github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/rules/cloud/policies/aws/iam/no_policy_wildcards.tf.go (about) 1 package iam 2 3 var terraformNoPolicyWildcardsGoodExamples = []string{ 4 ` 5 resource "aws_iam_role_policy" "test_policy" { 6 name = "test_policy" 7 role = aws_iam_role.test_role.id 8 9 policy = data.aws_iam_policy_document.s3_policy.json 10 } 11 12 resource "aws_iam_role" "test_role" { 13 name = "test_role" 14 assume_role_policy = jsonencode({ 15 Version = "2012-10-17" 16 Statement = [ 17 { 18 Action = "sts:AssumeRole" 19 Effect = "Allow" 20 Sid = "" 21 Principal = { 22 Service = "s3.amazonaws.com" 23 } 24 }, 25 ] 26 }) 27 } 28 29 data "aws_iam_policy_document" "s3_policy" { 30 statement { 31 principals { 32 type = "AWS" 33 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 34 } 35 actions = ["s3:GetObject"] 36 resources = [aws_s3_bucket.example.arn] 37 } 38 } 39 `, 40 } 41 42 var terraformNoPolicyWildcardsBadExamples = []string{ 43 ` 44 resource "aws_iam_role_policy" "test_policy" { 45 name = "test_policy" 46 role = aws_iam_role.test_role.id 47 48 policy = data.aws_iam_policy_document.s3_policy.json 49 } 50 51 resource "aws_iam_role" "test_role" { 52 name = "test_role" 53 assume_role_policy = jsonencode({ 54 Version = "2012-10-17" 55 Statement = [ 56 { 57 Action = "sts:AssumeRole" 58 Effect = "Allow" 59 Sid = "" 60 Principal = { 61 Service = "s3.amazonaws.com" 62 } 63 }, 64 ] 65 }) 66 } 67 68 data "aws_iam_policy_document" "s3_policy" { 69 statement { 70 principals { 71 type = "AWS" 72 identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 73 } 74 actions = ["s3:*"] 75 resources = ["*"] 76 } 77 } 78 `, 79 } 80 81 var terraformNoPolicyWildcardsLinks = []string{ 82 `https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document`, 83 } 84 85 var terraformNoPolicyWildcardsRemediationMarkdown = ``