Replies: 1 comment
-
Thanks @lazize, that is a good idea. We can also move all deployments to a dedicated repository to make that independent of the Prowler code itself.
-
It is very hard to keep all files that require common IAM permissions in sync.
For now we have the files below (that I know of) and they are not in sync.
How about we have a single file that contains only the Action section of an IAM policy? Like the example below. Notice: no format, no indentation, just the pure action name on each line.
File name: additional_actions.txt
In all current files that require those policy actions, we add a placeholder and use a git hook or GitHub Actions to replace the placeholder with the additional_actions.txt file content. This script will add all the necessary formatting and indentation, as it knows the file type (yaml, json, tf, etc).
If a file accepts comments (yaml, tf), we can add the placeholder directly in the file and leave it there.
If a file doesn't accept comments (json), we can create a template file with this placeholder in it and generate the final file from its template. We will need to instruct people not to change the final file directly, only via the template.
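One way the placeholder replacement proposed in this post could work, as an added example that is not part of the original discussion or of the Prowler code base. The marker strings, the JSON placeholder and the function names are assumptions, and the action names are constructed samples.

```python
import json
import re

# Hypothetical markers: the post only says "place holder". A BEGIN/END pair lets
# the markers stay in yaml/tf files so the block can be regenerated on every run.
BEGIN, END = "# BEGIN additional_actions", "# END additional_actions"
JSON_PLACEHOLDER = '"__ADDITIONAL_ACTIONS__"'  # one array element in the json template


def load_actions(text):
    """Parse additional_actions.txt content: one action per line, sorted, de-duplicated."""
    actions = sorted({line.strip() for line in text.splitlines() if line.strip()})
    bad = [a for a in actions if not re.fullmatch(r"[a-z0-9-]+:[A-Za-z0-9*]+", a)]
    if bad:  # refuse anything that is not "service:Action" before it reaches a policy
        raise ValueError(f"not an IAM action name: {bad}")
    return actions


def render_commented(content, actions, kind):
    """Regenerate the block between the markers in a yaml or tf file, keeping the markers."""
    def block(match):
        indent = match.group(1)  # reuse the indentation of the BEGIN marker
        item = "- {}" if kind == "yaml" else '"{}",'
        lines = [indent + item.format(a) for a in actions]
        return "\n".join([indent + BEGIN, *lines, indent + END])
    pattern = rf"^([ \t]*){re.escape(BEGIN)}\n.*?^[ \t]*{re.escape(END)}$"
    out, count = re.subn(pattern, block, content, flags=re.M | re.S)
    if count == 0:
        raise ValueError("marker pair not found")
    return out


def render_json_template(template, actions):
    """Build the final json file from a template (json has no comments to hold markers)."""
    if JSON_PLACEHOLDER not in template:
        raise ValueError("placeholder not found")
    final = template.replace(JSON_PLACEHOLDER, ", ".join(json.dumps(a) for a in actions))
    return json.dumps(json.loads(final), indent=2) + "\n"  # parse to validate, then reformat


if __name__ == "__main__":
    sample = load_actions("s3:GetAccountPublicAccessBlock\naccount:Get*\n")  # constructed
    tf = f"  actions = [\n    {BEGIN}\n    {END}\n  ]\n"
    print(render_commented(tf, sample, "tf"))
```

Run from a git hook or a CI job, the same functions can also fail the build when a committed file differs from its regenerated form, which catches direct edits to a generated json file.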