feat(terraform): add expanded actions to Terraform AWS IAM resources

[gruebel]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

• added a new metadata field extensions to support features, which modifies on how the graph checks work
• added the extension IAM_ACTION_EXPANSION to expand wildcard IAM actions in AWS resources

Now it is possible to check for precise AWS IAM actions, even when the resource is using wildcards, ex.

check

metadata:
  name: "Ensure CreateRole and CreatePolicy are not used"
  id: "CKV2_CUSTOM_1"
  category: "IAM"
  extensions:
    - IAM_ACTION_EXPANSION
definition:
  or:
    - cond_type: "attribute"
      resource_types:
        - "data.aws_iam_policy_document"
      attribute: "statement[?(@.effect == Allow)].actions[*]"
      operator: "jsonpath_not_within"
      value:
       - "iam:CreatePolicy"
       - "iam:CreateRole"

resource

data "aws_iam_policy_document" "example" {
  statement {
    sid    = "Example"
    effect = "Allow"

    actions = [
      "iam:*",
      "ec2:*",
    ]
  }
}

result

Check: CKV2_CUSTOM_1: "Ensure something important"
	FAILED for resource: aws_iam_policy_document.example
	File: /main.tf:199-209

		199 | data "aws_iam_policy_document" "example" {
		200 |   statement {
		201 |     sid    = "Example"
		202 |     effect = "Allow"
		203 | 
		204 |     actions = [
		205 |       "iam:*",
		206 |       "ec2:*",
		207 |     ]
		208 |   }
		209 | }

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my feature, policy, or fix is effective and works
• New and existing tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[tsmithv11]

Suggested change

	The following policy will fail, when `iam:CreatePolicy` or `iam:CreateRole` is used in `aws_iam_policy_document` data block by exact name or via wildcards.
	The following policy will fail if iam:CreatePolicy or iam:CreateRole are used directly or through wildcards (e.g., iam:* or iam:Create*) in the aws_iam_policy_document data block.

[tsmithv11]

Suggested change

	extensions:
	- IAM_ACTION_EXPANSION
	extensions: # Optional as IAM_ACTION_EXPANSION is enabled by default
	- IAM_ACTION_EXPANSION

[tsmithv11]

WDYT about making it the inverse logic for this flag? IAM Action Expansion is always on unless you use extension: DISABLE_IAM_ACTION_EXPANSION?

[tsmithv11]

Suggested change

	By enabling the IAM_ACTION_EXPANSION extension additional data is added to the `Action` field of AWS Terraform resources.
	Every action with a `*` wildcard will be expanded to the actual actions to give the possibility to query easily for precise permission names.
	By enabling the IAM_ACTION_EXPANSION extension, additional data is added to the `Action` field of AWS Terraform resources. Every action with a `*` wildcard will be expanded to the actual actions, making it easier to query for specific permission names.

[stale]

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!

[stale]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

[pazbechor]

@gruebel
Closing this one as conflicts exists & inactivity :)
Open it in the future if it's still relevant!