audit manager

JamesWoolfenden · Jan 19, 2024 · bf11ba1 · bf11ba1
1 parent 927a144
commit bf11ba1
Show file tree

Hide file tree

Showing 21 changed files with 999 additions and 661 deletions.
diff --git a/src/aws.go b/src/aws.go
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
@@ -1,6 +1,6 @@
 # todo aws
 
-Resource percentage coverage   49.66
+Resource percentage coverage   50.27
 Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_accessanalyzer_archive_rule
@@ -53,14 +53,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_appsync_resolver
 ./resource.ps1 aws_appsync_type
 ./resource.ps1 aws_athena_prepared_statement
-./resource.ps1 aws_auditmanager_account_registration
-./resource.ps1 aws_auditmanager_assessment
-./resource.ps1 aws_auditmanager_assessment_delegation
-./resource.ps1 aws_auditmanager_assessment_report
-./resource.ps1 aws_auditmanager_control
-./resource.ps1 aws_auditmanager_framework
-./resource.ps1 aws_auditmanager_framework_share
-./resource.ps1 aws_auditmanager_organization_admin_account_registration
 ./resource.ps1 aws_bedrock_model_invocation_logging_configuration
 ./resource.ps1 aws_chime_voice_connector
 ./resource.ps1 aws_chime_voice_connector_group

diff --git a/src/files.go b/src/files.go
@@ -1800,3 +1800,27 @@ var awsCodestarconnectionsHost []byte
 
 //go:embed mapping/aws/resource/codestar-notifications/aws_codestarnotifications_notification_rule.json
 var awsCodestarconnectionsNotificationsRule []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_account_registration.json
+var awsAuditmanagerAccountRegistration []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_assessment.json
+var awsAuditmanagerAssessment []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_assessment_delegation.json
+var awsAuditmanagerAssessmentDelegation []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_assessment_report.json
+var awsAuditmanagerAssessmentReport []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_control.json
+var awsAuditmanagerControl []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_framework.json
+var awsAuditmanagerFramework []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_framework_share.json
+var awsAuditmanagerFrameworkShare []byte
+
+//go:embed mapping/aws/resource/auditmanager/aws_auditmanager_organization_admin_account_registration.json
+var awsAuditmanagerOrganizationAdminAccountRegistration []byte
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_account_registration.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_account_registration.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "auditmanager:RegisterAccount",
+      "auditmanager:DeregisterAccount",
+      "iam:CreateServiceLinkedRole",
+      "events:PutRule",
+      "events:PutTargets",
+      "auditmanager:GetAccountStatus"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:DeregisterAccount"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "auditmanager:GetAssessment",
+      "auditmanager:CreateAssessment",
+      "auditmanager:DeleteAssessment",
+      "auditmanager:UpdateAssessment"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:DeleteAssessment"
+    ],
+    "modify": [
+      "auditmanager:UpdateAssessment"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment_delegation.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment_delegation.json
@@ -0,0 +1,16 @@
+[
+  {
+    "apply": [
+      "auditmanager:GetDelegations",
+      "auditmanager:BatchDeleteDelegationByAssessment"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:BatchDeleteDelegationByAssessment"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment_report.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_assessment_report.json
@@ -0,0 +1,11 @@
+[
+  {
+    "apply": [],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_control.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_control.json
@@ -0,0 +1,23 @@
+[
+  {
+    "apply": [
+      "auditmanager:GetControl",
+      "auditmanager:CreateControl",
+      "auditmanager:DeleteControl",
+      "auditmanager:UpdateControl"
+    ],
+    "attributes": {
+      "tags": [
+        "auditmanager:TagResource",
+        "auditmanager:UntagResource"
+      ]
+    },
+    "destroy": [
+      "auditmanager:DeleteControl"
+    ],
+    "modify": [
+      "auditmanager:UpdateControl"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_framework.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_framework.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "auditmanager:DeleteAssessmentFramework",
+      "auditmanager:CreateAssessmentFramework",
+      "auditmanager:GetAssessmentFramework",
+      "auditmanager:UpdateAssessmentFramework"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:DeleteAssessmentFramework"
+    ],
+    "modify": [
+      "auditmanager:UpdateAssessmentFramework"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/auditmanager/aws_auditmanager_framework_share.json b/src/mapping/aws/resource/auditmanager/aws_auditmanager_framework_share.json
@@ -0,0 +1,20 @@
+[
+  {
+    "apply": [
+      "auditmanager:DeleteAssessmentFrameworkShare",
+      "auditmanager:StartAssessmentFrameworkShare",
+      "auditmanager:UpdateAssessmentFrameworkShare",
+      "auditmanager:ListAssessmentFrameworkShareRequests"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:DeleteAssessmentFrameworkShare"
+    ],
+    "modify": [
+      "auditmanager:UpdateAssessmentFrameworkShare"
+    ],
+    "plan": []
+  }
+]
diff --git a/...g/aws/resource/auditmanager/aws_auditmanager_organization_admin_account_registration.json b/...g/aws/resource/auditmanager/aws_auditmanager_organization_admin_account_registration.json
@@ -0,0 +1,17 @@
+[
+  {
+    "apply": [
+      "auditmanager:RegisterOrganizationAdminAccount",
+      "auditmanager:DeregisterOrganizationAdminAccount",
+      "auditmanager:GetOrganizationAdminAccount"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "auditmanager:DeregisterOrganizationAdminAccount"
+    ],
+    "modify": [],
+    "plan": []
+  }
+]
diff --git a/terraform/aws/backup/aws_auditmanager_account_registration.tf b/terraform/aws/backup/aws_auditmanager_account_registration.tf
@@ -0,0 +1,3 @@
+resource "aws_auditmanager_account_registration" "pike" {
+  deregister_on_destroy = true
+}
diff --git a/terraform/aws/backup/aws_auditmanager_assessment.tf b/terraform/aws/backup/aws_auditmanager_assessment.tf
@@ -0,0 +1,35 @@
+resource "aws_auditmanager_assessment" "pike" {
+  name = "example"
+
+  assessment_reports_destination {
+    destination      = "s3://${aws_s3_bucket.test.id}"
+    destination_type = "S3"
+  }
+
+  framework_id = aws_auditmanager_framework.pike.id
+
+  roles {
+    role_arn  = aws_iam_role.example.arn
+    role_type = "PROCESS_OWNER"
+  }
+
+  scope {
+    aws_accounts {
+      id = data.aws_caller_identity.current.account_id
+    }
+    aws_services {
+      service_name = "S3"
+    }
+  }
+
+  tags = {
+    pike = "permissions"
+  }
+}
+
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket" "test" {
+  bucket = "reports-${data.aws_caller_identity.current.account_id}"
+}
diff --git a/terraform/aws/backup/aws_auditmanager_assessment_delegation.tf b/terraform/aws/backup/aws_auditmanager_assessment_delegation.tf
@@ -0,0 +1,23 @@
+resource "aws_auditmanager_assessment_delegation" "pike" {
+  assessment_id  = aws_auditmanager_assessment.pike.id
+  role_arn       = aws_iam_role.example.arn
+  role_type      = "RESOURCE_OWNER"
+  control_set_id = "example"
+}
+
+
+resource "aws_iam_role" "example" {
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
diff --git a/terraform/aws/backup/aws_auditmanager_assessment_report.tf b/terraform/aws/backup/aws_auditmanager_assessment_report.tf
@@ -0,0 +1,4 @@
+resource "aws_auditmanager_assessment_report" "pike" {
+  name          = "example"
+  assessment_id = aws_auditmanager_assessment.pike.id
+}
diff --git a/terraform/aws/backup/aws_auditmanager_control.tf b/terraform/aws/backup/aws_auditmanager_control.tf
@@ -0,0 +1,12 @@
+resource "aws_auditmanager_control" "pike" {
+  name = "example"
+
+  control_mapping_sources {
+    source_name          = "example"
+    source_set_up_option = "Procedural_Controls_Mapping"
+    source_type          = "MANUAL"
+  }
+  tags = {
+    pike = "permission"
+  }
+}
diff --git a/terraform/aws/backup/aws_auditmanager_framework.tf b/terraform/aws/backup/aws_auditmanager_framework.tf
@@ -0,0 +1,10 @@
+resource "aws_auditmanager_framework" "pike" {
+  name = "example"
+
+  control_sets {
+    name = "example"
+    controls {
+      id = aws_auditmanager_control.pike.id
+    }
+  }
+}
diff --git a/terraform/aws/backup/aws_auditmanager_framework_share.tf b/terraform/aws/backup/aws_auditmanager_framework_share.tf
@@ -0,0 +1,5 @@
+resource "aws_auditmanager_framework_share" "pike" {
+  destination_account = "680235478471"
+  destination_region  = "us-east-1"
+  framework_id        = aws_auditmanager_framework.pike.id
+}
diff --git a/terraform/aws/backup/aws_auditmanager_organization_admin_account_registration.tf b/terraform/aws/backup/aws_auditmanager_organization_admin_account_registration.tf
@@ -0,0 +1,3 @@
+resource "aws_auditmanager_organization_admin_account_registration" "pike" {
+  admin_account_id = "680235478471"
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
@@ -7,13 +7,75 @@ resource "aws_iam_policy" "basic" {
         "Sid" : "0",
         "Effect" : "Allow",
         "Action" : [
+          "s3:CreateBucket",
+          "s3:DeleteBucket",
+          "s3:GetAccelerateConfiguration",
+          "s3:GetBucketAcl",
+          "s3:GetBucketCORS",
+          "s3:GetBucketLogging",
+          "s3:GetBucketObjectLockConfiguration",
+          "s3:GetBucketPolicy",
+          "s3:GetBucketRequestPayment",
+          "s3:GetBucketTagging",
+          "s3:GetBucketVersioning",
+          "s3:GetBucketWebsite",
+          "s3:GetEncryptionConfiguration",
+          "s3:GetLifecycleConfiguration",
+          "s3:GetObject",
+          "s3:GetObjectAcl",
+          "s3:GetReplicationConfiguration",
+          "s3:ListBucket",
+          "iam:CreateRole",
+          "iam:DeleteRole",
+          "iam:GetRole",
+          "iam:ListAttachedRolePolicies",
+          "iam:ListInstanceProfilesForRole",
+          "iam:ListRolePolicies",
 
-          //aws_mq_broker_engine_types
-          "mq:DescribeBrokerEngineTypes",
-          //aws_msk_bootstrap_brokers
-          "kafka:GetBootstrapBrokers",
-          //aws_verifiedpermissions_policy_store
-          "verifiedpermissions:getpolicystore"
+
+          //aws_auditmanager_assessment
+          "auditmanager:GetAssessment",
+          "auditmanager:CreateAssessment",
+          "auditmanager:DeleteAssessment",
+          "auditmanager:UpdateAssessment",
+
+          //aws_auditmanager_control
+          "auditmanager:GetControl",
+          "auditmanager:CreateControl",
+          "auditmanager:DeleteControl",
+          "auditmanager:UpdateControl",
+          "auditmanager:TagResource",
+          "auditmanager:UntagResource",
+
+          //aws_auditmanager_framework_share
+          "auditmanager:DeleteAssessmentFrameworkShare",
+          "auditmanager:StartAssessmentFrameworkShare",
+          "auditmanager:UpdateAssessmentFrameworkShare",
+          "auditmanager:ListAssessmentFrameworkShareRequests",
+
+          //aws_auditmanager_organization_admin_account_registration
+          "auditmanager:RegisterOrganizationAdminAccount",
+          "auditmanager:DeregisterOrganizationAdminAccount",
+          "auditmanager:GetOrganizationAdminAccount",
+
+          //aws_auditmanager_account_registration
+          "auditmanager:RegisterAccount",
+          "auditmanager:DeregisterAccount",
+          "iam:CreateServiceLinkedRole",
+          "events:PutRule",
+          "events:PutTargets",
+          "auditmanager:GetAccountStatus",
+
+
+          //aws_auditmanager_framework
+          "auditmanager:DeleteAssessmentFramework",
+          "auditmanager:CreateAssessmentFramework",
+          "auditmanager:GetAssessmentFramework",
+          "auditmanager:UpdateAssessmentFramework",
+
+          //aws_auditmanager_assessment_delegation
+          "auditmanager:GetDelegations",
+          "auditmanager:BatchDeleteDelegationByAssessment"
         ],
         "Resource" : "*",
       }