add --tag command line option to limit rules checked

stelligent · Mar 7, 2018 · b3fe2df · b3fe2df
1 parent 32228c1
commit b3fe2df
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 5 deletions.
diff --git a/app.go b/app.go
@@ -84,6 +84,7 @@ type Rule struct {
 	Severity string
 	Resource string
 	Filters  []Filter
+	Tags     []string
 }
 
 type Rules struct {
@@ -226,9 +227,30 @@ type ValidationResult struct {
 	Message    string
 }
 
-func validateTerraformResources(resources []TerraformResource, ruleData Rules, log LoggingFunction) []ValidationResult {
+func listsIntersect(list1 []string, list2 []string) bool {
+	for _, a := range list1 {
+		for _, b := range list2 {
+			if a == b {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func filterRulesByTag(rules []Rule, tags []string) []Rule {
+	filteredRules := make([]Rule, 0)
+	for _, rule := range rules {
+		if tags == nil || listsIntersect(tags, rule.Tags) {
+			filteredRules = append(filteredRules, rule)
+		}
+	}
+	return filteredRules
+}
+
+func validateTerraformResources(resources []TerraformResource, ruleData Rules, tags []string, log LoggingFunction) []ValidationResult {
 	results := make([]ValidationResult, 0)
-	for _, rule := range ruleData.Rules {
+	for _, rule := range filterRulesByTag(ruleData.Rules, tags) {
 		log(fmt.Sprintf("Rule %s: %s", rule.Id, rule.Message))
 		for _, filter := range rule.Filters {
 			for _, resource := range resources {
@@ -263,30 +285,38 @@ func printResults(results []ValidationResult) {
 	}
 }
 
-func terraform(filename string, log LoggingFunction) {
+func terraform(filename string, tags []string, log LoggingFunction) {
 	hclTemplate, err := ioutil.ReadFile(filename)
 	if err != nil {
 		panic(err)
 	}
 	resources := loadTerraformResources(loadHCL(string(hclTemplate), log))
 	rules := MustParseRules(loadTerraformRules())
 
-	results := validateTerraformResources(resources, rules, log)
+	results := validateTerraformResources(resources, rules, tags, log)
 	printResults(results)
 }
 
+func makeTagList(tags string) []string {
+	if tags == "" {
+		return nil
+	}
+	return strings.Split(tags, ",")
+}
+
 func main() {
 	parseCloudFormation := flag.Bool("cloudformation", false, "Validate CloudFormation template")
 	parseTerraform := flag.Bool("terraform", false, "Validate Terraform template")
 	verboseLogging := flag.Bool("verbose", false, "Verbose logging")
+	tags := flag.String("tags", "", "Run only tests with tags in this comma separated list")
 	flag.Parse()
 
 	for _, filename := range flag.Args() {
 		if *parseCloudFormation {
 			cloudFormation(filename, makeLogger(*verboseLogging))
 		}
 		if *parseTerraform {
-			terraform(filename, makeLogger(*verboseLogging))
+			terraform(filename, makeTagList(*tags), makeLogger(*verboseLogging))
 		}
 	}
 }
diff --git a/rules/terraform.yml b/rules/terraform.yml
@@ -8,6 +8,8 @@ Rules:
         op: in
         value: t2.micro,m3.medium
     severity: WARNING
+    tags:
+      - ec2
   - id: R2
     message: Not an approved AMI
     resource: aws_instance
@@ -17,6 +19,8 @@ Rules:
         op: in
         value: ami-f2d3638a
     severity: FAILURE
+    tags:
+      - ec2
   - id: R3
     message: Department tag is not valid
     resource: aws_instance
@@ -26,6 +30,8 @@ Rules:
         op: in
         value: Operations,Sales,Marketing,Engineering
     severity: WARNING
+    tags:
+      - ec2
   - id: R4
     message: Role name should start with 'role'
     resource: aws_iam_role