-
Notifications
You must be signed in to change notification settings - Fork 73
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Generic rule to prevent certain dangerous resources like aws_iam_policy_attachment #35
Comments
@nitrocode Are you thinking along the lines of a rule named |
Yes exactly |
I'll try and get this knocked out. I think this is a great thing to have and am going to make use of it as soon as it is released! |
Would be nice for this to take a map of suggested resources and the preferred alternative as opposed to just returning that something was blacklisted. I'm not sure what actual use cases there'd be for entirely blacklisting a resource with no suggested alternative. |
@bendrucker yes or even a custom message could be printed if the code was flagged due to the
@bendrucker, |
Ha, was typing as I saw your edit. In theory I could imagine someone wanting to blacklist a resource with no alternative because it has bugs, but that seems like a pretty narrow/tricky use case. Suggestions to use b instead of a could cover a lot of providers—the Google provider has resources with similar caveats, e.g.: https://www.terraform.io/docs/providers/google/r/google_organization_iam_binding.html |
It would be nice to have this within the provider so tools could leverage this information. It sort of already exists as the documentation for a provide has the information. |
@nitrocode I have an initial version of the rule: terraform-linters/tflint#769 |
In my opinion, it is better to obviously resources that should be avoided (like On the other hand, I agree that such a rule is effective when you want to avoid some resources for some special reason, but if possible, I want to make it a tool that provides such best practices. |
That starts to add an opinion with regards to best practices and each organization is going to have their own view on what's best for them. IMO TFLint is best served to provide a framework for people to enforce rules. The overhead associated with understanding all of the resources associated with a provider is a large amount of work. |
+1 from me on usable defaults, e.g. suggesting alternatives to |
👍 Since these things are very much provide specific, can we say that the |
Yes. I'd avoid making the tests or examples too AWS centric to help avoid confusion with an eventual AWS-specific rule. |
@mveitas are there still chances, that this rule will be implemented? |
This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
There is a large warning for the resource
aws_iam_policy_attachment
to useaws_iam_role_policy_attachment
instead.I'd like to prevent the first resource from getting into our infrastructure with an appropriate tflint rule. We could make it specific to this resource but I'd prefer a more generic one so if we find a future resource, we can simply add it to a list within the rule.
Edit: @mveitas put in PR terraform-linters/tflint#769
The text was updated successfully, but these errors were encountered: