Detect string arguments where resource address attributes should instead be used.

[wayneworkman]

Introduction

Proposal

I propose that tflint introduce new functionality to detect strings being used where resource address attributes could be used instead.

For example, consider the following poorly written Terraform:

resource "aws_s3_bucket" "s3_batch_replication" {
  bucket = "s3-batch-replication-${var.region}-${data.aws_caller_identity.current.account_id}"
}
 
resource "aws_s3_bucket_acl" "s3_batch_replication" {
  bucket = "s3-batch-replication-${var.region}-${data.aws_caller_identity.current.account_id}"
  acl    = "private"
}

The best-practice way to write this Terraform would be:

resource "aws_s3_bucket" "s3_batch_replication" {
  bucket = "s3-batch-replication-${var.region}-${data.aws_caller_identity.current.account_id}"
}
 
resource "aws_s3_bucket_acl" "s3_batch_replication" {
  bucket = aws_s3_bucket.s3_batch_replication.id
  acl    = "private"
}

You can see within the poorly written Terraform the aws_s3_bucket_acl.s3_batch_replication.bucket argument being specified is using the same string concatenation as used for the bucket name in aws_s3_bucket.s3_batch_replication.bucket.

I propose tflint recognizes that aws_s3_bucket_acl.s3_batch_replication.bucket is being passed a non-resource-address attribute. When tflint sees this, it should look for an aws s3 bucket name in the project that would result in the exact same name.

In this case, tflint would find aws_s3_bucket.s3_batch_replication.bucket has the same resultant value being provided as aws_s3_bucket_acl.s3_batch_replication.bucket, and would propose to the end user that aws_s3_bucket.s3_batch_replication.id should be used instead, as shown in the best-practice example.

I think this is a fairly large feature request, as the arguments for so many resource types and data sources would need analyzed. Though, if this could be done, then I believe tflint will instantly rise to the top as the standard tool to ensure quality Terraform.