created project

Signed-off-by: Fred Myerscough <oniice@gmail.com>

Author: oniice

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+- package-ecosystem: gomod
+  directory: "/"
+  schedule:
+    interval: weekly
+  open-pull-requests-limit: 10
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: weekly

.github/workflows/build.yml

@@ -0,0 +1,33 @@
+name: build
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Set up Go
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Run tests
+      run: make test
+    - name: Run build
+      run: make build

.github/workflows/release.yml

@@ -0,0 +1,41 @@
+name: release
+
+on:
+  push:
+    branches:
+    - '!*'
+    tags:
+    - v*.*.*
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+    - name: Set up Go
+      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      with:
+        go-version-file: 'go.mod'
+    - name: Import GPG key
+      id: import_gpg
+      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+      with:
+        gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+        passphrase: ${{ secrets.PASSPHRASE }}
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
+      with:
+        version: latest
+        args: release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+    - uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+      with:
+        subject-path: 'dist/checksums.txt'

.gitignore

@@ -0,0 +1,2 @@
+# don't track built binary
+/tflint-ruleset-aws-meta

.goreleaser.yml

@@ -0,0 +1,35 @@
+# This is an example goreleaser.yaml file with some sane defaults.
+# Make sure to check the documentation at http://goreleaser.com
+version: 2
+env:
+  - CGO_ENABLED=0
+builds:
+  - targets:
+      - darwin_amd64
+      - darwin_arm64
+      - linux_386
+      - linux_amd64
+      - linux_arm
+      - linux_arm64
+      - windows_386
+      - windows_amd64
+    hooks:
+      post:
+        - mkdir -p ./dist/raw
+        - cp "{{ .Path }}" "./dist/raw/{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+archives:
+  - id: zip
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}"
+    formats:
+      - zip
+    files:
+      - none*
+checksum:
+  name_template: 'checksums.txt'
+  extra_files:
+    - glob: ./dist/raw/*
+signs:
+  - artifacts: checksum
+    args: ["--batch", "-u", "{{ .Env.GPG_FINGERPRINT }}", "--output", "${signature}", "--detach-sign", "${artifact}"]
+release:
+  github:

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 myerscode
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,11 @@
+default: build
+
+test:
+	go test ./...
+
+build:
+	go build
+
+install: build
+	mkdir -p ~/.tflint.d/plugins
+	mv ./tflint-ruleset-aws-meta ~/.tflint.d/plugins

README.md

@@ -0,0 +1,193 @@
+# TFLint AWS Meta Ruleset
+
+[![Build Status](https://github.com/myerscode/tflint-ruleset-aws-meta/actions/workflows/build.yml/badge.svg?branch=main)](https://github.com/myerscode/tflint-ruleset-aws-meta/actions)
+
+A TFLint ruleset for AWS best practices, focusing on preventing hardcoded values and promoting flexible, maintainable Terraform code.
+
+This ruleset helps enforce multi-region and multi-partition compatibility by detecting hardcoded AWS regions and partitions in your Terraform configurations. It provides comprehensive coverage across IAM policies, provider configurations, and all AWS resource types where hardcoded values prevent flexible deployments.
+
+## Requirements
+
+- TFLint v0.42+
+- Go v1.25
+
+## Installation
+
+TODO: This template repository does not contain release binaries, so this installation will not work. Please rewrite for your repository. See the "Building the plugin" section to get this template ruleset working.
+
+You can install the plugin with `tflint --init`. Declare a config in `.tflint.hcl` as follows:
+
+```hcl
+plugin "aws-multi" {
+  enabled = true
+
+  version = "0.1.0"
+  source  = "github.com/myerscode/tflint-ruleset-aws-meta"
+}
+```
+
+## Rules
+
+|Name|Description|Severity|Enabled|Link|
+| --- | --- | --- | --- | --- |
+|aws_iam_role_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM role policy documents|WARNING|✔||
+|aws_iam_role_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM role policy documents|WARNING|✔||
+|aws_iam_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM policy documents|WARNING|✔||
+|aws_iam_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM policy documents|WARNING|✔||
+|aws_provider_hardcoded_region|Validates that there are no hardcoded AWS regions or credentials in provider configuration|WARNING|✔||
+
+### Rule Details
+
+#### aws_iam_role_policy_hardcoded_region
+
+This rule checks `aws_iam_role_policy` resources for hardcoded AWS regions in policy documents. It examines both JSON policy strings and structured policy documents to detect:
+
+- Hardcoded regions in ARNs within policy statements (e.g., `arn:aws:s3:::bucket/us-east-1/*`)
+- Direct region references in policy JSON
+
+**Example violations:**
+```hcl
+resource "aws_iam_role_policy" "bad" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "s3:GetObject"
+      Resource = "arn:aws:s3:::bucket/us-east-1/*"  # ❌ Hardcoded region
+    }]
+  })
+}
+```
+
+**Recommended fix:**
+```hcl
+resource "aws_iam_role_policy" "good" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "s3:GetObject"
+      Resource = "arn:aws:s3:::bucket/${data.aws_region.current.name}/*"  # ✅ Dynamic region
+    }]
+  })
+}
+```
+
+#### aws_iam_role_policy_hardcoded_partition
+
+This rule checks `aws_iam_role_policy` resources for hardcoded AWS partitions in policy documents. It detects:
+
+- Hardcoded partitions in ARNs (e.g., `arn:aws:`, `arn:aws-cn:`, `arn:aws-us-gov:`)
+
+**Example violations:**
+```hcl
+resource "aws_iam_role_policy" "bad" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "s3:*"
+      Resource = "arn:aws:s3:::bucket/*"  # ❌ Hardcoded partition
+    }]
+  })
+}
+```
+
+**Recommended fix:**
+```hcl
+resource "aws_iam_role_policy" "good" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "s3:*"
+      Resource = "arn:${data.aws_partition.current.partition}:s3:::bucket/*"  # ✅ Dynamic partition
+    }]
+  })
+}
+```
+
+#### aws_iam_policy_hardcoded_region
+
+This rule checks `aws_iam_policy` resources for hardcoded AWS regions in policy documents. Similar to the role policy rule, it examines:
+
+- Hardcoded regions in ARNs within policy statements
+- Direct region references in policy JSON
+
+**Example violations:**
+```hcl
+resource "aws_iam_policy" "bad" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "lambda:InvokeFunction"
+      Resource = "arn:aws:lambda:eu-west-1:123456789012:function:*"  # ❌ Hardcoded region
+    }]
+  })
+}
+```
+
+**Recommended fix:**
+```hcl
+resource "aws_iam_policy" "good" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "lambda:InvokeFunction"
+      Resource = "arn:aws:lambda:${data.aws_region.current.name}:123456789012:function:*"  # ✅ Dynamic region
+    }]
+  })
+}
+```
+
+#### aws_iam_policy_hardcoded_partition
+
+This rule checks `aws_iam_policy` resources for hardcoded AWS partitions in policy documents. It detects:
+
+- Hardcoded partitions in ARNs within policy statements
+
+**Example violations:**
+```hcl
+resource "aws_iam_policy" "bad" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "sqs:*"
+      Resource = "arn:aws-us-gov:sqs:*:*:*"  # ❌ Hardcoded partition
+    }]
+  })
+}
+```
+
+**Recommended fix:**
+```hcl
+resource "aws_iam_policy" "good" {
+  policy = jsonencode({
+    Statement = [{
+      Effect   = "Allow"
+      Action   = "sqs:*"
+      Resource = "arn:${data.aws_partition.current.partition}:sqs:*:*:*"  # ✅ Dynamic partition
+    }]
+  })
+}
+```
+
+#### aws_provider_hardcoded_region
+
+This rule checks AWS provider configurations for security and flexibility issues. It detects:
+
+- Hardcoded regions in provider `region` attribute
+- Hardcoded AWS access keys and secret keys (security risk)
+- Hardcoded regions in `assume_role` ARNs
+
+**Example violations:**
+```hcl
+provider "aws" {
+  region = "us-east-1"  # ❌ Hardcoded region
+}
+```
+
+**Recommended fix:**
+```hcl
+provider "aws" {
+  region = var.aws_region  # ✅ Use variables
+}
+```
+
+

examples/failing/.tflint.hcl

@@ -0,0 +1,27 @@
+plugin "aws-multi" {
+  enabled = true
+}
+
+rule "aws_iam_role_policy_hardcoded_region" {
+  enabled = true
+}
+
+rule "aws_iam_role_policy_hardcoded_partition" {
+  enabled = true
+}
+
+rule "aws_iam_policy_hardcoded_region" {
+  enabled = true
+}
+
+rule "aws_iam_policy_hardcoded_partition" {
+  enabled = true
+}
+
+rule "aws_provider_hardcoded_region" {
+  enabled = true
+}
+
+rule "aws_hardcoded_region" {
+  enabled = true
+}