From 195b041cd52cc015250422ebc853e062fbd8d90d Mon Sep 17 00:00:00 2001
From: Doug Neal
Date: Thu, 8 Dec 2016 15:16:40 +0000
Subject: [PATCH] Validate `effect` in aws_iam_policy_document data source (#10608)

AWS allows only the case-sensitive strings `Allow` and `Deny` to appear in the `Effect` fields of IAM policy documents. Catch deviations from this, including mis-casing, before hitting the API and generating an error (the error is a generic 400 and doesn't indicate what part of the policy doc is invalid).
---
 .../aws/data_source_aws_iam_policy_document.go | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/builtin/providers/aws/data_source_aws_iam_policy_document.go b/builtin/providers/aws/data_source_aws_iam_policy_document.go
index 5bea111eec..2366ae4bc7 100644
--- a/builtin/providers/aws/data_source_aws_iam_policy_document.go
+++ b/builtin/providers/aws/data_source_aws_iam_policy_document.go
@@ -1,6 +1,8 @@
 package aws

 import (
+ "fmt"
+
 "encoding/json"
 "strings"

@@ -41,6 +43,15 @@ func dataSourceAwsIamPolicyDocument() *schema.Resource {
 Type: schema.TypeString,
 Optional: true,
 Default: "Allow",
+ ValidateFunc: func(v interface{}, k string) (ws []string, es []error) {
+ switch v.(string) {
+ case "Allow", "Deny":
+ return
+ default:
+ es = append(es, fmt.Errorf("%q must be either \"Allow\" or \"Deny\"", k))
+ return
+ }
+ },
 },
 "actions": setOfString,
 "not_actions": setOfString,
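Review bot: The new `"fmt"` import in the first hunk sits in a group of its own, separated by a blank line from `"encoding/json"` and `"strings"`, although all three are standard-library packages. Putting it in the existing group in sorted order (`"encoding/json"`, `"fmt"`, `"strings"`) is what goimports would produce and drops the added blank line. The import block continues past the end of the hunk, so any third-party group below it is not visible here.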
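Review bot: The error built in the `default` branch of the new `ValidateFunc` names the key but not the rejected value, so a user who wrote `allow` still has to hunt for the mis-cased statement. Including the value makes the case-sensitivity problem visible at plan time: `es = append(es, fmt.Errorf("%q must be either \"Allow\" or \"Deny\", got %q", k, v))`. The diffstat lists only this one file, so the validator appears to ship without a test. A case that rejects `allow` and `DENY` while accepting `Allow` and `Deny` would pin the intended behaviour. The enclosing `dataSourceAwsIamPolicyDocument` starts and ends outside the hunk.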