From f1f5ae0d5a44be4284b357e7a73c450b268e6cb9 Mon Sep 17 00:00:00 2001 From: Matt Sladen Date: Mon, 5 Sep 2022 17:15:42 +0100 Subject: [PATCH 1/4] Handle bool value in condition when importing json policy --- .../iam/policy_document_data_source_test.go | 81 +++++++++++++++++++ internal/service/iam/policy_model.go | 3 + 2 files changed, 84 insertions(+) diff --git a/internal/service/iam/policy_document_data_source_test.go b/internal/service/iam/policy_document_data_source_test.go index 8d0c27b99f3..ada503c9bea 100644 --- a/internal/service/iam/policy_document_data_source_test.go +++ b/internal/service/iam/policy_document_data_source_test.go @@ -50,6 +50,24 @@ func TestAccIAMPolicyDocumentDataSource_singleConditionValue(t *testing.T) { }) } +func TestAccIAMPolicyDocumentDataSource_conditionWithBoolValue(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { acctest.PreCheck(t) }, + ErrorCheck: acctest.ErrorCheck(t, iam.EndpointsID), + ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories, + Steps: []resource.TestStep{ + { + Config: testAccPolicyDocumentConfig_conditionWithBoolValue, + Check: resource.ComposeTestCheckFunc( + acctest.CheckResourceAttrEquivalentJSON("data.aws_iam_policy_document.test", "json", + testAccPolicyDocumentConfig_conditionWithBoolValue_expectedJson, + ), + ), + }, + }, + }) +} + func TestAccIAMPolicyDocumentDataSource_source(t *testing.T) { // This really ought to be able to be a unit test rather than an // acceptance test, but just instantiating the AWS provider requires @@ -1222,6 +1240,69 @@ data "aws_iam_policy_document" "test" { } ` +const testAccPolicyDocumentConfig_conditionWithBoolValue = ` +data "aws_iam_policy_document" "test" { + source_policy_documents = [< Date: Tue, 6 Sep 2022 15:14:59 -0400 Subject: [PATCH 2/4] Add CHANGELOG entry. --- .changelog/26657.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 .changelog/26657.txt 
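Review bot: TestAccIAMPolicyDocumentDataSource_conditionWithBoolValue has a single step and, judging by the expected document shown later in this series, pins only one boolean, `"aws:ResourceTag/SpecialTag": "false"` under `Null`. A Condition value that is dropped or rendered differently changes what the resulting IAM policy allows, so a second case for `true` and one for a boolean inside a list value would be worth adding next to this one. The config constant and the policy_model.go change are not visible in this view, so whether those shapes already work is unconfirmed. A short comment above the function would also help, e.g. `// Verifies that a Boolean Condition value from source_policy_documents is kept and rendered as a JSON string.`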
diff --git a/.changelog/26657.txt b/.changelog/26657.txt new file mode 100644 index 00000000000..8e9bff5987f --- /dev/null +++ b/.changelog/26657.txt @@ -0,0 +1,3 @@ +```release-note:bug + data-source/aws_iam_policy_document: Correctly handle unquoted Boolean value in `Condition` +``` \ No newline at end of file From 287bc8ab4abe409f28856e4bd7683facf6c09528 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Tue, 6 Sep 2022 15:33:32 -0400 Subject: [PATCH 3/4] Fix providerlint 'AWSAT005: avoid hardcoded ARN AWS partitions, use aws_partition data source'. --- .changelog/26657.txt | 2 +- internal/service/iam/policy_document_data_source_test.go | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.changelog/26657.txt b/.changelog/26657.txt index 8e9bff5987f..c02902da67b 100644 --- a/.changelog/26657.txt +++ b/.changelog/26657.txt @@ -1,3 +1,3 @@ ```release-note:bug - data-source/aws_iam_policy_document: Correctly handle unquoted Boolean value in `Condition` + data-source/aws_iam_policy_document: Correctly handle unquoted Boolean values in `Condition` ``` \ No newline at end of file diff --git a/internal/service/iam/policy_document_data_source_test.go b/internal/service/iam/policy_document_data_source_test.go index ada503c9bea..abe048b6057 100644 --- a/internal/service/iam/policy_document_data_source_test.go +++ b/internal/service/iam/policy_document_data_source_test.go @@ -1241,6 +1241,8 @@ data "aws_iam_policy_document" "test" { ` const testAccPolicyDocumentConfig_conditionWithBoolValue = ` +data "aws_partition" "current" {} + data "aws_iam_policy_document" "test" { source_policy_documents = [< Date: Tue, 6 Sep 2022 15:37:45 -0400 Subject: [PATCH 4/4] Fix semgrep 'ci.caps2-in-const-name'. --- .../service/iam/policy_document_data_source_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/internal/service/iam/policy_document_data_source_test.go b/internal/service/iam/policy_document_data_source_test.go index abe048b6057..15f28441783 100644 --- a/internal/service/iam/policy_document_data_source_test.go +++ b/internal/service/iam/policy_document_data_source_test.go @@ -60,7 +60,7 @@ func TestAccIAMPolicyDocumentDataSource_conditionWithBoolValue(t *testing.T) { Config: testAccPolicyDocumentConfig_conditionWithBoolValue, Check: resource.ComposeTestCheckFunc( acctest.CheckResourceAttrEquivalentJSON("data.aws_iam_policy_document.test", "json", - testAccPolicyDocumentConfig_conditionWithBoolValue_expectedJson, + testAccPolicyDocumentConditionWithBoolValueExpectedJSON(), ), ), }, @@ -1275,8 +1275,8 @@ EOF } ` -const testAccPolicyDocumentConfig_conditionWithBoolValue_expectedJson = ` -{ +func testAccPolicyDocumentConditionWithBoolValueExpectedJSON() string { + return fmt.Sprintf(`{ "Version": "2012-10-17", "Statement": [ { @@ -1286,7 +1286,7 @@ const testAccPolicyDocumentConfig_conditionWithBoolValue_expectedJson = ` "ec2:CreateTags", "ec2:DeleteTags" ], - "Resource": "arn:aws:ec2:*:*:vpc/*", + "Resource": "arn:%[1]s:ec2:*:*:vpc/*", "Condition": { "Null": { "aws:ResourceTag/SpecialTag": "false" @@ -1296,14 +1296,14 @@ const testAccPolicyDocumentConfig_conditionWithBoolValue_expectedJson = ` "123456" ], "aws:PrincipalArn": [ - "arn:aws:iam::*:role/AWSAFTExecution" + "arn:%[1]s:iam::*:role/AWSAFTExecution" ] } } } ] + }`, acctest.Partition()) } -` func testAccPolicyDocumentExpectedJSONStatementPrincipalIdentifiersStringAndSlice() string { return fmt.Sprintf(`{
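Review bot: testAccPolicyDocumentConditionWithBoolValueExpectedJSON, introduced in the hunk at -1275, has no doc comment even though the whole JSON fixture is now a fmt.Sprintf format string. Say so above the function, e.g. `// testAccPolicyDocumentConditionWithBoolValueExpectedJSON returns the expected policy JSON; %[1]s is the ARN partition, and a literal percent sign must be written as %%.`, so a later edit to the fixture does not break the expected document with a stray verb. The name also places `ExpectedJSON` last, whereas the neighbouring helper in the final hunk's context is `testAccPolicyDocumentExpectedJSONStatementPrincipalIdentifiersStringAndSlice`; following that order would keep the helpers grouped. The function body spans the hunks at -1275, -1286 and -1296.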