terraform-compliance / cli

a lightweight, security focused, BDD test framework against terraform.

Home Page:https://terraform-compliance.com


Is it possible to validate upper levels of a resource after drill down?

marcelo-rabello-ifood opened this issue · comments

Example: aws_s3_bucket_policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal" : "*",
            "Action": [
                "s3:List*",
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*",
                "arn:aws:s3:::my-bucket"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-0123abcd"
                }
            }
        }
    ]
}

Let's say that I want to validate the existence of a Condition field, but only if my Principal field is *, so I built a Scenario that looks like this:

Scenario Outline: policies that allows anonymous principals must not be created
	Given I have aws_s3_bucket_policy defined
	When it has policy
	Then it must have policy
	When it has Statement
	Then it must have Statement
	When its Effect is Allow
	And it has principal
	Then it must have principal
	When its value is *
	...

But after drilling down to the Principal level, I could not find a way to refer to the Condition field again, because it is a subfield of Statement, and not of Principal. Is there a way to do this kind of validation using terraform-compliance?

You can achieve this by using the When its {key} is {value} directive.

e.g.

Scenario Outline: policies that allows anonymous principals must not be created
	Given I have aws_s3_bucket_policy defined
	Then it must have policy
	Then it must have Statement
	When its Effect is Allow
	When its Principal is *
	Then it must have Condition
	And its value must not be null

Didn't try it on my local, but it should work. Will try soon.
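As an added illustration (not terraform-compliance's own code and not from either poster), here is the rule the answer's scenario expresses, written as plain Python over the policy quoted in the issue: keep only statements with Effect Allow and an anonymous Principal, then require a non-null Condition. It goes a little beyond the thread by also accepting the {"AWS": "*"} spelling of the wildcard principal and the JSON-string form the policy attribute takes in a plan.

```python
import json

# Constructed sample: the bucket policy quoted in the issue. Its single Allow
# statement grants anonymous access but carries a Condition, so it should pass.
POLICY_WITH_CONDITION = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:List*", "s3:Get*"],
    "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"],
    "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0123abcd"}}
  }]
}
""")

# Constructed counter-example: the same statement with the Condition dropped.
POLICY_WITHOUT_CONDITION = json.loads(json.dumps(POLICY_WITH_CONDITION))
del POLICY_WITHOUT_CONDITION["Statement"][0]["Condition"]


def is_anonymous(principal):
    """True for the principal spellings IAM treats as 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):  # {"AWS": "*"} is the structured form
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def unconditioned_anonymous_allows(policy):
    """Indexes of Allow statements that grant anonymous access without a
    usable Condition (absent, null or empty): the rule the scenario states."""
    if isinstance(policy, str):  # in a plan the policy attribute is a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be unwrapped
        statements = [statements]
    return [
        idx for idx, stmt in enumerate(statements)
        if stmt.get("Effect") == "Allow"
        and is_anonymous(stmt.get("Principal"))
        and not stmt.get("Condition")
    ]


def policy_is_compliant(policy):
    return not unconditioned_anonymous_allows(policy)
```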