Feature/wildcard policy rules

cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/rule.yml

@@ -0,0 +1,26 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: CLOUDWATCH_WILDCARD_PRINCIPAL
+    message: Cloudwatch destination policy allow policy should not use a wildcard princpal
+    resource: aws_cloudwatch_log_destination_policy
+    severity: FAILURE
+    assertions:
+      - none:
+          key: access_policy.Statement
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Principal
+              op: contains
+              value: "*"
+    tags:
+      - cloudwatch
+      - policy

cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf

@@ -0,0 +1,116 @@
+# Test that CloudWatch log destination policy is not using a wildcard principal
+# https://www.terraform.io/docs/providers/aws/r/cloudwatch_log_destination_policy.html#access_policy
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# PASS: Allow statement does not use a wildcard principal
+resource "aws_cloudwatch_log_destination_policy" "cw_destination_no_wildcard" {
+  destination_name = "cloudwatch_destination"
+  access_policy    = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "cloudwatch:*",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::1234567890:user/foo"
+                ]
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
+        }
+    ]
+}
+EOF
+}
+
+# PASS: Deny statement does not use a wildcard principal
+resource "aws_cloudwatch_log_destination_policy" "cw_destination_deny_no_wildcard" {
+  destination_name = "cloudwatch_destination"
+  access_policy    = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "cloudwatch:*",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::1234567890:user/foo"
+                ]
+            },
+            "Effect": "Deny",
+            "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
+        }
+    ]
+}
+EOF
+}
+
+# PASS: Deny statement uses a wildcard principal
+resource "aws_cloudwatch_log_destination_policy" "cw_destination_deny_with_wildcard" {
+  destination_name = "cloudwatch_destination"
+  access_policy    = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "cloudwatch:*",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::1234567890:user/*"
+                ]
+            },
+            "Effect": "Deny",
+            "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL: Allow statement uses a wildcard principal
+resource "aws_cloudwatch_log_destination_policy" "cw_destination_allow_with_wildcard" {
+  destination_name = "cloudwatch_destination"
+  access_policy    = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "cloudwatch:*",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::1234567890:user/*"
+                ]
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL: Allow statement uses a wildcard principal
+resource "aws_cloudwatch_log_destination_policy" "cw_destination_principal_is_wildcard" {
+  destination_name = "cloudwatch_destination"
+  access_policy    = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Action": "cloudwatch:*",
+            "Principal": {
+                "AWS": [
+                    "*"
+                ]
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:logs:us-west-1:123456789012:log-group:/mystack-testgroup-12ABC1AB12A1:*"
+        }
+    ]
+}
+EOF
+}

cli/assets/terraform/aws/cloudwatch/cloudwatch_log_destination_policy/wildcard_principal/tests/test.yml

@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+tests:
+  -
+    ruleId: CLOUDWATCH_WILDCARD_PRINCIPAL
+    warnings: 0
+    failures: 2
+    tags:
+      - "terraform12"

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml

@@ -0,0 +1,26 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: ECR_WILDCARD_PRINCIPAL
+    message: ECR allow policy should not use a wildcard princpal
+    resource: aws_ecr_repository_policy
+    severity: FAILURE
+    assertions:
+      - none:
+          key: policy.Statement
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Principal
+              op: contains
+              value: "*"
+    tags:
+      - ecr
+      - policy

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf

@@ -0,0 +1,91 @@
+# Test that ECR allow policy is not using a wildcard principal
+# https://www.terraform.io/docs/providers/aws/r/ecr_repository_policy.html#policy
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# PASS: Allow policy not using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "arn:aws:iam::1234567890:user/foo",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+
+# PASS: Deny policy using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_deny_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Deny",
+            "Principal": "arn:aws:iam::1234567890:user/*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL Allow policy using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_allow_with_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "arn:aws:iam::1234567890:user/*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL: Allow policy where principal is a wildcard
+resource "aws_ecr_repository_policy" "ecr_allow_principal_is_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/test.yml

@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+tests:
+  -
+    ruleId: ECR_WILDCARD_PRINCIPAL
+    warnings: 0
+    failures: 2
+    tags:
+      - "terraform12"

cli/assets/terraform/aws/elasticsearch/shared/wildcard_principal/rule.yml

@@ -0,0 +1,28 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: ELASTICSEARCH_POLICY_WILDCARD_PRINCIPAL
+    message: Elasticsearch allow policy should not use a wildcard princpal
+    resources:
+      - aws_elasticsearch_domain_policy
+      - aws_elasticsearch_domain
+    severity: FAILURE
+    assertions:
+      - none:
+          key: access_policies.Statement
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Principal
+              op: contains
+              value: "*"
+    tags:
+      - elasticsearch
+      - policy