
[BUG] Policies are not validated #27

@nimaft


Describe the bug
I have a solution that creates and deploys IAM roles using Terraform. Users can use aws_iam_policy_document resources to define an IAM policy and it will be added as an inline policy to an aws_iam_role resource and finally gets deployed. You can view the repository here.

When I run Terraform IAM policy validator in my pipeline, I get the following results:

2024-02-22 03:34:48,577 - INFO - No policy found at: module.example-pod-identity_Production.aws_iam_role.main.assume_role_policy
2024-02-22 03:34:48,577 - INFO - No policy found at: module.example-pod-identity_Production.aws_iam_role.main.assume_role_policy
2024-02-22 03:34:48,578 - INFO - No policy found at: module.example-pod-identity_Production.aws_iam_role_policy.inline_policy[0].policy
2024-02-22 03:34:48,578 - INFO - No policy found at: module.example-pod-identity_Production.aws_iam_role_policy.workflow_role_state_access.policy
2024-02-22 03:34:48,578 - INFO - Printing findings to the console...
{
    "BlockingFindings": [],
    "NonBlockingFindings": []
}

I checked my Terraform plan and the policies are all included in the plan. I'm not sure why they don't get processed. My plan did not fit in the issue, so I created a gist and added a link to the gist.

To Reproduce
Steps to reproduce the behavior:

  1. Copy the Terraform plan included above
  2. Run validator
  3. View results

Expected behavior
Expected to see validation results properly.


Additional context
Running Terraform Policy Validation as a part of my GitHub workflow, and this is how I set it up:

- name: Set up Python
  if: ${{ steps.plan.outputs.exitcode == '2' }}
  uses: actions/setup-python@v4
  with:
    python-version: '3.x'

- name: Install IAM Policy Validator for Terraform
  if: ${{ steps.plan.outputs.exitcode == '2' }}
  run: pip install tf-policy-validator

- name: IAM Policy Validator for Terraform
  if: ${{ steps.plan.outputs.exitcode == '2' }}
  run: |
    VALIDATOR_PATH=$(python -c "import iam_check; print(iam_check.__path__[0])")
    terraform show -json terraform.tfplan > tf.json
    tf-policy-validator validate --enable-logging --config $VALIDATOR_PATH/config/default.yaml --template-path tf.json --region ${{ steps.dotenv.outputs.aws_region }}
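To see what the validator has to work with before it runs, here is an added example (not code from the tf-policy-validator project or from this issue's reporter) that walks the `resource_changes` of a `terraform show -json` plan and reports, for each `aws_iam_role`, `aws_iam_role_policy` and `aws_iam_policy` change, whether the policy attribute holds a concrete document in `change.after`, is flagged in `change.after_unknown` as only known after apply, or is absent. Which of these cases the validator itself handles is not stated on this page; the script only reads Terraform's documented plan JSON shape. The embedded sample plan and its module and resource names are constructed for the example and are not the reporter's plan.

```python
"""Check which IAM policy attributes in a Terraform plan JSON are concrete.

Added example, not code from tf-policy-validator or from the issue reporter.
It reads the `terraform show -json` plan format and reports, per IAM
policy-bearing resource, whether the policy attribute has a value in
`change.after`, is flagged in `change.after_unknown` (known after apply),
or is absent. The sample plan is constructed; its names are assumptions.
"""
import json
import sys

# Resource type -> attribute holding the policy document (a JSON string).
POLICY_ATTRS = {
    "aws_iam_role": "assume_role_policy",
    "aws_iam_role_policy": "policy",
    "aws_iam_policy": "policy",
}


def _policy_changes(plan):
    """Yield (key, attr, after, after_unknown) per policy-bearing resource."""
    for rc in plan.get("resource_changes", []):
        attr = POLICY_ATTRS.get(rc.get("type"))
        if attr is None:
            continue  # not an IAM policy-bearing resource type
        change = rc.get("change") or {}
        yield (f"{rc['address']}.{attr}", attr,
               change.get("after") or {}, change.get("after_unknown") or {})


def classify_policy_attrs(plan):
    """Map "<address>.<attr>" to "present", "unknown" or "absent"."""
    results = {}
    for key, attr, after, unknown in _policy_changes(plan):
        if after.get(attr) is not None:
            results[key] = "present"  # concrete value in the plan
        elif unknown.get(attr) is True:
            results[key] = "unknown"  # value only known after apply
        else:
            results[key] = "absent"   # e.g. destroy-only change
    return results


def extract_policy_documents(plan):
    """Parse every present policy string; raise ValueError on invalid JSON."""
    docs = {}
    for key, attr, after, _unknown in _policy_changes(plan):
        raw = after.get(attr)
        if raw is None:
            continue
        try:
            docs[key] = json.loads(raw) if isinstance(raw, str) else raw
        except json.JSONDecodeError as exc:
            raise ValueError(f"{key}: policy is not valid JSON: {exc}") from exc
    return docs


# Constructed sample in the shape of `terraform show -json`: a role whose
# trust policy is concrete and an inline policy only known after apply.
# Terraform omits unknown attributes from `after` and flags them in
# `after_unknown`.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.example.aws_iam_role.main",
     "type": "aws_iam_role",
     "change": {"actions": ["create"],
                "after": {"name": "example-role",
                          "assume_role_policy": json.dumps({
                              "Version": "2012-10-17",
                              "Statement": [{"Effect": "Allow",
                                             "Principal": {"Service": "pods.eks.amazonaws.com"},
                                             "Action": ["sts:AssumeRole", "sts:TagSession"]}]})},
                "after_unknown": {"arn": True, "id": True}}},
    {"address": "module.example.aws_iam_role_policy.inline_policy[0]",
     "type": "aws_iam_role_policy",
     "change": {"actions": ["create"],
                "after": {"name": "inline"},
                "after_unknown": {"id": True, "policy": True, "role": True}}},
]}


def main(argv):
    """Usage: python check_plan_policies.py [tf.json]; defaults to SAMPLE_PLAN."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for key, status in sorted(classify_policy_attrs(plan).items()):
        print(f"{status:8} {key}")
    for key, doc in extract_policy_documents(plan).items():
        print(f"         {key}: {len(doc.get('Statement', []))} statement(s)")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the `tf.json` produced in the workflow step above (`python check_plan_policies.py tf.json`); with no argument it runs on the embedded sample. An attribute reported as `unknown` has no policy document in the plan at all, so nothing that reads only the plan file can validate it; that document exists only after apply.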

Labels: bug