azure

.run/go build github.com_jameswoolfenden_pike.run.xml → .run/scan.run.xml

@@ -1,5 +1,5 @@
 <component name="ProjectRunConfigurationManager">
-  <configuration default="false" name="go build github.com/jameswoolfenden/pike" type="GoApplicationRunConfiguration" factoryName="Go Application" nameIsGenerated="true">
+  <configuration default="false" name="scan" type="GoApplicationRunConfiguration" factoryName="Go Application">
     <module name="pike" />
     <working_directory value="$PROJECT_DIR$" />
     <parameters value="scan -d terraform/aws/backup" />

main.go

@@ -144,7 +144,11 @@ func main() {
 					},
 				},
 				Action: func(*cli.Context) error {
-					return pike.Scan(directory, output, file, init, write)
+					if file == "" {
+						return pike.Scan(directory, output, nil, init, write)
+					}
+
+					return pike.Scan(directory, output, &file, init, write)
 				},
 			},
 			{

src/aws.go

@@ -322,6 +322,7 @@ func GetAWSResourcePermissions(result ResourceV2) ([]string, error) {
 		"aws_vpc_endpoint_route_table_association":           awsVpcEndpointRouteTableAssociation,
 		"aws_appconfig_configuration_profile":                awsAppconfigConfigurationProfile,
 		"aws_appconfig_application":                          awsAppconfigApplication,
+		"aws_dax_cluster":                                    awsDaxCluster,
 	}
 
 	var Permissions []string

src/aws_datasource.go

@@ -108,6 +108,8 @@ func GetAWSDataPermissions(result ResourceV2) ([]string, error) {
 		"aws_kms_custom_key_store":                  dataAwsKmsCustomKeyStore,
 		"aws_vpc_ipam_pool_cidrs":                   dataAwsVpcIpamPoolCidrs,
 		"aws_vpc_ipam_pool":                         dataAwsVpcIpamPoolCidrs,
+		"aws_elastic_beanstalk_hosted_zone":         placeholder,
+		"aws_elastic_beanstalk_application":         dataAwsElasticBeanstalkApplication,
 	}
 
 	var Permissions []string

src/compare.go

@@ -30,7 +30,7 @@ func Compare(directory string, arn string, init bool) (bool, error) {
 
 	Policy, _ := GetPolicyVersion(client, arn, *Version)
 
-	iacPolicy, err := MakePolicy(directory, "", init)
+	iacPolicy, err := MakePolicy(directory, nil, init)
 
 	if err != nil {
 		return theSame, err

src/files.go

@@ -816,3 +816,6 @@ var awsAppconfigConfigurationProfile []byte
 
 //go:embed mapping/aws/resource/appconfig/aws_appconfig_application.json
 var awsAppconfigApplication []byte
+
+//go:embed mapping/aws/resource/dax/aws_dax_cluster.json
+var awsDaxCluster []byte

src/files_datasource.go

@@ -246,3 +246,6 @@ var dataAwsKmsCustomKeyStore []byte
 
 //go:embed mapping/aws/data/ec2/aws_vpc_ipam_pool_cidrs.json
 var dataAwsVpcIpamPoolCidrs []byte
+
+//go:embed mapping/aws/data/elasticbeanstalk/aws_elastic_beanstalk_application.json
+var dataAwsElasticBeanstalkApplication []byte

src/files_gcp.go

@@ -40,7 +40,7 @@ var googleCloudfunctionsFunctionIamPolicy []byte
 //go:embed mapping/gcp/resource/iam/google_project_iam_custom_role.json
 var googleProjectIamCustomRole []byte
 
-//go:embed mapping/gcp/resource/iam/google_sevice_account.json
+//go:embed mapping/gcp/resource/iam/google_service_account.json
 var googleServiceAccount []byte
 
 //go:embed mapping/gcp/resource/cloudkms/google_kms_key_ring.json

src/gitHub.go

@@ -8,7 +8,7 @@ import (
 	"github.com/google/go-github/v47/github"
 )
 
-// InvokeGithubDispatchEvent uses your gitHub api key (if sufficiently enabled) to invoke a github action workflow
+// InvokeGithubDispatchEvent uses your gitHub api key (if sufficiently enabled) to invoke a gitHub action workflow
 func InvokeGithubDispatchEvent(repository string, workflowFileName string, branch string) error {
 	owner, repo, err := splitHub(repository)
 

src/make.go

@@ -16,7 +16,7 @@ func Make(directory string) (*string, error) {
 	err := Scan(
 		directory,
 		"terraform",
-		"",
+		nil,
 		true,
 		true,
 	)

src/mapping/aws/data/elasticbeanstalk/aws_elastic_beanstalk_application.json

@@ -0,0 +1,14 @@
+[
+  {
+    "apply": [],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": [
+      "elasticbeanstalk:DescribeApplications",
+      "ec2:DescribeAccountAttributes"
+    ]
+  }
+]

src/mapping/aws/data/elasticbeanstalk/aws_elastic_beanstalk_solution_stack.json

@@ -1,13 +1,14 @@
-[
-  {
-    "apply": [
-      "elasticbeanstalk:ListAvailableSolutionStacks"
-    ],
-    "attributes": {
-      "tags": []
-    },
-    "destroy": [],
-    "modify": [],
-    "plan": []
-  }
-]
+[
+  {
+    "apply": [],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [],
+    "modify": [],
+    "plan": [
+      "ec2:DescribeAccountAttributes",
+      "elasticbeanstalk:ListAvailableSolutionStacks"
+    ]
+  }
+]

src/mapping/aws/resource/dax/aws_dax_cluster.json

@@ -0,0 +1,27 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "dax:CreateCluster",
+      "dax:DescribeClusters",
+      "dax:DeleteCluster",
+      "dax:ListTags"
+    ],
+    "attributes": {
+      "iam_role_arn": [
+        "iam:PassRole"
+      ],
+      "tags": [
+        "dax:TagResource",
+        "dax:UntagResource"
+      ]
+    },
+    "destroy": [
+      "dax:DeleteCluster"
+    ],
+    "modify": [
+      "dax:UpdateCluster"
+    ],
+    "plan": []
+  }
+]

src/mapping/aws/resource/eks/aws_eks_addon.json

@@ -0,0 +1,23 @@
+[
+  {
+    "apply": [
+      "eks:CreateAddon",
+      "eks:DescribeAddon",
+      "eks:DescribeAddonVersions",
+      "eks:DeleteAddon"
+    ],
+    "attributes": {
+      "tags": [
+        "eks:TagResource",
+        "eks:UntagResource"
+      ]
+    },
+    "destroy": [
+      "eks:DeleteAddon"
+    ],
+    "modify": [
+      "eks:UpdateAddon"
+    ],
+    "plan": []
+  }
+]

src/mapping/aws/resource/eks/aws_eks_cluster.json

@@ -0,0 +1,25 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "eks:CreateCluster",
+      "eks:DeleteCluster",
+      "eks:ListTagsForResource",
+      "iam:PassRole",
+      "eks:DescribeCluster"
+    ],
+    "attributes": {
+      "tags": [
+        "eks:TagResource",
+        "eks:UntagResource"
+      ]
+    },
+    "destroy": [
+      "eks:DeleteCluster"
+    ],
+    "modify": [
+      "eks:UpdateClusterConfig"
+    ],
+    "plan": []
+  }
+]

src/mapping/aws/resource/eks/aws_eks_node_group.json

@@ -0,0 +1,27 @@
+[
+  {
+    "apply": [
+      "ec2:DescribeAccountAttributes",
+      "eks:CreateNodegroup",
+      "eks:DeleteNodegroup",
+      "iam:GetRole",
+      "iam:ListAttachedRolePolicies",
+      "ec2:DescribeSubnets",
+      "iam:CreateServiceLinkedRole",
+      "eks:DescribeNodegroup"
+    ],
+    "attributes": {
+      "tags": [
+        "eks:TagResource",
+        "eks:UntagResource"
+      ]
+    },
+    "destroy": [
+      "eks:DeleteNodegroup"
+    ],
+    "modify": [
+      "eks:UpdateNodegroupConfig"
+    ],
+    "plan": []
+  }
+]

src/mapping/gcp/resource/iam/google_sevice_account.json → src/mapping/gcp/resource/iam/google_service_account.json

@@ -1,18 +1,18 @@
-[
-  {
-    "apply": [
-      "iam.serviceAccounts.create",
-      "iam.serviceAccounts.get"
-    ],
-    "attributes": {
-      "tags": []
-    },
-    "destroy": [
-      "iam.serviceAccounts.delete"
-    ],
-    "modify": [
-      "iam.serviceAccounts.update"
-    ],
-    "plan": []
-  }
-]
+[
+  {
+    "apply": [
+      "iam.serviceAccounts.create",
+      "iam.serviceAccounts.get"
+    ],
+    "attributes": {
+      "tags": []
+    },
+    "destroy": [
+      "iam.serviceAccounts.delete"
+    ],
+    "modify": [
+      "iam.serviceAccounts.update"
+    ],
+    "plan": []
+  }
+]

src/readme.go

@@ -15,7 +15,7 @@ func Readme(dirName string, output string, init bool, autoAppend bool) error {
 		return err
 	}
 
-	OutPolicy, err2 := MakePolicy(dirName, "", init)
+	OutPolicy, err2 := MakePolicy(dirName, nil, init)
 	if err2 != nil {
 		return err2
 	}
@@ -27,7 +27,7 @@ func Readme(dirName string, output string, init bool, autoAppend bool) error {
 	case "json":
 		markdown = "\nThe Policy required is:\n\n```json\n" + OutPolicy.AsString(output) + "\n```\n"
 	default:
-		return errors.New("Output formats are terraform or json")
+		return errors.New("output formats are terraform or json")
 	}
 
 	err := ReplaceSection(file, markdown, autoAppend)

src/scan.go

@@ -19,7 +19,7 @@ import (
 const tfVersion = "1.2.3"
 
 // Scan looks for resources in a given directory
-func Scan(dirName string, output string, file string, init bool, write bool) error {
+func Scan(dirName string, output string, file *string, init bool, write bool) error {
 
 	OutPolicy, err := MakePolicy(dirName, file, init)
 	if err != nil {
@@ -138,10 +138,10 @@ func LocateTerraform() (string, error) {
 }
 
 // MakePolicy does the guts of determining a policy from code
-func MakePolicy(dirName string, file string, init bool) (OutputPolicy, error) {
+func MakePolicy(dirName string, file *string, init bool) (OutputPolicy, error) {
 	var files []string
 	var Output OutputPolicy
-	if file == "" {
+	if file == nil {
 		fullPath, err := filepath.Abs(dirName)
 
 		if err != nil {
@@ -163,7 +163,7 @@ func MakePolicy(dirName string, file string, init bool) (OutputPolicy, error) {
 			return Output, err
 		}
 	} else {
-		myFile, err := filepath.Abs(file)
+		myFile, err := filepath.Abs(*file)
 
 		if err != nil {
 			return Output, err

src/scan_test.go

@@ -14,18 +14,19 @@ func TestScan(t *testing.T) {
 		output  string
 		write   bool
 	}
+	testpath, _ := filepath.Abs("../terraform/aws/backup")
 	tests := []struct {
 		name    string
 		args    args
 		wantErr bool
 	}{
-		{"aws", args{"../terraform/aws/backup", "json", false}, false},
-		{"aws-out", args{"../terraform/aws/backup", "terraform", true}, false},
-		{"gcp", args{"../terraform/gcp/backup", "json", false}, false},
+		{"aws", args{testpath, "json", false}, false},
+		{"aws-out", args{testpath, "terraform", true}, false},
+		{"gcp", args{testpath, "json", false}, false},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := Scan(tt.args.dirname, tt.args.output, "", false, tt.args.write); (err != nil) != tt.wantErr {
+			if err := Scan(tt.args.dirname, tt.args.output, nil, false, tt.args.write); (err != nil) != tt.wantErr {
 				t.Errorf("Scan() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
@@ -119,26 +120,29 @@ func TestInit(t *testing.T) {
 func TestMakePolicy(t *testing.T) {
 	type args struct {
 		dirName string
-		file    string
+		file    *string
 		init    bool
 	}
+
+	bogus := "testdata/scan/examples/simple/bogus.tf"
+	real := "testdata/scan/examples/simple/aws_s3_bucket.pike.tf"
 	tests := []struct {
 		name    string
 		args    args
 		want    string
 		wantErr bool
 	}{
 		{"basic", args{
-			"testdata/init/nicconf", "", true},
-			"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"VisualEditor0\",\"Effect\":\"Allow\",\"Action\":[\"apigateway:DELETE\",\"apigateway:GET\",\"apigateway:PATCH\",\"apigateway:POST\",\"apigateway:PUT\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor1\",\"Effect\":\"Allow\",\"Action\":[\"application-autoscaling:DeleteScalingPolicy\",\"application-autoscaling:DeregisterScalableTarget\",\"application-autoscaling:DescribeScalableTargets\",\"application-autoscaling:DescribeScalingPolicies\",\"application-autoscaling:PutScalingPolicy\",\"application-autoscaling:RegisterScalableTarget\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor2\",\"Effect\":\"Allow\",\"Action\":[\"dynamodb:CreateTable\",\"dynamodb:DeleteTable\",\"dynamodb:DescribeContinuousBackups\",\"dynamodb:DescribeTable\",\"dynamodb:DescribeTimeToLive\",\"dynamodb:ListTagsOfResource\",\"dynamodb:TagResource\",\"dynamodb:UntagResource\",\"dynamodb:UpdateTable\",\"dynamodb:UpdateTimeToLive\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor3\",\"Effect\":\"Allow\",\"Action\":[\"ec2:DescribeAccountAttributes\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor4\",\"Effect\":\"Allow\",\"Action\":[\"iam:AttachRolePolicy\",\"iam:CreatePolicy\",\"iam:CreateRole\",\"iam:CreateServiceLinkedRole\",\"iam:DeletePolicy\",\"iam:DeleteRole\",\"iam:DeleteRolePermissionsBoundary\",\"iam:DetachRolePolicy\",\"iam:GetPolicy\",\"iam:GetPolicyVersion\",\"iam:GetRole\",\"iam:ListAttachedRolePolicies\",\"iam:ListInstanceProfilesForRole\",\"iam:ListPolicies\",\"iam:ListPolicyVersions\",\"iam:ListRolePolicies\",\"iam:PassRole\",\"iam:PutRolePermissionsBoundary\",\"iam:TagPolicy\",\"iam:TagRole\",\"iam:UntagPolicy\",\"iam:UpdateRoleDescription\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor5\",\"Effect\":\"Allow\",\"Action\":[\"lambda:AddPermission\",\"lambda:CreateFunction\",\"lambda:DeleteFunction\",\"lambda:DeleteLayerVersion\",\"lambda:GetFunction\",\"lambda:GetFunctionCodeSigningConfig\",\"lambda:GetLayerVersion\",\"lambda:GetPolicy\",\"lambda:ListVersionsByFunction\",\"lambda:PublishLayerVersion\",\"lambda:RemovePermission\",\"lambda:TagResource\",\"lambda:UntagResource\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor6\",\"Effect\":\"Allow\",\"Action\":[\"logs:AssociateKmsKey\",\"logs:CreateLogGroup\",\"logs:DeleteLogGroup\",\"logs:DeleteRetentionPolicy\",\"logs:DescribeLogGroups\",\"logs:DisassociateKmsKey\",\"logs:ListTagsLogGroup\",\"logs:PutRetentionPolicy\",\"logs:TagLogGroup\",\"logs:UntagLogGroup\"],\"Resource\":[\"*\"]},{\"Sid\":\"VisualEditor7\",\"Effect\":\"Allow\",\"Action\":[\"s3:DeleteObject\",\"s3:GetObject\",\"s3:GetObjectTagging\",\"s3:PutObject\"],\"Resource\":[\"*\"]}]}",
+			"testdata/init/nicconf", nil, true},
+			"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"VisualEditor0\",\"Effect\":\"Allow\",\"Action\":[\"apigateway:DELETE\",\"apigateway:GET\",\"apigateway:PATCH\",\"apigateway:POST\",\"apigateway:PUT\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor1\",\"Effect\":\"Allow\",\"Action\":[\"application-autoscaling:DeleteScalingPolicy\",\"application-autoscaling:DeregisterScalableTarget\",\"application-autoscaling:DescribeScalableTargets\",\"application-autoscaling:DescribeScalingPolicies\",\"application-autoscaling:PutScalingPolicy\",\"application-autoscaling:RegisterScalableTarget\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor2\",\"Effect\":\"Allow\",\"Action\":[\"dynamodb:CreateTable\",\"dynamodb:DeleteTable\",\"dynamodb:DescribeContinuousBackups\",\"dynamodb:DescribeTable\",\"dynamodb:DescribeTimeToLive\",\"dynamodb:ListTagsOfResource\",\"dynamodb:TagResource\",\"dynamodb:UntagResource\",\"dynamodb:UpdateTable\",\"dynamodb:UpdateTimeToLive\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor3\",\"Effect\":\"Allow\",\"Action\":[\"ec2:DescribeAccountAttributes\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor4\",\"Effect\":\"Allow\",\"Action\":[\"iam:AttachRolePolicy\",\"iam:CreatePolicy\",\"iam:CreateRole\",\"iam:CreateServiceLinkedRole\",\"iam:DeletePolicy\",\"iam:DeleteRole\",\"iam:DeleteRolePermissionsBoundary\",\"iam:DetachRolePolicy\",\"iam:GetPolicy\",\"iam:GetPolicyVersion\",\"iam:GetRole\",\"iam:ListAttachedRolePolicies\",\"iam:ListInstanceProfilesForRole\",\"iam:ListPolicies\",\"iam:ListPolicyVersions\",\"iam:ListRolePolicies\",\"iam:PassRole\",\"iam:PutRolePermissionsBoundary\",\"iam:TagPolicy\",\"iam:TagRole\",\"iam:UntagPolicy\",\"iam:UpdateRoleDescription\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor5\",\"Effect\":\"Allow\",\"Action\":[\"lambda:AddPermission\",\"lambda:CreateFunction\",\"lambda:DeleteFunction\",\"lambda:DeleteLayerVersion\",\"lambda:GetFunction\",\"lambda:GetFunctionCodeSigningConfig\",\"lambda:GetLayerVersion\",\"lambda:GetPolicy\",\"lambda:ListVersionsByFunction\",\"lambda:PublishLayerVersion\",\"lambda:RemovePermission\",\"lambda:TagResource\",\"lambda:UntagResource\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor6\",\"Effect\":\"Allow\",\"Action\":[\"logs:AssociateKmsKey\",\"logs:CreateLogGroup\",\"logs:DeleteLogGroup\",\"logs:DeleteRetentionPolicy\",\"logs:DescribeLogGroups\",\"logs:DisassociateKmsKey\",\"logs:ListTagsLogGroup\",\"logs:PutRetentionPolicy\",\"logs:TagLogGroup\",\"logs:UntagLogGroup\"],\"Resource\":\"*\"},{\"Sid\":\"VisualEditor7\",\"Effect\":\"Allow\",\"Action\":[\"s3:DeleteObject\",\"s3:GetObject\",\"s3:GetObjectTagging\",\"s3:PutObject\"],\"Resource\":\"*\"}]}",
 			false},
-		{"not a dir", args{"bogus", "", true},
+		{"not a dir", args{"bogus", nil, true},
 			"",
 			true},
-		{"a file", args{"", "testdata/scan/examples/simple/aws_s3_bucket.pike.tf", false},
-			"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"VisualEditor0\",\"Effect\":\"Allow\",\"Action\":[\"s3:CreateBucket\",\"s3:DeleteBucket\",\"s3:GetAccelerateConfiguration\",\"s3:GetBucketAcl\",\"s3:GetBucketCORS\",\"s3:GetBucketLogging\",\"s3:GetBucketObjectLockConfiguration\",\"s3:GetBucketPolicy\",\"s3:GetBucketRequestPayment\",\"s3:GetBucketTagging\",\"s3:GetBucketVersioning\",\"s3:GetBucketWebsite\",\"s3:GetEncryptionConfiguration\",\"s3:GetLifecycleConfiguration\",\"s3:GetObject\",\"s3:GetObjectAcl\",\"s3:GetReplicationConfiguration\",\"s3:ListBucket\"],\"Resource\":[\"*\"]}]}",
+		{"a file", args{"", &real, false},
+			"{\"Version\":\"2012-10-17\",\"Statement\": [{\"Sid\": \"VisualEditor0\",\"Effect\": \"Allow\",\"Action\": [\"s3:CreateBucket\",\"s3:DeleteBucket\",\"s3:GetAccelerateConfiguration\",\"s3:GetBucketAcl\",\"s3:GetBucketCORS\",\"s3:GetBucketLogging\",\"s3:GetBucketObjectLockConfiguration\",\"s3:GetBucketPolicy\",\"s3:GetBucketRequestPayment\",\"s3:GetBucketTagging\",\"s3:GetBucketVersioning\",\"s3:GetBucketWebsite\",\"s3:GetEncryptionConfiguration\",\"s3:GetLifecycleConfiguration\",\"s3:GetObject\",\"s3:GetObjectAcl\",\"s3:GetReplicationConfiguration\",\"s3:ListBucket\"],\"Resource\": \"*\"}]}",
 			false},
-		{"not a file", args{"", "testdata/scan/examples/simple/bogus.tf", false},
+		{"not a file", args{"", &bogus, false},
 			"",
 			true},
 	}

terraform/aws/aws_eks_addon.tf

@@ -0,0 +1,4 @@
+resource "aws_eks_addon" "pike" {
+  cluster_name = aws_eks_cluster.pike.name
+  addon_name   = "vpc-cni"
+}