Rewrite Option
Overview
A rewrite option defines how the matched parts of code should be transformed. You can use a single rewrite option with a `rewrite` block in a rule, or multiple rewrite options with a `rewrite_options` block. `rewrite_options` is useful, for example, when you need to offer several ways to transform the matched parts depending on external factors such as the user's environment or preferences.
📝 Tips: You can't use both `rewrite` and `rewrite_options` in one rule. You need to choose either one.
Single Rewrite Option
For example, the following rule set includes a rule which finds `attr1 = (blah blah)` (any value, captured by the anonymous metavariable `:[_]`) and rewrites it to `another = 3`:
```yaml
version: "1"
rules:
  - id: "test-policy"
    language: hcl
    message: test
    pattern: |
      attr1 = :[_]
    rewrite: |
      another = 3
```
Suppose you apply the above rule to the following Terraform code:
```hcl
// (R1)
resource "foobar" "foo" {
  attr1 = 1
}

// (R2)
resource "foobar" "foo" {
  attr2 = 2
}

// (R3)
resource "foobar" "foo" {
  size = 1
}
```
In this case you'll get the following output from Shisho (only R1 matches, since R2 and R3 have no `attr1` attribute):
```
$ cat example.tf | shisho check policy.yaml
[test-policy]: test
In /dev/stdin:
         |
       3 |   attr1 = 1
         |
Suggested changes (1):
  2  2 | resource "foobar" "foo" {
  3    | -   attr1 = 1
     3 | +   another = 3
  4  4 | }
```
Multiple Rewrite Options
The following rule searches for `error_notification_level = 3` and shows two rewrite options, `error_notification_level = 4` and `error_notification_level = 5`:
```yaml
version: "1"
rules:
  - id: "test-policy"
    language: hcl
    message: test
    pattern: |
      error_notification_level = 3
    rewrite_options:
      - |
        # send an error notification to group members
        error_notification_level = 4
      - |
        # send an error notification to all users
        error_notification_level = 5
```
Suppose you apply the above rule to the following Terraform code:
```hcl
resource "foobar" "foo" {
  error_notification_level = 3
}
```
In this case you'll get the following output from Shisho, with one suggested change per rewrite option:
```
$ cat example.tf | shisho check policy.yaml
[test-policy]: test
In /dev/stdin:
         |
       2 |   error_notification_level = 3
         |
Suggested changes (1):
  1  1 | resource "foobar" "foo" {
  2    | -   error_notification_level = 3
     2 | +   # send an error notification to group members
     3 | +   error_notification_level = 4
     4 | +
  3  5 | }
Suggested changes (2):
  1  1 | resource "foobar" "foo" {
  2    | -   error_notification_level = 3
     2 | +   # send an error notification to all users
     3 | +   error_notification_level = 5
  3  4 | }
```
For instance, with the incorrect rule below, which includes both a `rewrite` and a `rewrite_options` block, you'll get the following error from Shisho:
```yaml
# This includes both `rewrite` and `rewrite_options`
version: "1"
rules:
  - id: "test-policy"
    language: hcl
    message: test
    pattern: |
      error_notification_level = 3
    rewrite: |
      # send an error notification to group 1
      error_notification_level = 4
    rewrite_options:
      - |
        # send an error notification to group 1
        error_notification_level = 4
      - |
        # send an error notification to all users
        error_notification_level = 5
```
```
# the check result shows an error message
$ cat example.tf | shisho check policy.yaml
[test-policy]: test
In /dev/stdin:
         |
       2 |   error_notification_level = 3
         |
error: You can use only one of `rewrite` or `rewrite_options`.
```
Refer to Metavariables
You can refer to the value of a metavariable captured in the pattern from the rewrite block, like this:
📝 Tips: What are constraints? Please review the rule constraints page.
```yaml
version: '1'
rules:
  - id: 'unencrypted-ebs-volume'
    language: hcl
    message: |
      There was unencrypted EBS module.
    pattern: |
      resource "aws_ebs_volume" :[NAME] {
        :[...X]
      }
    constraints:
      - target: X
        should: not-match
        pattern: |
          encrypted = true
    rewrite: |
      resource "aws_ebs_volume" :[NAME] {
        :[X]
        encrypted = true
      }
```
Suppose you apply the above rule to the following Terraform code:
```hcl
resource "aws_ebs_volume" "volume" {
  availability_zone = "${var.region}a"
  size              = 1
}
```
In this case, you'll get the following output from Shisho. The rewrite keeps the original body (`:[X]`) and appends `encrypted = true`, so the suggested change is a single added line:
```
$ cat example.tf | shisho check policy.yaml
[unencrypted-ebs-volume]: There was unencrypted EBS module.
In /dev/stdin:
         |
       1 | resource "aws_ebs_volume" "volume" {
       2 |   availability_zone = "${var.region}a"
       3 |   size = 1
       4 | }
         |
Suggested changes (1):
  3  3 |   size = 1
     4 | +   encrypted = true
  4  5 | }
```
Refer to Metavariables with Constraints
Moreover, you can refer to metavariables captured by constraints, including nested constraints. This lets a rewrite reuse values that already exist in the matched code. In the rule below, `:[Z]` is bound by the innermost constraint and then used in the rewrite:
```yaml
version: '1'
rules:
  - id: 'test-metavariables-with-constraints'
    language: hcl
    message: |
      This is a test.
    pattern: |
      resource "foobar" :[NAME] {
        :[...X]
      }
    constraints:
      - target: X
        should: match
        pattern: |
          recovery_mode {
            :[...Y]
          }
        constraints:
          - target: Y
            should: match
            pattern: |
              auto_repair_level = :[Z]
    rewrite: |
      resource "foobar" :[NAME] {
        auto_repair_level = :[Z]
      }
```
Suppose you apply the above rule to the following Terraform code:
```hcl
resource "foobar" "foo" {
  recovery_mode {
    auto_repair_level = 4
  }
}
```
In this case you'll get the following output from Shisho, where the `recovery_mode` block is replaced by the captured `auto_repair_level` value:
```
$ cat example.tf | shisho check policy.yaml
[unencrypted-ebs-volume]: This is a test.
In /dev/stdin:
         |
       1 | resource "foobar" "foo" {
       2 |   recovery_mode {
       3 |     auto_repair_level = 4
       4 |   }
       5 | }
         |
Suggested changes (1):
  1  1 | resource "foobar" "foo" {
  2    | -   recovery_mode {
  3    | -     auto_repair_level = 4
  4    | -   }
     2 | +   auto_repair_level = 4
  5  3 | }
```
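Two properties described on this page can be checked before a rule set ever reaches Shisho: a rule may carry only one of `rewrite` and `rewrite_options` (the error shown above under Multiple Rewrite Options), and every metavariable a rewrite refers to must be captured by the pattern or by one of its (possibly nested) constraints, as in the `:[Z]` example just above. The Python below is an added example written for this page; it is not part of Shisho and the exact validation Shisho itself performs is an assumption. It takes the rule set as an already-parsed dict (what a YAML loader returns, so no YAML library is needed) and uses the metavariable syntax shown on this page: `:[NAME]`, `:[...X]` and the anonymous `:[_]`. The third rule set is constructed for the example and is not on the page.

```python
"""Static checks for Shisho rule sets (added example; the real validator may differ)."""
import re
from typing import Iterable

# Metavariable syntax from the page: :[NAME], :[...X] (multi-node), :[_] (anonymous).
METAVAR_RE = re.compile(r":\[(\.\.\.)?([A-Za-z_][A-Za-z0-9_]*)\]")

ONLY_ONE_MSG = "You can use only one of `rewrite` or `rewrite_options`."


def metavariables(text: str) -> set[str]:
    """Names of all metavariables in a pattern or rewrite, excluding the anonymous `_`."""
    return {name for _ellipsis, name in METAVAR_RE.findall(text) if name != "_"}


def captured_by(pattern: str, constraints: Iterable[dict]) -> set[str]:
    """Names bound by a pattern plus those bound by nested constraint patterns."""
    bound = metavariables(pattern)
    for c in constraints or []:
        if "pattern" in c:
            bound |= captured_by(c["pattern"], c.get("constraints", []))
    return bound


def check_rule(rule: dict) -> list[str]:
    """Return a list of problems for one rule (empty list means the rule looks fine)."""
    problems: list[str] = []
    rewrites: list[str] = []
    if "rewrite" in rule:
        rewrites.append(rule["rewrite"])
    if "rewrite_options" in rule:
        rewrites.extend(rule["rewrite_options"])
    if "rewrite" in rule and "rewrite_options" in rule:
        problems.append(ONLY_ONE_MSG)
    bound = captured_by(rule["pattern"], rule.get("constraints", []))
    for rw in rewrites:
        for name in sorted(metavariables(rw) - bound):
            problems.append(f"rewrite refers to :[{name}] which the pattern and constraints never capture")
    return problems


def check_ruleset(ruleset: dict) -> dict[str, list[str]]:
    """Map each rule id to its list of problems."""
    return {r["id"]: check_rule(r) for r in ruleset["rules"]}


# Parsed form of the nested-constraint rule from this page (valid).
NESTED_RULE = {
    "id": "test-metavariables-with-constraints", "language": "hcl", "message": "This is a test.\n",
    "pattern": 'resource "foobar" :[NAME] {\n  :[...X]\n}\n',
    "constraints": [{
        "target": "X", "should": "match", "pattern": "recovery_mode {\n  :[...Y]\n}\n",
        "constraints": [{"target": "Y", "should": "match", "pattern": "auto_repair_level = :[Z]\n"}],
    }],
    "rewrite": 'resource "foobar" :[NAME] {\n  auto_repair_level = :[Z]\n}\n',
}

# Parsed form of the incorrect rule from this page that has both blocks.
BOTH_BLOCKS_RULE = {
    "id": "test-policy", "language": "hcl", "message": "test",
    "pattern": "error_notification_level = 3\n",
    "rewrite": "# send an error notification to group 1\nerror_notification_level = 4\n",
    "rewrite_options": [
        "# send an error notification to group 1\nerror_notification_level = 4\n",
        "# send an error notification to all users\nerror_notification_level = 5\n",
    ],
}

# Constructed for this example: the rewrite uses :[Z] but no constraint captures it.
UNBOUND_RULE = {
    "id": "unbound-metavariable", "language": "hcl", "message": "constructed",
    "pattern": 'resource "foobar" :[NAME] {\n  :[...X]\n}\n',
    "rewrite": 'resource "foobar" :[NAME] {\n  auto_repair_level = :[Z]\n}\n',
}

if __name__ == "__main__":
    report = check_ruleset({"version": "1", "rules": [NESTED_RULE, BOTH_BLOCKS_RULE, UNBOUND_RULE]})
    for rule_id, problems in report.items():
        print(rule_id, "->", problems or "ok")
```

Running it reports `ok` for the nested-constraint rule, the mutual-exclusion message for the rule with both blocks, and an unbound `:[Z]` for the constructed rule. Checks like this are cheap to run in CI before a policy is rolled out, so a typo in a metavariable name is caught in review rather than as a silently wrong suggested change.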