feat: warn against data sources with ephemeral alternatives (#861)

* feat: add suggestions to replace data sources with ephemeral alternatives

* fix: implement remarks

* fix: doc generation fix

* fix: resolve comments

Author: aristosvo

docs/rules/README.md

@@ -61,24 +61,26 @@ These rules enforce best practices and naming conventions:
 |Rule|Description|Enabled by default|
 | --- | --- | --- |
 |[aws_acm_certificate_lifecycle](aws_acm_certificate_lifecycle.md)|Disallow adding `aws_acm_certificate` resource without setting `create_before_destroy = true` in `lifecycle` block |✔|
-|[aws_db_instance_previous_type](aws_db_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_db_instance_default_parameter_group](aws_db_instance_default_parameter_group.md)|Disallow using default DB parameter group|✔|
-|[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
+|[aws_db_instance_previous_type](aws_db_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_elasticache_cluster_default_parameter_group](aws_elasticache_cluster_default_parameter_group.md)|Disallow using default parameter group|✔|
-|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
-|[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
+|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_ephemeral_resources](aws_ephemeral_resources.md)|Recommends using available ephemeral resources instead of the original data source. This is only valid for Terraform v1.10+.||
 |[aws_iam_policy_attachment_exclusive_attachment](aws_iam_policy_attachment_exclusive_attachment.md)|Consider alternative resources to `aws_iam_policy_attachment`||
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_iam_role_deprecated_policy_attributes](aws_iam_role_deprecated_policy_attributes.md)|Disallow using deprecated policy attributes of `aws_iam_role`||
 |[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
+|[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
+|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
 |[aws_security_group_inline_rules](aws_security_group_inline_rules.md)|Disallow `ingress` and `egress` arguments of the `aws_security_group` resource||
 |[aws_security_group_rule_deprecated](aws_security_group_rule_deprecated.md)|Disallow using `aws_security_group_rule` resource||
-|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
+|[aws_write_only_arguments](aws_write_only_arguments.md)|Recommends using available write-only arguments instead of the original sensitive attribute. This is only valid for Terraform v1.11+.||
 
 ### SDK-based Validations
 

docs/rules/README.md.tmpl

@@ -61,24 +61,26 @@ These rules enforce best practices and naming conventions:
 |Rule|Description|Enabled by default|
 | --- | --- | --- |
 |[aws_acm_certificate_lifecycle](aws_acm_certificate_lifecycle.md)|Disallow adding `aws_acm_certificate` resource without setting `create_before_destroy = true` in `lifecycle` block |✔|
-|[aws_db_instance_previous_type](aws_db_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_db_instance_default_parameter_group](aws_db_instance_default_parameter_group.md)|Disallow using default DB parameter group|✔|
-|[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
+|[aws_db_instance_previous_type](aws_db_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_elasticache_cluster_default_parameter_group](aws_elasticache_cluster_default_parameter_group.md)|Disallow using default parameter group|✔|
-|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_elasticache_cluster_previous_type](aws_elasticache_cluster_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
-|[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
+|[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
+|[aws_ephemeral_resources](aws_ephemeral_resources.md)|Recommends using available ephemeral resources instead of the original data source. This is only valid for Terraform v1.10+.||
 |[aws_iam_policy_attachment_exclusive_attachment](aws_iam_policy_attachment_exclusive_attachment.md)|Consider alternative resources to `aws_iam_policy_attachment`||
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_iam_role_deprecated_policy_attributes](aws_iam_role_deprecated_policy_attributes.md)|Disallow using deprecated policy attributes of `aws_iam_role`||
 |[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
+|[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
+|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
 |[aws_security_group_inline_rules](aws_security_group_inline_rules.md)|Disallow `ingress` and `egress` arguments of the `aws_security_group` resource||
 |[aws_security_group_rule_deprecated](aws_security_group_rule_deprecated.md)|Disallow using `aws_security_group_rule` resource||
-|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
+|[aws_write_only_arguments](aws_write_only_arguments.md)|Recommends using available write-only arguments instead of the original sensitive attribute. This is only valid for Terraform v1.11+.||
 
 ### SDK-based Validations
 

docs/rules/aws_ephemeral_resources.md

@@ -0,0 +1,44 @@
+# aws_ephemeral_resources
+
+Recommends using available [ephemeral resources](https://developer.hashicorp.com/terraform/language/resources/ephemeral/reference) instead of the original data source. This is only valid for Terraform v1.10+.
+
+## Example
+
+This example uses `aws_secretsmanager_random_password`, but the rule applies to all data sources with an ephemeral equivalent:
+
+```hcl
+data "aws_secretsmanager_random_password" "test" {
+  password_length = 50
+  exclude_numbers = true
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: "aws_secretsmanager_random_password" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource "aws_secretsmanager_random_password" instead. (aws_ephemeral_resources)
+
+  on test.tf line 2:
+   2: data "aws_secretsmanager_random_password" "test"
+
+```
+
+## Why
+
+By default, sensitive attributes are still stored in state, just hidden from view in plan output. Other resources are able to refer to these attributes. Current versions of Terraform also include support for ephemeral resources, which are not persisted to state. Other resources can refer to their values, but executing of the lookup is defered until the apply stage.
+
+Using ephemeral resources mitigates the risk of a malicious actor obtaining privileged credentials by accessing Terraform state files directly. Prefer using them over the original data sources for sensitive data.
+
+## How To Fix
+
+Replace the data source with its ephemeral resource equivalent. Use resources with write-only arguments or in provider configuration to ensure that the sensitive value is not persisted to state.
+
+In case of the previously shown `aws_secretsmanager_random_password` data source, replace `data` by `ephemeral`:
+
+```hcl
+ephemeral "aws_secretsmanager_random_password" "test" {
+  password_length = 50
+  exclude_numbers = true
+}
+```

rules/ephemeral/aws_ephemeral_resources.go

@@ -0,0 +1,87 @@
+package ephemeral
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+)
+
+// AwsEphemeralResourcesRule checks for data sources which can be replaced by ephemeral resources
+type AwsEphemeralResourcesRule struct {
+	tflint.DefaultRule
+
+	replacingEphemeralResources []string
+}
+
+// NewAwsEphemeralResourcesRule returns new rule with default attributes
+func NewAwsEphemeralResourcesRule() *AwsEphemeralResourcesRule {
+	return &AwsEphemeralResourcesRule{
+		replacingEphemeralResources: replacingEphemeralResources,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEphemeralResourcesRule) Name() string {
+	return "aws_ephemeral_resources"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEphemeralResourcesRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsEphemeralResourcesRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsEphemeralResourcesRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks if there is an ephemeral resource which can replace an data source
+func (r *AwsEphemeralResourcesRule) Check(runner tflint.Runner) error {
+	for _, resourceType := range r.replacingEphemeralResources {
+		resources, err := GetDataSourceContent(runner, resourceType, &hclext.BodySchema{}, nil)
+		if err != nil {
+			return err
+		}
+
+		for _, resource := range resources.Blocks {
+			if err := runner.EmitIssue(
+				r,
+				fmt.Sprintf("\"%s\" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource \"%s\" instead.", resourceType, resourceType),
+				resource.TypeRange,
+			); err != nil {
+				return fmt.Errorf("failed to call EmitIssue(): %w", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func GetDataSourceContent(r tflint.Runner, name string, schema *hclext.BodySchema, opts *tflint.GetModuleContentOption) (*hclext.BodyContent, error) {
+	body, err := r.GetModuleContent(&hclext.BodySchema{
+		Blocks: []hclext.BlockSchema{
+			{Type: "data", LabelNames: []string{"type", "name"}, Body: schema},
+		},
+	}, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	content := &hclext.BodyContent{Blocks: []*hclext.Block{}}
+	for _, resource := range body.Blocks {
+		if resource.Labels[0] != name {
+			continue
+		}
+
+		content.Blocks = append(content.Blocks, resource)
+	}
+
+	return content, nil
+}

rules/ephemeral/aws_ephemeral_resources_test.go

@@ -0,0 +1,48 @@
+package ephemeral
+
+import (
+	"testing"
+
+	"github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AwsEphemeralResources(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+		Fixed    string
+	}{
+		{
+			Name: "basic aws_eks_cluster_auth",
+			Content: `
+data "aws_eks_cluster_auth" "test" {
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsEphemeralResourcesRule(),
+					Message: `"aws_eks_cluster_auth" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource "aws_eks_cluster_auth" instead.`,
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 2, Column: 1},
+						End:      hcl.Pos{Line: 2, Column: 5},
+					},
+				},
+			},
+		},
+	}
+
+	rule := NewAwsEphemeralResourcesRule()
+
+	for _, tc := range cases {
+		filename := "resource.tf"
+		runner := helper.TestRunner(t, map[string]string{filename: tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+		helper.AssertIssues(t, tc.Expected, runner.Issues)
+	}
+}

rules/ephemeral/ephemeral_resources_gen.go

@@ -0,0 +1,12 @@
+// This file generated by `generator/main.go`. DO NOT EDIT
+
+package ephemeral
+
+var replacingEphemeralResources = []string{
+		"aws_eks_cluster_auth",
+		"aws_kms_secrets",
+		"aws_lambda_invocation",
+		"aws_secretsmanager_random_password",
+		"aws_secretsmanager_secret_version",
+		"aws_ssm_parameter",
+}

rules/ephemeral/ephemeral_resources_gen.go.tmpl

@@ -0,0 +1,9 @@
+// This file generated by `generator/main.go`. DO NOT EDIT
+
+package ephemeral
+
+var replacingEphemeralResources = []string{
+	{{- range $value := . }}
+		"{{ $value}}",
+	{{- end }}
+}

rules/ephemeral/generator/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"slices"
 	"strings"
 
 	tfjson "github.com/hashicorp/terraform-json"
@@ -25,8 +26,21 @@ func main() {
 		}
 	}
 
-	// Generate the write-only arguments variable to file
+	// Generate the write-only arguments variable
 	utils.GenerateFile("../../rules/ephemeral/write_only_arguments_gen.go", "../../rules/ephemeral/write_only_arguments_gen.go.tmpl", resourcesWithWriteOnly)
+
+	ephemeralResourcesAsDataAlternative := []string{}
+	// Iterate over all ephemeral resources in the AWS provider schema
+	for resourceName, _ := range awsProvider.EphemeralResourceSchemas {
+		if awsProvider.DataSourceSchemas[resourceName] != nil {
+			ephemeralResourcesAsDataAlternative = append(ephemeralResourcesAsDataAlternative, resourceName)
+		}
+	}
+
+	slices.Sort(ephemeralResourcesAsDataAlternative)
+
+	// Generate the ephemeral resources variable
+	utils.GenerateFile("../../rules/ephemeral/ephemeral_resources_gen.go", "../../rules/ephemeral/ephemeral_resources_gen.go.tmpl", ephemeralResourcesAsDataAlternative)
 }
 
 func findReplaceableAttribute(arguments []string, resource *tfjson.Schema) []writeOnlyArgument {

rules/provider.go

@@ -46,6 +46,7 @@ var manualRules = []tflint.Rule{
 	NewAwsSecurityGroupRuleDeprecatedRule(),
 	NewAwsIAMRoleDeprecatedPolicyAttributesRule(),
 	ephemeral.NewAwsWriteOnlyArgumentsRule(),
+	ephemeral.NewAwsEphemeralResourcesRule(),
 }
 
 // Rules is a list of all rules

tools/provider-schema/.terraform-version

@@ -1 +1 @@
-1.1.2
+1.11.2