tflint: Rules across multiple resources are not supported

[nmoutschen]

Some rules, such as aws_cloudwatch_log_group_lambda_retention need to evaluate the relationship between different resources defined in Terraform. Usually, this is done by passing references to other resources. For example, for the aforementioned rule:

resource "aws_cloudwatch_log_group" "this" {
  name              = "/aws/lambda/${aws_lambda_function.this.function_name}
  retention_in_days = 7
}

The name property above is not known ahead of time, which isn't supported by TFLint. See this issue for TFLint.

Expected Behavior

Linting terraform files should be able to run with rules that cross-reference resources.

Current Behavior

tflint fails with an Unevaluable expression found error.

Possible Solution

1. Disable all rules that cross-reference resources.
2. Build that feature for tflint.
3. Find another linter for Terraform.
4. Abandon linting for Terraform and implement an alternative solution, such as evaluating resources running on AWS.

I will first disable all rules that cross-reference resources for now, while exploring other solutions.

Steps to Reproduce (for bugs)

1. Clone the repository and checkout the test/tflint branch

git clone https://github.com/awslabs/serverless-rules.git
cd serverless-rules
git checkout test/tflint

2. Run tests for tflint

cd tflint-ruleset-aws-serverless
make test

3. Get an error that the expression is unevaluable.

Error: Failed to check `aws_cloudwatch_log_group_lambda_retention` rule: Unevaluable expression found in XXX/serverless-rules/tflint-ruleset-aws-serverless/tests/aws_cloudwatch_log_group_lambda_retention.pass.tf:10

Environment

• Infrastructure as code technology used:
• (for cfn-lint) Python, cfn-lint, and cfn-lint-serverless versions:
• (for tflint) Go, tflint versions:
• Debugging logs