
Proposal: Policy validator for Vault #2851

Open
petems opened this issue Jun 13, 2017 · 4 comments
Labels
community-sentiment Tracking high-profile issues from the community core/policy enhancement
Milestone

Comments

@petems
Contributor

petems commented Jun 13, 2017

This is a proposal of a CLI helper to validate policies written in HCL or JSON for Vault.

It seems to make sense to copy how this works for Nomad or Terraform:

The vault validate command is used to validate the syntax of policy files. Vault performs a syntax check on all the policy files in the directory, and will display an error if any of the files doesn't validate.
This command does not check formatting (e.g. tabs vs spaces, newlines, comments etc.).
The following can be reported:
invalid HCL syntax (e.g. missing trailing quote or equal sign)
invalid HCL references (e.g. variable name or attribute which doesn't exist)
same policy declared multiple times

@jefferai jefferai added this to the not-scheduled milestone Jun 14, 2017
@avoidik
Contributor

avoidik commented Jul 6, 2018

When you're applying your policy it is being validated, and an exit code is returned by Vault. What if you delete this policy on success and raise the valid flag to true, otherwise to false?

@ncabatoff
Collaborator

I wonder if hclfmt would do the trick here?

@heatherezell heatherezell added the community-sentiment Tracking high-profile issues from the community label Jan 18, 2022
@maxb
Contributor

maxb commented Feb 20, 2022

The vault policy fmt formatting tool actually also includes lots of validation.

A current workaround I'm using is to just make a copy of a policy file, and run the formatter.

A very easy way to close this would be to make a version of the existing command which just stopped short of writing back the formatted content.

> I wonder if hclfmt would do the trick here?

That's for HCL version 2, whereas Vault is stuck on HCL version 1 - mainly, AFAICS, because the documented syntax for defining control groups is invalid according to an HCL version 2 parser.

Also, hclfmt only validates the core HCL syntax - vault policy fmt goes beyond that to detect Vault ACL policy specific issues, e.g. invalid capability names.
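As an added example (not code from this issue, and not Vault's own parser), the checker below runs the policy-level checks this thread asks for against the JSON form of an ACL policy: plain syntax errors, a path declared more than once in one policy, and capability names that Vault does not know. The `VALID_CAPABILITIES` set and the `_Object` helper are assumptions of this example; the set follows the documented ACL capabilities, and `patch` and `subscribe` only exist in newer Vault releases. Vault's real parser (what `vault policy fmt` runs) also accepts the HCL form and enforces more rules than this. The sample policies are constructed for the demonstration.

```python
import json
from collections import Counter

# Capability names accepted in Vault ACL policies (assumption: the documented
# set; "patch" and "subscribe" only exist in newer Vault releases).
VALID_CAPABILITIES = {
    "create", "read", "update", "patch", "delete", "list", "sudo", "deny", "subscribe",
}


class _Object(list):
    """A JSON object decoded as an ordered list of (key, value) pairs.

    json.loads normally collapses repeated keys into the last value, which would
    hide a path declared twice. Keeping the raw pairs preserves every declaration,
    and the distinct type keeps objects apart from JSON arrays (plain lists).
    """


def _lookup(obj, key):
    """Return every value bound to `key` in an _Object, in document order."""
    return [value for k, value in obj if k == key]


def validate_policy(text):
    """Check a JSON-form Vault ACL policy and return a list of problem strings.

    An empty list means the policy passed every check implemented here:
    well-formed JSON, a `path` block, no path declared twice, and only known
    capability names. This is a standalone approximation of the checks the
    proposal describes, not Vault's own parser.
    """
    problems = []
    try:
        doc = json.loads(text, object_pairs_hook=_Object)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON syntax: {exc.msg} at line {exc.lineno}"]

    if not isinstance(doc, _Object):
        return ["policy must be a JSON object"]

    path_blocks = _lookup(doc, "path")
    if not path_blocks:
        return ["policy declares no `path` block"]

    declared = []
    for block in path_blocks:
        if not isinstance(block, _Object):
            problems.append("`path` must be an object mapping paths to rules")
            continue
        for path, rules in block:
            declared.append(path)
            if not isinstance(rules, _Object):
                problems.append(f"path '{path}': rules must be an object")
                continue
            caps_values = _lookup(rules, "capabilities")
            if not caps_values:
                problems.append(f"path '{path}': no `capabilities` declared")
                continue
            for caps in caps_values:
                if not isinstance(caps, list) or isinstance(caps, _Object):
                    problems.append(f"path '{path}': `capabilities` must be a list")
                    continue
                for cap in caps:
                    if not isinstance(cap, str) or cap not in VALID_CAPABILITIES:
                        problems.append(f"path '{path}': unknown capability '{cap}'")

    # Same path declared more than once in one policy file.
    for path, count in Counter(declared).items():
        if count > 1:
            problems.append(f"path '{path}' declared {count} times")

    return problems


# Constructed sample: a policy that should pass every check.
GOOD_POLICY = """
{
  "path": {
    "secret/data/app/*": {"capabilities": ["read", "list"]},
    "auth/token/lookup-self": {"capabilities": ["read"]}
  }
}
"""

# Constructed sample: the same path declared twice and a misspelled capability.
BAD_POLICY = """
{
  "path": {
    "secret/data/app/*": {"capabilities": ["read"]},
    "secret/data/app/*": {"capabilities": ["wrote"]}
  }
}
"""

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY), ("broken", '{"path": {')):
        print(name, validate_policy(policy) or "OK")
```

The one design point worth noting is the `object_pairs_hook`: without it the duplicate `secret/data/app/*` entry in the second sample would silently disappear before any check ran, which is exactly the "same policy declared multiple times" case the proposal wants reported.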

@HenriBlacksmith

It would be nice to allow vault policy fmt to take a folder or multiple files as an input.

Not sure if I should create a separate issue here though.

10 participants