https://pulumi.com logo
Powered by
#general
Title
# general
b

busy-dentist-99842

04/07/2022, 4:21 PM
Hello all, My team is writing a 
ResourceValidationPolicy
for CrossGuard that is looking for S3 Bucket Policies that would allow public traffic. We are running into complications with the 
PolicyDocument.Statement
being a type of 
Input<Input<PolicyStatement>[]>
. How can we get at the 
PolicyStatement
fields to verify things like 
PolicyStatement.Principal
is not set to 
*
without a 
PolicyStatement.Condition
? Thanks in advance for the help.
l

little-cartoon-10569

04/07/2022, 10:00 PM
You need to do your verifications inside apply()s. This pseudo-code might help?
Copy code
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
  policy.statements.apply((statements: PolicyStatement[]) => {
    statements.forEach(statement => {
      if (statement.principals.length == 1 && statement.principals[0] == "*" && statement.conditions.length == 0) {
        reportViolation(`Statement ${statement.sid} allows any principal but has no conditions applied`);
      }
    });
  });
})
(Code completely untested.. it's just pseudo-code..)
m

miniature-musician-31262

04/08/2022, 12:18 AM
policy
here is an 
UnwrappedObject<aws.s3.BucketPolicyArgs>
, and 
policy.policy
(which contains the Statement) is a 
string | UnwrappedObject<aws.iam.PolicyDocument>
. For me, it ends up a 
string
, which means you’ll have to JSON.parse it (and then cast that) to examine its contents. This seems to work for me:
Copy code
...
validateResource: validateResourceOfType(aws.s3.BucketPolicy, (policy, args, reportViolation) => {
    const policyDoc = JSON.parse(policy.policy as string) as UnwrappedObject<aws.iam.PolicyDocument>;

    const violations = policyDoc.Statement
        .filter(statement => statement.Principal === "*");

    if (violations.length > 0) {
        reportViolation("Hey -- don't do that.");
    }
}),
...
👍 2
There may well be a more elegant way to do this, but hopefully this’ll at least work for ya. 🤞
l

little-cartoon-10569

04/08/2022, 12:28 AM
I think aws,iam.PolicyDocument should be an implicit cast-with-marshalling thanks to some Pulumi magic.. if not, then maybe an issue should be raised? It works in Role and other places that use PolicyDocuments.
m

miniature-musician-31262

04/08/2022, 12:30 AM
That may well be, too. Here’s what I see, at least, in my IDE:
I haven’t used PAC much, though — if this is different from the norm, then yeah maybe an issue should be filed. It definitely doesn’t feel quite right though I agree.
I must be looking at the wrong thing. 🤔 When I 
validateResourceOfType(aws.iam.Role…)
, I see the same thing — 
role
is an 
UnwrappedObject
, and 
role.assumeRolePolicy
is a 
string | UnwrappedObject
as well:
l

little-cartoon-10569

04/08/2022, 1:01 AM
And you can't just cast it to an aws.iam.PolicyDocument? Darn. That'd be nice...
m

miniature-musician-31262

04/08/2022, 3:36 AM
Yeah, I agree. I’ll see if I can file something to consider for this one. Thanks!
b

busy-dentist-99842

04/08/2022, 12:34 PM
@little-cartoon-10569 and @miniature-musician-31262 Thanks for the help. We appreciate it. We also discovered that it always comes in as a 
string
and we can do the parsing @miniature-musician-31262 suggested. Thanks again.
Powered by