[TechDebt]: Review wildcard usage in IAM role trust policies for acceptance tests #45139

@jar-b

Description

@jar-b

Description

We should review any instances where the trust policy of an IAM role provisioned via an acceptance test includes a Principal with a wildcard (*). These broad permissions may not be necessary for the functionality of the test and could be scoped to something smaller.

A short list of files to review:

% rg -l "\"AWS\"\: \"\*\"" $(rg -l "\"Principal\"" internal/service/**/*_test.go) | sort
internal/service/appintegrations/data_integration_test.go
internal/service/autoscaling/lifecycle_hook_test.go
internal/service/cloudformation/stack_test.go
internal/service/codebuild/report_group_test.go
internal/service/cognitoidp/user_pool_test.go
internal/service/configservice/delivery_channel_test.go
internal/service/dlm/lifecycle_policy_test.go
internal/service/docdb/cluster_instance_test.go
internal/service/docdb/cluster_test.go
internal/service/ec2/ebs_volume_test.go
internal/service/ec2/ec2_launch_template_test.go
internal/service/ec2/vpc_endpoint_policy_test.go
internal/service/ec2/vpc_endpoint_test.go
internal/service/ecs/service_test.go
internal/service/efs/file_system_policy_test.go
internal/service/elastictranscoder/pipeline_test.go
internal/service/glacier/vault_test.go
internal/service/glue/data_catalog_encryption_settings_test.go
internal/service/glue/resource_policy_test.go
internal/service/iam/policy_document_data_source_test.go
internal/service/iam/policy_model_test.go
internal/service/kinesis/stream_data_source_test.go
internal/service/kinesis/stream_test.go
internal/service/lambda/event_source_mapping_test.go
internal/service/lambda/function_test.go
internal/service/logs/group_test.go
internal/service/mwaa/environment_test.go
internal/service/neptune/cluster_instance_test.go
internal/service/redshift/cluster_data_source_test.go
internal/service/redshift/cluster_test.go
internal/service/sagemaker/notebook_instance_test.go
internal/service/secretsmanager/secret_data_source_test.go
internal/service/secretsmanager/secret_policy_test.go
internal/service/securitylake/data_lake_test.go
internal/service/sns/topic_test.go
internal/service/storagegateway/cached_iscsi_volume_test.go
internal/service/storagegateway/stored_iscsi_volume_test.go
internal/service/timestreamwrite/database_data_source_test.go
internal/service/timestreamwrite/database_test.go
internal/service/xray/encryption_config_test.go

Important Facts and References

No response

Would you like to implement a relevant change?

No
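As an added example (not code from the provider or from this issue), the check below parses a trust policy document and reports the Allow statements whose Principal is a wildcard, which is the condition the rg search above approximates textually. It covers the bare "*" form and "*" given under "AWS" as a string or inside a list, and assumes Statement is a JSON array; the sample document is constructed for the example.

```go
package main

import "encoding/json"

// Statement keeps only the fields needed to inspect a statement's Principal element.
type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"` // "*" or an object such as {"AWS": "*"}
}
// SampleTrustPolicy is constructed for this example: statement 0 trusts every AWS principal, 1 only EC2.
const SampleTrustPolicy = `{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Principal":{"AWS":"*"},"Action":"sts:AssumeRole"},
 {"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}`

// principalIsWildcard reports whether Principal is the bare "*" or names "*" under "AWS" (string or list).
func principalIsWildcard(raw json.RawMessage) bool {
	var s string
	if json.Unmarshal(raw, &s) == nil {
		return s == "*"
	}
	var obj struct{ AWS interface{} }
	_ = json.Unmarshal(raw, &obj) // a non-object Principal leaves AWS nil, i.e. no wildcard
	switch v := obj.AWS.(type) {
	case string:
		return v == "*"
	case []interface{}:
		for _, p := range v {
			if p == "*" {
				return true
			}
		}
	}
	return false
}

// WildcardPrincipals parses a trust policy and returns the index of every Allow statement with a wildcard Principal.
func WildcardPrincipals(doc string) ([]int, error) {
	var pd struct{ Statement []Statement }
	if err := json.Unmarshal([]byte(doc), &pd); err != nil {
		return nil, err
	}
	var found []int
	for i, st := range pd.Statement {
		if st.Effect == "Allow" && principalIsWildcard(st.Principal) {
			found = append(found, i)
		}
	}
	return found, nil
}
```

Service principals such as ec2.amazonaws.com are not flagged, so a test fixture scoped to the service that actually assumes the role passes the check.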

Labels: technical-debt (Addresses areas of the codebase that need refactoring or redesign.), tests (PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.)