Merge pull request #282 from kmcquade/fix/GH-281-terraform-0.13-support

Adds support for Terraform 0.13

Author: kmcquade

README.md

@@ -19,6 +19,7 @@ IAM Least Privilege Policy Generator.
 - [Cheat sheets](#cheat-sheets)
   * [Policy Writing cheat sheet](#policy-writing-cheat-sheet)
   * [IAM Database Query Cheat Sheet](#iam-database-query-cheat-sheet)
+  * [Local Initialization (Optional)](#local-initialization--optional-)
 - [Other Usage](#other-usage)
   * [Commands](#commands)
   * [Python Library usage](#python-library-usage)
@@ -441,54 +442,7 @@ cat examples/yml/actions.yml | docker run -i --rm kmcquade/policy_sentry:latest
 
 ### Terraform
 
-The Terraform module is published and maintained [here](https://github.com/kmcquade/terraform-aws-policy-sentry).
-
-* Prerequisites:
-  - Install Policy Sentry (v0.7.2 or higher)
-  - Install Terraform (v0.12.8 or higher)
-
-* Create the `main.tf` in your directory with the following contents:
-
-```hcl
-module "policy_sentry_demo" {
-  source                              = "github.com/kmcquade/terraform-aws-policy-sentry"
-  name                                = var.name
-  read_access_level                   = var.read_access_level
-  write_access_level                  = var.write_access_level
-  list_access_level                   = var.list_access_level
-  tagging_access_level                = var.tagging_access_level
-  permissions_management_access_level = var.permissions_management_access_level
-  wildcard_only_actions               = var.wildcard_only_actions
-  minimize                            = var.minimize
-}
-```
-
-* Copy and paste the contents of the `variables.tf` file [here](https://github.com/kmcquade/terraform-aws-policy-sentry/blob/master/examples/demo/variables.tf) into your directory.
-
-* Create a `terraform.tfvars` file in your directory with the following contents:
-
-terraform.tfvars:
-```hcl
-name = "PolicySentryTest"
-
-list_access_level = [
-  "arn:aws:s3:::example-org",
-]
-
-read_access_level = [
-  "arn:aws:kms:us-east-1:123456789012:key/shaq"
-]
-
-write_access_level = [
-  "arn:aws:kms:us-east-1:123456789012:key/shaq"
-]
-```
-
-* Run `terraform apply` once to create the JSON policy file.
-
-* Run `terraform apply` **again** (from the same directory) to create the IAM policy.
-
-For the full example, including GIFs depicting real output, see the README for the Terraform module [here](https://github.com/kmcquade/terraform-aws-policy-sentry).
+The Terraform module is published and maintained [here](https://github.com/salesforce/policy_sentry/tree/master/terraform_module).
 
 ## References
 

terraform_module/README.md

@@ -1,11 +1,11 @@
-# terraform-aws-policy-sentry
+# Policy Sentry Terraform Module
 
 Builds secure IAM Policies with resource constraints. For more information on Policy Sentry, see [the documentation](https://policy-sentry.readthedocs.io/en/latest/).
 
 ## Prerequisites
 
 * You must have Policy Sentry 0.10.0 installed beforehand and it must be executable from your `$PATH`. Follow the installation instructions [here](https://policy-sentry.readthedocs.io/en/latest/user-guide/installation.html)
-  * This module currently requires Terraform 0.12.8
+  * This module requires Terraform 0.12.8 or higher. It has been tested through 0.13.5.
 
 ## Usage
 
@@ -69,7 +69,7 @@ write_access_level = [
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.8 |
+| terraform | >= 0.12.8 |
 | aws | ~> 2.48.0 |
 | external | ~> 1.2 |
 | local | ~> 1.3 |
@@ -85,12 +85,14 @@ No provider.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | description | The description to include for the IAM policy. | `string` | `"Generated by Policy Sentry"` | no |
+| exclude\_actions | Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete\* | `list(string)` | `[]` | no |
 | list\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | `list(string)` | `[]` | no |
-| minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to false. | `bool` | `false` | no |
+| minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to TRUE. | `bool` | `true` | no |
 | name | The name of the rendered policy file (no file extension). | `string` | n/a | yes |
 | permissions\_management\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | `list(string)` | `[]` | no |
 | read\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | `list(string)` | `[]` | no |
 | region | The AWS region for these resources. Defaults to us-east-1 | `string` | `"us-east-1"` | no |
+| skip\_resource\_constraints | Skip resource constraint requirements by listing individual actions here, like s3:GetObject. | `list(string)` | `[]` | no |
 | tagging\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | `list(string)` | `[]` | no |
 | wildcard\_only\_list\_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
 | wildcard\_only\_permissions\_management\_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
@@ -126,6 +128,3 @@ pre-commit run -a
 ## Todo
 * Publish this on Terraform module registry
 
-## License
-
-Copyright: © 2020 Kinnaird McQuade

terraform_module/demo/main.tf

@@ -13,7 +13,7 @@ module "policy_sentry_demo" {
 }
 
 terraform {
-  required_version = "~> 0.12.8"
+  required_version = ">= 0.12.8"
 }
 
 output "iam_policy_arn" {
@@ -23,5 +23,5 @@ output "iam_policy_arn" {
 
 output "iam_policy_document" {
   description = "The policy document, decoded."
-  value       = jsondecode(module.policy_sentry_demo.iam_policy_document)
+  value       = module.policy_sentry_demo.iam_policy_document
 }

terraform_module/demo/terraform.tfvars

@@ -14,3 +14,5 @@ write_access_level = [
 skip_resource_constraints = ["s3:GetObject"]
 
 exclude_actions = ["kms:Delete*"]
+
+# minimize = true

terraform_module/iam-policies/README.md

@@ -18,7 +18,7 @@ module "policies" {
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.8 |
+| terraform | >= 0.12.8 |
 | aws | ~> 2.48.0 |
 | template | ~> 2.1.2 |
 

terraform_module/iam-policies/provider.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = "~> 0.12.8"
+  required_version = ">= 0.12.8"
 }
 
 provider "aws" {

terraform_module/outputs.tf

@@ -20,5 +20,5 @@ output "iam_policy_path" {
 
 output "iam_policy_document" {
   description = "The policy document."
-  value       = module.create_iam.iam_policy_document
+  value       = jsondecode(module.create_iam.iam_policy_document)
 }

terraform_module/provider.tf

@@ -1,5 +1,5 @@
 terraform {
-  required_version = "~> 0.12.8"
+  required_version = ">= 0.12.8"
 }
 
 provider "aws" {

terraform_module/ps-template/README.md

@@ -7,7 +7,7 @@ This generates the JSON policy file with Policy Sentry.
 
 | Name | Version |
 |------|---------|
-| terraform | ~> 0.12.8 |
+| terraform | >= 0.12.8 |
 | local | ~> 1.3 |
 
 ## Providers
@@ -21,11 +21,13 @@ This generates the JSON policy file with Policy Sentry.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| exclude\_actions | Exclude actions from the output by specifying them here. Accepts wildcards, like kms:Delete\* | `list(string)` | `[]` | no |
 | list\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs LIST access to. | `list(string)` | `[]` | no |
 | minimize | If set to true, it will minimize the size of the IAM Policy file. Defaults to false. | `bool` | `false` | no |
 | name | The name of the rendered policy file (no file extension). | `string` | n/a | yes |
 | permissions\_management\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs PERMISSIONS MANAGEMENT access to. | `list(string)` | `[]` | no |
 | read\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs READ access to. | `list(string)` | `[]` | no |
+| skip\_resource\_constraints | Skip resource constraint requirements by listing individual actions here, like s3:GetObject. | `list(string)` | `[]` | no |
 | tagging\_access\_level | Provide a list of Amazon Resource Names (ARNs) that your role needs TAGGING access to. | `list(string)` | `[]` | no |
 | wildcard\_only\_list\_service | To generate a list of AWS service actions that (1) are at the LIST access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |
 | wildcard\_only\_permissions\_management\_service | To generate a list of AWS service actions that (1) are at the PERMISSIONS MANAGEMENT access level and (2) do not support resource constraints, list the service prefix here. | `list(string)` | `[]` | no |

terraform_module/ps-template/main.tf

@@ -34,6 +34,7 @@ resource "local_file" "template" {
 }
 
 data "external" "policy" {
-  program = concat(local.command, ["--input-file", local_file.template.filename])
+  program    = concat(local.command, ["--input-file", local_file.template.filename])
+  depends_on = [local_file.template]
 }