This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Warn against secrets in state and promote ephemeral resources and write-only arguments #2299
Comments
{{ message }}
You can continue the conversation there. Go to discussion →
Uh oh!
There was an error while loading. Please reload this page.
Introduction
I have introduced two rules for ephemeral resources/write-only arguments for the AWS provider linter based on this issue, the last one being under review (tflint-ruleset-aws #861).
The question is how to bring these rules towards other providers, because this is not an issue limited to one provider.
Proposals
Proposal 1:
The first proposal is to implement these two rules for every provider ruleset. This should not take long, as the code can be basically copy-pasted into each ruleset. The rules logic could lean more on the SDK to reduce the amount of code duplication.
Proposal 2:
As the specific rulesets don't cover all known providers (and most specifically the
hashicorp/randomprovider), we miss one of the most of the ephemeral replacement options:resource.random_password➡ephemeral.random_passwordTo fix that we would have to include the same two rules for all other (or just a list of most used, to be extended) providers in
tflintitself.To fix that we would have to include the same two rules for all other (or just a list of most used, to be extended) providers in a separate ruleset.
References
The text was updated successfully, but these errors were encountered: