-
Notifications
You must be signed in to change notification settings - Fork 358
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP] - Adding new terraform_blacklisted_resources rule #769
Conversation
Wanted to get some eyes on this approach before I go further. I was going to take a look at the additional attribute |
return err | ||
} | ||
|
||
// Since the resources are stored as a map, there is no guarantee of the order in which |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This seems like something we should address in AssertIssues
rather than requiring a rule to sort like this
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, I just could not see a way to make this happen easily. The right thing to do is to resolve the issue in AssertIssues
first instead of polluting the rule.
Terraform stores the resources as a map
, so there is no guaranteed order in the case of evaluation of resources.
type Issue struct {
Rule Rule
Message string
Range hcl.Range
Callers []hcl.Range
}
Thoughts?
rule "terraform_blacklisted_resources" { | ||
enabled = true | ||
types = { | ||
aws_iam_policy_attachment = "Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What about a map[string][]string
, where the key is the forbidden resource and the values are the suggested alternatives? I think it's best that we avoid putting literal messages in rule configuration, unless it's a meta-parameter that all rules can provide (#768).
Thoughts on naming this |
Going back to the idea of include a message as part of the rule, this is something that would be valuable to be able to provide some context for each type specified. The message would be something that is "optional" What are you thoughts about a rule structure as such:
|
Yeah, I think suggested or alternative or something similar sets the right tone. And you're right re: the message, since it does need to be on a per-resource basis I think that makes sense. What does |
Thanks @mveitas for the PR. I think Are the only changes left the rename ?
Yes, I was imagining something more like this rule "terraform_alternative_resources" {
enabled = true
aws_identity = {
alternatives = ["aws_iam_policy_attachment"],
message = ["This resource is deprecated. Please use aws_iam_role_policy_attachment instead"]
}
} or maybe rule "terraform_alternative_resources" {
enabled = true
resources = [
# bad aws iam policy attachment
{
# string or array ?
resources = ["aws.aws_iam_policy_attachment"]
alternatives = [
"aws.aws_iam_role_policy_attachment",
"aws.aws_iam_user_policy_attachment",
"aws.aws_iam_group_policy_attachment",
]
message = "This resource is deprecated. Please use one of these instead: ${join(",", this.alternatives)}"
# allow_in_modules = true
allow_in_modules = ["https://github.com/claranet/terraform-aws-lambda"]
}
# additional resources that we don't want used for some reason
# ...
]
} Also what if modules use the flagged resource. Would it be possible to allow this resource in upstream modules ? |
See #878 for discussion on linting child modules and a proposed behavior change. Otherwise, this rule would behave in unexpected ways with child modules, and only trigger errors when the disallowed resource included a |
@bendrucker wait how come this was closed ? Is there a way to do this now using a different rule ? |
This is not merge-able or complete. If someone else wants to take it up in a rule set plugin that's fine. There's still an open issue too. I'll transfer the terraform rule set to its own repo/plugin soon and will make some decisions on whether to implement any related rule requests at that time. |
This rule adds the ability to prevent a resource of a certain type from being used. Each type specified has a custom message that will be displayed to the user that can be used to provide guidance on an alternative.
Fixes https://github.com/terraform-linters/tflint/issues/700