better handling of invalid or empty JSON strings in policy strings

linter/terraform.go

@@ -196,8 +196,10 @@ func replaceVariables(templateResource interface{}, variables []Variable) interf
 	switch v := templateResource.(type) {
 	case map[string]interface{}:
 		return replaceVariablesInMap(v, variables)
+	case string:
+		return resolveValue(v, variables)
 	default:
-		assertion.Debugf("replaceVariables cannot process type %T\n", v)
+		assertion.Debugf("replaceVariables cannot process type %T: %v\n", v, v)
 		return templateResource
 	}
 }
@@ -251,9 +253,11 @@ func parsePolicy(resource interface{}) (interface{}, error) {
 		if policyAttribute, hasPolicyString := properties[attribute]; hasPolicyString {
 			if policyString, isString := policyAttribute.(string); isString {
 				var policy interface{}
-				err := json.Unmarshal([]byte(policyString), &policy)
-				if err != nil {
-					return properties, err
+				if policyString != "" {
+					err := json.Unmarshal([]byte(policyString), &policy)
+					if err != nil {
+						assertion.Debugf("Unable to parse '%s' as JSON\n", policyString)
+					}
 				}
 				properties[attribute] = policy
 			}

linter/terraform_test.go

@@ -141,6 +141,18 @@ func TestTerraformLinterCases(t *testing.T) {
 			1,
 			"TEST_POLICY",
 		},
+		"PolicyInvalidJSON": {
+			"./testdata/resources/terraform_policy_invalid_json.tf",
+			"./testdata/rules/terraform_policy.yml",
+			0,
+			"",
+		},
+		"PolicyEmpty": {
+			"./testdata/resources/terraform_policy_empty.tf",
+			"./testdata/rules/terraform_policy.yml",
+			0,
+			"",
+		},
 	}
 	for name, tc := range testCases {
 		options := Options{

linter/testdata/resources/terraform_policy_empty.tf

@@ -0,0 +1,5 @@
+resource "aws_iam_role" "role1" {
+    name = "role1"
+    assume_role_policy = <<EOF
+EOF
+}

linter/testdata/resources/terraform_policy_invalid_json.tf

@@ -0,0 +1,10 @@
+resource "aws_iam_role" "role1" {
+    name = "role1"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": }
+}
+EOF
+}
+