Warn against secrets in state and promote ephemeral resources and write-only arguments #859
Open
2 tasks done
Comments
aristosvo
changed the title
You can read Otherwise, I'd just mention it in the rule's docs: https://github.com/terraform-linters/tflint-ruleset-aws/tree/master/docs/rules
Security recommendations are fine here! Could make sense in both tools but if you want to add a rule here we'd maintain it. |
aristosvo
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It would be nice to have linting rules against secrets in state and promote the usage of ephemeral resources and write only arguments: https://developer.hashicorp.com/terraform/language/resources/ephemeral.
Resources with write-only arguments:
aws_secretsmanager_secret_version: included in Validate against sensitive attributes, recommending write-only arguments #860aws_rds_cluster: included in Validate against sensitive attributes, recommending write-only arguments #860aws_db_instance: included in Validate against sensitive attributes, recommending write-only arguments #860aws_redshift_cluster: included in Validate against sensitive attributes, recommending write-only arguments #860aws_docdb_cluster: included in Validate against sensitive attributes, recommending write-only arguments #860aws_redshiftserverless_namespace: included in Validate against sensitive attributes, recommending write-only arguments #860aws_ssm_parameter: included in Validate against sensitive attributes, recommending write-only arguments #860Data sources that have ephemeral equivalents:
aws_ssm_parameter: included in feat: warn against data sources with ephemeral alternatives #861aws_secretsmanager_secret_version: included in feat: warn against data sources with ephemeral alternatives #861aws_secretsmanager_random_password: included in feat: warn against data sources with ephemeral alternatives #861aws_eks_cluster_auth: included in feat: warn against data sources with ephemeral alternatives #861aws_kms_secrets: included in feat: warn against data sources with ephemeral alternatives #861aws_lambda_invocation: included in feat: warn against data sources with ephemeral alternatives #861Questions to be answered:
tflint-ruleset-awsor istrivya better tool to integrate this in?The text was updated successfully, but these errors were encountered: