From 0bb1feccef743df3649fc6e12ad3e15c156cd99d Mon Sep 17 00:00:00 2001 
From: James Woolfenden Date: Mon, 27 Nov 2023 08:32:53 +0000 Subject: [PATCH] aoss --- src/aws.go | 36 ++++++----- src/azure_datasource.go | 6 +- src/azure_policy.go | 6 +- src/compare.go | 4 +- src/coverage/aws.md | 18 ++---- src/coverage/coverage.go | 2 + src/data.go | 10 +-- src/files.go | 18 ++++++ src/files_azure_datasource.go | 4 +- src/files_gcp.go | 2 +- src/files_gcp_datasource.go | 8 +-- src/gcp.go | 16 ++--- src/gcp_datasource.go | 10 +-- src/gcp_policy.go | 3 +- src/gitHub.go | 6 +- src/make.go | 5 +- ...ws_opensearchserverless_access_policy.json | 19 ++++++ .../aws_opensearchserverless_collection.json | 22 +++++++ ...opensearchserverless_lifecycle_policy.json | 20 ++++++ ..._opensearchserverless_security_config.json | 21 +++++++ ..._opensearchserverless_security_policy.json | 19 ++++++ ...aws_opensearchserverless_vpc_endpoint.json | 32 ++++++++++ src/policy.go | 10 +-- src/readme.go | 2 +- src/scan.go | 13 ++-- src/secrets.go | 2 +- src/utils.go | 4 +- src/watch.go | 2 +- .../aws_opensearchserverless_access_policy.tf | 35 +++++++++++ .../aws_opensearchserverless_collection.tf | 11 ++++ ...s_opensearchserverless_lifecycle_policy.tf | 20 ++++++ ...ws_opensearchserverless_security_config.tf | 9 +++ ...ws_opensearchserverless_security_policy.tf | 18 ++++++ .../aws_opensearchserverless_vpc_endpoint.tf | 19 ++++++ .../data.aws_emr_supported_instance_types.tf | 1 + terraform/aws/backup/idp-metadata.xml | 38 ++++++++++++ terraform/aws/idp-metadata.xml | 38 ++++++++++++ terraform/aws/role/aws_iam_policy.basic.tf | 61 ++++++++++++++++--- 38 files changed, 474 insertions(+), 96 deletions(-) create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_access_policy.json create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_collection.json create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_lifecycle_policy.json create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_security_config.json 
create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_security_policy.json
create mode 100644 src/mapping/aws/resource/aoss/aws_opensearchserverless_vpc_endpoint.json
create mode 100644 terraform/aws/backup/aws_opensearchserverless_access_policy.tf
create mode 100644 terraform/aws/backup/aws_opensearchserverless_collection.tf
create mode 100644 terraform/aws/backup/aws_opensearchserverless_lifecycle_policy.tf
create mode 100644 terraform/aws/backup/aws_opensearchserverless_security_config.tf
create mode 100644 terraform/aws/backup/aws_opensearchserverless_security_policy.tf
create mode 100644 terraform/aws/backup/aws_opensearchserverless_vpc_endpoint.tf
create mode 100644 terraform/aws/backup/data.aws_emr_supported_instance_types.tf
create mode 100644 terraform/aws/backup/idp-metadata.xml
create mode 100644 terraform/aws/idp-metadata.xml
diff --git a/src/aws.go b/src/aws.go
index 5ef3d000..cd1f9168 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -8,7 +8,7 @@ import (
 const terraform string = "terraform"
-// GetAWSPermissions for AWS resources
+// GetAWSPermissions for AWS resources.
 func GetAWSPermissions(result ResourceV2) ([]string, error) {
 var (
 err error
@@ -76,6 +76,10 @@ func AwsLookup(name string) interface{} {
 "aws_alb_listener": awsLbListener,
 "aws_alb_target_group": awsLbTargetGroup,
 "aws_alb_target_group_attachment": awsLbTargetGroupAttachment,
+ "aws_ami": awsAmi,
+ "aws_ami_copy": awsAmiCopy,
+ "aws_ami_from_instance": awsAmiFromInstance,
+ "aws_ami_launch_permission": awsAmiLauchPermission,
 "aws_api_gateway_account": awsAPIGatewayAccount,
 "aws_api_gateway_api_key": awsApigatewayv2Api,
 "aws_api_gateway_authorizer": awsApigatewayv2Api,
@@ -142,9 +146,12 @@ func AwsLookup(name string) interface{} {
 "aws_batch_job_queue": awsBatchJobQueue,
 "aws_batch_scheduling_policy": awsBatchSchedulingPolicy,
 "aws_budgets_budget": awsBudgetsBudget,
+ "aws_budgets_budget_action": awsBudgetsBudgetAction,
 "aws_cloud9_environment_ec2": awsCloud9EnvironmentEc2,
+ "aws_cloudformation_stack": awsCloudformationStack,
 "aws_cloudformation_stack_set": awsCloudFormationStackSet,
 "aws_cloudformation_stack_set_instance": awsCloudFormationStackSetInstance,
+ "aws_cloudformation_type": awsCloudformationType,
 "aws_cloudfront_distribution": awsCloudfrontDistribution,
 "aws_cloudfront_field_level_encryption_config": awsCloudfrontFieldLevelEncryptionConfig,
 "aws_cloudfront_field_level_encryption_profile": awsCloudfrontFieldLevelEncryptionProfile,
@@ -391,6 +398,14 @@ func AwsLookup(name string) interface{} {
 "aws_networkfirewall_rule_group": awsNetworkfirewallRuleGroup,
 "aws_opensearch_domain": awsElasticsearchDomain,
 "aws_opensearch_domain_policy": awsElasticsearchDomainPolicy,
+ "aws_opensearchserverless_access_policy": awsOpenseachserverlessAccessPolicy,
+ "aws_opensearchserverless_collection": awsOpenseachserverlessCollection,
+ "aws_opensearchserverless_lifecycle_policy": awsOpenseachserverlessLifecyclePolicy,
+ "aws_opensearchserverless_security_config": awsOpenseachserverlessSecurityConfig,
+ "aws_opensearchserverless_security_policy": awsOpenseachserverlessSecurityPolicy,
+ "aws_opensearchserverless_vpc_endpoint": awsOpenseachserverlessVpcEndpoint,
+ "aws_organizations_policy": awsOrganizationsPolicy,
+ "aws_organizations_policy_attachment": awsOrganizationsPolicyAttachment,
 "aws_placement_group": awsPlacementGroup,
 "aws_ram_principal_association": awsRAMPrincipleAssociation,
 "aws_ram_resource_association": awsRAMResourceAssociation,
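Review bot: The six new lookup entries for `aws_opensearchserverless_*` are bound to identifiers spelled `awsOpenseachserverless…`, with the `r` of "search" missing, and that spelling will be copied forward each time another aoss mapping is added; renaming them to `awsOpensearchserverlessAccessPolicy` and so on, both here and at their `//go:embed` declarations in src/files.go, keeps them greppable against the resource type they map. The earlier hunk in this file re-adds `awsAmiLauchPermission`, which has the same kind of slip, though that name predates the commit. AwsLookup's map literal starts and ends outside this hunk.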
@@ -455,6 +470,8 @@ func AwsLookup(name string) interface{} {
 "aws_sagemaker_endpoint_configuration": awsSagemakerEndpointConfiguration,
 "aws_sagemaker_model": awsSagemakerModel,
 "aws_secretsmanager_secret": awsSecretsmanagerSecret,
+ "aws_secretsmanager_secret_policy": awsSecretsmanagerSecretPolicy,
+ "aws_secretsmanager_secret_rotation": awsSecretsmanagerSecretRotation,
 "aws_secretsmanager_secret_version": awsSecretsmanagerSecretVersion,
 "aws_security_group": awsSecurityGroup,
 "aws_security_group_rule": awsSecurityGroupRule,
@@ -469,6 +486,7 @@ func AwsLookup(name string) interface{} {
 "aws_ses_receipt_rule": awsSesReceiptRule,
 "aws_ses_receipt_rule_set": awsSesReceiptRuleSet,
 "aws_sfn_activity": awsSfnActivity,
+ "aws_sfn_alias": awsSfnAlias,
 "aws_sfn_state_machine": awsSfnStateMachine,
 "aws_sns_sms_preferences": awsSnsSmsPreferences,
 "aws_sns_topic": awsSnsTopic,
@@ -521,24 +539,12 @@ func AwsLookup(name string) interface{} {
 "aws_xray_group": awsXrayGroup,
 "aws_xray_sampling_rule": awsXraySamplingRule,
 "backend": s3backend,
- "aws_ami": awsAmi,
- "aws_ami_copy": awsAmiCopy,
- "aws_ami_from_instance": awsAmiFromInstance,
- "aws_ami_launch_permission": awsAmiLauchPermission,
- "aws_budgets_budget_action": awsBudgetsBudgetAction,
- "aws_cloudformation_stack": awsCloudformationStack,
- "aws_cloudformation_type": awsCloudformationType,
- "aws_organizations_policy": awsOrganizationsPolicy,
- "aws_organizations_policy_attachment": awsOrganizationsPolicyAttachment,
- "aws_secretsmanager_secret_policy": awsSecretsmanagerSecretPolicy,
- "aws_secretsmanager_secret_rotation": awsSecretsmanagerSecretRotation,
- "aws_sfn_alias": awsSfnAlias,
 }
 return TFLookup[name]
 }
-// Contains looks if slice contains string
+// Contains looks if slice contains string.
 func Contains(s []string, e string) bool {
 for _, a := range s {
 if a == e {
@@ -549,7 +555,7 @@ func Contains(s []string, e string) bool {
 return false
 }
-// GetPermissionMap Anonymous parsing
+// GetPermissionMap Anonymous parsing.
 func GetPermissionMap(raw []byte, attributes []string) ([]string, error) {
 var mappings []interface{}
 err := json.Unmarshal(raw, &mappings)
diff --git a/src/azure_datasource.go b/src/azure_datasource.go
index 8f3c3eac..503f2c87 100644
--- a/src/azure_datasource.go
+++ b/src/azure_datasource.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 )
-// GetAZUREDataPermissions gets permissions required for datasources
+// GetAZUREDataPermissions gets permissions required for datasources.
 func GetAZUREDataPermissions(result ResourceV2) ([]string, error) {
 temp := AzureDataLookup(result.Name)
@@ -48,8 +48,8 @@ func AzureDataLookup(name string) interface{} {
 "azurerm_app_service_environment": dataAzurermAppServiceEnvironment,
 "azurerm_app_service_environment_v3": dataAzurermAppServiceEnvironmentV3,
 "azurerm_app_service_plan": dataAzurermAppServicePlan,
- "azurerm_public_ip": dataAzurermPublicIp,
- "azurerm_public_ip_prefix": dataAzurermPublicIpPrefix,
+ "azurerm_public_ip": dataAzurermPublicIP,
+ "azurerm_public_ip_prefix": dataAzurermPublicIPPrefix,
 "azurerm_public_ips": dataAzurermPublicIps,
 "azurerm_windows_function_app": dataAzurermWindowsFunctionApp,
 "azurerm_windows_web_app": dataAzurermWindowsWebApp,
diff --git a/src/azure_policy.go b/src/azure_policy.go
index 98665294..08e3bf0d 100644
--- a/src/azure_policy.go
+++ b/src/azure_policy.go
@@ -11,18 +11,18 @@ import (
 //go:embed terraform.azurepolicy.template
 var policyAZURETemplate []byte
-// AZUREPolicy creates an Azure role definition
+// AZUREPolicy creates an Azure role definition.
 func AZUREPolicy(permissions []string) (string, error) {
 test := strings.Join(permissions, "\",\n \"")
- type AzurePolicyDetails struct {
+ type azurePolicyDetails struct {
 Name string
 Permissions string
 }
 policyName := "terraform_pike"
- theDetails := AzurePolicyDetails{policyName, test}
+ theDetails := azurePolicyDetails{policyName, test}
 var output bytes.Buffer
diff --git a/src/compare.go b/src/compare.go
index b4cd74e6..9ac057bf 100644
--- a/src/compare.go
+++ b/src/compare.go
@@ -12,7 +12,7 @@ import (
 "github.com/yudai/gojsondiff/formatter"
 )
-// Compare IAC codebase to AWS policy
+// Compare IAC codebase to AWS policy.
 func Compare(directory string, arn string, init bool) (bool, error) {
 var theSame bool
 // Load the Shared AWS Configuration (~/.aws/config)
@@ -48,7 +48,7 @@ func Compare(directory string, arn string, init bool) (bool, error) {
 return theSame, err
 }
-// CompareIAMPolicy takes to IAm policies and compares
+// CompareIAMPolicy takes to IAm policies and compares.
 func CompareIAMPolicy(policy string, oldPolicy string) (bool, error) {
 differ := diff.New()
 compare, err := differ.Compare([]byte(policy), []byte(oldPolicy))
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index a1ec045c..3cdf25f2 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
@@ -1,7 +1,7 @@
 # todo aws
-Resource percentage coverage 36.31
-Datasource percentage coverage 98.80
+Resource percentage coverage 36.75
+Datasource percentage coverage 99.80
 ./resource.ps1 aws_accessanalyzer_analyzer
 ./resource.ps1 aws_accessanalyzer_archive_rule
@@ -33,6 +33,7 @@ Datasource percentage coverage 98.80
 ./resource.ps1 aws_apprunner_auto_scaling_configuration_version
 ./resource.ps1 aws_apprunner_connection
 ./resource.ps1 aws_apprunner_custom_domain_association
+./resource.ps1 aws_apprunner_default_auto_scaling_configuration_version
 ./resource.ps1 aws_apprunner_observability_configuration
 ./resource.ps1 aws_apprunner_service
 ./resource.ps1 aws_apprunner_vpc_connector
@@ -493,12 +494,6 @@ Datasource percentage coverage 98.80
 ./resource.ps1 aws_opensearch_package
 ./resource.ps1 aws_opensearch_package_association
 ./resource.ps1 aws_opensearch_vpc_endpoint
-./resource.ps1 aws_opensearchserverless_access_policy
-./resource.ps1 aws_opensearchserverless_collection
-./resource.ps1 aws_opensearchserverless_lifecycle_policy
-./resource.ps1 aws_opensearchserverless_security_config
-./resource.ps1 aws_opensearchserverless_security_policy
-./resource.ps1 aws_opensearchserverless_vpc_endpoint
 ./resource.ps1 aws_opsworks_application
 ./resource.ps1 aws_opsworks_custom_layer
 ./resource.ps1 aws_opsworks_ecs_cluster_layer
@@ -817,9 +812,4 @@ Datasource percentage coverage 98.80
 ./resource.ps1 aws_worklink_website_certificate_authority_association
 ./resource.ps1 aws_workspaces_connection_alias
 ./resource.ps1 aws_workspaces_ip_group
-./resource.ps1 aws_apigatewayv2_vpc_link -type data
-./resource.ps1 aws_athena_named_query -type data
-./resource.ps1 aws_bedrock_foundation_model -type data
-./resource.ps1 aws_bedrock_foundation_models -type data
-./resource.ps1 aws_iot_registration_code -type data
-./resource.ps1 aws_opensearchserverless_lifecycle_policy -type data
+./resource.ps1 aws_emr_supported_instance_types -type data
diff --git a/src/coverage/coverage.go b/src/coverage/coverage.go
index 3973de73..cd536070 100644
--- a/src/coverage/coverage.go
+++ b/src/coverage/coverage.go
@@ -45,6 +45,7 @@ func coverageAWS() error {
 target = Prepend + target
 err := os.WriteFile("aws.md", []byte(target), 0o700)
+
 if err != nil {
 return err
 }
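Review bot: `os.WriteFile("aws.md", []byte(target), 0o700)` in coverageAWS writes a markdown report with the owner-execute bit set; a data file wants a non-executable mode, so `err := os.WriteFile("aws.md", []byte(target), 0o644)` (or `0o600` if the report is not meant to be shared). The line is context rather than part of the change, but the hunk touches the statement right after it and this is the natural place to fix it. coverageAWS continues outside the hunk.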
@@ -129,6 +130,7 @@ func importMembers(targetMembers string) members {
 func percent(missing []string, data []string) float64 {
 var source float64
+ var target float64
 source = float64(len(missing))
diff --git a/src/data.go b/src/data.go
index d5dec067..be411418 100644
--- a/src/data.go
+++ b/src/data.go
@@ -12,7 +12,7 @@ import (
 "github.com/rs/zerolog/log"
 )
-// GetResources retrieves all the resources in a tf file
+// GetResources retrieves all the resources in a tf file.
 func GetResources(file string, dirName string) ([]ResourceV2, error) {
 var Resources []ResourceV2
@@ -73,7 +73,7 @@ func GetResources(file string, dirName string) ([]ResourceV2, error) {
 return Resources, nil
 }
-// DetectBackend handles permissions for backend blocks
+// DetectBackend handles permissions for backend blocks.
 func DetectBackend(resource ResourceV2, block *hclsyntax.Block, resources []ResourceV2) ([]ResourceV2, error) {
 if resource.TypeName == terraform {
 if block.Body != nil && block.Body.Blocks != nil {
@@ -95,7 +95,7 @@ func DetectBackend(resource ResourceV2, block *hclsyntax.Block, resources []Reso
 return nil, errors.New("no Backend found")
 }
-// GetResourceBlocks breaks down a file into resources
+// GetResourceBlocks breaks down a file into resources.
 func GetResourceBlocks(file string) (*hclsyntax.Body, error) {
 temp, _ := filepath.Abs(file)
 src, err := os.ReadFile(temp)
@@ -114,7 +114,7 @@ func GetResourceBlocks(file string) (*hclsyntax.Body, error) {
 return parsedFile.Body.(*hclsyntax.Body), err
 }
-// GetLocalModules return resource from path
+// GetLocalModules return resource from a path.
 func GetLocalModules(block *hclsyntax.Block, dirName string) ([]ResourceV2, error) {
 var Resources []ResourceV2
@@ -162,7 +162,7 @@ func GetModulePath(block *hclsyntax.Block) string {
 return modulePath
 }
-// GetBlockAttributes walks through a blocks getting all blocks and attributes
+// GetBlockAttributes walks through a blocks getting all blocks and attributes.
 func GetBlockAttributes(attributes []string, block *hclsyntax.Block) []string {
 for _, attribute := range block.Body.Attributes {
 attributes = append(attributes, attribute.Name)
diff --git a/src/files.go b/src/files.go
index 4a9208a1..61efdaee 100644
--- a/src/files.go
+++ b/src/files.go
@@ -1251,3 +1251,21 @@ var awsSecretsmanagerSecretRotation []byte
 //go:embed mapping/aws/resource/states/aws_sfn_alias.json
 var awsSfnAlias []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_access_policy.json
+var awsOpenseachserverlessAccessPolicy []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_collection.json
+var awsOpenseachserverlessCollection []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_lifecycle_policy.json
+var awsOpenseachserverlessLifecyclePolicy []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_security_config.json
+var awsOpenseachserverlessSecurityConfig []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_security_policy.json
+var awsOpenseachserverlessSecurityPolicy []byte
+
+//go:embed mapping/aws/resource/aoss/aws_opensearchserverless_vpc_endpoint.json
+var awsOpenseachserverlessVpcEndpoint []byte
diff --git a/src/files_azure_datasource.go b/src/files_azure_datasource.go
index 3932e78b..5cce7c9d 100644
--- a/src/files_azure_datasource.go
+++ b/src/files_azure_datasource.go
@@ -68,10 +68,10 @@ var dataAzurermAppServiceEnvironmentV3 []byte
 var dataAzurermAppServicePlan []byte
 //go:embed mapping/azurerm/data/network/azurerm_public_ip.json
-var dataAzurermPublicIp []byte
+var dataAzurermPublicIP []byte
 //go:embed mapping/azurerm/data/network/azurerm_public_ip_prefix.json
-var dataAzurermPublicIpPrefix []byte
+var dataAzurermPublicIPPrefix []byte
 //go:embed mapping/azurerm/data/network/azurerm_public_ips.json
 var dataAzurermPublicIps []byte
diff --git a/src/files_gcp.go b/src/files_gcp.go
index ed0b63df..2d9c8320 100644
--- a/src/files_gcp.go
+++ b/src/files_gcp.go
@@ -203,7 +203,7 @@ var googleStorageBucketIamPolicy []byte
 var googleStorageDefaultObjectAccessControl []byte
 //go:embed mapping/google/resource/storage/google_storage_default_object_acl.json
-var googleStorageDefaultObjectAcl []byte
+var googleStorageDefaultObjectACL []byte
 //go:embed mapping/google/resource/storage/google_storage_hmac_key.json
 var googleStorageHmacKey []byte
diff --git a/src/files_gcp_datasource.go b/src/files_gcp_datasource.go
index 0a65a980..9e6230d0 100644
--- a/src/files_gcp_datasource.go
+++ b/src/files_gcp_datasource.go
@@ -341,13 +341,13 @@ var dataGoogleSourcerepoRepository []byte
 var dataGoogleSourcerepoRepositoryIamPolicy []byte
 //go:embed mapping/google/data/cloudsql/google_sql_database.json
-var dataGoogleSqlDatabase []byte
+var dataGoogleSQLDatabase []byte
 //go:embed mapping/google/data/cloudsql/google_sql_database_instance.json
-var dataGoogleSqlDatabaseInstance []byte
+var dataGoogleSQLDatabaseInstance []byte
 //go:embed mapping/google/data/cloudsql/google_sql_database_instances.json
-var dataGoogleSqlDatabaseInstances []byte
+var dataGoogleSQLDatabaseInstances []byte
 //go:embed mapping/google/data/cloudsql/google_sql_databases.json
-var dataGoogleSqlDatabases []byte
+var dataGoogleSQLDatabases []byte
diff --git a/src/gcp.go b/src/gcp.go
index 39769a86..52d21a9b 100644
--- a/src/gcp.go
+++ b/src/gcp.go
@@ -1,10 +1,6 @@
 package pike
-import (
- "github.com/rs/zerolog/log"
-)
-// GetGCPPermissions for GCP resources
+// GetGCPPermissions for GCP resources.
 func GetGCPPermissions(result ResourceV2) ([]string, error) {
 var (
 err error
@@ -26,19 +22,15 @@ func GetGCPPermissions(result ResourceV2) ([]string, error) {
 return Permissions, err
 }
-// GetGCPResourcePermissions looks up permissions required for resources
+// GetGCPResourcePermissions looks up permissions required for resources.
 func GetGCPResourcePermissions(result ResourceV2) ([]string, error) {
- temp := GCPLookup(result.Name)
- var (
+ var (
 Permissions []string
 err error
 )
- if temp != nil {
+ if temp := GCPLookup(result.Name); temp != nil {
 Permissions, err = GetPermissionMap(temp.([]byte), result.Attributes)
- } else {
- log.Printf("%s not implemented", result.Name)
 }
 return Permissions, err
@@ -125,7 +117,7 @@ func GCPLookup(result string) interface{} {
 "google_storage_bucket_iam_member": googleStorageBucketIamMember,
 "google_storage_bucket_iam_policy": googleStorageBucketIamPolicy,
 "google_storage_default_object_access_control": googleStorageDefaultObjectAccessControl,
- "google_storage_default_object_acl": googleStorageDefaultObjectAcl,
+ "google_storage_default_object_acl": googleStorageDefaultObjectACL,
 "google_storage_hmac_key": googleStorageHmacKey,
 "google_storage_insights_report_config": googleStorageInsightsReportConfig,
 "google_storage_object_access_control": googleStorageObjectAccessControl,
diff --git a/src/gcp_datasource.go b/src/gcp_datasource.go
index 7b02f1f8..ea5e6dd4 100644
--- a/src/gcp_datasource.go
+++ b/src/gcp_datasource.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 )
-// GetGCPDataPermissions gets permissions required for datasources
+// GetGCPDataPermissions gets permissions required for datasources.
 func GetGCPDataPermissions(result ResourceV2) ([]string, error) {
 temp := GCPDataLookup(result.Name)
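Review bot: Dropping the `else` branch in GetGCPResourcePermissions removes the only signal that a resource type has no mapping: an unmapped `result.Name` now yields an empty permission list and a nil error, so the generated policy silently lacks that resource's permissions and the user gets no hint that coverage was incomplete. It looks like the line went because it was the last user of the zerolog import removed in the first hunk; a `fmt.Printf("%s not implemented\n", result.Name)` in an `else`, or a returned sentinel error the caller can aggregate, keeps the signal without the dependency. The unchecked `temp.([]byte)` assertion on the following line predates the commit. The closing brace of GetGCPResourcePermissions is outside the hunk.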
@@ -153,10 +153,10 @@ func GCPDataLookup(result string) interface{} {
 "google_spanner_database_iam_policy": dataGoogleSpannerDatabaseIamPolicy,
 "google_spanner_instance": dataGoogleSpannerInstance,
 "google_spanner_instance_iam_policy": dataGoogleSpannerInstanceIamPolicy,
- "google_sql_database": dataGoogleSqlDatabase,
- "google_sql_database_instance": dataGoogleSqlDatabaseInstance,
- "google_sql_database_instances": dataGoogleSqlDatabaseInstances,
- "google_sql_databases": dataGoogleSqlDatabases,
+ "google_sql_database": dataGoogleSQLDatabase,
+ "google_sql_database_instance": dataGoogleSQLDatabaseInstance,
+ "google_sql_database_instances": dataGoogleSQLDatabaseInstances,
+ "google_sql_databases": dataGoogleSQLDatabases,
 "google_sql_tiers": placeholder,
 "google_storage_bucket": dataGoogleStorageBucket,
 "google_storage_bucket_iam_policy": dataGoogleStorageBucketIamPolicy,
diff --git a/src/gcp_policy.go b/src/gcp_policy.go
index 814db3f4..0d37cd68 100644
--- a/src/gcp_policy.go
+++ b/src/gcp_policy.go
@@ -11,7 +11,7 @@ import (
 //go:embed terraform.gcppolicy.template
 var policyGCPTemplate []byte
-// GCPPolicy create an IAM policy
+// GCPPolicy create an IAM policy.
 func GCPPolicy(permissions []string) (string, error) {
 test := strings.Join(permissions, "\",\n \"")
@@ -26,6 +26,7 @@ func GCPPolicy(permissions []string) (string, error) {
 theDetails := GCPPolicyDetails{PolicyName, "pike", "terraform_pike", test}
 var output bytes.Buffer
+
 tmpl, err := template.New("test").Parse(string(policyGCPTemplate))
 if err != nil {
diff --git a/src/gitHub.go b/src/gitHub.go
index 538221be..7c43ac5d 100644
--- a/src/gitHub.go
+++ b/src/gitHub.go
@@ -11,7 +11,7 @@ import (
 "github.com/rs/zerolog/log"
 )
-// InvokeGithubDispatchEvent uses your gitHub api key (if sufficiently enabled) to invoke a gitHub action workflow
+// InvokeGithubDispatchEvent uses your gitHub api key (if sufficiently enabled) to invoke a gitHub action workflow.
 func InvokeGithubDispatchEvent(repository string, workflowFileName string, branch string) error {
 owner, repo, err := SplitHub(repository)
 if err != nil {
@@ -68,7 +68,7 @@ func InvokeGithubDispatchEvent(repository string, workflowFileName string, branc
 return nil
 }
-// VerifyBranch checks that a branch exists in a repo
+// VerifyBranch checks that a branch exists in a repo.
 func VerifyBranch(client *github.Client, owner string, repo string, branch string) error {
 ctx := context.Background()
 branches, _, err := client.Repositories.ListBranches(ctx, owner, repo, nil)
@@ -91,7 +91,7 @@ func VerifyBranch(client *github.Client, owner string, repo string, branch strin
 return errors.New("branch " + branch + " not found for " + repo)
 }
-// VerifyURL tests a url
+// VerifyURL tests a url.
 func VerifyURL(url string) error {
 resp, err := http.Get(url)
 if err != nil {
diff --git a/src/make.go b/src/make.go
index fb1dce91..eb6030eb 100644
--- a/src/make.go
+++ b/src/make.go
@@ -13,7 +13,7 @@ import (
 "github.com/rs/zerolog/log"
 )
-// Make creates the required role
+// Make creates the required role.
 func Make(directory string) (*string, error) {
 err := Scan(directory, "terraform", nil, true, true, false)
 if err != nil {
@@ -75,7 +75,7 @@ func tfApply(policyPath string) (*tfexec.Terraform, error) {
 return terraform, nil
 }
-// Apply executes tf using prepared role
+// Apply executes tf using a prepared role.
 func Apply(target string, region string) error {
 iamRole, err := Make(target)
 time.Sleep(5 * time.Second)
@@ -129,6 +129,7 @@ func tfPlan(policyPath string) error {
 if err != nil {
 fmt.Println(err.Error())
+ return err
 }
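Review bot: `http.Get(url)` in VerifyURL goes through the default client, which has no timeout, so a caller-supplied URL that points at a slow or unresponsive host blocks the caller indefinitely; a bounded client such as `client := &http.Client{Timeout: 10 * time.Second}` followed by `resp, err := client.Get(url)` fixes that in two lines. Whether `resp.Body` is closed after the error check cannot be seen in the three lines shown. VerifyBranch above it builds its request on `context.Background()`, which has the same unbounded-wait property for the GitHub call. Both functions continue outside their hunks.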
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_access_policy.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_access_policy.json
new file mode 100644
index 00000000..f2ab85f3
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_access_policy.json
@@ -0,0 +1,19 @@
+[
+ {
+ "apply": [
+ "aoss:CreateAccessPolicy",
+ "aoss:UpdateAccessPolicy",
+ "aoss:DeleteAccessPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteAccessPolicy"
+ ],
+ "modify": [
+ "aoss:UpdateAccessPolicy"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_collection.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_collection.json
new file mode 100644
index 00000000..a40c7c74
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_collection.json
@@ -0,0 +1,22 @@
+[
+ {
+ "apply": [
+ "aoss:CreateCollection",
+ "aoss:UpdateCollection",
+ "aoss:DeleteCollection",
+ "aoss:BatchGetCollection",
+ "iam:CreateServiceLinkedRole",
+ "aoss:ListTagsForResource"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteCollection"
+ ],
+ "modify": [
+ "aoss:UpdateCollection"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_lifecycle_policy.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_lifecycle_policy.json
new file mode 100644
index 00000000..4e6ed803
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_lifecycle_policy.json
@@ -0,0 +1,20 @@
+[
+ {
+ "apply": [
+ "aoss:CreateLifecyclePolicy",
+ "aoss:BatchGetLifecyclePolicy",
+ "aoss:DeleteLifecyclePolicy",
+ "aoss:UpdateLifecyclePolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteLifecyclePolicy"
+ ],
+ "modify": [
+ "aoss:UpdateLifecyclePolicy"
+ ],
+ "plan": []
+ }
+]
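Review bot: The access_policy mapping's apply list carries only Create/Update/Delete, whereas the collection and lifecycle_policy mappings beside it also grant the read call the provider uses to refresh state (`aoss:BatchGetCollection`, `aoss:BatchGetLifecyclePolicy`); if the provider reads an access policy back after creating it, a role built from this mapping fails at that step, so `"aoss:GetAccessPolicy"` likely belongs in apply. In the collection mapping, `iam:CreateServiceLinkedRole` is granted with no condition, and the apply/destroy/modify/plan lists shown here have no place to attach an `iam:AWSServiceName` condition, so the generated policy will be broader than the provider strictly needs; that is worth a sentence in the coverage notes, since these files have no comment syntax to carry it.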
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_config.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_config.json
new file mode 100644
index 00000000..c9b4f1bc
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_config.json
@@ -0,0 +1,21 @@
+[
+ {
+ "apply": [
+ "aoss:CreateSecurityConfig",
+ "aoss:DeleteSecurityConfig",
+ "aoss:GetSecurityConfig",
+ "aoss:UpdateSecurityConfig",
+ "aoss:DeleteSecurityConfig"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteSecurityConfig"
+ ],
+ "modify": [
+ "aoss:UpdateSecurityConfig"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_policy.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_policy.json
new file mode 100644
index 00000000..0e61a4fe
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_security_policy.json
@@ -0,0 +1,19 @@
+[
+ {
+ "apply": [
+ "aoss:CreateSecurityPolicy",
+ "aoss:DeleteSecurityPolicy",
+ "aoss:UpdateSecurityPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteSecurityPolicy"
+ ],
+ "modify": [
+ "aoss:UpdateSecurityPolicy"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/aoss/aws_opensearchserverless_vpc_endpoint.json b/src/mapping/aws/resource/aoss/aws_opensearchserverless_vpc_endpoint.json
new file mode 100644
index 00000000..1fbba40a
--- /dev/null
+++ b/src/mapping/aws/resource/aoss/aws_opensearchserverless_vpc_endpoint.json
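Review bot: `"aoss:DeleteSecurityConfig"` appears twice in the security_config apply array, as the second and the fifth entry, so the generated policy repeats the action; drop the second copy. The security_policy mapping that follows has, like access_policy, no read action in apply, so if the provider refreshes the resource after create, `"aoss:GetSecurityPolicy"` is needed there as well; the security_config mapping already lists its `aoss:GetSecurityConfig` counterpart, which is the pattern to follow.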
@@ -0,0 +1,32 @@
+[
+ {
+ "apply": [
+ "aoss:BatchGetVpcEndpoint",
+ "aoss:CreateVpcEndpoint",
+ "aoss:DeleteVpcEndpoint",
+ "aoss:UpdateVpcEndpoint",
+ "ec2:CreateTags",
+ "ec2:CreateVpcEndpoint",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteVpcEndpoints",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:ModifyVpcEndpoints",
+ "route53:AssociateVPCWithHostedZone",
+ "ec2:DetachNetworkInterface"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "aoss:DeleteVpcEndpoint",
+ "ec2:DeleteVpcEndpoints",
+ "ec2:DeleteNetworkInterface"
+ ],
+ "modify": [
+ "ec2:ModifyVpcEndpoints",
+ "aoss:UpdateVpcEndpoint"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/policy.go b/src/policy.go
index 21a9c049..c7b21c27 100644
--- a/src/policy.go
+++ b/src/policy.go
@@ -80,7 +80,7 @@ func NewAWSPolicy(actions []string, resources bool) (Policy, error) {
 return something, nil
 }
-// GetPolicy creates new iam polices from a list of Permissions
+// GetPolicy creates new iam polices from a list of Permissions.
 func GetPolicy(actions Sorted, resources bool) (OutputPolicy, error) {
 var (
 OutPolicy OutputPolicy
@@ -111,6 +111,7 @@ func GetPolicy(actions Sorted, resources bool) (OutputPolicy, error) {
 if err != nil {
 log.Print(err)
+ continue
 }
@@ -154,11 +155,11 @@ func GetPolicy(actions Sorted, resources bool) (OutputPolicy, error) {
 return OutPolicy, nil
 }
-// AWSPolicy create an IAM policy
-func AWSPolicy(Permissions []string, Resources bool) (AwsOutput, error) {
+// AWSPolicy create an IAM policy.
+func AWSPolicy(permissions []string, Resources bool) (AwsOutput, error) {
 var OutPolicy AwsOutput
- Policy, err := NewAWSPolicy(Permissions, Resources)
+ Policy, err := NewAWSPolicy(permissions, Resources)
 if err != nil {
 return OutPolicy, err
 }
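Review bot: The rename in AWSPolicy stops halfway: `permissions` loses its capital while the parameter next to it keeps one, `func AWSPolicy(permissions []string, Resources bool) (AwsOutput, error)`; finishing it as `func AWSPolicy(permissions []string, resources bool) (AwsOutput, error)` with `Policy, err := NewAWSPolicy(permissions, resources)` matches NewAWSPolicy's own signature in the first hunk. In the middle hunk, the new `continue` after `log.Print(err)` means an iteration of GetPolicy's loop that fails is logged and skipped while the function can still return a nil error, so a policy missing a block may be written as though it were complete; if that is not intended, collecting the errors with `errors.Join` and returning them at the end is the safer shape. The loop the `continue` belongs to starts outside the hunk.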
@@ -203,6 +204,7 @@ func AWSPolicy(Permissions []string, Resources bool) (AwsOutput, error) {
 // Unique make slice unique
 func Unique(s []string) []string {
 inResult := make(map[string]bool)
+
 var result []string
 for _, str := range s {
diff --git a/src/readme.go b/src/readme.go
index 1138dc2a..f338f316 100644
--- a/src/readme.go
+++ b/src/readme.go
@@ -8,7 +8,7 @@ import (
 "github.com/rs/zerolog/log"
 )
-// Readme Updates a README.md file
+// Readme Updates a README.md file.
 func Readme(dirName string, output string, init bool, autoAppend bool) error {
 file := dirName + "/README.md"
diff --git a/src/scan.go b/src/scan.go
index 3d256261..db33c64f 100644
--- a/src/scan.go
+++ b/src/scan.go
@@ -18,7 +18,7 @@ import (
 const tfVersion = "1.5.4"
-// Scan looks for resources in a given directory
+// Scan looks for resources in a given directory.
 func Scan(dirName string, output string, file *string, init bool, write bool, enableResources bool) error {
 OutPolicy, err := MakePolicy(dirName, file, init, enableResources)
 if err != nil {
@@ -37,7 +37,7 @@ func Scan(dirName string, output string, file *string, init bool, write bool, en
 return err
 }
-// WriteOutput writes out the policy as json or terraform
+// WriteOutput writes out the policy as json or terraform.
 func WriteOutput(outPolicy OutputPolicy, output, location string) error {
 newPath, _ := filepath.Abs(location + "/.pike")
 err := os.MkdirAll(newPath, os.ModePerm)
@@ -51,7 +51,6 @@ func WriteOutput(outPolicy OutputPolicy, output, location string) error {
 d1 := []byte(outPolicy.AsString(output))
 switch strings.ToLower(output) {
-
 case terraform:
 outFile = newPath + "/pike.generated_policy.tf"
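Review bot: `os.MkdirAll(newPath, os.ModePerm)` in WriteOutput creates the `.pike` output directory with mode 0777 before umask; the policy files written there describe IAM grants and have no reason to be world-writable, so `err := os.MkdirAll(newPath, 0o750)` is the appropriate literal. On the line above it, the error from `filepath.Abs` is discarded with `_`; it only fails when the working directory cannot be determined, but returning it costs one line and avoids writing into a half-built path. Both lines are context in the WriteOutput hunk, which continues outside it.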
@@ -77,7 +76,7 @@ func WriteOutput(outPolicy OutputPolicy, output, location string) error {
 return nil
 }
-// Init can download and install terraform if required and then terraform init your specified directory
+// Init can download and install terraform if required and then terraform init your specified directory.
 func Init(dirName string) (*string, []string, error) {
 tfPath, err := LocateTerraform()
 if err != nil {
@@ -120,7 +119,7 @@ func Init(dirName string) (*string, []string, error) {
 func LocateTerraform() (string, error) {
 tfPath, err := exec.LookPath(terraform)
- // if you don't have tf installed we have to install it
+ // if you don't have tf installed, we have to install it
 if err != nil || tfPath == "" {
 log.Printf("installing Terraform %s\n", tfVersion)
 installer := &releases.ExactVersion{
@@ -139,7 +138,7 @@ func LocateTerraform() (string, error) {
 return tfPath, nil
 }
-// MakePolicy does the guts of determining a policy from code
+// MakePolicy does the guts of determining a policy from code.
 func MakePolicy(dirName string, file *string, init bool, EnableResources bool) (OutputPolicy, error) {
 var (
 files []string
@@ -174,7 +173,7 @@ func MakePolicy(dirName string, file *string, init bool, EnableResources bool) (
 return Output, err
 }
- // is this a tfFile
+ // is this a tfFile?
 if !(FileExists(myFile)) {
 return Output, os.ErrNotExist
 }
diff --git a/src/secrets.go b/src/secrets.go
index e947ce21..86c96c29 100644
--- a/src/secrets.go
+++ b/src/secrets.go
@@ -94,7 +94,7 @@ func SetRepoSecret(repository string, keyText string, keyName string) (*github.R
 return response, nil
 }
-// SplitHub return details from url
+// SplitHub return details from url.
 func SplitHub(repository string) (string, string, error) {
 Splitter := strings.Split(repository, "/")
diff --git a/src/utils.go b/src/utils.go
index 2635ecce..2df3855c 100644
--- a/src/utils.go
+++ b/src/utils.go
@@ -14,7 +14,7 @@ import (
 var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ") //nolint:gochecknoglobals
-// RandSeq generate a randown sequence
+// RandSeq generate a randown sequence.
 func RandSeq(n int) string {
 sequence := make([]rune, n)
 for i := range sequence {
@@ -83,7 +83,7 @@ func ReplaceSection(source string, middle string, autoadd bool) error {
 return err
 }
-// FileExists looks for a file
+// FileExists looks for a file.
 func FileExists(filename string) bool {
 info, err := os.Stat(filename)
 if os.IsNotExist(err) {
diff --git a/src/watch.go b/src/watch.go
index 32614a03..e0a91f7e 100644
--- a/src/watch.go
+++ b/src/watch.go
@@ -65,7 +65,7 @@ func WaitForPolicyChange(client *iam.Client, arn string, version string, wait in
 return wait, errors.New("wait expired with no change")
 }
-// GetVersion gets the version of the IAM policy
+// GetVersion gets the version of the IAM policy.
 func GetVersion(client *iam.Client, policyArn string) (*string, error) {
 output, err := client.GetPolicy(context.TODO(), &iam.GetPolicyInput{PolicyArn: aws.String(policyArn)})
 if err != nil {
diff --git a/terraform/aws/backup/aws_opensearchserverless_access_policy.tf b/terraform/aws/backup/aws_opensearchserverless_access_policy.tf
new file mode 100644
index 00000000..70cae1be
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_access_policy.tf
@@ -0,0 +1,35 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_opensearchserverless_access_policy" "example" {
+ provider = aws.central
+ name = "pike"
+ type = "data"
+ description = "read and write permissions update"
+ policy = jsonencode([
+ {
+ Rules = [
+ {
+ ResourceType = "index",
+ Resource = [
+ "index/example-collection/*"
+ ],
+ Permission = [
+ "aoss:*"
+ ]
+ },
+ {
+ ResourceType = "collection",
+ Resource = [
+ "collection/example-collection"
+ ],
+ Permission = [
+ "aoss:*"
+ ]
+ }
+ ],
+ Principal = [
+ data.aws_caller_identity.current.arn
+ ]
+ }
+ ])
+}
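Review bot: The rewritten comment on RandSeq keeps the typo and the verb disagreement, so the doc line still reads "generate a randown sequence."; `// RandSeq generates a random sequence of n letters.` says what the signature shows. The body is outside the hunk, so I cannot see which source of randomness it draws from; if the output is ever used where unpredictability matters rather than just uniqueness, it should come from crypto/rand rather than math/rand, and a clause in the comment stating which one it is would let callers decide.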
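Review bot: The data access policy in this new file targets `index/example-collection/*` and `collection/example-collection`, but the collection this commit creates (aws_opensearchserverless_collection.tf) is named `pike` and the encryption policy is scoped to `collection/pike`, so as written the access policy grants `aoss:*` on a collection that does not exist here and nothing on the one that does; the lifecycle policy hunk has the same mismatch (`index/autoparts-inventory/*`, `index/sales/orders*`). If these are only fixtures for permission scanning that may be intended, but a comment saying so would stop someone applying them and expecting a working collection. `data "aws_caller_identity" "current"` is declared without `provider = aws.central` while every resource uses that alias, so the `Principal` ARN resolves through the default provider's credentials, which may not be the identity that will actually reach the collection — presumably the same account, but worth confirming. `aoss:*` as the Permission set is also broader than the description "read and write permissions" suggests.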
diff --git a/terraform/aws/backup/aws_opensearchserverless_collection.tf b/terraform/aws/backup/aws_opensearchserverless_collection.tf
new file mode 100644
index 00000000..d73fd108
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_collection.tf
@@ -0,0 +1,11 @@
+resource "aws_opensearchserverless_collection" "pike" {
+ provider = aws.central
+ name = "pike"
+ tags = {
+ pike = "permissions"
+ another = "tag"
+ }
+
+ depends_on = [
+ aws_opensearchserverless_security_policy.pike]
+}
diff --git a/terraform/aws/backup/aws_opensearchserverless_lifecycle_policy.tf b/terraform/aws/backup/aws_opensearchserverless_lifecycle_policy.tf
new file mode 100644
index 00000000..cdc0731f
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_lifecycle_policy.tf
@@ -0,0 +1,20 @@
+resource "aws_opensearchserverless_lifecycle_policy" "pike" {
+ provider = aws.central
+ name = "pike"
+ type = "retention"
+ policy = jsonencode({
+ "Rules" : [
+ {
+ "ResourceType" : "index",
+ "Resource" : ["index/autoparts-inventory/*"],
+ "MinIndexRetention" : "81d"
+ },
+ {
+ "ResourceType" : "index",
+ "Resource" : ["index/sales/orders*"],
+ "NoMinIndexRetention" : true
+ }
+ ]
+ })
+
+}
diff --git a/terraform/aws/backup/aws_opensearchserverless_security_config.tf b/terraform/aws/backup/aws_opensearchserverless_security_config.tf
new file mode 100644
index 00000000..3b9437fd
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_security_config.tf
@@ -0,0 +1,9 @@
+resource "aws_opensearchserverless_security_config" "pike" {
+ provider = aws.central
+ name = "pike"
+ type = "saml"
+ saml_options {
+ metadata = file("${path.module}/idp-metadata.xml")
+ }
+
+}
diff --git a/terraform/aws/backup/aws_opensearchserverless_security_policy.tf b/terraform/aws/backup/aws_opensearchserverless_security_policy.tf
new file mode 100644
index 00000000..f071bab0
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_security_policy.tf
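Review bot: `saml_options { metadata = file("${path.module}/idp-metadata.xml") }` ties this security config to the committed idp-metadata.xml, whose embedded certificate looks like a sample developer-tenant descriptor rather than a real identity provider; anyone applying this gets a SAML config that trusts that sample signing certificate, so a comment on the resource marking it fixture-only (or saying where real metadata must come from) would help. The same XML is added at two paths in this commit (terraform/aws/backup/ and terraform/aws/), which is a maintenance hazard if one copy is later rotated without the other. `name = "pike"` is shared with the collection, access policy, lifecycle policy and security policy in this commit; that is legal across resource types but makes console and log output harder to read.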
@@ -0,0 +1,18 @@
+resource "aws_opensearchserverless_security_policy" "pike" {
+ provider = aws.central
+ name = "pike"
+ type = "encryption"
+ description = "encryption security policy for example-collection update"
+ policy = jsonencode({
+ Rules = [
+ {
+ Resource = [
+ "collection/pike"
+ ],
+ ResourceType = "collection"
+ }
+ ],
+ AWSOwnedKey = true
+ })
+
+}
diff --git a/terraform/aws/backup/aws_opensearchserverless_vpc_endpoint.tf b/terraform/aws/backup/aws_opensearchserverless_vpc_endpoint.tf
new file mode 100644
index 00000000..7b6ca513
--- /dev/null
+++ b/terraform/aws/backup/aws_opensearchserverless_vpc_endpoint.tf
@@ -0,0 +1,19 @@
+resource "aws_opensearchserverless_vpc_endpoint" "pike" {
+ provider = aws.central
+ name = "myendpoint"
+ subnet_ids = [aws_subnet.example.id]
+ vpc_id = aws_vpc.example.id
+}
+
+resource "aws_subnet" "example" {
+ provider = aws.central
+ vpc_id = aws_vpc.example.id
+ cidr_block = "10.0.0.0/24"
+}
+
+resource "aws_vpc" "example" {
+ provider = aws.central
+ cidr_block = "10.0.0.0/16"
+ enable_dns_support = true
+ enable_dns_hostnames = true
+}
diff --git a/terraform/aws/backup/data.aws_emr_supported_instance_types.tf b/terraform/aws/backup/data.aws_emr_supported_instance_types.tf
new file mode 100644
index 00000000..aa901b90
--- /dev/null
+++ b/terraform/aws/backup/data.aws_emr_supported_instance_types.tf
@@ -0,0 +1 @@
+#data "aws_emr_supported_instance_types" "pike" {}
diff --git a/terraform/aws/backup/idp-metadata.xml b/terraform/aws/backup/idp-metadata.xml
new file mode 100644
index 00000000..5de177fe
--- /dev/null
+++ b/terraform/aws/backup/idp-metadata.xml
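Review bot: The `description` on the encryption policy still says "for example-collection" while the rule is scoped to `collection/pike`, so the text is stale relative to the resource; `description = "encryption security policy for the pike collection"` matches the rule. `AWSOwnedKey = true` selects an AWS-owned key rather than a customer-managed KMS key, which is fine for a fixture but deserves a one-line comment, since it is the setting that decides who controls key rotation and access logging for the collection's data. The collection's `depends_on` on this policy looks right, as the encryption policy has to exist before the collection is created.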
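Review bot: `aws_opensearchserverless_vpc_endpoint.pike` sets `subnet_ids` and `vpc_id` but no security group, so the endpoint falls back to the VPC's default security group; `aws_vpc.example` is created in this file with no rules managed here, so that is whatever AWS seeds the default group with, and an explicit `security_group_ids = [...]` pointing at a group carrying only the intended ingress would make the exposure deliberate. The subnet has no `availability_zone`, so placement is left to AWS, which is fine for a fixture but means two applies can differ. The VPC and subnet are named `example` while the endpoint is `pike`; minor, but the other fixtures in this commit use `pike` consistently.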
@@ -0,0 +1,38 @@ + + + + + + + + MIIDpDCCAoygAwIBAgIGAWMnhv7cMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi03NzEyMDIxHDAaBgkqhkiG9w0BCQEW + DWluZm9Ab2t0YS5jb20wHhcNMTgwNTAzMTk0MTI4WhcNMjgwNTAzMTk0MjI4WjCBkjELMAkGA1UE + BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV + BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNzcxMjAyMRwwGgYJ + KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA + ugxQGqHAXpjVQZwsO9n8l8bFCoEevH3AZbz7568XuQm6MK6h7/O9wB4C5oUYddemt5t2Kc8GRhf3 + BDXX5MVZ8G9AUpG1MSqe1CLV2J96rMnwMIJsKeRXr01LYxv/J4kjnktpOC389wmcy2fE4RbPoJne + P4u2b32c2/V7xsJ7UEjPPSD4i8l2QG6qsUkkx3AyNsjo89PekMfm+Iu/dFKXkdjwXZXPxaL0HrNW + PTpzek8NS5M5rvF8yaD+eE1zS0I/HicHbPOVvLal0JZyN/f4bp0XJkxZJz6jF5DvBkwIs8/Lz5GK + nn4XW9Cqjk3equSCJPo5o1Msj8vlLrJYVarqhwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC26kYe + LgqjIkF5rvxB2QzTgcd0LVzXOuiVVTZr8Sh57l4jJqbDoIgvaQQrxRSQzD/X+hcmhuwdp9s8zPHS + JagtUJXiypwNtrzbf6M7ltrWB9sdNrqc99d1gOVRr0Kt5pLTaLe5kkq7dRaQoOIVIJhX9wgynaAK + HF/SL3mHUytjXggs88AAQa8JH9hEpwG2srN8EsizX6xwQ/p92hM2oLvK5CSMwTx4VBuGod70EOwp + 6Ta1uRLQh6jCCOCWRuZbbz2T3/sOX+sibC4rLIlwfyTkcUopF/bTSdWwknoRskK4dBekFcvN9N+C + p/qaHYcQd6i2vyor888DLHDPXhSKWhpG + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + diff --git a/terraform/aws/idp-metadata.xml b/terraform/aws/idp-metadata.xml new file mode 100644 index 00000000..5de177fe --- /dev/null +++ b/terraform/aws/idp-metadata.xml 
@@ -0,0 +1,38 @@ + + + + + + + + MIIDpDCCAoygAwIBAgIGAWMnhv7cMA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG + A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU + MBIGA1UECwwLU1NPUHJvdmlkZXIxEzARBgNVBAMMCmRldi03NzEyMDIxHDAaBgkqhkiG9w0BCQEW + DWluZm9Ab2t0YS5jb20wHhcNMTgwNTAzMTk0MTI4WhcNMjgwNTAzMTk0MjI4WjCBkjELMAkGA1UE + BhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDTALBgNV + BAoMBE9rdGExFDASBgNVBAsMC1NTT1Byb3ZpZGVyMRMwEQYDVQQDDApkZXYtNzcxMjAyMRwwGgYJ + KoZIhvcNAQkBFg1pbmZvQG9rdGEuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA + ugxQGqHAXpjVQZwsO9n8l8bFCoEevH3AZbz7568XuQm6MK6h7/O9wB4C5oUYddemt5t2Kc8GRhf3 + BDXX5MVZ8G9AUpG1MSqe1CLV2J96rMnwMIJsKeRXr01LYxv/J4kjnktpOC389wmcy2fE4RbPoJne + P4u2b32c2/V7xsJ7UEjPPSD4i8l2QG6qsUkkx3AyNsjo89PekMfm+Iu/dFKXkdjwXZXPxaL0HrNW + PTpzek8NS5M5rvF8yaD+eE1zS0I/HicHbPOVvLal0JZyN/f4bp0XJkxZJz6jF5DvBkwIs8/Lz5GK + nn4XW9Cqjk3equSCJPo5o1Msj8vlLrJYVarqhwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQC26kYe + LgqjIkF5rvxB2QzTgcd0LVzXOuiVVTZr8Sh57l4jJqbDoIgvaQQrxRSQzD/X+hcmhuwdp9s8zPHS + JagtUJXiypwNtrzbf6M7ltrWB9sdNrqc99d1gOVRr0Kt5pLTaLe5kkq7dRaQoOIVIJhX9wgynaAK + HF/SL3mHUytjXggs88AAQa8JH9hEpwG2srN8EsizX6xwQ/p92hM2oLvK5CSMwTx4VBuGod70EOwp + 6Ta1uRLQh6jCCOCWRuZbbz2T3/sOX+sibC4rLIlwfyTkcUopF/bTSdWwknoRskK4dBekFcvN9N+C + p/qaHYcQd6i2vyor888DLHDPXhSKWhpG + + + + + urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified + urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress + + + + diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf index cb4f8af9..bbaf2553 100644 --- a/terraform/aws/role/aws_iam_policy.basic.tf +++ b/terraform/aws/role/aws_iam_policy.basic.tf 
@@ -7,17 +7,62 @@ resource "aws_iam_policy" "basic" {
 "Sid" : "0",
 "Effect" : "Allow",
 "Action" : [
+ "ec2:CreateVpc",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DeleteVpc",
+ "ec2:CreateSubnet",
+ "ec2:DeleteSubnet",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:ModifyVpcAttribute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteNetworkInterface",
+ //aws_opensearchserverless_vpc_endpoint
+ "aoss:BatchGetVpcEndpoint",
+ "aoss:CreateVpcEndpoint",
+ "aoss:DeleteVpcEndpoint",
+ "aoss:UpdateVpcEndpoint",
+ "ec2:CreateTags",
+ "ec2:CreateVpcEndpoint",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteVpcEndpoints",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeVpcEndpoints",
+ "ec2:ModifyVpcEndpoints",
+ "route53:AssociateVPCWithHostedZone",
+ "ec2:DetachNetworkInterface",
+
+ //aws_opensearchserverless_security_config
+ "aoss:CreateSecurityConfig",
+ "aoss:DeleteSecurityConfig",
+ "aoss:GetSecurityConfig",
+ "aoss:UpdateSecurityConfig",
+ "aoss:DeleteSecurityConfig",
+ //aws_opensearchserverless_lifecycle_policy
+ "aoss:CreateLifecyclePolicy",
 "aoss:BatchGetLifecyclePolicy",
- //aws_apigatewayv2_vpc_link
- "apigateway:GET",
- //aws_athena_named_query
- "athena:ListNamedQueries",
- //aws_iot_registration_code
- "iot:GetRegistrationCode",
+ "aoss:DeleteLifecyclePolicy",
+ "aoss:UpdateLifecyclePolicy",
+
+ //aws_opensearchserverless_collection
+ "aoss:CreateCollection",
+ "aoss:UpdateCollection",
+ "aoss:DeleteCollection",
+ "aoss:BatchGetCollection",
+ "iam:CreateServiceLinkedRole",
+ "aoss:ListTagsForResource",
+
+ //aws_opensearchserverless_access_policy
+ "aoss:CreateAccessPolicy",
+ "aoss:UpdateAccessPolicy",
+ "aoss:DeleteAccessPolicy",
- "bedrock:ListFoundationModels",
- "bedrock:GetFoundationModel",
+ //aws_opensearchserverless_security_policy
+ "aoss:CreateSecurityPolicy",
+ "aoss:DeleteSecurityPolicy",
+ "aoss:UpdateSecurityPolicy",
 ],
 "Resource" : "*",
 }
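Review bot: The new action list carries duplicates — `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` each appear twice in the VPC block and `aoss:DeleteSecurityConfig` twice in the security-config block; IAM tolerates repeats, but they make the statement harder to audit, so drop the second copies. `iam:CreateServiceLinkedRole` is granted under `"Resource" : "*"` with no condition, which lets this role create any service-linked role; for a test-apply fixture that is tolerable, but if the role is used beyond that, a separate statement with a `StringEquals` condition on `iam:AWSServiceName` for the OpenSearch Serverless service principal keeps it to the one role the collection needs. The removal of the apigateway, athena, iot and bedrock actions is part of the commit; this hunk does not show whether fixtures for those resources still exist under terraform/aws, so it is worth confirming they were retired rather than displaced by the aoss additions.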