feat(rule): check values of service principals

Signed-off-by: Fred Myerscough <oniice@gmail.com>

Author: oniice

README.md

@@ -28,14 +28,16 @@ plugin "aws-meta" {
 
 ## Rules
 
-|Name|Description|Severity|Enabled|Link|
+|Name|Description|Severity|Enabled By Default|Link|
 | --- | --- | --- | --- | --- |
-|aws_meta_hardcoded|Validates that there are no hardcoded AWS regions or partitions in ARN values across all resource types|WARNING|✔|[docs](docs/rules.md#aws_meta_hardcoded)|
-|aws_iam_role_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM role policy documents|WARNING||[docs](docs/rules.md#aws_iam_role_policy_hardcoded_region)|
-|aws_iam_role_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM role policy documents|WARNING||[docs](docs/rules.md#aws_iam_role_policy_hardcoded_partition)|
-|aws_iam_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM policy documents|WARNING||[docs](docs/rules.md#aws_iam_policy_hardcoded_region)|
-|aws_iam_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM policy documents|WARNING||[docs](docs/rules.md#aws_iam_policy_hardcoded_partition)|
-|aws_provider_hardcoded_region|Validates that there are no hardcoded AWS regions in provider configuration|WARNING||[docs](docs/rules.md#aws_provider_hardcoded_region)|
+|aws_meta_hardcoded|Validates that there are no hardcoded AWS regions or partitions in ARN values across all resource types|WARNING|✅|[docs](docs/rules.md#aws_meta_hardcoded)|
+|aws_iam_role_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM role policy documents|WARNING|❌|[docs](docs/rules.md#aws_iam_role_policy_hardcoded_region)|
+|aws_iam_role_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM role policy documents|WARNING|❌|[docs](docs/rules.md#aws_iam_role_policy_hardcoded_partition)|
+|aws_iam_policy_hardcoded_region|Validates that there are no hardcoded AWS regions in IAM policy documents|WARNING|❌|[docs](docs/rules.md#aws_iam_policy_hardcoded_region)|
+|aws_iam_policy_hardcoded_partition|Validates that there are no hardcoded AWS partitions in IAM policy documents|WARNING|❌|[docs](docs/rules.md#aws_iam_policy_hardcoded_partition)|
+|aws_provider_hardcoded_region|Validates that there are no hardcoded AWS regions in provider configuration|WARNING|❌|[docs](docs/rules.md#aws_provider_hardcoded_region)|
+|aws_service_principal_hardcoded|Validates that service principals don't use hardcoded DNS suffixes (e.g., amazonaws.com)|WARNING|❌|[docs](docs/rules.md#aws_service_principal_hardcoded)|
+|aws_service_principal_dns_suffix|Validates that service principals don't use dns_suffix interpolation|WARNING|✅|[docs](docs/rules.md#aws_service_principal_dns_suffix)|
 
 For detailed examples and usage information, see the [Rule Details documentation](docs/rules.md).
 

examples/failing/.tflint.hcl

@@ -24,4 +24,13 @@ rule "aws_provider_hardcoded_region" {
 
 rule "aws_meta_hardcoded" {
   enabled = true
-}
+}
+
+
+rule "aws_service_principal_hardcoded" {
+  enabled = true
+}
+
+rule "aws_service_principal_dns_suffix" {
+  enabled = true
+}

examples/failing/main.tf

@@ -90,3 +90,94 @@ resource "aws_cloudwatch_event_target" "example" {
   rule = "my-rule"
   arn  = "arn:aws-cn:lambda:cn-north-1:123456789012:function:my-function"
 }
+
+# Get partition data
+data "aws_partition" "current" {}
+
+# IAM role with hardcoded service principal DNS suffix (potential future rule)
+resource "aws_iam_role" "service_principal_bad_hardcoded" {
+  name = "service-principal-bad-hardcoded"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "s3.amazonaws.com" # ❌ Hardcoded DNS suffix (should use data.aws_service_principal)
+      }
+    }]
+  })
+}
+
+# IAM role using dns_suffix (not best practice - potential future rule)
+resource "aws_iam_role" "service_principal_bad_dns_suffix" {
+  name = "service-principal-bad-dns-suffix"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "s3.${data.aws_partition.current.dns_suffix}"
+      }
+    }]
+  })
+}
+
+# IAM role with multiple hardcoded service principals (potential future rule)
+resource "aws_iam_role" "multi_service_principal_bad_hardcoded" {
+  name = "multi-service-bad-hardcoded"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = [
+          "lambda.amazonaws.com",
+          "ec2.amazonaws.com",
+          "ecs-tasks.amazonaws.com"
+        ]
+      }
+    }]
+  })
+}
+
+# IAM role with multiple service principals using dns_suffix (not best practice)
+resource "aws_iam_role" "multi_service_principal_bad_dns_suffix" {
+  name = "multi-service-bad-dns-suffix"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = [
+          "lambda.${data.aws_partition.current.dns_suffix}",
+          "ec2.${data.aws_partition.current.dns_suffix}",
+          "ecs-tasks.${data.aws_partition.current.dns_suffix}"
+        ]
+      }
+    }]
+  })
+}
+
+# IAM role with China partition hardcoded (potential future rule)
+resource "aws_iam_role" "china_service_principal_bad" {
+  name = "china-service-bad"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "lambda.amazonaws.com.cn"
+      }
+    }]
+  })
+}

examples/passing/.tflint.hcl

@@ -25,3 +25,11 @@ rule "aws_provider_hardcoded_region" {
 rule "aws_meta_hardcoded" {
   enabled = true
 }
+
+rule "aws_service_principal_hardcoded" {
+  enabled = true
+}
+
+rule "aws_service_principal_dns_suffix" {
+  enabled = true
+}

examples/passing/main.tf

@@ -14,13 +14,6 @@ terraform {
   }
 }
 
-# Use variables for region configuration
-variable "aws_region" {
-  description = "AWS region"
-  type        = string
-  # No default value to avoid hardcoding
-}
-
 # Use data sources to get current region and partition
 data "aws_region" "current" {}
 data "aws_partition" "current" {}
@@ -40,11 +33,25 @@ resource "random_id" "bucket_suffix" {
   byte_length = 4
 }
 
-# IAM role with dynamic ARN construction
+# Get service principal for EC2
+data "aws_service_principal" "ec2_for_role" {
+  service_name = "ec2"
+}
+
+# IAM role with dynamic service principal (best practice)
 resource "aws_iam_role" "example" {
   name = "example-role"
-  
-  assume_role_policy = "{\"Version\": \"2012-10-17\", \"Statement\": [{\"Action\": \"sts:AssumeRole\", \"Effect\": \"Allow\", \"Principal\": {\"Service\": \"ec2.amazonaws.com\"}}]}"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = data.aws_service_principal.ec2_for_role.name
+      }
+    }]
+  })
 }
 
 # IAM role policy with dynamic ARNs
@@ -65,12 +72,17 @@ resource "aws_iam_policy" "example" {
 data "aws_caller_identity" "current" {}
 
 
-# Lambda permission with dynamic ARN (best practice)
+# Get service principal for S3 (for Lambda permission)
+data "aws_service_principal" "s3_for_lambda" {
+  service_name = "s3"
+}
+
+# Lambda permission with dynamic ARN and service principal (best practice)
 resource "aws_lambda_permission" "example" {
   statement_id  = "AllowS3Invoke"
   action        = "lambda:InvokeFunction"
   function_name = "my-function"
-  principal     = "s3.amazonaws.com"
+  principal     = data.aws_service_principal.s3_for_lambda.name
   source_arn    = "arn:${data.aws_partition.current.partition}:s3:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:bucket/my-bucket"
 }
 
@@ -84,6 +96,7 @@ resource "aws_sns_topic_subscription" "example" {
 # KMS grant with dynamic ARN (best practice)
 resource "aws_kms_grant" "example" {
   name              = "my-grant"
+  operations        = ["Encrypt", "Decrypt", "GenerateDataKey"]
   key_id            = "arn:${data.aws_partition.current.partition}:kms:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:key/12345678-1234-1234-1234-123456789012"
   grantee_principal = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/my-role"
 }
@@ -93,3 +106,56 @@ resource "aws_cloudwatch_event_target" "example" {
   rule = "my-rule"
   arn  = "arn:${data.aws_partition.current.partition}:lambda:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:function:my-function"
 }
+
+# Get service principal names dynamically (best practice)
+data "aws_service_principal" "s3" {
+  service_name = "s3"
+}
+
+data "aws_service_principal" "lambda" {
+  service_name = "lambda"
+}
+
+data "aws_service_principal" "ec2" {
+  service_name = "ec2"
+}
+
+data "aws_service_principal" "ecs_tasks" {
+  service_name = "ecs-tasks"
+}
+
+# IAM role with service principal using data source (best practice)
+resource "aws_iam_role" "service_principal_example" {
+  name = "service-principal-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = data.aws_service_principal.s3.name
+      }
+    }]
+  })
+}
+
+# IAM role with multiple service principals using data sources (best practice)
+resource "aws_iam_role" "multi_service_principal" {
+  name = "multi-service-role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = [
+          data.aws_service_principal.lambda.name,
+          data.aws_service_principal.ec2.name,
+          data.aws_service_principal.ecs_tasks.name
+        ]
+      }
+    }]
+  })
+}

main.go

@@ -18,6 +18,8 @@ func main() {
 				rules.NewAwsIamPolicyHardcodedRegionRule(),
 				rules.NewAwsIamPolicyHardcodedPartitionRule(),
 				rules.NewAwsProviderHardcodedRegionRule(),
+				rules.NewAwsServicePrincipalHardcodedRule(),
+				rules.NewAwsServicePrincipalDNSSuffixRule(),
 			},
 		},
 	})