Add support for a single run to be converted into different outputs

[stevehipwell]

Introduction

Currently in CI/CD I have to run TFLint 4 times to get my desired outputs and error code, this is very expensive so I;d like to be able to only run the TFLint scanner once and then report on the output. Trivy does this very well with trivy convert and Terraform has similar functionality with terraform show.

Proposal

I'd like TFLint to add a command to read a common format (JSON?) and convert it to an output with error codes as if it was coming directly from a scan.

The following example code assumes there is a new --convert arg and minimum failure severity could be set to none.

tflint --recursive --minimum-failure-severity none --format json > tflint.json
tflint --convert tflint.json --recursive --minimum-failure-severity none --format sarif > tflint.sarif
tflint --convert tflint.json --recursive --disable-rule terraform_required_version --disable-rule terraform_required_providers --minimum-failure-severity error --format compact
tflint --convert tflint.json --only terraform_required_version --only terraform_required_providers --minimum-failure-severity error --format compact

References

[wata727]

Interesting idea. Intuitively, I think that use cases like this should be achieved by supporting multiple output flags rather than conversions. It seems that Trivy had a similar opinion, but due to their own circumstances, they decided to implement trivy convert. See aquasecurity/trivy#3243

This constraint doesn't exist in TFLint, so I'm positive about supporting multiple output flags. Support status in other linters and discussion on Trivy may be helpful.

However, fine-grained control over error codes cannot be achieved with this feature, so other ways must be considered. Can I ask why you need to change the rules or --minimum-failure-severity multiple times?

[stevehipwell]

@wata727 multiple output formats would work if the outputs captured all of the issues before exiting. In my example being able to suppress an exit code is required as we're aiming to capture all issues as SARIF and then print a table and exit.

The slight problem with the above is that TFLint still doesn't support differentiating between the root module/workspace and sub-modules for provider configuration. So we might still need to run multiple passes to get our required output.

[wata727]

TFLint still doesn't support differentiating between the root module/workspace and sub-modules for provider configuration.

Understood. You can use different provider configuration by putting .tflint.hcl in each module directory. Perhaps this will satisfy your requirement without any conversions.

[stevehipwell]

@wata727 I wasn't aware of that, thanks. Do the configurations nest, as in would the subdirectory inherit from the root with a minimal config just disabling specific rules?

[stevehipwell]

@wata727 based on my testing I currently need to duplicate the whole .tflint.hcl in each sub directory including the plugin versions; so even though it'd be quicker the UX barrier is too high to be able to roll this out.

Maybe a config { partial = true } argument would allow for merging this configuration?

[wata727]

You're right. We are aware of this issue and it is tracked in #1536.

Perhaps config inheritance like Git, rather than adding new attributes like partial, could solve this issue. However, due to design issues, we have not made any progress on this issue and are open to feedback. If you are interested, please comment your opinion in the issue.