Merge pull request #26640 from mtt88/validate-invalid-json

Add validation to on aws_iam_policy_document source_policy_documents
hashicorp · Sep 7, 2022 · 4d44ff5 · 4d44ff5
2 parents 1aad3f4 + df075ee
commit 4d44ff5
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/.changelog/26640.txt b/.changelog/26640.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ data-source/aws_iam_policy_document: Prevent crash when `source_policy_documents` contains empty or invalid JSON documents
+```
diff --git a/internal/service/iam/policy_document_data_source.go b/internal/service/iam/policy_document_data_source.go
@@ -54,7 +54,10 @@ func DataSourcePolicyDocument() *schema.Resource {
 			"source_policy_documents": {
 				Type:     schema.TypeList,
 				Optional: true,
-				Elem:     &schema.Schema{Type: schema.TypeString},
+				Elem: &schema.Schema{
+					Type:         schema.TypeString,
+					ValidateFunc: validation.StringIsJSON,
+				},
 			},
 			"statement": {
 				Type:     schema.TypeList,
@@ -136,6 +139,10 @@ func dataSourcePolicyDocumentRead(d *schema.ResourceData, meta interface{}) erro
 
 		// merge sourceDocs in order specified
 		for sourceJSONIndex, sourceJSON := range v.([]interface{}) {
+			if sourceJSON == nil {
+				continue
+			}
+
 			sourceDoc := &IAMPolicyDoc{}
 			if err := json.Unmarshal([]byte(sourceJSON.(string)), sourceDoc); err != nil {
 				return err

diff --git a/internal/service/iam/policy_document_data_source_test.go b/internal/service/iam/policy_document_data_source_test.go
@@ -241,6 +241,28 @@ func TestAccIAMPolicyDocumentDataSource_duplicateSid(t *testing.T) {
 	})
 }
 
+func TestAccIAMPolicyDocumentDataSource_sourcePolicyValidJSON(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(t) },
+		ErrorCheck:               acctest.ErrorCheck(t, iam.EndpointsID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccPolicyDocumentDataSourceConfig_invalidJSON,
+				ExpectError: regexp.MustCompile(`"source_policy_documents.0" contains an invalid JSON: unexpected end of JSON input`),
+			},
+			{
+				Config: testAccPolicyDocumentDataSourceConfig_emptyString,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.aws_iam_policy_document.test", "json",
+						testAccPolicyDocumentExpectedJSONNoStatement,
+					),
+				),
+			},
+		},
+	})
+}
+
 // Reference: https://github.com/hashicorp/terraform-provider-aws/issues/10777
 func TestAccIAMPolicyDocumentDataSource_StatementPrincipalIdentifiers_stringAndSlice(t *testing.T) {
 	dataSourceName := "data.aws_iam_policy_document.test"
@@ -1360,6 +1382,22 @@ data "aws_iam_policy_document" "test" {
 }
 `
 
+var testAccPolicyDocumentDataSourceConfig_emptyString = `
+data "aws_iam_policy_document" "test" {
+  source_policy_documents = [""]
+}
+`
+
+var testAccPolicyDocumentDataSourceConfig_invalidJSON = `
+data "aws_iam_policy_document" "test" {
+  source_policy_documents = ["{"]
+}
+`
+
+var testAccPolicyDocumentExpectedJSONNoStatement = `{
+  "Version": "2012-10-17"
+}`
+
 func testAccPolicyDocumentExpectedJSONStatementPrincipalIdentifiersMultiplePrincipals() string {
 	return fmt.Sprintf(`{
   "Version": "2012-10-17",

diff --git a/internal/service/iam/policy_model.go b/internal/service/iam/policy_model.go
@@ -14,7 +14,7 @@ const (
 type IAMPolicyDoc struct {
 	Version    string                `json:",omitempty"`
 	Id         string                `json:",omitempty"`
-	Statements []*IAMPolicyStatement `json:"Statement"`
+	Statements []*IAMPolicyStatement `json:"Statement,omitempty"`
 }
 
 type IAMPolicyStatement struct {