Is it possible to validate upper levels of a resource after drill down?
marcelo-rabello-ifood opened this issue
marcelo-rabello-ifood commented
Example: aws_s3_bucket_policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket/*",
        "arn:aws:s3:::my-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-0123abcd"
        }
      }
    }
  ]
}
Let's say that I want to validate the existence of a Condition field, but only if my Principal field is *, so I built a Scenario that looks like this:
Scenario Outline: policies that allow anonymous principals must not be created
  Given I have aws_s3_bucket_policy defined
  When it has policy
  Then it must have policy
  When it has Statement
  Then it must have Statement
  When its Effect is Allow
  And it has principal
  Then it must have principal
  When its value is *
  ...
But after drilling down to the Principal level, I could not find a way to refer to the Condition field again, because it is a subfield of Statement, and not of Principal. Is there a way to do this kind of validation using terraform-compliance?
Emre Erkunt commented
You can achieve this by using the When its {key} is {value} directive, e.g.:
Scenario Outline: policies that allow anonymous principals must not be created
  Given I have aws_s3_bucket_policy defined
  Then it must have policy
  Then it must have Statement
  When its Effect is Allow
  When its Principal is *
  Then it must have Condition
  And its value must not be null
Didn't try it on my local, but it should work. Will try soon.
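For readers who want to see the intended rule spelled out independently of the step syntax, here is the same check as standalone Python. This is an added example, not code from the issue or from terraform-compliance itself: it works on the decoded aws_s3_bucket_policy policy attribute (Terraform stores it as a JSON string), and for every Statement whose Effect is Allow and whose Principal is anonymous it requires a non-empty Condition, which is exactly the "step back up from Principal to its enclosing Statement" the question asks about. The function names and the three sample policies are constructed for the example. It deliberately goes a little beyond the scenario above: it also treats the {"AWS": "*"} spelling as anonymous and an empty Condition object as missing.

```python
import json

# Constructed sample: the policy quoted in the issue, serialised the way
# Terraform stores it in aws_s3_bucket_policy.policy (a JSON string).
POLICY_WITH_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"],
        "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0123abcd"}},
    }],
})

# Constructed sample: the same grant with the Condition removed, which the
# scenario in the issue is meant to reject.
POLICY_WITHOUT_CONDITION = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:List*", "s3:Get*"],
        "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3:::my-bucket"],
    }],
})

# Constructed sample: a Deny statement (out of scope for the rule) followed by
# an Allow that spells anonymous as {"AWS": ["*"]} and has an empty Condition.
POLICY_MIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteBucket",
         "Resource": "arn:aws:s3:::my-bucket"},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket/*", "Condition": {}},
    ],
})


def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when the statement grants to everyone: "*" or {"AWS": "*"}
    (the AWS entry may itself be a string or a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_unconditioned_anonymous_statements(policy):
    """Return (index, label) for every Allow statement whose Principal is
    anonymous and whose Condition is missing or empty.

    `policy` may be the JSON string from aws_s3_bucket_policy.policy or an
    already-decoded dict. Statement is normalised because IAM accepts a single
    object as well as a list."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(statement.get("Principal")):
            continue
        # The sibling check from the question: having matched on Principal,
        # look at Condition on the same enclosing Statement.
        if not statement.get("Condition"):
            findings.append((index, statement.get("Sid", f"statement[{index}]")))
    return findings


if __name__ == "__main__":
    for name, policy in [("with condition", POLICY_WITH_CONDITION),
                         ("without condition", POLICY_WITHOUT_CONDITION),
                         ("mixed", POLICY_MIXED)]:
        print(name, find_unconditioned_anonymous_statements(policy))
```

Running it flags only the second and third samples; the first passes because its anonymous grant is fenced by the aws:sourceVpce condition, which is the behaviour the scenario in the issue is trying to express.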