fix: add *_wo_version attribute via autofix as well

aristosvo · aristosvo · commit 6780682296b9 · 2025-04-18T15:58:32.000+03:00
diff --git a/rules/ephemeral/aws_write_only_arguments.go b/rules/ephemeral/aws_write_only_arguments.go
@@ -19,53 +19,61 @@ type AwsWriteOnlyArgumentsRule struct {
 }
 
 type writeOnlyArgument struct {
-	originalAttribute    string
-	writeOnlyAlternative string
+	originalAttribute         string
+	writeOnlyAlternative      string
+	writeOnlyVersionAttribute string
 }
 
 // NewAwsWriteOnlyArgumentsRule returns new rule with default attributes
 func NewAwsWriteOnlyArgumentsRule() *AwsWriteOnlyArgumentsRule {
 	writeOnlyArguments := map[string][]writeOnlyArgument{
 		"aws_db_instance": {
 			{
-				originalAttribute:    "password",
-				writeOnlyAlternative: "password_wo",
+				originalAttribute:         "password",
+				writeOnlyAlternative:      "password_wo",
+				writeOnlyVersionAttribute: "password_wo_version",
 			},
 		},
 		"aws_docdb_cluster": {
 			{
-				originalAttribute:    "master_password",
-				writeOnlyAlternative: "master_password_wo",
+				originalAttribute:         "master_password",
+				writeOnlyAlternative:      "master_password_wo",
+				writeOnlyVersionAttribute: "master_password_wo_version",
 			},
 		},
 		"aws_rds_cluster": {
 			{
-				originalAttribute:    "master_password",
-				writeOnlyAlternative: "master_password_wo",
+				originalAttribute:         "master_password",
+				writeOnlyAlternative:      "master_password_wo",
+				writeOnlyVersionAttribute: "master_password_wo_version",
 			},
 		},
 		"aws_redshift_cluster": {
 			{
-				originalAttribute:    "master_password",
-				writeOnlyAlternative: "master_password_wo",
+				originalAttribute:         "master_password",
+				writeOnlyAlternative:      "master_password_wo",
+				writeOnlyVersionAttribute: "master_password_wo_version",
 			},
 		},
 		"aws_redshiftserverless_namespace": {
 			{
-				originalAttribute:    "admin_user_password",
-				writeOnlyAlternative: "admin_user_password_wo",
+				originalAttribute:         "admin_user_password",
+				writeOnlyAlternative:      "admin_user_password_wo",
+				writeOnlyVersionAttribute: "admin_user_password_wo_version",
 			},
 		},
 		"aws_secretsmanager_secret_version": {
 			{
-				originalAttribute:    "secret_string",
-				writeOnlyAlternative: "secret_string_wo",
+				originalAttribute:         "secret_string",
+				writeOnlyAlternative:      "secret_string_wo",
+				writeOnlyVersionAttribute: "secret_string_wo_version",
 			},
 		},
 		"aws_ssm_parameter": {
 			{
-				originalAttribute:    "value",
-				writeOnlyAlternative: "value_wo",
+				originalAttribute:         "value",
+				writeOnlyAlternative:      "value_wo",
+				writeOnlyVersionAttribute: "value_wo_version",
 			},
 		},
 	}
@@ -120,7 +128,11 @@ func (r *AwsWriteOnlyArgumentsRule) Check(runner tflint.Runner) error {
 							fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument \"%s\".", resourceAttribute.originalAttribute, resourceAttribute.writeOnlyAlternative),
 							attribute.Expr.Range(),
 							func(f tflint.Fixer) error {
-								return f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+								err := f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+								if err != nil {
+									return err
+								}
+								return f.InsertTextAfter(attribute.Range, fmt.Sprintf("\n  %s = 1", resourceAttribute.writeOnlyVersionAttribute))
 							},
 						); err != nil {
 							return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
diff --git a/rules/ephemeral/aws_write_only_arguments_rule.go.tmpl b/rules/ephemeral/aws_write_only_arguments_rule.go.tmpl
@@ -19,8 +19,9 @@ type AwsWriteOnlyArgumentsRule struct {
 }
 
 type writeOnlyArgument struct {
-	originalAttribute    string
-	writeOnlyAlternative string
+	originalAttribute         string
+	writeOnlyAlternative      string
+	writeOnlyVersionAttribute string
 }
 
 // NewAwsWriteOnlyArgumentsRule returns new rule with default attributes
@@ -29,8 +30,9 @@ func NewAwsWriteOnlyArgumentsRule() *AwsWriteOnlyArgumentsRule {
 		{{- range $name, $value := . }}
 		"{{ $name }}": { {{- range $kk, $writeOnly := $value }}
 			{
-				originalAttribute:    "{{ $writeOnly.OriginalAttribute }}",
-				writeOnlyAlternative: "{{ $writeOnly.WriteOnlyAlternative }}",
+				originalAttribute:         "{{ $writeOnly.OriginalAttribute }}",
+				writeOnlyAlternative:      "{{ $writeOnly.WriteOnlyAlternative }}",
+				writeOnlyVersionAttribute: "{{ $writeOnly.WriteOnlyVersionAttribute }}",
 			},
 		},
 		{{- end -}}{{- end }}
@@ -86,7 +88,11 @@ func (r *AwsWriteOnlyArgumentsRule) Check(runner tflint.Runner) error {
 							fmt.Sprintf("\"%s\" is a non-ephemeral attribute, which means this secret is stored in state. Please use write-only argument \"%s\".", resourceAttribute.originalAttribute, resourceAttribute.writeOnlyAlternative),
 							attribute.Expr.Range(),
 							func(f tflint.Fixer) error {
-								return f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+								err := f.ReplaceText(attribute.NameRange, resourceAttribute.writeOnlyAlternative)
+								if err != nil {
+									return err
+								}
+								return f.InsertTextAfter(attribute.Range, fmt.Sprintf("\n  %s = 1", resourceAttribute.writeOnlyVersionAttribute))
 							},
 						); err != nil {
 							return fmt.Errorf("failed to call EmitIssueWithFix(): %w", err)
diff --git a/rules/ephemeral/aws_write_only_arguments_rule_test.go.tmpl b/rules/ephemeral/aws_write_only_arguments_rule_test.go.tmpl
@@ -32,15 +32,17 @@ resource "{{ $name }}" "test" {
 			},
 			Fixed: `
 resource "{{ $name }}" "test" {
-  {{ $writeOnly.WriteOnlyAlternative }} = "test"
+  {{ $writeOnly.WriteOnlyAlternative }}         = "test"
+  {{ $writeOnly.WriteOnlyVersionAttribute }} = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine {{ $name }}",
 			Content: `
 resource "{{ $name }}" "test" {
-  {{ $writeOnly.WriteOnlyAlternative }} = "test"
+  {{ $writeOnly.WriteOnlyAlternative }}         = "test"
+  {{ $writeOnly.WriteOnlyVersionAttribute }} = 1
 }
 `,
 			Expected: helper.Issues{},
diff --git a/rules/ephemeral/aws_write_only_arguments_test.go b/rules/ephemeral/aws_write_only_arguments_test.go
@@ -30,15 +30,17 @@ resource "aws_db_instance" "test" {
 			},
 			Fixed: `
 resource "aws_db_instance" "test" {
-  password_wo = "test"
+  password_wo         = "test"
+  password_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_db_instance",
 			Content: `
 resource "aws_db_instance" "test" {
-  password_wo = "test"
+  password_wo         = "test"
+  password_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -58,15 +60,17 @@ resource "aws_docdb_cluster" "test" {
 			},
 			Fixed: `
 resource "aws_docdb_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_docdb_cluster",
 			Content: `
 resource "aws_docdb_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -86,15 +90,17 @@ resource "aws_rds_cluster" "test" {
 			},
 			Fixed: `
 resource "aws_rds_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_rds_cluster",
 			Content: `
 resource "aws_rds_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -114,15 +120,17 @@ resource "aws_redshift_cluster" "test" {
 			},
 			Fixed: `
 resource "aws_redshift_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_redshift_cluster",
 			Content: `
 resource "aws_redshift_cluster" "test" {
-  master_password_wo = "test"
+  master_password_wo         = "test"
+  master_password_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -142,15 +150,17 @@ resource "aws_redshiftserverless_namespace" "test" {
 			},
 			Fixed: `
 resource "aws_redshiftserverless_namespace" "test" {
-  admin_user_password_wo = "test"
+  admin_user_password_wo         = "test"
+  admin_user_password_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_redshiftserverless_namespace",
 			Content: `
 resource "aws_redshiftserverless_namespace" "test" {
-  admin_user_password_wo = "test"
+  admin_user_password_wo         = "test"
+  admin_user_password_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -170,15 +180,17 @@ resource "aws_secretsmanager_secret_version" "test" {
 			},
 			Fixed: `
 resource "aws_secretsmanager_secret_version" "test" {
-  secret_string_wo = "test"
+  secret_string_wo         = "test"
+  secret_string_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_secretsmanager_secret_version",
 			Content: `
 resource "aws_secretsmanager_secret_version" "test" {
-  secret_string_wo = "test"
+  secret_string_wo         = "test"
+  secret_string_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
@@ -198,15 +210,17 @@ resource "aws_ssm_parameter" "test" {
 			},
 			Fixed: `
 resource "aws_ssm_parameter" "test" {
-  value_wo = "test"
+  value_wo         = "test"
+  value_wo_version = 1
 }
 `,
 		},
 		{
 			Name: "everything is fine aws_ssm_parameter",
 			Content: `
 resource "aws_ssm_parameter" "test" {
-  value_wo = "test"
+  value_wo         = "test"
+  value_wo_version = 1
 }
 `,
 			Expected: helper.Issues{},
diff --git a/rules/ephemeral/generator/main.go b/rules/ephemeral/generator/main.go
@@ -10,8 +10,9 @@ import (
 )
 
 type writeOnlyArgument struct {
-	OriginalAttribute    string
-	WriteOnlyAlternative string
+	OriginalAttribute         string
+	WriteOnlyAlternative      string
+	WriteOnlyVersionAttribute string
 }
 
 func main() {
@@ -38,10 +39,13 @@ func findReplaceableAttribute(arguments []string, resource *tfjson.Schema) []wri
 
 	for _, argument := range arguments {
 		// Check if the argument ends with "_wo" and if the original attribute without "_wo" suffix exists in the resource schema
-		if attribute := strings.TrimSuffix(argument, "_wo"); strings.HasSuffix(argument, "_wo") && resource.Block.Attributes[attribute] != nil {
+		attribute := strings.TrimSuffix(argument, "_wo")
+		versionAttribute := attribute + "_wo_version"
+		if strings.HasSuffix(argument, "_wo") && resource.Block.Attributes[attribute] != nil && resource.Block.Attributes[versionAttribute] != nil {
 			writeOnlyArguments = append(writeOnlyArguments, writeOnlyArgument{
-				OriginalAttribute:    attribute,
-				WriteOnlyAlternative: argument,
+				OriginalAttribute:         attribute,
+				WriteOnlyAlternative:      argument,
+				WriteOnlyVersionAttribute: versionAttribute,
 			})
 		}
 	}
diff --git a/rules/provider.go b/rules/provider.go
@@ -44,6 +44,7 @@ var manualRules = []tflint.Rule{
 	NewAwsProviderMissingDefaultTagsRule(),
 	NewAwsSecurityGroupInlineRulesRule(),
 	NewAwsSecurityGroupRuleDeprecatedRule(),
+	NewAwsIAMRoleDeprecatedPolicyAttributesRule(),
 	ephemeral.NewAwsWriteOnlyArgumentsRule(),
 }
 

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,7 @@ var manualRules = []tflint.Rule{`
`44`	`44`	`NewAwsProviderMissingDefaultTagsRule(),`
`45`	`45`	`NewAwsSecurityGroupInlineRulesRule(),`
`46`	`46`	`NewAwsSecurityGroupRuleDeprecatedRule(),`
	`47`	`+ NewAwsIAMRoleDeprecatedPolicyAttributesRule(),`
`47`	`48`	`ephemeral.NewAwsWriteOnlyArgumentsRule(),`
`48`	`49`	`}`
`49`	`50`