diff --git a/src/aws.go b/src/aws.go
index d3ae0895..2d697df4 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -1108,6 +1108,15 @@ func AwsLookup(name string) interface{} {
 "aws_m2_environment": awsM2Environment,
 "aws_memorydb_user": awsMemorydbUser,
 "aws_sagemaker_human_task_ui": awsSagemakerHumanTaskUi,
+ "aws_cloudfrontkeyvaluestore_key": awsCloudfrontkeyvaluestoreKey,
+ "aws_ecs_tag": awsEcsTag,
+ "aws_lb_trust_store": awsLbTrustStore,
+ "aws_lb_trust_store_revocation": awsLbTrustStoreRevocation,
+ "aws_quicksight_folder": awsQuicksightFolder,
+ "aws_quicksight_group": awsQuicksightGroup,
+ "aws_quicksight_group_membership": awsQuicksightGroupMembership,
+ "aws_quicksight_namespace": awsQuicksightNamespace,
+ "aws_quicksight_user": awsQuicksightUser,
 }
 return TFLookup[name]
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index 6026007b..a1519aa3 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
@@ -1,7 +1,7 @@
 # todo aws
-Resource percentage coverage 72.56
-Datasource percentage coverage 99.82
+Resource percentage coverage 73.18
+Datasource percentage coverage 100.00
 ./resource.ps1 aws_amplify_backend_environment
 ./resource.ps1 aws_amplify_webhook
@@ -41,7 +41,6 @@ Datasource percentage coverage 99.82
 ./resource.ps1 aws_cloud9_environment_membership
 ./resource.ps1 aws_cloudcontrolapi_resource
 ./resource.ps1 aws_cloudformation_stack_instances
-./resource.ps1 aws_cloudfrontkeyvaluestore_key
 ./resource.ps1 aws_cloudhsm_v2_cluster
 ./resource.ps1 aws_cloudhsm_v2_hsm
 ./resource.ps1 aws_cloudtrail_organization_delegated_admin_account
@@ -129,7 +128,6 @@ Datasource percentage coverage 99.82
 ./resource.ps1 aws_ec2_transit_gateway_vpc_attachment_accepter
 ./resource.ps1 aws_ecs_account_setting_default
 ./resource.ps1 aws_ecs_cluster_capacity_providers
-./resource.ps1 aws_ecs_tag
 ./resource.ps1 aws_eip_domain_name
 ./resource.ps1 aws_eks_access_policy_association
 ./resource.ps1 aws_elasticache_reserved_cache_node
@@ -195,8 +193,6 @@ Datasource percentage coverage 99.82
 ./resource.ps1 aws_lambda_runtime_management_config
 ./resource.ps1 aws_lb_listener_certificate
 ./resource.ps1 aws_lb_ssl_negotiation_policy
-./resource.ps1 aws_lb_trust_store
-./resource.ps1 aws_lb_trust_store_revocation
 ./resource.ps1 aws_lexv2models_bot
 ./resource.ps1 aws_lexv2models_bot_locale
 ./resource.ps1 aws_lexv2models_bot_version
@@ -283,15 +279,10 @@ Datasource percentage coverage 99.82
 ./resource.ps1 aws_prometheus_workspace
 ./resource.ps1 aws_qldb_ledger
 ./resource.ps1 aws_quicksight_account_subscription
-./resource.ps1 aws_quicksight_folder
 ./resource.ps1 aws_quicksight_folder_membership
-./resource.ps1 aws_quicksight_group
-./resource.ps1 aws_quicksight_group_membership
 ./resource.ps1 aws_quicksight_iam_policy_assignment
 ./resource.ps1 aws_quicksight_ingestion
-./resource.ps1 aws_quicksight_namespace
 ./resource.ps1 aws_quicksight_template_alias
-./resource.ps1 aws_quicksight_user
 ./resource.ps1 aws_quicksight_vpc_connection
 ./resource.ps1 aws_ram_resource_share_accepter
 ./resource.ps1 aws_ram_sharing_with_organization
@@ -396,4 +387,3 @@ Datasource percentage coverage 99.82
 ./resource.ps1 aws_wafregional_web_acl_association
 ./resource.ps1 aws_worklink_fleet
 ./resource.ps1 aws_worklink_website_certificate_authority_association
-./resource.ps1 aws_route53profiles_profiles -type data
diff --git a/src/files.go b/src/files.go
index 9f26a1a8..53005790 100644
--- a/src/files.go
+++ b/src/files.go
@@ -2967,3 +2967,30 @@ var awsMemorydbUser []byte
 //go:embed mapping/aws/resource/sagemaker/aws_sagemaker_human_task_ui.json
 var awsSagemakerHumanTaskUi []byte
+
+//go:embed mapping/aws/resource/cloudfront-keyvaluestore/aws_cloudfrontkeyvaluestore_key.json
+var awsCloudfrontkeyvaluestoreKey []byte
+
+//go:embed mapping/aws/resource/ecs/aws_ecs_tag.json
+var awsEcsTag []byte
+
+//go:embed mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store.json
+var awsLbTrustStore []byte
+
+//go:embed mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store_revocation.json
+var awsLbTrustStoreRevocation []byte
+
+//go:embed mapping/aws/resource/quicksight/aws_quicksight_folder.json
+var awsQuicksightFolder []byte
+
+//go:embed mapping/aws/resource/quicksight/aws_quicksight_group.json
+var awsQuicksightGroup []byte
+
+//go:embed mapping/aws/resource/quicksight/aws_quicksight_group_membership.json
+var awsQuicksightGroupMembership []byte
+
+//go:embed mapping/aws/resource/quicksight/aws_quicksight_namespace.json
+var awsQuicksightNamespace []byte
+
+//go:embed mapping/aws/resource/quicksight/aws_quicksight_user.json
+var awsQuicksightUser []byte
diff --git a/src/mapping/aws/resource/cloudfront-keyvaluestore/aws_cloudfrontkeyvaluestore_key.json b/src/mapping/aws/resource/cloudfront-keyvaluestore/aws_cloudfrontkeyvaluestore_key.json
new file mode 100644
index 00000000..3e363f92
--- /dev/null
+++ b/src/mapping/aws/resource/cloudfront-keyvaluestore/aws_cloudfrontkeyvaluestore_key.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "cloudfront-keyvaluestore:DescribeKeyValueStore",
+ "cloudfront-keyvaluestore:PutKey",
+ "cloudfront-keyvaluestore:GetKey"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ecs/aws_ecs_tag.json b/src/mapping/aws/resource/ecs/aws_ecs_tag.json
new file mode 100644
index 00000000..75286315
--- /dev/null
+++ b/src/mapping/aws/resource/ecs/aws_ecs_tag.json
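Review bot: The `apply` list for aws_cloudfrontkeyvaluestore_key covers DescribeKeyValueStore, PutKey and GetKey but no delete action, and `destroy` is left `[]` like every other new mapping in this commit, all of which put their delete action in `apply` (DeleteTrustStore, DeleteFolder, DeleteGroup). A policy generated from this file therefore lets a key be created and read but never removed; adding `"cloudfront-keyvaluestore:DeleteKey"` to `apply` would close the gap, assuming the provider deletes the key through that API rather than by rewriting the store. The matching `//aws_cloudfrontkeyvaluestore_key` group in terraform/aws/role/aws_iam_policy.basic.tf has the same omission.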
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "ecs:TagResource",
+ "ecs:UntagResource"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store.json b/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store.json
new file mode 100644
index 00000000..79d9837b
--- /dev/null
+++ b/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "elasticloadbalancing:CreateTrustStore",
+ "elasticloadbalancing:DeleteTrustStore",
+ "elasticloadbalancing:ModifyTrustStore"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store_revocation.json b/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store_revocation.json
new file mode 100644
index 00000000..f764fc9d
--- /dev/null
+++ b/src/mapping/aws/resource/elasticloadbalancing/aws_lb_trust_store_revocation.json
@@ -0,0 +1,13 @@
+[
+ {
+ "apply": [
+ "elasticloadbalancing:DeleteTrustStore"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/quicksight/aws_quicksight_folder.json b/src/mapping/aws/resource/quicksight/aws_quicksight_folder.json
new file mode 100644
index 00000000..cad05bd3
--- /dev/null
+++ b/src/mapping/aws/resource/quicksight/aws_quicksight_folder.json
@@ -0,0 +1,16 @@
+[
+ {
+ "apply": [
+ "quicksight:CreateFolder",
+ "quicksight:DescribeFolder",
+ "quicksight:DeleteFolder",
+ "quicksight:UpdateFolder"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/quicksight/aws_quicksight_group.json b/src/mapping/aws/resource/quicksight/aws_quicksight_group.json
new file mode 100644
index 00000000..6df7682c
--- /dev/null
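Review bot: aws_ecs_tag.json's `apply` list grants ecs:TagResource and ecs:UntagResource but no read action, so a policy built from it cannot refresh the tag after it is created; the provider's read presumably calls ListTagsForResource, in which case `"ecs:ListTagsForResource"` belongs in `apply` next to the two write actions. The same write-only pattern recurs in aws_lb_trust_store.json (Create/Delete/ModifyTrustStore with no `elasticloadbalancing:DescribeTrustStores`) and in aws_quicksight_namespace.json on the next line (Create/DeleteNamespace with no `quicksight:DescribeNamespace`), whereas the other new quicksight mappings do carry their Describe action. Worth confirming against the provider's Read functions before adding them.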
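Review bot: aws_lb_trust_store_revocation.json lists only `elasticloadbalancing:DeleteTrustStore`, which is the parent trust store's delete action and touches no revocation list at all, so a policy generated from it could not add or read a revocation yet would be allowed to delete the whole trust store. The revocation APIs are AddTrustStoreRevocations, DescribeTrustStoreRevocations and RemoveTrustStoreRevocations, so `apply` should carry those three under the `elasticloadbalancing:` prefix and DeleteTrustStore should be dropped from this mapping, leaving it to aws_lb_trust_store.json. The matching fixture reads the revocation list from an S3 object, so it is also worth checking whether an s3: read action needs to be represented here.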
+++ b/src/mapping/aws/resource/quicksight/aws_quicksight_group.json
@@ -0,0 +1,16 @@
+[
+ {
+ "apply": [
+ "quicksight:CreateGroup",
+ "quicksight:DescribeGroup",
+ "quicksight:DeleteGroup",
+ "quicksight:UpdateGroup"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/quicksight/aws_quicksight_group_membership.json b/src/mapping/aws/resource/quicksight/aws_quicksight_group_membership.json
new file mode 100644
index 00000000..1b3d7868
--- /dev/null
+++ b/src/mapping/aws/resource/quicksight/aws_quicksight_group_membership.json
@@ -0,0 +1,15 @@
+[
+ {
+ "apply": [
+ "quicksight:DescribeGroupMembership",
+ "quicksight:CreateGroupMembership",
+ "quicksight:DeleteGroupMembership"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/quicksight/aws_quicksight_namespace.json b/src/mapping/aws/resource/quicksight/aws_quicksight_namespace.json
new file mode 100644
index 00000000..7c4bab32
--- /dev/null
+++ b/src/mapping/aws/resource/quicksight/aws_quicksight_namespace.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "quicksight:CreateNamespace",
+ "quicksight:DeleteNamespace"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/quicksight/aws_quicksight_user.json b/src/mapping/aws/resource/quicksight/aws_quicksight_user.json
new file mode 100644
index 00000000..6f37875e
--- /dev/null
+++ b/src/mapping/aws/resource/quicksight/aws_quicksight_user.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "quicksight:RegisterUser",
+ "quicksight:DescribeUser",
+ "quicksight:CreateUser",
+ "quicksight:DeleteUser",
+ "quicksight:UpdateUser"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/parse/aws-members.json b/src/parse/aws-members.json
index 3012b4ff..d98343dc 100755
--- a/src/parse/aws-members.json
+++ b/src/parse/aws-members.json
@@ -438,7 +438,6 @@
 "aws_route53_traffic_policy_document",
 "aws_route53_zone",
 "aws_route53_zones",
- "aws_route53profiles_profiles",
 "aws_route_table",
 "aws_route_tables",
 "aws_s3_account_public_access_block",
diff --git a/terraform/aws/backup/aws_cloudfrontkeyvaluestore_key.tf b/terraform/aws/backup/aws_cloudfrontkeyvaluestore_key.tf
new file mode 100644
index 00000000..29248fc7
--- /dev/null
+++ b/terraform/aws/backup/aws_cloudfrontkeyvaluestore_key.tf
@@ -0,0 +1,10 @@
+resource "aws_cloudfront_key_value_store" "example" {
+ name = "ExampleKeyValueStore"
+ comment = "This is an example key value store"
+}
+
+resource "aws_cloudfrontkeyvaluestore_key" "example" {
+ key_value_store_arn = aws_cloudfront_key_value_store.example.arn
+ key = "Test Key"
+ value = "Test Value"
+}
diff --git a/terraform/aws/backup/aws_ecs_tag.tf b/terraform/aws/backup/aws_ecs_tag.tf
new file mode 100644
index 00000000..502748a5
--- /dev/null
+++ b/terraform/aws/backup/aws_ecs_tag.tf
@@ -0,0 +1,38 @@
+resource "aws_ecs_tag" "pike" {
+ resource_arn = aws_batch_compute_environment.pike.ecs_cluster_arn
+ key = "Name"
+ value = "Hello World"
+}
+
+resource "aws_batch_compute_environment" "pike" {
+ compute_environment_name_prefix = "pike"
+ service_role = "arn:aws:iam::680235478471:role/aws-service-role/batch.amazonaws.com/AWSServiceRoleForBatch"
+ type = "MANAGED"
+
+ compute_resources {
+ bid_percentage = 0
+ desired_vcpus = 0
+ instance_role = "arn:aws:iam::680235478471:instance-profile/ecsInstanceRole"
+ instance_type = [
+ "optimal",
+ ]
+ max_vcpus = 256
+ min_vcpus = 0
+ security_group_ids = [
+ "sg-05b27cb61c9c46bd2",
+ ]
+
+ subnets = [
+ "subnet-03fdfb13a135366a7",
+ ]
+ tags = {
+ pike = "permissions"
+ }
+ type = "EC2"
+ }
+
+
+ tags = {
+ pike = "permissions"
+ }
+}
diff --git a/terraform/aws/backup/aws_lb_trust_store.tf b/terraform/aws/backup/aws_lb_trust_store.tf
new file mode 100644
index 00000000..a8f430e9
--- /dev/null
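Review bot: aws_ecs_tag.tf hard-codes account-specific identifiers — the `680235478471` account in both role ARNs, `sg-05b27cb61c9c46bd2` and `subnet-03fdfb13a135366a7` — so the fixture applies only in that one account and publishes its network and role layout in the repository. A `data "aws_caller_identity" "current"` for the account id plus variables (or `aws_security_group`/`aws_subnet` data sources) for the network IDs would keep the fixture portable and avoid committing live identifiers; the same account id and an IAM user ARN appear again in aws_quicksight_user.tf further down. If the backup/ fixtures are intentionally never applied and only parsed for permissions, a one-line comment at the top of the file saying so would settle the question for the next reader.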
+++ b/terraform/aws/backup/aws_lb_trust_store.tf
@@ -0,0 +1,4 @@
+resource "aws_lb_trust_store" "pike" {
+ ca_certificates_bundle_s3_bucket = aws_s3_bucket.truststore.bucket
+ ca_certificates_bundle_s3_key = "trust"
+}
diff --git a/terraform/aws/backup/aws_lb_trust_store_revocation.tf b/terraform/aws/backup/aws_lb_trust_store_revocation.tf
new file mode 100644
index 00000000..b862785d
--- /dev/null
+++ b/terraform/aws/backup/aws_lb_trust_store_revocation.tf
@@ -0,0 +1,9 @@
+resource "aws_lb_trust_store_revocation" "pike" {
+ trust_store_arn = aws_lb_trust_store.pike.arn
+
+ revocations_s3_bucket = aws_s3_bucket.truststore.bucket
+ revocations_s3_key = "trust"
+}
+
+
+resource "aws_s3_bucket" "truststore" {}
diff --git a/terraform/aws/backup/aws_quicksight_folder.tf b/terraform/aws/backup/aws_quicksight_folder.tf
new file mode 100644
index 00000000..0ad7ed8c
--- /dev/null
+++ b/terraform/aws/backup/aws_quicksight_folder.tf
@@ -0,0 +1,4 @@
+resource "aws_quicksight_folder" "pike" {
+ folder_id = "example-id"
+ name = "example-name"
+}
diff --git a/terraform/aws/backup/aws_quicksight_group.tf b/terraform/aws/backup/aws_quicksight_group.tf
new file mode 100644
index 00000000..7fe1470e
--- /dev/null
+++ b/terraform/aws/backup/aws_quicksight_group.tf
@@ -0,0 +1,4 @@
+resource "aws_quicksight_group" "pike" {
+ group_name = "pike"
+ namespace = aws_quicksight_namespace.pike.namespace
+}
diff --git a/terraform/aws/backup/aws_quicksight_group_membership.tf b/terraform/aws/backup/aws_quicksight_group_membership.tf
new file mode 100644
index 00000000..2913f113
--- /dev/null
+++ b/terraform/aws/backup/aws_quicksight_group_membership.tf
@@ -0,0 +1,4 @@
+resource "aws_quicksight_group_membership" "pike" {
+ group_name = aws_quicksight_group.pike.group_name
+ member_name = "jameswoolfenden"
+}
diff --git a/terraform/aws/backup/aws_quicksight_namespace.tf b/terraform/aws/backup/aws_quicksight_namespace.tf
new file mode 100644
index 00000000..56dd916e
--- /dev/null
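Review bot: aws_lb_trust_store.tf and aws_lb_trust_store_revocation.tf point `ca_certificates_bundle_s3_key` and `revocations_s3_key` at the same object key `"trust"` in a bucket this module creates empty, so if the fixtures are ever applied the trust store creation fails on a missing object, and a CA bundle and a revocation list are in any case distinct artifacts that should not share one key. If the fixtures are meant to be applied, add an `aws_s3_object` per artifact (for example keys `ca-bundle.pem` and `revocations.crl`) and reference their `.key`; if they are only parsed for permission extraction, a comment at the top of each file stating that would make the placeholder values intentional. `aws_s3_bucket.truststore` is declared in the revocation file but consumed by the trust store file, so the two fixtures only work together, which is worth a comment as well.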
+++ b/terraform/aws/backup/aws_quicksight_namespace.tf
@@ -0,0 +1,3 @@
+resource "aws_quicksight_namespace" "pike" {
+ namespace = "pike"
+}
diff --git a/terraform/aws/backup/aws_quicksight_user.tf b/terraform/aws/backup/aws_quicksight_user.tf
new file mode 100644
index 00000000..97f50c73
--- /dev/null
+++ b/terraform/aws/backup/aws_quicksight_user.tf
@@ -0,0 +1,8 @@
+resource "aws_quicksight_user" "pike" {
+ session_name = "an-author"
+ email = "author@example.com"
+ namespace = aws_quicksight_namespace.pike.namespace
+ identity_type = "IAM"
+ iam_arn = "arn:aws:iam::680235478471:user/jameswoolfenden"
+ user_role = "AUTHOR"
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
index 39de0fb1..880e2fed 100644
--- a/terraform/aws/role/aws_iam_policy.basic.tf
+++ b/terraform/aws/role/aws_iam_policy.basic.tf
@@ -7,50 +7,76 @@ resource "aws_iam_policy" "basic" {
 "Sid" : "VisualEditor0",
 "Effect" : "Allow",
 "Action" : [
- //aws_iam_user_policies_exclusive
- "iam:ListUserPolicies",
- "iam:PutUserPolicy",
+ //aws_cloudfrontkeyvaluestore_key
+ "cloudfront-keyvaluestore:DescribeKeyValueStore",
+ "cloudfront-keyvaluestore:PutKey",
+ "cloudfront-keyvaluestore:GetKey",
- //aws_iam_role_policies_exclusive
- "iam:ListRolePolicies",
- "iam:PutRolePolicy",
+ //aws-ecs_tag
+ "ecs:TagResource",
+ "ecs:UntagResource",
- //aws_iam_group_policies_exclusive
- "iam:ListGroupPolicies",
- "iam:PutGroupPolicy",
+ //aws_lb_trust_store
+ "elasticloadbalancing:CreateTrustStore",
+ "elasticloadbalancing:DeleteTrustStore",
+ "elasticloadbalancing:ModifyTrustStore",
- //aws_sagemaker_human_task_ui
- "sagemaker:CreateHumanTaskUi",
- "sagemaker:DescribeHumanTaskUi",
- "sagemaker:ListTags",
- "sagemaker:DeleteHumanTaskUi",
- "sagemaker:AddTags",
- "sagemaker:DeleteTags",
+ //aws_quicksight_folder
+ "quicksight:CreateFolder",
+ "quicksight:DescribeFolder",
+ "quicksight:DeleteFolder",
+ "quicksight:UpdateFolder",
- //aws_memorydb_user
- "memorydb:CreateUser",
- "memorydb:DescribeUsers",
- "memorydb:ListTags",
- "memorydb:DeleteUser",
- "memorydb:TagResource",
- "memorydb:UntagResource",
+ //aws_quicksight_user
+ "quicksight:RegisterUser",
+ "quicksight:DescribeUser",
+ "quicksight:CreateUser",
+ "quicksight:DeleteUser",
+ "quicksight:UpdateUser",
- //aws_m2_environment
- "m2:CreateEnvironment",
- "m2:GetEnvironment",
- "m2:DeleteEnvironment",
- "m2:UpdateEnvironment",
+ //aws_quicksight_namespace
+ "quicksight:CreateNamespace",
+ "quicksight:DeleteNamespace",
- //aws_m2_deployment
- "m2:GetDeployment",
- "m2:CreateDeployment",
+ //aws_quicksight_group
+ "quicksight:CreateGroup",
+ "quicksight:DescribeGroup",
+ "quicksight:DeleteGroup",
+ "quicksight:UpdateGroup",
- //aws_m2_application
- "m2:GetApplication",
- "m2:CreateApplication",
- "m2:DeleteApplication",
- "m2:UpdateApplication",
+
//aws_quicksight_group_membership
+ "quicksight:DescribeGroupMembership",
+ "quicksight:CreateGroupMembership",
+ "quicksight:DeleteGroupMembership",
+ "batch:CreateComputeEnvironment",
+ "batch:DeleteComputeEnvironment",
+ "batch:DescribeComputeEnvironments",
+ "batch:TagResource",
+ "batch:UntagResource",
+ "batch:UpdateComputeEnvironment"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "VisualEditor1",
+ "Effect" : "Allow",
+ "Action" : [
+ "cloudfront:CreateKeyValueStore",
+ "cloudfront:DeleteKeyValueStore",
+ "cloudfront:DescribeKeyValueStore",
+ "cloudfront:UpdateKeyValueStore"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "VisualEditor2",
+ "Effect" : "Allow",
+ "Action" : [
 "dynamodb:DeleteItem",
 "dynamodb:DescribeTable",
 "dynamodb:GetItem",
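Review bot: The group label `//aws-ecs_tag` uses a hyphen where every other label in this action list is the exact Terraform resource name, so anyone grepping the policy for `aws_ecs_tag` will miss it; change it to `//aws_ecs_tag`. The six `batch:*` actions after the group-membership entries carry no label at all, although they appear to exist only for the `aws_batch_compute_environment` in the aws_ecs_tag fixture rather than for a mapped resource — a `//aws_batch_compute_environment (aws_ecs_tag fixture)` line above `"batch:CreateComputeEnvironment"` would record why they are here. The `//aws_cloudfrontkeyvaluestore_key` group mirrors the mapping file and likewise carries no DeleteKey action. The enclosing `resource "aws_iam_policy" "basic"` block and the Statement array begin before this hunk.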
@@ -61,34 +87,67 @@ resource "aws_iam_policy" "basic" {
 ]
 },
 {
- "Sid" : "VisualEditor1",
+ "Sid" : "VisualEditor3",
 "Effect" : "Allow",
 "Action" : [
- "iam:CreateUser",
- "iam:DeleteUser",
- "iam:GetUser",
- "iam:ListGroupsForUser",
- "iam:CreateRole",
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:DeleteRole",
- "iam:CreatePolicy",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:ListPolicyVersions",
- "iam:DeletePolicy"
+ "ec2:DescribeAccountAttributes",
+ "ec2:DescribeImages",
+ "ec2:DescribeKeyPairs",
+ "ec2:DescribeLaunchTemplateVersions",
+ "ec2:DescribeLaunchTemplates",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs"
 ],
 "Resource" : [
 "*"
 ]
 },
 {
- "Sid" : "VisualEditor2",
+ "Sid" : "VisualEditor4",
+ "Effect" : "Allow",
+ "Action" : [
+ "ecs:Describe*",
+ "ecs:DescribeClusters",
+ "ecs:List*"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "VisualEditor5",
 "Effect" : "Allow",
 "Action" : [
+ "iam:CreateServiceLinkedRole",
+ "iam:PassRole"
+ ],
+ "Resource" : [
+ "*"
+ ]
+ },
+ {
+ "Sid" : "VisualEditor6",
+ "Effect" : "Allow",
+ "Action" : [
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
 "s3:DeleteObject",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketAcl",
+ "s3:GetBucketCORS",
+ "s3:GetBucketLogging",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:GetBucketPolicy",
+ "s3:GetBucketRequestPayment",
+ "s3:GetBucketTagging",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketWebsite",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetLifecycleConfiguration",
 "s3:GetObject",
+ "s3:GetObjectAcl",
+ "s3:GetReplicationConfiguration",
 "s3:ListBucket",
 "s3:PutObject"
 ],
@@ -97,6 +156,7 @@ resource "aws_iam_policy" "basic" {
 ]
 }
+ ]
 })
 tags = {
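Review bot: VisualEditor5 grants `iam:PassRole` with `"Resource" : [ "*" ]`, which lets the test principal hand any role in the account to any service and is the standard privilege-escalation primitive; the only roles the new fixtures pass are the Batch service role and the ecsInstanceRole instance profile in aws_ecs_tag.tf, so the statement should list those two ARNs as its Resource and add `"Condition" : { "StringEquals" : { "iam:PassedToService" : "batch.amazonaws.com" } }`, extending the service value if the instance role turns out to be passed to EC2 instead. VisualEditor4 lists `ecs:Describe*` and `ecs:List*` next to an explicit `ecs:DescribeClusters` that the wildcard already covers; since VisualEditor0 names its ECS actions individually, either spell out the Describe/List calls the Batch fixture actually needs or drop the redundant explicit entry. The Resource block of VisualEditor6 lies outside this hunk, so whether the added `s3:CreateBucket`/`s3:DeleteBucket` are equally unscoped cannot be checked here.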