Struggling to enforce 'ignore_changes = [tags]', limitation of the OPA HCL parser ?

[KingBain]

I think this might be a limitation of the HCL parser, but

when I have tf code like this

resource "azurerm_dns_zone" "mydomain_com_zone" {
  resource_group_name = var.resource_group_name
  name                = "mydomain.com"
  lifecycle {
    ignore_changes = [tags]
  }
}

I am struggling to create a rule to enforce that ignore_changes = [tags] must exist. The best I can manage is this rule

package tflint
import rego.v1


deny_require_lifecycle_ignore_tags contains issue if {
  res := terraform.resources("*",{"lifecycle": {"ignore_changes": "list(string)"}},{"expand_mode": "expand"})[_]
  not has_tags_ignore(res)

  issue := tflint.issue(
    sprintf("Resource %s.%s must have lifecycle.ignore_changes include \"tags\"", [res.type, res.name]),
    res.decl_range
  )
}

# helper succeeds only if there's a lifecycle.ignore_changes list and one of its elements == "tags"
has_tags_ignore(res) if {
  lifeblock := res.config.lifecycle[_]

  ic := lifeblock.config.ignore_changes

  some i
  ic.value[i] == "tags"
}

which passes when I wrap tags in the double quotations

  lifecycle {
    ignore_changes = ["tags"]
  }

,but "tags" is deprecated and a warning message is given from tf plan

Warning: Quoted references are deprecated

  on dns/mydomain.com.tf line 7, in resource "azurerm_dns_zone" "mydomain_com_zone":
   7:     ignore_changes = ["tags"]

In this context, references are expected literally rather than in quotes.
Terraform 0.11 and earlier required quotes, but quoted references are now
deprecated and will be removed in a future version of Terraform. Remove the
quotes surrounding this reference to silence this warning.

@wata727 is there a way to write a rego rule to enforce ignore_changes = [tags] or is this an actual limitation of the HCL parser ?

[wata727]

Ah, good question. Because the terraform.resources function evaluates attributes as values, there is currently no way to handle special attributes like the ignore_changes. This is a limitation of the terraform.resources function rather than a limitation of the HCL parser.

There are several possible solutions, for example introducing a function like terraform.resources_meta_arguments. I am positive about solving this issue.

[KingBain]

You did a great job expanding the functionality of the expr and its helper methods. I tested whats currently in main and it resolved my issues and I got my tests to work.

Thanks.

Do you know when youll be able to create a new release of the plugin ?

[wata727]

Sorry for the late reply, v0.9.0 has been released.
https://github.com/terraform-linters/tflint-ruleset-opa/releases/tag/v0.9.0