new filter for provider capacity

.github/workflows/ci.yml

@@ -43,6 +43,6 @@ jobs:
         run: go test ./... -coverprofile=./cover.out
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@9fbe3b76a52fe0ee56efff0a60350122f3c4e6e2 # v5.3.0
+        uses: codecov/codecov-action@af2c6347526edfe5ff45ad690affad475d77ddb4 # v5.3.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

.github/workflows/codeql-analysis.yml

@@ -43,7 +43,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@d90e07f32eb48924444e8069d5f1fbaaad678989 # codeql-bundle-v2.20.2
+        uses: github/codeql-action/init@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # codeql-bundle-v2.20.3
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@d90e07f32eb48924444e8069d5f1fbaaad678989 # codeql-bundle-v2.20.2
+        uses: github/codeql-action/autobuild@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # codeql-bundle-v2.20.3
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -70,4 +70,4 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@d90e07f32eb48924444e8069d5f1fbaaad678989 # codeql-bundle-v2.20.2
+        uses: github/codeql-action/analyze@7e3036b9cd87fc26dd06747b7aa4b96c27aaef3a # codeql-bundle-v2.20.3

main.go

@@ -31,6 +31,7 @@ func main() {
 		region          string
 		workflow        string
 		name            string
+		provider        string
 	)
 
 	log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr})
@@ -159,13 +160,19 @@ func main() {
 						Usage:       "Add resource constraints to policy (AWS only)",
 						Destination: &enableResources,
 					},
+					&cli.StringFlag{
+						Name:        "provider",
+						Aliases:     []string{"p"},
+						Usage:       "Filter results for just this provider (e.g. aws, gcp, azure)",
+						Destination: &provider,
+					},
 				},
 				Action: func(*cli.Context) error {
 					if file == "" {
-						return pike.Scan(directory, output, nil, init, write, enableResources)
+						return pike.Scan(directory, output, nil, init, write, enableResources, provider)
 					}
 
-					return pike.Scan(directory, output, &file, init, write, enableResources)
+					return pike.Scan(directory, output, &file, init, write, enableResources, provider)
 				},
 			},
 			{

src/aws.go

@@ -1127,7 +1127,23 @@ var tFLookup = map[string]interface{}{ //nolint:gochecknoglobals
 	"aws_xray_encryption_config":                                       awsXrayEncryptionConfig,
 	"aws_xray_group":                                                   awsXrayGroup,
 	"aws_xray_sampling_rule":                                           awsXraySamplingRule,
+	"aws_ec2_instance":                                                 awsInstance,
 	"backend":                                                          s3backend,
+	"aws_codebuild_fleet":                                              awsCodeBuildFleet,
+	"aws_config_aggregate_authorization":                               awsConfigAggregateAuthorization,
+	"aws_config_organization_managed_rule":                             awsConfigOrganizationManagedRule,
+	"aws_config_remediation_configuration":                             awsConfigRemediationConfiguration,
+	"aws_ec2_instance_connect_endpoint":                                awsEc2InstanceConnectEndpoint,
+	"aws_ec2_traffic_mirror_filter_rule":                               awsEc2TrafficMirrorFilterRule,
+	"aws_ec2_traffic_mirror_session":                                   awsEc2TrafficMirrorSession,
+	"aws_ec2_traffic_mirror_filter":                                    awsEc2TrafficMirrorFilter,
+	"aws_ec2_traffic_mirror_target":                                    awsEc2TrafficMirrorTarget,
+	"aws_glue_data_quality_ruleset":                                    awsGlueDataQualityRuleset,
+	"aws_glue_dev_endpoint":                                            awsGlueDevEndpoint,
+	"aws_grafana_workspace":                                            awsGrafanaWorkspace,
+	"aws_lakeformation_data_lake_settings":                             awsLakeformationDataLakeSettings,
+	"aws_lakeformation_permissions":                                    awsLakeformationPermissions,
+	"aws_lakeformation_resource":                                       awsLakeformationResource,
 }
 
 // GetAWSPermissions for AWS resources.

src/compare.go

@@ -43,7 +43,7 @@ func Compare(directory string, arn string, init bool) (bool, error) {
 		return false, &getPolicyVersionError{err}
 	}
 
-	iacPolicy, err := MakePolicy(directory, nil, init, false)
+	iacPolicy, err := MakePolicy(directory, nil, init, false, "")
 	if err != nil {
 		return false, &getIAMVersionError{err}
 	}

src/coverage/aws.md

@@ -1,6 +1,6 @@
 # todo aws
 
-Resource percentage coverage   75.34
+Resource percentage coverage   76.43
 Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_amplify_backend_environment
@@ -28,17 +28,13 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_cloudwatch_log_delivery_destination_policy
 ./resource.ps1 aws_cloudwatch_log_delivery_source
 ./resource.ps1 aws_cloudwatch_log_index_policy
-./resource.ps1 aws_codebuild_fleet
 ./resource.ps1 aws_codeconnections_host
 ./resource.ps1 aws_cognito_managed_user_pool_client
 ./resource.ps1 aws_comprehend_entity_recognizer
 ./resource.ps1 aws_computeoptimizer_enrollment_status
 ./resource.ps1 aws_computeoptimizer_recommendation_preferences
-./resource.ps1 aws_config_aggregate_authorization
 ./resource.ps1 aws_config_organization_custom_policy_rule
 ./resource.ps1 aws_config_organization_custom_rule
-./resource.ps1 aws_config_organization_managed_rule
-./resource.ps1 aws_config_remediation_configuration
 ./resource.ps1 aws_config_retention_configuration
 ./resource.ps1 aws_connect_lambda_function_association
 ./resource.ps1 aws_costoptimizationhub_enrollment_status
@@ -85,16 +81,10 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_ebs_fast_snapshot_restore
 ./resource.ps1 aws_ebs_snapshot_import
 ./resource.ps1 aws_ec2_capacity_block_reservation
-./resource.ps1 aws_ec2_instance
-./resource.ps1 aws_ec2_instance_connect_endpoint
 ./resource.ps1 aws_ec2_instance_metadata_defaults
 ./resource.ps1 aws_ec2_instance_state
 ./resource.ps1 aws_ec2_managed_prefix_list_entry
 ./resource.ps1 aws_ec2_subnet_cidr_reservation
-./resource.ps1 aws_ec2_traffic_mirror_filter
-./resource.ps1 aws_ec2_traffic_mirror_filter_rule
-./resource.ps1 aws_ec2_traffic_mirror_session
-./resource.ps1 aws_ec2_traffic_mirror_target
 ./resource.ps1 aws_ec2_transit_gateway_connect_peer
 ./resource.ps1 aws_ec2_transit_gateway_default_route_table_association
 ./resource.ps1 aws_ec2_transit_gateway_default_route_table_propagation
@@ -124,12 +114,9 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_finspace_kx_volume
 ./resource.ps1 aws_fms_admin_account
 ./resource.ps1 aws_glue_catalog_table_optimizer
-./resource.ps1 aws_glue_data_quality_ruleset
-./resource.ps1 aws_glue_dev_endpoint
 ./resource.ps1 aws_glue_partition_index
 ./resource.ps1 aws_grafana_license_association
 ./resource.ps1 aws_grafana_role_association
-./resource.ps1 aws_grafana_workspace
 ./resource.ps1 aws_grafana_workspace_saml_configuration
 ./resource.ps1 aws_grafana_workspace_service_account
 ./resource.ps1 aws_grafana_workspace_service_account_token
@@ -155,10 +142,7 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_kendra_thesaurus
 ./resource.ps1 aws_kinesis_analytics_application
 ./resource.ps1 aws_kinesisanalyticsv2_application_snapshot
-./resource.ps1 aws_lakeformation_data_lake_settings
 ./resource.ps1 aws_lakeformation_lf_tag
-./resource.ps1 aws_lakeformation_permissions
-./resource.ps1 aws_lakeformation_resource
 ./resource.ps1 aws_lakeformation_resource_lf_tags
 ./resource.ps1 aws_lambda_function_recursion_config
 ./resource.ps1 aws_lambda_runtime_management_config

src/coverage/azure.md

@@ -1,7 +1,7 @@
 # todo azure
 
 Resource percentage coverage   4.58
-Datasource percentage coverage 35.67
+Datasource percentage coverage 35.57
 
 ./resource.ps1 azurerm_aadb2c_directory
 ./resource.ps1 azurerm_active_directory_domain_service
@@ -1028,6 +1028,7 @@ Datasource percentage coverage 35.67
 ./resource.ps1 azurerm_aadb2c_directory -type data
 ./resource.ps1 azurerm_active_directory_domain_service -type data
 ./resource.ps1 azurerm_advisor_recommendations -type data
+./resource.ps1 azurerm_api_management_subscription -type data
 ./resource.ps1 azurerm_arc_resource_bridge_appliance -type data
 ./resource.ps1 azurerm_attestation -type data
 ./resource.ps1 azurerm_automation_runbook -type data

src/coverage/google.md

@@ -1,7 +1,7 @@
 # todo google
 
-Resource percentage coverage   18.44
-Datasource percentage coverage 72.75
+Resource percentage coverage   18.41
+Datasource percentage coverage 72.32
 
 ./resource.ps1 google_access_context_manager_access_level_condition
 ./resource.ps1 google_access_context_manager_service_perimeter_dry_run_egress_policy
@@ -715,6 +715,7 @@ Datasource percentage coverage 72.75
 ./resource.ps1 google_os_login_ssh_public_key
 ./resource.ps1 google_parallelstore_instance
 ./resource.ps1 google_parameter_manager_parameter
+./resource.ps1 google_parameter_manager_parameter_version
 ./resource.ps1 google_parameter_manager_regional_parameter
 ./resource.ps1 google_parameter_manager_regional_parameter_version
 ./resource.ps1 google_privateca_ca_pool
@@ -746,6 +747,7 @@ Datasource percentage coverage 72.75
 ./resource.ps1 google_pubsub_subscription_iam_policy
 ./resource.ps1 google_recaptcha_enterprise_key
 ./resource.ps1 google_redis_cluster
+./resource.ps1 google_redis_cluster_user_created_connections
 ./resource.ps1 google_resource_manager_lien
 ./resource.ps1 google_runtimeconfig_config
 ./resource.ps1 google_runtimeconfig_config_iam_binding
@@ -908,6 +910,7 @@ Datasource percentage coverage 72.75
 ./resource.ps1 google_kms_crypto_keys -type data
 ./resource.ps1 google_kms_ekm_connection_iam_policy -type data
 ./resource.ps1 google_kms_key_handle -type data
+./resource.ps1 google_kms_key_handles -type data
 ./resource.ps1 google_kms_key_rings -type data
 ./resource.ps1 google_logging_log_view_iam_policy -type data
 ./resource.ps1 google_oracle_database_autonomous_database -type data
@@ -921,6 +924,7 @@ Datasource percentage coverage 72.75
 ./resource.ps1 google_organization_iam_policy -type data
 ./resource.ps1 google_organizations -type data
 ./resource.ps1 google_parameter_manager_parameter -type data
+./resource.ps1 google_parameter_manager_parameters -type data
 ./resource.ps1 google_parameter_manager_regional_parameter -type data
 ./resource.ps1 google_parameter_manager_regional_parameters -type data
 ./resource.ps1 google_privateca_ca_pool_iam_policy -type data

src/files.go

@@ -3177,3 +3177,48 @@ var awsImagebuilderLifecyclePolicy []byte
 
 //go:embed mapping/aws/resource/iot/aws_iot_domain_configuration.json
 var awsIotDomainConfiguration []byte
+
+//go:embed mapping/aws/resource/codebuild/aws_codebuild_fleet.json
+var awsCodeBuildFleet []byte
+
+//go:embed mapping/aws/resource/config/aws_config_aggregate_authorization.json
+var awsConfigAggregateAuthorization []byte
+
+//go:embed mapping/aws/resource/config/aws_config_organization_managed_rule.json
+var awsConfigOrganizationManagedRule []byte
+
+//go:embed mapping/aws/resource/config/aws_config_remediation_configuration.json
+var awsConfigRemediationConfiguration []byte
+
+//go:embed mapping/aws/resource/ec2/aws_ec2_instance_connect_endpoint.json
+var awsEc2InstanceConnectEndpoint []byte
+
+//go:embed mapping/aws/resource/ec2/aws_ec2_traffic_mirror_filter_rule.json
+var awsEc2TrafficMirrorFilterRule []byte
+
+//go:embed mapping/aws/resource/ec2/aws_ec2_traffic_mirror_session.json
+var awsEc2TrafficMirrorSession []byte
+
+//go:embed mapping/aws/resource/ec2/aws_ec2_traffic_mirror_filter.json
+var awsEc2TrafficMirrorFilter []byte
+
+//go:embed mapping/aws/resource/ec2/aws_ec2_traffic_mirror_target.json
+var awsEc2TrafficMirrorTarget []byte
+
+//go:embed mapping/aws/resource/glue/aws_glue_data_quality_ruleset.json
+var awsGlueDataQualityRuleset []byte
+
+//go:embed mapping/aws/resource/glue/aws_glue_dev_endpoint.json
+var awsGlueDevEndpoint []byte
+
+//go:embed mapping/aws/resource/grafana/aws_grafana_workspace.json
+var awsGrafanaWorkspace []byte
+
+//go:embed mapping/aws/resource/lakeformation/aws_lakeformation_data_lake_settings.json
+var awsLakeformationDataLakeSettings []byte
+
+//go:embed mapping/aws/resource/lakeformation/aws_lakeformation_permissions.json
+var awsLakeformationPermissions []byte
+
+//go:embed mapping/aws/resource/lakeformation/aws_lakeformation_resource.json
+var awsLakeformationResource []byte

src/inspect.go

@@ -44,7 +44,7 @@ func Inspect(directory string, init bool) (PolicyDiff, error) {
 
 	var Difference PolicyDiff
 
-	rawIACPolicy, err := MakePolicy(directory, nil, init, false)
+	rawIACPolicy, err := MakePolicy(directory, nil, init, false, "")
 	if err != nil {
 		if errors.Is(err, &emptyIACError{}) {
 			log.Info().Msgf("nothing to do for IAC as %s for directory %s", err, directory)

src/make.go

@@ -20,7 +20,7 @@ func Make(directory string) (*string, error) {
 		return nil, &directoryNotFoundError{directory: directory}
 	}
 
-	err := Scan(directory, "terraform", nil, true, true, false)
+	err := Scan(directory, "terraform", nil, true, true, false, "")
 	if err != nil {
 		return nil, fmt.Errorf("failed to scan directory: %w", err)
 	}

src/mapping/aws/resource/codebuild/aws_codebuild_fleet.json

@@ -0,0 +1,26 @@
+[
+  {
+    "apply": [
+      "codebuild:BatchGetFleets",
+      "codebuild:CreateFleet",
+      "codebuild:UpdateFleet",
+      "codebuild:DeleteFleet",
+      "iam:PassRole"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "codebuild:BatchGetFleets",
+      "codebuild:DeleteFleet"
+    ],
+    "modify": [
+      "codebuild:BatchGetFleets",
+      "codebuild:UpdateFleet",
+      "iam:PassRole"
+    ],
+    "plan": [
+      "codebuild:BatchGetFleets"
+    ]
+  }
+]

src/mapping/aws/resource/config/aws_config_aggregate_authorization.json

@@ -0,0 +1,28 @@
+[
+  {
+    "apply": [
+      "config:DescribeAggregationAuthorizations",
+      "config:PutAggregationAuthorization",
+      "config:ListTagsForResource",
+      "config:DeleteAggregationAuthorization"
+    ],
+    "attributes": {
+      "tags": [
+        "config:TagResource",
+        "config:UntagResource"
+      ]
+    },
+    "destroy": [
+      "config:DescribeAggregationAuthorizations",
+      "config:DeleteAggregationAuthorization"
+    ],
+    "modify": [
+      "config:DescribeAggregationAuthorizations",
+      "config:ListTagsForResource"
+    ],
+    "plan": [
+      "config:DescribeAggregationAuthorizations",
+      "config:ListTagsForResource"
+    ]
+  }
+]

src/mapping/aws/resource/config/aws_config_organization_managed_rule.json

@@ -0,0 +1,18 @@
+[
+  {
+    "apply": [
+      "config:DescribeOrganizationConfigRules",
+      "config:DeleteOrganizationConfigRule",
+      "config:PutOrganizationConfigRule"
+    ],
+    "attributes": {
+      "tags": [
+        "config:TagResource",
+        "config:UntagResource"
+      ]
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]

src/mapping/aws/resource/config/aws_config_remediation_configuration.json

@@ -0,0 +1,18 @@
+[
+  {
+    "apply": [
+      "config:DescribeRemediationConfigurations",
+      "config:DeleteRemediationConfiguration",
+      "config:PutRemediationConfigurations"
+    ],
+    "attributes": {
+      "tags": [
+        "config:TagResource",
+        "config:UntagResource"
+      ]
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": []
+  }
+]