Support Policy Templates #41

Open
georgealton opened this issue Jun 17, 2022 · 0 comments
georgealton commented Jun 17, 2022

In many cases IAM Policy templates use template strings that are then filled in at compile time. In their raw template state they won't validate successfully against AWS APIs.

It would be useful to inject values for Policy Template strings used in the following IaC tools:

terraform templatefile (interpolation, not directives)
cloudformation (!Sub function)

They both have the same interpolation syntax:
${key}

CloudFormation has some builtin PseudoParameters like ${AWS::Region} as well.

As a first pass the templating context should require the literal string used within the interpolation, so the lookup will always be str -> str. It won't support looking up against an object.

{
"key.xyz": "key-was-a-string"
}

What about Conditionals in terraform?
https://www.terraform.io/language/configuration-0-11/interpolation#conditionals
We believe conditionals should be evaluated outside of the scope of a Policy template.

The context, a simple str -> str map, should be supplied when iam-sarif-report is called. This should be from either a file or command line parameters.

Policy Variables

          "sns:endpoint": "https://example.com/${aws:username}/"

IAM supports its own interpolation too using Policy Variables

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-wheretouse

any render would have to be to avoid interpolation of these

@georgealton georgealton changed the title Support templating Support Policy Templates Jun 21, 2022
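
The rendering rules proposed in the issue, as an added sketch that is not part of the original issue or of iam-sarif-report's code: `${key}` is filled from a str -> str map, while IAM policy variables such as `${aws:username}` are passed through for IAM to resolve. The function name, the single-colon rule used to recognise policy variables, and the sample template and context are assumptions constructed for illustration.

```python
import json
import re

# Matches ${...} placeholders, the syntax shared by Terraform templatefile
# interpolation and CloudFormation !Sub.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")

# Assumption: an IAM policy variable is "prefix:name" with a single colon
# (${aws:username}) or one of the special characters ${*}, ${?}, ${$}.
# CloudFormation pseudo parameters use "::" and therefore do not match.
IAM_POLICY_VARIABLE = re.compile(r"^(?:[*?$]|[\w.-]+:(?!:).+)$")

# Constructed sample input, not taken from the project.
SAMPLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::${bucket.name}/${aws:username}/*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "${AWS::Region}"}}
  }]
}"""
SAMPLE_CONTEXT = {"bucket.name": "example-bucket", "AWS::Region": "eu-west-1"}


def render_policy_template(template: str, context: dict[str, str]) -> str:
    """Fill ${key} from a str -> str map, leaving IAM policy variables intact."""
    missing = []

    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key in context:  # literal string lookup only, no object traversal
            return context[key]
        if IAM_POLICY_VARIABLE.match(key):
            return match.group(0)  # left for IAM to resolve at request time
        missing.append(key)
        return match.group(0)

    rendered = PLACEHOLDER.sub(substitute, template)
    if missing:
        # Fail closed: an unrendered placeholder would not validate anyway.
        raise KeyError(f"no value supplied for: {', '.join(sorted(set(missing)))}")
    return rendered


if __name__ == "__main__":
    policy = json.loads(render_policy_template(SAMPLE_TEMPLATE, SAMPLE_CONTEXT))
    print(json.dumps(policy, indent=2))
```

Values are inserted verbatim, so a context value containing a double quote or backslash would need JSON escaping before the rendered policy is parsed.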