feat(tflint): lambda no star rule

docs/rules/index.md

@@ -18,7 +18,7 @@ An __Info__{: class="badge badge-blue" } level means that this does not necessar
 | __Warning__{: class="badge badge-yellow" } | [Lambda Tracing](lambda/tracing.md)                                 | WS1000   | aws_lambda_function_tracing_rule |
 | __Error__{: class="badge badge-red" }      | [EventSourceMapping Failure Destination](lambda/eventsourcemapping_failure_destination.md) | ES1001   | aws_lambda_event_source_mapping_failure_destination |
 | __Warning__{: class="badge badge-yellow" } | [Lambda Permission Multiple Principals](lambda/permission_multiple_principals.md) | WS1002   | aws_lambda_permission_multiple_principals |
-| __Warning__{: class="badge badge-yellow" } | [Lambda Star Permissions](lambda/star_permissions.md)               | WS1003   |_Not implemented_|
+| __Warning__{: class="badge badge-yellow" } | [Lambda Star Permissions](lambda/star_permissions.md)               | WS1003   | aws_iam_role_lambda_no_star |
 | __Warning__{: class="badge badge-yellow" } | [Lambda Log Retention](lambda/log_retention.md)                     | WS1004   |_Not implemented_|
 | __Error__{: class="badge badge-red" }      | [Lambda Default Memory Size](lambda/default_memory_size.md)         | ES1005   | aws_lambda_function_default_memory |
 | __Error__{: class="badge badge-red" }      | [Lambda Default Timeout](lambda/default_timeout.md)                 | ES1006   | aws_lambda_function_default_timeout |

docs/rules/lambda/end_of_life_runtime.md

@@ -15,6 +15,7 @@ __tflint__: aws_lambda_function_eol_runtime
 Managed Lambda runtimes for .zip file archives are built around a combination of operating system, programming language, and software libraries that are subject to maintenance and security updates. When security updates are no longer available for a component of a runtime, Lambda deprecates the runtime.
 
 !!! info
+
     This rule is implemented natively in `cfn-lint` as rule number __E2531__.
 
 ## Implementations

docs/rules/lambda/star_permissions.md

@@ -9,16 +9,108 @@ __Initial version__: 0.1.3
 __cfn-lint__: WS1003
 {: class="badge" }
 
-__tflint__: _Not implemented_
+__tflint__: aws_iam_role_lambda_no_star
 {: class="badge" }
 
  With Lambda functions, you should follow least-privileged access and only allow the access needed to perform a given operation. Attaching a role with more permissions than necessary can open up your systems for abuse.
 
+??? warning "Limitations on policies"
+
+    This rule only works with inline policies defined as part of the IAM role resource. It will not check managed policies or policies defined as separate resources.
+
+    === "CloudFormation"
+
+        ```yaml
+        Resources:
+          MyRole:
+            Type: AWS::IAM::Role
+            Properties:
+              AssumeRolePolicyDocument:
+                Version: "2012-10-17"
+                Statement:
+                  - Effect: Allow
+                    Principal:
+                      Service:
+                        - lambda.amazonaws.com
+                    Action:
+                      - sts:AssumeRole
+              # The rule will check this policy
+              Policies:
+                - PolicyName: root
+                  PolicyDocument:
+                    Version: "2012-10-17"
+                    Statement:
+                      - Effect: Allow
+                        Action: dynamodb:Query
+                        Resource: "*"
+
+          # It will not check this policy
+          MyPolicy:
+            Type: AWS::IAM::Policy
+            Properties:
+              PolicyDocument:
+                Version: "2012-10-17"
+                    Statement:
+                      - Effect: Allow
+                        Action: dynamodb:*
+                        Resource: "*"
+              Roles:
+                - !GetAtt MyRole.Arn
+        ```
+
+    === "Terraform"
+
+        ```tf
+        resource "aws_iam_role" "this" {
+          name = "my-function-role"
+          assume_role_policy = data.aws_iam_policy_document.assume.json
+
+          # The rule will check this policy
+          inline_policy {
+            name = "FunctionPolicy"
+            policy = data.aws_iam_policy_document.valid.json
+          }
+        }
+
+        # It will not check this policy
+        resource "aws_iam_policy" "this" {
+          policy = data.aws_iam_policy_document.invalid.json
+        }
+
+        resource "aws_iam_policy_attachment" "this" {
+          roles = [aws_iam_role.this.name]
+          policy_arn = aws_iam_policy.this.arn
+        }
+
+        data "aws_iam_policy_document" "assume" {
+          statement {
+            actions = ["sts:AssumeRole"]
+            principals {
+              type       = "Service"
+              identifiers = ["lambda.amazonaws.com"]
+            }
+          }
+        }
+
+        data "aws_iam_policy_document" "valid" {
+          statement {
+            actions = ["dynamodb:Query"]
+            resources = ["arn:aws:dynamodb:eu-west-1:111122223333:table/my-table"]
+          }
+        }
+
+        data "aws_iam_policy_document" "invalid" {
+          statement {
+            actions = ["dynamodb:*"]
+            resources = ["*"]
+          }
+        }
+        ```
+
 ## Why is this a warning?
 
 If your Lambda function needs a broad range of permissions, you do not know ahead of time which permissions you will need, and you have evaluated the risks of using broad permissions for this function, you might ignore this rule.
 
-
 ## Implementations
 
 === "CDK"
@@ -119,7 +211,7 @@ If your Lambda function needs a broad range of permissions, you do not know ahea
               # instead of 's3:*' or '*'
               Action: s3:GetObject
               Resource: "arn:aws:s3:::my-bucket/*"
-        
+
     functions:
       hello:
         handler: handler.hello

tflint-ruleset-aws-serverless/Makefile

@@ -9,12 +9,7 @@ lint: format
 test:
 	go test ./...
 
-pr: lint test
-ifneq ($(shell grep -oP "^\t+New[A-Za-z0-9]+\(\)," rules/provider.go | wc -l), $(shell grep -oP "^func New[A-Za-z0-9]+\(\)" rules/* | wc -l))
-	$(error Mismatch in rule count ($(shell grep -oP "^\t+New[A-Za-z0-9]+\(\)," rules/provider.go | wc -l) vs $(shell grep -oP "^func New[A-Za-z0-9]+\(\)" rules/* | wc -l)) - check rules/provider.go)
-else
-	$(info Match in rule count)
-endif
+pr: lint test check-rules
 
 build:
 	go build
@@ -23,6 +18,15 @@ install: build
 	mkdir -p ~/.tflint.d/plugins
 	mv ./tflint-ruleset-template ~/.tflint.d/plugins
 
+# Check if the number of rules in provider.go corresponds to the total number of rules
+check-rules:
+ifneq ($(shell grep -oP "^\t+New[A-Za-z0-9]+\(\)," rules/provider.go | wc -l), $(shell grep -oP "^func New[A-Za-z0-9]+\(\)" rules/* | wc -l))
+	$(error Mismatch in rule count ($(shell grep -oP "^\t+New[A-Za-z0-9]+\(\)," rules/provider.go | wc -l) vs $(shell grep -oP "^func New[A-Za-z0-9]+\(\)" rules/* | wc -l)) - check rules/provider.go)
+else
+	$(info Match in rule count)
+endif
+
+# Create a new rule
 add-rule:
 ifeq ($(RULE_NAME),)
 	$(error Missing RULE_NAME environment variable)
@@ -31,4 +35,8 @@ ifeq ($(RULE_NAME_CC),)
 	$(error Missing RULE_NAME_CC environment variable)
 endif
 	gomplate -f templates/rule.go.tmpl -o rules/$(RULE_NAME).go
-	gomplate -f templates/rule_test.go.tmpl -o rules/$(RULE_NAME)_test.go
+	gomplate -f templates/rule_test.go.tmpl -o rules/$(RULE_NAME)_test.go
+
+# List all the rules for provider.go
+list-rules:
+	grep -ohE 'func New[^\(]+\(\)' rules/* | sed 's/func //' | sed 's/$$/,/' | sort