New rule: aws_provider_missing_tags (#633)

bootswithdefer · web-flow · commit 51d759d6ab31 · 2024-05-04T23:10:06.000+09:00
* provider missing tags rule

* revert version change

* switch to standard slices package

* rename aws_provider_missing_tags to aws_provider_missing_default_tags

* more descriptive default provider messages, return error from emitIssue

* use attr.Range instead of provider.DefRange

* update docs

* hcl code block

* enabled

* rename rule in docs
diff --git a/docs/rules/README.md b/docs/rules/README.md
@@ -74,6 +74,7 @@ These rules enforce best practices and naming conventions:
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
+|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 
 ### SDK-based Validations
 
diff --git a/docs/rules/README.md.tmpl b/docs/rules/README.md.tmpl
@@ -74,6 +74,7 @@ These rules enforce best practices and naming conventions:
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
+|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 
 ### SDK-based Validations
 
diff --git a/docs/rules/aws_provider_missing_default_tags.md b/docs/rules/aws_provider_missing_default_tags.md
@@ -0,0 +1,72 @@
+# aws_provider_missing_default_tags
+
+Require specific tags for all AWS provider default_tags blocks.
+
+## Configuration
+
+```hcl
+rule "aws_provider_missing_default_tags" {
+  enabled = true
+  tags = ["Foo", "Bar"]
+}
+```
+
+## Examples
+
+The `tags` attribute is a map of `key`=`value` pairs, like resource tags:
+
+```hcl
+provider "aws" {
+  default_tags {
+    tags = {
+      foo = "Bar"
+      bar = "Baz"
+    }
+  }
+}
+```
+
+An issue is reported because the tag keys ["foo", "bar"] don't match the required tags ["Foo", "Bar"]
+
+```
+$ tflint
+1 issue(s) found:
+
+Notice: The provider is missing the following tags: "Bar", "Foo". (aws_provider_missing_default_tags)
+
+  on test.tf line 1:
+   1: provider "aws" {
+```
+
+## Why
+
+- You want to set a standardized set of tags for your AWS resources via the provider default tags.
+- You want more DRY (don't repeat yourself) Terraform code, by eliminating tag configuration from resources.
+- Using default tags results in better tagging coverage. The resource missing tags rule needs support
+  to be added for non-standard uses of tags in the provider, for example EC2 root block devices.
+
+Use this rule in conjuction with aws_resource_missing_tags_rule, for example to enforce common tags and
+resource specific tags, without duplicating tags.
+
+```hcl
+rule "aws_resource_missing_tags" {
+  enabled = true
+  tags = [
+    "kubernetes.io/cluster/eks",
+  ]
+  include = [
+    "aws_subnet",
+  ]
+}
+
+rule "aws_provider_missing_default_tags" {
+  enabled = true
+  tags = [
+    "CostCenter",
+  ]
+}
+```
+
+## How To Fix
+
+Ensure the provider default tags contains all your required tags.
diff --git a/rules/aws_provider_missing_default_tags.go b/rules/aws_provider_missing_default_tags.go
@@ -0,0 +1,174 @@
+package rules
+
+import (
+	"fmt"
+	"slices"
+	"sort"
+	"strings"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/logger"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// AwsProviderMissingDefaultTagsRule checks whether providers are tagged correctly
+type AwsProviderMissingDefaultTagsRule struct {
+	tflint.DefaultRule
+}
+
+type awsProviderTagsRuleConfig struct {
+	Tags []string `hclext:"tags"`
+}
+
+const (
+	providerDefaultTagsBlockName = "default_tags"
+	providerTagsAttributeName    = "tags"
+)
+
+// NewAwsProviderMissingDefaultTagsRule returns new rules for all providers that support tags
+func NewAwsProviderMissingDefaultTagsRule() *AwsProviderMissingDefaultTagsRule {
+	return &AwsProviderMissingDefaultTagsRule{}
+}
+
+// Name returns the rule name
+func (r *AwsProviderMissingDefaultTagsRule) Name() string {
+	return "aws_provider_missing_default_tags"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsProviderMissingDefaultTagsRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsProviderMissingDefaultTagsRule) Severity() tflint.Severity {
+	return tflint.NOTICE
+}
+
+// Link returns the rule reference link
+func (r *AwsProviderMissingDefaultTagsRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks providers for missing tags
+func (r *AwsProviderMissingDefaultTagsRule) Check(runner tflint.Runner) error {
+	config := awsProviderTagsRuleConfig{}
+	if err := runner.DecodeRuleConfig(r.Name(), &config); err != nil {
+		return err
+	}
+
+	providerSchema := &hclext.BodySchema{
+		Attributes: []hclext.AttributeSchema{
+			{
+				Name:     "alias",
+				Required: false,
+			},
+		},
+		Blocks: []hclext.BlockSchema{
+			{
+				Type: providerDefaultTagsBlockName,
+				Body: &hclext.BodySchema{
+					Attributes: []hclext.AttributeSchema{
+						{
+							Name: providerTagsAttributeName,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	providerBody, err := runner.GetProviderContent("aws", providerSchema, nil)
+	if err != nil {
+		return nil
+	}
+
+	// Get provider default tags
+	var providerAlias string
+	for _, provider := range providerBody.Blocks.OfType("provider") {
+		// Get the alias attribute, in terraform when there is a single aws provider its called "default"
+		providerAttr, ok := provider.Body.Attributes["alias"]
+		if !ok {
+			providerAlias = "default"
+		} else {
+			err := runner.EvaluateExpr(providerAttr.Expr, func(alias string) error {
+				providerAlias = alias
+				return nil
+			}, nil)
+			if err != nil {
+				return nil
+			}
+		}
+		logger.Debug("Walk `%s` provider", providerAlias)
+
+		if len(provider.Body.Blocks) == 0 {
+			var issue string
+			if providerAlias == "default" {
+				issue = "The aws provider is missing the `default_tags` block"
+			} else {
+				issue = fmt.Sprintf("The aws provider with alias `%s` is missing the `default_tags` block", providerAlias)
+			}
+			if err := runner.EmitIssue(r, issue, provider.DefRange); err != nil {
+				return err
+			}
+			continue
+		}
+
+		for _, block := range provider.Body.Blocks {
+			var providerTags []string
+			attr, ok := block.Body.Attributes[providerTagsAttributeName]
+			if !ok {
+				if err := r.emitIssue(runner, providerTags, config, provider.DefRange); err != nil {
+					return err
+				}
+				continue
+			}
+
+			err := runner.EvaluateExpr(attr.Expr, func(val cty.Value) error {
+				keys, known := getKeysForValue(val)
+
+				if !known {
+					logger.Warn("The missing aws tags rule can only evaluate provided variables, skipping %s.", provider.Labels[0]+"."+providerAlias+"."+providerDefaultTagsBlockName+"."+providerTagsAttributeName)
+					return nil
+				}
+
+				logger.Debug("Walk `%s` provider with tags `%v`", providerAlias, keys)
+				providerTags = keys
+				return nil
+			}, nil)
+
+			if err != nil {
+				return nil
+			}
+
+			// Check tags
+			if err := r.emitIssue(runner, providerTags, config, attr.Range); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (r *AwsProviderMissingDefaultTagsRule) emitIssue(runner tflint.Runner, tags []string, config awsProviderTagsRuleConfig, location hcl.Range) error {
+	var missing []string
+	for _, tag := range config.Tags {
+		if !slices.Contains(tags, tag) {
+			missing = append(missing, fmt.Sprintf("%q", tag))
+		}
+	}
+	if len(missing) > 0 {
+		sort.Strings(missing)
+		wanted := strings.Join(missing, ", ")
+		issue := fmt.Sprintf("The provider is missing the following tags: %s.", wanted)
+		if err := runner.EmitIssue(r, issue, location); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/rules/aws_provider_missing_default_tags_test.go b/rules/aws_provider_missing_default_tags_test.go
diff --git a/rules/provider.go b/rules/provider.go
