in rules/terraform_sensitive_variable_no_default.go [44:83]
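// CheckFile reports every `variable` block in file that sets `sensitive = true`
// and also carries a `default` that nullOrZeroDefaultValue does not consider
// null or zero. A default on a sensitive variable places the value in the
// configuration source itself, which is what this rule flags.
//
// Files whose body is not native HCL syntax are skipped with a debug log, so
// variables declared in such files are not checked by this rule.
//
// Errors from evaluating `sensitive` and from EmitIssue are accumulated and
// returned together after the scan. An error from nullOrZeroDefaultValue stops
// the scan immediately.
func (r *TerraformSensitiveVariableNoDefaultRule) CheckFile(runner tflint.Runner, file *hcl.File) error {
	body, ok := file.Body.(*hclsyntax.Body)
	if !ok {
		logger.Debug("skip terraform_sensitive_variable_no_default check since it's not hcl file")
		return nil
	}

	var err error
	for _, block := range body.Blocks {
		if block.Type != "variable" {
			continue
		}

		// The syntax-level body is not schema-validated here, so a variable
		// block may have no label; never index Labels blindly.
		name := "<unnamed>"
		if len(block.Labels) > 0 {
			name = block.Labels[0]
		}

		attr, sensitiveSet := block.Body.Attributes["sensitive"]
		if !sensitiveSet {
			continue
		}

		// Evaluated without an EvalContext, so only literal expressions
		// resolve; anything else comes back with error diagnostics.
		val, diags := attr.Expr.Value(nil)
		if diags.HasErrors() {
			// The value returned alongside error diagnostics is not a usable
			// bool, and calling True() on it panics. Record the error and
			// move on instead of crashing the whole lint run.
			err = multierror.Append(err, diags)
			continue
		}
		if val.IsNull() || !val.IsKnown() {
			// Nothing concrete to test; treated the same as an absent attribute.
			continue
		}
		if typeName := val.Type().FriendlyName(); typeName != "bool" {
			// True() panics on non-bool values (e.g. the string "true").
			// Surface the skipped variable as an error rather than silently
			// passing it, so a missed check is visible in the lint output.
			err = multierror.Append(err, fmt.Errorf(
				"variable %q: sensitive attribute has type %s, expected bool; variable was not checked",
				name, typeName,
			))
			continue
		}
		if !val.True() {
			continue
		}

		nullOrEmpty, evalDefaultErr := nullOrZeroDefaultValue(block)
		if evalDefaultErr != nil {
			// Keep the abort-on-error behaviour, but do not drop errors
			// collected from earlier blocks.
			if err != nil {
				return multierror.Append(err, evalDefaultErr)
			}
			return evalDefaultErr
		}
		if nullOrEmpty {
			continue
		}

		// NOTE(review): presumably nullOrZeroDefaultValue reports true when no
		// `default` attribute exists — confirm. The fallback to the block
		// header avoids a nil dereference if it does not.
		issueRange := block.DefRange()
		if defaultAttr, hasDefault := block.Body.Attributes["default"]; hasDefault {
			issueRange = defaultAttr.NameRange
		}

		subErr := runner.EmitIssue(
			r,
			fmt.Sprintf("Default value is not expected to be set for sensitive variable `%s`", name),
			issueRange,
		)
		if subErr != nil {
			err = multierror.Append(err, subErr)
		}
	}
	return err
}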