Add google_disabled_api rule (#75)

* Enable deep checking

* Add google_disabled_api rule

* Add documentation

* Fix rule name

Author: wata727

README.md

@@ -20,9 +20,11 @@ plugin "google" {
 }
 ```
 
+For more configuration about the plugin, see [Plugin Configuration](docs/configuration.md).
+
 ## Rules
 
-100+ rules are available. See the [documentation](docs/README.md).
+100+ rules are available. See the [documentation](docs/rules/README.md).
 
 ## Building the plugin
 

docs/configuration.md

@@ -0,0 +1,19 @@
+# Configuration
+
+This plugin can take advantage of additional features by configure the `plugin` block. Currently, this configuration is only available for [Deep Checking](deep_checking.md).
+
+Here's an example:
+
+```hcl
+plugin "google" {
+    enabled = true
+
+    deep_check = false
+}
+```
+
+## `deep_check`
+
+Default: false
+
+Enable [Deep Checking](deep_checking.md).

docs/deep_checking.md

@@ -0,0 +1,30 @@
+# Deep Checking
+
+Deep Checking uses your provider's credentials to perform a more strict inspection.
+
+For example, you can confirm that the API you are trying to use in the project is enabled. See also the [google_disabled_api](rules/google_disabled_api.md) rule.
+
+```console
+$ tflint
+1 issue(s) found:
+
+Error: Compute Engine API has not been used in foo-bar-baz before or it is disabled. (google_disabled_api)
+
+  on template.tf line 25:
+  25: resource "google_compute_network" "vpc_network" {
+
+```
+
+You can enable Deep Checking by changing the plugin configuration.
+
+```hcl
+plugin "google" {
+  enabled = true
+
+  deep_check = true
+}
+```
+
+## Credentials
+
+Currently, credentials, regions, etc. declared inside the "google" provider block are not considered except for the `project` attribute. You need to pass the credentials to TFLint using environment variables and so on.

docs/README.md renamed to docs/rules/README.md

@@ -20,6 +20,14 @@ These rules warn you if a machine type not listed at https://cloud.google.com/co
 
 ## Magic Modules Rules
 
-These are the rules that warn against invalid values generated from [Magic Modules](https://github.com/terraform-linters/magic-modules). These rules are defined under the [`rules/magicmodules`](../rules/magicmodules) directory.
+These are the rules that warn against invalid values generated from [Magic Modules](https://github.com/terraform-linters/magic-modules). These rules are defined under the [`rules/magicmodules`](../../rules/magicmodules) directory.
 
-See the [`tools`](../tools) directory for how to generate these rules.
+See the [`tools`](../../tools) directory for how to generate these rules.
+
+## Deep Checking Rules
+
+By enabling [Deep Checking](../deep_checking.md), you can enable rules that invoke API to perform more strict checking.
+
+|Name|Severity|Enabled|
+| --- | --- | --- |
+|google_disabled_api|ERROR|✔|

docs/rules/google_disabled_api.md

@@ -0,0 +1,46 @@
+# google_disabled_api
+
+Disallow to declare resources with disabled API.
+
+## Example
+
+```hcl
+resource "google_compute_network" "vpc_network" {
+  name                    = "terraform-network"
+  auto_create_subnetworks = "true"
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Error: Compute Engine API has not been used in foo-bar-baz before or it is disabled. (google_disabled_api)
+
+  on template.tf line 1:
+   1: resource "google_compute_network" "vpc_network" {
+
+```
+
+[Service Usage API](https://cloud.google.com/service-usage/docs/reference/rest) must be enabled in order to use this rule.
+
+## Why
+
+`terraform apply` will fail when the resources refer to disabled APIs.
+
+```
+$ terraform apply
+
+...
+
+Error: Error creating Network: googleapi: Error 403: Compute Engine API has not been used in project 1234567890 before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/compute.googleapis.com/overview?project=1234567890 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry., accessNotConfigured
+```
+
+Even more unfortunately, not all errors are returned. For example, if you have resources that depend on multiple disabled APIs, you will not see an error for the other APIs. This rule allows you to detect all disabled API errors in advance.
+
+## How to Fix
+
+Enable the API from the Cloud Console in your project or remove the resource.
+
+https://cloud.google.com/endpoints/docs/openapi/enable-api
+

go.mod

@@ -7,4 +7,5 @@ require (
 	github.com/hashicorp/hcl/v2 v2.9.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.4.4
 	github.com/terraform-linters/tflint-plugin-sdk v0.8.1
+	google.golang.org/api v0.40.0
 )

go.sum

@@ -0,0 +1,24 @@
+package google
+
+import (
+	"context"
+
+	"google.golang.org/api/serviceusage/v1"
+)
+
+// Client is a wrapper of the Google API client
+type Client struct {
+	ServiceUsage *serviceusage.Service
+}
+
+// NewClient returns a new Client
+func NewClient() (*Client, error) {
+	serviceusageClient, err := serviceusage.NewService(context.TODO())
+	if err != nil {
+		return nil, err
+	}
+
+	return &Client{
+		ServiceUsage: serviceusageClient,
+	}, nil
+}

google/client.go

@@ -0,0 +1,10 @@
+package google
+
+import "github.com/hashicorp/hcl/v2"
+
+// Config is the configuration for the ruleset.
+type Config struct {
+	DeepCheck bool `hcl:"deep_check,optional"`
+
+	Remain hcl.Body `hcl:",remain"`
+}

google/config.go

@@ -0,0 +1,98 @@
+package google
+
+import (
+	"os"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/terraform/configs"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// GoogleProviderBlockSchema is a schema of `google` provider block
+var GoogleProviderBlockSchema = &hcl.BodySchema{
+	Attributes: []hcl.AttributeSchema{
+		{Name: "project"},
+	},
+}
+
+// ProviderData represents a provider block with an eval context (runner)
+type ProviderData struct {
+	provider   *configs.Provider
+	runner     tflint.Runner
+	attributes hcl.Attributes
+	blocks     hcl.Blocks
+}
+
+// GetProject retrieves project_id from the "provider" block in the Terraform configuration and environment variables
+func GetProject(runner tflint.Runner) (string, error) {
+	provider, err := runner.RootProvider("google")
+	if err != nil {
+		return "", err
+	}
+	if provider == nil {
+		return getProjectFromEnv(), nil
+	}
+
+	d, err := newProviderData(provider, runner)
+	if err != nil {
+		return "", err
+	}
+
+	project, exists, err := d.Get("project")
+	if exists {
+		return project, err
+	}
+
+	return getProjectFromEnv(), nil
+}
+
+func getProjectFromEnv() string {
+	envs := []string{"GOOGLE_PROJECT", "GOOGLE_CLOUD_PROJECT", "GCLOUD_PROJECT", "CLOUDSDK_CORE_PROJECT"}
+	for _, env := range envs {
+		if project := os.Getenv(env); project != "" {
+			return project
+		}
+	}
+	return ""
+}
+
+func newProviderData(provider *configs.Provider, runner tflint.Runner) (*ProviderData, error) {
+	providerData := &ProviderData{
+		provider:   provider,
+		runner:     runner,
+		attributes: map[string]*hcl.Attribute{},
+		blocks:     []*hcl.Block{},
+	}
+
+	if provider != nil {
+		content, _, diags := provider.Config.PartialContent(GoogleProviderBlockSchema)
+		if diags.HasErrors() {
+			return nil, diags
+		}
+
+		providerData.attributes = content.Attributes
+		providerData.blocks = content.Blocks
+	}
+
+	return providerData, nil
+}
+
+// Get returns a value corresponding to the given key
+// It should be noted that the value is evaluated if it is evaluable
+// The second return value is a flag that determines whether a value exists
+// We assume the provider has only simple attributes, so it just returns string
+func (d *ProviderData) Get(key string) (string, bool, error) {
+	attribute, exists := d.attributes[key]
+	if !exists {
+		return "", false, nil
+	}
+
+	var val string
+	err := d.runner.EvaluateExprOnRootCtx(attribute.Expr, &val, nil)
+
+	err = d.runner.EnsureNoError(err, func() error { return nil })
+	if err != nil {
+		return "", true, err
+	}
+	return val, true, nil
+}

google/provider.go

@@ -0,0 +1,71 @@
+package google
+
+import (
+	"fmt"
+
+	"github.com/hashicorp/hcl/v2/gohcl"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// RuleSet is the custom ruleset for the Google provider plugin.
+type RuleSet struct {
+	tflint.BuiltinRuleSet
+	APIRules []tflint.Rule
+	config   *Config
+}
+
+// RuleNames is a list of rule names provided by the plugin.
+func (r *RuleSet) RuleNames() []string {
+	names := []string{}
+	for _, rule := range r.Rules {
+		names = append(names, rule.Name())
+	}
+	for _, rule := range r.APIRules {
+		names = append(names, rule.Name())
+	}
+	return names
+}
+
+// ApplyConfig reflects the plugin configuration to the ruleset.
+func (r *RuleSet) ApplyConfig(config *tflint.Config) error {
+	r.ApplyCommonConfig(config)
+
+	// Apply "plugin" block config
+	cfg := Config{}
+	diags := gohcl.DecodeBody(config.Body, nil, &cfg)
+	if diags.HasErrors() {
+		return diags
+	}
+	r.config = &cfg
+
+	// Apply config for API rules
+	for _, rule := range r.APIRules {
+		enabled := rule.Enabled()
+		if cfg := config.Rules[rule.Name()]; cfg != nil {
+			enabled = cfg.Enabled
+		} else if config.DisabledByDefault {
+			enabled = false
+		}
+
+		if cfg.DeepCheck && enabled {
+			r.EnabledRules = append(r.EnabledRules, rule)
+		}
+	}
+
+	return nil
+}
+
+// Check runs inspections for each rule with the custom Google runner.
+func (r *RuleSet) Check(rr tflint.Runner) error {
+	runner, err := NewRunner(rr, r.config)
+	if err != nil {
+		return err
+	}
+
+	for _, rule := range r.EnabledRules {
+		if err := rule.Check(runner); err != nil {
+			return fmt.Errorf("Failed to check `%s` rule: %s", rule.Name(), err)
+		}
+	}
+	return nil
+}

google/ruleset.go

@@ -0,0 +1,43 @@
+package google
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+)
+
+// Runner is a wrapper of RPC client for inserting custom actions for Google provider.
+type Runner struct {
+	tflint.Runner
+	Client  *Client
+	Project string
+}
+
+// NewRunner returns a custom Google runner.
+func NewRunner(runner tflint.Runner, config *Config) (*Runner, error) {
+	var client *Client
+	var project string
+	var err error
+	if config.DeepCheck {
+		client, err = NewClient()
+		if err != nil {
+			return nil, err
+		}
+
+		project, err = GetProject(runner)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return &Runner{
+		Runner:  runner,
+		Client:  client,
+		Project: project,
+	}, nil
+}
+
+// ParentProject returns a part of the API path about the parent project
+func (r *Runner) ParentProject() string {
+	return fmt.Sprintf("projects/%s", r.Project)
+}