terraform-linters / tflint-ruleset-aws

TFLint ruleset for terraform-provider-aws
Mozilla Public License 2.0

docs: `deep_check` assume role working mechanism #476

Closed MaxymVlasov closed 1 year ago

MaxymVlasov commented 1 year ago

Hi, we have an accessibility issue that will be fixed, but we have different opinions on how the TFLint assume-role mechanism works, and the docs can be interpreted in more than one way.

So, we have these docs.


This plugin can assume a role in the same way as Terraform ... link to tf docs

Does that mean that TFLint is able to read the Terraform config, find which role the provider assumes inside the Terraform code and use that role?

Or does it just mean "Look, it is the same syntax; check out what this syntax looks like and use it inside .tflint.hcl"?

MaxymVlasov commented 1 year ago

@bendrucker, just to clarify, can TFLint somehow get role_arn from the code below?

```hcl
provider "aws" {
  region = var.region

  assume_role {
    # `terraform import` will not use data from a data source,
    # so on import we have to explicitly specify the role
    role_arn = coalesce(var.import_role_arn, module.iam_roles.terraform_role_arn)
  }
}
```

bendrucker commented 1 year ago

Best to read the code to understand this:

https://github.com/terraform-linters/tflint-ruleset-aws/blob/master/aws/provider.go

It's using the same expression evaluation mechanism as elsewhere. Variables can be evaluated if passed, coalesce with unknown arguments is less likely to work.
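As an added example (not part of this thread and not from the project's own docs), the two configurations below show both ways the role can reach the plugin: a provider block whose `role_arn` is a plain input variable, which the plugin's expression evaluation can resolve only when the value is supplied to TFLint (for example with `--var 'tflint_role_arn=...'` or a tfvars file), and a `.tflint.hcl` that enables `deep_check` with an explicit `assume_role`, which does not depend on evaluating any Terraform expression at all. The account id, role name and plugin version are placeholders.

```hcl
# main.tf (constructed example)
# A plain variable reference: evaluable by TFLint when the value is passed,
# unlike coalesce() over a module output, which is unknown at lint time.
variable "tflint_role_arn" {
  type = string
}

provider "aws" {
  region = "us-east-1"

  assume_role {
    role_arn = var.tflint_role_arn
  }
}

# .tflint.hcl (constructed example)
# Explicit credentials for deep checking; nothing here needs expression
# evaluation, so it works regardless of how the provider block is written.
plugin "aws" {
  enabled = true
  version = "0.0.0" # placeholder, use a released version
  source  = "github.com/terraform-linters/tflint-ruleset-aws"

  deep_check = true

  assume_role {
    role_arn     = "arn:aws:iam::111111111111:role/tflint-readonly" # placeholder
    session_name = "tflint-deep-check"
  }
}
```

Keeping the deep-check role read-only limits what a compromised lint run (for example in CI) could do with the assumed credentials, since deep checking only needs to describe resources, not modify them.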