Merge branch 'terraform-linters:master' into Add-aws_iam_policy_attachment_has_alternatives-rule

Author: metafeather

.github/workflows/build.yml

@@ -21,7 +21,7 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v3
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
         cache: true

.github/workflows/e2e.yml

@@ -24,11 +24,13 @@ jobs:
     - name: Checkout
       uses: actions/checkout@v3
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
     - name: Install TFLint
       run: curl -sL https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Install plugin (Linux)
       if: runner.os == 'Linux'
       run: make install

.github/workflows/generated_code_checks.yml

@@ -8,10 +8,10 @@ jobs:
     steps:
     - name: Checkout
       uses: actions/checkout@v3
-      with:
-        submodules: true
+    - name: Checkout submodules
+      run: git submodule update --init --depth=0
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
         cache: true

.github/workflows/goreleaser.yml

@@ -17,11 +17,11 @@ jobs:
       with:
         fetch-depth: 0
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
     - name: goreleaser check
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v4
       with:
-        version: v1.7.0
+        version: v1.12.3
         args: check

.github/workflows/maintenance.yaml

@@ -2,16 +2,15 @@ on:
   push:
     branches: [ master ]
   schedule:
-    - cron: '*/5 * * * *'
+    - cron: '0 0 * * 1'
   workflow_dispatch: # Enables on-demand/manual triggering
 jobs:
   job:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
-        with:
-          submodules: true
-      - uses: actions/setup-go@v3
+      - run: git submodule update --init --depth=0
+      - uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
       - run: |
@@ -23,12 +22,11 @@ jobs:
           cd ../..
           git submodule update --remote
           go generate ./...
-      - uses: peter-evans/create-pull-request@v4
+      - uses: peter-evans/create-pull-request@v5
         with:
           commit-message: |
-            autogenerated maintenance
-          title: autogenerated maintenance
+            Update AWS provider/module and generated content
+          title: Update AWS provider/module and generated content
           delete-branch: true
           body: |
-            If tests are stuck on https://github.com/peter-evans/create-pull-request/issues/48:
-            ["Manually close pull requests and immediately reopen them. This will enable `on: pull_request` workflows to run and be added as checks."](https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs)
+            This is an automated pull request triggered by GitHub Actions. To trigger check runs, close and re-open it.

.github/workflows/release.yml

@@ -7,6 +7,10 @@ on:
     tags:
     - v*.*.*
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -16,14 +20,16 @@ jobs:
       with:
         fetch-depth: 0
     - name: Set up Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v4
       with:
         go-version-file: 'go.mod'
         cache: true
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
     - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@v3
+      uses: goreleaser/goreleaser-action@v4
       with:
-        version: v1.7.0
+        version: v1.12.3
         args: release --rm-dist
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -22,6 +22,18 @@ changelog:
   skip: true
 checksum:
   name_template: 'checksums.txt'
+signs:
+  - cmd: cosign
+    signature: '${artifact}.keyless.sig'
+    certificate: '${artifact}.pem'
+    output: true
+    artifacts: checksum
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+      - --yes
 release:
   github:
     owner: terraform-linters

CHANGELOG.md

@@ -1,3 +1,130 @@
+## 0.23.1 (2023-05-22)
+
+### Enhancements
+
+- [#484](https://github.com/terraform-linters/tflint-ruleset-aws/pull/484): `aws_route_not_specified_target`: Add core_network_arn as target ([@ttretau](https://github.com/ttretau))
+- [#485](https://github.com/terraform-linters/tflint-ruleset-aws/pull/485) [#487](https://github.com/terraform-linters/tflint-ruleset-aws/pull/487) [#490](https://github.com/terraform-linters/tflint-ruleset-aws/pull/490) [#495](https://github.com/terraform-linters/tflint-ruleset-aws/pull/495): Update AWS provider/module and generated content
+
+### Chores
+
+- [#493](https://github.com/terraform-linters/tflint-ruleset-aws/pull/493): Bump golang.org/x/net from 0.9.0 to 0.10.0
+
+## 0.23.0 (2023-04-22)
+
+### Enhancements
+
+- [#471](https://github.com/terraform-linters/tflint-ruleset-aws/pull/471) [#480](https://github.com/terraform-linters/tflint-ruleset-aws/pull/480): Update AWS provider/module and generated content
+
+### Chores
+
+- [#436](https://github.com/terraform-linters/tflint-ruleset-aws/pull/436): Use NewRunner hook ([@wata727](https://github.com/wata727))
+- [#468](https://github.com/terraform-linters/tflint-ruleset-aws/pull/468): Bump actions/setup-go from 3 to 4
+- [#469](https://github.com/terraform-linters/tflint-ruleset-aws/pull/469): Bump github.com/zclconf/go-cty from 1.13.0 to 1.13.1
+- [#473](https://github.com/terraform-linters/tflint-ruleset-aws/pull/473): Bump peter-evans/create-pull-request from 4 to 5
+- [#475](https://github.com/terraform-linters/tflint-ruleset-aws/pull/475): Bump github.com/terraform-linters/tflint-plugin-sdk from 0.15.0 to 0.16.1
+- [#477](https://github.com/terraform-linters/tflint-ruleset-aws/pull/477): docs: copy edits for deep check ([@bendrucker](https://github.com/bendrucker))
+- [#481](https://github.com/terraform-linters/tflint-ruleset-aws/pull/481): Follow up of the EnsureNoError deprecation ([@wata727](https://github.com/wata727))
+
+## 0.22.1 (2023-03-18)
+
+- [#465](https://github.com/terraform-linters/tflint-ruleset-aws/pull/465): Fix Cosign v2 signing ([@wata727](https://github.com/wata727))
+
+## 0.22.0 (2023-03-18)
+
+### Breaking Changes
+
+- [#462](https://github.com/terraform-linters/tflint-ruleset-aws/pull/462): appsync: Remove invalid regexp rules ([@wata727](https://github.com/wata727))
+
+### Enhancements
+
+- [#444](https://github.com/terraform-linters/tflint-ruleset-aws/pull/444) [#451](https://github.com/terraform-linters/tflint-ruleset-aws/pull/451) [#454](https://github.com/terraform-linters/tflint-ruleset-aws/pull/454): Update AWS provider/module and generated content
+
+### BugFixes
+
+- [#455](https://github.com/terraform-linters/tflint-ruleset-aws/pull/455): aws_acm_certificate: fix false positive for private CA ([@bendrucker](https://github.com/bendrucker) [@wata727](https://github.com/wata727))
+
+### Chores
+
+- [#445](https://github.com/terraform-linters/tflint-ruleset-aws/pull/445) [#452](https://github.com/terraform-linters/tflint-ruleset-aws/pull/452) [#460](https://github.com/terraform-linters/tflint-ruleset-aws/pull/460): Bump github.com/hashicorp/hcl/v2 from 2.15.0 to 2.16.2
+- [#447](https://github.com/terraform-linters/tflint-ruleset-aws/pull/447) [#449](https://github.com/terraform-linters/tflint-ruleset-aws/pull/449) [#459](https://github.com/terraform-linters/tflint-ruleset-aws/pull/459): Bump golang.org/x/net from 0.5.0 to 0.8.0
+- [#450](https://github.com/terraform-linters/tflint-ruleset-aws/pull/450): Fix submodule checkout issue ([@wata727](https://github.com/wata727))
+- [#457](https://github.com/terraform-linters/tflint-ruleset-aws/pull/457): Bump github.com/zclconf/go-cty from 1.12.1 to 1.13.0
+- [#458](https://github.com/terraform-linters/tflint-ruleset-aws/pull/458): Bump sigstore/cosign-installer from 2 to 3
+- [#463](https://github.com/terraform-linters/tflint-ruleset-aws/pull/463): Fix generated_code_checks workflow step ([@wata727](https://github.com/wata727))
+- [#464](https://github.com/terraform-linters/tflint-ruleset-aws/pull/464): go 1.20 ([@wata727](https://github.com/wata727))
+
+## 0.21.2 (2023-02-03)
+
+### Enhancements
+
+- [#431](https://github.com/terraform-linters/tflint-ruleset-aws/pull/431) [#442](https://github.com/terraform-linters/tflint-ruleset-aws/pull/442): Update AWS provider/module and generated content
+
+### Chores
+
+- [#433](https://github.com/terraform-linters/tflint-ruleset-aws/pull/433) [#441](https://github.com/terraform-linters/tflint-ruleset-aws/pull/441): Bump golang.org/x/net from 0.2.0 to 0.5.0
+- [#434](https://github.com/terraform-linters/tflint-ruleset-aws/pull/434): Bump goreleaser/goreleaser-action from 3 to 4
+- [#435](https://github.com/terraform-linters/tflint-ruleset-aws/pull/435): Pass `GITHUB_TOKEN` to e2e test workflow ([@wata727](https://github.com/wata727))
+- [#437](https://github.com/terraform-linters/tflint-ruleset-aws/pull/437): Bump github.com/terraform-linters/tflint-plugin-sdk from 0.14.0 to 0.15.0
+
+## 0.21.1 (2022-12-12)
+
+### BugFixes
+
+- [#430](https://github.com/terraform-linters/tflint-ruleset-aws/pull/430): `elasticache_cluster_previous_type`: fix panic on empty string ([@bendrucker](https://github.com/bendrucker))
+
+### Chores
+
+- [#407](https://github.com/terraform-linters/tflint-ruleset-aws/pull/407): autogenerated maintenance
+
+## 0.21.0 (2022-12-05)
+
+### Enhancements
+
+- [#403](https://github.com/terraform-linters/tflint-ruleset-aws/pull/403): autogenerated maintenance
+- [#405](https://github.com/terraform-linters/tflint-ruleset-aws/pull/405) [#406](https://github.com/terraform-linters/tflint-ruleset-aws/pull/406): Add assume role configuration to plugin config ([@kaito3desuyo](https://github.com/kaito3desuyo))
+
+## 0.20.0 (2022-11-27)
+
+### Enhancements
+
+- [#400](https://github.com/terraform-linters/tflint-ruleset-aws/pull/400): autogenerated maintenance
+
+### Chores
+
+- [#399](https://github.com/terraform-linters/tflint-ruleset-aws/pull/399): Bump up GoReleaser version in release.yml ([@wata727](https://github.com/wata727))
+- [#401](https://github.com/terraform-linters/tflint-ruleset-aws/pull/401): Bump golang.org/x/net from 0.1.0 to 0.2.0
+
+## 0.19.0 (2022-11-14)
+
+### Enhancements
+
+- [#390](https://github.com/terraform-linters/tflint-ruleset-aws/pull/390): autogenerated maintenance
+
+### BugFixes
+
+- [#397](https://github.com/terraform-linters/tflint-ruleset-aws/pull/397): Prefer credentials in "plugin" blocks over "provider" blocks ([@wata727](https://github.com/wata727))
+
+### Chores
+
+- [#394](https://github.com/terraform-linters/tflint-ruleset-aws/pull/394): Add signatures for keyless signing ([@wata727](https://github.com/wata727))
+- [#395](https://github.com/terraform-linters/tflint-ruleset-aws/pull/395): Bump github.com/hashicorp/hcl/v2 from 2.14.1 to 2.15.0
+- [#398](https://github.com/terraform-linters/tflint-ruleset-aws/pull/398): Bump up GoReleaser version ([@wata727](https://github.com/wata727))
+
+## 0.18.0 (2022-10-24)
+
+### Breaking Changes
+
+- [#367](https://github.com/terraform-linters/tflint-ruleset-aws/pull/367): remove hardcoded S3 region rule ([@PatMyron](https://github.com/PatMyron))
+
+### Enhancements
+
+- [#382](https://github.com/terraform-linters/tflint-ruleset-aws/pull/382): autogenerated maintenance
+- [#388](https://github.com/terraform-linters/tflint-ruleset-aws/pull/388): Bump tflint-plugin-sdk to v0.14.0 ([@wata727](https://github.com/wata727))
+
+### Chores
+
+- [#387](https://github.com/terraform-linters/tflint-ruleset-aws/pull/387): Bump github.com/dave/dst from 0.27.0 to 0.27.2
+
 ## 0.17.1 (2022-09-29)
 
 ### Enhancements

README.md

@@ -10,7 +10,7 @@ This ruleset focus on possible errors and best practices about AWS resources. Ma
 ## Requirements
 
 - TFLint v0.40+
-- Go v1.19
+- Go v1.20
 
 ## Installation
 
@@ -19,7 +19,7 @@ You can install the plugin by adding a config to `.tflint.hcl` and running `tfli
 ```hcl
 plugin "aws" {
     enabled = true
-    version = "0.17.1"
+    version = "0.23.1"
     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
 ```

aws/config.go

@@ -1,21 +1,38 @@
 package aws
 
+type AssumeRole struct {
+	RoleARN     string `hclext:"role_arn,optional"`
+	ExternalID  string `hclext:"external_id,optional"`
+	Policy      string `hclext:"policy,optional"`
+	SessionName string `hclext:"session_name,optional"`
+}
+
 // Config is the configuration for the ruleset.
 type Config struct {
-	DeepCheck             bool   `hclext:"deep_check,optional"`
-	AccessKey             string `hclext:"access_key,optional"`
-	SecretKey             string `hclext:"secret_key,optional"`
-	Region                string `hclext:"region,optional"`
-	Profile               string `hclext:"profile,optional"`
-	SharedCredentialsFile string `hclext:"shared_credentials_file,optional"`
+	DeepCheck              bool       `hclext:"deep_check,optional"`
+	AccessKey              string     `hclext:"access_key,optional"`
+	SecretKey              string     `hclext:"secret_key,optional"`
+	Region                 string     `hclext:"region,optional"`
+	Profile                string     `hclext:"profile,optional"`
+	SharedCredentialsFile  string     `hclext:"shared_credentials_file,optional"`
+	AssumeRole            *AssumeRole `hclext:"assume_role,block"`
 }
 
 func (c *Config) toCredentials() Credentials {
-	return Credentials{
+	credentials := Credentials{
 		AccessKey: c.AccessKey,
 		SecretKey: c.SecretKey,
 		Region:    c.Region,
 		Profile:   c.Profile,
 		CredsFile: c.SharedCredentialsFile,
 	}
+
+	if c.AssumeRole != nil {
+		credentials.AssumeRoleARN         = c.AssumeRole.RoleARN
+		credentials.AssumeRoleExternalID  = c.AssumeRole.ExternalID
+		credentials.AssumeRolePolicy      = c.AssumeRole.Policy
+		credentials.AssumeRoleSessionName = c.AssumeRole.SessionName
+	}
+
+	return credentials
 }