@nmrad-91
Forked from nitrocode/README.md
Created April 14, 2020 22:40
Cloud custodian iam policy in terraform

CloudCustodian IAM Policy

Extracts the IAM actions that cloud-custodian declares in its source (the `permissions = (...)` tuples), cleans up the extracted strings, and renders them as a Terraform `aws_iam_policy_document`.

Dependencies are ripgrep (`rg`), git and Python 3; on macOS they can be installed with Homebrew:

brew install rg git

The code will

  1. search the repo for `permissions = (...)` tuples, matching across multiple lines, and capture what is inside the parentheses
  2. print only the captured group
  3. remove the file names from rg output
  4. make all quotes single quotes
  5. insert a new line in between single quoted strings
  6. make all quotes double quotes
  7. remove leading whitespace and empty lines
  8. remove any lines that don't begin with a quote
  9. remove all quotes
  10. remove all commas
  11. sort output
  12. only return unique values
  13. run python script against that to create the iam policy
  14. profit

Usage

  1. Install ripgrep and git
  2. Download extract-perms.sh and convert-extracted-cloud-custodian-perms-to-terraform.py
  3. Run extract-perms.sh

The output Terraform will be saved in cloud-custodian-iam-policy.tf and the list of permissions in perms.txt. Review the output before applying it: every statement is generated with `resources = ["*"]` because the extraction only knows action names, and the raw extraction can pick up wildcard entries (e.g. `lambda:*`, `s3:*`) and non-action artifacts from Python expressions, so treat the file as the starting point for a least-privilege policy rather than a finished one.

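# last generated from 0.8.46.0 2e239e880e8436c5afd55dfcaf9735684705ac99 using extract-perms.sh
#
# Review before applying:
#   * Every statement is resources = ["*"]. The generator only knows action
#     names, nothing about which resources custodian will touch, so scope the
#     high-impact actions (iam:PassRole, iam:AttachRolePolicy, kms:PutKeyPolicy,
#     s3:PutBucketPolicy, ec2:TerminateInstances, ...) to the ARNs and
#     conditions your custodian policies actually need.
#   * The extraction picked up "lambda:*" and "s3:*"; each one makes the rest
#     of its statement redundant and grants full access to that service.
#   * Sids contain only [A-Za-z0-9]. IAM rejects any other character in an
#     identity-policy Sid (MalformedPolicyDocument), so "cognito-identity" is
#     written as "cognitoidentity", "waf-regional" as "wafregional", etc.
#   * Case variants of one service prefix (S3/s3, cloudWatch/cloudwatch) are
#     merged into a single statement; IAM matches action names
#     case-insensitively, so nothing is lost.
#   * The extraction artifact "ec2:DescribeSecurityGroups + LaunchInfo.permissions"
#     (a Python expression, not an action) has been dropped; it is not a valid
#     action string and would be rejected at apply time.
data "aws_iam_policy_document" "default" {
  statement {
    sid       = "acm"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "acm:DeleteCertificate",
    ]
  }
  statement {
    sid       = "apigateway"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "apigateway:DELETE",
      "apigateway:GET",
      "apigateway:PATCH",
    ]
  }
  statement {
    sid       = "autoscaling"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "autoscaling:CreateOrUpdateTags",
      "autoscaling:DeleteAutoScalingGroup",
      "autoscaling:DeleteLaunchConfiguration",
      "autoscaling:DeleteTags",
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:ResumeProcesses",
      "autoscaling:SuspendProcesses",
      "autoscaling:UpdateAutoScalingGroup",
    ]
  }
  statement {
    sid       = "batch"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "batch:DeleteComputeEnvironment",
      "batch:DeregisterJobDefinition",
      "batch:UpdateComputeEnvironment",
    ]
  }
  statement {
    sid       = "cloudformation"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudformation:DeleteStack",
      "cloudformation:UpdateStack",
    ]
  }
  statement {
    sid       = "cloudfront"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudfront:UpdateDistribution",
      "cloudfront:UpdateStreamingDistribution",
    ]
  }
  statement {
    sid       = "cloudhsm"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudhsm:TagResource",
      "cloudhsm:UntagResource",
    ]
  }
  statement {
    sid       = "cloudsearch"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudsearch:DeleteDomain",
    ]
  }
  statement {
    sid       = "cloudtrail"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudtrail:CreateTrail",
      "cloudtrail:DeleteTrail",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetEventSelectors",
      "cloudtrail:GetTrailStatus",
      "cloudtrail:StartLogging",
      "cloudtrail:UpdateTrail",
    ]
  }
  statement {
    # "cloudWatch:PutMetricData" from the raw extraction is folded in here.
    sid       = "cloudwatch"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DescribeAlarmsForMetric",
      "cloudwatch:GetMetricStatistics",
      "cloudwatch:PutMetricAlarm",
      "cloudwatch:PutMetricData",
    ]
  }
  statement {
    sid       = "codebuild"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "codebuild:DeleteProject",
    ]
  }
  statement {
    sid       = "codecommit"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "codecommit:DeleteRepository",
    ]
  }
  statement {
    sid       = "cognitoidentity"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cognito-identity:DeleteIdentityPool",
    ]
  }
  statement {
    sid       = "cognitoidp"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cognito-idp:DeleteUserPool",
    ]
  }
  statement {
    sid       = "config"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "config:DeleteConfigRule",
      "config:DescribeComplianceByConfigRule",
      "config:DescribeConfigRuleEvaluationStatus",
      "config:DescribeConfigurationRecorderStatus",
      "config:DescribeConfigurationRecorders",
      "config:DescribeDeliveryChannels",
      "config:GetResourceConfigHistory",
    ]
  }
  statement {
    sid       = "datapipeline"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "datapipeline:AddTags",
      "datapipeline:DeletePipeline",
      "datapipeline:RemoveTags",
    ]
  }
  statement {
    sid       = "dax"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "dax:DeleteCluster",
      "dax:ListTags",
      "dax:TagResource",
      "dax:UntagResource",
      "dax:UpdateCluster",
    ]
  }
  statement {
    sid       = "dms"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "dms:AddTagsToResource",
      "dms:DeleteEndpoint",
      "dms:DeleteReplicationInstance",
      "dms:ModifyEndpoint",
      "dms:ModifyReplicationInstance",
      "dms:RemoveTagsFromResource",
    ]
  }
  statement {
    sid       = "ds"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ds:AddTagsToResource",
      "ds:RemoveTagsFromResource",
    ]
  }
  statement {
    sid       = "dynamodb"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "dynamodb:CreateBackup",
      "dynamodb:DeleteBackup",
      "dynamodb:DeleteTable",
      "dynamodb:UpdateTable",
    ]
  }
  statement {
    sid       = "ec2"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:AssociateIamInstanceProfile",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:CopyImage",
      "ec2:CopySnapshot",
      "ec2:CreateFlowLogs",
      "ec2:CreateSnapshot",
      "ec2:CreateTags",
      "ec2:CreateVolume",
      "ec2:DeleteNatGateway",
      "ec2:DeleteNetworkInterface",
      "ec2:DeleteSecurityGroup",
      "ec2:DeleteSnapshot",
      "ec2:DeleteTags",
      "ec2:DeleteVolume",
      "ec2:DeregisterImage",
      "ec2:DescribeDhcpOptions",
      "ec2:DescribeFlowLogs",
      "ec2:DescribeImageAttribute",
      "ec2:DescribeImages",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeInstances",
      "ec2:DescribeLaunchTemplateVersions",
      "ec2:DescribePrefixLists",
      "ec2:DescribeRouteTables",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSnapshotAttribute",
      "ec2:DescribeSnapshots",
      "ec2:DescribeSpotInstanceRequests",
      "ec2:DescribeStaleSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeVpcEndpoints",
      "ec2:DescribeVpcPeeringConnections",
      "ec2:DescribeVpcs",
      "ec2:DetachVolume",
      # NOTE(review): disabling account-wide EBS default encryption is a
      # security-regressing action; confirm a policy you run needs it.
      "ec2:DisableEbsEncryptionByDefault",
      "ec2:DisassociateAddress",
      "ec2:DisassociateIamInstanceProfile",
      "ec2:EnableEbsEncryptionByDefault",
      "ec2:GetEbsEncryptionByDefault",
      "ec2:ModifyInstanceAttribute",
      "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:ModifyVolumeAttribute",
      "ec2:MonitorInstances",
      "ec2:RebootInstances",
      "ec2:ReleaseAddress",
      "ec2:ResetImageAttribute",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
      "ec2:UnmonitorInstances",
    ]
  }
  statement {
    sid       = "ecr"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ecr:DeleteLifecyclePolicy",
      "ecr:GetLifecyclePolicy",
      "ecr:GetRepositoryPolicy",
      "ecr:PutImageScanningConfiguration",
      "ecr:PutImageTagMutability",
      "ecr:PutLifecyclePolicy",
      "ecr:SetRepositoryPolicy",
      "ecr:TagResource",
      "ecr:UntagResource",
    ]
  }
  statement {
    sid       = "ecs"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ecs:DeleteService",
      "ecs:DeregisterTaskDefinition",
      "ecs:DescribeTaskDefinition",
      "ecs:ListTaskDefinitions",
      "ecs:StopTask",
      "ecs:TagResource",
      "ecs:UntagResource",
      "ecs:UpdateContainerAgent",
      "ecs:UpdateContainerInstancesState",
      "ecs:UpdateService",
    ]
  }
  statement {
    sid       = "eks"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "eks:DeleteCluster",
      "eks:TagResource",
      "eks:UntagResource",
      "eks:UpdateClusterConfig",
    ]
  }
  statement {
    sid       = "elasticache"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticache:CreateSnapshot",
      "elasticache:DeleteCacheCluster",
      "elasticache:DeleteReplicationGroup",
      "elasticache:DeleteSnapshot",
      "elasticache:ListTagsForResource",
      "elasticache:ModifyReplicationGroup",
    ]
  }
  statement {
    sid       = "elasticbeanstalk"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticbeanstalk:AddTags",
      "elasticbeanstalk:ListTagsForResource",
      "elasticbeanstalk:RemoveTags",
      "elasticbeanstalk:TerminateEnvironment",
    ]
  }
  statement {
    sid       = "elasticfilesystem"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticfilesystem:DeleteFileSystem",
      "elasticfilesystem:DeleteMountTarget",
      "elasticfilesystem:DescribeMountTargets",
      "elasticfilesystem:PutLifecycleConfiguration",
    ]
  }
  statement {
    sid       = "elasticloadbalancing"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticloadbalancing:AddTags",
      "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
      "elasticloadbalancing:CreateLoadBalancerPolicy",
      "elasticloadbalancing:DeleteLoadBalancer",
      "elasticloadbalancing:DeleteTargetGroup",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeLoadBalancerPolicies",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:ModifyLoadBalancerAttributes",
      "elasticloadbalancing:RemoveTags",
      "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
      "elasticloadbalancing:SetSecurityGroups",
    ]
  }
  statement {
    sid       = "elasticmapreduce"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticmapreduce:AddTags",
      "elasticmapreduce:RemoveTags",
      "elasticmapreduce:TerminateJobFlows",
    ]
  }
  statement {
    sid       = "es"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "es:AddTags",
      "es:DeleteElasticsearchDomain",
      "es:RemoveTags",
      "es:UpdateElasticsearchDomainConfig",
    ]
  }
  statement {
    sid       = "events"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "events:ListTargetsByRule",
      "events:RemoveTargets",
    ]
  }
  statement {
    sid       = "firehose"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "firehose:DeleteDeliveryStream",
      "firehose:UpdateDestination",
    ]
  }
  statement {
    sid       = "fsx"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "fsx:CreateBackup",
      "fsx:DeleteBackup",
      "fsx:DeleteFileSystem",
      "fsx:TagResource",
      "fsx:UntagResource",
      "fsx:UpdateFileSystem",
    ]
  }
  statement {
    sid       = "glacier"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "glacier:GetVaultAccessPolicy",
      "glacier:ListTagsForVault",
      "glacier:SetVaultAccessPolicy",
    ]
  }
  statement {
    sid       = "glue"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "glue:DeleteConnection",
      "glue:DeleteCrawler",
      "glue:DeleteDatabase",
      "glue:DeleteDevEndpoint",
      "glue:DeleteJob",
      "glue:DeleteTable",
      "glue:GetConnections",
      "glue:GetCrawlers",
      "glue:GetDataCatalogEncryptionSettings",
      "glue:GetDevEndpoints",
      "glue:GetJobs",
    ]
  }
  statement {
    sid       = "guardduty"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "guardduty:GetDetector",
      "guardduty:GetMasterAccount",
      "guardduty:ListDetectors",
    ]
  }
  statement {
    sid       = "health"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "health:DescribeAffectedEntities",
      "health:DescribeEventDetails",
      "health:DescribeEvents",
    ]
  }
  statement {
    sid       = "iam"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "iam:AddUserToGroup",
      # NOTE(review): on resources = ["*"], AttachRolePolicy lets this role
      # attach any managed policy (including AdministratorAccess) to any role,
      # and PassRole lets it hand any role in the account to any service. Both
      # are privilege-escalation paths; restrict them to the role ARNs your
      # custodian policies actually operate on (PassRole additionally with an
      # iam:PassedToService condition).
      "iam:AttachRolePolicy",
      "iam:DeactivateMFADevice",
      "iam:DeleteAccessKey",
      "iam:DeleteLoginProfile",
      "iam:DeletePolicy",
      "iam:DeleteRole",
      "iam:DeleteSSHPublicKey",
      "iam:DeleteSigningCertificate",
      "iam:DeleteUser",
      "iam:DeleteUserPolicy",
      "iam:DetachRolePolicy",
      "iam:DetachUserPolicy",
      "iam:GenerateCredentialReport",
      "iam:GenerateServiceLastAccessedDetails",
      "iam:GetAccountPasswordPolicy",
      "iam:GetAccountSummary",
      "iam:GetCredentialReport",
      "iam:GetGroup",
      "iam:GetServiceLastAccessedDetails",
      "iam:ListAccessKeys",
      "iam:ListAccountAliases",
      "iam:ListAttachedRolePolicies",
      "iam:ListAttachedUserPolicies",
      "iam:ListGroupPolicies",
      "iam:ListGroupsForUser",
      "iam:ListMFADevices",
      "iam:ListPolicies",
      "iam:ListPolicyVersions",
      "iam:ListRolePolicies",
      "iam:ListRoles",
      "iam:ListSSHPublicKeys",
      "iam:ListServiceSpecificCredentials",
      "iam:ListSigningCertificates",
      "iam:ListUserPolicies",
      "iam:ListVirtualMFADevices",
      "iam:PassRole",
      "iam:RemoveUserFromGroup",
      "iam:TagRole",
      "iam:TagUser",
      "iam:UntagRole",
      "iam:UntagUser",
      "iam:UpdateAccessKey",
    ]
  }
  statement {
    sid       = "kafka"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kafka:DeleteCluster",
    ]
  }
  statement {
    sid       = "kinesis"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kinesis:DeleteStream",
      "kinesis:UpdateShardCount",
    ]
  }
  statement {
    sid       = "kinesisanalytics"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kinesisanalytics:DeleteApplication",
    ]
  }
  statement {
    sid       = "kms"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "kms:DescribeKey",
      "kms:EnableKeyRotation",
      "kms:GetKeyPolicy",
      "kms:GetKeyRotationStatus",
      "kms:ListAliases",
      "kms:ListGrants",
      # NOTE(review): PutKeyPolicy on every key can rewrite who may use or
      # administer any CMK in the account; scope to the keys custodian manages.
      "kms:PutKeyPolicy",
    ]
  }
  statement {
    sid       = "lambda"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      # NOTE(review): "lambda:*" was extracted from the repo as-is. It grants
      # every Lambda action on every function and makes the specific actions
      # below redundant. Drop it (and keep the explicit list) unless a policy
      # you run genuinely needs it.
      "lambda:*",
      "lambda:DeleteFunction",
      "lambda:DeleteFunctionConcurrency",
      "lambda:DeleteLayerVersion",
      "lambda:GetFunction",
      "lambda:GetLayerVersionPolicy",
      "lambda:GetPolicy",
      "lambda:InvokeFunction",
      "lambda:PutFunctionConcurrency",
      "lambda:RemoveLayerVersionPermission",
      "lambda:RemovePermission",
      "lambda:UpdateFunctionConfiguration",
    ]
  }
  statement {
    sid       = "logs"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "logs:AssociateKmsKey",
      "logs:CreateLogGroup",
      "logs:DeleteLogGroup",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
      "logs:DescribeSubscriptionFilters",
      "logs:DisassociateKmsKey",
      "logs:GetResourcePolicy",
      "logs:PutResourcePolicy",
      "logs:PutRetentionPolicy",
    ]
  }
  statement {
    sid       = "machinelearning"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "machinelearning:DeleteMLModel",
    ]
  }
  statement {
    sid       = "mq"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "mq:CreateTags",
      "mq:DeleteBroker",
      "mq:DeleteTags",
      "mq:ListBrokers",
      "mq:ListTags",
    ]
  }
  statement {
    sid       = "opsworkscm"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "opsworks-cm:DeleteServer",
    ]
  }
  statement {
    sid       = "opsworks"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "opsworks:DeleteApp",
      "opsworks:DeleteInstance",
      "opsworks:DeleteLayer",
      "opsworks:DeleteStack",
      "opsworks:DescribeApps",
      "opsworks:DescribeInstances",
      "opsworks:DescribeLayers",
      "opsworks:StopStack",
    ]
  }
  statement {
    sid       = "rds"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "rds:AddTagsToResource",
      "rds:CopyDBClusterParameterGroup",
      "rds:CopyDBParameterGroup",
      "rds:CopyDBSnapshot",
      "rds:CreateDBClusterSnapshot",
      "rds:CreateDBSnapshot",
      "rds:DeleteDBCluster",
      "rds:DeleteDBClusterParameterGroup",
      "rds:DeleteDBClusterSnapshot",
      "rds:DeleteDBInstance",
      "rds:DeleteDBParameterGroup",
      "rds:DeleteDBSnapshot",
      "rds:DeleteDBSubnetGroup",
      "rds:DescribeDBClusterParameters",
      "rds:DescribeDBEngineVersions",
      "rds:DescribeDBInstances",
      "rds:DescribeDBParameters",
      "rds:DescribeDBSnapshotAttributes",
      "rds:DescribeDBSnapshots",
      "rds:ModifyDBCluster",
      "rds:ModifyDBClusterParameterGroup",
      "rds:ModifyDBInstance",
      "rds:ModifyDBParameterGroup",
      "rds:ModifyOptionGroup",
      "rds:RebootDBInstance",
      "rds:RemoveTagsFromResource",
      "rds:RestoreDBInstanceFromDBSnapshot",
      "rds:StartDBCluster",
      "rds:StartDBInstance",
      "rds:StopDBCluster",
      "rds:StopDBInstance",
    ]
  }
  statement {
    sid       = "redshift"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "redshift:CreateClusterSnapshot",
      "redshift:CreateTags",
      "redshift:DeleteCluster",
      "redshift:DeleteClusterSnapshot",
      "redshift:DeleteTags",
      "redshift:DescribeClusterParameters",
      "redshift:DescribeClusterSnapshots",
      "redshift:DescribeLoggingStatus",
      "redshift:ModifyCluster",
      "redshift:RevokeSnapshotAccess",
    ]
  }
  statement {
    sid       = "resourcegroupstaggingapi"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "resourcegroupstaggingapi:TagResources",
    ]
  }
  statement {
    sid       = "route53"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "route53:CreateQueryLoggingConfig",
      "route53:DeleteQueryLoggingConfig",
      "route53:GetHostedZone",
      "route53:GetQueryLoggingConfig",
      "route53:ListTagsForResources",
    ]
  }
  statement {
    sid       = "route53domains"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "route53domains:DeleteTagsForDomain",
      "route53domains:ListTagsForDomain",
      "route53domains:UpdateTagsForDomain",
    ]
  }
  statement {
    # "S3:PutObject" from the raw extraction is the same action as
    # "s3:PutObject" below and has been folded into this statement.
    sid       = "s3"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      # NOTE(review): "s3:*" was extracted from the repo as-is. It grants every
      # S3 action on every bucket and object and makes the specific actions
      # below redundant. Drop it (and keep the explicit list) unless a policy
      # you run genuinely needs it.
      "s3:*",
      "s3:CreateBucket",
      "s3:DeleteBucketPolicy",
      "s3:DeleteBucketWebsite",
      "s3:DeleteObjectVersion",
      "s3:GetAccountPublicAccessBlock",
      "s3:GetBucketNotification",
      "s3:GetBucketPolicy",
      "s3:GetEncryptionConfiguration",
      "s3:GetInventoryConfiguration",
      "s3:GetLifecycleConfiguration",
      "s3:GetObject",
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "s3:PutAccountPublicAccessBlock",
      "s3:PutBucketAcl",
      "s3:PutBucketLogging",
      "s3:PutBucketNotification",
      "s3:PutBucketPolicy",
      "s3:PutBucketVersioning",
      "s3:PutEncryptionConfiguration",
      "s3:PutInventoryConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:PutObject",
      "s3:RestoreObject",
    ]
  }
  statement {
    sid       = "sagemaker"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sagemaker:AddTags",
      "sagemaker:DeleteEndpoint",
      "sagemaker:DeleteEndpointConfig",
      "sagemaker:DeleteModel",
      "sagemaker:DeleteNotebookInstance",
      "sagemaker:DeleteTags",
      "sagemaker:ListTags",
      "sagemaker:StartNotebookInstance",
      "sagemaker:StopNotebookInstance",
      "sagemaker:StopTrainingJob",
      "sagemaker:StopTransformJob",
    ]
  }
  statement {
    sid       = "sdb"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sdb:DeleteDomain",
      "sdb:DomainMetadata",
    ]
  }
  statement {
    sid       = "secretsmanager"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:ListSecretVersionIds",
      "secretsmanager:TagResource",
      "secretsmanager:UntagResource",
    ]
  }
  statement {
    sid       = "securityhub"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "securityhub:BatchImportFindings",
      "securityhub:GetFindings",
    ]
  }
  statement {
    sid       = "shield"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "shield:CreateProtection",
      "shield:CreateSubscription",
      "shield:DeleteSubscription",
      "shield:DescribeSubscription",
      "shield:ListProtections",
    ]
  }
  statement {
    sid       = "sns"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sns:DeleteTopic",
      "sns:GetTopicAttributes",
      "sns:ListTagsForResource",
      "sns:SetTopicAttributes",
      "sns:TagResource",
      "sns:UntagResource",
    ]
  }
  statement {
    sid       = "sqs"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sqs:DeleteQueue",
      "sqs:GetQueueAttributes",
      "sqs:RemovePermission",
      "sqs:SetQueueAttributes",
    ]
  }
  statement {
    sid       = "ssm"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ssm:CreateOpsItem",
      "ssm:DeleteActivation",
      "ssm:DescribeActivations",
      "ssm:DescribeInstanceInformation",
      "ssm:DescribeOpsItems",
      "ssm:DescribeParameters",
      "ssm:GetParameters",
      # NOTE(review): SendCommand on "*" is remote code execution on every
      # SSM-managed instance; scope to the documents/instances custodian uses.
      "ssm:SendCommand",
      "ssm:UpdateOpsItem",
    ]
  }
  statement {
    sid       = "states"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "states:StartExecution",
      "states:TagResource",
      "states:UntagResource",
    ]
  }
  statement {
    sid       = "support"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "support:CreateCase",
      "support:DescribeTrustedAdvisorCheckResult",
      "support:RefreshTrustedAdvisorCheck",
    ]
  }
  statement {
    sid       = "tag"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "tag:TagResources",
      "tag:UntagResources",
    ]
  }
  statement {
    sid       = "wafregional"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "waf-regional:AssociateWebACL",
      "waf-regional:ListResourcesForWebACL",
      "waf-regional:ListWebACLs",
    ]
  }
  statement {
    sid       = "waf"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "waf:ListWebACLs",
    ]
  }
  statement {
    sid       = "workspaces"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "workspaces:DescribeWorkspacesConnectionStatus",
    ]
  }
  statement {
    sid       = "xray"
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "xray:GetEncryptionConfig",
      "xray:PutEncryptionConfig",
    ]
  }
}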
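"""convert-extracted-cloud-custodian-perms-to-terraform.py

Reads "service:Action" lines (one per line, as produced by extract-perms.sh)
from stdin and prints a Terraform ``aws_iam_policy_document`` with one
``statement`` per service prefix.

Fixes relative to the first version:
  * Sids are reduced to [A-Za-z0-9]. IAM identity policies reject any other
    character in a Sid, so a prefix such as "cognito-identity" or
    "waf-regional" used verbatim makes the whole policy fail at apply time.
  * The service prefix is lowercased so "S3:PutObject" and "s3:PutObject"
    land in one statement instead of two (which would also collide on Sid).
    The action part keeps its casing.
  * Grouping no longer depends on the input being pre-sorted, and empty input
    produces an empty document instead of a TypeError.
"""
import re
import sys


def sanitize_sid(service):
    """Return ``service`` stripped to the characters IAM allows in a Sid.

    Args:
        service: an AWS service prefix such as ``"waf-regional"``.

    Returns:
        The prefix with every non-alphanumeric character removed.
    """
    return re.sub(r"[^A-Za-z0-9]", "", service)


def render_statement(sid, actions):
    """Return one Terraform ``statement { ... }`` block as a string.

    Every statement is emitted with ``resources = ["*"]`` because the input
    carries no resource information; the generated file is meant to be
    scoped down by hand afterwards.

    Args:
        sid: statement id (already sanitized by the caller).
        actions: iterable of ``"service:Action"`` strings.
    """
    lines = [
        "",
        "  statement {",
        '    sid       = "{0}"'.format(sid),
        '    effect    = "Allow"',
        '    resources = ["*"]',
        "",
        "    actions = [",
    ]
    lines.extend('      "{0}",'.format(action) for action in actions)
    lines.extend(["    ]", "  }"])
    return "\n".join(lines) + "\n"


def statement(sid, actions):
    """Print one statement block to stdout (kept for backward compatibility)."""
    sys.stdout.write(render_statement(sid, actions))


def group_actions(lines):
    """Group action strings by (lowercased) service prefix.

    Args:
        lines: iterable of ``"service:Action"`` strings; trailing newlines,
            blank lines and lines without a colon are ignored.

    Returns:
        A list of ``(service, actions)`` tuples sorted by service, where
        ``actions`` is sorted and de-duplicated case-insensitively (IAM
        matches action names case-insensitively, so ``S3:PutObject`` and
        ``s3:PutObject`` are the same grant).
    """
    groups = {}
    for raw in lines:
        action = raw.strip()
        if not action or ":" not in action:
            continue
        service, name = action.split(":", 1)
        service = service.lower()
        # Key on the lowercased action name so case variants collapse; keep
        # the first spelling seen for the action part.
        bucket = groups.setdefault(service, {})
        bucket.setdefault(name.lower(), "{0}:{1}".format(service, name))
    return [(service, sorted(bucket.values())) for service, bucket in sorted(groups.items())]


def render_policy(lines):
    """Render the full ``data "aws_iam_policy_document" "default"`` block.

    Args:
        lines: iterable of ``"service:Action"`` strings (see group_actions).

    Returns:
        The Terraform source as a single string, ending in a newline.
    """
    body = ['data "aws_iam_policy_document" "default" {']
    for service, actions in group_actions(lines):
        body.append(render_statement(sanitize_sid(service), actions).rstrip("\n"))
    body.append("}")
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    sys.stdout.write(render_policy(sys.stdin))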
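#!/usr/bin/env bash
# extract-perms.sh
#
# Pulls every IAM action that cloud-custodian declares in a
# `permissions = (...)` tuple out of its source tree and renders the result
# as a Terraform aws_iam_policy_document.
#
# Writes, in the directory the script is run from (not inside the clone):
#   perms.txt                      sorted, de-duplicated "service:Action" list
#   cloud-custodian-iam-policy.tf  Terraform policy document
#
# Environment:
#   CUSTODIAN_REPO  clone URL; defaults to the public HTTPS URL so no SSH key
#                   is needed for a read-only clone.
#   CUSTODIAN_REF   tag or commit to generate from. Pinned so the output is
#                   reproducible and an upstream change cannot silently widen
#                   the policy; defaults to the revision recorded in the
#                   header of the last generated file.

# Fail fast. Without this a failed clone or cd leaves rg scanning whatever
# directory we happen to be in, and the script still "succeeds" with an
# unrelated or empty policy.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
OUT_DIR="$(pwd)"
# The converter lives next to this script; the old version ran it from
# inside the clone, where it does not exist.
CONVERT="$SCRIPT_DIR/convert-extracted-cloud-custodian-perms-to-terraform.py"
CUSTODIAN_REPO="${CUSTODIAN_REPO:-https://github.com/cloud-custodian/cloud-custodian.git}"
CUSTODIAN_REF="${CUSTODIAN_REF:-2e239e880e8436c5afd55dfcaf9735684705ac99}"

# Clone into a throwaway directory so the script can be re-run (a second
# `git clone` into an existing ./cloud-custodian fails).
WORK_DIR="$(mktemp -d)"
trap 'rm -rf "$WORK_DIR"' EXIT

# get code
git clone --quiet "$CUSTODIAN_REPO" "$WORK_DIR/cloud-custodian"
cd "$WORK_DIR/cloud-custodian"
git checkout --quiet "$CUSTODIAN_REF"
REV="$(git describe --tags --always) $(git rev-parse HEAD)"

# extract and transform
# purposely did not lowercase everything `tr '[:upper:]' '[:lower:]'` because we want to keep the casing
# (the converter lowercases only the service prefix so S3/s3 end up in one statement).
#
# Pipeline: capture the inside of each permissions tuple (multi-line), put
# one quoted string per line, strip quotes/commas/whitespace, then keep only
# tokens shaped like an IAM action. That last grep is important: the capture
# also swallows Python expressions such as a tuple concatenation, which
# previously produced the bogus action
# "ec2:DescribeSecurityGroups + LaunchInfo.permissions". The whole tree is
# searched, so permissions from tests and the tools/ plugins are included too;
# with pipefail an empty extraction fails the script instead of writing an
# empty policy.
rg 'permissions\s+=\s+\((.*?)\)' \
    --multiline-dotall --multiline -r '$1' -I . \
  | tr '"' "'" \
  | sed $'s/\', \'/\', \\\n\'/g' \
  | tr "'" '"' \
  | awk '{$1=$1};1' \
  | sed '/^[[:space:]]*$/d' \
  | grep -e '^"' \
  | tr -d '"' \
  | tr -d ',' \
  | grep -E '^[A-Za-z0-9-]+:[A-Za-z0-9*]+$' \
  | LC_ALL=C sort -u > "$OUT_DIR/perms.txt"

# run python script to convert to terraform, recording the upstream revision
# the policy was generated from so it can be audited and reproduced
{
  echo "# last generated from $REV using extract-perms.sh"
  python3 "$CONVERT" < "$OUT_DIR/perms.txt"
} > "$OUT_DIR/cloud-custodian-iam-policy.tf"

echo "wrote $OUT_DIR/perms.txt and $OUT_DIR/cloud-custodian-iam-policy.tf (from $REV)" >&2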
# Shared naming and tagging for the custodian role and its inline policy.
locals {
  # Used as both the IAM role name and the inline policy name below.
  name = "cloud-custodian"
  tags = {
    application = local.name
  }
}
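# source: https://github.com/cloud-custodian/cloud-custodian/issues/1693
# command: iam-policy-json-to-terraform < cloud-custodian-iam-policy.json | pbcopy
# This is NOT generated from the latest code but from that GitHub issue.
# For the latest generated example, see cloud-custodian-iam-policy.tf
#
# NOTE: this file and cloud-custodian-iam-policy.tf both declare
# data.aws_iam_policy_document.default. Keep only one of them in a module,
# otherwise terraform validate fails on the duplicate data source.
#
# Review before applying: every statement is resources = ["*"] (see the
# sts:AssumeRole and iam notes below). Two entries that were listed twice in
# the issue (ec2:CreateSnapshot, s3:GetBucketPolicy) appear once here.
data "aws_iam_policy_document" "default" {
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "health:DescribeEvents",
      "health:DescribeAffectedEntities",
      "health:DescribeEventDetails",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "lambda:DeleteFunction",
      "lambda:GetPolicy",
      "lambda:RemovePermission",
      "lambda:TagResource",
      "lambda:UntagResource",
      "lambda:InvokeFunction",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudtrail:CreateTrail",
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetEventSelectors",
      "cloudtrail:GetTrailStatus",
      "config:DescribeDeliveryChannels",
      "config:DescribeConfigurationRecorders",
      "config:DescribeConfigurationRecorderStatus",
      "config:GetResourceConfigHistory",
      "support:CreateCase",
      "support:DescribeTrustedAdvisorCheckResult",
      "support:RefreshTrustedAdvisorCheck",
      "shield:CreateSubscription",
      "shield:DescribeSubscription",
      "shield:DeleteSubscription",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ec2:AssociateIamInstanceProfile",
      "ec2:AuthorizeSecurityGroupIngress",
      "ec2:AuthorizeSecurityGroupEgress",
      "ec2:CreateSnapshot",
      "ec2:CreateTags",
      "ec2:CopySnapshot",
      "ec2:DeleteVolume",
      "ec2:DeleteNatGateway",
      "ec2:DeleteSecurityGroup",
      "ec2:DeleteSnapshot",
      "ec2:DeleteTags",
      "ec2:DeregisterImage",
      "ec2:DescribeImages",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeInstances",
      "ec2:DescribeInstanceStatus",
      "ec2:DescribeFlowLogs",
      "ec2:DescribePrefixLists",
      "ec2:DescribeRouteTables",
      "ec2:DescribeStaleSecurityGroups",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeSubnets",
      "ec2:DescribeTags",
      "ec2:DescribeVolumes",
      "ec2:DescribeVpcs",
      "ec2:DisassociateIamInstanceProfile",
      "ec2:DescribeSnapshotAttribute",
      "ec2:DescribeSnapshots",
      "ec2:DetachVolume",
      "ec2:ModifyVolumeAttribute",
      "ec2:ModifyInstanceAttribute",
      "ec2:ModifyNetworkInterfaceAttribute",
      "ec2:ResetImageAttribute",
      "ec2:RevokeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:TerminateInstances",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "tag:TagResources",
      "tag:UntagResources",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "waf-regional:AssociateWebACL",
      "waf-regional:ListResourcesForWebACL",
      "waf-regional:ListWebACLs",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticloadbalancing:AddTags",
      "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
      "elasticloadbalancing:CreateLoadBalancerPolicy",
      "elasticloadbalancing:DeleteLoadBalancer",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeLoadBalancerPolicies",
      "elasticloadbalancing:DescribeListeners",
      "elasticloadbalancing:DescribeTargetGroups",
      "elasticloadbalancing:ModifyLoadBalancerAttributes",
      "elasticloadbalancing:ModifyListener",
      "elasticloadbalancing:RemoveTags",
      "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "autoscaling:CreateOrUpdateTags",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DeleteAutoScalingGroup",
      "autoscaling:DeleteLaunchConfiguration",
      "autoscaling:DeleteTags",
      "autoscaling:UpdateAutoScalingGroup",
      "autoscaling:SuspendProcesses",
      "autoscaling:ResumeProcesses",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudfront:UpdateDistribution",
      "cloudfront:GetDistributionConfig",
      "cloudfront:GetStreamingDistributionConfig",
      "cloudfront:UpdateStreamingDistribution",
      "waf:ListWebACLs",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudwatch:DeleteAlarms",
      "cloudwatch:DescribeAlarmsForMetric",
      "cloudwatch:GetMetricStatistics",
      "cloudWatch:PutMetricData",
      "logs:DeleteLogGroup",
      "logs:DescribeLogStreams",
      "logs:PutRetentionPolicy",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "dynamodb:DeleteTable",
      "dynamodb:ListTagsOfResource",
      "dynamodb:TagResource",
      "dynamodb:UntagResource",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "ecr:GetRepositoryPolicy",
      "ecr:SetRepositoryPolicy",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticfilesystem:DeleteFileSystem",
      "elasticfilesystem:DeleteMountTarget",
      "elasticfilesystem:DescribeMountTargets",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "elasticache:CreateSnapshot",
      "elasticache:ListTagsForResource",
      "elasticache:ModifyReplicationGroup",
      "elasticache:DeleteCacheCluster",
      "elasticache:DeleteReplicationGroup",
      "elasticache:DeleteSnapshot",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sqs:DeleteQueue",
      "sqs:GetQueueAttributes",
      "sqs:SetQueueAttributes",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "sns:GetTopicAttributes",
      "sns:SetTopicAttributes",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions   = ["es:DeleteElasticsearchDomain"]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "rds:AddTagsToResource",
      "rds:CopyDBSnapshot",
      "rds:CreateDBSnapshot",
      "rds:DeleteDBInstance",
      "rds:DeleteDBSnapshot",
      "rds:DescribeDBEngineVersions",
      "rds:DescribeDBInstances",
      "rds:DescribeDBParameters",
      "rds:DescribeDBSnapshotAttributes",
      "rds:DescribeDBSnapshots",
      "rds:ModifyDBCluster",
      "rds:ModifyDBInstance",
      "rds:ModifyDBParameterGroup",
      "rds:RemoveTagsFromResource",
      "rds:RebootDBInstance",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      # NOTE(review): sts:AssumeRole on "*" lets this role assume any role
      # whose trust policy accepts it. Restrict it to the ARNs of the roles
      # custodian actually assumes (e.g. member-account roles), or drop it if
      # custodian runs in a single account.
      "sts:AssumeRole",
      "iam:DeleteAccessKey",
      "iam:GenerateCredentialReport",
      "iam:GetAccountSummary",
      "iam:GetAccountPasswordPolicy",
      "iam:GetCredentialReport",
      "iam:GetGroup",
      "iam:ListAccessKeys",
      "iam:ListAccountAliases",
      "iam:ListAttachedUserPolicies",
      "iam:ListAttachedRolePolicies",
      "iam:ListPolicyVersions",
      "iam:ListGroupPolicies",
      "iam:ListGroupsForUser",
      "iam:ListMfaDevices",
      "iam:ListPolicies",
      "iam:ListRolePolicies",
      "iam:ListVirtualMFADevices",
      "iam:UpdateAccessKey",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "s3:DeleteBucketPolicy",
      "s3:DeleteBucketWebsite",
      "s3:ListAllMyBuckets",
      "s3:ListBucket",
      "s3:GetBucketPolicy",
      "s3:GetObject",
      "s3:GetBucketNotification",
      "s3:GetInventoryConfiguration",
      "s3:PutBucketAcl",
      "s3:PutBucketPolicy",
      "s3:PutBucketVersioning",
      "s3:PutBucketLogging",
      "s3:PutBucketNotification",
      "s3:PutInventoryConfiguration",
      "s3:PutObject",
    ]
  }
  statement {
    sid       = ""
    effect    = "Allow"
    resources = ["*"]
    actions = [
      "cloudtrail:DescribeTrails",
      "cloudtrail:GetEventSelectors",
    ]
  }
}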
# Trust policy: only the Lambda service may assume this role, i.e. the role is
# intended as the execution role of custodian's Lambda-mode policies.
# NOTE(review): with no condition on the statement, anyone in the account
# holding iam:PassRole on this role can attach it to a Lambda function of
# their own and run with the permissions in "default" above. If that is not
# acceptable, add an aws:SourceArn / aws:SourceAccount condition restricted
# to the custodian functions.
data "aws_iam_policy_document" "assume_role_policy" {
  statement {
    # effect is omitted; Terraform defaults it to "Allow".
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}
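# Inline policy carrying the custodian permissions, attached to the role below.
resource "aws_iam_role_policy" "default" {
  name = local.name
  # Reference the role resource rather than its name string. `role = local.name`
  # gives Terraform no dependency edge, so on a fresh apply this policy can be
  # created before the role exists and fail with NoSuchEntity.
  role   = aws_iam_role.default.name
  policy = data.aws_iam_policy_document.default.json
}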
# The role cloud-custodian's Lambda functions run as. Its permissions come from
# the inline aws_iam_role_policy above; its trust policy only admits the Lambda
# service (see assume_role_policy).
resource "aws_iam_role" "default" {
  name               = local.name
  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
  tags               = local.tags
}