6 changes: 3 additions & 3 deletions docs/debug.md
@@ -30,7 +30,7 @@ deny_invalid_instance_type contains issue if {
$ TFLINT_LOG=debug tflint
...
16:47:48 [DEBUG] host2plugin/client.go:124: starting host-side gRPC server
16:47:48 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:47:48 [DEBUG] topdown/print.go:48: [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
16:47:48 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:47:48 [DEBUG] topdown/print.go:48: [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "ephemeral": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
...
```

@@ -62,9 +62,9 @@ $ TFLINT_LOG=debug TFLINT_OPA_TRACE=1 tflint
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | Index data.tflint.deny_invalid_instance_type (matched 1 rule)
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | Enter data.tflint.deny_invalid_instance_type
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Eval terraform.resources("aws_instance", {"instance_type": "string"}, {}, __local2__)
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Unify __local2__ = [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Unify __local2__ = [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "ephemeral": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Eval instances = __local2__
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Unify instances = [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Unify instances = [{"config": {"instance_type": {"range": {"end": {"byte": 61, "column": 29, "line": 2}, "filename": "main.tf", "start": {"byte": 51, "column": 19, "line": 2}}, "sensitive": false, "ephemeral": false, "unknown": false, "value": "t2.micro"}}, "decl_range": {"end": {"byte": 30, "column": 31, "line": 1}, "filename": "main.tf", "start": {"byte": 0, "column": 1, "line": 1}}, "name": "main", "type": "aws_instance"}]
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Eval trace("after fetch")
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Note "after fetch"
16:55:12 [DEBUG] [email protected]/client.go:1045: tflint-ruleset-opa: 16:55:12 [DEBUG] topdown/trace.go:239: | | Eval instances[_].config.type.value = "t2.micro"
15 changes: 14 additions & 1 deletion docs/functions.md
@@ -24,7 +24,7 @@ Types:
|---|---|
|`schema`|`object[string: any<string, schema>]`|
|`body`|`object[string: any<expr, array[nested_block]>]`|
|`expr`|`object<value: any, unknown: boolean, sensitive: boolean, range: range>`|
|`expr`|`object<value: any, unknown: boolean, sensitive: boolean, ephemeral: boolean, range: range>`|
|`nested_block`|`object<config: object[string: any<expr, array[nested_block]>], labels: array[string], decl_range: range>`|
|`range`|`object<filename: string, start: pos, end: pos>`|
|`pos`|`object<line: number, column: number, byte: number>`|
@@ -61,6 +61,7 @@ terraform.resources("aws_instance", {"instance_type": "string"}, {})
"value": "t2.micro",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {
"filename": "main.tf",
"start": { "line": 2, "column": 19, "byte": 51 },
@@ -100,6 +101,7 @@ terraform.resources("aws_instance", {"ebs_block_device": {"volume_size": "number
"value": 50,
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -225,6 +227,7 @@ terraform.data_sources("aws_ami", {"owners": "list(string)"}, {})
"value": ["self"],
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -271,6 +274,7 @@ terraform.module_calls({"instance_type": "string"}, {})
"value": "t2.micro",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -317,6 +321,7 @@ terraform.providers({"region": "string"}, {})
"value": "us-east-1",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -373,6 +378,7 @@ terraform.settings({"required_providers": {"aws": "map(string)"}}, {})
},
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -424,6 +430,7 @@ terraform.variables({"nullable": "bool"}, {})
"value": true,
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -470,6 +477,7 @@ terraform.outputs({"description": "string"}, {})
"value": null,
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -514,6 +522,7 @@ terraform.locals({})
"value": "bar",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
},
"decl_range": {...}
@@ -558,6 +567,7 @@ terraform.moved_blocks({"from": "any"}, {})
"from": {
"unknown": true,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -604,6 +614,7 @@ terraform.imports({"id": "string"}, {})
"value": "i-abcd1234",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -658,6 +669,7 @@ terraform.checks({"assert": {"condition": "bool"}}, {})
"condition": {
"unknown": true,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -711,6 +723,7 @@ terraform.removed_blocks({"from": "any"}, {})
"from": {
"unknown": true,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
4 changes: 3 additions & 1 deletion docs/handling_special_values.md
@@ -22,7 +22,7 @@ Ideally, you should also set `TF_VAR_bucket_name` in CI, but if it's not availab
Cases that return unknown values are:

- Variables without values
- Variables marked with `sensitive = true`
- Variables marked with `sensitive = true` or `ephemeral = true`
- Resource attributes (e.g. `aws_instance.web.arn`)
- Data attributes (e.g. `data.aws_ami.web.id`)
- Module outputs (e.g. `module.vpc.vpc_id`)
@@ -40,6 +40,7 @@ In this case the returned JSON looks like this:
"bucket": {
"unknown": true,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
@@ -256,6 +257,7 @@ In this case the returned JSON looks like this:
"value": null,
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {...}
}
},
2 changes: 2 additions & 0 deletions docs/intro.md
@@ -74,6 +74,7 @@ The return value of this function will be the following JSON:
"value": "example-corp-assets",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {
"filename": "main.tf",
"start": { "line": 2, "column": 12, "byte": 48 },
@@ -95,6 +96,7 @@ The return value of this function will be the following JSON:
"value": "example-com-assets",
"unknown": false,
"sensitive": false,
"ephemeral": false,
"range": {
"filename": "main.tf",
"start": { "line": 6, "column": 12, "byte": 119 },
8 changes: 8 additions & 0 deletions integration/instance_type/main.tf
@@ -25,3 +25,11 @@ variable "sensitive" {
resource "aws_instance" "sensitive" {
instance_type = var.sensitive
}

variable "ephemeral" {
default = "m5.large"
ephemeral = true
}
resource "aws_instance" "ephemeral" {
instance_type = var.ephemeral
}
9 changes: 9 additions & 0 deletions integration/instance_type/policies/main.rego
@@ -28,3 +28,12 @@ deny_not_t2_micro contains issue if {

issue := tflint.issue("t2.micro is only allowed", instance_type.range)
}

deny_not_t2_micro contains issue if {
resources := terraform.resources("aws_instance", {"instance_type": "string"}, {})
instance_type := resources[_].config.instance_type

instance_type.ephemeral == true

issue := tflint.issue("instance type is ephemeral", instance_type.range)
}
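Review bot: The new `deny_not_t2_micro` body at the end of this hunk has no comment saying that `instance_type.ephemeral == true` is undefined rather than false when the host sends no `ephemeral` key, so on such a host the body never fires. The `result-v0.43.0.json` fixture added in this same commit expects `t2.micro is only allowed` at line 34 of main.tf, which suggests an older TFLint hands the ephemeral variable's value to the policy as a known string. Anyone copying this rule to keep ephemeral values out of findings or debug logs would want that stated; I would add above the rule `# "ephemeral" is only set by hosts that support ephemeral values; on older hosts this body is undefined and the value is evaluated as known.` The earlier bodies of the rule start outside the hunk.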
21 changes: 21 additions & 0 deletions integration/instance_type/policies/main_test.rego
@@ -61,3 +61,24 @@ test_not_deny_t2_micro_sensitive_failed if {

count(issues) == 0
}

mock_resources_ephemeral_instance_type(type, schema, options) := terraform.mock_resources(type, schema, options, {"main.tf": `
variable "ephemeral" {
default = "t2.micro"
ephemeral = true
}
resource "aws_instance" "main" {
instance_type = var.ephemeral
}`})

test_not_deny_t2_micro_ephemeral_passed if {
issues := deny_not_t2_micro with terraform.resources as mock_resources_ephemeral_instance_type

count(issues) == 2
}

test_not_deny_t2_micro_ephemeral_failed if {
issues := deny_not_t2_micro with terraform.resources as mock_resources_ephemeral_instance_type

count(issues) == 0
}
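Review bot: `test_not_deny_t2_micro_ephemeral_passed` checks only `count(issues) == 2`, so it would still pass if the ephemeral body stopped firing and some other body produced the second issue. With the mock default set to `t2.micro`, the two issues are presumably "instance type is ephemeral" and "instance type is unknown" (result.json shows that pair for the integration fixture). Pinning one of them ties the test to the new rule, for example `issues[_].msg == "instance type is ephemeral"`, assuming issue objects expose the message as `msg`. A one-line comment such as `# ephemeral values are hidden from the policy, so both the ephemeral and the unknown bodies fire` would explain the count. The `_failed` variant appears to follow the file's existing convention of a deliberately failing test, whose earlier examples are outside the hunk.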
125 changes: 125 additions & 0 deletions integration/instance_type/result-v0.43.0.json
@@ -0,0 +1,125 @@
{
"issues": [
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "t2.micro is only allowed",
"range": {
"filename": "main.tf",
"start": {
"line": 2,
"column": 19
},
"end": {
"line": 2,
"column": 29
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "t2.micro is only allowed",
"range": {
"filename": "main.tf",
"start": {
"line": 13,
"column": 19
},
"end": {
"line": 13,
"column": 31
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "instance type is unknown",
"range": {
"filename": "main.tf",
"start": {
"line": 18,
"column": 19
},
"end": {
"line": 18,
"column": 30
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "instance type is sensitive",
"range": {
"filename": "main.tf",
"start": {
"line": 26,
"column": 19
},
"end": {
"line": 26,
"column": 32
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "instance type is unknown",
"range": {
"filename": "main.tf",
"start": {
"line": 26,
"column": 19
},
"end": {
"line": 26,
"column": 32
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "t2.micro is only allowed",
"range": {
"filename": "main.tf",
"start": {
"line": 34,
"column": 19
},
"end": {
"line": 34,
"column": 32
}
},
"callers": []
}
],
"errors": []
}
40 changes: 40 additions & 0 deletions integration/instance_type/result.json
@@ -99,6 +99,46 @@
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "instance type is ephemeral",
"range": {
"filename": "main.tf",
"start": {
"line": 34,
"column": 19
},
"end": {
"line": 34,
"column": 32
}
},
"callers": []
},
{
"rule": {
"name": "opa_deny_not_t2_micro",
"severity": "error",
"link": "policies/main.rego:5"
},
"message": "instance type is unknown",
"range": {
"filename": "main.tf",
"start": {
"line": 34,
"column": 19
},
"end": {
"line": 34,
"column": 32
}
},
"callers": []
}
],
"errors": []