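# Sentinel policy: fail the plan when a managed IAM policy document grants
# administrative access, i.e. an IAM statement shaped like
#   Effect: Allow, Action: "*" (or "<service>:*"), Resource: "*"
# The wildcard action/resource pair is what makes such a statement dangerous.
#
# The actual "is this admin access?" decision is delegated to
# modules.prevent_admin_access(action, resource) from "module-functions", which
# returns false when the (action, resource) pair is considered an admin grant.
# Which wildcard spellings it rejects ("*", "*:*", "iam:*", ...) is defined in
# that module, not here - confirm there before relying on this policy.
#
# Known gaps (not covered here): statements written with NotAction/NotResource
# are never handed to the helper and so are never counted; policies attached by
# ARN (aws_iam_policy_attachment, managed_policy_arns) are out of scope because
# only the inline `policy` attribute of the resource types below is inspected.

import "tfplan-functions" as plan
import "tfplan/v2" as tfplan
import "json"
import "types"
import "module-functions" as modules

# Not referenced by this policy; retained because the wildcard decision lives
# in modules.prevent_admin_access, not in this list.
forbidden = ["*"]

# Terraform resource types whose `policy` attribute is an inline JSON document.
policy_resource_types = [
	"aws_iam_policy",
	"aws_iam_role_policy",
	"aws_iam_user_policy",
	"aws_iam_group_policy",
]

# Planned actions for which change.after holds a document to inspect.
# Deletions are deliberately excluded: change.after is null for them.
inspected_actions = ["create", "update", "read", "no-op"]

# Keep only IAM policy resources that have a post-apply state to look at.
# The explicit grouping matters: `and` binds tighter than `or`, so a flat
# "type or type or type and action" chain applies the action filter to the
# last resource type only, and a deleted aws_iam_policy would reach the JSON
# parsing below with a null document.
iam_policy_types = filter tfplan.resource_changes as _, rc {
	policy_resource_types contains rc.type and
	any inspected_actions as action {
		rc.change.actions contains action
	}
}

# IAM allows Statement, Action and Resource to be either a single value or a
# list. Normalise to a list so every element gets inspected; null/undefined
# become an empty list.
as_list = func(v) {
	kind = types.type_of(v)
	if kind is "list" {
		return v
	}
	if kind is "undefined" or kind is "null" {
		return []
	}
	return [v]
}

# True when one IAM statement grants admin access according to the shared
# helper. Only Allow statements grant anything: a Deny carrying wildcards is a
# restriction, not a grant, and must not be counted as admin access. Every
# action is checked against every resource, not just the first of each, so
# Action: ["s3:GetObject", "*"] is caught as well.
statement_grants_admin = func(stmt) {
	if (stmt["Effect"] else "") is not "Allow" {
		return false
	}
	actions = as_list(stmt["Action"] else [])
	resources = as_list(stmt["Resource"] else [])
	for actions as action {
		for resources as resource {
			if modules.prevent_admin_access(action, resource) is false {
				return true
			}
		}
	}
	return false
}

administrative_policies = 0
unknown_policies = 0

for iam_policy_types as address, rc {
	# A document built from values only known after apply cannot be inspected
	# at plan time. Fail closed instead of letting it through silently.
	# NOTE(review): assumes tfplan/v2 lists unknown attributes in
	# change.after_unknown keyed by attribute name - confirm against the docs.
	unknown_attrs = rc.change.after_unknown else {}
	if keys(unknown_attrs) contains "policy" {
		print(address, "has a policy that is not known until apply; it cannot be verified")
		unknown_policies += 1
		continue
	}

	# json.unmarshal errors on a malformed document, which aborts the policy;
	# that is the intended fail-closed behaviour for an unparsable policy.
	document = json.unmarshal(rc.change.after.policy)
	statements = as_list(document["Statement"] else [])

	# Count each policy once, but look at every statement in it: a wildcard
	# grant in the second or later statement is just as much admin access.
	grants_admin = any statements as stmt {
		statement_grants_admin(stmt)
	}
	if grants_admin {
		print(rc.change.after.name else address, "allows admin access to all resources")
		administrative_policies += 1
	}
}

print("here is the end result")
print("there are", administrative_policies, "full administrative policies")
print("there are", unknown_policies, "policies that could not be inspected at plan time")

# Fail closed: a detected admin grant or an uninspectable policy fails the plan.
main = rule {
	administrative_policies is 0 and unknown_policies is 0
}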