Merge remote-tracking branch 'origin/master' into kayma/secgrp-ingress-egress

Author: kayman-mk

.github/workflows/maintenance.yaml

@@ -13,9 +13,9 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
-      - run: |
-          go get github.com/aws/aws-sdk-go
-          go mod tidy
+      - uses: hashicorp/setup-terraform@v3
+      - name: go generate ./...
+        run: |
           cd tools/provider-schema
           terraform init -upgrade
           terraform providers schema -json > schema.json

CHANGELOG.md

@@ -1,3 +1,28 @@
+## 0.37.0 (2024-12-31)
+
+### Breaking Changes
+
+- [#789](https://github.com/terraform-linters/tflint-ruleset-aws/pull/789) [#798](https://github.com/terraform-linters/tflint-ruleset-aws/pull/798): Update AWS provider/module and generated content
+  - Removed the following rules
+    - `aws_service_discovery_http_namespace_invalid_name`
+    - `aws_service_discovery_private_dns_namespace_invalid_name`
+    - `aws_service_discovery_public_dns_namespace_invalid_name`
+
+### Enhancements
+
+- [#787](https://github.com/terraform-linters/tflint-ruleset-aws/pull/787) [#800](https://github.com/terraform-linters/tflint-ruleset-aws/pull/800): Add new db.m8g, r8g, r7i, r6i-preconfigured, m7i, c6gd instances ([@gnetsman](https://github.com/gnetsman), [@wata727](https://github.com/wata727))
+- [#786](https://github.com/terraform-linters/tflint-ruleset-aws/pull/786): feat: add `aws_iam_policy_attachment_exclusive_attachment` rule ([@kayman-mk](https://github.com/kayman-mk))
+- [#790](https://github.com/terraform-linters/tflint-ruleset-aws/pull/790): feat: add `aws_security_group_rule_deprecated` rule ([@kayman-mk](https://github.com/kayman-mk))
+- [#801](https://github.com/terraform-linters/tflint-ruleset-aws/pull/801): rules: Add missing DB engines ([@wata727](https://github.com/wata727))
+- [#802](https://github.com/terraform-linters/tflint-ruleset-aws/pull/802): rules: Add cache.c7gn high-bandwidth node type ([@wata727](https://github.com/wata727))
+- [#803](https://github.com/terraform-linters/tflint-ruleset-aws/pull/803): rules: Update Lambda runtime deprecations ([@wata727](https://github.com/wata727))
+
+### Chores
+
+- [#791](https://github.com/terraform-linters/tflint-ruleset-aws/pull/791) [#795](https://github.com/terraform-linters/tflint-ruleset-aws/pull/795) [#797](https://github.com/terraform-linters/tflint-ruleset-aws/pull/797): Bump aws-sdk-go-v2
+- [#792](https://github.com/terraform-linters/tflint-ruleset-aws/pull/792): Bump github.com/hashicorp/terraform-json from 0.23.0 to 0.24.0
+- [#796](https://github.com/terraform-linters/tflint-ruleset-aws/pull/796): Bump golang.org/x/net from 0.32.0 to 0.33.0
+
 ## 0.36.0 (2024-12-08)
 
 ### Breaking Changes

README.md

@@ -19,7 +19,7 @@ You can install the plugin by adding a config to `.tflint.hcl` and running `tfli
 ```hcl
 plugin "aws" {
     enabled = true
-    version = "0.36.0"
+    version = "0.37.0"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 ```

docs/rules/README.md

@@ -68,13 +68,15 @@ These rules enforce best practices and naming conventions:
 |[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
 |[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
+|[aws_iam_policy_attachment_exclusive_attachment](aws_iam_policy_attachment_exclusive_attachment.md)|Consider alternative resources to `aws_iam_policy_attachment`||
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
 |[aws_security_group_inline_rules](aws_security_group_inline_rules.md)|Disallow `ingress` and `egress` arguments of the `aws_security_group` resource||
+|[aws_security_group_rule_deprecated](aws_security_group_rule_deprecated.md)|Disallow using `aws_security_group_rule` resource||
 |[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 
 ### SDK-based Validations
@@ -1176,14 +1178,11 @@ These rules enforce best practices and naming conventions:
 |aws_securityhub_standards_control_invalid_standards_control_arn|✔|
 |aws_securityhub_standards_subscription_invalid_standards_arn|✔|
 |aws_service_discovery_http_namespace_invalid_description|✔|
-|aws_service_discovery_http_namespace_invalid_name|✔|
 |aws_service_discovery_instance_invalid_instance_id|✔|
 |aws_service_discovery_instance_invalid_service_id|✔|
 |aws_service_discovery_private_dns_namespace_invalid_description|✔|
-|aws_service_discovery_private_dns_namespace_invalid_name|✔|
 |aws_service_discovery_private_dns_namespace_invalid_vpc|✔|
 |aws_service_discovery_public_dns_namespace_invalid_description|✔|
-|aws_service_discovery_public_dns_namespace_invalid_name|✔|
 |aws_service_discovery_service_invalid_description|✔|
 |aws_servicecatalog_budget_resource_association_invalid_budget_name|✔|
 |aws_servicecatalog_budget_resource_association_invalid_resource_id|✔|

docs/rules/README.md.tmpl

@@ -68,13 +68,15 @@ These rules enforce best practices and naming conventions:
 |[aws_elasticache_replication_group_previous_type](aws_elasticache_replication_group_previous_type.md)|Disallow using previous node types|✔|
 |[aws_elasticache_replication_group_default_parameter_group](aws_elasticache_replication_group_default_parameter_group.md)|Disallow using default parameter group|✔|
 |[aws_instance_previous_type](aws_instance_previous_type.md)|Disallow using previous generation instance types|✔|
+|[aws_iam_policy_attachment_exclusive_attachment](aws_iam_policy_attachment_exclusive_attachment.md)|Consider alternative resources to `aws_iam_policy_attachment`||
 |[aws_iam_policy_document_gov_friendly_arns](aws_iam_policy_document_gov_friendly_arns.md)|Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's||
 |[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
 |[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
 |[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
 |[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
 |[aws_security_group_inline_rules](aws_security_group_inline_rules.md)|Disallow `ingress` and `egress` arguments of the `aws_security_group` resource||
+|[aws_security_group_rule_deprecated](aws_security_group_rule_deprecated.md)|Disallow using `aws_security_group_rule` resource||
 |[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||
 
 ### SDK-based Validations

docs/rules/aws_iam_policy_attachment_exclusive_attachment.md

@@ -0,0 +1,37 @@
+# aws_iam_policy_attachment_exclusive_attachment
+
+This rule checks whether the `aws_iam_policy_attachment` resource is used.
+
+The `aws_iam_policy_attachment` resource creates exclusive attachments for IAM policies. Within the entire AWS account, all users, roles, and groups that a single policy is attached to must be specified by a single aws_iam_policy_attachment resource. 
+
+## Configuration
+
+```hcl
+rule "aws_iam_policy_attachment_exclusive_attachment" {
+  enabled = true
+}
+```
+
+## Example
+
+```hcl
+resource "aws_iam_policy_attachment" "attachment" {
+	name = "test_attachment"
+}
+```
+
+```shell
+$ tflint
+1 issue(s) found:
+Warning: Within the entire AWS account, all users, roles, and groups that a single policy is attached to must be specified by a single aws_iam_policy_attachment resource. Consider aws_iam_role_policy_attachment, aws_iam_user_policy_attachment, or aws_iam_group_policy_attachment instead. (aws_iam_policy_attachment_has_alternatives)
+  on template.tf line 2:
+   2:  resource "aws_iam_policy_attachment" "attachment" {
+```
+
+## Why
+
+The [`aws_iam_policy_attachment`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) resource creates exclusive attachments of IAM policies. Across the entire AWS account, all the users/roles/groups to which a single policy is attached must be declared by a single `aws_iam_policy_attachment` resource. This means that even any users/roles/groups that have the attached policy via any other mechanism (including other Terraform resources) will have that attached policy revoked by this resource.
+
+## How To Fix
+
+Consider using `aws_iam_role_policy_attachment`, `aws_iam_user_policy_attachment`, or `aws_iam_group_policy_attachment` instead. These resources do not enforce exclusive attachment of an IAM policy.

docs/rules/aws_security_group_rule_deprecated.md

@@ -0,0 +1,30 @@
+# aws_security_group_rule_deprecated
+
+The `aws_security_group_rule` resource should be replaced with `aws_vpc_security_group_egress_rule` or `aws_vpc_security_group_ingress_rule`. It lacks support of unique IDs, tags, and descriptions, and has difficulties managing multiple CIDR blocks.
+
+## Example
+
+```hcl
+resource "aws_security_group_rule" "foo" {
+  security_group_id = "sg-12345678"
+  type              = "ingress"
+}
+```
+
+```sh
+❯ tflint
+1 issue(s) found:
+
+Warning: Consider using aws_vpc_security_group_egress_rule or aws_vpc_security_group_ingress_rule instead. (aws_security_group_rule_deprecated)
+
+  on bastion.tf line 4:
+   4:   resource "aws_security_group_rule" "foo" {
+```
+
+## Why
+
+Avoid using the [`aws_security_group_rule`](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) resource because it has difficulties managing multiple CIDR blocks and historically lacks unique IDs, tags, and descriptions. To prevent these issues, follow the current best practice of using the `aws_vpc_security_group_egress_rule` and `aws_vpc_security_group_ingress_rule` resources.
+
+## How To Fix
+
+Depending on `type`, you can fix the issue by using either `aws_vpc_security_group_egress_rule` or `aws_vpc_security_group_ingress_rule`.

go.mod

@@ -15,43 +15,43 @@ require (
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
 	github.com/terraform-linters/tflint-plugin-sdk v0.21.0
-	github.com/zclconf/go-cty v1.15.1
+	github.com/zclconf/go-cty v1.16.0
 	google.golang.org/grpc v1.65.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 )
 
 require (
-	github.com/aws/aws-sdk-go-v2/service/ec2 v1.195.0
-	github.com/aws/aws-sdk-go-v2/service/ecs v1.52.1
-	github.com/aws/aws-sdk-go-v2/service/elasticache v1.44.1
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.28.6
-	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.1
-	github.com/aws/aws-sdk-go-v2/service/iam v1.38.2
-	github.com/aws/aws-sdk-go-v2/service/rds v1.92.0
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.198.1
+	github.com/aws/aws-sdk-go-v2/service/ecs v1.53.2
+	github.com/aws/aws-sdk-go-v2/service/elasticache v1.44.2
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing v1.28.7
+	github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2 v1.43.2
+	github.com/aws/aws-sdk-go-v2/service/iam v1.38.3
+	github.com/aws/aws-sdk-go-v2/service/rds v1.93.2
 	github.com/aws/smithy-go v1.22.1
 	github.com/hashicorp/aws-sdk-go-base/v2 v2.0.0-beta.59
-	github.com/hashicorp/terraform-json v0.23.0
+	github.com/hashicorp/terraform-json v0.24.0
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
-	golang.org/x/net v0.32.0
+	golang.org/x/net v0.33.0
 )
 
 require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.32.6 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.32.7 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.6 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.28.0 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.41 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.17 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.36.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.10.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.66.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sqs v1.36.2 // indirect