fix: disabled by default, DB Instance added, wo attribute -> wo argument rewrite

Author: aristosvo

docs/rules/aws_write_only_attributes.md

@@ -1,10 +1,10 @@
-# aws_write_only_attributes
+# aws_write_only_arguments
 
 Recommends using available [write-only arguments](https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only) instead of the original sensitive attribute. This is only valid for Terraform v1.11+.
 
 ## Example
 
-This example uses `aws_secretsmanager_secret_version`, but the rule applies to all resources with write-only attributes:
+This example uses `aws_secretsmanager_secret_version`, but the rule applies to all resources with write-only arguments:
 
 ```hcl
 resource "aws_secretsmanager_secret_version" "test" {
@@ -16,7 +16,7 @@ resource "aws_secretsmanager_secret_version" "test" {
 $ tflint
 1 issue(s) found:
 
-Warning: [Fixable] "secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use "secret_string_wo". (aws_write_only_attributes)
+Warning: [Fixable] "secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use "secret_string_wo". (aws_write_only_arguments)
 
   on test.tf line 3:
    3:   secret_string = var.secret
@@ -48,7 +48,7 @@ resource "aws_secretsmanager_secret_version" "test" {
 ```hcl
 variable "test" {
   type        = string
-  ephemeral   = true # Optional, non-ephemeral values can also be used for write-only attributes
+  ephemeral   = true # Optional, non-ephemeral values can also be used for write-only arguments
   description = "Input variable for a secret"
 }
 

rules/aws_write_only_argurments.go

@@ -0,0 +1,121 @@
+package rules
+
+import (
+	"fmt"
+
+	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+	"github.com/zclconf/go-cty/cty"
+)
+
+// AwsWriteOnlyArgumentsRule checks if a write-only argument is available for sensitive input attributes
+type AwsWriteOnlyArgumentsRule struct {
+	tflint.DefaultRule
+
+	writeOnlyArguments map[string]writeOnlyArgument
+}
+
+type writeOnlyArgument struct {
+	originalAttribute    string
+	writeOnlyAlternative string
+}
+
+// NewAwsWriteOnlyArgumentsRule returns new rule with default attributes
+func NewAwsWriteOnlyArgumentsRule() *AwsWriteOnlyArgumentsRule {
+	writeOnlyArguments := map[string]writeOnlyArgument{
+		"aws_secretsmanager_secret_version": {
+			originalAttribute:    "secret_string",
+			writeOnlyAlternative: "secret_string_wo",
+		},
+		"aws_rds_cluster": {
+			originalAttribute:    "master_password",
+			writeOnlyAlternative: "master_password_wo",
+		},
+		"aws_db_instance": {
+			originalAttribute:    "password",
+			writeOnlyAlternative: "password_wo",
+		},
+		"aws_redshift_cluster": {
+			originalAttribute:    "master_password",
+			writeOnlyAlternative: "master_password_wo",
+		},
+		"aws_docdb_cluster": {
+			originalAttribute:    "master_password",
+			writeOnlyAlternative: "master_password_wo",
+		},
+		"aws_redshiftserverless_namespace": {
+			originalAttribute:    "admin_password",
+			writeOnlyAlternative: "admin_password_wo",
+		},
+		"aws_ssm_parameter": {
+			originalAttribute:    "value",
+			writeOnlyAlternative: "value_wo",
+		},
+	}
+	return &AwsWriteOnlyArgumentsRule{
+		writeOnlyArguments: writeOnlyArguments,
+	}
+}
+
+// Name returns the rule name
+func (r *AwsWriteOnlyArgumentsRule) Name() string {
+	return "aws_write_only_arguments"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsWriteOnlyArgumentsRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsWriteOnlyArgumentsRule) Severity() tflint.Severity {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsWriteOnlyArgumentsRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks whether the sensitive attribute exists
+func (r *AwsWriteOnlyArgumentsRule) Check(runner tflint.Runner) error {
+	for resourceType, attributes := range r.writeOnlyArguments {
+		resources, err := runner.GetResourceContent(resourceType, &hclext.BodySchema{
+			Attributes: []hclext.AttributeSchema{
+				{Name: attributes.originalAttribute},
+			},
+		}, nil)
+		if err != nil {
+			return err
+		}
+
+		for _, resource := range resources.Blocks {
+			attribute, exists := resource.Body.Attributes[attributes.originalAttribute]
+			if !exists {
+				continue
+			}
+
+			err := runner.EvaluateExpr(attribute.Expr, func(val cty.Value) error {
+				if !val.IsNull() {
+					if err := runner.EmitIssueWithFix(
+						r,
+						fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument \"%s\".", attributes.originalAttribute, attributes.writeOnlyAlternative),
+						attribute.Expr.Range(),
+						func(f tflint.Fixer) error {
+							return f.ReplaceText(attribute.NameRange, attributes.writeOnlyAlternative)
+						},
+					); err != nil {
+						return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
+					}
+				}
+				return nil
+			}, nil)
+			if err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}

rules/aws_write_only_attributes_test.go rules/aws_write_only_argurments_test.gorules/aws_write_only_attributes_test.go renamed to rules/aws_write_only_argurments_test.go

@@ -23,8 +23,8 @@ resource "aws_secretsmanager_secret_version" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "secret_string_wo".`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"secret_string" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "secret_string_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 19},
@@ -56,8 +56,8 @@ resource "aws_rds_cluster" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "master_password_wo". Alternatively, you can use "manage_master_user_password" to manage the secret in an different way.`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 21},
@@ -77,6 +77,40 @@ resource "aws_rds_cluster" "test" {
 resource "aws_rds_cluster" "test" {
   master_password_wo = "test"
 }
+`,
+			Expected: helper.Issues{},
+		},
+
+		{
+			Name: "basic aws_db_instance",
+			Content: `
+resource "aws_db_instance" "test" {
+  password = "test"
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "password_wo".`,
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 3, Column: 14},
+						End:      hcl.Pos{Line: 3, Column: 20},
+					},
+				},
+			},
+			Fixed: `
+resource "aws_db_instance" "test" {
+  password_wo = "test"
+}
+`,
+		},
+		{
+			Name: "everything is fine aws_db_instance",
+			Content: `
+resource "aws_db_instance" "test" {
+  password_wo = "test"
+}
 `,
 			Expected: helper.Issues{},
 		},
@@ -89,8 +123,8 @@ resource "aws_redshift_cluster" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "master_password_wo". Alternatively, you can use "manage_master_password" to manage the secret in an different way.`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 21},
@@ -122,8 +156,8 @@ resource "aws_docdb_cluster" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "master_password_wo".`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"master_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "master_password_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 21},
@@ -156,8 +190,8 @@ resource "aws_redshiftserverless_namespace" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"admin_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "admin_password_wo". Alternatively, you can use "manage_admin_password" to manage the secret in an different way.`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"admin_password" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "admin_password_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 20},
@@ -189,8 +223,8 @@ resource "aws_ssm_parameter" "test" {
 `,
 			Expected: helper.Issues{
 				{
-					Rule:    NewAwsWriteOnlyAttributesRule(),
-					Message: `"value" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only attribute "value_wo".`,
+					Rule:    NewAwsWriteOnlyArgumentsRule(),
+					Message: `"value" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument "value_wo".`,
 					Range: hcl.Range{
 						Filename: "resource.tf",
 						Start:    hcl.Pos{Line: 3, Column: 11},
@@ -216,7 +250,7 @@ resource "aws_ssm_parameter" "test" {
 		},
 	}
 
-	rule := NewAwsWriteOnlyAttributesRule()
+	rule := NewAwsWriteOnlyArgumentsRule()
 
 	for _, tc := range cases {
 		filename := "resource.tf"