Add optional linting rules for govcloud IAM policies (#55)

* add optional linting rules for govcloud iam policies

* address PR review, ensure nested blocks in data source dont break

Author: circa10a

docs/rules/README.md

@@ -22,6 +22,9 @@ These rules warn of possible errors that can occur at `terraform apply`. Rules m
 |aws_elb_invalid_instance|✔|
 |aws_elb_invalid_security_group|✔|
 |aws_elb_invalid_subnet|✔|
+|[aws_iam_policy_document_gov_friendly](aws_iam_policy_document_gov_friendly.md)||
+|[aws_iam_policy_gov_friendly](aws_iam_policy_gov_friendly.md)||
+|[aws_iam_role_policy_gov_friendly](aws_iam_role_policy_gov_friendly.md)||
 |aws_instance_invalid_ami|✔|
 |aws_instance_invalid_iam_profile|✔|
 |aws_instance_invalid_key_name|✔|

docs/rules/aws_iam_policy_document_gov_friendly.md

@@ -0,0 +1,79 @@
+# aws_iam_policy_document_gov_friendly
+
+Ensure `iam_policy_document` data sources do not contain `arn:aws:` ARN's.
+
+## Configuration
+
+```hcl
+rule "aws_iam_policy_document_gov_friendly" {
+  enabled = true
+}
+```
+
+## Examples
+
+```hcl
+data "aws_iam_policy_document" "example" {
+  statement {
+    sid = "1"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "arn:aws:s3:::*",
+    ]
+  }
+
+  statement {
+    sid = "1"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "arn:aws-us-gov:s3:::*",
+    ]
+  }
+}
+```
+
+```sh
+❯ tflint policy.tf
+1 issue(s) found:
+
+Warning: ARN detected in IAM policy document that could potentially fail in AWS GovCloud due to resource pattern: arn:aws:.* (aws_iam_policy_document_gov_friendly_arns)
+
+  on policy.tf line 8:
+   8:     resources = [
+   9:       "arn:aws:s3:::*",
+  10:     ]
+```
+
+## Why
+
+1. Some firms have strict requirements for what AWS resources have access to government accounts. Usually only resources within the `arn:aws-us-gov:` scope are allowed.
+2. When developing reusable terraform modules for many AWS accounts, arn separators are usually converted into variables when creating resources in gov and non-gov accounts like so :
+
+```hcl
+locals {
+  arn_sep = var.is_govcloud ? "aws-us-gov" : "aws"
+}
+
+resource "aws_iam_policy_document" "example" {
+  statement {
+    sid = "1"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation",
+    ]
+    resources = [
+      "arn:${local.arn_sep}:s3:::my_bucket",
+    ]
+  }
+}
+```
+
+## How To Fix
+
+Ensure there are no `arn:aws:` scoped ARN's in your policy documents.

docs/rules/aws_iam_policy_gov_friendly.md

@@ -0,0 +1,93 @@
+# aws_iam_policy_gov_friendly
+
+Ensure `iam_policy` resources do not contain `arn:aws:` ARN's.
+
+## Configuration
+
+```hcl
+rule "aws_iam_policy_gov_friendly" {
+  enabled = true
+}
+```
+
+## Examples
+
+```hcl
+resource "aws_iam_policy" "policy" {
+  name        = "test_policy"
+  path        = "/"
+  description = "My test policy"
+  policy = <<EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+	  {
+	    "Action": [
+		  "ec2:Describe*"
+	    ],
+	    "Effect": "Allow",
+	    "Resource": "arn:aws:s3:::<bucketname>/*""
+	  }
+    ]
+  }
+EOF
+}
+```
+
+```sh
+❯ tflint policy.tf
+1 issue(s) found:
+
+Warning: ARN detected in IAM policy that could potentially fail in AWS GovCloud due to resource pattern: arn:aws:.* (aws_iam_policy_gov_friendly_arns)
+
+  on policy.tf line 5:
+   5:   policy      = <<EOF
+   6:   {
+   7:     "Version": "2012-10-17",
+   8:     "Statement": [
+   9:     {
+  10:       "Action": [
+  11:             "ec2:Describe*"
+  12:       ],
+  13:       "Effect": "Allow",
+  14:       "Resource": "arn:aws:s3:::<bucketname>/*""
+  15:     }
+  16:     ]
+  17:   }
+  18: EOF
+```
+
+## Why
+
+1. Some firms have strict requirements for what AWS resources have access to government accounts. Usually only resources within the `arn:aws-us-gov:` scope are allowed.
+2. When developing reusable terraform modules for many AWS accounts, arn separators are usually converted into variables when creating resources in gov and non-gov accounts like so :
+
+```hcl
+locals {
+  arn_sep = var.is_govcloud ? "aws-us-gov" : "aws"
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "test_policy"
+  path        = "/"
+  description = "My test policy"
+  policy      = <<EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+	  {
+	    "Action": [
+		  "ec2:Describe*"
+	    ],
+	    "Effect": "Allow",
+	    "Resource": "arn:${local.arn_sep}:s3:::my_bucket/*""
+	  }
+    ]
+  }
+EOF
+}
+```
+
+## How To Fix
+
+Ensure there are no `arn:aws:` scoped ARN's in your policy documents.

docs/rules/aws_iam_role_policy_gov_friendly.md

@@ -0,0 +1,92 @@
+# aws_iam_role_policy_gov_friendly
+
+Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's.
+
+## Configuration
+
+```hcl
+rule "aws_iam_role_policy_gov_friendly" {
+  enabled = true
+}
+```
+
+## Examples
+
+```hcl
+resource "aws_iam_role_policy" "test_policy" {
+  name = "test_policy"
+  role = "test_role"
+  policy = <<-EOF
+  {
+	  "Version": "2012-10-17",
+	  "Statement": [
+	    {
+		  "Action": [
+		    "ec2:Describe*"
+		  ],
+		  "Effect": "Allow",
+		  "Resource": "arn:aws:s3:::<bucketname>/*"
+	    }
+	  ]
+  }
+EOF
+}
+```
+
+```sh
+❯ tflint policy.tf
+1 issue(s) found:
+
+Warning: ARN detected in IAM role policy that could potentially fail in AWS GovCloud due to resource pattern: arn:aws:.* (aws_iam_role_policy_gov_friendly_arns)
+
+  on policy.tf line 4:
+   4:   policy = <<-EOF
+   5:   {
+   6:     "Version": "2012-10-17",
+   7:     "Statement": [
+   8:       {
+   9:             "Action": [
+  10:               "ec2:Describe*"
+  11:             ],
+  12:             "Effect": "Allow",
+  13:             "Resource": "arn:aws:s3:::<bucketname>/*"
+  14:       }
+  15:     ]
+  16:   }
+  17: EOF
+```
+
+## Why
+
+1. Some firms have strict requirements for what AWS resources have access to government accounts. Usually only resources within the `arn:aws-us-gov:` scope are allowed.
+2. When developing reusable terraform modules for many AWS accounts, arn separators are usually converted into variables when creating resources in gov and non-gov accounts like so :
+
+```hcl
+locals {
+  arn_sep = var.is_govcloud ? "aws-us-gov" : "aws"
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "test_policy"
+  path        = "/"
+  description = "My test policy"
+  policy      = <<EOF
+  {
+    "Version": "2012-10-17",
+    "Statement": [
+	  {
+	    "Action": [
+		  "ec2:Describe*"
+	    ],
+	    "Effect": "Allow",
+	    "Resource": "arn:${local.arn_sep}:s3:::mu_bucket/*""
+	  }
+    ]
+  }
+EOF
+}
+```
+
+## How To Fix
+
+Ensure there are no `arn:aws:` scoped ARN's in your policy documents.

rules/aws_iam_policy_document_gov_friendly_arns.go

@@ -0,0 +1,80 @@
+package rules
+
+import (
+	"fmt"
+	"log"
+	"regexp"
+
+	hcl "github.com/hashicorp/hcl/v2"
+	"github.com/terraform-linters/tflint-plugin-sdk/tflint"
+	"github.com/terraform-linters/tflint-ruleset-aws/project"
+)
+
+const statementBlockName = "statement"
+
+// AwsIAMPolicyDocumentGovFriendlyArnsRule checks for non-GovCloud arns
+type AwsIAMPolicyDocumentGovFriendlyArnsRule struct {
+	resourceType  string
+	attributeName string
+	pattern       *regexp.Regexp
+}
+
+// AwsIAMPolicyDocumentGovFriendlyArnsRule returns new rule with default attributes
+func NewAwsIAMPolicyDocumentGovFriendlyArnsRule() *AwsIAMPolicyDocumentGovFriendlyArnsRule {
+	return &AwsIAMPolicyDocumentGovFriendlyArnsRule{
+		resourceType:  "aws_iam_policy_document",
+		attributeName: "resources",
+		// AWS GovCloud arn separator is arn:aws-us-gov
+		// https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/using-govcloud-arns.html
+		pattern: regexp.MustCompile(`arn:aws:.*`),
+	}
+}
+
+// Name returns the rule name
+func (r *AwsIAMPolicyDocumentGovFriendlyArnsRule) Name() string {
+	return "aws_iam_policy_document_gov_friendly_arns"
+}
+
+// Enabled returns whether the rule is enabled by default
+func (r *AwsIAMPolicyDocumentGovFriendlyArnsRule) Enabled() bool {
+	return false
+}
+
+// Severity returns the rule severity
+func (r *AwsIAMPolicyDocumentGovFriendlyArnsRule) Severity() string {
+	return tflint.WARNING
+}
+
+// Link returns the rule reference link
+func (r *AwsIAMPolicyDocumentGovFriendlyArnsRule) Link() string {
+	return project.ReferenceLink(r.Name())
+}
+
+// Check checks the pattern is valid
+func (r *AwsIAMPolicyDocumentGovFriendlyArnsRule) Check(runner tflint.Runner) error {
+	log.Printf("[TRACE] Check `%s` rule", r.Name())
+	return runner.WalkResourceBlocks(r.resourceType, statementBlockName, func(statementBlock *hcl.Block) error {
+		content, _, diags := statementBlock.Body.PartialContent(&hcl.BodySchema{
+			Attributes: []hcl.AttributeSchema{
+				{Name: r.attributeName},
+			},
+		})
+		if diags.HasErrors() {
+			return diags
+		}
+		var val []string
+		err := runner.EvaluateExpr(content.Attributes[r.attributeName].Expr, &val, nil)
+		return runner.EnsureNoError(err, func() error {
+			for _, arn := range val {
+				if r.pattern.MatchString(arn) {
+					runner.EmitIssueOnExpr(
+						r,
+						fmt.Sprintf(`ARN detected in IAM policy document that could potentially fail in AWS GovCloud due to resource pattern: %s`, r.pattern),
+						content.Attributes[r.attributeName].Expr,
+					)
+				}
+			}
+			return nil
+		})
+	})
+}