Skip to content

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rule: aws_iam_policy_document - Sid string check #149

Closed
andormarkus opened this issue Aug 3, 2021 · 5 comments · Fixed by #155
Closed

rule: aws_iam_policy_document - Sid string check #149

andormarkus opened this issue Aug 3, 2021 · 5 comments · Fixed by #155
Labels
enhancement New feature or request

Comments

@andormarkus
Copy link

Hi Community,

The plugin currently does not validates aws_iam_policy_document sid_string.
Based on AWS documentation basic alphanumeric characters (A-Z,a-z,0-9) are the only allowed characters in the Sid value.

It would be great if there would be rule to check the sid_string.

Thanks,
Andor
@wata727 wata727 added the enhancement New feature or request label Aug 7, 2021
@Rihoj Rihoj mentioned this issue Aug 9, 2021
Merged
@wata727
Copy link
Member

wata727 commented Aug 10, 2021

#155 was a rule for the aws_iam_policy resource. This issue is a rule request for the aws_iam_policy_document data resource, so reopen the issue.

@wata727 wata727 reopened this Aug 10, 2021
@gilbert-hsu
Copy link

gilbert-hsu commented Aug 31, 2021
edited
Loading

Should we valid sid pattern even sid absent from statement ?

Error: The policy's sid ("") does not match "^[a-zA-Z0-9]+$". 
(aws_iam_policy_sid_invalid_characters)
  on iam-policy.tf line 22:
  22:   policy = <<EOF
  23: {
  24:   "Version": "2012-10-17",
  25:   "Statement": [
  26:     {
  27:       "Action": [],
  34:       "Effect": "Allow",
  35:       "Resource": "*"
  36:     }
  37:   ]
  38: }
  39: EOF

@wata727 wata727 mentioned this issue Aug 31, 2021
Merged
@wata727
Copy link
Member

wata727 commented Sep 2, 2021

@gilbert-hsu Oops, this is a false positive. We have released v0.7.1 with this fix, so please try it.

@gilbert-hsu
Copy link

Thanks a lot!
v0.7.1 is fine in my environment!

@kyblik
Copy link

kyblik commented Sep 22, 2021

Got a failing use case even though this is a valid policy (notice the lack of [] in Statement):

resource "aws_iam_policy" "failing" {
  name   = "failing"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }
}
EOF
}

resource "aws_iam_policy" "passing" {
  name   = "passing"
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }]
}
EOF
}

Error messages:

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Failed to check ruleset. An error occurred:

Error: Failed to check `aws_iam_policy_sid_invalid_characters` rule: json: cannot unmarshal object into Go struct field AwsIAMPolicySidInvalidCharactersPolicyStruct.Statement of type []rules.AwsIAMPolicySidInvalidCharactersStatementStruct

Version

TFLint version 0.32.1
+ ruleset.aws (0.7.1-bundled)

@wata727 wata727 mentioned this issue Sep 23, 2021
Closed
@terraform-linters terraform-linters locked and limited conversation to collaborators Dec 7, 2022
@bendrucker bendrucker converted this issue into discussion #421 Dec 7, 2022

This issue was moved to a discussion.

You can continue the conversation there. Go to discussion →

Assignees
No one assigned
Labels
enhancement New feature or request
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

aws_iam_policy_sid Rihoj/tflint-ruleset-aws
4 participants
@kyblik @wata727 @gilbert-hsu @andormarkus