Closed
Summary
After upgrading tflint from 0.46.1 to 0.47.0, we get a "Failed to check aws_kms_key_invalid_policy rule: oversize unknown value refinement" error based on the code below:
Command
tflint
Terraform Configuration
resource "aws_kms_key" "tf-kms-key-alerting" {
  description = "KMS key for encrypting alerting data via SNS"
  deletion_window_in_days = 7
  key_usage = "ENCRYPT_DECRYPT"
  customer_master_key_spec = "SYMMETRIC_DEFAULT"
  enable_key_rotation = true
  policy = templatefile(
    "${path.module}/policies/kms-policy.json.tmpl",
    {
      K8SACCOUNTID = var.aws_alias_2_aws_id[var.aws_alias_2_k8s_alias[data.aws_iam_account_alias.current.account_alias]]
      HUIDIGACCOUNTID = data.aws_caller_identity.current.account_id
    }
  )
}
TFLint Configuration
config {
  format = "compact"
  plugin_dir = "~/.tflint.d/plugins"
  module = false
  force = false
  disabled_by_default = false
}
plugin "aws" {
  enabled = true
  version = "0.23.1"
  source = "github.com/terraform-linters/tflint-ruleset-aws"
}
plugin "opa" {
  enabled = true
  version = "0.2.0"
  source = "github.com/terraform-linters/tflint-ruleset-opa"
}
plugin "terraform" {
  enabled = true
  version = "0.4.0"
  source = "github.com/terraform-linters/tflint-ruleset-terraform"
}
rule "terraform_required_providers" {
  enabled = false
}
rule "terraform_naming_convention" {
  enabled = false
}
rule "terraform_standard_module_structure" {
  enabled = false
}
Output
Failed to check `aws_kms_key_invalid_policy` rule: oversize unknown value refinement
The trace logs look like:
14:51:35 [DEBUG] [email protected]/client.go:1046: tflint-ruleset-aws: 14:51:35 [TRACE] models/aws_kms_key_invalid_policy.go:58: Check `%s` rule: EXTRA_VALUE_AT_END=aws_kms_key_invalid_policy
14:51:35 [TRACE] interceptor/logging.go:15: gRPC request: direction=plugin2host method=/proto.Runner/GetModuleContent req="schema:{blocks:{type:\"resource\" label_names:\"type\" label_names:\"name\" body:{attributes:{name:\"policy\"} Mode:SCHEMA_MODE_DEFAULT}} Mode:SCHEMA_MODE_DEFAULT} option:{module_ctx:MODULE_CTX_TYPE_SELF hint:{resource_type:\"aws_kms_key\"} expand_mode:EXPAND_MODE_EXPAND}"
14:51:35 [TRACE] interceptor/logging.go:15: gRPC request: direction=plugin2host method=/proto.Runner/GetFile req="name:\"kms.tf\""
14:51:35 [TRACE] interceptor/logging.go:15: gRPC request: direction=plugin2host method=/proto.Runner/EvaluateExpr req="option:{type:\"\\"string\\"\" module_ctx:MODULE_CTX_TYPE_SELF} expression:{bytes:\"templatefile(\r\n \\"${path.module}/policies/kms-policy.json.tmpl\\",\r\n {\r\n K8SACCOUNTID = var.aws_alias_2_aws_id[var.aws_alias_2_k8s_alias[data.aws_iam_account_alias.current.account_alias]]\r\n HUIDIGACCOUNTID = data.aws_caller_identity.current.account_id\r\n }\r\n )\" range:{filename:\"kms.tf\" start:{line:7 column:12 byte:301} end:{line:13 column:4 byte:580}}} 1:\"templatefile(\r\n \\"${path.module}/policies/kms-policy.json.tmpl\\",\r\n {\r\n K8SACCOUNTID = var.aws_alias_2_aws_id[var.aws_alias_2_k8s_alias[data.aws_iam_account_alias.current.account_alias]]\r\n HUIDIGACCOUNTID = data.aws_caller_identity.current.account_id\r\n }\r\n )\" 2:\"\n\x06kms.tf\x12\x07\x08\x07\x10\x0c\x18\xad\x02\x1a\x07\x08\r\x10\x04\x18\xc4\x04\""
14:51:35 [DEBUG] [email protected]/client.go:1046: tflint-ruleset-aws: 14:51:35 [ERROR] interceptor/logging.go:18: failed to gRPC request: direction=host2plugin method=/proto.RuleSet/Check err="rpc error: code = Aborted desc = Failed to check `aws_kms_key_invalid_policy` rule: oversize unknown value refinement"
TFLint Version
TFLint version 0.47.0
+ ruleset.aws (0.23.1)
+ ruleset.opa (0.2.0)
+ ruleset.terraform (0.4.0)
Terraform Version
# terraform version
Terraform v1.4.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v4.67.0
+ provider registry.terraform.io/hashicorp/external v2.3.1
Operating System
- Linux
- macOS
- Windows