Merge pull request #1493 from snyk/feat/add_aws_iam_group_policy_attachment

Add `aws iam group policy attachment`

pkg/iac/terraform/state/terraform_state_reader_test.go

@@ -131,6 +131,7 @@ func TestTerraformStateReader_AWS_Resources(t *testing.T) {
 		{name: "IAM role policy attachment", dirName: "aws_iam_role_policy_attachment", wantErr: false},
 		{name: "IAM user policy attachment", dirName: "aws_iam_user_policy_attachment", wantErr: false},
 		{name: "IAM group policy", dirName: "aws_iam_group_policy", wantErr: false},
+		{name: "IAM group policy attachment", dirName: "aws_iam_group_policy_attachment", wantErr: false},
 		{name: "VPC security group rule", dirName: "aws_vpc_security_group_rule", wantErr: false},
 		{name: "route table", dirName: "aws_route_table", wantErr: false},
 		{name: "route table associations", dirName: "aws_route_assoc", wantErr: false},

pkg/iac/terraform/state/test/aws_iam_group_policy_attachment/results.golden.json

@@ -0,0 +1,11 @@
+[
+ {
+  "Id": "test-group-20220509135152620300000001",
+  "Type": "aws_iam_group_policy_attachment",
+  "Attrs": {
+   "group": "test-group",
+   "id": "test-group-20220509135152620300000001",
+   "policy_arn": "arn:aws:iam::929327065333:policy/test-policy"
+  }
+ }
+]

pkg/iac/terraform/state/test/aws_iam_group_policy_attachment/terraform.tfstate

@@ -0,0 +1,31 @@
+{
+  "version": 4,
+  "terraform_version": "1.1.6",
+  "serial": 37,
+  "lineage": "f4b4fc7c-0808-f110-3f67-fe15e7daec97",
+  "outputs": {},
+  "resources": [
+    {
+      "mode": "managed",
+      "type": "aws_iam_group_policy_attachment",
+      "name": "test-attach",
+      "provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
+      "instances": [
+        {
+          "schema_version": 0,
+          "attributes": {
+            "group": "test-group",
+            "id": "test-group-20220509135152620300000001",
+            "policy_arn": "arn:aws:iam::929327065333:policy/test-policy"
+          },
+          "sensitive_attributes": [],
+          "private": "bnVsbA==",
+          "dependencies": [
+            "aws_iam_group.group",
+            "aws_iam_policy.policy"
+          ]
+        }
+      ]
+    }
+  ]
+}

pkg/middlewares/aws_iam_policy_attachement_transformer.go

@@ -31,7 +31,8 @@ func (m IamPolicyAttachmentTransformer) transform(resources *[]*resource.Resourc
 	var newResources []*resource.Resource
 	for _, res := range *resources {
 		if res.ResourceType() != aws.AwsIamUserPolicyAttachmentResourceType &&
-			res.ResourceType() != aws.AwsIamRolePolicyAttachmentResourceType {
+			res.ResourceType() != aws.AwsIamRolePolicyAttachmentResourceType &&
+			res.ResourceType() != aws.AwsIamGroupPolicyAttachmentResourceType {
 			newResources = append(newResources, res)
 			continue
 		}
@@ -67,6 +68,22 @@ func (m IamPolicyAttachmentTransformer) transform(resources *[]*resource.Resourc
 			newResources = append(newResources, policyAttachment)
 			continue
 		}
+
+		if res.ResourceType() == aws.AwsIamGroupPolicyAttachmentResourceType {
+			attrs := *res.Attributes()
+			policyAttachmentData := resource.Attributes{
+				"id":         res.ResourceId(),
+				"policy_arn": attrs["policy_arn"],
+				"users":      []interface{}{},
+				"groups":     []interface{}{attrs["group"]},
+				"roles":      []interface{}{},
+			}
+
+			policyAttachment := m.resourceFactory.CreateAbstractResource(aws.AwsIamPolicyAttachmentResourceType, res.ResourceId(), policyAttachmentData)
+
+			newResources = append(newResources, policyAttachment)
+			continue
+		}
 	}
 	return newResources
 }

pkg/middlewares/aws_iam_policy_attachement_transformer_test.go

@@ -201,6 +201,95 @@ func TestIamPolicyAttachmentTransformer_Execute(t *testing.T) {
 				}, nil)
 			},
 		},
+		{
+			name: "transform group_policy_attachment",
+			args: argRes{
+				RemoteResources: &[]*resource.Resource{
+					{
+						Id:   "id1",
+						Type: aws.AwsIamGroupPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"policy_arn": "policy_arn1",
+							"group":      "group1",
+						},
+					},
+				},
+				ResourcesFromState: &[]*resource.Resource{
+					{
+						Id:   "id2",
+						Type: aws.AwsIamGroupPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"policy_arn": "policy_arn2",
+							"group":      "group2",
+						},
+					},
+				},
+			},
+			expected: argRes{
+				RemoteResources: &[]*resource.Resource{
+					{
+						Id:   "id1",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"id":         "id1",
+							"policy_arn": "policy_arn1",
+							"users":      []interface{}{},
+							"groups":     []interface{}{"group1"},
+							"roles":      []interface{}{},
+						},
+					},
+				},
+				ResourcesFromState: &[]*resource.Resource{
+					{
+						Id:   "id2",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"id":         "id2",
+							"policy_arn": "policy_arn2",
+							"users":      []interface{}{},
+							"groups":     []interface{}{"group2"},
+							"roles":      []interface{}{},
+						},
+					},
+				},
+			},
+			mocks: func(factory *terraform.MockResourceFactory) {
+				factory.On("CreateAbstractResource", aws.AwsIamPolicyAttachmentResourceType, "id1", map[string]interface{}{
+					"id":         "id1",
+					"policy_arn": "policy_arn1",
+					"users":      []interface{}{},
+					"groups":     []interface{}{"group1"},
+					"roles":      []interface{}{},
+				}).Once().Return(&resource.Resource{
+					Id:   "id1",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+					Attrs: &resource.Attributes{
+						"id":         "id1",
+						"policy_arn": "policy_arn1",
+						"users":      []interface{}{},
+						"groups":     []interface{}{"group1"},
+						"roles":      []interface{}{},
+					},
+				}, nil)
+				factory.On("CreateAbstractResource", aws.AwsIamPolicyAttachmentResourceType, "id2", map[string]interface{}{
+					"id":         "id2",
+					"policy_arn": "policy_arn2",
+					"users":      []interface{}{},
+					"groups":     []interface{}{"group2"},
+					"roles":      []interface{}{},
+				}).Once().Return(&resource.Resource{
+					Id:   "id2",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+					Attrs: &resource.Attributes{
+						"id":         "id2",
+						"policy_arn": "policy_arn2",
+						"users":      []interface{}{},
+						"groups":     []interface{}{"group2"},
+						"roles":      []interface{}{},
+					},
+				}, nil)
+			},
+		},
 		{
 			name: "transform nothing",
 			args: argRes{

pkg/middlewares/iam_policy_attachment_expander.go

@@ -80,5 +80,20 @@ func (m IamPolicyAttachmentExpander) expand(policyAttachment *resource.Resource)
 		)
 		newResources = append(newResources, newAttachment)
 	}
+
+	groups := policyAttachment.Attrs.GetSlice("groups")
+	// we create one attachment per group
+	for _, group := range groups {
+		group := group.(string)
+		newAttachment := m.resourceFactory.CreateAbstractResource(
+			resourceaws.AwsIamPolicyAttachmentResourceType,
+			fmt.Sprintf("%s-%s", group, (*policyAttachment.Attrs)["policy_arn"]),
+			map[string]interface{}{
+				"policy_arn": *policyAttachment.Attrs.GetString("policy_arn"),
+				"groups":     []interface{}{group},
+			},
+		)
+		newResources = append(newResources, newAttachment)
+	}
 	return newResources
 }

pkg/middlewares/iam_policy_attachment_expander_test.go

@@ -345,6 +345,166 @@ func TestIamPolicyAttachmentExpander_Execute(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "Split Groups and ReId",
+			mocks: func(factory *terraform.MockResourceFactory) {
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group1-arn",
+					map[string]interface{}{
+						"policy_arn": "arn",
+						"groups":     []interface{}{"group1"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group1-arn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group2-arn",
+					map[string]interface{}{
+						"policy_arn": "arn",
+						"groups":     []interface{}{"group2"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group2-arn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"foobar-arn",
+					map[string]interface{}{
+						"policy_arn": "arn",
+						"groups":     []interface{}{"foobar"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "foobar-arn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group1-thisisarn",
+					map[string]interface{}{
+						"policy_arn": "thisisarn",
+						"groups":     []interface{}{"group1"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group1-thisisarn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group2-thisisarn",
+					map[string]interface{}{
+						"policy_arn": "thisisarn",
+						"groups":     []interface{}{"group2"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group2-thisisarn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group3-thisisarn",
+					map[string]interface{}{
+						"policy_arn": "thisisarn",
+						"groups":     []interface{}{"group3"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group3-thisisarn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+				factory.On(
+					"CreateAbstractResource",
+					aws.AwsIamPolicyAttachmentResourceType,
+					"group1-fromstatearn",
+					map[string]interface{}{
+						"policy_arn": "fromstatearn",
+						"groups":     []interface{}{"group1"},
+					},
+				).Once().Return(&resource.Resource{
+					Id:   "group1-fromstatearn",
+					Type: aws.AwsIamPolicyAttachmentResourceType,
+				})
+			},
+			args: struct {
+				RemoteResources    *[]*resource.Resource
+				ResourcesFromState *[]*resource.Resource
+			}{
+				RemoteResources: &[]*resource.Resource{
+					{
+						Id:   "wrongId",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"policy_arn": "arn",
+							"groups":     []interface{}{"group1", "group2", "foobar"},
+						},
+					},
+					{
+						Id:   "wrongId2",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"policy_arn": "thisisarn",
+							"groups":     []interface{}{"group1", "group2", "group3"},
+						},
+					},
+				},
+				ResourcesFromState: &[]*resource.Resource{
+					{
+						Id:   "wrongId",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+						Attrs: &resource.Attributes{
+							"policy_arn": "fromstatearn",
+							"groups":     []interface{}{"group1"},
+						},
+					},
+				},
+			},
+			expected: struct {
+				RemoteResources    *[]*resource.Resource
+				ResourcesFromState *[]*resource.Resource
+			}{
+				RemoteResources: &[]*resource.Resource{
+					{
+						Id:   "group1-arn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+					{
+						Id:   "group2-arn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+					{
+						Id:   "foobar-arn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+					{
+						Id:   "group1-thisisarn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+					{
+						Id:   "group2-thisisarn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+					{
+						Id:   "group3-thisisarn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+				},
+				ResourcesFromState: &[]*resource.Resource{
+					{
+						Id:   "group1-fromstatearn",
+						Type: aws.AwsIamPolicyAttachmentResourceType,
+					},
+				},
+			},
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

pkg/remote/aws/iam_group_policy_attachment_enumerator.go

@@ -0,0 +1,56 @@
+package aws
+
+import (
+	"fmt"
+
+	"github.com/snyk/driftctl/pkg/remote/aws/repository"
+	remoteerror "github.com/snyk/driftctl/pkg/remote/error"
+	"github.com/snyk/driftctl/pkg/resource"
+	resourceaws "github.com/snyk/driftctl/pkg/resource/aws"
+)
+
+type IamGroupPolicyAttachmentEnumerator struct {
+	repository repository.IAMRepository
+	factory    resource.ResourceFactory
+}
+
+func NewIamGroupPolicyAttachmentEnumerator(repository repository.IAMRepository, factory resource.ResourceFactory) *IamGroupPolicyAttachmentEnumerator {
+	return &IamGroupPolicyAttachmentEnumerator{
+		repository,
+		factory,
+	}
+}
+
+func (e *IamGroupPolicyAttachmentEnumerator) SupportedType() resource.ResourceType {
+	return resourceaws.AwsIamGroupPolicyAttachmentResourceType
+}
+
+func (e *IamGroupPolicyAttachmentEnumerator) Enumerate() ([]*resource.Resource, error) {
+	groups, err := e.repository.ListAllGroups()
+	if err != nil {
+		return nil, remoteerror.NewResourceListingErrorWithType(err, string(e.SupportedType()), resourceaws.AwsIamGroupResourceType)
+	}
+
+	results := make([]*resource.Resource, 0)
+
+	policyAttachments, err := e.repository.ListAllGroupPolicyAttachments(groups)
+	if err != nil {
+		return nil, remoteerror.NewResourceListingError(err, string(e.SupportedType()))
+	}
+
+	for _, attachedPol := range policyAttachments {
+		results = append(
+			results,
+			e.factory.CreateAbstractResource(
+				string(e.SupportedType()),
+				fmt.Sprintf("%s-%s", *attachedPol.PolicyName, attachedPol.GroupName),
+				map[string]interface{}{
+					"group":      attachedPol.GroupName,
+					"policy_arn": *attachedPol.PolicyArn,
+				},
+			),
+		)
+	}
+
+	return results, nil
+}

pkg/remote/aws/init.go

@@ -183,6 +183,7 @@ func Init(version string, alerter *alerter.Alerter,
 	remoteLibrary.AddDetailsFetcher(aws.AwsIamUserPolicyAttachmentResourceType, common.NewGenericDetailsFetcher(aws.AwsIamUserPolicyAttachmentResourceType, provider, deserializer))
 	remoteLibrary.AddEnumerator(NewIamGroupPolicyEnumerator(iamRepository, factory))
 	remoteLibrary.AddEnumerator(NewIamGroupEnumerator(iamRepository, factory))
+	remoteLibrary.AddEnumerator(NewIamGroupPolicyAttachmentEnumerator(iamRepository, factory))
 
 	remoteLibrary.AddEnumerator(NewECRRepositoryEnumerator(ecrRepository, factory))
 	remoteLibrary.AddDetailsFetcher(aws.AwsEcrRepositoryResourceType, common.NewGenericDetailsFetcher(aws.AwsEcrRepositoryResourceType, provider, deserializer))

pkg/remote/aws/repository/iam_repository.go

@@ -21,6 +21,7 @@ type IAMRepository interface {
 	ListAllUserPolicies([]*iam.User) ([]string, error)
 	ListAllGroups() ([]*iam.Group, error)
 	ListAllGroupPolicies([]*iam.Group) ([]string, error)
+	ListAllGroupPolicyAttachments([]*iam.Group) ([]*AttachedGroupPolicy, error)
 }
 
 type iamRepository struct {
@@ -311,6 +312,40 @@ func (r *iamRepository) ListAllGroupPolicies(groups []*iam.Group) ([]string, err
 	return resources, nil
 }
 
+func (r *iamRepository) ListAllGroupPolicyAttachments(groups []*iam.Group) ([]*AttachedGroupPolicy, error) {
+	var resources []*AttachedGroupPolicy
+	for _, group := range groups {
+		cacheKey := fmt.Sprintf("iamListAllGroupPolicyAttachments_%s", *group.GroupId)
+		if v := r.cache.Get(cacheKey); v != nil {
+			resources = append(resources, v.([]*AttachedGroupPolicy)...)
+			continue
+		}
+
+		attachedGroupPolicies := make([]*AttachedGroupPolicy, 0)
+		input := &iam.ListAttachedGroupPoliciesInput{
+			GroupName: group.GroupName,
+		}
+		err := r.client.ListAttachedGroupPoliciesPages(input, func(res *iam.ListAttachedGroupPoliciesOutput, lastPage bool) bool {
+			for _, policy := range res.AttachedPolicies {
+				p := *policy
+				attachedGroupPolicies = append(attachedGroupPolicies, &AttachedGroupPolicy{
+					AttachedPolicy: p,
+					GroupName:      *input.GroupName,
+				})
+			}
+			return !lastPage
+		})
+		if err != nil {
+			return nil, err
+		}
+
+		r.cache.Put(cacheKey, attachedGroupPolicies)
+		resources = append(resources, attachedGroupPolicies...)
+	}
+
+	return resources, nil
+}
+
 type AttachedUserPolicy struct {
 	iam.AttachedPolicy
 	UserName string
@@ -321,6 +356,11 @@ type AttachedRolePolicy struct {
 	RoleName string
 }
 
+type AttachedGroupPolicy struct {
+	iam.AttachedPolicy
+	GroupName string
+}
+
 type RolePolicy struct {
 	Policy   string
 	RoleName string

pkg/remote/aws/repository/mock_IAMRepository.go

@@ -58,6 +58,29 @@ func (_m *MockIAMRepository) ListAllGroupPolicies(_a0 []*iam.Group) ([]string, e
 	return r0, r1
 }
 
+// ListAllGroupPolicyAttachments provides a mock function with given fields: _a0
+func (_m *MockIAMRepository) ListAllGroupPolicyAttachments(_a0 []*iam.Group) ([]*AttachedGroupPolicy, error) {
+	ret := _m.Called(_a0)
+
+	var r0 []*AttachedGroupPolicy
+	if rf, ok := ret.Get(0).(func([]*iam.Group) []*AttachedGroupPolicy); ok {
+		r0 = rf(_a0)
+	} else {
+		if ret.Get(0) != nil {
+			r0 = ret.Get(0).([]*AttachedGroupPolicy)
+		}
+	}
+
+	var r1 error
+	if rf, ok := ret.Get(1).(func([]*iam.Group) error); ok {
+		r1 = rf(_a0)
+	} else {
+		r1 = ret.Error(1)
+	}
+
+	return r0, r1
+}
+
 // ListAllGroups provides a mock function with given fields:
 func (_m *MockIAMRepository) ListAllGroups() ([]*iam.Group, error) {
 	ret := _m.Called()

pkg/resource/aws/aws_iam_group_policy_attachment.go

@@ -0,0 +1,3 @@
+package aws
+
+const AwsIamGroupPolicyAttachmentResourceType = "aws_iam_group_policy_attachment"

pkg/resource/aws/aws_iam_group_policy_attachment_test.go

@@ -0,0 +1,31 @@
+package aws_test
+
+import (
+	"testing"
+
+	"github.com/snyk/driftctl/test"
+	"github.com/snyk/driftctl/test/acceptance"
+)
+
+func TestAcc_Aws_IamGroupPolicyAttachment(t *testing.T) {
+	acceptance.Run(t, acceptance.AccTestCase{
+		TerraformVersion: "0.15.5",
+		Paths:            []string{"./testdata/acc/aws_iam_group_policy_attachment"},
+		Args:             []string{"scan", "--filter", "starts_with(Id, 'test-acc-group')"},
+		Checks: []acceptance.AccCheck{
+			{
+				Env: map[string]string{
+					"AWS_REGION": "us-east-1",
+				},
+				Check: func(result *test.ScanResult, stdout string, err error) {
+					if err != nil {
+						t.Fatal(err)
+					}
+					result.AssertInfrastructureIsInSync()
+					result.AssertManagedCount(1)
+					result.Equal("aws_iam_policy_attachment", result.Analysis.Managed()[0].Type)
+				},
+			},
+		},
+	})
+}

pkg/resource/aws/metadata_test.go

@@ -73,6 +73,7 @@ func TestAWS_Metadata_Flags(t *testing.T) {
 		AwsIamUserPolicyResourceType:                   {resource.FlagDeepMode},
 		AwsIamUserPolicyAttachmentResourceType:         {resource.FlagDeepMode},
 		AwsIamGroupPolicyResourceType:                  {},
+		AwsIamGroupPolicyAttachmentResourceType:        {},
 		AwsInstanceResourceType:                        {resource.FlagDeepMode},
 		AwsInternetGatewayResourceType:                 {resource.FlagDeepMode},
 		AwsKeyPairResourceType:                         {resource.FlagDeepMode},

pkg/resource/aws/testdata/acc/aws_iam_group_policy_attachment/.driftignore

@@ -0,0 +1,2 @@
+*
+!aws_iam_policy_attachment

pkg/resource/aws/testdata/acc/aws_iam_group_policy_attachment/.terraform.lock.hcl

@@ -0,0 +1,20 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "3.19.0"
+  constraints = "3.19.0"
+  hashes = [
+    "h1:+7Vi7p13+cnrxjXbfJiTimGSFR97xCaQwkkvWcreLns=",
+    "zh:185a5259153eb9ee4699d4be43b3d509386b473683392034319beee97d470c3b",
+    "zh:2d9a0a01f93e8d16539d835c02b8b6e1927b7685f4076e96cb07f7dd6944bc6c",
+    "zh:703f6da36b1b5f3497baa38fccaa7765fb8a2b6440344e4c97172516b49437dd",
+    "zh:770855565462abadbbddd98cb357d2f1a8f30f68a358cb37cbd5c072cb15b377",
+    "zh:8008db43149fe4345301f81e15e6d9ddb47aa5e7a31648f9b290af96ad86e92a",
+    "zh:8cdd27d375da6dcb7687f1fed126b7c04efce1671066802ee876dbbc9c66ec79",
+    "zh:be22ae185005690d1a017c1b909e0d80ab567e239b4f06ecacdba85080667c1c",
+    "zh:d2d02e72dbd80f607636cd6237a6c862897caabc635c7b50c0cb243d11246723",
+    "zh:d8f125b66a1eda2555c0f9bbdf12036a5f8d073499a22ca9e4812b68067fea31",
+    "zh:f5a98024c64d5d2973ff15b093725a074c0cb4afde07ef32c542e69f17ac90bc",
+  ]
+}

pkg/resource/aws/testdata/acc/aws_iam_group_policy_attachment/terraform.tf

@@ -0,0 +1,35 @@
+provider "aws" {
+    region = "us-east-1"
+}
+
+terraform {
+    required_providers {
+        aws = "3.19.0"
+    }
+}
+
+resource "aws_iam_group" "group" {
+    name = "test-acc-group"
+}
+
+resource "aws_iam_policy" "policy" {
+    name        = "test-policy"
+    description = "A test policy"
+        policy = jsonencode({
+            Version = "2012-10-17"
+            Statement = [
+                {
+                    Action = [
+                        "ec2:Describe*",
+                    ]
+                    Effect   = "Allow"
+                    Resource = "*"
+                },
+            ]
+        })
+}
+
+resource "aws_iam_group_policy_attachment" "test-attach" {
+    group      = aws_iam_group.group.name
+    policy_arn = aws_iam_policy.policy.arn
+}

pkg/resource/resource_types.go

@@ -51,6 +51,9 @@ var supportedTypes = map[string]ResourceTypeMeta{
 	"aws_iam_role_policy_attachment": {children: []ResourceType{
 		"aws_iam_policy_attachment",
 	}},
+	"aws_iam_group_policy_attachment": {children: []ResourceType{
+		"aws_iam_policy_attachment",
+	}},
 	"aws_iam_user": {children: []ResourceType{
 		"aws_iam_user_policy",
 	}},