Merge pull request #1506 from alphagov/appease_tflint

Appease TFLint

Author: sarahseewhy

.github/workflows/terraform-ci.yml

@@ -152,16 +152,7 @@ jobs:
 
       - name: Run tflint
         run: |
-          tflint_deadline=$(date -d 2025-06-01 +%s)
-          now=$(date +%s)
-          info_only=true
-          
-          if [ "${now}" -ge "${tflint_deadline}" ]; then
-            echo "The deadline for addressing tflint errors has passed. They have begun failing the tests"
-            info_only=false
-          fi
-          
-          make tflint TFLINT_INFO_ONLY=$info_only
+          make tflint
 
       - name: Run Checkov against Terraform
         uses: "docker://ghcr.io/bridgecrewio/checkov:3.2.386"

.tflint.hcl

@@ -8,3 +8,13 @@ plugin "aws" {
   version = "0.37.0"
   source  = "github.com/terraform-linters/tflint-ruleset-aws"
 }
+
+rule "terraform_unused_declarations" {
+  # disabled because we use a shared "inputs.tf" file and a set of ".tfvars" filesin a lot of places
+  # and tflint is unable to tell the difference between a variable being unused in a particular root
+  # and a variable being completely unused.
+  #
+  # If asked to fix the problem, tflint will simply delete all the variables it thinks aren't used,
+  # which results in half the variables being deleted erronously.
+  enabled = false
+}

Makefile

@@ -2,11 +2,6 @@ ROOT_DIR:=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 CODEBUILD_CI ?= false
 SHELL=/usr/bin/env bash
 
-TFLINT_INFO_ONLY ?= false
-ifeq ($(TFLINT_INFO_ONLY), true)
-	TFLINT_ARGS = --force
-endif
-
 ##
 # Environment targets
 ##
@@ -173,23 +168,34 @@ tflint_init:
 
 .PHONY: tflint_modules
 tflint_modules:
-	tflint --chdir=infra/modules/ --recursive --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS}
+	@# some rules are disabled because modules don't
+	@# need to define the things those rules check for
+	tflint --chdir=infra/modules/ --recursive --config "$$(pwd)/.tflint.hcl" \
+		--disable-rule "terraform_required_version" \
+		--disable-rule "terraform_required_providers" \
+		${TFLINT_ARGS}
 
 .PHONY: tflint_deploy
 tflint_deploy:
-	tflint --chdir=infra/deployments/deploy/ --recursive --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS}
+	for root in $(DEPLOY_TF_ROOTS); do \
+		tflint --chdir="infra/deployments/$${root}" --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS}; \
+	done;
 
 .PHONY: tflint_forms
 tflint_forms:
-	tflint --chdir=infra/deployments/forms/ --recursive --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS} \
-		--var-file="$$(pwd)/infra/deployments/forms/tfvars/production.tfvars" \
-		--var-file="$$(pwd)/infra/deployments/forms/account/tfvars/backends/production.tfvars"
+	for root in $(FORMS_TF_ROOTS); do \
+		tflint --chdir="infra/deployments/$${root}" --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS} \
+			--var-file="$$(pwd)/infra/deployments/forms/tfvars/production.tfvars" \
+			--var-file="$$(pwd)/infra/deployments/forms/account/tfvars/backends/production.tfvars"; \
+	done;
 
 .PHONY: tflint_integration
 tflint_integration:
-	tflint --chdir=infra/deployments/integration/ --recursive --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS} \
-		--var-file="$$(pwd)/infra/deployments/integration/tfvars/integration.tfvars" \
-		--var-file="$$(pwd)/infra/deployments/integration/tfvars/backend/integration.tfvars"
+	for root in $(INTEGRATION_TF_ROOTS); do \
+		tflint --chdir="infra/deployments/$${root}" --config "$$(pwd)/.tflint.hcl" ${TFLINT_ARGS} \
+			--var-file="$$(pwd)/infra/deployments/integration/tfvars/integration.tfvars" \
+			--var-file="$$(pwd)/infra/deployments/integration/tfvars/backend/integration.tfvars"; \
+	done;
 
 ##
 # Help text
@@ -274,9 +280,14 @@ TASKS
 	help		This help text
 	fmt		Automatically format all Terraform code
 	lint		Run all linting tasks
-	checkov		Run Checkov (a Terraform linter) against all Terraform code
 	lint_ruby	Run Rubocop against all Ruby code
 	spec		Run Rspec tests against Ruby and Terraform code
+
+	checkov		Run Checkov (a Terraform linter) against all Terraform code
+			Checkov is evaluating how we configure things in AWS.
+
+	tflint		Run TFLint (a Terraform linter) against all Terraform code.
+			TFLint is evaluating the quality of our Terraform code.	
 endef
 export help_tasks
 

infra/modules/code-build-docker-build/iam.tf

@@ -38,7 +38,7 @@ data "aws_iam_policy_document" "codebuild" {
     ]
     resources = [
       "${var.artifact_store_arn}/*",
-      "${var.artifact_store_arn}"
+      var.artifact_store_arn
     ]
     effect = "Allow"
   }

infra/modules/code-build-run-e2e-tests/iam.tf

@@ -34,7 +34,7 @@ data "aws_iam_policy_document" "codebuild" {
     ]
     resources = [
       "${var.artifact_store_arn}/*",
-      "${var.artifact_store_arn}"
+      var.artifact_store_arn
     ]
     effect = "Allow"
   }

infra/modules/environment/alb.tf

@@ -147,7 +147,7 @@ module "acm_certicate_with_validation" {
   }
 
   domain_name               = var.root_domain
-  subject_alternative_names = lookup(local.subject_alternative_names, var.env_name)
+  subject_alternative_names = local.subject_alternative_names[var.env_name]
 }
 
 resource "aws_lb_listener" "listener" {

infra/modules/environment/cloudfront.tf

@@ -8,7 +8,7 @@ module "cloudfront" {
   }
 
   env_name                = var.env_name
-  domain_name             = "${lookup(local.domain_names, var.env_name)}forms.service.gov.uk"
+  domain_name             = "${local.domain_names[var.env_name]}forms.service.gov.uk"
   alb_dns_name            = aws_lb.alb.dns_name
   ip_rate_limit           = var.ip_rate_limit
   ips_to_block            = var.ips_to_block
@@ -19,7 +19,7 @@ module "cloudfront" {
     aws_nat_gateway.nat_c.public_ip,
   ]
 
-  subject_alternative_names = lookup(local.subject_alternative_names, var.env_name)
+  subject_alternative_names = local.subject_alternative_names[var.env_name]
 }
 
 resource "aws_ssm_parameter" "email_zendesk" {

infra/modules/forms-product-page/variables.tf

@@ -24,6 +24,7 @@ variable "memory" {
 variable "zendesk_subdomain" {
   description = "The Zendesk tenant the support form should create tickets on"
   default     = "govuk"
+  type        = string
 }
 
 variable "admin_base_url" {

infra/modules/gds-user-role/variables.tf

@@ -1,6 +1,12 @@
-variable "role_suffix" {}
+variable "role_suffix" {
+  type        = string
+  description = "The value to be used as a suffix on each role. This value will be prefixed with a dash, so it does not need to be included"
+}
 
-variable "email" {}
+variable "email" {
+  type        = string
+  description = "The email address of the human who will use this role"
+}
 
 variable "iam_policy_arns" {
   type = list(any)

infra/modules/rds/rds.tf

@@ -1,7 +1,7 @@
 locals {
   rds_port            = 5432
   timestamp           = timestamp()
-  timestamp_sanitized = replace("${local.timestamp}", "/[- TZ:]/", "")
+  timestamp_sanitized = replace(local.timestamp, "/[- TZ:]/", "")
 }
 
 data "aws_ssm_parameter" "database_password" {