merge

.gitignore

@@ -9,3 +9,4 @@ pike
 *.backup
 __debug_bin.exe
 .DS_Store
+*.orig

src/aws.go

@@ -22,7 +22,10 @@ func GetAWSPermissions(result template) []string {
 		Permissions = GetPermissionMap(aws_lambda_function, myAttributes)
 	case "aws_vpc":
 		Permissions = GetPermissionMap(aws_vpc, myAttributes)
-
+	case "aws_subnet":
+		Permissions = GetPermissionMap(aws_subnet, myAttributes)
+	case "aws_network_acl":
+		Permissions = GetPermissionMap(aws_network_acl, myAttributes)
 	default:
 		log.Printf("%s %s not found", result.Template, result.Resource.name)
 	}

src/data.go

@@ -20,7 +20,11 @@ func GetResources(file string) []Resource {
 		log.Fatal(err)
 	}
 
-	myCode, _ := hcl.Parse(string(src))
+	myCode, err := hcl.Parse(string(src))
+
+	if err != nil {
+		log.Printf("failed to parse %s", file)
+	}
 
 	Tree := myCode.Node.(*ast.ObjectList)
 

src/files.go

@@ -19,5 +19,11 @@ var aws_lambda_function []byte
 //go:embed mapping/aws/aws_vpc.json
 var aws_vpc []byte
 
+//go:embed mapping/aws/aws_subnet.json
+var aws_subnet []byte
+
+//go:embed mapping/aws/aws_network_acl.json
+var aws_network_acl []byte
+
 //go:embed mapping/gcp/google_compute_instance.json
 var google_compute_instance []byte

src/mapping/aws/aws_network_acl.json

@@ -0,0 +1,23 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "ec2:CreateNetworkAcl",
+      "ec2:CreateNetworkAclEntry",
+      "ec2:DescribeNetworkAcls",
+      "ec2:DeleteNetworkAcl"
+    ],
+    "attributes": {
+      "tags": [
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ]
+    },
+    "destroy": [
+      "ec2:DeleteNetworkAcl"
+    ],
+    "modify": [
+    ],
+    "plan": []
+  }
+]

src/mapping/aws/aws_subnet.json

@@ -0,0 +1,22 @@
+[
+  {
+    "apply": [ 
+      "ec2:CreateSubnet",
+      "ec2:DescribeAccountAttributes",
+      "ec2:DescribeSubnets",
+      "ec2:DeleteSubnet"
+    ],
+    "attributes": {
+      "tags": [
+        "ec2:CreateTags",
+        "ec2:DeleteTags"
+      ]
+    },
+    "destroy": [
+      "ec2:DeleteSubnet"
+    ],
+    "modify": [
+    ],
+    "plan": []
+  }
+]

src/mapping/aws/template.json

@@ -0,0 +1,16 @@
+[
+  {
+    "apply": [
+    ],
+    "attributes": {
+      "tags": [
+
+      ]
+    },
+    "destroy": [
+    ],
+    "modify": [
+    ],
+    "plan": []
+  }
+]

terraform/backup/aws_network_acl.tf

@@ -0,0 +1,25 @@
+resource "aws_network_acl" "example" {
+  vpc_id = "vpc-0c9622709bb598517"
+
+  egress {
+    protocol   = "tcp"
+    rule_no    = 200
+    action     = "allow"
+    cidr_block = "10.3.0.0/18"
+    from_port  = 443
+    to_port    = 443
+  }
+
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "10.3.0.0/18"
+    from_port  = 80
+    to_port    = 80
+  }
+
+  # tags = {
+  #   Name = "main"
+  # }
+}

terraform/backup/aws_subnet.tf

@@ -0,0 +1,8 @@
+resource "aws_subnet" "example" {
+  vpc_id     = "vpc-0c9622709bb598517"
+  cidr_block = "10.0.0.0/24"
+
+#   tags = {
+#     Name = "Main"
+#   }
+}

terraform/backup/route.tf

@@ -0,0 +1,3 @@
+resource "aws_route" "placeholder" {
+  #subnet-0243b982356b4a0f0
+}

terraform/role/aws_iam_policy.basic.tf

@@ -5,8 +5,7 @@ resource "aws_iam_policy" "basic" {
     Statement = [
       {
         Action = [
-          "ec2:DescribeAccountAttributes",
-        ]
+          "ec2:DescribeAccountAttributes"]
         Effect   = "Allow"
         Resource = "*"
       },

terraform/role/aws_network_acl.md

@@ -0,0 +1,33 @@
+resource "aws_iam_policy" "basic" {
+  name = "basic"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ec2:DescribeAccountAttributes",
+          "ec2:CreateNetworkAcl",
+          "ec2:CreateNetworkAclEntry",
+          "ec2:DescribeNetworkAcls",
+          "ec2:DeleteNetworkAcl",
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+  tags = { createdby = "JamesWoolfenden" }
+}
+
+resource "aws_iam_role_policy_attachment" "basic" {
+  role       = aws_iam_role.basic.name
+  policy_arn = aws_iam_policy.basic.arn
+}
+
+resource "aws_iam_user_policy_attachment" "basic" {
+  # checkov:skip=CKV_AWS_40: By design
+  user       = "basic"
+  policy_arn = aws_iam_policy.basic.arn
+}

terraform/role/aws_subnet.md

@@ -0,0 +1,32 @@
+resource "aws_iam_policy" "basic" {
+  name = "basic"
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "ec2:CreateSubnet",
+          "ec2:DescribeAccountAttributes",
+          "ec2:DescribeSubnets",
+          "ec2:DeleteSubnet",
+          "ec2:CreateTags",
+          "ec2:DeleteTags"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+  })
+  tags = { createdby = "JamesWoolfenden" }
+}
+
+resource "aws_iam_role_policy_attachment" "basic" {
+  role       = aws_iam_role.basic.name
+  policy_arn = aws_iam_policy.basic.arn
+}
+
+resource "aws_iam_user_policy_attachment" "basic" {
+  # checkov:skip=CKV_AWS_40: By design
+  user       = "basic"
+  policy_arn = aws_iam_policy.basic.arn
+}

todo.md

@@ -28,10 +28,11 @@ aws_route53_zone
 sqs
 sns
 
-nacl
-subnet
 route_table
 nat_gateway
 
 handle
 2022/07/24 07:00:37 data aws_caller_identity not found
+
+parse/ignore variables hcl.parse the correct parser?
+https://discuss.hashicorp.com/t/parse-hcl-treating-variables-or-functions-as-raw-strings-hashicorp-hcl/5859/2