From 3354b5277d9be4613aeabd4aec3c84f75feb867e Mon Sep 17 00:00:00 2001 
From: James Woolfenden Date: Fri, 14 Jun 2024 10:26:29 +0100 Subject: [PATCH] aws odds --- src/aws.go | 10 +++ src/coverage/aws.md | 12 +-- src/files.go | 30 +++++++ .../aws_accessanalyzer_analyzer.json | 6 +- .../aws_accessanalyzer_archive_rule.json | 20 +++++ .../resource/account/aws_account_region.json | 14 +++ .../acm-pa/aws_acmpca_permission.json | 17 ++++ .../resource/acm-pa/aws_acmpca_policy.json | 17 ++++ ...aws_snapshot_create_volume_permission.json | 13 +++ .../aws/resource/sdb/aws_simpledb_domain.json | 17 ++++ .../sns/aws_sns_platform_application.json | 18 ++++ .../synthetics/aws_synthetics_canary.json | 20 +++++ .../synthetics/aws_synthetics_group.json | 17 ++++ .../aws_synthetics_group_association.json | 14 +++ .../backup/aws_accessanalyzer_archive_rule.tf | 23 +++++ terraform/aws/backup/aws_account_region.tf | 4 + terraform/aws/backup/aws_acmpca_permission.tf | 3 + terraform/aws/backup/aws_acmpca_policy.tf | 2 + terraform/aws/backup/aws_simpledb_domain.tf | 4 + .../aws_snapshot_create_volume_permission.tf | 15 ++++ .../backup/aws_sns_platform_application.tf | 5 ++ terraform/aws/backup/aws_synthetics_canary.tf | 14 +++ terraform/aws/backup/aws_synthetics_group.tf | 3 + .../aws_synthetics_group_association.tf | 4 + terraform/aws/role/aws_iam_policy.basic.tf | 89 +++++-------------- 25 files changed, 308 insertions(+), 83 deletions(-) create mode 100644 src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_archive_rule.json create mode 100644 src/mapping/aws/resource/account/aws_account_region.json create mode 100644 src/mapping/aws/resource/acm-pa/aws_acmpca_permission.json create mode 100644 src/mapping/aws/resource/acm-pa/aws_acmpca_policy.json create mode 100644 src/mapping/aws/resource/ec2/aws_snapshot_create_volume_permission.json create mode 100644 src/mapping/aws/resource/sdb/aws_simpledb_domain.json create mode 100644 src/mapping/aws/resource/sns/aws_sns_platform_application.json create mode 100644 
src/mapping/aws/resource/synthetics/aws_synthetics_canary.json create mode 100644 src/mapping/aws/resource/synthetics/aws_synthetics_group.json create mode 100644 src/mapping/aws/resource/synthetics/aws_synthetics_group_association.json create mode 100644 terraform/aws/backup/aws_accessanalyzer_archive_rule.tf create mode 100644 terraform/aws/backup/aws_account_region.tf create mode 100644 terraform/aws/backup/aws_acmpca_permission.tf create mode 100644 terraform/aws/backup/aws_acmpca_policy.tf create mode 100644 terraform/aws/backup/aws_simpledb_domain.tf create mode 100644 terraform/aws/backup/aws_snapshot_create_volume_permission.tf create mode 100644 terraform/aws/backup/aws_sns_platform_application.tf create mode 100644 terraform/aws/backup/aws_synthetics_canary.tf create mode 100644 terraform/aws/backup/aws_synthetics_group.tf create mode 100644 terraform/aws/backup/aws_synthetics_group_association.tf
diff --git a/src/aws.go b/src/aws.go
index 503f5064..464a4d27 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -804,6 +804,16 @@ func AwsLookup(name string) interface{} {
 "aws_ec2_client_vpn_route": awsEc2ClientVpnRoute,
 "aws_ec2_fleet": awsEc2Fleet,
 "aws_ec2_host": awsEc2Host,
+ "aws_accessanalyzer_archive_rule": awsAccessAnalyzerArchiveRule,
+ "aws_account_region": awsAccountRegion,
+ "aws_acmpca_permission": awsAcmpcaPermission,
+ "aws_acmpca_policy": awsAcmpcaPolicy,
+ "aws_simpledb_domain": awsSimpledbDomain,
+ "aws_snapshot_create_volume_permission": awsSnapshotCreateVolumePermission,
+ "aws_sns_platform_application": awsSnsPlatformApplication,
+ "aws_synthetics_canary": awsSyntheticsCanary,
+ "aws_synthetics_group": awsSyntheticsGroup,
+ "aws_synthetics_group_association": awsSyntheticsGroupAssociation,
 }
 return TFLookup[name]
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index 07b2caa7..7fb43be6 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
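Review bot: The ten new map entries are inserted after `"aws_ec2_host"` instead of beside their alphabetical neighbours, so `"aws_accessanalyzer_archive_rule"` now lives far from the existing `aws_accessanalyzer_analyzer` entry and later additions will keep fragmenting the literal; keeping the keys sorted makes duplicate or missing entries visible at review time. The `return TFLookup[name]` context line directly after the literal's closing brace suggests the whole map is a local rebuilt on every AwsLookup call — if so, hoisting it to a package-level `var` would avoid that allocation (inferred; AwsLookup starts outside the hunk).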
@@ -1,12 +1,8 @@
 # todo aws
-Resource percentage coverage 53.07
+Resource percentage coverage 54.31
 Datasource percentage coverage 100.00
-./resource.ps1 aws_accessanalyzer_archive_rule
-./resource.ps1 aws_account_region
-./resource.ps1 aws_acmpca_permission
-./resource.ps1 aws_acmpca_policy
 ./resource.ps1 aws_amplify_app
 ./resource.ps1 aws_amplify_backend_environment
 ./resource.ps1 aws_amplify_branch
@@ -577,9 +573,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_shield_protection
 ./resource.ps1 aws_shield_protection_group
 ./resource.ps1 aws_shield_protection_health_check_association
-./resource.ps1 aws_simpledb_domain
-./resource.ps1 aws_snapshot_create_volume_permission
-./resource.ps1 aws_sns_platform_application
 ./resource.ps1 aws_spot_datafeed_subscription
 ./resource.ps1 aws_spot_fleet_request
 ./resource.ps1 aws_ssm_activation
@@ -601,9 +594,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_ssoadmin_permission_set_inline_policy
 ./resource.ps1 aws_ssoadmin_permissions_boundary_attachment
 ./resource.ps1 aws_ssoadmin_trusted_token_issuer
-./resource.ps1 aws_synthetics_canary
-./resource.ps1 aws_synthetics_group
-./resource.ps1 aws_synthetics_group_association
 ./resource.ps1 aws_transcribe_language_model
 ./resource.ps1 aws_transcribe_medical_vocabulary
 ./resource.ps1 aws_transcribe_vocabulary
diff --git a/src/files.go b/src/files.go
index c4dd9c05..6a8887ac 100644
--- a/src/files.go
+++ b/src/files.go
@@ -2052,3 +2052,33 @@ var awsEc2Fleet []byte
 //go:embed mapping/aws/resource/ec2/aws_ec2_host.json
 var awsEc2Host []byte
+
+//go:embed mapping/aws/resource/access-analyzer/aws_accessanalyzer_archive_rule.json
+var awsAccessAnalyzerArchiveRule []byte
+
+//go:embed mapping/aws/resource/account/aws_account_region.json
+var awsAccountRegion []byte
+
+//go:embed mapping/aws/resource/acm-pa/aws_acmpca_permission.json
+var awsAcmpcaPermission []byte
+
+//go:embed mapping/aws/resource/acm-pa/aws_acmpca_policy.json
+var awsAcmpcaPolicy []byte
+
+//go:embed mapping/aws/resource/sdb/aws_simpledb_domain.json
+var awsSimpledbDomain []byte
+
+//go:embed mapping/aws/resource/ec2/aws_snapshot_create_volume_permission.json
+var awsSnapshotCreateVolumePermission []byte
+
+//go:embed mapping/aws/resource/sns/aws_sns_platform_application.json
+var awsSnsPlatformApplication []byte
+
+//go:embed mapping/aws/resource/synthetics/aws_synthetics_canary.json
+var awsSyntheticsCanary []byte
+
+//go:embed mapping/aws/resource/synthetics/aws_synthetics_group.json
+var awsSyntheticsGroup []byte
+
+//go:embed mapping/aws/resource/synthetics/aws_synthetics_group_association.json
+var awsSyntheticsGroupAssociation []byte
diff --git a/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_analyzer.json b/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_analyzer.json
index 517ae15a..409ae353 100644
--- a/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_analyzer.json
+++ b/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_analyzer.json
@@ -5,7 +5,7 @@
 "access-analyzer:DeleteAnalyzer",
 "access-analyzer:GetAnalyzer",
 "access-analyzer:ListAnalyzers",
- "access-analyzer:UpdateAnalyzer"
+ "iam:CreateServiceLinkedRole"
 ],
 "attributes": {
 "tags": [
@@ -16,9 +16,7 @@
 "destroy": [
 "access-analyzer:DeleteAnalyzer"
 ],
- "modify": [
- "access-analyzer:UpdateAnalyzer"
- ],
+ "modify": [],
 "plan": []
 }
]
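Review bot: `iam:CreateServiceLinkedRole` joins the `apply` list unqualified, and this mapping format carries action names only, so any policy generated from it lets the principal create the service-linked role of every AWS service rather than only the one for `access-analyzer.amazonaws.com`; wherever the generated policy is consumed, that action should be narrowed with an `iam:AWSServiceName` condition to stay least-privilege. The second hunk also empties `modify`, so an in-place change to the analyzer now maps to no action at all — worth confirming that is intended and not just a side effect of dropping `access-analyzer:UpdateAnalyzer` from `apply`. JSON cannot carry a comment, so the reason for the swap belongs in the commit message.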
diff --git a/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_archive_rule.json b/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_archive_rule.json
new file mode 100644
index 00000000..b01af32a
--- /dev/null
+++ b/src/mapping/aws/resource/access-analyzer/aws_accessanalyzer_archive_rule.json
@@ -0,0 +1,20 @@
+[
+ {
+ "apply": [
+ "access-analyzer:DeleteArchiveRule",
+ "access-analyzer:CreateArchiveRule",
+ "access-analyzer:GetArchiveRule",
+ "access-analyzer:UpdateArchiveRule"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "access-analyzer:DeleteArchiveRule"
+ ],
+ "modify": [
+ "access-analyzer:UpdateArchiveRule"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/account/aws_account_region.json b/src/mapping/aws/resource/account/aws_account_region.json
new file mode 100644
index 00000000..4008011d
--- /dev/null
+++ b/src/mapping/aws/resource/account/aws_account_region.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "account:EnableRegion",
+ "account:DisableRegion"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/acm-pa/aws_acmpca_permission.json b/src/mapping/aws/resource/acm-pa/aws_acmpca_permission.json
new file mode 100644
index 00000000..c0245561
--- /dev/null
+++ b/src/mapping/aws/resource/acm-pa/aws_acmpca_permission.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "acm-pca:CreatePermission",
+ "acm-pca:DeletePermission",
+ "acm-pca:ListPermissions"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "acm-pca:DeletePermission"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/acm-pa/aws_acmpca_policy.json b/src/mapping/aws/resource/acm-pa/aws_acmpca_policy.json
new file mode 100644
index 00000000..bc048210
--- /dev/null
+++ b/src/mapping/aws/resource/acm-pa/aws_acmpca_policy.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "acm-pca:GetPolicy",
+ "acm-pca:DeletePolicy",
+ "acm-pca:PutPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "acm-pca:DeletePolicy"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_snapshot_create_volume_permission.json b/src/mapping/aws/resource/ec2/aws_snapshot_create_volume_permission.json
new file mode 100644
index 00000000..5909adde
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_snapshot_create_volume_permission.json
@@ -0,0 +1,13 @@
+[
+ {
+ "apply": [
+ "ec2:ModifySnapshotAttribute"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/sdb/aws_simpledb_domain.json b/src/mapping/aws/resource/sdb/aws_simpledb_domain.json
new file mode 100644
index 00000000..64ab6134
--- /dev/null
+++ b/src/mapping/aws/resource/sdb/aws_simpledb_domain.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "sdb:CreateDomain",
+ "sdb:DomainMetadata",
+ "sdb:DeleteDomain"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "sdb:DeleteDomain"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/sns/aws_sns_platform_application.json b/src/mapping/aws/resource/sns/aws_sns_platform_application.json
new file mode 100644
index 00000000..e3301f83
--- /dev/null
+++ b/src/mapping/aws/resource/sns/aws_sns_platform_application.json
@@ -0,0 +1,18 @@
+[
+ {
+ "apply": [
+ "sns:CreatePlatformApplication",
+ "sns:DeletePlatformApplication",
+ "sns:SetPlatformApplicationAttributes",
+ "sns:GetPlatformApplicationAttributes"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "sns:DeletePlatformApplication"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/synthetics/aws_synthetics_canary.json b/src/mapping/aws/resource/synthetics/aws_synthetics_canary.json
new file mode 100644
index 00000000..5070264d
--- /dev/null
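Review bot: `destroy` is empty for aws_snapshot_create_volume_permission, yet removing the resource revokes the createVolumePermission entry, which is itself an `ec2:ModifySnapshotAttribute` call, so a policy built from this mapping could create the permission but never tear it down; the fix is `"destroy": ["ec2:ModifySnapshotAttribute"]`. The read path presumably also needs `ec2:DescribeSnapshotAttribute` alongside it in `apply`, since the provider has to read the permission list back after changing it — confirm against the provider before adding it. The sibling mappings in this and the previous hunk list their delete action in `destroy`, so this one is the odd one out.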
+++ b/src/mapping/aws/resource/synthetics/aws_synthetics_canary.json
@@ -0,0 +1,20 @@
+[
+ {
+ "apply": [
+ "synthetics:GetCanary",
+ "synthetics:CreateCanary",
+ "synthetics:DeleteCanary",
+ "synthetics:UpdateCanary"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "synthetics:DeleteCanary"
+ ],
+ "modify": [
+ "synthetics:UpdateCanary"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/synthetics/aws_synthetics_group.json b/src/mapping/aws/resource/synthetics/aws_synthetics_group.json
new file mode 100644
index 00000000..beb72438
--- /dev/null
+++ b/src/mapping/aws/resource/synthetics/aws_synthetics_group.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "synthetics:CreateGroup",
+ "synthetics:GetGroup",
+ "synthetics:DeleteGroup"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "synthetics:DeleteGroup"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/synthetics/aws_synthetics_group_association.json b/src/mapping/aws/resource/synthetics/aws_synthetics_group_association.json
new file mode 100644
index 00000000..e8c7f9c5
--- /dev/null
+++ b/src/mapping/aws/resource/synthetics/aws_synthetics_group_association.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "synthetics:AssociateResource",
+ "synthetics:DisassociateResource"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/terraform/aws/backup/aws_accessanalyzer_archive_rule.tf b/terraform/aws/backup/aws_accessanalyzer_archive_rule.tf
new file mode 100644
index 00000000..8e566096
--- /dev/null
+++ b/terraform/aws/backup/aws_accessanalyzer_archive_rule.tf
@@ -0,0 +1,23 @@
+resource "aws_accessanalyzer_archive_rule" "pike" {
+ analyzer_name = aws_accessanalyzer_analyzer.pike.analyzer_name
+ rule_name = "example-rule"
+
+ filter {
+ criteria = "condition.aws:UserId"
+ eq = ["userid"]
+ }
+
+ filter {
+ criteria = "error"
+ exists = true
+ }
+
+ filter {
+ criteria = "isPublic"
+ eq = ["false"]
+ }
+}
+
+resource "aws_accessanalyzer_analyzer" "pike" {
+ analyzer_name = "pike"
+}
diff --git a/terraform/aws/backup/aws_account_region.tf b/terraform/aws/backup/aws_account_region.tf
new file mode 100644
index 00000000..37280fb4
--- /dev/null
+++ b/terraform/aws/backup/aws_account_region.tf
@@ -0,0 +1,4 @@
+resource "aws_account_region" "pike" {
+ region_name = "eu-west-2"
+ enabled = true
+}
diff --git a/terraform/aws/backup/aws_acmpca_permission.tf b/terraform/aws/backup/aws_acmpca_permission.tf
new file mode 100644
index 00000000..0c4fc6d8
--- /dev/null
+++ b/terraform/aws/backup/aws_acmpca_permission.tf
@@ -0,0 +1,3 @@
+resource "aws_acmpca_permission" "pike" {
+
+}
diff --git a/terraform/aws/backup/aws_acmpca_policy.tf b/terraform/aws/backup/aws_acmpca_policy.tf
new file mode 100644
index 00000000..69537ddd
--- /dev/null
+++ b/terraform/aws/backup/aws_acmpca_policy.tf
@@ -0,0 +1,2 @@
+resource "aws_acmpca_policy" "pike" {
+}
diff --git a/terraform/aws/backup/aws_simpledb_domain.tf b/terraform/aws/backup/aws_simpledb_domain.tf
new file mode 100644
index 00000000..ba8a8c7d
--- /dev/null
+++ b/terraform/aws/backup/aws_simpledb_domain.tf
@@ -0,0 +1,4 @@
+resource "aws_simpledb_domain" "pike" {
+ provider = aws.central
+ name = "pike"
+}
diff --git a/terraform/aws/backup/aws_snapshot_create_volume_permission.tf b/terraform/aws/backup/aws_snapshot_create_volume_permission.tf
new file mode 100644
index 00000000..3cd6bc80
--- /dev/null
+++ b/terraform/aws/backup/aws_snapshot_create_volume_permission.tf
@@ -0,0 +1,15 @@
+resource "aws_snapshot_create_volume_permission" "pike" {
+ account_id = "1234567890"
+ snapshot_id = aws_ebs_snapshot.example_snapshot.id
+}
+
+resource "aws_ebs_volume" "example" {
+ availability_zone = "eu-west-2a"
+ size = 40
+}
+
+resource "aws_ebs_snapshot" "example_snapshot" {
+ volume_id = aws_ebs_volume.example.id
+}
+
+#data "aws_caller_identity" "current" {}
diff --git a/terraform/aws/backup/aws_sns_platform_application.tf b/terraform/aws/backup/aws_sns_platform_application.tf
new file mode 100644
index 00000000..1f1c2c9d
--- /dev/null
+++ b/terraform/aws/backup/aws_sns_platform_application.tf
@@ -0,0 +1,5 @@
+resource "aws_sns_platform_application" "pike" {
+ name = "pike"
+ platform = "GCM"
+ platform_credential = ""
+}
diff --git a/terraform/aws/backup/aws_synthetics_canary.tf b/terraform/aws/backup/aws_synthetics_canary.tf
new file mode 100644
index 00000000..1667df34
--- /dev/null
+++ b/terraform/aws/backup/aws_synthetics_canary.tf
@@ -0,0 +1,14 @@
+resource "aws_synthetics_canary" "pike" {
+ name = "pike"
+ schedule {
+ expression = ""
+ }
+
+ artifact_s3_location = ""
+ handler = ""
+ runtime_version = ""
+ execution_role_arn = ""
+ tags = {
+ pike = "permissions"
+ }
+}
diff --git a/terraform/aws/backup/aws_synthetics_group.tf b/terraform/aws/backup/aws_synthetics_group.tf
new file mode 100644
index 00000000..62d00afe
--- /dev/null
+++ b/terraform/aws/backup/aws_synthetics_group.tf
@@ -0,0 +1,3 @@
+resource "aws_synthetics_group" "pike" {
+ name = "pike"
+}
diff --git a/terraform/aws/backup/aws_synthetics_group_association.tf b/terraform/aws/backup/aws_synthetics_group_association.tf
new file mode 100644
index 00000000..52223bbb
--- /dev/null
+++ b/terraform/aws/backup/aws_synthetics_group_association.tf
@@ -0,0 +1,4 @@
+resource "aws_synthetics_group_association" "pike" {
+ group_name = "pike"
+ canary_arn = aws_synthetics_canary.pike.arn
+}
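Review bot: `account_id = "1234567890"` is ten digits, but AWS account IDs are twelve, so this fixture fails provider validation the moment it is applied rather than merely parsed. The commented-out `data "aws_caller_identity" "current" {}` on the last line suggests the intent was the caller's own account, which would be `account_id = data.aws_caller_identity.current.account_id` with that data source uncommented; if a literal is preferred, use a twelve-digit placeholder such as `"123456789012"` (a constructed sample). Pointing the fixture at the current account also avoids granting createVolumePermission on a real snapshot to a foreign account during manual testing, which is exactly what this resource does when applied.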
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
index b0145677..8737c8c9 100644
--- a/terraform/aws/role/aws_iam_policy.basic.tf
+++ b/terraform/aws/role/aws_iam_policy.basic.tf
@@ -7,82 +7,35 @@ resource "aws_iam_policy" "basic" {
 "Sid" : "0",
 "Effect" : "Allow",
 "Action" : [
- //aws_ec2_client_vpn_authorization_rule
- "ec2:DescribeClientVpnAuthorizationRules",
-
- //aws_ec2_client_vpn_network_association
- "ec2:AssociateClientVpnTargetNetwork",
- "ec2:DisassociateClientVpnTargetNetwork",
-
- //aws_ec2_client_vpn_route
- "ec2:CreateClientVpnRoute",
- "ec2:DescribeClientVpnRoutes",
- "ec2:DeleteClientVpnRoute",
-
- //aws_ec2_host
- "ec2:AllocateHosts",
- "ec2:DescribeHosts",
- "ec2:ReleaseHosts",
- "ec2:CreateTags",
- "ec2:DeleteTags",
-
- //aws_ec2_client_vpn_endpoint
- "ec2:CreateClientVpnEndpoint",
- "ec2:DeleteClientVpnEndpoint",
- "ec2:DescribeClientVpnEndpoints",
- "ec2:ModifyClientVpnEndpoint",
- "iam:CreateServiceLinkedRole",
- "ec2:CreateTags",
- "ec2:DeleteTags",
-
- //aws_ec2_carrier_gateway
- "ec2:CreateCarrierGateway",
- "ec2:DeleteCarrierGateway",
- "ec2:DescribeCarrierGateways",
- "ec2:CreateTags",
- "ec2:DeleteTags",
-
- //aws_ec2_fleet
- "ec2:CreateFleet",
- "ec2:RunInstances",
- "ec2:DescribeFleets",
- "ec2:DeleteFleets",
- "ec2:CreateTags",
- "ec2:DeleteTags",
-
- "ec2:DescribeNetworkInterfaces",
- "acm:AddTagsToCertificate",
- "acm:DeleteCertificate",
- "acm:DescribeCertificate",
- "acm:ListTagsForCertificate",
- "acm:RemoveTagsFromCertificate",
- "acm:RequestCertificate",
 "dynamodb:DeleteItem",
 "dynamodb:DescribeTable",
 "dynamodb:GetItem",
 "dynamodb:PutItem",
- "ec2:CreateLaunchTemplate",
- "ec2:CreateLaunchTemplateVersion",
- "ec2:CreateSubnet",
- "ec2:DeleteLaunchTemplate",
- "ec2:DeleteSubnet",
- "ec2:DescribeAccountAttributes",
- "ec2:DescribeInstanceTypes",
- "ec2:DescribeLaunchTemplateVersions",
- "ec2:DescribeLaunchTemplates",
- "ec2:DescribeSubnets",
- "logs:CreateLogGroup",
- "logs:CreateLogStream",
- "logs:DeleteLogGroup",
- "logs:DeleteLogStream",
- "logs:DescribeLogGroups",
- "logs:DescribeLogStreams",
- "logs:ListTagsLogGroup",
+ "ec2:CreateSnapshot",
+ "ec2:CreateVolume",
+ "ec2:DeleteSnapshot",
+ "ec2:DeleteVolume",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeVolumes",
+ "ec2:ModifyVolume",
 "s3:DeleteObject",
 "s3:GetObject",
 "s3:ListBucket",
- "s3:PutObject"
+ "s3:PutObject",
+
+ //aws_sns_platform_application
+ "sns:CreatePlatformApplication",
+ "sns:DeletePlatformApplication",
+ "sns:SetPlatformApplicationAttributes",
+ "sns:GetPlatformApplicationAttributes",
+
+ //aws_simpledb_domain
+ "sdb:CreateDomain",
+ "sdb:DomainMetadata",
+ "sdb:DeleteDomain",
+ //aws_snapshot_create_volume_permission
+ "ec2:ModifySnapshotAttribute"
 ],
 "Resource" : "*",
 }