.ci/semgrep: add disappears-expect-resource-action rule (#47914)

jar-b · web-flow · commit 33740189a8b0 · 2026-05-14T16:17:47.000-04:00
This rule requires that `_disappears` acceptance tests include a `PostApplyPostRefresh` config plan check that asserts the resource under test is planned for creation. This ensures that the expected non-empty plan is caused by the resource being tested and not a dependency or other side-effect of the apply.
diff --git a/.ci/semgrep/acctest/disappears.go b/.ci/semgrep/acctest/disappears.go
@@ -0,0 +1,259 @@
+// Copyright IBM Corp. 2014, 2026
+// SPDX-License-Identifier: MPL-2.0
+
+package main
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
+	"github.com/hashicorp/terraform-provider-aws/names"
+)
+
+func testSDKDisappearsWithoutPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckSDKResourceDisappears(ctx, t, ResourceThing(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testSDKDisappearsWithPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ok: disappears-expect-resource-action
+					acctest.CheckSDKResourceDisappears(ctx, t, ResourceThing(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testSDKDisappearsWithWrongAction(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckSDKResourceDisappears(ctx, t, ResourceThing(), resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testFrameworkDisappearsWithoutPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappears(ctx, t, ResourceThing, resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testFrameworkDisappearsWithPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ok: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappears(ctx, t, ResourceThing, resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testFrameworkDisappearsWithWrongAction(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappears(ctx, t, ResourceThing, resourceName),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testFrameworkStateFuncDisappearsWithoutPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappearsWithStateFunc(ctx, t, ResourceThing, resourceName, stateFunc),
+				),
+				ExpectNonEmptyPlan: true,
+			},
+		},
+	})
+}
+
+func testFrameworkStateFuncDisappearsWithPlanCheck(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ok: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappearsWithStateFunc(ctx, t, ResourceThing, resourceName, stateFunc),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionCreate),
+					},
+				},
+			},
+		},
+	})
+}
+
+func testFrameworkStateFuncDisappearsWithWrongAction(t *testing.T) {
+	ctx := acctest.Context(t)
+
+	const resourceName = "aws_example_thing.test"
+
+	acctest.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.EC2ServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		CheckDestroy:             testAccCheckDestroy(ctx),
+		Steps: []resource.TestStep{
+			{
+				Config: testAccConfig_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					testAccCheckExists(ctx, t, resourceName),
+					// ruleid: disappears-expect-resource-action
+					acctest.CheckFrameworkResourceDisappearsWithStateFunc(ctx, t, ResourceThing, resourceName, stateFunc),
+				),
+				ExpectNonEmptyPlan: true,
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PostApplyPostRefresh: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(resourceName, plancheck.ResourceActionUpdate),
+					},
+				},
+			},
+		},
+	})
+}
diff --git a/.ci/semgrep/acctest/disappears.yml b/.ci/semgrep/acctest/disappears.yml
@@ -22,3 +22,46 @@ rules:
     pattern: acctest.CheckFrameworkResourceDisappearsWithStateFunc(ctx, acctest.Provider, $RES, $NAME, $F)
     fix: acctest.CheckFrameworkResourceDisappearsWithStateFunc(ctx, t, $RES, $NAME, $F)
     severity: ERROR
+
+  - id: disappears-expect-resource-action
+    languages: [go]
+    message: |
+      Disappears acceptance tests should include `ConfigPlanChecks` with a `PostApplyPostRefresh` plan check
+      using `plancheck.ExpectResourceAction` to verify the resource is planned for re-creation.
+    severity: ERROR
+    patterns:
+      - pattern-either:
+          - pattern: acctest.CheckSDKResourceDisappears(...)
+          - pattern: acctest.CheckFrameworkResourceDisappears(...)
+          - pattern: acctest.CheckFrameworkResourceDisappearsWithStateFunc(...)
+      - pattern-inside: |
+          Steps: []resource.TestStep{
+            ...,
+          }
+      - pattern-not-inside: |
+          {
+            ...,
+            ConfigPlanChecks: resource.ConfigPlanChecks{
+              ...,
+              PostApplyPostRefresh: []plancheck.PlanCheck{
+                ...,
+                plancheck.ExpectResourceAction($NAME, plancheck.ResourceActionCreate),
+                ...,
+              },
+              ...,
+            },
+            ...,
+          }
+    # To roll out gradually, only fully-compliant services are included in the
+    # paths list below. As each service is updated, add its path to the list.
+    paths:
+      include:
+        - "/internal/service/bedrockagentcore/*_test.go"
+        - "/internal/service/billing/*_test.go"
+        - "/internal/service/cur/*_test.go"
+        - "/internal/service/networkflowmonitor/*_test.go"
+        - "/internal/service/notifications/*_test.go"
+        - "/internal/service/notificationscontacts/*_test.go"
+        - "/internal/service/observabilityadmin/*_test.go"
+        - "/internal/service/timestreaminfluxdb/*_test.go"
+        - "/internal/service/workmail/*_test.go"
