Add aws_iam_role_deprecated_policy_attributes rule
#833
Conversation
| } | ||
| } | ||
|
|
||
| for _, rule := range resource.Body.Blocks { |
There was a problem hiding this comment.
Avoid assuming that inline_policies is the only block type and explicitly check that in this loop and skip other blocks.
There was a problem hiding this comment.
I'll look into this. Is this just a safety check, or a really bad assumption I've made with how the schema passed to GetResourceContent works?? I think I was assuming the only block type I'd ever see is for inline_policy. But this is my first attempt at writing a plugin, (and I barely know any go!)
There was a problem hiding this comment.
I understand this as a safety check that asserts expectations.
| attribute, exists := resource.Body.Attributes["managed_policy_arns"] | ||
|
|
||
| if exists { | ||
| if err := runner.EmitIssue(r, "The managed_policy_arns argument is deprecated. Use the aws_iam_role_policy_attachment resource instead. If Terraform should exclusively manage all managed policy attachments (the current behavior of this argument), use the aws_iam_role_policy_attachments_exclusive resource as well.", attribute.Range); err != nil { |
There was a problem hiding this comment.
I would flip these. Users should prefer the exclusive resources by default and fall back on the non-authoritative versions if they want to attach policies separate from the role definition.
There was a problem hiding this comment.
The warning messages were taken verbatim from the iam_role documentation page. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
If you want exclusive behaviour, you have to use both aws_iam_role_policy_attachments_exclusive and aws_iam_role_policy_attachment resources.
There was a problem hiding this comment.
Oh, in that case quoting the provider docs is fine
| } | ||
|
|
||
| for _, rule := range resource.Body.Blocks { | ||
| if err := runner.EmitIssue(r, "The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { |
There was a problem hiding this comment.
| if err := runner.EmitIssue(r, "The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { | |
| if err := runner.EmitIssue(r, "The inline_policy block is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { |
There was a problem hiding this comment.
Again, taken verbatim from upstream resource docs, but I can't disagree, block is more accurate, so I can still change it if you prefer.
The warning messages have been copied verbatim from the upstream documentation of the `aws_iam_role` resource.
57cd57a to
ff01475
Compare
|
Thanks for working on this. However, it looks like these deprecation warnings have already been addressed by the AWS provider. Given this, it seems like there would be no point in introducing the same rule in TFLint, but what use cases do you have? |
|
|
|
Thanks for taking another look at this. I can see the warning during a With |
|
Actually, looks like |
|
For this config: terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
}
resource "aws_iam_role" "example_role" {
name = "example-role"
assume_role_policy = jsonencode({})
managed_policy_arns = [
"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess"
]
inline_policy {
policy = jsonencode({})
}
}I get this {
"format_version": "1.0",
"valid": true,
"error_count": 0,
"warning_count": 2,
"diagnostics": [
{
"severity": "warning",
"summary": "Argument is deprecated",
"detail": "managed_policy_arns is deprecated. Use the aws_iam_role_policy_attachment resource instead. If Terraform should exclusively manage all managed policy attachments (the current behavior of this argument), use the aws_iam_role_policy_attachments_exclusive resource as well.",
"address": "aws_iam_role.example_role",
"range": {
"filename": "main.tf",
"start": {
"line": 13,
"column": 25,
"byte": 220
},
"end": {
"line": 16,
"column": 4,
"byte": 334
}
},
"snippet": {
"context": "resource \"aws_iam_role\" \"example_role\"",
"code": " managed_policy_arns = [\n \"arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess\",\n \"arn:aws:iam::aws:policy/CloudWatchLogsFullAccess\"\n ]",
"start_line": 13,
"highlight_start_offset": 24,
"highlight_end_offset": 138,
"values": []
}
},
{
"severity": "warning",
"summary": "Argument is deprecated",
"detail": "inline_policy is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.",
"address": "aws_iam_role.example_role",
"range": {
"filename": "main.tf",
"start": {
"line": 9,
"column": 40,
"byte": 131
},
"end": {
"line": 9,
"column": 41,
"byte": 132
}
},
"snippet": {
"context": "resource \"aws_iam_role\" \"example_role\"",
"code": "resource \"aws_iam_role\" \"example_role\" {",
"start_line": 9,
"highlight_start_offset": 39,
"highlight_end_offset": 40,
"values": []
}
}
]
}Which looks correct. I get that the Terraform CLI doesn't handle the whole workflow but the pieces are there. Initially I was going to say it's a separate tool but maybe we should consider something where TFLint calls I'd say the idea of TFLint handling plans is pretty dead (terraform-linters/tflint#328) but |
|
Interesting... It looks like the validate warning isn't generated in the case the terraform {
required_providers {
aws = {
source = "hashicorp/aws"
}
}
}
resource "aws_iam_role" "warning_generated" {
name = "example-1"
assume_role_policy = jsonencode({})
inline_policy {
policy = jsonencode({})
}
}
resource "aws_iam_role" "no_warning" {
name = "example-2"
assume_role_policy = jsonencode({})
inline_policy {
policy = data.aws_iam_policy_document.inline_policy.json
}
}
data "aws_iam_policy_document" "inline_policy" {
statement {
actions = ["events:PutEvents"]
resources = ["*"]
}
}{
"format_version": "1.0",
"valid": true,
"error_count": 0,
"warning_count": 1,
"diagnostics": [
{
"severity": "warning",
"summary": "Argument is deprecated",
"detail": "inline_policy is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.",
"address": "aws_iam_role.warning_generated",
"range": {
"filename": "test.tf",
"start": {
"line": 9,
"column": 45,
"byte": 138
},
"end": {
"line": 9,
"column": 46,
"byte": 139
}
},
"snippet": {
"context": "resource \"aws_iam_role\" \"warning_generated\"",
"code": "resource \"aws_iam_role\" \"warning_generated\" {",
"start_line": 9,
"highlight_start_offset": 44,
"highlight_end_offset": 45,
"values": []
}
}
]
}Not sure if this is a limitation in It's common to use |
Terraform. Even though the full shape of the JSON is unknown, Terraform still knows that the block is declared. It just can't see the attribute value during validation with the data source. So there shouldn't be any difference in That bug is worth squashing upstream. But given the significant usage of the |
|
Any closer to a consensus on this? I bumped into this again today with a role with managed_policy_arns = [
"arn:${data.aws_partition.current.partition}:iam::aws:policy/SecurityAudit"
]Had the partition been hard-coded, |
|
Sorry for the late reply. I agree with @bendrucker's suggestion. |
No description provided.