
Hardcoded Service Principal DNS Suffixes

Rule: aws_service_principal_hardcoded

This rule checks for hardcoded AWS service principal DNS suffixes in expressions and strings across Terraform files.

It matches service principal forms such as service.amazonaws.com, service.amazonaws.com.cn, and service.amazonaws-us-gov.com, and reports an issue recommending the aws_service_principal data source (e.g., data.aws_service_principal.<name>.name) so that the same configuration resolves the correct suffix in every AWS partition (commercial, China, and GovCloud).

Note: This rule is enabled by default. It detects hardcoded DNS suffixes and recommends using data sources for multi-partition compatibility.
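To make the check concrete, the following is an added Python sketch (not the ruleset's own Go implementation) that scans double-quoted string literals in Terraform text for the three suffixes the rule lists and, for each hit, reports the data-source reference the rule would recommend. The sample HCL is constructed for this example, and the string-literal scanning and the block-label derivation are simplifying assumptions rather than how tflint evaluates expressions.

```python
import re

# Suffixes named in the rule description. The ".com.cn" alternative is listed
# before ".com" so the longest suffix wins in regex alternation.
SERVICE_PRINCIPAL_RE = re.compile(
    r"(?<![\w.-])(?P<service>[a-z0-9][a-z0-9.-]*)\."
    r"(?P<suffix>amazonaws\.com\.cn|amazonaws-us-gov\.com|amazonaws\.com)"
    r"(?![\w-])"
)

# Double-quoted HCL string literals (simplified: no heredocs, no ${} interpolation
# awareness). This is an approximation, not how tflint walks expressions.
STRING_LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def data_source_label(service: str) -> str:
    """Turn a service name into a Terraform block label (assumed naming convention)."""
    return re.sub(r"[^a-z0-9_]", "_", service.lower())


def find_hardcoded_service_principals(hcl_text: str) -> list:
    """Return one finding per hardcoded service principal found in string literals."""
    findings = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        for literal in STRING_LITERAL_RE.findall(line):
            for match in SERVICE_PRINCIPAL_RE.finditer(literal):
                service = match.group("service")
                findings.append({
                    "line": lineno,
                    "value": match.group(0),
                    "service": service,
                    "suffix": match.group("suffix"),
                    "suggestion": f"data.aws_service_principal.{data_source_label(service)}.name",
                })
    return findings


def render_data_source(service: str) -> str:
    """Emit the data block that the suggested reference points at."""
    label = data_source_label(service)
    return f'data "aws_service_principal" "{label}" {{\n  service_name = "{service}"\n}}'


# Constructed sample: three hardcoded principals (one per partition suffix) and
# one role that already uses the data source, which must not be reported.
SAMPLE_HCL = """\
resource "aws_iam_role" "lambda_role" {
  assume_role_policy = jsonencode({
    Statement = [{ Principal = { Service = "lambda.amazonaws.com" } }]
  })
}
resource "aws_iam_role" "ec2_role" {
  assume_role_policy = jsonencode({
    Statement = [{ Principal = { Service = "ec2.amazonaws-us-gov.com" } }]
  })
}
resource "aws_iam_role" "s3_role" {
  assume_role_policy = jsonencode({
    Statement = [{ Principal = { Service = "s3.amazonaws.com.cn" } }]
  })
}
resource "aws_iam_role" "fixed_role" {
  assume_role_policy = jsonencode({
    Statement = [{ Principal = { Service = data.aws_service_principal.lambda.name } }]
  })
}
"""

if __name__ == "__main__":
    for finding in find_hardcoded_service_principals(SAMPLE_HCL):
        print(f'line {finding["line"]}: "{finding["value"]}" is hardcoded; '
              f'use {finding["suggestion"]}')
        print(render_data_source(finding["service"]))
```

Only the three string-literal principals are reported; the role that already references data.aws_service_principal.lambda.name contains no suffix and is left alone, which is the behaviour the rule's recommendation is aiming for.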

Example that triggers the rule (the trust policies spell out the partition-specific suffix):

```hcl
resource "aws_iam_role" "lambda_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        Service = "lambda.amazonaws.com" # ❌ Hardcoded DNS suffix
      }
    }]
  })
}

resource "aws_iam_role" "ec2_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        Service = "ec2.amazonaws-us-gov.com" # ❌ Hardcoded GovCloud DNS suffix
      }
    }]
  })
}
```
How to fix it (the data source resolves the suffix for the partition the provider is configured against):

```hcl
data "aws_service_principal" "lambda" {
  service_name = "lambda"
}

data "aws_service_principal" "ec2" {
  service_name = "ec2"
}

resource "aws_iam_role" "lambda_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        Service = data.aws_service_principal.lambda.name # ✅ Using data source
      }
    }]
  })
}

resource "aws_iam_role" "ec2_role" {
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = "sts:AssumeRole"
      Principal = {
        Service = data.aws_service_principal.ec2.name # ✅ Using data source
      }
    }]
  })
}
```

This rule is enabled by default. To disable it, add the following to your .tflint.hcl:

```hcl
rule "aws_service_principal_hardcoded" {
  enabled = false
}
```