feat: add aws_iam_policy_attachment_exclusive_attachment rule #786
Conversation
…hment_has_alternatives-rule
…hment_has_alternatives-rule
|
This is a copy of #384. It seems that there are only minor things to fix, so let's get it done. Motivation: We had an outage due to misuse of the |
…if the resource exists.
kayman-mk
changed the title
aws_iam_policy_attachment_has_alternatives ruleaws_iam_policy_attachment_exclusive_attachement rule
kayman-mk
changed the title
aws_iam_policy_attachment_exclusive_attachement ruleaws_iam_policy_attachment_exclusive_attachment rule
.gitignore
Outdated
| @@ -1 +1,3 @@ | |||
| .idea/ | |||
| @@ -0,0 +1,35 @@ | |||
| # aws_iam_policy_attachment_exclusive_attachment | |||
|
|
|||
| Consider alternative resources to `aws_iam_policy_attachment`. | |||
There was a problem hiding this comment.
Get a little bit of the why up here. The section below can expand but this intro should give the reader a 1-2 sentence summary of what and why.
|
|
||
| ## Why | ||
|
|
||
| The `aws_iam_policy_attachment` resource creates exclusive attachments of IAM policies. Across the entire AWS account, all the users/roles/groups to which a single policy is attached must be declared by a single `aws_iam_policy_attachment` resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment |
There was a problem hiding this comment.
Hyperlink the first use of the identifier (in backticks) instead of appending the URL at the end
|
|
||
| runner.EmitIssue( | ||
| r, | ||
| "Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead.", |
There was a problem hiding this comment.
Include a brief bit of why here (exclusive for whole account)
| } | ||
|
|
||
| for _, resource := range resources.Blocks { | ||
| attribute, exists := resource.Body.Attributes[r.attributeName] |
There was a problem hiding this comment.
Why does this logic apply? If there's no name attribute, the resource should be skipped?
There was a problem hiding this comment.
I don't see this logic on my machine. We don't need it here.
|
Not sure how to decide about "enabled by default" and "severity". |
kayman-mk
changed the title
aws_iam_policy_attachment_exclusive_attachment rule
Add
aws_iam_policy_attachment_exclusive_attachment_rule.This rule warns when there are recommended alternatives to the resource, and is disabled by default
This recommendation is documented by HashiCorp in the AWS Provider documentation due to common misuse: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment
In this particular case the blast radius of misuse can be severe across an entire organization account and cause production outages due to the unexpected removal of permissions.
After reviewing past issues (#35) and PR's (terraform-linters/tflint#769) I think that adding individual rules informed by HashiCorp recommendations is the most practical approach for community maintenance and this PR could be used as an approachable template for further rules without deep knowledge of the project (I used #355)
Thank you for your consideration.
Closes #35