docker: add terraform validation

`validate` command enables:
- terraform validate
- terraform fmt
- tflint
- tfsec

docker/Dockerfile

@@ -46,12 +46,22 @@ RUN /usr/src/install-scripts/packer.sh --version="1.6.5" --sha="a49f6408a50c220f
 
 # Install tflint
 COPY install-scripts/tflint.sh /usr/src/install-scripts/tflint.sh
-RUN /usr/src/install-scripts/tflint.sh --version="v0.21.0" --sha="f80a85dbe88d39231faef5ad10f3a2ecccca70496476ebbc608a78bfabcaa904"
+RUN /usr/src/install-scripts/tflint.sh --version="v0.24.1" --sha="2dbe3b423f5d3e0bb458d51761c97d51a4fd6c3d7bd1efd87c4aa3dc5199e7b2" --user="${USER}"
+COPY config/.tflint.hcl /home/${USER}/.tflint.d/.tflint.hcl
+
+# Install tflint ruleset
+COPY install-scripts/tflint-ruleset.sh /usr/src/install-scripts/tflint-ruleset.sh
+RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="azurerm" --version="v0.8.2" --sha="4ef97bbc847bde194401c3206eb127fffaf4ce430127e0408878a8a833242a30" --user="${USER}" --group="${GROUP}"
+RUN /usr/src/install-scripts/tflint-ruleset.sh --ruleset="aws" --version="v0.2.1" --sha="ec2a992a8413227e2321d985b62cde34bc34287599894f966b0fc8904aba0d8a" --user="${USER}" --group="${GROUP}"
 
 # Install terraform (tfenv)
 COPY install-scripts/tfenv.sh /usr/src/install-scripts/tfenv.sh
 RUN /usr/src/install-scripts/tfenv.sh --latest-terraform-version="0.14.7" --tfenv-version="v2.2.0" --user="${USER}" --group="${GROUP}"
 
+# Install tfsec
+COPY install-scripts/tfsec.sh /usr/src/install-scripts/tfsec.sh
+RUN /usr/src/install-scripts/tfsec.sh --version="v0.39.5" --sha="60e52ef9a2b2eb5aebf74fbebfbaf0d30fa107816a8bbc2759cfe5d5c2a9021d"
+
 # Install Open Policy Agent
 COPY install-scripts/opa.sh /usr/src/install-scripts/opa.sh
 RUN /usr/src/install-scripts/opa.sh --version="v0.24.0" --sha="e40bde4cca8a5819518e3c35862bc5b6c388bc2904d412227059af29170f79e9"

docker/config/.tflint.hcl

@@ -0,0 +1,65 @@
+config {
+  module = false
+  force = false
+  disabled_by_default = false
+}
+
+plugin "azurerm" {
+    enabled = true
+}
+
+plugin "aws" {
+    enabled = true
+}
+
+rule "terraform_deprecated_interpolation" {
+  enabled = true
+}
+
+rule "terraform_deprecated_index" {
+  enabled = true
+}
+
+rule "terraform_unused_declarations" {
+  enabled = true
+}
+
+rule "terraform_comment_syntax" {
+  enabled = true
+}
+
+rule "terraform_documented_outputs" {
+  enabled = true
+}
+
+rule "terraform_documented_variables" {
+  enabled = true
+}
+
+rule "terraform_typed_variables" {
+  enabled = true
+}
+
+rule "terraform_module_pinned_source" {
+  enabled = true
+}
+
+rule "terraform_naming_convention" {
+  enabled = true
+}
+
+rule "terraform_required_version" {
+  enabled = true
+}
+
+rule "terraform_required_providers" {
+  enabled = true
+}
+
+rule "terraform_standard_module_structure" {
+  enabled = true
+}
+
+rule "terraform_workspace_remote" {
+  enabled = true
+}

docker/install-scripts/tflint-ruleset.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+set -e
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --ruleset=*)
+      RULESET="${1#*=}"
+      ;;
+    --version=*)
+      VERSION="${1#*=}"
+      ;;
+    --sha=*)
+      SHA="${1#*=}"
+      ;;
+    --user=*)
+      USER="${1#*=}"
+      ;;
+    --group=*)
+      GROUP="${1#*=}"
+      ;;
+    *)
+      echo "Error: Invalid argument."
+      exit 1
+  esac
+  shift
+done
+
+wget https://github.com/terraform-linters/tflint-ruleset-${RULESET}/releases/download/${VERSION}/tflint-ruleset-${RULESET}_linux_amd64.zip
+
+DOWNLOAD_SHA=$(openssl sha1 -sha256 tflint-ruleset-${RULESET}_linux_amd64.zip | awk '{print $2}')
+if [[ "${SHA}" != "${DOWNLOAD_SHA}" ]]; then
+    echo "Downloaded checksum (${DOWNLOAD_SHA}) does not match expected value: ${SHA}"
+    exit 1
+fi
+
+unzip tflint-ruleset-${RULESET}_linux_amd64.zip
+rm tflint-ruleset-${RULESET}_linux_amd64.zip
+mkdir -p /home/${USER}/.tflint.d/plugins/
+mv tflint-ruleset-${RULESET} /home/${USER}/.tflint.d/plugins/tflint-ruleset-${RULESET}
+chown -R ${USER}:${GROUP} /home/${USER}/.tflint.d

docker/install-scripts/tflint.sh

@@ -9,6 +9,9 @@ while [ $# -gt 0 ]; do
     --sha=*)
       SHA="${1#*=}"
       ;;
+    --user=*)
+      USER="${1#*=}"
+      ;;
     *)
       echo "Error: Invalid argument."
       exit 1
@@ -27,3 +30,4 @@ fi
 unzip tflint_linux_amd64.zip
 rm tflint_linux_amd64.zip
 mv tflint /usr/local/bin/tflint
+mkdir -p /home/${USER}/.tflint.d

docker/install-scripts/tfsec.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --version=*)
+      VERSION="${1#*=}"
+      ;;
+    --sha=*)
+      SHA="${1#*=}"
+      ;;
+    *)
+      echo "Error: Invalid argument."
+      exit 1
+  esac
+  shift
+done
+
+
+wget https://github.com/tfsec/tfsec/releases/download/${VERSION}/tfsec-linux-amd64
+
+DOWNLOAD_SHA=$(openssl sha1 -sha256 tfsec-linux-amd64 | awk '{print $2}')
+if [[ "${SHA}" != "${DOWNLOAD_SHA}" ]]; then
+    echo "Downloaded checksum (${DOWNLOAD_SHA}) does not match expected value: ${SHA}"
+    exit 1
+fi
+
+chmod +x tfsec-linux-amd64
+mv tfsec-linux-amd64 /usr/local/bin/tfsec

docker/terraform.sh

@@ -150,7 +150,15 @@ state_remove () {
   fi
 }
 
-
+validate () {
+  terraform init -input=false -backend-config="key=${BACKEND_KEY}" -backend-config="resource_group_name=${BACKEND_RG}" -backend-config="storage_account_name=${BACKEND_NAME}" -backend-config="container_name=${CONTAINER_NAME}" -backend-config="snapshot=true"
+  terraform workspace select ${ENVIRONMENT}
+  terraform validate
+  terraform fmt .
+  terraform fmt variables/
+  tflint --config="/home/${USER}/.tflint.d/.tflint.hcl" --var-file="variables/${ENVIRONMENT}.tfvars" --var-file="variables/common.tfvars" --var-file="../global.tfvars" .
+  tfsec .
+}
 
 envup() {
   if [ -f ${ENVIRONMENT_FILE} ]; then
@@ -183,4 +191,8 @@ case $ACTION in
   state-remove )
     state_remove
     ;;
+
+  validate )
+    validate
+    ;;
 esac