Normalizes an AWS IAM policy converting all possible single-value elements into their array equivalents

normalize-iam-policy.jq

# Wraps the provided elements in an array if the input not already contained in one (ex: "abc" -> ["abc"])
# TODO: If the input is a literal 'null', this (incorrectly) removes the key when used with the '|=' operator
def normalize:
    if type == "null" then empty
    elif type == "array" then .
    else [.] end;

# Convert the Statement into an array (if needed), then normalize the contents of each
.Statement |= (normalize | map(
    (.Principal, .NotPrincipal) |= (
        # TODO: Technically it's not _always_ valid to map "*" to {"AWS": "*"}
        if . == "*" then {"AWS": ["*"]}
        elif type == "null" then empty
        else map_values(normalize) end
    ) |
    (.Action, .NotAction, .Resource, .NotResource) |= normalize |
    .Condition |= (
        if type == "null" then empty
        else map_values(map_values(normalize)) end
    )
))

normalize-iam-policy.sh

alias iam-normalize=jq 'def normalize: if type == "null" then empty elif type == "array" then . else [.] end; .Statement |= (normalize | map((.Principal, .NotPrincipal) |= (if . == "*" then {"AWS": ["*"]} elif type == "null" then empty else map_values(normalize) end) | (.Action, .NotAction, .Resource, .NotResource) |= normalize | .Condition |= (if type == "null" then empty else map_values(map_values(normalize)) end)))'