WIP

JamesWoolfenden · Aug 5, 2022 · e2478d2 · e2478d2
1 parent 817130f
commit e2478d2
Show file tree

Hide file tree

Showing 14 changed files with 374 additions and 6 deletions.
diff --git a/src/aws.go b/src/aws.go
@@ -8,6 +8,18 @@ import (
 // GetAWSPermissions for AWS resources
 func GetAWSPermissions(result ResourceV2) []string {
 
+	var Permissions []string
+	if result.TypeName == "resource" {
+		Permissions = GetAWSResourcePermissions(result)
+	} else {
+		Permissions = GetAWSDataPermissions(result)
+	}
+
+	return Permissions
+}
+
+// GetAWSResourcePermissions looks up permissions required for resources
+func GetAWSResourcePermissions(result ResourceV2) []string {
 	var Permissions []string
 	switch result.Name {
 	case "aws_s3_bucket":
@@ -24,10 +36,49 @@ func GetAWSPermissions(result ResourceV2) []string {
 		Permissions = GetPermissionMap(aws_subnet, result.Attributes)
 	case "aws_network_acl":
 		Permissions = GetPermissionMap(aws_network_acl, result.Attributes)
+	case "aws_kms_key":
+		Permissions = GetPermissionMap(aws_kms_key, result.Attributes)
+	case "aws_iam_role":
+		Permissions = GetPermissionMap(aws_iam_role, result.Attributes)
+	case "aws_mq_broker":
+		Permissions = GetPermissionMap(aws_mq_broker, result.Attributes)
+	case "aws_mq_configuration":
+		Permissions = GetPermissionMap(aws_mq_configuration, result.Attributes)
 	default:
 		log.Printf("%s not implemented", result.Name)
 	}
+	return Permissions
+}
 
+// GetAWSDataPermissions gets permissions required for datasources
+func GetAWSDataPermissions(result ResourceV2) []string {
+	var Permissions []string
+	switch result.Name {
+	//case "aws_s3_bucket":
+	//	Permissions = GetPermissionMap(aws_s3_bucket, result.Attributes)
+	//case "aws_instance":
+	//	Permissions = GetPermissionMap(aws_instance, result.Attributes)
+	//case "aws_security_group":
+	//	Permissions = GetPermissionMap(aws_security_group, result.Attributes)
+	//case "aws_lambda_function":
+	//	Permissions = GetPermissionMap(aws_lambda_function, result.Attributes)
+	//case "aws_vpc":
+	//	Permissions = GetPermissionMap(aws_vpc, result.Attributes)
+	//case "aws_subnet":
+	//	Permissions = GetPermissionMap(aws_subnet, result.Attributes)
+	//case "aws_network_acl":
+	//	Permissions = GetPermissionMap(aws_network_acl, result.Attributes)
+	//case "aws_kms_key":
+	//	Permissions = GetPermissionMap(aws_kms_key, result.Attributes)
+	//case "aws_iam_role":
+	//	Permissions = GetPermissionMap(aws_iam_role, result.Attributes)
+	//case "aws_mq_broker":
+	//	Permissions = GetPermissionMap(aws_mq_broker, result.Attributes)
+	//case "aws_mq_configuration":
+	//	Permissions = GetPermissionMap(aws_mq_configuration, result.Attributes)
+	default:
+		log.Printf("%s.%s not implemented", result.TypeName, result.Name)
+	}
 	return Permissions
 }
 

diff --git a/src/data.go b/src/data.go
@@ -1,7 +1,6 @@
 package pike
 
 import (
-	"errors"
 	"io/ioutil"
 	"log"
 	"strings"
@@ -34,7 +33,7 @@ func GetResources(file string) ([]ResourceV2, error) {
 		var resource ResourceV2
 		resource.TypeName = block.Type
 
-		ignore := []string{"terraform", "output", "provider", "variable", "locals"}
+		ignore := []string{"terraform", "output", "provider", "variable", "locals", "module", "template"}
 
 		if stringInSlice(resource.TypeName, ignore) {
 			continue
@@ -74,11 +73,13 @@ func GetPermission(result ResourceV2) (Sorted, error) {
 	switch result.Provider {
 	case "aws":
 		myPermission.AWS = GetAWSPermissions(result)
-	case "azure":
-		return myPermission, errors.New("not implemented")
+	case "azurerm", "oci", "digitalocean", "linode", "helm":
+		log.Printf("Provider %s not yet implemented", result.Provider)
+		return myPermission, nil
 	case "gcp", "google":
 		myPermission.GCP = GetGCPPermissions(result)
-	case "provider":
+	case "provider", "random", "main", "ip", "http", "test", "local",
+		"archive", "tls", "template", "null", "time":
 		return myPermission, nil
 	default:
 		if result.Provider != "" {

diff --git a/src/files.go b/src/files.go
@@ -25,5 +25,17 @@ var aws_subnet []byte
 //go:embed mapping/aws/aws_network_acl.json
 var aws_network_acl []byte
 
+//go:embed mapping/aws/aws_kms_key.json
+var aws_kms_key []byte
+
+//go:embed mapping/aws/aws_iam_role.json
+var aws_iam_role []byte
+
+//go:embed mapping/aws/aws_mq_broker.json
+var aws_mq_broker []byte
+
+//go:embed mapping/aws/aws_mq_configuration.json
+var aws_mq_configuration []byte
+
 //go:embed mapping/gcp/google_compute_instance.json
 var google_compute_instance []byte
diff --git a/src/mapping/aws/aws_iam_role.json b/src/mapping/aws/aws_iam_role.json
@@ -0,0 +1,39 @@
+[
+  {
+    "apply": [
+      "iam:CreateRole"
+    ],
+    "attributes": {
+      "description": [
+        "iam:UpdateRoleDescription"
+      ],
+      "inline_policy": [
+        "iam:PutRolePolicy",
+        "iam:GetRolePolicy"
+      ],
+      "managed_policy_arns": [
+        "iam:AttachRolePolicy",
+        "iam:DetachRolePolicy",
+        "iam:DeleteRolePolicy"
+      ],
+      "permissions_boundary": [
+        "iam:PutRolePermissionsBoundary",
+        "iam:DeleteRolePermissionsBoundary"
+      ],
+      "tags": [
+        "iam:TagRole"
+      ]
+    },
+    "destroy": [
+      "iam:DeleteRole"
+    ],
+    "modify": [
+      "iam:GetRole",
+      "iam:ListRolePolicies",
+      "iam:ListAttachedRolePolicies",
+      "iam:ListInstanceProfilesForRole",
+      "iam:DeleteRole"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/aws_kms_key.json b/src/mapping/aws/aws_kms_key.json
@@ -0,0 +1,33 @@
+[
+  {
+    "apply": [
+      "kms:CreateKey"
+    ],
+    "attributes": {
+      "enable_key_rotation": [
+        "kms:EnableKeyRotation"
+      ],
+      "is_enabled": [
+        "kms:DisableKey",
+        "kms:EnableKey"
+      ],
+      "policy": [
+        "kms:PutKeyPolicy"
+      ],
+      "tags": [
+        "kms:TagResource",
+        "kms:UntagResource"
+      ]
+    },
+    "destroy": [],
+    "modify": [
+      "kms:ScheduleKeyDeletion"
+    ],
+    "plan": [
+      "kms:DescribeKey",
+      "kms:GetKeyPolicy",
+      "kms:GetKeyRotationStatus",
+      "kms:ListResourceTags"
+    ]
+  }
+]
diff --git a/src/mapping/aws/aws_mq_broker.json b/src/mapping/aws/aws_mq_broker.json
@@ -0,0 +1,24 @@
+[
+  {
+    "apply": [
+      "ec2:CreateNetworkInterface",
+      "ec2:CreateNetworkInterfacePermission",
+      "ec2:DeleteNetworkInterface",
+      "ec2:DeleteNetworkInterfacePermission",
+      "ec2:DetachNetworkInterface",
+      "ec2:DescribeInternetGateways",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DescribeNetworkInterfacePermissions",
+      "ec2:DescribeRouteTables",
+      "ec2:DescribeSecurityGroups",
+      "ec2:DescribeSubnets",
+      "ec2:DescribeVpcs"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/aws_mq_configuration.json b/src/mapping/aws/aws_mq_configuration.json
@@ -0,0 +1,11 @@
+[
+  {
+    "apply": [],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/terraform/aws_mq_broker.test.tf b/terraform/aws_mq_broker.test.tf
@@ -0,0 +1,40 @@
+resource "aws_mq_broker" "broker" {
+  broker_name = "mybrokername"
+  #  auto_minor_version_upgrade = true
+  #
+  #  configuration {
+  #    id       = aws_mq_configuration.broker.id
+  #    revision = aws_mq_configuration.broker.latest_revision
+  #  }
+  #
+  engine_type        = "ACTIVEMQ" //RABBITMQ
+  engine_version     = "5.15.9"
+  host_instance_type = "mq.t2.micro"
+  #  deployment_mode     = var.mq_broker["deployment_mode"]
+  #  publicly_accessible = var.mq_broker["publicly_accessible"]
+  #  security_groups     = [aws_security_group.broker.id]
+  #
+  user {
+    username = "Fred"
+    password = "QuimbyWasAGod"
+  }
+  #
+  #  maintenance_window_start_time {
+  #    day_of_week = var.maintenance_window_start_time["day_of_week"]
+  #    time_of_day = var.maintenance_window_start_time["time_of_day"]
+  #    time_zone   = var.maintenance_window_start_time["time_zone"]
+  #  }
+  #
+  #  encryption_options {
+  #    kms_key_id        = var.kms_key_id
+  #    use_aws_owned_key = false
+  #  }
+  #
+  #  logs {
+  #    general = true
+  #    audit   = true
+  #  }
+  #
+  #  subnet_ids = var.subnet_ids
+  tags = { name = "some_tags" }
+}
diff --git a/terraform/backup/aws_iam_role.test.tf b/terraform/backup/aws_iam_role.test.tf
@@ -0,0 +1,38 @@
+resource "aws_iam_role" "test" {
+  assume_role_policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Effect" : "Allow",
+          "Principal" : { "AWS" : "arn:aws:iam::680235478471:root" },
+          "Action" : "sts:AssumeRole",
+        }
+      ]
+    }
+  )
+  //  tags = {name="policytest"}
+  #  inline_policy {
+  #    name = "my_inline_policy"
+  #
+  #    policy = jsonencode({
+  #      Version = "2012-10-17"
+  #      Statement = [
+  #        {
+  #          Action   = ["ec2:Describe*"]
+  #          Effect   = "Allow"
+  #          Resource = "*"
+  #        },
+  #      ]
+  #    })
+  #  }
+  description = "a policy bigger"
+  name        = "test2"
+  //permissions_boundary = "arn:aws:iam::aws:policy/AmazonEC2FullAccess"
+  //path="/service-role/"
+  //max_session_duration = 3600
+  //managed_policy_arns=["arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess"]
+
+  //arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess
+  //force_detach_policies = true
+}
diff --git a/terraform/backup/aws_kms_key.example.tf b/terraform/backup/aws_kms_key.example.tf
@@ -0,0 +1,28 @@
+resource "aws_kms_key" "example" {
+
+  enable_key_rotation                = true
+  is_enabled                         = true
+  key_usage                          = "ENCRYPT_DECRYPT"
+  description                        = "myfavouritekey"
+  bypass_policy_lockout_safety_check = false
+  deletion_window_in_days            = 7
+  multi_region                       = false
+  policy                             = <<POLICY
+{
+    "Version": "2012-10-17",
+    "Id": "key-default-1",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::680235478471:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        }
+    ]
+}
+POLICY
+  tags                               = { name = "myfavouritekey" }
+}
diff --git a/terraform/role/aws_iam_policy.basic.tf b/terraform/role/aws_iam_policy.basic.tf
@@ -5,7 +5,19 @@ resource "aws_iam_policy" "basic" {
     Statement = [
       {
         Action = [
-          "ec2:DescribeAccountAttributes"]
+          "ec2:DescribeAccountAttributes",
+          "ec2:CreateNetworkInterface",
+          "ec2:CreateNetworkInterfacePermission",
+          "ec2:DeleteNetworkInterface",
+          "ec2:DeleteNetworkInterfacePermission",
+          "ec2:DetachNetworkInterface",
+          "ec2:DescribeInternetGateways",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DescribeNetworkInterfacePermissions",
+          "ec2:DescribeRouteTables",
+          "ec2:DescribeSecurityGroups",
+          "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs"]
         Effect   = "Allow"
         Resource = "*"
       },

diff --git a/terraform/role/aws_iam_role.basic.tf b/terraform/role/aws_iam_role.basic.tf
@@ -1,4 +1,5 @@
 resource "aws_iam_role" "basic" {
+  name = "pike-test-role"
   assume_role_policy = jsonencode(
     {
       "Version" : "2012-10-17",