cnspec-policies
terraform aws_iam_policy check fails when using a data source
Describe the bug

cnspec's policy fails to account for using a data source for the policy, like this:

```hcl
data "aws_iam_policy_document" "some_policy" {
  statement {
    actions   = [ ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "some_policy" {
  name = "SomePolicy"
  ...
  policy = data.aws_iam_policy_document.some_policy.json
}
```
To Reproduce

Steps to reproduce the behavior:

- Write up some terraform with an IAM policy resource and a data resource for the policy, as described above.
- Run `cnspec scan terraform` against it.
Expected behavior

Most likely, it should have an additional exception for when the value is a simple string, because in addition to data sources it's not uncommon to use `file()` or `templatefile()` functions here.

There should probably be another check here that looks for:

```
terraform.datasources.where(nameLabel == "aws_iam_policy_document")
```

and runs similar checks. Perhaps `file()` could do something similar, but `templatefile()` probably isn't something you can work with outside of a plan.
Desktop (please complete the following information):
- OS: Linux
- OS Version: PopOS
Additional context

The check defined here has this query:

```
terraform.resources.where( nameLabel == "aws_iam_policy" && arguments["policy"] != null ) {
  arguments["policy"].where( _["Statement"] != null) {
    _["Statement"] {
      # Resource is either not * or DENY is used (where wildcard is great)
      _["Resource"] != "*" || _["Effect"].upcase == "DENY"
    }
  }
}
```

This assumes that the policy will be inline, but if you're using a data source it'll look like this instead:

```
arguments {
  ...
  policy: "data.aws_iam_policy_document.some_policy.json"
}
```

This results in an error like this:

```
! Error: Ensure IAM policy do not use wildcards and instead apply the principle of least privilege Message: 1 error occurred: * 1 error occurred: * cannot find function '[]' for type 'stringslice'
```
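To make the requested behaviour concrete, here is an added Python sketch (not cnspec's code or MQL) of the same wildcard check with the string exception the report asks for: a policy value that is a plain string (a `data.` reference, `file()` or `templatefile()`) is skipped, while an inline policy map is inspected statement by statement. The sample policies are constructed for the demonstration.

```python
# Added illustration, not cnspec's own check: the inline-vs-reference
# distinction from this issue, expressed over a parsed policy argument.
from typing import Any


def is_policy_reference(policy: Any) -> bool:
    """A string value is a reference (data source, file(), templatefile()),
    not an inline policy, so it cannot be inspected statically."""
    return isinstance(policy, str)


def _as_list(value: Any) -> list:
    """IAM allows a scalar or a list for Statement, Resource and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_resource_findings(policy: Any) -> list[str]:
    """Return one finding per Allow statement whose Resource contains '*'.

    Mirrors the MQL check quoted above: a statement passes when its Resource
    is not '*' or when its Effect is DENY. A string-valued policy yields no
    findings instead of a type error, which is the behaviour requested here.
    """
    if is_policy_reference(policy):
        return []
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = str(stmt.get("Effect", "Allow")).upper()
        resources = _as_list(stmt.get("Resource"))
        if "*" in resources and effect != "DENY":
            findings.append(f"Statement[{idx}]: Allow on Resource '*'")
    return findings


# Constructed sample inputs covering the three shapes discussed in the issue.
INLINE_WILDCARD = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "s3:*",
                                  "Resource": "*"}]}
INLINE_DENY = {"Statement": {"Effect": "Deny", "Action": "*", "Resource": "*"}}
DATA_SOURCE_REF = "data.aws_iam_policy_document.some_policy.json"

if __name__ == "__main__":
    for label, pol in [("inline wildcard", INLINE_WILDCARD),
                       ("inline deny", INLINE_DENY),
                       ("data source ref", DATA_SOURCE_REF)]:
        print(label, "->", wildcard_resource_findings(pol) or "ok")
```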