Validate SecretsManager secret policy document size (#6)

thinkinglabs · Aug 25, 2024 · ef00e04 · ef00e04
1 parent 8613834
commit ef00e04
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/src/policy/policy.ts b/src/policy/policy.ts
@@ -79,6 +79,9 @@ export class PolicyDocument {
       if (policyType === PolicyType.S3 && doc.length > 20*1024) {
         errors.push(`The size of an S3 bucket policy document (${doc.length}) should not exceed 20kB.`);
       }
+      if (policyType === PolicyType.SecretsManager && doc.length > 20*1024) {
+        errors.push(`The size of a SecretsManager secret policy document (${doc.length}) should not exceed 20kB.`);
+      }
     }
     return errors;
   }

diff --git a/tests/policy/policy.spec.ts b/tests/policy/policy.spec.ts
@@ -313,4 +313,22 @@ describe('#PolicyDocument', function() {
       ]);
     });
   });
+
+  describe('SecretsManager secret policy document longer than 20kB', function() {
+    const policy = new PolicyDocument();
+    for (let i = 1; i < 154; i++) {
+      policy.addStatements(new Statement({
+        sid: '' + i,
+        principals: [new RolePrincipal('123456789000', 'a_role')],
+        actions: ['action'],
+        resources: ['resource'],
+      }));
+    }
+    it('should be invalid', function() {
+      const errors = policy.validate(PolicyType.SecretsManager);
+      expect(errors).to.deep.equal([
+        'The size of a SecretsManager secret policy document (20585) should not exceed 20kB.',
+      ]);
+    });
+  });
 });