Terraform: Add support for skip_resource_constraints and exclude_actions - Fixes #278 (#279)

* Clean up variables file and readme in Terraform modules

* Fixes #278 - improved IAM policy output format, added exclude_actions and skip_resource_constraints fields

Author: kmcquade

.editorconfig

@@ -1,3 +1,6 @@
+# top-most EditorConfig file
+root = true
+
 [*]
 indent_style = space
 indent_size = 4
@@ -16,3 +19,7 @@ max_line_length = 119
 
 [docs/**.txt]
 max_line_length = 79
+
+[*.{tf,tfvars}]
+indent_size = 2
+indent_style = space

README.md

@@ -16,10 +16,9 @@ IAM Least Privilege Policy Generator.
   * [Step 1: Create the Template](#step-1--create-the-template)
   * [Step 2: Copy/paste ARNs](#step-2--copy-paste-arns)
   * [Step 3: Write-policy command](#step-3--write-policy-command)
-- [Cheat Sheets](#cheat-sheets)
+- [Cheat sheets](#cheat-sheets)
   * [Policy Writing cheat sheet](#policy-writing-cheat-sheet)
   * [IAM Database Query Cheat Sheet](#iam-database-query-cheat-sheet)
-  * [Local Initialization (Optional)](#local-initialization--optional-)
 - [Other Usage](#other-usage)
   * [Commands](#commands)
   * [Python Library usage](#python-library-usage)

terraform_module/README.md

@@ -39,6 +39,8 @@ module "policy_sentry_demo" {
   permissions_management_access_level = var.permissions_management_access_level
   wildcard_only_single_actions               = var.wildcard_only_actions
   minimize                            = var.minimize
+  skip_resource_constraints           = var.skip_resource_constraints
+  exclude_actions                     = var.exclude_actions
 }
 ```
 

terraform_module/demo/main.tf

@@ -8,8 +8,20 @@ module "policy_sentry_demo" {
   permissions_management_access_level = var.permissions_management_access_level
   wildcard_only_single_actions        = var.wildcard_only_single_actions
   minimize                            = var.minimize
+  skip_resource_constraints           = var.skip_resource_constraints
+  exclude_actions                     = var.exclude_actions
 }
 
 terraform {
   required_version = "~> 0.12.8"
 }
+
+output "iam_policy_arn" {
+  description = "The ARN assigned by AWS to this policy."
+  value       = module.policy_sentry_demo.iam_policy_arn
+}
+
+output "iam_policy_document" {
+  description = "The policy document, decoded."
+  value       = jsondecode(module.policy_sentry_demo.iam_policy_document)
+}

terraform_module/demo/terraform.tfvars

@@ -9,4 +9,8 @@ read_access_level = [
 ]
 write_access_level = [
   "arn:aws:kms:us-east-1:123456789012:key/shaq"
-]
+]
+
+skip_resource_constraints = ["s3:GetObject"]
+
+exclude_actions = ["kms:Delete*"]

terraform_module/demo/variables.tf

@@ -74,3 +74,15 @@ variable "wildcard_only_permissions_management_service" {
   type        = list(string)
   default     = []
 }
+
+variable "skip_resource_constraints" {
+  description = "Skip resource constraint requirements by listing individual actions here, like s3:GetObject."
+  type        = list(string)
+  default     = []
+}
+
+variable "exclude_actions" {
+  description = "Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete*"
+  type        = list(string)
+  default     = []
+}

terraform_module/iam-policies/outputs.tf

@@ -1,24 +1,24 @@
 output "iam_policy_id" {
   description = "The policy's ID."
-  value       = aws_iam_policy.policy.*.id
+  value       = aws_iam_policy.policy.id
 }
 
 output "iam_policy_arn" {
   description = "The ARN assigned by AWS to this policy."
-  value       = aws_iam_policy.policy.*.arn
+  value       = aws_iam_policy.policy.arn
 }
 
 output "iam_policy_name" {
   description = "The name of the policy."
-  value       = aws_iam_policy.policy.*.name
+  value       = aws_iam_policy.policy.name
 }
 
 output "iam_policy_path" {
   description = "The path of the policy in IAM"
-  value       = aws_iam_policy.policy.*.path
+  value       = aws_iam_policy.policy.path
 }
 
 output "iam_policy_document" {
   description = "The policy document."
-  value       = aws_iam_policy.policy.*.policy
+  value       = aws_iam_policy.policy.policy
 }

terraform_module/main.tf

@@ -8,6 +8,8 @@ module "create_template" {
   permissions_management_access_level = var.permissions_management_access_level
   wildcard_only_single_actions        = var.wildcard_only_single_actions
   minimize                            = var.minimize
+  skip_resource_constraints           = var.skip_resource_constraints
+  exclude_actions                     = var.exclude_actions
 }
 
 module "create_iam" {

terraform_module/ps-template/README.md

@@ -21,19 +21,19 @@ This generates the JSON policy file with Policy Sentry.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| list\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | `list` | <pre>[<br>  ""<br>]</pre> | no |
+| list\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | `list(string)` | `[]` | no |
 | minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to false. | `bool` | `false` | no |
 | name | The name of the rendered policy file (no file extension). | `string` | n/a | yes |
-| permissions\_management\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| read\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| tagging\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_list\_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_permissions\_management\_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_read\_service | To generate a list of AWS service actions that (1) are at the READ access level and (2) do not support resource constraints, list the service prefix here. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_single\_actions | Individual actions that do not support resource constraints. For example, s3:ListAllMyBuckets | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_tagging\_service | To generate a list of AWS service actions that (1) are at the TAGGING access level and (2) do not support resource constraints, list the service prefix here. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| wildcard\_only\_write\_service | To generate a list of AWS service actions that (1) are at the WRITE access level and (2) do not support resource constraints, list the service prefix here. | `list` | <pre>[<br>  ""<br>]</pre> | no |
-| write\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs WRITE access to. | `list` | <pre>[<br>  ""<br>]</pre> | no |
+| permissions\_management\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | `list(string)` | `[]` | no |
+| read\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | `list(string)` | `[]` | no |
+| tagging\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | `list(string)` | `[]` | no |
+| wildcard\_only\_list\_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
+| wildcard\_only\_permissions\_management\_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
+| wildcard\_only\_read\_service | To generate a list of AWS service actions that (1) are at the READ access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
+| wildcard\_only\_single\_actions | Individual actions that do not support resource constraints. For example, s3:ListAllMyBuckets | `list(string)` | `[]` | no |
+| wildcard\_only\_tagging\_service | To generate a list of AWS service actions that (1) are at the TAGGING access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
+| wildcard\_only\_write\_service | To generate a list of AWS service actions that (1) are at the WRITE access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
+| write\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs WRITE access to. | `list(string)` | `[]` | no |
 
 ## Outputs
 

terraform_module/ps-template/main.tf

@@ -18,7 +18,9 @@ locals {
       "service-list" : var.wildcard_only_list_service,
       "service-tagging" : var.wildcard_only_tagging_service,
       "service-permissions-management" : var.wildcard_only_permissions_management_service,
-    }
+    },
+    "exclude-actions" : var.exclude_actions,
+    "skip-resource-constraints" : var.skip_resource_constraints
   }
   rendered_template = jsonencode(local.policy_sentry_template)
   decoded_template  = jsondecode(jsonencode(local.policy_sentry_template))