/complete/tfstate_complete.tf @@ -1,4 +1,4 @@ module "tfstate" { - source = "../.." + source = "../.." context = module.context.shared -} \ No newline at end of file +} diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf index 20bab7b..dc03d57 100644 --- a/examples/complete/variables.tf +++ b/examples/complete/variables.tf 
@@ -1,5 +1,5 @@ variable "namespace" { - type = string + type = string description = <<-EOT Element to ensure resources are generated with names that are globally unique and do not collide. This should be a short key such as initials. @@ -7,8 +7,8 @@ variable "namespace" { } variable "environment" { - type = string - default = "" + type = string + default = "" description = <<-EOT Element to identify the region and/or the role. If not provided this element defaults to -(-). @@ -16,8 +16,8 @@ variable "environment" { } variable "role" { - type = string - default = "" + type = string + default = "" description = <<-EOT A simple name for the hosting provider account or workspace. Included in tags to ensure that identification is simple across accounts. Examples @@ -26,8 +26,8 @@ variable "role" { } variable "role_short" { - type = string - default = "" + type = string + default = "" description = <<-EOT Shortened version of the 'role'. Automatic shortening is done by removal of vowels unless handled by special @@ -36,16 +36,16 @@ variable "role_short" { } variable "region" { - type = string - default = "" + type = string + default = "" description = <<-EOT Key for the hosting provider region. EOT } variable "region_short" { - type = string - default = "" + type = string + default = "" description = <<-EOT Shortened version of the 'region'. Automatic shortening is done by removal of vowels unless handled by special @@ -54,8 +54,8 @@ variable "region_short" { } variable "instance" { - type = string - default = "" + type = string + default = "" description = <<-EOT Element to identify a tenant or copy of an environment (blue-green deployments). This is not used often. @@ -63,8 +63,8 @@ variable "instance" { } variable "instance_short" { - type = string - default = "" + type = string + default = "" description = <<-EOT Shortened version of the 'instance'. Automatic shortening is done by removal of vowels. 
@@ -72,14 +72,14 @@ variable "instance_short" { } variable "attributes" { - type = list(string) - default = [] + type = list(string) + default = [] description = "Additional id elements that would be appended." } variable "tags" { - type = map(string) - default = {} + type = map(string) + default = {} description = "Additional tags to include." } @@ -103,7 +103,7 @@ variable "context" { } variable "project" { - type = string - default = "" + type = string + default = "" description = "Name of the project or application, this can override the context's project" -} \ No newline at end of file +} diff --git a/test/examples_complete_test.go b/test/examples_complete_test.go index 30ed448..20fb2de 100644 --- a/test/examples_complete_test.go +++ b/test/examples_complete_test.go @@ -2,11 +2,9 @@ package test import ( "context" - "fmt" "github.com/aws/aws-sdk-go-v2/config" "github.com/gruntwork-io/terratest/modules/terraform" test_structure "github.com/gruntwork-io/terratest/modules/test-structure" - "github.com/kr/pretty" "testing" ) @@ -41,14 +39,3 @@ func TestDefaults(t *testing.T) { t.Fatal(err) } } - -func makediff(want interface{}, got interface{}) string { - s := fmt.Sprintf("\nwant: %# v", pretty.Formatter(want)) - s = fmt.Sprintf("%s\ngot: %# v", s, pretty.Formatter(got)) - diffs := pretty.Diff(want, got) - s = fmt.Sprintf("%s\ndifferences: ", s) - for _, d := range diffs { - s = fmt.Sprintf("%s\n - %s", s, d) - } - return s -} diff --git a/test/go.mod b/test/go.mod index d0bf29b..f42604c 100644 --- a/test/go.mod +++ b/test/go.mod @@ -1,6 +1,6 @@ module github.com/bendoerr-terraform-modules/terraform-aws-tfstate/test -go 1.20 +go 1.21.4 require ( github.com/aws/aws-sdk-go-v2/config v1.25.5 diff --git a/test/go.sum b/test/go.sum index af4e2fd..6e6004b 100644 --- a/test/go.sum +++ b/test/go.sum 
@@ -116,6 +116,7 @@ cloud.google.com/go/language v1.6.0/go.mod h1:6dJ8t3B+lUYfStgls25GusK04NLh3eDLQn cloud.google.com/go/lifesciences v0.5.0/go.mod h1:3oIKy8ycWGPUyZDR/8RNnTOYevhaMLqh5vLUXs9zvT8= cloud.google.com/go/lifesciences v0.6.0/go.mod h1:ddj6tSX/7BOnhxCSd3ZcETvtNr8NZ6t/iPhY2Tyfu08= cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM= +cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo= cloud.google.com/go/mediatranslation v0.5.0/go.mod h1:jGPUhGTybqsPQn91pNXw0xVHfuJ3leR1wj37oU3y1f4= cloud.google.com/go/mediatranslation v0.6.0/go.mod h1:hHdBCTYNigsBxshbznuIMFNe5QXEowAuNmmC7h8pu5w= cloud.google.com/go/memcache v1.4.0/go.mod h1:rTOfiGZtJX1AaFUrOgsMHX5kAzaTQ8azHiuDoTPzNsE= @@ -198,6 +199,7 @@ github.com/apparentlymart/go-textseg v1.0.0/go.mod h1:z96Txxhf3xSFMPmb5X/1W05FF/ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6iT90AvPUL1NNfNw= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/aws/aws-sdk-go v1.44.122/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.45.2 h1:hTong9YUklQKqzrGk3WnKABReb5R8GjbG4Y6dEQfjnk= github.com/aws/aws-sdk-go v1.45.2/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= 
@@ -289,6 +291,7 @@ github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+ github.com/go-sql-driver/mysql v1.7.1 h1:lUIinVbN1DY0xBg0eMOzmmtGoHwWBbvnWubQUrtU8EI= github.com/go-sql-driver/mysql v1.7.1/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.7 h1:/VSMRlnY/JSyqxQUzQLKVMAskpY/NZKFA5j2P+0pP2M= github.com/go-test/deep v1.0.7/go.mod h1:QV8Hv/iy04NyLBxAdO9njL0iVPN1S4d/A3NVv1V36o8= @@ -359,6 +362,7 @@ github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0= github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= +github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -484,7 +488,9 @@ github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjY github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= +github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= @@ -836,6 +842,7 @@ golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y= +golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml new file mode 100644 index 0000000..f14d33b --- /dev/null +++ b/test/osv-scanner.toml @@ -0,0 +1,3 @@ +[[IgnoredVulns]] +id = "GO-2022-0646" +reason = "does not use the the V1 EncryptionClient of aws-sdk-go" 
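Review bot: The new `IgnoredVulns` entry in test/osv-scanner.toml suppresses GO-2022-0646 with no expiry, so the exclusion will silently outlive its justification once aws-sdk-go is upgraded or the test code starts touching the encryption client. osv-scanner accepts an `ignoreUntil` date on the same table; I'd add `ignoreUntil = <review-date placeholder>` so the suppression is re-evaluated on a schedule rather than forgotten. The reason string also has a duplicated word and should read `reason = "does not use the V1 EncryptionClient of aws-sdk-go"`.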
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..e29acb6
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,6 @@
+scan:
+ skip-dirs:
+ - ./.terraform
+ - ./.infracost
+ - ./examples/complete/.terraform
+ - ./examples/complete/.infracost
diff --git a/variables.tf b/variables.tf
index b6883fa..38ff333 100644
--- a/variables.tf
+++ b/variables.tf
@@ -14,4 +14,18 @@ variable "context" {
 tags = map(string)
 })
 description = "Shared Context from Ben's terraform-null-context"
-}
\ No newline at end of file
+}
+
+variable "dynamodb_kms_key_arn" {
+ type = string
+ default = null
+ description = "TODO"
+ nullable = true
+}
+
+variable "s3_kms_key_arn" {
+ type = string
+ default = null
+ description = "TODO"
+ nullable = true
+}
diff --git a/versions.tf b/versions.tf
index 6f1b5e0..5db35af 100644
--- a/versions.tf
+++ b/versions.tf
@@ -6,4 +6,4 @@ terraform {
 version = "~> 5.0"
 }
 }
-}
\ No newline at end of file
+}

From 52c8e96ad69414b866d24cd209945bd2d66d3fe4 Mon Sep 17 00:00:00 2001
From: Ben Doerr
Date: Thu, 7 Dec 2023 19:26:37 -0500
Subject: [PATCH 2/3] =?UTF-8?q?=E2=9C=8F=EF=B8=8F=20Fix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 aws-iam.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/aws-iam.tf b/aws-iam.tf
index 63b1265..6441ce6 100644
--- a/aws-iam.tf
+++ b/aws-iam.tf
@@ -90,5 +90,5 @@ data "aws_iam_policy_document" "s3_rw_combined" {
 resource "aws_iam_policy" "s3_rw" {
 name = module.label_s3_rw.id
 tags = module.label_s3_rw.tags
- policy = data.aws_iam_policy_document.s3_rw.json
+ policy = data.aws_iam_policy_document.s3_rw_combined.json
 }

From 76b9bb2258e867926b2522b6a79a832255b6c110 Mon Sep 17 00:00:00 2001
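Review bot: Both new variables in the variables.tf hunk ship with `description = "TODO"`, so module consumers and generated docs get no statement of what `dynamodb_kms_key_arn` and `s3_kms_key_arn` control or what happens when they stay `null`. From the names these presumably select a customer-managed KMS key for the state bucket and lock table, with a null default falling back to whatever aws-s3.tf and aws-dynamodb.tf do without one (those files are not in this hunk, so confirm before wording it); the description should say that explicitly, e.g. `description = "ARN of a customer-managed KMS key for encrypting the DynamoDB lock table; when null the module's default encryption applies"` and the S3 equivalent. A `validation` block checking the `arn:` prefix would surface a mistyped key ARN at plan time instead of at apply, and `nullable = true` is already Terraform's default, so it can be dropped from both blocks.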
From: Ben Doerr
Date: Thu, 7 Dec 2023 19:34:10 -0500
Subject: [PATCH 3/3] =?UTF-8?q?=E2=9C=8F=EF=B8=8F=20Fix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/lint.yml | 3 -
 test/.golangci.yml | 316 +++++++++++++++++++++++++++++++++
 test/examples_complete_test.go | 5 +-
 test/go.mod | 3 -
 test/go.sum | 2 -
 5 files changed, 319 insertions(+), 10 deletions(-)
 create mode 100644 test/.golangci.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 3e48345..11cb147 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -69,9 +69,6 @@ jobs:
 filter_mode: file
 workdir: test/
 go_version_file: test/go.mod
- golangci_lint_flags: --verbose --presets
- bugs,comment,complexity,error,format,import,metalinter,module,performance,style,unused
- --fast --exclude-use-default --tests --timeout 120s ./...
 prettier:
 runs-on: ubuntu-latest
 permissions:
diff --git a/test/.golangci.yml b/test/.golangci.yml
new file mode 100644
index 0000000..a21d084
--- /dev/null
+++ b/test/.golangci.yml
@@ -0,0 +1,316 @@ +run: + # Timeout for analysis, e.g. 30s, 5m. + # Default: 1m + timeout: 3m + +# This file contains only configs which differ from defaults. +# All possible options can be found here https://github.com/golangci/golangci-lint/blob/master/.golangci.reference.yml +linters-settings: + cyclop: + # The maximal code complexity to report. + # Default: 10 + max-complexity: 30 + # The maximal average package complexity. + # If it's higher than 0.0 (float) the check is enabled + # Default: 0.0 + package-average: 10.0 + + errcheck: + # Report about not checking of errors in type assertions: `a := b.(MyStruct)`. + # Such cases aren't reported by default. + # Default: false + check-type-assertions: true + + exhaustive: + # Program elements to check for exhaustiveness. + # Default: [ switch ] + check: + - switch + - map + + exhaustruct: + # List of regular expressions to exclude struct packages and names from check. + # Default: [] + exclude: + # std libs + - "^net/http.Client$" + - "^net/http.Cookie$" + - "^net/http.Request$" + - "^net/http.Response$" + - "^net/http.Server$" + - "^net/http.Transport$" + - "^net/url.URL$" + - "^os/exec.Cmd$" + - "^reflect.StructField$" + # public libs + - "^github.com/Shopify/sarama.Config$" + - "^github.com/Shopify/sarama.ProducerMessage$" + - "^github.com/mitchellh/mapstructure.DecoderConfig$" + - "^github.com/prometheus/client_golang/.+Opts$" + - "^github.com/spf13/cobra.Command$" + - "^github.com/spf13/cobra.CompletionOptions$" + - "^github.com/stretchr/testify/mock.Mock$" + - "^github.com/testcontainers/testcontainers-go.+Request$" + - "^github.com/testcontainers/testcontainers-go.FromDockerfile$" + - "^golang.org/x/tools/go/analysis.Analyzer$" + - "^google.golang.org/protobuf/.+Options$" + - "^gopkg.in/yaml.v3.Node$" + + funlen: + # Checks the number of lines in a function. + # If lower than 0, disable the check. + # Default: 60 + lines: 100 + # Checks the number of statements in a function. 
+ # If lower than 0, disable the check. + # Default: 40 + statements: 50 + # Ignore comments when counting lines. + # Default false + ignore-comments: true + + gocognit: + # Minimal code complexity to report. + # Default: 30 (but we recommend 10-20) + min-complexity: 20 + + gocritic: + # Settings passed to gocritic. + # The settings key is the name of a supported gocritic checker. + # The list of supported checkers can be find in https://go-critic.github.io/overview. + settings: + captLocal: + # Whether to restrict checker to params only. + # Default: true + paramsOnly: false + underef: + # Whether to skip (*x).method() calls where x is a pointer receiver. + # Default: true + skipRecvDeref: false + + gomnd: + # List of function patterns to exclude from analysis. + # Values always ignored: `time.Date`, + # `strconv.FormatInt`, `strconv.FormatUint`, `strconv.FormatFloat`, + # `strconv.ParseInt`, `strconv.ParseUint`, `strconv.ParseFloat`. + # Default: [] + ignored-functions: + - flag.Arg + - flag.Duration.* + - flag.Float.* + - flag.Int.* + - flag.Uint.* + - os.Chmod + - os.Mkdir.* + - os.OpenFile + - os.WriteFile + - prometheus.ExponentialBuckets.* + - prometheus.LinearBuckets + + gomodguard: + blocked: + # List of blocked modules. + # Default: [] + modules: + - github.com/golang/protobuf: + recommendations: + - google.golang.org/protobuf + reason: "see https://developers.google.com/protocol-buffers/docs/reference/go/faq#modules" + - github.com/satori/go.uuid: + recommendations: + - github.com/google/uuid + reason: "satori's package is not maintained" + - github.com/gofrs/uuid: + recommendations: + - github.com/google/uuid + reason: "gofrs' package is not go module" + + govet: + # Enable all analyzers. + # Default: false + enable-all: true + # Disable analyzers by name. + # Run `go tool vet help` to see all analyzers. + # Default: [] + disable: + - fieldalignment # too strict + # Settings per analyzer. 
+ settings: + shadow: + # Whether to be strict about shadowing; can be noisy. + # Default: false + strict: true + + nakedret: + # Make an issue if func has more lines of code than this setting, and it has naked returns. + # Default: 30 + max-func-lines: 0 + + nolintlint: + # Exclude following linters from requiring an explanation. + # Default: [] + allow-no-explanation: [funlen, gocognit, lll] + # Enable to require an explanation of nonzero length after each nolint directive. + # Default: false + require-explanation: true + # Enable to require nolint directives to mention the specific linter being suppressed. + # Default: false + require-specific: true + + rowserrcheck: + # database/sql is always checked + # Default: [] + packages: + - github.com/jmoiron/sqlx + + tenv: + # The option `all` will run against whole test files (`_test.go`) regardless of method/function signatures. + # Otherwise, only methods that take `*testing.T`, `*testing.B`, and `testing.TB` as arguments are checked. + # Default: false + all: true + +linters: + disable-all: true + enable: + ## enabled by default + - errcheck # checking for unchecked errors, these unchecked errors can be critical bugs in some cases + - gosimple # specializes in simplifying a code + - govet # reports suspicious constructs, such as Printf calls whose arguments do not align with the format string + - ineffassign # detects when assignments to existing variables are not used + - staticcheck # is a go vet on steroids, applying a ton of static analysis checks + - typecheck # like the front-end of a Go compiler, parses and type-checks Go code + - unused # checks for unused constants, variables, functions and types + ## disabled by default + - asasalint # checks for pass []any as any in variadic func(...any) + - asciicheck # checks that your code does not contain non-ASCII identifiers + - bidichk # checks for dangerous unicode character sequences + - bodyclose # checks whether HTTP response body is closed successfully + - 
cyclop # checks function and package cyclomatic complexity + - dupl # tool for code clone detection + - durationcheck # checks for two durations multiplied together + - errname # checks that sentinel errors are prefixed with the Err and error types are suffixed with the Error + - errorlint # finds code that will cause problems with the error wrapping scheme introduced in Go 1.13 + - execinquery # checks query string in Query function which reads your Go src files and warning it finds + - exhaustive # checks exhaustiveness of enum switch statements + - exportloopref # checks for pointers to enclosing loop variables + - forbidigo # forbids identifiers + - funlen # tool for detection of long functions + - gocheckcompilerdirectives # validates go compiler directive comments (//go:) + - gochecknoglobals # checks that no global variables exist + - gochecknoinits # checks that no init functions are present in Go code + - gochecksumtype # checks exhaustiveness on Go "sum types" + - gocognit # computes and checks the cognitive complexity of functions + - goconst # finds repeated strings that could be replaced by a constant + - gocritic # provides diagnostics that check for bugs, performance and style issues + - gocyclo # computes and checks the cyclomatic complexity of functions + - godot # checks if comments end in a period + - goimports # in addition to fixing imports, goimports also formats your code in the same style as gofmt + - gomnd # detects magic numbers + - gomoddirectives # manages the use of 'replace', 'retract', and 'excludes' directives in go.mod + - gomodguard # allow and block lists linter for direct Go module dependencies. 
This is different from depguard where there are different block types for example version constraints and module recommendations + - goprintffuncname # checks that printf-like functions are named with f at the end + - gosec # inspects source code for security problems + - lll # reports long lines + - loggercheck # checks key value pairs for common logger libraries (kitlog,klog,logr,zap) + - makezero # finds slice declarations with non-zero initial length + - mirror # reports wrong mirror patterns of bytes/strings usage + - musttag # enforces field tags in (un)marshaled structs + - nakedret # finds naked returns in functions greater than a specified function length + - nestif # reports deeply nested if statements + - nilerr # finds the code that returns nil even if it checks that the error is not nil + - nilnil # checks that there is no simultaneous return of nil error and an invalid value + - noctx # finds sending http request without context.Context + - nolintlint # reports ill-formed or insufficient nolint directives + - nonamedreturns # reports all named returns + - nosprintfhostport # checks for misuse of Sprintf to construct a host with port in a URL + - perfsprint # checks that fmt.Sprintf can be replaced with a faster alternative + - predeclared # finds code that shadows one of Go's predeclared identifiers + - promlinter # checks Prometheus metrics naming via promlint + - protogetter # reports direct reads from proto message fields when getters should be used + - reassign # checks that package variables are not reassigned + - revive # fast, configurable, extensible, flexible, and beautiful linter for Go, drop-in replacement of golint + - rowserrcheck # checks whether Err of rows is checked successfully + - sloglint # ensure consistent code style when using log/slog + - sqlclosecheck # checks that sql.Rows and sql.Stmt are closed + - stylecheck # is a replacement for golint + - tenv # detects using os.Setenv instead of t.Setenv since Go1.17 + - 
testableexamples # checks if examples are testable (have an expected output) + - testifylint # checks usage of github.com/stretchr/testify + - testpackage # makes you use a separate _test package + - tparallel # detects inappropriate usage of t.Parallel() method in your Go test codes + - unconvert # removes unnecessary type conversions + - unparam # reports unused function parameters + - usestdlibvars # detects the possibility to use variables/constants from the Go standard library + - wastedassign # finds wasted assignment statements + - whitespace # detects leading and trailing whitespace + + ## you may want to enable + #- decorder # checks declaration order and count of types, constants, variables and functions + #- exhaustruct # [highly recommend to enable] checks if all structure fields are initialized + #- gci # controls golang package import order and makes it always deterministic + #- ginkgolinter # [if you use ginkgo/gomega] enforces standards of using ginkgo and gomega + #- godox # detects FIXME, TODO and other comment keywords + #- goheader # checks is file header matches to pattern + #- inamedparam # [great idea, but too strict, need to ignore a lot of cases by default] reports interfaces with unnamed method parameters + #- interfacebloat # checks the number of methods inside an interface + #- ireturn # accept interfaces, return concrete types + #- prealloc # [premature optimization, but can be used in some cases] finds slice declarations that could potentially be preallocated + #- tagalign # checks that struct tags are well aligned + #- varnamelen # [great idea, but too many false positives] checks that the length of a variable's name matches its scope + #- wrapcheck # checks that errors returned from external packages are wrapped + #- zerologlint # detects the wrong usage of zerolog that a user forgets to dispatch zerolog.Event + + ## disabled + #- containedctx # detects struct contained context.Context field + #- contextcheck # [too many false 
positives] checks the function whether use a non-inherited context + #- depguard # [replaced by gomodguard] checks if package imports are in a list of acceptable packages + #- dogsled # checks assignments with too many blank identifiers (e.g. x, _, _, _, := f()) + #- dupword # [useless without config] checks for duplicate words in the source code + #- errchkjson # [don't see profit + I'm against of omitting errors like in the first example https://github.com/breml/errchkjson] checks types passed to the json encoding functions. Reports unsupported types and optionally reports occasions, where the check for the returned error can be omitted + #- forcetypeassert # [replaced by errcheck] finds forced type assertions + #- goerr113 # [too strict] checks the errors handling expressions + #- gofmt # [replaced by goimports] checks whether code was gofmt-ed + #- gofumpt # [replaced by goimports, gofumports is not available yet] checks whether code was gofumpt-ed + #- gosmopolitan # reports certain i18n/l10n anti-patterns in your Go codebase + #- grouper # analyzes expression groups + #- importas # enforces consistent import aliases + #- maintidx # measures the maintainability index of each function + #- misspell # [useless] finds commonly misspelled English words in comments + #- nlreturn # [too strict and mostly code is not more readable] checks for a new line before return and branch statements to increase code clarity + #- paralleltest # [too many false positives] detects missing usage of t.Parallel() method in your Go test + #- tagliatelle # checks the struct tags + #- thelper # detects golang test helpers without t.Helper() call and checks the consistency of test helpers + #- wsl # [too strict and mostly code is not more readable] whitespace linter forces you to use empty lines + + ## deprecated + #- deadcode # [deprecated, replaced by unused] finds unused code + #- exhaustivestruct # [deprecated, replaced by exhaustruct] checks if all struct's fields are initialized + 
#- golint # [deprecated, replaced by revive] golint differs from gofmt. Gofmt reformats Go source code, whereas golint prints out style mistakes + #- ifshort # [deprecated] checks that your code uses short syntax for if-statements whenever possible + #- interfacer # [deprecated] suggests narrower interface types + #- maligned # [deprecated, replaced by govet fieldalignment] detects Go structs that would take less memory if their fields were sorted + #- nosnakecase # [deprecated, replaced by revive var-naming] detects snake case of variable naming and function name + #- scopelint # [deprecated, replaced by exportloopref] checks for unpinned variables in go programs + #- structcheck # [deprecated, replaced by unused] finds unused struct fields + #- varcheck # [deprecated, replaced by unused] finds unused global variables and constants + +issues: + # Maximum count of issues with the same text. + # Set to 0 to disable. + # Default: 3 + max-same-issues: 50 + + exclude-rules: + - source: "(noinspection|TODO)" + linters: [godot] + - source: "//noinspection" + linters: [gocritic] + - path: "_test\\.go" + linters: + - bodyclose + - dupl + - funlen + - goconst + - gosec + - noctx + - wrapcheck diff --git a/test/examples_complete_test.go b/test/examples_complete_test.go index 20fb2de..41ac1c8 100644 --- a/test/examples_complete_test.go +++ b/test/examples_complete_test.go @@ -1,11 +1,12 @@ -package test +package test_test import ( "context" + "testing" + "github.com/aws/aws-sdk-go-v2/config" "github.com/gruntwork-io/terratest/modules/terraform" test_structure "github.com/gruntwork-io/terratest/modules/test-structure" - "testing" ) func TestDefaults(t *testing.T) { diff --git a/test/go.mod b/test/go.mod index f42604c..24a0e93 100644 --- a/test/go.mod +++ b/test/go.mod @@ -5,7 +5,6 @@ go 1.21.4 require ( github.com/aws/aws-sdk-go-v2/config v1.25.5 github.com/gruntwork-io/terratest v0.46.7 - github.com/kr/pretty v0.3.1 ) require ( 
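Review bot: The `issues.exclude-rules` entry for `path: "_test\\.go"` at the end of the test/.golangci.yml hunk switches off `gosec`, `noctx` and `bodyclose` for test files, and this module's only Go source is a test file (the diffstat lists `test/examples_complete_test.go` alone), so `gosec` is effectively never run even though the `linters` list enables it. Since the Terratest code in this series imports the AWS SDK and drives real infrastructure, I'd remove `gosec` (and probably `noctx`) from that exclusion and suppress individual findings with `//nolint:gosec // <reason>`, which the `nolintlint` settings in this file already require to be explained and linter-specific. `wrapcheck` in the same exclusion list is never enabled (it is commented out under "you may want to enable"), so that line is dead configuration and should go or the linter should be turned on.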
@@ -64,7 +63,6 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.15.11 // indirect - github.com/kr/text v0.2.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect @@ -76,7 +74,6 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/pquerna/otp v1.2.0 // indirect - github.com/rogpeppe/go-internal v1.10.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect github.com/stretchr/testify v1.8.4 // indirect diff --git a/test/go.sum b/test/go.sum index 6e6004b..bec94a9 100644 --- a/test/go.sum +++ b/test/go.sum @@ -491,7 +491,6 @@ github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE= github.com/onsi/gomega v1.27.6/go.mod h1:PIQNjfQwkP3aQAH7lf7j87O/5FiNr+ZR8+ipb+qQlhg= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= 
@@ -500,7 +499,6 @@ github.com/pquerna/otp v1.2.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=