
terraform-validator's Introduction

👋 Hey there


I'm Thibault, a Site Reliability Engineer from France.


โฃ๏ธ What I love

  • Keep learning everything related to the DevOps way of working
  • Using and maintaining Cloud Native apps/tools, and even better if they are open source

๐Ÿ› ๏ธ Currently working on

  • Cloud: AWS, Gcloud, Terraform
  • Containers: Kubernetes, Helm, Kustomize, Docker
  • Development: Golang, Bash, Ansible, Python3
  • Observability: Prometheus, AlertManager, Grafana, Loki, Thanos
  • CI/CD: GitHub, GitHub actions, ArgoCD, Argo workflow

terraform-validator's People

Contributors: chdorb, dependabot[bot], germainlefebvre4, owulveryck, thazelart

terraform-validator's Issues

Unexpected "validation" block

Hi,

Using "validation" in a variable block generates an error:

Unexpected "validation" block; Blocks are not allowed here

variable "image_id" {
  type        = string
  description = "The id of the machine image (AMI) to use for the server."

  validation {
    condition     = length(var.image_id) > 4 && substr(var.image_id, 0, 4) == "ami-"
    error_message = "The image_id value must be a valid AMI id, starting with \"ami-\"."
  }
}

Even though "validation" comes with Terraform 0.13, terraform-validator should not raise an error because the validation block is inside the variable definition, should it?

Blocks of type "required_providers" are not expected here

Firstly, this is a great tool. I use it constantly for a large number of Terraform modules I maintain. Thank you!

In my versions.tf file, I have a block which looks like this:

# https://www.terraform.io/docs/configuration/terraform.html
terraform {
  required_version = ">= 0.12"

  required_providers {
    aws      = "~> 2.67"
    newrelic = "~> 1.19"
  }
}

A truncated version of my .terraform-validator.yaml file looks like this:

layers:
  default:
    files:
      versions.tf:
        mandatory: true
        authorized_blocks:
          - required_providers # only added this after receiving the error message; it didn't help
          - terraform

When I run the tool, I get this message:

$ terraform-validator .
2020/07/03 01:07:04 versions.tf:5,3-21: Unsupported block type; Blocks of type "required_providers" are not expected here.

The required_providers sub-block of a terraform block is documented here: https://www.terraform.io/docs/configuration/terraform.html#specifying-required-provider-versions

How do I get terraform-validator to allow/enforce this block without throwing an error?

Add `terraform fmt` test

The idea is to add a new test: ensure_terraform_fmt

If set to true, this will ensure that the terraform fmt command passes. This ensures that the Terraform code is well formatted.

In order to run the right Terraform version for everyone, terraform will be a dependency of terraform-validator if that option is set to true.

Add the possibility of prohibiting certain types of resources

An example with the GCP provider:

For IAM management, 3 different types of resources can be used: google_project_iam_policy, google_project_iam_binding and google_project_iam_member.

The GCP IAM API manages user roles as a list of users per role.
In Terraform, google_project_iam_member will append a new user to the list for the role, but google_project_iam_binding will completely replace this list with the one given as a parameter.

So it is not possible to declare the resource google_project_iam_binding twice (or google_project_iam_binding and google_project_iam_member) to manage the same GCP role in the same Terraform stack.

Same case with the resources google_project_service and google_project_services.

It could be interesting to check this part with terraform-validator.

Hcl2 error in provider.tf

Hi!
I have an "assume_role" block in my provider.tf

provider "google" {
  version = "foo"

  assume_role {
    role_arn = "role"
  }
}

and I ran into this error:

2019/11/15 15:24:23 testdata/ok_default_config/providers.tf:5,3-14: Unexpected "assume_role" block; Blocks are not allowed here.

It seems that hcl2 libs are giving an error for a valid terraform format. Also the hcl2 repo is archived.

Are you aware of this issue?

Enforce presence of a block in a file

It would be interesting to enforce that a file exists and then that a block is present inside it.

e.g.:
Enforce the presence of the provider block only in the providers.tf file.

Configuration could be like this:

layers:
  default:
    files:
      main.tf:
        mandatory: true
        authorized_blocks:
      providers.tf:
        mandatory: true
        exclusive_blocks:
          - provider

Terraform-validator should check recursively

Terraform-validator's current version cannot handle internal modules and layering.

This should be the next evolution!

Each subdirectory inherits the .terraform-validator.yaml configuration. If something is different, another .terraform-validator.yaml can be added there to change the configuration of the directory and its subdirectories.

add `terraform-docs` test

The idea is to add a new test: ensure_readme_updated

If set to true, this will ensure the terraform-docs command was run, and so that the documentation seems up to date.

In order to run the right terraform version for everyone, terraform-docs will be a dependency of terraform-validator if that option is set to true. If not installed, we might use the latest version (not yet fully decided about that).

Add ensure outputs/variables description set

Terraform-validator should be able to ensure that outputs and/or variables blocks contain a description.

For this, we will need to add two parameters (one to check the variables description, one for the outputs).
Create the check and include it in the fileCheck function.
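As an added example (not terraform-validator's own code, and not taken from either issue), the Go program below sketches the two checks requested above, the authoritative-versus-additive GCP IAM conflict from the "prohibiting certain types of resources" issue and the missing variable/output descriptions from this one, on top of a deliberately small line-oriented HCL scanner. The Block type, the scanner and the function names are this example's own assumptions; terraform-validator itself parses with hashicorp/hcl, and a flat deny list of resource types such as google_project_services would be the same loop over the first resource label. The sample stack is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Block is one top-level HCL block: its type, its quoted labels, and the attributes set directly in its body.
type Block struct {
	Type   string
	Labels []string
	Attrs  map[string]string // attribute name -> right-hand side, quotes stripped; nested blocks are skipped
}

func (b Block) Address() string { return b.Type + "." + strings.Join(b.Labels, ".") }

var headerRe = regexp.MustCompile(`^([a-z_]+)((?:\s+"[^" ]*")*)\s*\{$`)
var attrRe = regexp.MustCompile(`^([A-Za-z_][A-Za-z0-9_-]*)\s*=\s*(.*)$`)

// ParseTopLevelBlocks is a line-oriented scanner for terraform fmt'd code, not a full HCL parser:
// brace depth tracks where a block ends, so braces inside strings or heredocs would confuse it.
func ParseTopLevelBlocks(src string) []Block {
	var blocks []Block
	var cur Block
	depth := 0 // 0 between blocks, otherwise the nesting depth inside cur
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if depth == 0 {
			if m := headerRe.FindStringSubmatch(line); m != nil {
				cur, depth = Block{Type: m[1], Attrs: map[string]string{}}, 1
				for _, l := range strings.Fields(m[2]) {
					cur.Labels = append(cur.Labels, strings.Trim(l, `"`))
				}
			}
			continue
		}
		if m := attrRe.FindStringSubmatch(line); m != nil && depth == 1 {
			cur.Attrs[m[1]] = strings.Trim(m[2], `"`)
		}
		if depth += strings.Count(line, "{") - strings.Count(line, "}"); depth == 0 {
			blocks = append(blocks, cur)
		}
	}
	return blocks
}

// MissingDescriptions is the ensure-description check: each variable (when checkVariables) and output (when checkOutputs) needs a description.
func MissingDescriptions(blocks []Block, checkVariables, checkOutputs bool) []string {
	var missing []string
	for _, b := range blocks {
		want := (b.Type == "variable" && checkVariables) || (b.Type == "output" && checkOutputs)
		if want && b.Attrs["description"] == "" {
			missing = append(missing, b.Address())
		}
	}
	return missing
}

// IAMRoleConflicts reports a role that an authoritative google_project_iam_binding shares with another project-level binding or member.
func IAMRoleConflicts(blocks []Block) []string {
	byRole, bindings := map[string][]string{}, map[string]int{}
	for _, b := range blocks {
		role := b.Attrs["role"]
		if b.Type != "resource" || len(b.Labels) != 2 || role == "" || !strings.HasPrefix(b.Labels[0], "google_project_iam_") {
			continue
		}
		byRole[role] = append(byRole[role], b.Address())
		if b.Labels[0] == "google_project_iam_binding" {
			bindings[role]++
		}
	}
	var conflicts []string
	for role, addrs := range byRole {
		if bindings[role] > 0 && len(addrs) > 1 {
			conflicts = append(conflicts, role+": "+strings.Join(addrs, ", "))
		}
	}
	sort.Strings(conflicts)
	return conflicts
}

// sampleStack is constructed input for this demo, not code from any real project.
const sampleStack = `variable "image_id" {
}
resource "google_project_iam_binding" "editors" {
  role    = "roles/editor"
  members = ["group:ops@example.com"]
}
resource "google_project_iam_member" "extra_editor" {
  role   = "roles/editor"
  member = "user:alice@example.com"
}`

func main() {
	blocks := ParseTopLevelBlocks(sampleStack)
	fmt.Printf("missing descriptions: %v\nIAM role conflicts: %v\n", MissingDescriptions(blocks, true, true), IAMRoleConflicts(blocks))
}
```

Two members on the same role are additive and pass; a binding next to anything else on that role is reported, which is exactly the situation the IAM issue describes as silently replacing the member list. Only attributes at depth 1 are recorded, so an error_message inside a validation block can never satisfy the description check.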

Reduce main complexity

Problem

Main complexity is too high.

Solution

Extract the log code in a new internal/log package

Example of code to extract

if len(blockNamesErrors) > 0 || len(blocksInFilesErrors) > 0 || len(providersVersionErrors) > 0 {
	exitCode = 1
	fmt.Printf("\nERROR: %s misformed:\n", file.Path)
	if len(providersVersionErrors) > 0 {
		fmt.Printf("  Unversioned provider(s):\n")
		for _, err := range providersVersionErrors {
			fmt.Printf("    - %s\n", err.Error())
		}
	}
	if len(blockNamesErrors) > 0 {
		fmt.Printf("  Unmatching \"%s\" pattern blockname(s):\n",
			globalConfig.TerraformConfig.BlockPatternName)
		for _, err := range blockNamesErrors {
			fmt.Printf("    - %s\n", err.Error())
		}
	}
	if len(blocksInFilesErrors) > 0 {
		fmt.Println("  Unauthorized block(s):")
		for _, err := range blocksInFilesErrors {
			fmt.Printf("    - %s\n", err.Error())
		}
	}
}
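One way to do the extraction the issue proposes, as an added example rather than the project's code: the three near-identical header-plus-loop copies above become a single table-driven Report function that returns the rendered text and a failed flag, so main only has to decide the exit code. Section, Report and ExitCode are names chosen for this example; the section titles reuse the messages from the snippet above, and the findings in main are constructed data, not real tool output.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Section is one category of findings for a file (e.g. the unversioned providers);
// it is printed only when it holds at least one error.
type Section struct {
	Title  string
	Errors []error
}

// Report renders the per-file error block that main printed inline, and says whether
// anything was reported so the caller can set the exit code. Adding a check becomes
// one more Section instead of another copy of the header-plus-loop.
func Report(path string, sections ...Section) (string, bool) {
	var sb strings.Builder
	failed := false
	for _, s := range sections {
		if len(s.Errors) == 0 {
			continue
		}
		if !failed {
			fmt.Fprintf(&sb, "\nERROR: %s misformed:\n", path)
			failed = true
		}
		fmt.Fprintf(&sb, "  %s\n", s.Title)
		for _, err := range s.Errors {
			fmt.Fprintf(&sb, "    - %s\n", err.Error())
		}
	}
	return sb.String(), failed
}

// ExitCode is the only decision left in main: 1 if any file failed, else 0.
func ExitCode(failures ...bool) int {
	for _, f := range failures {
		if f {
			return 1
		}
	}
	return 0
}

func main() {
	// Constructed findings standing in for what the real checks return; the block-name
	// pattern is an invented example value, not the project's configured one.
	out, failed := Report("versions.tf",
		Section{Title: "Unversioned provider(s):", Errors: []error{errors.New("provider aws has no version constraint")}},
		Section{Title: `Unmatching "^[a-z0-9_]+$" pattern blockname(s):`},
		Section{Title: "Unauthorized block(s):", Errors: []error{errors.New("output blocks are not allowed in versions.tf")}},
	)
	fmt.Print(out)
	fmt.Println("exit code:", ExitCode(failed))
}
```

Because Report returns a string instead of writing to stdout, the exact wording of the report can be unit-tested, which the inline fmt.Printf calls in main never allowed.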

Add `terraform validate` test

The idea is to add a new test: ensure_terraform_validate

If set to true, this will ensure that the terraform validate command passes. This ensures that the Terraform code is well written.

In order to run the right Terraform version for everyone, terraform will be a dependency of terraform-validator if that option is set to true.

Allow existence check of a non *.tf file

Hi,

It seems terraform-validator is unable to check if a non *.tf file exists:

layers:
  default:
    files:
      README.md:
        mandatory: true

$ terraform-validator .
INFO: running on terraform/meta with default configuration
ERROR: missing mandatory file(s):
  - README.md

$ ls -1 terraform/meta/README.md
terraform/meta/README.md

In this sample, it could be interesting to ensure that a README.md file exists.
