From 8047cf5d9d74e1175e1fb2481853577f5ca6dd1e Mon Sep 17 00:00:00 2001
From: James Ray <rihoj1@gmail.com>
Date: Wed, 11 Aug 2021 12:43:35 -0400
Subject: [PATCH] aws_iam_policy_length (#153)

* aws_iam_policy_length -  Added a rule to check against IAM policy length. fixes terraform-linters/tflint-ruleset-aws#26

* formated

* Update name of rule, update character count, ignore whitespace
---
 docs/rules/aws_iam_policy_too_long_policy.md  | 35 +++++++++
 .../aws_iam_policy_sid_invalid_characters.go  |  5 +-
 rules/aws_iam_policy_too_long_policy.go       | 63 +++++++++++++++
 rules/aws_iam_policy_too_long_policy_test.go  | 77 +++++++++++++++++++
 rules/provider.go                             |  1 +
 5 files changed, 179 insertions(+), 2 deletions(-)
 create mode 100644 docs/rules/aws_iam_policy_too_long_policy.md
 create mode 100644 rules/aws_iam_policy_too_long_policy.go
 create mode 100644 rules/aws_iam_policy_too_long_policy_test.go

diff --git a/docs/rules/aws_iam_policy_too_long_policy.md b/docs/rules/aws_iam_policy_too_long_policy.md
new file mode 100644
index 00000000..69d6ed30
--- /dev/null
+++ b/docs/rules/aws_iam_policy_too_long_policy.md
@@ -0,0 +1,35 @@
+# aws_iam_policy_too_long_policy
+
+This makes sure that a IAM policy is not longer than the 6144 AWS character limit.
+
+## Example
+
+```hcl
+resource "aws_iam_policy" "policy" {
+	name        = "test_policy"
+	path        = "/"
+	description = "My test policy"
+	policy = <<EOF
+	{
+		STRING LONGER THAN 6144
+	}
+EOF
+}
+```
+
+```
+$ tflint
+1 issue(s) found:
+Error: The policy length is %d characters and is limited to 6144 characters. (aws_iam_policy_too_long_policy)
+  on template.tf line 6:
+   6:   policy = "{POLICY}" // Policy is too long,!
+
+```
+
+## Why
+
+Terraform does not check against this rule, but it will error if an apply is attempted.
+
+## How To Fix
+
+Update policy to reduce characters. Some methods are splitting into multiple policies, or switching to using a combination of deny and allow statements to optimize the policy.
diff --git a/rules/aws_iam_policy_sid_invalid_characters.go b/rules/aws_iam_policy_sid_invalid_characters.go
index a39735ff..4e47f0c8 100644
--- a/rules/aws_iam_policy_sid_invalid_characters.go
+++ b/rules/aws_iam_policy_sid_invalid_characters.go
@@ -2,12 +2,13 @@ package rules
 
 import (
 	"encoding/json"
+	"fmt"
 	hcl "github.com/hashicorp/hcl/v2"
 	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
 	"github.com/terraform-linters/tflint-ruleset-aws/project"
 	"regexp"
-	"fmt"
 )
+
 type AwsIAMPolicySidInvalidCharactersStatementStruct struct {
 	Sid string `json:"Sid"`
 }
@@ -58,7 +59,7 @@ func (r *AwsIAMPolicySidInvalidCharactersRule) Check(runner tflint.Runner) error
 		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
 		unMarshaledPolicy := AwsIAMPolicySidInvalidCharactersPolicyStruct{}
 		if jsonErr := json.Unmarshal([]byte(val), &unMarshaledPolicy); jsonErr != nil {
-			return jsonErr;
+			return jsonErr
 		}
 		statements := unMarshaledPolicy.Statement
 
diff --git a/rules/aws_iam_policy_too_long_policy.go b/rules/aws_iam_policy_too_long_policy.go
new file mode 100644
index 00000000..1021614e
--- /dev/null
+++ b/rules/aws_iam_policy_too_long_policy.go
@@ -0,0 +1,63 @@
+package rules
+
+import (
+	"fmt"
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+	"regexp"
+)
+
+// AwsIAMPolicyTooLongPolicyRule checks that the policy length is less than 6,144 characters
+type AwsIAMPolicyTooLongPolicyRule struct {
+	resourceType  string
+	attributeName string
+}
+
+// NewAwsIAMPolicyTooLongPolicyRule returns new rule with default attributes
+func NewAwsIAMPolicyTooLongPolicyRule() *AwsIAMPolicyTooLongPolicyRule {
+	return &AwsIAMPolicyTooLongPolicyRule{
+		resourceType:  "aws_iam_policy",
+		attributeName: "policy",
+	}
+}
+
+// Name returns the rule name
+func (r *AwsIAMPolicyTooLongPolicyRule) Name() string {
+	return "aws_iam_policy_too_long_policy"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsIAMPolicyTooLongPolicyRule) Enabled() bool {
+	return true
+}
+
+// Severity returns the rule severity
+func (r *AwsIAMPolicyTooLongPolicyRule) Severity() string {
+	return tflint.ERROR
+}
+
+// Link returns the rule reference link
+func (r *AwsIAMPolicyTooLongPolicyRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks the length of the policy
+func (r *AwsIAMPolicyTooLongPolicyRule) Check(runner tflint.Runner) error {
+	return runner.WalkResourceAttributes(r.resourceType, r.attributeName, func(attribute *hcl.Attribute) error {
+		var policy string
+		err := runner.EvaluateExpr(attribute.Expr, &policy, nil)
+		whitespaceRegex := regexp.MustCompile(`\s+`)
+		policy = whitespaceRegex.ReplaceAllString(policy, "")
+		return runner.EnsureNoError(err, func() error {
+			if len(policy) > 6144 {
+				runner.EmitIssueOnExpr(
+					r,
+					fmt.Sprintf("The policy length is %d characters and is limited to 6144 characters.", len(policy)),
+					attribute.Expr,
+				)
+			}
+			return nil
+		})
+	})
+}
diff --git a/rules/aws_iam_policy_too_long_policy_test.go b/rules/aws_iam_policy_too_long_policy_test.go
new file mode 100644
index 00000000..d4f86c5f
--- /dev/null
+++ b/rules/aws_iam_policy_too_long_policy_test.go
@@ -0,0 +1,77 @@
+package rules
+
+import (
+	"math/rand"
+	"testing"
+	"time"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/helper"
+)
+
+var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+
+func randSeq(n int) string {
+	b := make([]rune, n)
+	for i := range b {
+		b[i] = letters[rand.Intn(len(letters))]
+	}
+	return string(b)
+}
+
+func Test_AwsIAMPolicyTooLongPolicy(t *testing.T) {
+	rand.Seed(time.Now().UnixNano())
+	cases := []struct {
+		Name     string
+		Content  string
+		Expected helper.Issues
+	}{
+		{
+			Name: "policy is too long",
+			Content: `
+resource "aws_iam_policy" "policy" {
+	name        = "test_policy"
+	path        = "/"
+	description = "My test policy"
+	policy = <<EOF
+	{
+		"Version": "2012-10-17",
+		"Statement": [
+		{
+			"Action": [
+				` + randSeq(6034) + `
+			],
+			"Effect": "Allow",
+			"Resource": "arn:aws:s3:::<bucketname>/*""
+		}
+		]
+	}
+EOF
+}
+`,
+			Expected: helper.Issues{
+				{
+					Rule:    NewAwsIAMPolicyTooLongPolicyRule(),
+					Message: "The policy length is 6145 characters and is limited to 6144 characters.",
+					Range: hcl.Range{
+						Filename: "resource.tf",
+						Start:    hcl.Pos{Line: 6, Column: 11},
+						End:      hcl.Pos{Line: 19, Column: 4},
+					},
+				},
+			},
+		},
+	}
+
+	rule := NewAwsIAMPolicyTooLongPolicyRule()
+
+	for _, tc := range cases {
+		runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
+
+		if err := rule.Check(runner); err != nil {
+			t.Fatalf("Unexpected error occurred: %s", err)
+		}
+
+		helper.AssertIssues(t, tc.Expected, runner.Issues)
+	}
+}
diff --git a/rules/provider.go b/rules/provider.go
index 158253f0..65b78a02 100644
--- a/rules/provider.go
+++ b/rules/provider.go
@@ -33,4 +33,5 @@ var Rules = append([]tflint.Rule{
 	NewAwsElastiCacheReplicationGroupInvalidTypeRule(),
 	NewAwsElastiCacheReplicationGroupPreviousTypeRule(),
 	NewAwsIAMPolicySidInvalidCharactersRule(),
+	NewAwsIAMPolicyTooLongPolicyRule(),
 }, models.Rules...)