Validate against secret attributes

Author: aristosvo

docs/rules/aws_secretsmanager_secret_version_secret_string.md

@@ -0,0 +1,55 @@
+# aws_secretsmanager_secret_version_secret_string
+
+Disallows using the `secret_string` attribute, in favor of the `secret_string_wo` attribute.
+
+## Example
+
+```hcl
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string = var.secret
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: "secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use "secret_string_wo". (aws_secretsmanager_secret_version_secret_string)
+
+  on test.tf line 3:
+   3:   secret_string = var.secret
+
+```
+
+## Why
+
+Saving secrets to state or plan files is a bad practice. It can cause serious security issues. Keeping secrets from these files is possible in most of the cases by using write-only attributes.
+
+## How To Fix
+
+Replace the `secret_string` with `secret_string_wo` and `secret_string_wo_version`, either via using an ephemeral resource as source or using an ephemeral variable:
+
+```hcl
+ephemeral "random_password" "test" {
+  length           = 32
+  override_special = "!#$%&*()-_=+[]{}<>:?"
+}
+
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string_wo         = ephemeral.random_password.test.value
+  secret_string_wo_version = 1
+}
+```
+
+```hcl
+variable "test" {
+  type        = string
+  ephemeral   = true # Optional, non-ephemeral values can also be used for write-only attributes
+  description = "Input variable for a secret"
+}
+
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string_wo         = var.test
+  secret_string_wo_version = 1
+}
+```

rules/aws_secretsmanager_secret_version_secret_string.go

@@ -0,0 +1,85 @@
+package rules
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// AwsSecretsmanagerSecretVersionSecretStringRule checks if the secret_string attribute is used in secretsmanager_secret_version
+// It emits a warning if the attribute is used, as it is a non-ephemeral attribute and the secret is stored in state
+// It suggests using secret_string_wo instead
+type AwsSecretsmanagerSecretVersionSecretStringRule struct {
+	tflint.DefaultRule
+
+	resourceType           string
+	attributeName          string
+	writeOnlyAttributeName string
+}
+
+// NewAwsSecretsmanagerSecretVersionSecretStringRule returns new rule with default attributes
+func NewAwsSecretsmanagerSecretVersionSecretStringRule() *AwsSecretsmanagerSecretVersionSecretStringRule {
+	return &AwsSecretsmanagerSecretVersionSecretStringRule{
+		resourceType:           "aws_secretsmanager_secret_version",
+		attributeName:          "secret_string",
+		writeOnlyAttributeName: "secret_string_wo",
+	}
+}
+
+// Name returns the rule name
+func (r *AwsSecretsmanagerSecretVersionSecretStringRule) Name() string {
+	return "aws_secretsmanager_secret_version_secret_string"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsSecretsmanagerSecretVersionSecretStringRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsSecretsmanagerSecretVersionSecretStringRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsSecretsmanagerSecretVersionSecretStringRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks whether the secret string attribute exists
+func (r *AwsSecretsmanagerSecretVersionSecretStringRule) Check(runner tflint.Runner) error {
+	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
+		Attributes: []hclext.AttributeSchema{
+			{Name: r.attributeName},
+		},
+	}, nil)
+	if err != nil {
+		return err
+	}
+
+	for _, resource := range resources.Blocks {
+		attribute, exists := resource.Body.Attributes[r.attributeName]
+		if !exists {
+			continue
+		}
+
+		err := runner.EvaluateExpr(attribute.Expr, func(val cty.Value) error {
+			if !val.IsNull() {
+				runner.EmitIssue(
+					r,
+					fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute \"%s\".", r.attributeName, r.writeOnlyAttributeName),
+					attribute.Expr.Range(),
+				)
+			}
+			return nil
+		}, nil)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}

rules/aws_secretsmanager_secret_version_secret_string_test.go

@@ -0,0 +1,57 @@
+package rules
+
+import (
+	"testing"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AwsSecretsmanagerSecretVersionSecretString(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "basic",
+			Content: `
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string = "test"
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsSecretsmanagerSecretVersionSecretStringRule(),
+					Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "secret_string_wo".`,
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 19},
+						End:      hcl.Pos{Line: 3, Column: 25},
+					},
+				},
+			},
+		},
+		{
+			Name: "everything is fine",
+			Content: `
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string_wo = "test"
+}
+`,
+			Expected: helper.Issues{},
+		},
+	}
+
+	rule := NewAwsSecretsmanagerSecretVersionSecretStringRule()
+
+	for _, tc := range cases {
+		runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+
+		helper.AssertIssues(t, tc.Expected, runner.Issues)
+	}
+}

rules/provider.go

@@ -43,6 +43,7 @@ var manualRules = []tflint.Rule{
 	NewAwsProviderMissingDefaultTagsRule(),
 	NewAwsSecurityGroupInlineRulesRule(),
 	NewAwsSecurityGroupRuleDeprecatedRule(),
+	NewAwsSecretsmanagerSecretVersionSecretStringRule(),
 }
 
 // Rules is a list of all rules