Merge pull request #202 from stelligent/feature/wildcard_policy_rules
Feature/wildcard policy rules
Keith Monihen authored Apr 20, 2020
2 parents d9cbfc0 + e280e57 commit e8c4b55
Showing 31 changed files with 1,731 additions and 1 deletion.
@@ -0,0 +1,26 @@
---
version: 1
description: Terraform rules
type: Terraform
files:
- "*.tf"
- "*.tfvars"
rules:

- id: CLOUDWATCH_WILDCARD_PRINCIPAL
message: Cloudwatch destination policy allow policy should not use a wildcard princpal
resource: aws_cloudwatch_log_destination_policy
severity: FAILURE
assertions:
- none:
key: access_policy.Statement
expressions:
- key: Effect
op: eq
value: Allow
- key: Principal
op: contains
value: "*"
tags:
- cloudwatch
- policy
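Review bot: The `message` string misspells "principal" as "princpal", and in this rule it also reads "destination policy allow policy"; this is the text a user sees when the rule fires. Suggested wording: `message: CloudWatch log destination policy should not allow a wildcard principal`. The same misspelling is in the `message` of ECR_WILDCARD_PRINCIPAL and ELASTICSEARCH_POLICY_WILDCARD_PRINCIPAL in the later rule files.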
@@ -0,0 +1,116 @@
# Test that CloudWatch log destination policy is not using a wildcard principal
# https://www.terraform.io/docs/providers/aws/r/cloudwatch_log_destination_policy.html#access_policy

provider "aws" {
region = "us-east-1"
}

# PASS: Allow statement does not use a wildcard principal
resource "aws_cloudwatch_log_destination_policy" "cw_destination_no_wildcard" {
destination_name = "cloudwatch_destination"
access_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudwatch:*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/foo"
]
},
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
}
]
}
EOF
}

# PASS: Deny statement does not use a wildcard principal
resource "aws_cloudwatch_log_destination_policy" "cw_destination_deny_no_wildcard" {
destination_name = "cloudwatch_destination"
access_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudwatch:*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/foo"
]
},
"Effect": "Deny",
"Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
}
]
}
EOF
}

# PASS: Deny statement uses a wildcard principal
resource "aws_cloudwatch_log_destination_policy" "cw_destination_deny_with_wildcard" {
destination_name = "cloudwatch_destination"
access_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudwatch:*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/*"
]
},
"Effect": "Deny",
"Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
}
]
}
EOF
}

# FAIL: Allow statement uses a wildcard principal
resource "aws_cloudwatch_log_destination_policy" "cw_destination_allow_with_wildcard" {
destination_name = "cloudwatch_destination"
access_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudwatch:*",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/*"
]
},
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
}
]
}
EOF
}

# FAIL: Allow statement uses a wildcard principal
resource "aws_cloudwatch_log_destination_policy" "cw_destination_principal_is_wildcard" {
destination_name = "cloudwatch_destination"
access_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "cloudwatch:*",
"Principal": {
"AWS": [
"*"
]
},
"Effect": "Allow",
"Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
}
]
}
EOF
}
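Review bot: Every fixture in this file has exactly one statement, so nothing checks that the rule's two expressions (`Effect eq Allow` and `Principal contains "*"`) are evaluated against the same statement rather than across the whole `Statement` array. A policy that combines a wildcard Deny with a specific Allow should pass; adding that case would catch a false positive if the matching is not per statement, and the expected `failures: 2` in the tests file stays unchanged. The ECR fixture has the same gap. The second FAIL comment also repeats the first; `# FAIL: Allow statement where the principal is a wildcard` would tell the two cases apart.

```hcl
# PASS: the wildcard principal appears only in the Deny statement
resource "aws_cloudwatch_log_destination_policy" "cw_destination_mixed_statements" {
  destination_name = "cloudwatch_destination"
  access_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "cloudwatch:*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/*"
        ]
      },
      "Effect": "Deny",
      "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
    },
    {
      "Action": "cloudwatch:*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/foo"
        ]
      },
      "Effect": "Allow",
      "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
    }
  ]
}
EOF
}
```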
@@ -0,0 +1,14 @@
---
version: 1
description: Terraform 12 tests
type: Terraform
files:
- "*.tf"
- "*.tfvars"
tests:
-
ruleId: CLOUDWATCH_WILDCARD_PRINCIPAL
warnings: 0
failures: 2
tags:
- "terraform12"
@@ -0,0 +1,26 @@
---
version: 1
description: Terraform rules
type: Terraform
files:
- "*.tf"
- "*.tfvars"
rules:

- id: ECR_WILDCARD_PRINCIPAL
message: ECR allow policy should not use a wildcard princpal
resource: aws_ecr_repository_policy
severity: FAILURE
assertions:
- none:
key: policy.Statement
expressions:
- key: Effect
op: eq
value: Allow
- key: Principal
op: contains
value: "*"
tags:
- ecr
- policy
@@ -0,0 +1,91 @@
# Test that ECR allow policy is not using a wildcard principal
# https://www.terraform.io/docs/providers/aws/r/ecr_repository_policy.html#policy

provider "aws" {
region = "us-east-1"
}

# PASS: Allow policy not using wildcard principal
resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
repository = "ecr-repo"

policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:aws:iam::1234567890:user/foo",
"Action": [
"ecr:*"
],
"Resource": "*"
}
]
}
EOF
}


# PASS: Deny policy using wildcard principal
resource "aws_ecr_repository_policy" "ecr_deny_wildcard" {
repository = "ecr-repo"

policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "arn:aws:iam::1234567890:user/*",
"Action": [
"ecr:*"
],
"Resource": "*"
}
]
}
EOF
}

# FAIL Allow policy using wildcard principal
resource "aws_ecr_repository_policy" "ecr_allow_with_wildcard" {
repository = "ecr-repo"

policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "arn:aws:iam::1234567890:user/*",
"Action": [
"ecr:*"
],
"Resource": "*"
}
]
}
EOF
}

# FAIL: Allow policy where principal is a wildcard
resource "aws_ecr_repository_policy" "ecr_allow_principal_is_wildcard" {
repository = "ecr-repo"

policy = <<EOF
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"ecr:*"
],
"Resource": "*"
}
]
}
EOF
}
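Review bot: The non-wildcard fixtures write `Principal` as a bare ARN string (`"Principal": "arn:aws:iam::1234567890:user/foo"`), a form the AWS policy grammar does not accept: `Principal` is either `"*"` or a map keyed by principal type. Real ECR repository policies therefore reach the rule as a map, and no fixture in this file exercises that shape. Changing the PASS case to `"Principal": { "AWS": "arn:aws:iam::1234567890:user/foo" },` and the first FAIL case to the matching `user/*` map would test the rule against input it will actually see. The `# FAIL Allow policy using wildcard principal` comment is also missing the colon used by the other markers.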
@@ -0,0 +1,14 @@
---
version: 1
description: Terraform 12 tests
type: Terraform
files:
- "*.tf"
- "*.tfvars"
tests:
-
ruleId: ECR_WILDCARD_PRINCIPAL
warnings: 0
failures: 2
tags:
- "terraform12"
@@ -0,0 +1,28 @@
---
version: 1
description: Terraform rules
type: Terraform
files:
- "*.tf"
- "*.tfvars"
rules:

- id: ELASTICSEARCH_POLICY_WILDCARD_PRINCIPAL
message: Elasticsearch allow policy should not use a wildcard princpal
resources:
- aws_elasticsearch_domain_policy
- aws_elasticsearch_domain
severity: FAILURE
assertions:
- none:
key: access_policies.Statement
expressions:
- key: Effect
op: eq
value: Allow
- key: Principal
op: contains
value: "*"
tags:
- elasticsearch
- policy
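Review bot: This rule reports FAILURE for any Allow statement whose `Principal` contains `*` and never looks at the statement's `Condition`. Elasticsearch domain access policies are commonly written as `"Principal": "*"` restricted by an `aws:SourceIp` condition, so those would be flagged the same as a fully open domain. If that is intended, say so next to the rule, for example `# Condition is not evaluated: IP-restricted policies with a wildcard principal are reported as well`, so users can tell a deliberate strict check from a false positive. The rule also lists `aws_elasticsearch_domain`, where `access_policies` is optional, and no fixture visible in this part of the commit shows how a domain without that attribute is scored.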