terraform-linters
diff --git a/‎docs/rules/aws_ephemeral_resources.md‎
Lines changed: 44 additions & 0 deletions b/‎docs/rules/aws_ephemeral_resources.md‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎rules/ephemeral/aws_ephemeral_resources.go‎
Lines changed: 100 additions & 0 deletions b/‎rules/ephemeral/aws_ephemeral_resources.go‎
Lines changed: 100 additions & 0 deletions
diff --git a/‎rules/ephemeral/aws_ephemeral_resources_rule.go.tmpl‎
Lines changed: 97 additions & 0 deletions b/‎rules/ephemeral/aws_ephemeral_resources_rule.go.tmpl‎
Lines changed: 97 additions & 0 deletions
diff --git a/‎rules/ephemeral/aws_ephemeral_resources_rule_test.go.tmpl‎
Lines changed: 57 additions & 0 deletions b/‎rules/ephemeral/aws_ephemeral_resources_rule_test.go.tmpl‎
Lines changed: 57 additions & 0 deletions
@@ -0,0 +1,44 @@
+# aws_ephemeral_resources
+
+Recommends using available [ephemeral resources](https://developer.hashicorp.com/terraform/language/resources/ephemeral/reference) instead of the original data source. This is only valid for Terraform v1.10+.
+
+## Example
+
+This example uses `aws_secretsmanager_random_password`, but the rule applies to all data sources with an ephemeral equivalent:
+
+```hcl
+data "aws_secretsmanager_random_password" "test" {
+  password_length = 50
+  exclude_numbers = true
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+
+Warning: [Fixable] "aws_secretsmanager_random_password" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource "aws_secretsmanager_random_password" instead. (aws_ephemeral_resources)
+
+  on test.tf line 2:
+   2: data "aws_secretsmanager_random_password" "test"
+
+```
+
+## Why
+
+By default, sensitive attributes are still stored in state, just hidden from view in plan output. Other resources are able to refer to these attributes. Current versions of Terraform also include support for ephemeral resources, which are not persisted to state. Other resources can refer to their values, but executing of the lookup is defered until the apply stage.
+
+Using ephemeral resources mitigates the risk of a malicious actor obtaining privileged credentials by accessing Terraform state files directly. Prefer using them over the original data sources for sensitive data.
+
+## How To Fix
+
+Replace the data source with its ephemeral resource equivalent. Use resources with write-only arguments or in provider configuration to ensure that the sensitive value is not persisted to state.
+
+In case of the previously shown `aws_secretsmanager_random_password` data source, replace `data` by `ephemeral`:
+
+```hcl
+ephemeral "aws_secretsmanager_random_password" "test" {
+  password_length = 50
+  exclude_numbers = true
+}
+```
@@ -0,0 +1,100 @@
+// This file generated by `generator/main.go`. DO NOT EDIT
+
+package ephemeral
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+)
+
+// TODO: Write the rule's description here
+// AwsEphemeralResourcesRule checks ...
+type AwsEphemeralResourcesRule struct {
+	tflint.DefaultRule
+
+	replacingEphemeralResources []string
+}
+
+// NewAwsEphemeralResourcesRule returns new rule with default attributes
+func NewAwsEphemeralResourcesRule() *AwsEphemeralResourcesRule {
+	return &AwsEphemeralResourcesRule{
+		replacingEphemeralResources: []string{
+			"aws_eks_cluster_auth",
+			"aws_kms_secrets",
+			"aws_lambda_invocation",
+			"aws_secretsmanager_random_password",
+			"aws_secretsmanager_secret_version",
+			"aws_ssm_parameter",
+		},
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEphemeralResourcesRule) Name() string {
+	return "aws_ephemeral_resources"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEphemeralResourcesRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsEphemeralResourcesRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsEphemeralResourcesRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks if there is an ephemeral resource which can replace an data source
+func (r *AwsEphemeralResourcesRule) Check(runner tflint.Runner) error {
+	for _, resourceType := range r.replacingEphemeralResources {
+		resources, err := GetDataSourceContent(runner, resourceType, &hclext.BodySchema{}, nil)
+		if err != nil {
+			return err
+		}
+
+		for _, resource := range resources.Blocks {
+			if err := runner.EmitIssueWithFix(
+				r,
+				fmt.Sprintf("\"%s\" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource \"%s\" instead.", resourceType, resourceType),
+				resource.TypeRange,
+				func(f tflint.Fixer) error {
+					return f.ReplaceText(resource.TypeRange, "ephemeral")
+				},
+			); err != nil {
+				return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func GetDataSourceContent(r tflint.Runner, name string, schema *hclext.BodySchema, opts *tflint.GetModuleContentOption) (*hclext.BodyContent, error) {
+	body, err := r.GetModuleContent(&hclext.BodySchema{
+		Blocks: []hclext.BlockSchema{
+			{Type: "data", LabelNames: []string{"type", "name"}, Body: schema},
+		},
+	}, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	content := &hclext.BodyContent{Blocks: []*hclext.Block{}}
+	for _, resource := range body.Blocks {
+		if resource.Labels[0] != name {
+			continue
+		}
+
+		content.Blocks = append(content.Blocks, resource)
+	}
+
+	return content, nil
+}
@@ -0,0 +1,97 @@
+// This file generated by `generator/main.go`. DO NOT EDIT
+
+package ephemeral
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+)
+
+// TODO: Write the rule's description here
+// AwsEphemeralResourcesRule checks ...
+type AwsEphemeralResourcesRule struct {
+	tflint.DefaultRule
+
+	replacingEphemeralResources []string
+}
+
+// NewAwsEphemeralResourcesRule returns new rule with default attributes
+func NewAwsEphemeralResourcesRule() *AwsEphemeralResourcesRule {
+	return &AwsEphemeralResourcesRule{
+		replacingEphemeralResources: []string{
+		{{- range $value := . }}
+			"{{ $value}}",
+		{{- end }}
+		},
+	}
+}
+
+// Name returns the rule name
+func (r *AwsEphemeralResourcesRule) Name() string {
+	return "aws_ephemeral_resources"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsEphemeralResourcesRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsEphemeralResourcesRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsEphemeralResourcesRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks if there is an ephemeral resource which can replace an data source
+func (r *AwsEphemeralResourcesRule) Check(runner tflint.Runner) error {
+	for _, resourceType := range r.replacingEphemeralResources {
+		resources, err := GetDataSourceContent(runner, resourceType, &hclext.BodySchema{}, nil)
+		if err != nil {
+			return err
+		}
+
+		for _, resource := range resources.Blocks {
+			if err := runner.EmitIssueWithFix(
+				r,
+				fmt.Sprintf("\"%s\" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource \"%s\" instead.", resourceType, resourceType),
+				resource.TypeRange,
+				func(f tflint.Fixer) error {
+					return f.ReplaceText(resource.TypeRange, "ephemeral")
+				},
+			); err != nil {
+				return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
+			}
+		}
+	}
+
+	return nil
+}
+
+func GetDataSourceContent(r tflint.Runner, name string, schema *hclext.BodySchema, opts *tflint.GetModuleContentOption) (*hclext.BodyContent, error) {
+	body, err := r.GetModuleContent(&hclext.BodySchema{
+		Blocks: []hclext.BlockSchema{
+			{Type: "data", LabelNames: []string{"type", "name"}, Body: schema},
+		},
+	}, opts)
+	if err != nil {
+		return nil, err
+	}
+
+	content := &hclext.BodyContent{Blocks: []*hclext.Block{}}
+	for _, resource := range body.Blocks {
+		if resource.Labels[0] != name {
+			continue
+		}
+
+		content.Blocks = append(content.Blocks, resource)
+	}
+
+	return content, nil
+}
@@ -0,0 +1,57 @@
+// This file generated by `generator/main.go`. DO NOT EDIT
+
+package ephemeral
+
+import (
+	"testing"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+func Test_AwsEphemeralResources(t *testing.T) {
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+		Fixed    string
+	}{
+
+		{{- range $value := . }}
+		{
+			Name: "basic {{ $value }}",
+			Content: `
+data "{{ $value }}" "test" {
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsEphemeralResourcesRule(),
+					Message: `"{{ $value }}" is a non-ephemeral data source, which means that all (sensitive) attributes are stored in state. Please use ephemeral resource "{{ $value }}" instead.`,
+				},
+			},
+			Fixed: `
+ephemeral "{{ $value }}" "test" {
+}
+`,
+		},
+		{{- end }}
+	}
+
+	rule := NewAwsEphemeralResourcesRule()
+
+	for _, tc := range cases {
+		filename := "resource.tf"
+		runner := helper.TestRunner(t, map[string]string{filename: tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+		helper.AssertIssuesWithoutRange(t, tc.Expected, runner.Issues)
+
+		want := map[string]string{}
+		if tc.Fixed != "" {
+			want[filename] = tc.Fixed
+		}
+		helper.AssertChanges(t, want, runner.Changes())
+	}
+}