Custom Terraform / IaC lint rules — stdlib, pre-commit-friendly.

Project description

sarj-iac-lint

Custom Terraform / IaC lint rules — stdlib only, line/block based, pre-commit-friendly. Mined from recurring infra review comments across the org.

uv tool install sarj-iac-lint

Rules

Code     Rule                         What it flags
SARJ201  require-deletion-protection  A stateful resource (Cloud SQL, GKE, BigQuery, Spanner, AlloyDB, Bigtable, RDS, DynamoDB, ElastiCache, DocumentDB, Neptune, Azure databases, Cosmos DB, ...) without deletion_protection = true.
SARJ202  no-comment-cruft             Commented-out Terraform/HCL and section-banner / divider comments.
SARJ203  no-hardcoded-private-cidr    A hardcoded RFC-1918 private IP/CIDR literal that should be a variable.

.tf, .hcl, and .tfvars files are scanned by all rules; .yaml/.yml (Helm/k8s/Compose) are scanned by no-comment-cruft for banners only.

Pre-commit

- repo: https://github.com/sarj-ai/standards
  rev: iac-v0.1.0
  hooks:
    - id: sarj-require-deletion-protection
    - id: sarj-no-comment-cruft-iac
    - id: sarj-no-hardcoded-private-cidr

CLI

sarj-iac-lint check --rule require-deletion-protection iac/
sarj-iac-lint list-rules

Diagnostic format is path:line:col: CODE message — Ruff-compatible. --exit-zero reports without failing (warn mode).

Adoption

require-deletion-protection and no-comment-cruft have ~zero false positives — run them as hard (blocking) hooks. no-hardcoded-private-cidr legitimately fires on network modules that define subnets, so adopt it with --exit-zero (warn) or suppress the source-of-truth definitions and let it catch new duplication.

require-deletion-protection treats variable/expression-gated protection (deletion_protection = var.enabled) and lifecycle { prevent_destroy = true } as protected — only a literal = false or a total absence is flagged.

Suppression

Inline # sarj-noqa: SARJ201 — <reason> on the offending line (the resource line for SARJ201).
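As an added illustration (not the project's code), a stdlib-only, line/block-based check that implements the SARJ201 semantics described above, including the inline noqa suppression on the resource line. The STATEFUL prefix tuple and the Terraform sample are constructed assumptions; the real rule covers the longer resource list in the table.

```python
import re

# Constructed sample (not from the project): one resource per documented SARJ201 outcome.
SAMPLE_TF = """\
resource "google_sql_database_instance" "a" {
  deletion_protection = false
}
resource "aws_db_instance" "b" {
}
resource "google_sql_database_instance" "c" {
  deletion_protection = var.protect
}
resource "aws_rds_cluster" "d" {
  lifecycle { prevent_destroy = true }
}
resource "aws_dynamodb_table" "e" { # sarj-noqa: SARJ201 — scratch table
}
"""
STATEFUL = ("google_sql_", "aws_db_instance", "aws_rds_", "aws_dynamodb_")  # assumed subset
RESOURCE_RE = re.compile(r'^resource\s+"([^"]+)"\s+"[^"]+"\s*\{')
DP_RE = re.compile(r'^\s*deletion_protection\s*=\s*(\S+)')
PREVENT_RE = re.compile(r'\bprevent_destroy\s*=\s*true\b')
NOQA_RE = re.compile(r'#\s*sarj-noqa:.*\bSARJ201\b')

def iter_blocks(lines):
    """Yield (lineno, header, body) per resource block; braces are counted per line, not parsed."""
    depth, start, body = 0, None, []
    for i, line in enumerate(lines):
        if depth == 0 and RESOURCE_RE.match(line):
            start, body, depth = i, [], 1
            continue
        if depth:
            depth += line.count("{") - line.count("}")
            body.append(line)
            if depth == 0:
                yield start + 1, lines[start], body

def block_protected(body):
    """var.x or any expression counts as protected; only a literal false, or absence without prevent_destroy, does not."""
    dp = next((m.group(1) for m in map(DP_RE.match, body) if m), None)
    return dp != "false" if dp else any(PREVENT_RE.search(l) for l in body)

def check_deletion_protection(text, path="main.tf"):
    """Ruff-style path:line:col: CODE message diagnostics, one per flagged block."""
    out = []
    for lineno, header, body in iter_blocks(text.splitlines()):
        rtype = RESOURCE_RE.match(header).group(1)
        if rtype.startswith(STATEFUL) and not NOQA_RE.search(header) and not block_protected(body):
            out.append(f"{path}:{lineno}:1: SARJ201 {rtype} without deletion_protection = true")
    return out
```

Running `check_deletion_protection(SAMPLE_TF)` flags only resources "a" (literal false) and "b" (absent); "c", "d" and the noqa'd "e" pass.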


Download files

Source Distribution

sarj_iac_lint-0.1.0.tar.gz (9.4 kB)

Built Distribution

sarj_iac_lint-0.1.0-py3-none-any.whl (13.5 kB)

File details

Details for the file sarj_iac_lint-0.1.0.tar.gz.

File metadata

  • Download URL: sarj_iac_lint-0.1.0.tar.gz
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sarj_iac_lint-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       2f54f281c0b7a2bedcc4654d9c8b6dca7ec1c4c70b7ea8857892f3c68911f3c7
MD5          2957796981b1a685222f01ea9fc0fe5d
BLAKE2b-256  517ffefcb6e59f909455cf81fca370cee3fe9360da0f027bcf310e26e452a30f

Provenance

The following attestation bundles were made for sarj_iac_lint-0.1.0.tar.gz:

Publisher: release.yml on sarj-ai/standards

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sarj_iac_lint-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sarj_iac_lint-0.1.0-py3-none-any.whl
  • Size: 13.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for sarj_iac_lint-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       594030adb035a8ba3f99fe23f3199c0e643bfc53a8dbca2027ff486b09023e5c
MD5          b90ec194e659588f6836f8e4af0e3ed1
BLAKE2b-256  a2958dbd9ad971983d1103e079d71c8cead0fbc2899129950c2efde24da498ac

Provenance

The following attestation bundles were made for sarj_iac_lint-0.1.0-py3-none-any.whl:

Publisher: release.yml on sarj-ai/standards

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.