resource group

JamesWoolfenden · Dec 18, 2022 · dccaebe · dccaebe
1 parent ca9a514
commit dccaebe
Show file tree

Hide file tree

Showing 8 changed files with 115 additions and 8 deletions.
diff --git a/src/aws.go b/src/aws.go
@@ -395,6 +395,8 @@ func GetAWSResourcePermissions(result ResourceV2) ([]string, error) {
 		"aws_xray_group":                                     awsXrayGroup,
 		"aws_xray_sampling_rule":                             awsXraySamplingRule,
 		"aws_kms_grant":                                      awsKmsGrant,
+		"aws_applicationinsights_application":                awsApplicationinsightsApplication,
+		"aws_resourcegroups_group":                           awsResourcegroupsGroup,
 	}
 
 	var Permissions []string

diff --git a/src/files.go b/src/files.go
@@ -993,3 +993,9 @@ var awsXraySamplingRule []byte
 
 //go:embed mapping/aws/resource/kms/aws_kms_grant.json
 var awsKmsGrant []byte
+
+//go:embed mapping/aws/resource/applicationinsights/aws_applicationinsights_application.json
+var awsApplicationinsightsApplication []byte
+
+//go:embed mapping/aws/resource/resource-groups/aws_resourcegroups_group.json
+var awsResourcegroupsGroup []byte
diff --git a/src/mapping/aws/resource/applicationinsights/aws_applicationinsights_application.json b/src/mapping/aws/resource/applicationinsights/aws_applicationinsights_application.json
@@ -0,0 +1,25 @@
+[
+  {
+    "apply": [
+      "applicationinsights:CreateApplication",
+      "iam:CreateServiceLinkedRole",
+      "logs:DescribeLogGroups",
+      "applicationinsights:DescribeApplication",
+      "applicationinsights:ListTagsForResource",
+      "applicationinsights:DeleteApplication"
+    ],
+    "attributes": {
+      "tags": [
+        "applicationinsights:TagResource",
+        "applicationinsights:UntagResource"
+      ]
+    },
+    "destroy": [
+      "applicationinsights:DeleteApplication"
+    ],
+    "modify": [
+      "applicationinsights:UpdateApplication"
+    ],
+    "plan": []
+  }
+]
diff --git a/src/mapping/aws/resource/resource-groups/aws_resourcegroups_group.json b/src/mapping/aws/resource/resource-groups/aws_resourcegroups_group.json
@@ -0,0 +1,24 @@
+[
+  {
+    "apply": [
+      "resource-groups:CreateGroup",
+      "resource-groups:GetGroup",
+      "resource-groups:GetGroupQuery",
+      "resource-groups:GetTags",
+      "resource-groups:DeleteGroup"
+    ],
+    "attributes": {
+      "tags": [
+        "resource-groups:Untag",
+        "resource-groups:Tag"
+      ]
+    },
+    "destroy": [
+      "resource-groups:DeleteGroup"
+    ],
+    "modify": [
+      "resource:UpdateGroup"
+    ],
+    "plan": []
+  }
+]
diff --git a/terraform/aws/backup/aws_applicationinsights_application.tf b/terraform/aws/backup/aws_applicationinsights_application.tf
@@ -0,0 +1,15 @@
+resource "aws_applicationinsights_application" "pike" {
+  resource_group_name    = aws_resourcegroups_group.pike.name
+  auto_config_enabled    = true
+  auto_create            = true
+  ops_center_enabled     = true
+  ops_item_sns_topic_arn = data.aws_sns_topic.pike.arn
+  tags = {
+    pike = "permissions"
+  }
+}
+
+
+data "aws_sns_topic" "pike" {
+  name = "pike"
+}
diff --git a/terraform/aws/backup/aws_resourcegroups_group.tf b/terraform/aws/backup/aws_resourcegroups_group.tf
@@ -0,0 +1,24 @@
+resource "aws_resourcegroups_group" "pike" {
+  name = "pike"
+
+  resource_query {
+    query = <<JSON
+    {
+        "ResourceTypeFilters": [
+          "AWS::EC2::Instance"
+        ],
+        "TagFilters": [
+          {
+            "Key": "Stage",
+            "Values": [
+              "Test"
+            ]
+          }
+        ]
+      }
+JSON
+  }
+  tags = {
+    pike = "permissions"
+  }
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
@@ -8,15 +8,27 @@ resource "aws_iam_policy" "basic" {
         "Effect" : "Allow",
         "Action" : [
           "ec2:DescribeAccountAttributes",
-          "kms:DescribeKey",
+          "SNS:ListTopics",
 
-          #data role
-          "iam:GetRole",
+          "resource-groups:CreateGroup",
+          "resource-groups:GetGroup",
+          "resource-groups:GetGroupQuery",
+          "resource-groups:GetTags",
+          "resource-groups:DeleteGroup",
+          "resource-groups:Untag",
+          "resource-groups:Tag",
+          "resource:UpdateGroup",
 
-          #grant
-          "kms:CreateGrant",
-          "kms:ListGrants",
-          "kms:RevokeGrant"
+          "applicationinsights:CreateApplication",
+          "applicationinsights:TagResource",
+          "applicationinsights:UntagResource",
+          "iam:CreateServiceLinkedRole",
+          "logs:DescribeLogGroups",
+          "applicationinsights:DescribeApplication",
+          "applicationinsights:ListTagsForResource",
+          "applicationinsights:DeleteApplication",
+
+          "applicationinsights:UpdateApplication"
         ],
         "Resource" : "*",
       }

diff --git a/todo.md b/todo.md
@@ -1,7 +1,6 @@
 # todo
 
 ./resource.ps1 aws_acm_certificate -type data
-./resource.ps1 aws_applicationinsights_application
 ./resource.ps1 aws_appmesh_gateway_route
 ./resource.ps1 aws_appmesh_mesh
 ./resource.ps1 aws_appmesh_mesh -type data