Allow unbracketed IAM policy statements (#183)

wata727 · web-flow · commit eb7f901c238f · 2021-09-25T15:26:41.000+09:00
diff --git a/rules/aws_iam_policy_sid_invalid_characters.go b/rules/aws_iam_policy_sid_invalid_characters.go
@@ -10,11 +10,14 @@ import (
 	"github.com/terraform-linters/tflint-ruleset-aws/project"
 )
 
-type AwsIAMPolicySidInvalidCharactersStatementStruct struct {
+type AwsIAMPolicySidInvalidCharactersPolicyStatement struct {
 	Sid string `json:"Sid"`
 }
-type AwsIAMPolicySidInvalidCharactersPolicyStruct struct {
-	Statement []AwsIAMPolicySidInvalidCharactersStatementStruct `json:"Statement"`
+type AwsIAMPolicySidInvalidCharactersPolicy struct {
+	Statement []AwsIAMPolicySidInvalidCharactersPolicyStatement `json:"Statement"`
+}
+type AwsIAMPolicySidInvalidCharactersPolicyWithSingleStatement struct {
+	Statement AwsIAMPolicySidInvalidCharactersPolicyStatement `json:"Statement"`
 }
 
 // AwsIAMPolicySidInvalidCharactersRule checks for invalid characters in SID
@@ -60,11 +63,20 @@ func (r *AwsIAMPolicySidInvalidCharactersRule) Check(runner tflint.Runner) error
 		err := runner.EvaluateExpr(attribute.Expr, &val, nil)
 
 		return runner.EnsureNoError(err, func() error {
-			unMarshaledPolicy := AwsIAMPolicySidInvalidCharactersPolicyStruct{}
-			if jsonErr := json.Unmarshal([]byte(val), &unMarshaledPolicy); jsonErr != nil {
-				return jsonErr
+			var statements []AwsIAMPolicySidInvalidCharactersPolicyStatement
+
+			policy := AwsIAMPolicySidInvalidCharactersPolicy{}
+			if err := json.Unmarshal([]byte(val), &policy); err != nil {
+				// If the Statement clause includes only one value, you can omit the brackets, so try unmarshal to the struct accordingly.
+				// https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html
+				policy := AwsIAMPolicySidInvalidCharactersPolicyWithSingleStatement{}
+				if err := json.Unmarshal([]byte(val), &policy); err != nil {
+					return err
+				}
+				statements = []AwsIAMPolicySidInvalidCharactersPolicyStatement{policy.Statement}
+			} else {
+				statements = policy.Statement
 			}
-			statements := unMarshaledPolicy.Statement
 
 			for _, statement := range statements {
 				if statement.Sid == "" {
diff --git a/rules/aws_iam_policy_sid_invalid_characters_test.go b/rules/aws_iam_policy_sid_invalid_characters_test.go
@@ -21,17 +21,17 @@ resource "aws_iam_policy" "policy" {
 	role = "test_role"
 	policy = <<-EOF
 {
-	"Version": "2012-10-17",
-	"Statement": [
-	  {
-			"Sid": "This contains invalid-characters.",
-	    "Action": [
-	      "ec2:Describe*"
-			],
-			"Effect": "Allow",
-			"Resource": "arn:aws:s3:::<bucketname>/*"
-	  }
-	]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "This contains invalid-characters.",
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::<bucketname>/*"
+    }
+  ]
 }
 EOF
 }
@@ -56,25 +56,25 @@ resource "aws_iam_policy" "policy2" {
 	role = "test_role"
 	policy = <<-EOF
 {
-	"Version": "2012-10-17",
-	"Statement": [
-	  {
-			"Sid": "ThisIsAValidSid",
-	    "Action": [
-	      "ec2:Describe*"
-			],
-			"Effect": "Allow",
-			"Resource": "arn:aws:s3:::<bucketname>/*"
-	  },
-	  {
-			"Sid": "This contains invalid-characters.",
-	    "Action": [
-	      "ec2:Describe*"
-			],
-			"Effect": "Allow",
-			"Resource": "arn:aws:s3:::<bucketname>/*"
-	  }
-	]
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "ThisIsAValidSid",
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::<bucketname>/*"
+    },
+    {
+      "Sid": "This contains invalid-characters.",
+      "Action": [
+        "ec2:Describe*"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::<bucketname>/*"
+    }
+  ]
 }
 EOF
 }
@@ -112,6 +112,29 @@ resource "aws_iam_policy" "policy" {
 }
 EOF
 }
+`,
+			Expected: helper.Issues{},
+		},
+		{
+			Name: "Single Statement",
+			Content: `
+resource "aws_iam_policy" "policy" {
+	name = "test_policy"
+	role = "test_role"
+	policy = <<-EOF
+{
+  "Version": "2012-10-17",
+  "Statement": {
+    "Sid": "ThisIsAValidSid",
+    "Action": [
+      "ec2:Describe*"
+    ],
+    "Effect": "Allow",
+    "Resource": "arn:aws:s3:::<bucketname>/*"
+  }
+}
+EOF
+}
 `,
 			Expected: helper.Issues{},
 		},
@@ -120,12 +143,14 @@ EOF
 	rule := NewAwsIAMPolicySidInvalidCharactersRule()
 
 	for _, tc := range cases {
-		runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
+		t.Run(tc.Name, func(t *testing.T) {
+			runner := helper.TestRunner(t, map[string]string{"resource.tf": tc.Content})
 
-		if err := rule.Check(runner); err != nil {
-			t.Fatalf("Unexpected error occurred: %s", err)
-		}
+			if err := rule.Check(runner); err != nil {
+				t.Fatalf("Unexpected error occurred: %s", err)
+			}
 
-		helper.AssertIssues(t, tc.Expected, runner.Issues)
+			helper.AssertIssues(t, tc.Expected, runner.Issues)
+		})
 	}
 }
