Warn against secrets in state and promote ephemeral resources and write-only arguments

[aristosvo]

Introduction

I have introduced two rules for ephemeral resources/write-only arguments for the AWS provider linter based on this issue, the last one being under review (tflint-ruleset-aws #861).

The question is how to bring these rules towards other providers, because this is not an issue limited to one provider.

Proposals

• Proposal 1:
  The first proposal is to implement these two rules for every provider ruleset. This should not take long, as the code can be basically copy-pasted into each ruleset. The rules logic could lean more on the SDK to reduce the amount of code duplication.

• Proposal 2:
  As the specific rulesets don't cover all known providers (and most specifically the hashicorp/random provider), we miss one of the most of the ephemeral replacement options:
  resource.random_password ➡ ephemeral.random_password

  • Option a:
    To fix that we would have to include the same two rules for all other (or just a list of most used, to be extended) providers in tflint itself.
  • Option b:
    To fix that we would have to include the same two rules for all other (or just a list of most used, to be extended) providers in a separate ruleset.

References

• https://registry.terraform.io/providers/hashicorp/random/latest/docs/ephemeral-resources/password
• https://developer.hashicorp.com/terraform/language/resources/ephemeral
• https://developer.hashicorp.com/terraform/language/resources/ephemeral/write-only