Checkov - checking array values within an attribute


I am looking for the operator logic to check values in an array (Terraform). Has anyone tackled a similar problem and found a solution?

The resource is like this:

resource "google_project_iam_binding" "my_project_iam_bigquery_dataviewer" {
  provider = google.my-project
  project  = "my-project"
  role     = "roles/bigquery.admin"
  members = [
    "group:[email protected]",
    "group:[email protected]"
  ]
}

I have tried adding a * (like with lists) to the attribute, but without success:

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "members.*"
          operator: "starting_with"
          value: "group"

Otherwise, my thought was an operator that knows to iterate over the array:

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "members"
          operator: "iterate_array.starting_with"
          value: "group"

Edit: this is how the Python custom policy checks each value of the members array: https://github.com/bridgecrewio/checkov/blob/HEAD/checkov/terraform/checks/resource/gcp/ArtifactRegistryPrivateRepo.py#L34-L42

For context: if I were to check the value of an attribute that isn't an array, i.e. member in a resource:

resource "google_project_iam_binding" "my_project_iam_bigquery_dataviewer" {
  provider = google.my-project
  project  = "my-project"
  role     = "roles/bigquery.admin"
  member = "group:[email protected]"
}

I can (and do) use this YAML:

        - cond_type: "attribute"
          resource_types:
            - "google_project_iam_member"
            - "google_project_iam_binding"
          attribute: "member"
          operator: "starting_with"
          value: "group"

I cannot find a way to do the same check for members.

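The following is an added example, not code from the question or from the Checkov project. It takes the route the question's edit points at (a custom Python check that walks the list itself, like the linked ArtifactRegistryPrivateRepo.py) and fails a `google_project_iam_binding` or `google_project_iam_member` whose `members` entries (or single `member`) do not all start with `group:`. It assumes Checkov's usual shape for `scan_resource_conf` input, where each Terraform attribute value is wrapped in a one-element list, so a list attribute arrives as a list inside a list. The class name, check ID and the sample principals are invented for the example, and when Checkov is not installed the script falls back to small stand-in base classes so the logic can still be run offline.

```python
from __future__ import annotations

from typing import Any

try:
    # Real Checkov base classes, used when Checkov is installed.
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
except ImportError:
    # Offline stand-ins (assumption: same constructor shape as Checkov's) so the
    # check logic below can be exercised without Checkov on the path.
    from enum import Enum

    class CheckResult(Enum):  # type: ignore[no-redef]
        PASSED = "PASSED"
        FAILED = "FAILED"
        UNKNOWN = "UNKNOWN"

    class CheckCategories(Enum):  # type: ignore[no-redef]
        IAM = "IAM"

    class BaseResourceCheck:  # type: ignore[no-redef]
        def __init__(self, name: str, id: str, categories: list, supported_resources: list) -> None:
            self.name, self.id = name, id
            self.categories, self.supported_resources = categories, supported_resources


ALLOWED_PREFIX = "group:"


def iam_principals(conf: dict[str, Any]) -> list[str]:
    """Return every principal granted by the block, from `members` (list) or `member` (string).

    Assumption about Checkov's input shape: each attribute value is wrapped in a
    one-element list, so `member = "x"` arrives as ["x"] and `members = ["x", "y"]`
    arrives as [["x", "y"]]. Anything that is not a plain string is skipped, not judged.
    """
    if "members" in conf:
        wrapped = conf["members"]
        entries = wrapped[0] if wrapped and isinstance(wrapped[0], list) else wrapped
    elif "member" in conf:
        entries = conf["member"]
    else:
        entries = []
    return [e for e in entries if isinstance(e, str)]


def offending_principals(conf: dict[str, Any]) -> list[str]:
    """Principals that are not groups; a non-empty result means the resource should fail."""
    return [p for p in iam_principals(conf) if not p.startswith(ALLOWED_PREFIX)]


class GcpIamOnlyGroups(BaseResourceCheck):
    """Custom check: every principal in a GCP project IAM member/binding must be a group."""

    def __init__(self) -> None:
        super().__init__(
            name="Ensure GCP project IAM roles are granted only to groups",
            id="CKV_EXAMPLE_GCP_IAM_GROUPS",  # invented ID for this example
            categories=[CheckCategories.IAM],
            supported_resources=["google_project_iam_member", "google_project_iam_binding"],
        )

    def scan_resource_conf(self, conf: dict[str, Any]) -> CheckResult:
        if not iam_principals(conf):
            return CheckResult.UNKNOWN  # nothing resolvable to judge
        return CheckResult.FAILED if offending_principals(conf) else CheckResult.PASSED


# Checkov discovers a custom check through a module-level `check` instance.
check = GcpIamOnlyGroups()


def evaluate(conf: dict[str, Any]) -> str:
    """Return the verdict name ("PASSED", "FAILED" or "UNKNOWN") for a parsed resource."""
    return check.scan_resource_conf(conf).name


# Constructed sample configs in the wrapped shape described above (not real project data).
BINDING_ALL_GROUPS = {
    "project": ["my-project"],
    "role": ["roles/bigquery.admin"],
    "members": [["group:data-admins@example.com", "group:data-viewers@example.com"]],
}
BINDING_WITH_USER = {
    "project": ["my-project"],
    "role": ["roles/bigquery.admin"],
    "members": [["group:data-admins@example.com", "user:alice@example.com"]],
}
MEMBER_SINGLE = {
    "project": ["my-project"],
    "role": ["roles/bigquery.dataViewer"],
    "member": ["serviceAccount:ci@my-project.iam.gserviceaccount.com"],
}

if __name__ == "__main__":
    for label, conf in [("binding, groups only", BINDING_ALL_GROUPS),
                        ("binding, user present", BINDING_WITH_USER),
                        ("member, service account", MEMBER_SINGLE)]:
        print(f"{label}: {evaluate(conf)} offenders={offending_principals(conf)}")
```

Run it with `checkov -d . --external-checks-dir <dir containing this file>` once Checkov is installed; the same module runs stand-alone to show the three verdicts. Returning UNKNOWN rather than PASSED when no string principal is present keeps a block whose members are entirely unresolved references from silently passing.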