DENA-969: Implemented rule for checking the backend (#5)

* Removed sample rules

* Add CODEOWNERS

* Updated plugin name

* Updated dependabot

* Added golangci-lint with pre-commit

* Update GH workflow

* Add yaml check

* Use credentials

* Inlined go mod tidy

* Add golangci-lint

* Run pre-commit on PR

* Skip golang-ci-full from pre-commit

* Run tests only for linux

* Added linting

* Removed the last sample rule

* Updated readme

* Revert "Removed the last sample rule"

This reverts commit 43ba7da.

* Updated to latest libs

* Update .github/dependabot.yml

Co-authored-by: Matt Hughes <[email protected]>

* Update .golangci.yaml

Co-authored-by: Matt Hughes <[email protected]>

* Update .golangci.yaml

Co-authored-by: Matt Hughes <[email protected]>

* Update .golangci.yaml

Co-authored-by: Matt Hughes <[email protected]>

* Added gitignore

* Fixed linting

* Updated name

* Added implementation for msk backend check.

* Removed sample rules

* Add documentation for the msk module backend rule

* Fixed anchor

* Added the implemented rule in the table

* Fixed main build.

* Added helper struct for overwriting the OriginalWd

* Added helper struct for overwriting the OriginalWd

* Update README.md

Co-authored-by: Matt Hughes <[email protected]>

* Update rules/msk_module_backend.go

Co-authored-by: Matt Hughes <[email protected]>

* Remove duplicated example

* Rearranged the test cases

* Implemented link to rule

---------

Co-authored-by: Matt Hughes <[email protected]>

Author: sbuliarca

README.md

@@ -17,8 +17,10 @@ plugin "kafka-config" {
 
 ## Rules
 
-|Name|Description|Severity|Enabled|Link|
-| --- | --- | --- | --- | --- |
+| Name                                              | Description                                                                              |
+|---------------------------------------------------|------------------------------------------------------------------------------------------|
+| [msk_module_backend](rules/msk_module_backend.md) | Requires an S3 backend to be defined, with a key that has as suffix the name of the team (taken from the current directory name) |
+
 
 ## Building the plugin
 

go.mod

@@ -4,12 +4,14 @@ go 1.22.2
 
 require (
 	github.com/hashicorp/hcl/v2 v2.22.0
+	github.com/stretchr/testify v1.7.2
 	github.com/terraform-linters/tflint-plugin-sdk v0.21.0
 )
 
 require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/fatih/color v1.17.0 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
@@ -22,6 +24,7 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/oklog/run v1.1.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/zclconf/go-cty v1.15.0 // indirect
@@ -34,4 +37,5 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240930140551-af27646dc61f // indirect
 	google.golang.org/grpc v1.67.1 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -83,6 +83,7 @@ google.golang.org/grpc v1.67.1 h1:zWnc1Vrcno+lHZCOofnIMvycFcc0QRGIzm9dhnDX68E=
 google.golang.org/grpc v1.67.1/go.mod h1:1gLDyUQU7CTLJI90u3nXZ9ekeghjeM7pTDZlqFNg2AA=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

main.go

@@ -13,7 +13,7 @@ func main() {
 			Name:    "kafka-config",
 			Version: "0.1.0",
 			Rules: []tflint.Rule{
-				rules.NewTerraformBackendTypeRule(),
+				rules.NewMskModuleBackendRule(),
 			},
 		},
 	})

rules/msk_module_backend.go

@@ -0,0 +1,147 @@
+package rules
+
+import (
+	"fmt"
+	"path/filepath"
+	"strings"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/hashicorp/hcl/v2/gohcl"
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// MskModuleBackendRule checks whether an MSK module has an S3 backend defined with a key that has as suffix the name of the team.
+type MskModuleBackendRule struct {
+	tflint.DefaultRule
+}
+
+// NewMskModuleBackendRule returns a new rule.
+func NewMskModuleBackendRule() *MskModuleBackendRule {
+	return &MskModuleBackendRule{}
+}
+
+// Name returns the rule name.
+func (r *MskModuleBackendRule) Name() string {
+	return "msk_module_backend"
+}
+
+// Enabled returns whether the rule is enabled by default.
+func (r *MskModuleBackendRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity.
+func (r *MskModuleBackendRule) Severity() tflint.Severity {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link.
+func (r *MskModuleBackendRule) Link() string {
+	return ReferenceLink(r.Name())
+}
+
+func (r *MskModuleBackendRule) Check(runner tflint.Runner) error {
+	path, err := runner.GetModulePath()
+	if err != nil {
+		return fmt.Errorf("getting module path: %w", err)
+	}
+	if !path.IsRoot() {
+		// This rule does not evaluate child modules.
+		return nil
+	}
+
+	// This rule is an example to get attributes of blocks other than resources.
+	content, err := runner.GetModuleContent(&hclext.BodySchema{
+		Blocks: []hclext.BlockSchema{
+			{
+				Type: "terraform",
+				Body: &hclext.BodySchema{
+					Blocks: []hclext.BlockSchema{
+						{
+							Type:       "backend",
+							LabelNames: []string{"type"},
+							Body: &hclext.BodySchema{
+								Attributes: []hclext.AttributeSchema{
+									{Name: "key"},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}, nil)
+	if err != nil {
+		return fmt.Errorf("getting module content: %w", err)
+	}
+
+	backend := findBackendDef(content)
+	if backend == nil {
+		err := runner.EmitIssue(r, "an s3 backend should be configured for a kafka MSK module", hcl.Range{})
+		if err != nil {
+			return fmt.Errorf("emitting issue: backend missing: %w", err)
+		}
+		return nil
+	}
+
+	backendType := backend.Labels[0]
+	if backendType != "s3" {
+		err := runner.EmitIssue(r, "backend should always be s3 for a kafka MSK module", backend.DefRange)
+		if err != nil {
+			return fmt.Errorf("emitting issue: always s3: %w", err)
+		}
+		return nil
+	}
+
+	keyAttr, keyExists := backend.Body.Attributes["key"]
+	if !keyExists {
+		err := runner.EmitIssue(r, "the s3 backend should specify the details inside the kafka MSK module", backend.DefRange)
+		if err != nil {
+			return fmt.Errorf("emitting issue: no s3 details: %w", err)
+		}
+		return nil
+	}
+
+	return r.checkKeyHasTeamSuffix(runner, keyAttr)
+}
+
+func findBackendDef(content *hclext.BodyContent) *hclext.Block {
+	if content.IsEmpty() {
+		return nil
+	}
+	for _, tfConfig := range content.Blocks {
+		if len(tfConfig.Body.Blocks) > 0 {
+			return tfConfig.Body.Blocks[0]
+		}
+	}
+	return nil
+}
+
+func (r *MskModuleBackendRule) checkKeyHasTeamSuffix(runner tflint.Runner, keyAttr *hclext.Attribute) error {
+	var key string
+	diags := gohcl.DecodeExpression(keyAttr.Expr, nil, &key)
+	if diags.HasErrors() {
+		return diags
+	}
+
+	modulePath, err := runner.GetOriginalwd()
+	if err != nil {
+		return fmt.Errorf("failed getting module path: %w", err)
+	}
+
+	teamName := filepath.Base(modulePath)
+
+	if !strings.HasSuffix(key, teamName) {
+		err = runner.EmitIssue(
+			r,
+			fmt.Sprintf("backend key must have the team's name '%s' as a suffix. Current value is: %s", teamName, key),
+			keyAttr.Range,
+		)
+		if err != nil {
+			return fmt.Errorf("emitting issue: no team suffix: %w", err)
+		}
+	}
+
+	return nil
+}

rules/msk_module_backend.md

@@ -0,0 +1,58 @@
+# msk_module_backend
+
+Requires an S3 backend to be defined, with a key that has as suffix the name of the team.
+
+## Example
+
+### Bad examples 
+```hcl
+// no s3 backend
+terraform {
+  
+}
+
+// backend is not S3
+terraform {
+  backend "local" {
+  }
+}
+
+// s3 backend doesn't have details
+terraform {
+  backend "s3" {
+  }
+}
+
+// backend key doesn't have the team's suffix
+terraform {
+  backend "s3" {
+    bucket = "mybucket"
+    key    = "key-without-team-suffix"
+    region = "us-east-1"
+  }
+}
+```
+
+### Good example
+
+Good for team `pubsub`:
+```hcl
+terraform {
+  backend "s3" {
+    bucket = "mybucket"
+    key    = "dev-aws/msk-pubsub"
+    region = "us-east-1"
+  }
+}
+```
+
+## Why
+
+We want to avoid team mixing their states due to copy/paste issues.
+With this rule, all the details for the bucket will always be specified in the kafka-cluster-config repository where we have a module per team and each team has a unique name.
+
+## How To Fix
+
+Define the S3 backend in the team's module, having the key as the team's suffix.
+
+See [good example](#good-example)