feat: update for auto gen

Author: aristosvo

rules/aws_write_only_arguments.go

@@ -0,0 +1,137 @@
+package rules
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// AwsWriteOnlyArgumentsRule checks if a write-only argument is available for sensitive input attributes
+type AwsWriteOnlyArgumentsRule struct {
+	tflint.DefaultRule
+
+	writeOnlyArguments map[string][]writeOnlyArgument
+}
+
+type writeOnlyArgument struct {
+	originalAttribute    string
+	writeOnlyAlternative string
+}
+
+// NewAwsWriteOnlyArgumentsRule returns new rule with default attributes
+func NewAwsWriteOnlyArgumentsRule() *AwsWriteOnlyArgumentsRule {
+	writeOnlyArguments := map[string][]writeOnlyArgument{
+		"aws_db_instance": {
+			{
+				originalAttribute:    "password",
+				writeOnlyAlternative: "password_wo",
+			},
+		},
+		"aws_docdb_cluster": {
+			{
+				originalAttribute:    "master_password",
+				writeOnlyAlternative: "master_password_wo",
+			},
+		},
+		"aws_rds_cluster": {
+			{
+				originalAttribute:    "master_password",
+				writeOnlyAlternative: "master_password_wo",
+			},
+		},
+		"aws_redshift_cluster": {
+			{
+				originalAttribute:    "master_password",
+				writeOnlyAlternative: "master_password_wo",
+			},
+		},
+		"aws_redshiftserverless_namespace": {
+			{
+				originalAttribute:    "admin_user_password",
+				writeOnlyAlternative: "admin_user_password_wo",
+			},
+		},
+		"aws_secretsmanager_secret_version": {
+			{
+				originalAttribute:    "secret_string",
+				writeOnlyAlternative: "secret_string_wo",
+			},
+		},
+		"aws_ssm_parameter": {
+			{
+				originalAttribute:    "value",
+				writeOnlyAlternative: "value_wo",
+			},
+		},
+	}
+	return &AwsWriteOnlyArgumentsRule{
+		writeOnlyArguments: writeOnlyArguments,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsWriteOnlyArgumentsRule) Name() string {
+	return "aws_write_only_arguments"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsWriteOnlyArgumentsRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsWriteOnlyArgumentsRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsWriteOnlyArgumentsRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks whether the sensitive attribute exists
+func (r *AwsWriteOnlyArgumentsRule) Check(runner tflint.Runner) error {
+	for resourceType, attributes := range r.writeOnlyArguments {
+		for _, resourceAttribute := range attributes {
+			resources, err := runner.GetResourceContent(resourceType, &hclext.BodySchema{
+				Attributes: []hclext.AttributeSchema{
+					{Name: resourceAttribute.originalAttribute},
+				},
+			}, nil)
+			if err != nil {
+				return err
+			}
+
+			for _, resource := range resources.Blocks {
+				attribute, exists := resource.Body.Attributes[resourceAttribute.originalAttribute]
+				if !exists {
+					continue
+				}
+
+				err := runner.EvaluateExpr(attribute.Expr, func(val cty.Value) error {
+					if !val.IsNull() {
+						if err := runner.EmitIssueWithFix(
+							r,
+							fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument \"%s\".", resourceAttribute.originalAttribute, resourceAttribute.writeOnlyAlternative),
+							attribute.Expr.Range(),
+							func(f tflint.Fixer) error {
+								return f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+							},
+						); err != nil {
+							return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
+						}
+					}
+					return nil
+				}, nil)
+				if err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}

rules/aws_write_only_argurments_test.go renamed to rules/aws_write_only_arguments_test.go

@@ -3,7 +3,6 @@ package rules
 import (
 	"testing"
 
-	hcl "github.com/hashicorp/hcl/v2"
 	"github.com/terraform-linters/tflint-plugin-sdk/helper"
 )
 
@@ -15,101 +14,85 @@ func Test_AwsWriteOnlyAttribute(t *testing.T) {
 		Fixed    string
 	}{
 		{
-			Name: "basic aws_secretsmanager_secret_version",
+			Name: "basic aws_db_instance",
 			Content: `
-resource "aws_secretsmanager_secret_version" "test" {
-  secret_string = "test"
+resource "aws_db_instance" "test" {
+  password = "test"
 }
 `,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
-					Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "secret_string_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 19},
-						End:      hcl.Pos{Line: 3, Column: 25},
-					},
+					Message: `"password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "password_wo".`,
 				},
 			},
 			Fixed: `
-resource "aws_secretsmanager_secret_version" "test" {
-  secret_string_wo = "test"
+resource "aws_db_instance" "test" {
+  password_wo = "test"
 }
 `,
 		},
 		{
-			Name: "everything is fine aws_secretsmanager_secret_version",
+			Name: "everything is fine aws_db_instance",
 			Content: `
-resource "aws_secretsmanager_secret_version" "test" {
-  secret_string_wo = "test"
+resource "aws_db_instance" "test" {
+  password_wo = "test"
 }
 `,
 			Expected: helper.Issues{},
 		},
 		{
-			Name: "basic aws_rds_cluster",
+			Name: "basic aws_docdb_cluster",
 			Content: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
   master_password = "test"
 }
 `,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
 					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 21},
-						End:      hcl.Pos{Line: 3, Column: 27},
-					},
 				},
 			},
 			Fixed: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
   master_password_wo = "test"
 }
 `,
 		},
 		{
-			Name: "everything is fine aws_rds_cluster",
+			Name: "everything is fine aws_docdb_cluster",
 			Content: `
-resource "aws_rds_cluster" "test" {
+resource "aws_docdb_cluster" "test" {
   master_password_wo = "test"
 }
 `,
 			Expected: helper.Issues{},
 		},
-
 		{
-			Name: "basic aws_db_instance",
+			Name: "basic aws_rds_cluster",
 			Content: `
-resource "aws_db_instance" "test" {
-  password = "test"
+resource "aws_rds_cluster" "test" {
+  master_password = "test"
 }
 `,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
-					Message: `"password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "password_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 14},
-						End:      hcl.Pos{Line: 3, Column: 20},
-					},
+					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
 				},
 			},
 			Fixed: `
-resource "aws_db_instance" "test" {
-  password_wo = "test"
+resource "aws_rds_cluster" "test" {
+  master_password_wo = "test"
 }
 `,
 		},
 		{
-			Name: "everything is fine aws_db_instance",
+			Name: "everything is fine aws_rds_cluster",
 			Content: `
-resource "aws_db_instance" "test" {
-  password_wo = "test"
+resource "aws_rds_cluster" "test" {
+  master_password_wo = "test"
 }
 `,
 			Expected: helper.Issues{},
@@ -125,11 +108,6 @@ resource "aws_redshift_cluster" "test" {
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
 					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 21},
-						End:      hcl.Pos{Line: 3, Column: 27},
-					},
 				},
 			},
 			Fixed: `
@@ -148,68 +126,57 @@ resource "aws_redshift_cluster" "test" {
 			Expected: helper.Issues{},
 		},
 		{
-			Name: "basic aws_docdb_cluster",
+			Name: "basic aws_redshiftserverless_namespace",
 			Content: `
-resource "aws_docdb_cluster" "test" {
-  master_password = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+  admin_user_password = "test"
 }
 `,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
-					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 21},
-						End:      hcl.Pos{Line: 3, Column: 27},
-					},
+					Message: `"admin_user_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "admin_user_password_wo".`,
 				},
 			},
 			Fixed: `
-resource "aws_docdb_cluster" "test" {
-  master_password_wo = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+  admin_user_password_wo = "test"
 }
 `,
 		},
 		{
-			Name: "everything is fine aws_docdb_cluster",
+			Name: "everything is fine aws_redshiftserverless_namespace",
 			Content: `
-resource "aws_docdb_cluster" "test" {
-  master_password_wo = "test"
+resource "aws_redshiftserverless_namespace" "test" {
+  admin_user_password_wo = "test"
 }
 `,
 			Expected: helper.Issues{},
 		},
-
 		{
-			Name: "basic aws_redshiftserverless_namespace",
+			Name: "basic aws_secretsmanager_secret_version",
 			Content: `
-resource "aws_redshiftserverless_namespace" "test" {
-  admin_password = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string = "test"
 }
 `,
 			Expected: helper.Issues{
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
-					Message: `"admin_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "admin_password_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 20},
-						End:      hcl.Pos{Line: 3, Column: 26},
-					},
+					Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "secret_string_wo".`,
 				},
 			},
 			Fixed: `
-resource "aws_redshiftserverless_namespace" "test" {
-  admin_password_wo = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string_wo = "test"
 }
 `,
 		},
 		{
-			Name: "everything is fine aws_redshiftserverless_namespace",
+			Name: "everything is fine aws_secretsmanager_secret_version",
 			Content: `
-resource "aws_redshiftserverless_namespace" "test" {
-  admin_password_wo = "test"
+resource "aws_secretsmanager_secret_version" "test" {
+  secret_string_wo = "test"
 }
 `,
 			Expected: helper.Issues{},
@@ -225,14 +192,8 @@ resource "aws_ssm_parameter" "test" {
 				{
 					Rule:    NewAwsWriteOnlyArgumentsRule(),
 					Message: `"value" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "value_wo".`,
-					Range: hcl.Range{
-						Filename: "resource.tf",
-						Start:    hcl.Pos{Line: 3, Column: 11},
-						End:      hcl.Pos{Line: 3, Column: 17},
-					},
 				},
 			},
-
 			Fixed: `
 resource "aws_ssm_parameter" "test" {
   value_wo = "test"
@@ -259,7 +220,7 @@ resource "aws_ssm_parameter" "test" {
 		if err := rule.Check(runner); err != nil {
 			t.Fatalf("Unexpected error occurred: %s", err)
 		}
-		helper.AssertIssues(t, tc.Expected, runner.Issues)
+		helper.AssertIssuesWithoutRange(t, tc.Expected, runner.Issues)
 
 		want := map[string]string{}
 		if tc.Fixed != "" {