# general
b
Hello all, My team is writing a `ResourceValidationPolicy` for CrossGuard that is looking for S3 Bucket Policies that would allow public traffic. We are running into complications with the `PolicyDocument.Statement` being a type of `Input<Input<PolicyStatement>[]>`. How can we get at the `PolicyStatement` fields to verify things like `PolicyStatement.Principal` is not set to `*` without a `PolicyStatement.Condition`? Thanks in advance for the help.
l
You need to do your verifications inside apply()s. This pseudo-code might help?
```typescript
// Pseudo-code sketch (untested): run the checks inside apply(), because the
// statements arrive as an Input/Output rather than a plain array.
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
  policy.statements.apply((statements: PolicyStatement[]) => {
    statements.forEach(statement => {
      // Flag a statement that grants access to any principal ("*") with no Condition narrowing it.
      if (statement.principals.length === 1 && statement.principals[0] === "*" && statement.conditions.length === 0) {
        reportViolation(`Statement ${statement.sid} allows any principal but has no conditions applied`);
      }
    });
  });
})
```
(Code completely untested.. it's just pseudo-code..)
m
`policy` here is an `UnwrappedObject<aws.s3.BucketPolicyArgs>`, and `policy.policy` (which contains the Statement) is a `string | UnwrappedObject<aws.iam.PolicyDocument>`. For me, it ends up a `string`, which means you'll have to JSON.parse it (and then cast that) to examine its contents. This seems to work for me:
```typescript
import * as aws from "@pulumi/aws";
import { UnwrappedObject } from "@pulumi/pulumi";
import { validateResourceOfType } from "@pulumi/policy";
// ...
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
    // policy.policy arrives as a JSON string here, so parse it and cast it to the document type.
    const policyDoc = JSON.parse(policy.policy as string) as UnwrappedObject<aws.iam.PolicyDocument>;

    // Any statement whose Principal is the wildcard "*" counts as a violation.
    const violations = policyDoc.Statement
        .filter(statement => statement.Principal === "*");

    if (violations.length > 0) {
        reportViolation("Hey -- don't do that.");
    }
}),
// ...
```
There may well be a more elegant way to do this, but hopefully this’ll at least work for ya. 🤞
l
I think `aws.iam.PolicyDocument` should be an implicit cast-with-marshalling thanks to some Pulumi magic.. if not, then maybe an issue should be raised? It works in Role and other places that use PolicyDocuments.
m
That may well be, too. Here’s what I see, at least, in my IDE:
I haven’t used PAC much, though — if this is different from the norm, then yeah maybe an issue should be filed. It definitely doesn’t feel quite right though I agree.
I must be looking at the wrong thing. 🤔 When I `validateResourceOfType(aws.iam.Role…)`, I see the same thing — `role` is an `UnwrappedObject`, and `role.assumeRolePolicy` is a `string | UnwrappedObject` as well:
l
And you can't just cast it to an aws.iam.PolicyDocument? Darn. That'd be nice...
m
Yeah, I agree. I’ll see if I can file something to consider for this one. Thanks!
b
@little-cartoon-10569 and @miniature-musician-31262 Thanks for the help. We appreciate it. We also discovered that it always comes in as a `string` and we can do the parsing @miniature-musician-31262 suggested. Thanks again.