Control: Lambda permissions should restrict service permission by source account or source arn

powerpipe control run terraform_aws_compliance.control.lambda_permission_restricted_service_permission

powerpipe login
powerpipe control run terraform_aws_compliance.control.lambda_permission_restricted_service_permission --share

select
  address as resource,
  split_part((attributes_std ->> 'principal'), '.', 2),
  case
    when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3)= 'com') then 'info'
    when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws'
      and split_part((attributes_std ->> 'principal'), '.', 3)= 'com'
      and ((attributes_std -> 'source_arn') is not null
        or (attributes_std -> 'source_account') is not null ) then 'ok'
    else 'alarm'
  end as status,
  split_part(address, '.', 2) || case
    when not (split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws' and split_part((attributes_std ->> 'principal'), '.', 3) = 'com') then ' principal not set as service'
    when split_part((attributes_std ->> 'principal'), '.', 2) = 'amazonaws'
      and split_part((attributes_std ->> 'principal'), '.', 3)= 'com'
      and ((attributes_std -> 'source_arn') is not null
        or (attributes_std -> 'source_account') is not null ) then ' permissions to AWS services restricted by SourceArn or SourceAccount'
    else  ' permissions to AWS services not restricted by SourceArn or SourceAccount'
  end || '.' as reason
  , path || ':' || start_line
from
  terraform_resource
where
  type = 'aws_lambda_permission';