Merge pull request #40562 from hashicorp/add-validation-for-iam-polic…

…y-document-sid add validation for iam policy document sid
hashicorp · Dec 13, 2024 · 83bf679 · 83bf679
2 parents 43dfec0 + d716a3d
commit 83bf679
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 2 deletions.
diff --git a/.changelog/40562.txt b/.changelog/40562.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+data-source/aws_iam_policy_document: Add plan-time validation that the `statement` `sid` is valid, including on alphanumeric characters
+```
diff --git a/internal/service/iam/policy_document_data_source.go b/internal/service/iam/policy_document_data_source.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/YakDriver/regexache"
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
@@ -143,8 +144,9 @@ func dataSourcePolicyDocument() *schema.Resource {
 							"principals":        principalsSchema(),
 							names.AttrResources: setOfStringSchema(),
 							"sid": {
-								Type:     schema.TypeString,
-								Optional: true,
+								Type:         schema.TypeString,
+								Optional:     true,
+								ValidateFunc: validation.StringMatch(regexache.MustCompile(`^[a-zA-Z0-9]*$`), "must only include alphanumeric characters"),
 							},
 						},
 					},

diff --git a/internal/service/iam/policy_document_data_source_test.go b/internal/service/iam/policy_document_data_source_test.go
@@ -236,6 +236,21 @@ func TestAccIAMPolicyDocumentDataSource_overrideList(t *testing.T) {
 	})
 }
 
+func TestAccIAMPolicyDocumentDataSource_validateSid(t *testing.T) {
+	ctx := acctest.Context(t)
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck:                 func() { acctest.PreCheck(ctx, t) },
+		ErrorCheck:               acctest.ErrorCheck(t, names.IAMServiceID),
+		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccPolicyDocumentDataSourceConfig_invalidSid,
+				ExpectError: regexache.MustCompile(`must only include alphanumeric characters`),
+			},
+		},
+	})
+}
+
 func TestAccIAMPolicyDocumentDataSource_noStatementMerge(t *testing.T) {
 	ctx := acctest.Context(t)
 	resource.ParallelTest(t, resource.TestCase{
@@ -1022,6 +1037,18 @@ data "aws_iam_policy_document" "test_source_conflicting" {
 }
 `
 
+var testAccPolicyDocumentDataSourceConfig_invalidSid = `
+data "aws_iam_policy_document" "test" {
+  statement {
+    sid = "Invalid_SID"
+    actions = [
+      "s3:ListAllMyBuckets",
+      "s3:GetBucketLocation",
+    ]
+  }
+}
+`
+
 var testAccPolicyDocumentSourceConflictingExpectedJSON = `{
   "Version": "2012-10-17",
   "Statement": [