feat(build): #232 lint terraform

- Add argument, module and docs

Author: kamadorueda

.github/workflows/dev.yml

@@ -113,6 +113,14 @@ jobs:
       name: /lintPython/module/cliMain
       with:
         args: sh -c "nix-env -if . && m . /lintPython/module/cliMain"
+  lintTerraform_module:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: docker://docker.io/nixos/nix:2.3.12
+      name: /lintTerraform/module
+      with:
+        args: sh -c "nix-env -if . && m . /lintTerraform/module"
   lintWithLizard:
     runs-on: ubuntu-latest
     steps:

README.md

@@ -38,6 +38,7 @@ in just a few steps, in any technology.
         - [lintMarkdown](#lintmarkdown)
         - [lintNix](#lintnix)
         - [lintPython](#lintpython)
+        - [lintTerraform](#lintterraform)
         - [lintWithLizard](#lintwithlizard)
     - [Pinning](#pinning)
         - [inputs](#inputs)
@@ -419,6 +420,14 @@ Attributes:
 - pubKey (`str`):
   Public key of the [Cachix][CACHIX] cache.
 
+Required environment variables:
+
+- `CACHIX_AUTH_TOKEN`: API token of the [Cachix][CACHIX] cache.
+    - For Public caches:
+      If not set the cache will only be read, but not written to.
+    - For private caches:
+      If not set the cache won't be read, nor written to.
+
 Example `makes.nix`:
 
 ```nix
@@ -431,14 +440,6 @@ Example `makes.nix`:
 }
 ```
 
-Required environment variables:
-
-- `CACHIX_AUTH_TOKEN`: API token of the [Cachix][CACHIX] cache.
-    - For Public caches:
-      If not set the cache will only be read, but not written to.
-    - For private caches:
-      If not set the cache won't be read, nor written to.
-
 ## Formatters
 
 Formatters help your code be consistent, beautiful and more maintainable.
@@ -773,6 +774,70 @@ Example invocation: `$ m . /lintPython/dirOfModules/makes/main`
 
 Example invocation: `$ m . /lintPython/module/cliMain`
 
+### lintTerraform
+
+Lint [Terraform][TERRAFORM] code
+with [TFLint][TFLINT].
+
+Attributes:
+
+- enable (`boolean`): Optional.
+  Defaults to false.
+- config (`lines`): Optional.
+  Defaults to:
+
+  ```hcl
+  config {
+    module = true
+  }
+
+  plugin "aws" {
+    enabled = true
+  }
+  ```
+
+- modules (`attrsOf moduleType`): Optional.
+  Path to [Terraform][TERRAFORM] modules to lint.
+  Defaults to `{ }`.
+
+Custom Types:
+
+- moduleType (`submodule`):
+    - src (`str`):
+      Path to the [Terraform][TERRAFORM] module.
+    - version (`str`):
+      [Terraform][TERRAFORM] version your module is built with.
+
+Required environment variables:
+
+- If your [Terraform][TERRAFORM] module uses the AWS provider:
+    - `AWS_ACCESS_KEY_ID`
+    - `AWS_SECRET_ACCESS_KEY`
+    - `AWS_DEFAULT_REGION`
+    - `AWS_SESSION_TOKEN`: Required only if the AWS credentials are temporary.
+
+Example `makes.nix`:
+
+```nix
+{
+  lintTerraform = {
+    enable = true;
+    modules = {
+      module1 = {
+        src = "/my/module1";
+        version = "0.12";
+      };
+      module2 = {
+        src = "/my/module2";
+        version = "0.16";
+      };
+    };
+  };
+}
+```
+
+Example invocation: `$ m . /lintTerraform`
+
 ### lintWithLizard
 
 Using [Lizard][LIZARD] to check
@@ -883,9 +948,9 @@ Custom Types:
 
 Required environment variables:
 
-- CI_REGISTRY_USER and CI_REGISTRY_PASSWORD, when deploying to GitLab.
-- DOCKER_HUB_USER and DOCKER_HUB_PASS, when deploying to Docker Hub.
-- GITHUB_ACTOR and GITHUB_TOKEN, when deploying to Github Container Registry.
+- `CI_REGISTRY_USER` and `CI_REGISTRY_PASSWORD`, when deploying to GitLab.
+- `DOCKER_HUB_USER` and `DOCKER_HUB_PASS`, when deploying to Docker Hub.
+- `GITHUB_ACTOR` and `GITHUB_TOKEN`, when deploying to Github Container Registry.
 
 Example `makes.nix`:
 
@@ -1598,6 +1663,9 @@ $ m . /example
 - [TERRAFORM_FMT]: https://www.terraform.io/docs/cli/commands/fmt.html
   [Terraform FMT][TERRAFORM_FMT]
 
+- [TFLINT]: https://github.com/terraform-linters/tflint
+  [TFLint][TFLINT]
+
 - [TRAVIS_CI]: https://travis-ci.org/
   [Travis CI][TRAVIS_CI]
 

makes.nix

@@ -86,6 +86,15 @@
       };
     };
   };
+  lintTerraform = {
+    enable = true;
+    modules = {
+      module = {
+        src = "/test/lintTerraform/module";
+        version = "0.13";
+      };
+    };
+  };
   lintWithLizard = {
     enable = true;
     targets = [ "/" ];

src/args/default.nix

@@ -21,6 +21,7 @@ let
     formatTerraform = import ./format-terraform args;
     getAttr = import ./get-attr/default.nix;
     inherit inputs;
+    lintTerraform = import ./lint-terraform/default.nix args;
     makeContainerImage = import ./make-container-image/default.nix args;
     makeDerivation = import ./make-derivation/default.nix args;
     makeDerivationParallel = import ./make-derivation-parallel/default.nix args;
@@ -29,13 +30,15 @@ let
     makeScript = import ./make-script/default.nix args;
     makeScriptParallel = import ./make-script-parallel/default.nix args;
     makeSearchPaths = import ./make-search-paths/default.nix args;
+    makeTerraformEnvironment = import ./make-terraform-environment/default.nix args;
     inherit makesVersion;
     makeTemplate = import ./make-template/default.nix args;
     inherit outputs;
     path = path: head + path;
     pathImpure = path: headImpure + path;
     sortAscii = builtins.sort (a: b: a < b);
     sortAsciiCaseless = builtins.sort (a: b: lib.toLower a < lib.toLower b);
+    toDerivationName = lib.strings.sanitizeDerivationName;
     toFileJson = import ./to-file-json/default.nix args;
     toFileLst = import ./to-file-lst/default.nix;
   };

src/args/lint-terraform/default.nix

@@ -0,0 +1,29 @@
+{ __nixpkgs__
+, makeScript
+, makeTerraformEnvironment
+, ...
+}:
+{ config
+, name
+, version
+, src
+, ...
+}:
+makeScript {
+  entrypoint = ./entrypoint.sh;
+  replace = {
+    __argConfig__ = config;
+    __argSrc__ = src;
+  };
+  name = "lint-terraform-for-${name}";
+  searchPaths = {
+    bin = [
+      __nixpkgs__.tflint
+    ];
+    source = [
+      (makeTerraformEnvironment {
+        inherit version;
+      })
+    ];
+  };
+}

src/args/lint-terraform/entrypoint.sh

@@ -0,0 +1,12 @@
+# shellcheck shell=bash
+
+function main {
+  cd "$(mktemp -d)" \
+    && copy '__argSrc__' . \
+    && info Initializing '__argSrc__' \
+    && terraform init \
+    && info Linting '__argSrc__' \
+    && tflint -c '__argConfig__' .
+}
+
+main "${@}"

src/args/make-terraform-environment/builder.sh

@@ -0,0 +1,27 @@
+# shellcheck shell=bash
+
+function main {
+  local pip=(python -m pip --cache-dir .)
+
+  info Creating virtualenv \
+    && python -m venv "${out}" \
+    && info Activating virtualenv \
+    && source "${out}/bin/activate" \
+    && info Installing \
+    && HOME=. "${pip[@]}" install --requirement "${envRequirementsFile}" \
+    && info Freezing \
+    && HOME=. "${pip[@]}" freeze | sort --ignore-case > "${out}/installed" \
+    && sed -E 's|^(.*)\[.*?\](.*)$|\1\2|g' "${envRequirementsFile}" > "${out}/desired" \
+    && if test "$(cat "${out}/desired")" = "$(cat "${out}/installed")"; then
+      info Integrity check passed
+    else
+      info Integrity check failed \
+        && info You need to specify all dependencies: \
+        && git --no-pager diff --no-index "${out}/desired" "${out}/installed" \
+        && error Stopping due to failed integrity check
+    fi \
+    && rm -f "${out}/desired" \
+    && rm -f "${out}/installed"
+}
+
+main "${@}"

src/args/make-terraform-environment/default.nix

@@ -0,0 +1,18 @@
+{ __nixpkgs__
+, makeSearchPaths
+, ...
+}:
+{ version
+}:
+let
+  terraform = {
+    "0.12" = __nixpkgs__.terraform_0_12;
+    "0.13" = __nixpkgs__.terraform_0_13;
+    "0.14" = __nixpkgs__.terraform_0_14;
+    "0.15" = __nixpkgs__.terraform_0_15;
+    "0.16" = __nixpkgs__.terraform_0_16;
+  }.${version};
+in
+makeSearchPaths {
+  bin = [ terraform ];
+}

src/evaluator/modules/outputs/builtins/default.nix

@@ -14,6 +14,7 @@ args:
     (import ./lint-markdown/default.nix args)
     (import ./lint-nix/default.nix args)
     (import ./lint-python/default.nix args)
+    (import ./lint-terraform/default.nix args)
     (import ./lint-with-lizard/default.nix args)
   ];
 }

src/evaluator/modules/outputs/builtins/lint-terraform/default.nix

@@ -0,0 +1,69 @@
+{ __nixpkgs__
+, lintTerraform
+, path
+, ...
+}:
+{ config
+, lib
+, ...
+}:
+let
+  makeModule = name: { src, version }: {
+    name = "/lintTerraform/${name}";
+    value = lintTerraform {
+      config = builtins.toFile "tflint.hcl" config.lintTerraform.config;
+      inherit name;
+      src = path src;
+      inherit version;
+    };
+  };
+in
+{
+  options = {
+    lintTerraform = {
+      enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+      };
+      config = lib.mkOption {
+        default = ''
+          config {
+            module = true
+          }
+          plugin "aws" {
+            enabled = true
+          }
+        '';
+        type = lib.types.lines;
+      };
+      modules = lib.mkOption {
+        default = { };
+        type = lib.types.attrsOf (lib.types.submodule (_: {
+          options = {
+            src = lib.mkOption {
+              type = lib.types.str;
+            };
+            version = lib.mkOption {
+              type = lib.types.enum [
+                "0.12"
+                "0.13"
+                "0.14"
+                "0.15"
+                "0.16"
+              ];
+            };
+          };
+        }));
+      };
+    };
+  };
+  config = {
+    outputs = lib.mkIf config.lintTerraform.enable
+      (builtins.foldl'
+        (all: one: all // { "${one.name}" = one.value; })
+        { }
+        (lib.attrsets.mapAttrsToList
+          makeModule
+          config.lintTerraform.modules));
+  };
+}