terraform-aws-control_tower_account_factory
local_file data source usage for certain config files
Hi, we are trying to set up AFT on our end, but we have a security check that prevents use of the local_file data source in Terraform. Is it possible for us to move those config files into inline definitions such as variables or locals? Also, there's another file function in Terraform, file. Are there any specific reasons for not using file instead of local_file?
Paths containing local_file definitions:
- ~/data.tf
- modules/aft-code-repositories/codebuild.tf
- modules/aft-customizations/data.tf
- modules/aft-lambda-layer/data.tf
@rfum, could you please give us more context on the security check that prevents use of the local_file resource?
We have a policy check in our Atlantis setup to make sure that unsafe and unknown providers and data sources are not used.
local_file (and file) can be used to exfiltrate secrets from the server running Terraform, and thus we have them blocked. This prevents e.g. a compromised developer machine being used to obtain credentials.
I believe this to be pretty common in defense-in-depth setups.
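The kind of plan-time check described above, as an added example that is not part of this issue, the AFT module, or the commenter's own Atlantis policy: it walks the `configuration` section of a `terraform show -json` plan (root module plus nested `module_calls`) and reports every data source whose type is on a deny list. The plan document below is constructed for the example, loosely modelled on the AFT paths listed in the issue, and is not real AFT output. One caveat worth knowing: the plan's configuration section records the references an expression makes (for instance `path.module`), not the functions it calls, so this catches `data "local_file"` blocks but not `file()` calls; blocking `file()` needs a scan of the `.tf` sources themselves.

```python
"""Deny-list check for local_file data sources in a Terraform plan JSON."""
import json
import sys

# Data sources that read from the machine running terraform. Both come from
# the hashicorp/local provider; local_sensitive_file is the newer variant.
DENIED_DATA_SOURCES = {"local_file", "local_sensitive_file"}

# Constructed `terraform show -json` fragment (example data, not AFT output):
# a root module with one local_file data source and one unrelated data
# source, plus a child module that also declares a local_file data source.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "configuration": {
        "root_module": {
            "resources": [
                {"address": "data.local_file.python_version", "mode": "data",
                 "type": "local_file", "name": "python_version",
                 "provider_config_key": "local",
                 "expressions": {"filename": {"references": ["path.module"]}}},
                {"address": "data.aws_caller_identity.current", "mode": "data",
                 "type": "aws_caller_identity", "name": "current",
                 "provider_config_key": "aws", "expressions": {}},
            ],
            "module_calls": {
                "aft_customizations": {
                    "source": "./modules/aft-customizations",
                    "module": {
                        "resources": [
                            {"address": "data.local_file.buildspec", "mode": "data",
                             "type": "local_file", "name": "buildspec",
                             "provider_config_key": "local",
                             "expressions": {"filename": {"references": ["path.module"]}}},
                            {"address": "aws_codebuild_project.this", "mode": "managed",
                             "type": "aws_codebuild_project", "name": "this",
                             "provider_config_key": "aws", "expressions": {}},
                        ],
                        "module_calls": {},
                    },
                }
            },
        }
    },
})


def walk_modules(module, prefix=""):
    """Yield (full_address, resource) for every resource declared in `module`
    and, recursively, in the modules it calls. Child addresses get the
    `module.<name>.` prefix Terraform uses for nested resources."""
    for res in module.get("resources", []):
        yield prefix + res["address"], res
    for name, call in module.get("module_calls", {}).items():
        child = call.get("module", {})
        yield from walk_modules(child, f"{prefix}module.{name}.")


def find_denied_data_sources(plan_json, denied=DENIED_DATA_SOURCES):
    """Return the sorted addresses of data sources whose type is denied.
    Only mode == "data" is considered, so a managed local_file resource
    (which writes rather than reads) is not reported by this check."""
    plan = json.loads(plan_json)
    root = plan["configuration"]["root_module"]
    return sorted(addr for addr, res in walk_modules(root)
                  if res.get("mode") == "data" and res.get("type") in denied)


def main(argv):
    """Usage: python check_plan.py plan.json  (no argument: run on the sample)."""
    plan_json = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = find_denied_data_sources(plan_json)
    for addr in findings:
        print(f"DENIED: {addr} reads from the terraform host's filesystem")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against a real plan with `terraform show -json tfplan > plan.json` first; a non-zero exit is what a pre-apply hook or Atlantis policy step would key on. Extending the deny list to whole providers (for example flagging any `provider_config_key` ending in `local`) is straightforward, but the key format for child modules is version dependent, so check it against the plan your Terraform version emits.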
@snebhu3 any updates on this?
@rfum, @rbtcollins thanks for the additional context.
Is the feature request to replace use of the local_file data source with the file function to read content from a given file?
@snebhu3 Hi, no, we'd like to get rid of file access through the local_file function, as @rbtcollins explained in his previous comment. We'd like to know why the function was used in the first place. I'm preparing a PR in our fork to make things faster but can't be sure whether it will break anything if I move the file contents into inline variables.
Hey @rfum!
Thank you for bringing this to our attention! I created an item in our backlog to review this request. Thanks!