Merge pull request #14549 from terraform-providers/documentation-ftlint

Adds tflint validation to Terraform in documentation

.actrc

@@ -0,0 +1,2 @@
+# Needed for testing our workflows
+-P ubuntu-latest=nektos/act-environments-ubuntu:18.04

.github/workflows/README.md

@@ -17,8 +17,4 @@ steps:
 
 The tool [`act`](https://github.com/nektos/act) can be used to test GitHub workflows locally. The default container [intentionally does not have feature parity](https://github.com/nektos/act#default-runners-are-intentionally-incomplete) with the containers used in GitHub due to the size of a full container.
 
-A fully-featured container can be used by specifying a different container.
-
-```console
-act -P ubuntu-latest=nektos/act-environments-ubuntu:18.04
-```
+The file `./actrc` configures `act` to use a fully-featured container.

.github/workflows/website.yml

@@ -17,6 +17,7 @@ on:
 env:
   GO_VERSION: "1.14"
   GO111MODULE: on
+  TFLINT_VERSION: "v0.18.0"
 
 jobs:
   markdown-link-check:
@@ -76,3 +77,68 @@ jobs:
           key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
       - run: go install github.com/katbyte/terrafmt
       - run: terrafmt diff ./website --check --pattern '*.markdown' --quiet
+  validate-terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-go@v2
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/cache@v2
+        continue-on-error: true
+        timeout-minutes: 2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-pkg-mod-${{ hashFiles('go.sum') }}
+      - run: |
+          # go get github.com/katbyte/terrafmt
+          git clone --branch json-output --single-branch https://github.com/gdavison/terrafmt terrafmt
+          cd terrafmt
+          go install
+      - run: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | sh
+      - run: |
+          exit_code=0
+
+          # Configure the rules for tflint.
+          # The *_invalid_* rules disabled here prevent evaluation of expressions.
+          # Do not disable *_invalid_name rules, since these are good checks for e.g. "%s" formatting verbs
+          # being carried over from test cases.
+          shared_rules=(
+              "--enable-rule=terraform_comment_syntax"
+              "--disable-rule=aws_cloudwatch_event_target_invalid_arn"
+              "--disable-rule=aws_cognito_user_pool_domain_invalid_domain"
+              "--disable-rule=aws_db_instance_default_parameter_group"
+              "--disable-rule=aws_elasticache_cluster_default_parameter_group"
+              "--disable-rule=aws_iam_saml_provider_invalid_saml_metadata_document"
+              "--disable-rule=aws_iam_server_certificate_invalid_certificate_body"
+              "--disable-rule=aws_iam_server_certificate_invalid_private_key"
+              "--disable-rule=aws_transfer_ssh_key_invalid_body"
+              "--disable-rule=aws_worklink_website_certificate_authority_association_invalid_certificate"
+          )
+          find ./website/docs -type f \( -name '*.md' -o -name '*.markdown' \) \
+            | sort -u \
+            | while read -r filename ; do
+            rules=("${shared_rules[@]}")
+            if [[ "$filename" == "./website/docs/guides/version-2-upgrade.html.md" ]]; then
+                # ./website/docs/guides/version-2-upgrade.html.md should still include pre-0.12 syntax,
+                # since v1.0 does not support Terraform 0.12.
+                rules+=(
+                "--disable-rule=terraform_deprecated_interpolation"
+                "--disable-rule=terraform_deprecated_index"
+                )
+            else
+                rules+=(
+                "--enable-rule=terraform_deprecated_interpolation"
+                "--enable-rule=terraform_deprecated_index"
+                )
+            fi
+            # echo "Let's go with $filename..."
+            # We need to capture the output and error code here. We don't want to exit on the first error
+            set +e
+            ./scripts/validate-terraform-file.sh "$filename" "${rules[@]}"
+            lint_exitcode=$?
+            set -e
+            if [ $lint_exitcode -ne 0 ]; then exit_code=1; fi
+          done
+
+          exit $exit_code

scripts/validate-terraform-file.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+# This script accepts the filename and an array of options for tflint.
+# To call it, e.g.
+# rules=(
+#   "--enable-rule=terraform_deprecated_interpolation"
+#   "--enable-rule=terraform_deprecated_index"
+# )
+# ./scripts/validate-terraform-file.sh "$filename"  "${rules[@]}"
+
+filename=$1
+shift
+rules=( "$@" )
+
+exit_code=0
+
+block_number=0
+
+while IFS= read -r block ; do
+    ((block_number+=1))
+    start_line=$(echo "$block" | jq '.start_line')
+    end_line=$(echo "$block" | jq '.end_line')
+    text=$(echo "$block" | jq --raw-output '.text')
+
+    td=$(mktemp -d)
+    tf="$td/main.tf"
+
+    echo "$text" > "$tf"
+
+    # We need to capture the output and error code here. We don't want to exit on the first error
+    set +e
+    tflint_output=$(tflint "${rules[@]}" "$tf" 2>&1)
+    tflint_exitcode=$?
+    set -e
+
+    if [ $tflint_exitcode -ne 0 ]; then
+        echo "ERROR: File \"$filename\", block #$block_number (lines $start_line-$end_line):"
+        echo "$tflint_output"
+        echo
+        exit_code=1
+    fi
+done < <( terrafmt blocks --json "$filename" | jq --compact-output '.blocks[]?' )
+
+exit $exit_code

website/docs/d/acm_certificate.html.markdown

@@ -16,20 +16,20 @@ it by domain without having to hard code the ARNs as input.
 
 ```hcl
 # Find a certificate that is issued
-data "aws_acm_certificate" "example" {
+data "aws_acm_certificate" "issued" {
   domain   = "tf.example.com"
   statuses = ["ISSUED"]
 }
 
 # Find a certificate issued by (not imported into) ACM
-data "aws_acm_certificate" "example" {
+data "aws_acm_certificate" "amazon_issued" {
   domain      = "tf.example.com"
   types       = ["AMAZON_ISSUED"]
   most_recent = true
 }
 
 # Find a RSA 4096 bit certificate
-data "aws_acm_certificate" "example" {
+data "aws_acm_certificate" "rsa_4096" {
   domain    = "tf.example.com"
   key_types = ["RSA_4096"]
 }

website/docs/d/cloudformation_export.html.markdown

@@ -22,7 +22,7 @@ data "aws_cloudformation_export" "subnet_id" {
 
 resource "aws_instance" "web" {
   ami           = "ami-abb07bcb"
-  instance_type = "t1.micro"
+  instance_type = "t2.micro"
   subnet_id     = data.aws_cloudformation_export.subnet_id.value
 }
 ```

website/docs/d/cloudformation_stack.html.markdown

@@ -20,7 +20,7 @@ data "aws_cloudformation_stack" "network" {
 
 resource "aws_instance" "web" {
   ami           = "ami-abb07bcb"
-  instance_type = "t1.micro"
+  instance_type = "t2.micro"
   subnet_id     = data.aws_cloudformation_stack.network.outputs["SubnetId"]
 
   tags = {

website/docs/d/ec2_instance_type_offering.html.markdown

@@ -16,10 +16,10 @@ Information about single EC2 Instance Type Offering.
 data "aws_ec2_instance_type_offering" "example" {
   filter {
     name   = "instance-type"
-    values = ["t1.micro", "t2.micro", "t3.micro"]
+    values = ["t2.micro", "t3.micro"]
   }
 
-  preferred_instance_types = ["t3.micro", "t2.micro", "t1.micro"]
+  preferred_instance_types = ["t3.micro", "t2.micro"]
 }
 ```
 

website/docs/d/kms_key.html.markdown

@@ -16,19 +16,19 @@ without having to hard code the ARN as input.
 ## Example Usage
 
 ```hcl
-data "aws_kms_key" "foo" {
+data "aws_kms_key" "by_alias" {
   key_id = "alias/my-key"
 }
 
-data "aws_kms_key" "foo" {
+data "aws_kms_key" "by_id" {
   key_id = "1234abcd-12ab-34cd-56ef-1234567890ab"
 }
 
-data "aws_kms_key" "foo" {
+data "aws_kms_key" "by_alias_arn" {
   key_id = "arn:aws:kms:us-east-1:111122223333:alias/my-key"
 }
 
-data "aws_kms_key" "foo" {
+data "aws_kms_key" "by_key_arn" {
   key_id = "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab"
 }
 ```

website/docs/d/workspaces_bundle.html.markdown

@@ -13,11 +13,11 @@ Retrieve information about an AWS WorkSpaces bundle.
 ## Example Usage
 
 ```hcl
-data "aws_workspaces_bundle" "example" {
+data "aws_workspaces_bundle" "by_id" {
   bundle_id = "wsb-b0s22j3d7"
 }
 
-data "aws_workspaces_bundle" "example" {
+data "aws_workspaces_bundle" "by_owner_and_name" {
   owner = "AMAZON"
   name  = "Value with Windows 10 and Office 2016"
 }

website/docs/r/appsync_function.html.markdown

@@ -13,9 +13,9 @@ Provides an AppSync Function.
 ## Example Usage
 
 ```hcl
-resource "aws_appsync_graphql_api" "test" {
+resource "aws_appsync_graphql_api" "example" {
   authentication_type = "API_KEY"
-  name                = "tf-example"
+  name                = "example"
   schema              = <<EOF
 type Mutation {
   putPost(id: ID!, title: String!): Post
@@ -37,20 +37,20 @@ schema {
 EOF
 }
 
-resource "aws_appsync_datasource" "test" {
-  api_id = aws_appsync_graphql_api.test.id
-  name   = "tf-example"
+resource "aws_appsync_datasource" "example" {
+  api_id = aws_appsync_graphql_api.example.id
+  name   = "example"
   type   = "HTTP"
 
   http_config {
     endpoint = "http://example.com"
   }
 }
 
-resource "aws_appsync_function" "test" {
-  api_id                   = aws_appsync_graphql_api.test.id
-  data_source              = aws_appsync_datasource.test.name
-  name                     = "tf_example"
+resource "aws_appsync_function" "example" {
+  api_id                   = aws_appsync_graphql_api.example.id
+  data_source              = aws_appsync_datasource.example.name
+  name                     = "example"
   request_mapping_template = <<EOF
 {
     "version": "2018-05-29",

website/docs/r/autoscaling_policy.html.markdown

@@ -61,16 +61,20 @@ The following arguments are only available to "StepScaling" type policies:
 group scaling. These have the following structure:
 
 ```hcl
-step_adjustment {
-  scaling_adjustment          = -1
-  metric_interval_lower_bound = 1.0
-  metric_interval_upper_bound = 2.0
-}
+resource "aws_autoscaling_policy" "example" {
+  # ... other configuration ...
+
+  step_adjustment {
+    scaling_adjustment          = -1
+    metric_interval_lower_bound = 1.0
+    metric_interval_upper_bound = 2.0
+  }
 
-step_adjustment {
-  scaling_adjustment          = 1
-  metric_interval_lower_bound = 2.0
-  metric_interval_upper_bound = 3.0
+  step_adjustment {
+    scaling_adjustment          = 1
+    metric_interval_lower_bound = 2.0
+    metric_interval_upper_bound = 3.0
+  }
 }
 ```
 
@@ -92,27 +96,31 @@ The following arguments are only available to "TargetTrackingScaling" type polic
 * `target_tracking_configuration` - (Optional) A target tracking policy. These have the following structure:
 
 ```hcl
-target_tracking_configuration {
-  predefined_metric_specification {
-    predefined_metric_type = "ASGAverageCPUUtilization"
+resource "aws_autoscaling_policy" "example" {
+  # ... other configuration ...
+
+  target_tracking_configuration {
+    predefined_metric_specification {
+      predefined_metric_type = "ASGAverageCPUUtilization"
+    }
+
+    target_value = 40.0
   }
 
-  target_value = 40.0
-}
+  target_tracking_configuration {
+    customized_metric_specification {
+      metric_dimension {
+        name  = "fuga"
+        value = "fuga"
+      }
 
-target_tracking_configuration {
-  customized_metric_specification {
-    metric_dimension {
-      name  = "fuga"
-      value = "fuga"
+      metric_name = "hoge"
+      namespace   = "hoge"
+      statistic   = "Average"
     }
 
-    metric_name = "hoge"
-    namespace   = "hoge"
-    statistic   = "Average"
+    target_value = 40.0
   }
-
-  target_value = 40.0
 }
 ```
 

website/docs/r/cloudfront_origin_access_identity.html.markdown

@@ -56,8 +56,14 @@ The below snippet demonstrates use with the `s3_origin_config` structure for the
 [`aws_cloudfront_distribution`][3] resource:
 
 ```hcl
-s3_origin_config {
-  origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
+resource "aws_cloudfront_distribution" "example" {
+  # ... other configuration ...
+
+  origin {
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.example.cloudfront_access_identity_path
+    }
+  }
 }
 ```
 

website/docs/r/cognito_identity_pool.markdown

@@ -15,7 +15,7 @@ Provides an AWS Cognito Identity Pool.
 ```hcl
 resource "aws_iam_saml_provider" "default" {
   name                   = "my-saml-provider"
-  saml_metadata_document = "${file("saml-metadata.xml")}"
+  saml_metadata_document = file("saml-metadata.xml")
 }
 
 resource "aws_cognito_identity_pool" "main" {
@@ -39,8 +39,8 @@ resource "aws_cognito_identity_pool" "main" {
     "accounts.google.com" = "123456789012.apps.googleusercontent.com"
   }
 
-  saml_provider_arns           = ["${aws_iam_saml_provider.default.arn}"]
-  openid_connect_provider_arns = ["arn:aws:iam::123456789012:oidc-provider/foo.example.com"]
+  saml_provider_arns           = [aws_iam_saml_provider.default.arn]
+  openid_connect_provider_arns = ["arn:aws:iam::123456789012:oidc-provider/id.example.com"]
 }
 ```