contains should match substrings even in lists, more IAM rule cleanup…

… for Terraform

assertion/contains.go

@@ -10,6 +10,9 @@ func interfaceListContains(v []interface{}, key, value string) (MatchResult, err
 			if stringElement == value {
 				return matches()
 			}
+			if strings.Contains(stringElement, value) {
+				return matches()
+			}
 		}
 	}
 	return doesNotMatch("%v does not contain %v", key, value)
@@ -20,6 +23,9 @@ func stringListContains(v []string, key, value string) (MatchResult, error) {
 		if stringElement == value {
 			return matches()
 		}
+		if strings.Contains(stringElement, value) {
+			return matches()
+		}
 	}
 	return doesNotMatch("%v does not contain %v", key, value)
 }

assertion/contains_test.go

@@ -1,6 +1,7 @@
 package assertion
 
 import (
+	"github.com/stretchr/testify/assert"
 	"testing"
 )
 
@@ -21,3 +22,17 @@ func TestDoesNotContainWithNonJSONType(t *testing.T) {
 		t.Errorf("Expecting doesNotContain to return an error for non JSON encodable data")
 	}
 }
+
+func TestContainsWithString(t *testing.T) {
+	s := "s3:Get*"
+	match, err := contains(s, "Action", "*")
+	assert.Nil(t, err, "Expecting no error from contains")
+	assert.True(t, match.Match, "Expecting match for string")
+}
+
+func TestContainsWithSliceOfStrings(t *testing.T) {
+	s := []string{"s3:Get*"}
+	match, err := contains(s, "Action", "*")
+	assert.Nil(t, err, "Expecting no error from contains")
+	assert.True(t, match.Match, "Expecting match for string")
+}

assertion/match_test.go

@@ -67,15 +67,15 @@ func TestIsMatch(t *testing.T) {
 		"containsTrueForString":          {"Foo", "contains", "oo", "", true},
 		"containsFalseForString":         {"Foo", "contains", "aa", "", false},
 		"containsTrueForSlice":           {sliceOfTags, "contains", "Bar", "", true},
-		"containsFalseForSubstring":      {sliceOfTags, "contains", "oo", "", false},
+		"containsFalseForSubstring":      {sliceOfTags, "contains", "abc", "", false},
 		"containsTrueForSliceOfStrings":  {stringSlice, "contains", "One", "", true},
 		"containsFalseForSliceOfStrings": {stringSlice, "contains", "Three", "", false},
 		"containsTrueForInt":             {1, "contains", "1", "", true},
 		"containsFalseForInt":            {1, "contains", "One", "", false},
 		"notContainsFalseForString":      {"Foo", "does-not-contain", "oo", "", false},
 		"notContainsTrueForString":       {"Foo", "does-not-contain", "aa", "", true},
 		"notContainsFalseForSlice":       {sliceOfTags, "does-not-contain", "Bar", "", false},
-		"notContainsTrueForSubstring":    {sliceOfTags, "does-not-contain", "oo", "", true},
+		"notContainsTrueForSubstring":    {sliceOfTags, "does-not-contain", "abc", "", true},
 		"regexTrueForEndOfString":        {"Foo", "regex", "o$", "", true},
 		"regexFalseForEndOfString":       {"Bar", "regex", "o$", "", false},
 		"regExTrueForBeginningOfString":  {"Foo", "regex", "^F", "", true},

cli/assets/terraform.yml

@@ -275,6 +275,24 @@ rules:
       - iam
       - policy
 
+  - id: IAM_POLICY_WILDCARD_RESOURCE
+    message: Should not use wildcard resource in IAM policy
+    resource: aws_iam_policy
+    severity: WARNING
+    assertions:
+      - none:
+          key: policy.Statement[]
+          expressions:
+            - key: Effect
+              op: eq
+              value: Allow
+            - key: Resource
+              op: contains
+              value: "*"
+    tags:
+      - iam
+      - policy
+
   - id: ELB_ACCESS_LOGGING
     message: ELB should enable access logging
     resource: aws_elb
@@ -478,7 +496,7 @@ rules:
       - iam
 
   - id: IAM_USER_POLICY_ATTACHMENT
-    message: IAM should not have policies attached (make user a member of a group instead)
+    message: IAM user should not have policies attached (make user a member of a group instead)
     resource: aws_iam_user_policy_attachment
     severity: FAILURE
     assertions: