Add aws_iam_role_deprecated_policy_attributes rule
#833
Conversation
| } | ||
| } | ||
|
|
||
| for _, rule := range resource.Body.Blocks { |
There was a problem hiding this comment.
Avoid assuming that inline_policies is the only block type and explicitly check that in this loop and skip other blocks.
There was a problem hiding this comment.
I'll look into this. Is this just a safety check, or a really bad assumption I've made with how the schema passed to GetResourceContent works?? I think I was assuming the only block type I'd ever see is for inline_policy. But this is my first attempt at writing a plugin, (and I barely know any go!)
There was a problem hiding this comment.
I understand this as a safety check that asserts expectations.
| attribute, exists := resource.Body.Attributes["managed_policy_arns"] | ||
|
|
||
| if exists { | ||
| if err := runner.EmitIssue(r, "The managed_policy_arns argument is deprecated. Use the aws_iam_role_policy_attachment resource instead. If Terraform should exclusively manage all managed policy attachments (the current behavior of this argument), use the aws_iam_role_policy_attachments_exclusive resource as well.", attribute.Range); err != nil { |
There was a problem hiding this comment.
I would flip these. Users should prefer the exclusive resources by default and fall back on the non-authoritative versions if they want to attach policies separate from the role definition.
There was a problem hiding this comment.
The warning messages were taken verbatim from the iam_role documentation page. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
If you want exclusive behaviour, you have to use both aws_iam_role_policy_attachments_exclusive and aws_iam_role_policy_attachment resources.
There was a problem hiding this comment.
Oh, in that case quoting the provider docs is fine
| } | ||
|
|
||
| for _, rule := range resource.Body.Blocks { | ||
| if err := runner.EmitIssue(r, "The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { |
There was a problem hiding this comment.
| if err := runner.EmitIssue(r, "The inline_policy argument is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { | |
| if err := runner.EmitIssue(r, "The inline_policy block is deprecated. Use the aws_iam_role_policy resource instead. If Terraform should exclusively manage all inline policy associations (the current behavior of this argument), use the aws_iam_role_policies_exclusive resource as well.", rule.DefRange); err != nil { |
There was a problem hiding this comment.
Again, taken verbatim from upstream resource docs, but I can't disagree, block is more accurate, so I can still change it if you prefer.
The warning messages have been copied verbatim from the upstream documentation of the `aws_iam_role` resource.
57cd57a to
ff01475
Compare
|
Thanks for working on this. However, it looks like these deprecation warnings have already been addressed by the AWS provider. Given this, it seems like there would be no point in introducing the same rule in TFLint, but what use cases do you have? |
|
|
No description provided.