rule: aws_iam_policy_includes_effect

[jamiekt]

I just had terraform apply fail on me and the root cause was that a statement in a aws_iam_policy resource didn't contain Effect. The error was

Missing Effect: Add an Effect element to the policy statement with a value of Allow or Deny

Rather annoyingly I could only get this error message from the AWS console. All I got from terraform apply was

Error: error updating IAM policy arn:aws:iam::9876543210:policy/name: MalformedPolicyDocument: Syntax errors in policy.

If tflint could warn me about such a thing then it would have saved me oodles of lost time here.

[kadu-vido]

Oh man, +1M -- if this was possible it would save me so much time going through failed applies because someone forgot part of a statement.

[jamiekt]

I notice there is a aws_iam_policy_invalid_policy rule (see README > sdk-based-validations) which is Enabled by default however it didn't catch my problem above. Does anyone know what this rule considers to be an invalid policy?

---

UPDATE. Looks as though that rule doesn't check that Effect element exists, see code.

[bendrucker]

The aws_iam_policy_invalid_policy rule is a very simple rule generated from the SDK:

https://github.com/aws/aws-sdk-ruby/blob/a4fa679416677717ae303b297e0039f32e096a0e/apis/iam/2010-05-08/api-2.json#L6346-L6351

In general I'd say most users should be using the policy document data source to reduce errors:

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document

If someone wanted to contribute a rule that further validates the policy document, we could accept that. That said, it would probably need to rely on something from the AWS Go SDK and not try to implement validation from scratch.

[jamiekt]

Ok good feedback, thanks Ben

[bendrucker]

In essence aws_iam_policy_invalid_policy is just asserting that the length is less than 131072. The pattern is virtually useless.