tflint-ruleset-opa icon indicating copy to clipboard operation
tflint-ruleset-opa copied to clipboard

Published 20 hours ago verified publisher icon terraform-linters

Improve value handling

Open wata727 opened this issue 2 years ago • 0 comments

You have to write policies with many patterns in mind to cover all cases. For example:

  • Unknown values
  • Unknown values in the count meta-argument
  • Unknown values in the for_each meta-argument
  • Unknown values in dynamic blocks
  • Null
  • Undefined

See also https://github.com/terraform-linters/tflint-ruleset-opa/blob/v0.1.0/docs/handling_special_values.md

It can be frustrating to have to think about so much when writing a policy. Providing an option to fall back to the initial value of each type in the above cases might make it easier to write the policy.

The question is whether users prefer false positives or false negatives. The current design focuses to avoid false positives, but users who want to enforce policies prefer to avoid false negatives. We should think carefully about which one to default to.

wata727 avatar Feb 01 '23 15:02 wata727