Adding ECR and IOT allow policy wildcard principal rules

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/rule.yml

@@ -0,0 +1,26 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: ECR_WILDCARD_PRINCIPAL
+    message: ECR allow policy should not use a wildcard princpal
+    resource: aws_ecr_repository_policy
+    severity: FAILURE
+    assertions:
+      - none:
+          key: policy.Statement
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Principal
+              op: contains
+              value: "*"
+    tags:
+      - ecr
+      - policy

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf

@@ -0,0 +1,91 @@
+# Test that ECR allow policy is not using a wildcard principal
+# https://www.terraform.io/docs/providers/aws/r/ecr_repository_policy.html#policy
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# PASS: Allow policy not using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_allow_no_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "arn:aws:iam::1234567890:user/foo",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+
+# PASS: Deny policy using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_deny_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Deny",
+            "Principal": "arn:aws:iam::1234567890:user/*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL Allow policy using wildcard principal
+resource "aws_ecr_repository_policy" "ecr_allow_with_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "arn:aws:iam::1234567890:user/*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+# FAIL: Allow policy where principal is a wildcard
+resource "aws_ecr_repository_policy" "ecr_allow_principal_is_wildcard" {
+  repository = "ecr-repo"
+
+  policy = <<EOF
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": "*",
+            "Action": [
+                "ecr:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}

cli/assets/terraform/aws/ecr/ecr_repository_policy/wildcard_principal/tests/test.yml

@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+tests:
+  -
+    ruleId: ECR_WILDCARD_PRINCIPAL
+    warnings: 0
+    failures: 2
+    tags:
+      - "terraform12"

cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/rule.yml

@@ -0,0 +1,26 @@
+---
+version: 1
+description: Terraform rules
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+rules:
+
+  - id: IOT_WILDCARD_PRINCIPAL
+    message: IOT allow policy should not use a wildcard princpal
+    resource: aws_iot_policy
+    severity: FAILURE
+    assertions:
+      - none:
+          key: policy.Statement
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Principal
+              op: contains
+              value: "*"
+    tags:
+      - iot
+      - policy

cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/tests/terraform12/wildcard_principal.tf

@@ -0,0 +1,111 @@
+# Test that IOT allow statement is not using a wildcard principal
+# https://www.terraform.io/docs/providers/aws/r/iot_policy.html#policy
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+# PASS: Allow with no wildcard principal
+resource "aws_iot_policy" "iot_allow_no_wildcard" {
+  name = "PubSubToAnyTopic"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iot:*"
+      ],
+      "Principal": "arn:aws:iam::1234567890:user/foo",
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+# PASS: Deny with no wildcard principal
+resource "aws_iot_policy" "iot_deny_no_wildcard" {
+  name = "PubSubToAnyTopic"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iot:*"
+      ],
+      "Principal": "arn:aws:iam::1234567890:user/foo",
+      "Effect": "Deny",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+# PASS: Deny with a wildcard principal
+resource "aws_iot_policy" "iot_deny_with_wildcard" {
+  name = "PubSubToAnyTopic"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iot:*"
+      ],
+      "Principal": "arn:aws:iam::1234567890:user/*",
+      "Effect": "Deny",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+# FAIL: Allow with wildcard principal
+resource "aws_iot_policy" "iot_allow_with_wildcard" {
+  name = "PubSubToAnyTopic"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iot:*"
+      ],
+      "Principal": "arn:aws:iam::1234567890:user/*",
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+# FAIL: Allow with wildcard principal
+resource "aws_iot_policy" "iot_allow_principal_is_wildcard" {
+  name = "PubSubToAnyTopic"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "iot:*"
+      ],
+      "Principal": "*",
+      "Effect": "Allow",
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}

cli/assets/terraform/aws/iot/iot_policy/wildcard_principal/tests/test.yml

@@ -0,0 +1,14 @@
+---
+version: 1
+description: Terraform 12 tests
+type: Terraform
+files:
+  - "*.tf"
+  - "*.tfvars"
+tests:
+  -
+    ruleId: IOT_WILDCARD_PRINCIPAL
+    warnings: 0
+    failures: 2
+    tags:
+      - "terraform12"