Raise Error when trying to put a bucket policy to a bucket that its' block_public_policy is false ?

[tsugumi-sys]

When trying to put bucket policy to a bucket that its' block_public_policy is false, no tools (terraform plan, validate, e.t.c) raise error and terraform apply raises an error.

I think it would be greate if tflint catch this error before terraform apply. What do you think?

[tsugumi-sys]

I did some simple test for this case and this case may be out of scope of tflint....

I tried to catch aws_s3_bucket_policy resource error using like the code below (raise error at all times), and tflint does not throw error. But if I changed bucket = aws_s3_bucket.test-bucket.id(variable) in aws_s3_bucket_policy to bucket = "test" (string), tflint throws error.

add new rule

package rules

import (
  "fmt"

	"github.com/terraform-linters/tflint-plugin-sdk/hclext"
	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
	"github.com/terraform-linters/tflint-ruleset-aws/project"
)

// TODO: Write the rule's description here
// AwsS3BucketPolicyInvalidAttachRule checks ...
type AwsS3BucketPolicyInvalidAttachRule struct {
	tflint.DefaultRule

	resourceType  string
	attributeName string
}

// NewAwsS3BucketPolicyInvalidAttachRule returns new rule with default attributes
func NewAwsS3BucketPolicyInvalidAttachRule() *AwsS3BucketPolicyInvalidAttachRule {
	return &AwsS3BucketPolicyInvalidAttachRule{
		// TODO: Write resource type and attribute name here
		resourceType:  "aws_s3_bucket_policy",
		attributeName: "bucket",
	}
}

// Name returns the rule name
func (r *AwsS3BucketPolicyInvalidAttachRule) Name() string {
	return "aws_s3_bucket_policy_invalid_attach"
}

// Enabled returns whether the rule is enabled by default
func (r *AwsS3BucketPolicyInvalidAttachRule) Enabled() bool {
	// TODO: Determine whether the rule is enabled by default
	return true
}

// Severity returns the rule severity
func (r *AwsS3BucketPolicyInvalidAttachRule) Severity() tflint.Severity {
	// TODO: Determine the rule's severiry
	return tflint.WARNING
}

// Link returns the rule reference link
func (r *AwsS3BucketPolicyInvalidAttachRule) Link() string {
	// TODO: If the rule is so trivial that no documentation is needed, return "" instead.
	return project.ReferenceLink(r.Name())
}

// TODO: Write the details of the inspection
// Check checks ...
func (r *AwsS3BucketPolicyInvalidAttachRule) Check(runner tflint.Runner) error {
	// TODO: Write the implementation here. See this documentation for what tflint.Runner can do.
	//       https://pkg.go.dev/github.com/terraform-linters/tflint-plugin-sdk/tflint#Runner

	resources, err := runner.GetResourceContent(r.resourceType, &hclext.BodySchema{
		Attributes: []hclext.AttributeSchema{
			{Name: r.attributeName},
		},
	}, nil)
	if err != nil {
		return err
	}

	for _, resource := range resources.Blocks {
		attribute, exists := resource.Body.Attributes[r.attributeName]
		if !exists {
			continue
		}

		var bucket_name string
		err := runner.EvaluateExpr(attribute.Expr, &bucket_name, nil)

		err = runner.EnsureNoError(err, func() error {
			if true {
				runner.EmitIssue(
					r,
					fmt.Sprintf(`The bucket is "%s"`, bucket_name),
					attribute.Expr.Range(),
				)
			}
			return nil
		})
		if err != nil {
			return err
		}
	}

	return nil
}

test.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.16"
    }
  }

  required_version = ">= 1.2.0"
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_s3_bucket" "test-bucket" {
  bucket = "test-bucket"
}

resource "aws_s3_bucket_public_access_block" "test-acl" {
  bucket = aws_s3_bucket.test-bucket.id

  block_public_policy     = true
}

resource "aws_s3_bucket_policy" "test-bucket-policy" {
  bucket = aws_s3_bucket.test-bucket.id
  # If the settings are variable (like aws_s3_bucket.bucket.id), the tflint does not catch the resource.
  policy = data.aws_iam_policy_document.test-bucket-policy.json
}

data "aws_iam_policy_document" "test-bucket-policy" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.test-bucket}/*"]
  }
}

[wata727]

The reason the issue is not reported is that the aws_s3_bucket.test-bucket.id cannot be evaluated.
https://github.com/terraform-linters/tflint/blob/v0.42.2/docs/user-guide/compatibility.md#unsupported-named-values

In this case, the EvaluateExpr() API returns an error and does not invoke the EnsureNoError() callback.