in tflint-ruleset-aws-serverless/rules/aws_iam_role_lambda_no_star.go [140:227]
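// Check walks every resource of type r.resourceType and reports inline
// policies that contain wildcard ("*") actions on roles whose assume-role
// policy names Lambda as a principal.
//
// Per resource, the flow is:
//  1. Decode only the attribute r.assumeAttrName and the blocks named
//     r.inlineBlockName; everything else on the resource is ignored.
//  2. r.assumeAttrName is mandatory. If it is missing the rule reports that
//     and skips the resource, because the principal cannot be determined.
//  3. r.matchPrincipal (defined elsewhere in this file) decides whether the
//     role is assumable by Lambda; other roles are out of scope here.
//  4. Each inline policy block is decoded for r.policyName. A block without
//     it is reported and the remaining blocks are STILL inspected (the
//     previous version returned from the whole resource at that point,
//     silently skipping any later inline policies on the same role).
//     Blocks for which r.matchStarAction reports a wildcard action are
//     flagged on the policy expression.
//
// Only inline policy blocks of the role resource are examined by this
// function; policies attached through separate resources are not seen here.
//
// Returns the first error from HCL decoding, from either matcher, or from
// issue emission; nil otherwise. Findings are emitted through runner and
// are not returned as errors.
func (r *AwsIamRoleLambdaNoStarRule) Check(runner tflint.Runner) error {
	return runner.WalkResources(r.resourceType, func(resource *configs.Resource) error {
		// PartialContent tolerates attributes/blocks outside the schema, so
		// unrelated role configuration does not produce decode errors.
		body, _, diags := resource.Config.PartialContent(&hcl.BodySchema{
			Blocks: []hcl.BlockHeaderSchema{
				{Type: r.inlineBlockName},
			},
			Attributes: []hcl.AttributeSchema{
				{Name: r.assumeAttrName},
			},
		})
		if diags.HasErrors() {
			return diags
		}

		assumeAttr, found := body.Attributes[r.assumeAttrName]
		if !found {
			// Mandatory attribute; without it the principal is unknown, so
			// report and stop for this resource. The emit error is
			// propagated rather than dropped.
			return runner.EmitIssue(
				r,
				fmt.Sprintf("\"%s\" is not present.", r.assumeAttrName),
				body.MissingItemRange,
			)
		}

		hasLambda, err := r.matchPrincipal(runner, assumeAttr)
		if err != nil {
			return err
		}
		if !hasLambda {
			// Not a Lambda-assumable role: wildcard actions are not this
			// rule's concern.
			return nil
		}

		for _, inlineBlock := range body.Blocks.OfType(r.inlineBlockName) {
			inlineBody, _, blockDiags := inlineBlock.Body.PartialContent(&hcl.BodySchema{
				Attributes: []hcl.AttributeSchema{
					{Name: r.policyName},
				},
			})
			if blockDiags.HasErrors() {
				return blockDiags
			}

			policyAttr, hasPolicy := inlineBody.Attributes[r.policyName]
			if !hasPolicy {
				// Mandatory attribute. Report it and move on to the next
				// inline block instead of abandoning the whole resource.
				if emitErr := runner.EmitIssue(
					r,
					fmt.Sprintf("\"%s\" is not present.", r.policyName),
					inlineBody.MissingItemRange,
				); emitErr != nil {
					return emitErr
				}
				continue
			}

			hasStar, err := r.matchStarAction(runner, policyAttr)
			if err != nil {
				return err
			}
			if !hasStar {
				continue
			}
			// Anchor the finding on the policy expression so the report
			// points at the offending document rather than the block.
			if emitErr := runner.EmitIssueOnExpr(
				r,
				"Inline policy for role with Lambda as principal has policy actions with stars.",
				policyAttr.Expr,
			); emitErr != nil {
				return emitErr
			}
		}
		return nil
	})
}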