{"id":21725287,"url":"https://github.com/jameswoolfenden/pike","last_synced_at":"2026-02-25T10:24:13.578Z","repository":{"id":53028178,"uuid":"499752618","full_name":"JamesWoolfenden/pike","owner":"JamesWoolfenden","description":"Pike is a tool for determining the permissions or policy required for IAC code","archived":false,"fork":false,"pushed_at":"2024-09-13T18:28:29.000Z","size":5839,"stargazers_count":556,"open_issues_count":12,"forks_count":24,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-09-14T09:35:25.443Z","etag":null,"topics":["aws","bridgecrew","gcp","iac","policy","security","terraform"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JamesWoolfenden.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-06-04T07:09:20.000Z","updated_at":"2024-09-13T18:28:33.000Z","dependencies_parsed_at":"2023-10-14T18:07:47.826Z","dependency_job_id":"b09f63e8-84ca-4ee9-8e5f-c3809b86235c","html_url":"https://github.com/JamesWoolfenden/pike","commit_stats":null,"previous_names":[],"tags_count":260,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesWoolfenden%2Fpike","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesWoolfenden%2Fpike/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesWoolfenden%2Fpike/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JamesWoolfenden%2Fpike/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JamesWoolfenden","download_url":"https://codeload.github.com/JamesWoolfenden/pike/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247242683,"owners_count":20907134,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","bridgecrew","gcp","iac","policy","security","terraform"],"created_at":"2024-11-26T03:16:59.403Z","updated_at":"2026-02-25T10:24:13.571Z","avatar_url":"https://github.com/JamesWoolfenden.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Pike\n\n![alt text](pike.jfif \"Pike\")\n\n[![Maintenance](https://img.shields.io/badge/Maintained%3F-yes-green.svg)](https://GitHub.com/jameswoolfenden/pike/graphs/commit-activity)\n[![CI](https://github.com/JamesWoolfenden/pike/actions/workflows/ci.yml/badge.svg)](https://github.com/JamesWoolfenden/pike/actions/workflows/ci.yml)\n[![Latest Release](https://img.shields.io/github/release/JamesWoolfenden/pike.svg)](https://github.com/JamesWoolfenden/pike/releases/latest)\n[![GitHub tag (latest SemVer)](https://img.shields.io/github/tag/JamesWoolfenden/pike.svg?label=latest)](https://github.com/JamesWoolfenden/pike/releases/latest)\n![OpenTofu/Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.14.0-blue.svg)\n[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit\u0026logoColor=white)](https://github.com/pre-commit/pre-commit)\n[![checkov](https://img.shields.io/badge/checkov-verified-brightgreen)](https://www.checkov.io/)\n[![Github All Releases](https://img.shields.io/github/downloads/jameswoolfenden/pike/total.svg)](https://github.com/JamesWoolfenden/pike/releases)\n[![codecov](https://codecov.io/gh/JamesWoolfenden/pike/branch/master/graph/badge.svg?token=S5SW3BHIQQ)](https://codecov.io/gh/JamesWoolfenden/pike)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7032/badge)](https://www.bestpractices.dev/projects/7032)\n\nPike is a tool to determine the minimum IAM permissions required to run OpenTofu/Terraform infrastructure code.\n\n**What's new?**\n\n- json modules support.\n- GCP compare, checks IAC permissions required versus a deployed role.\n- Backend detection S3 and GCP.\n\nPike currently supports OpenTofu/Terraform and supports multiple providers (AWS, GCP and AZURE);\nAzure is the newest with AWS having the most supported resources\n\u003chttps://github.com/JamesWoolfenden/pike/tree/master/src/mapping\u003e.\nFeel free to submit PR or Issue if you find an issue or even better add new resources, and then I'll take a look at\nmerging it ASAP.\n\n**CAVEAT** The outputs of this tool are your first step, if you have AWS, you can now generate resources partially,\nthere are no conditions and even partial resources are wild-carded (for now).\n(for AWS)minimum\n**best practice** would go further (and I am working on it as well), you will need to modify these permissions to the\nrequired in your environment by adding these\nrestrictions, you can also deploy using short-lived credentials (using this tool or Vault) (in AWS so far), generating\nshort-lived credentials for your build\nand then remotely (REMOTE) supply and invoke your builds (INVOKE).\n\nIdeally I would like to do this for you, but these policies are currently determined statically (QUICKER), and\nunrecorded intentions can be impossible to infer.\n\n## Quick Start\n\nGet started with Pike in 3 steps:\n\n1. **Install Pike**\n\n ```shell\n # macOS\n brew tap jameswoolfenden/homebrew-tap\n brew install jameswoolfenden/tap/pike\n\n # Windows (using Scoop)\n scoop bucket add iac https://github.com/JamesWoolfenden/scoop.git\n scoop install pike\n\n # Or install from source\n go install github.com/jameswoolfenden/pike@latest\n ```\n\n2. **Scan your OpenTofu/Terraform code**\n\n ```shell\n pike scan -d ./path/to/your/terraform\n ```\n\n This outputs the minimum IAM permissions required as JSON.\n\n3. **Generate as Terraform/OpenTofu code**\n\n ```shell\n pike scan -o terraform -d ./path/to/your/terraform\n ```\n\n This creates an `aws_iam_policy` resource you can deploy.\n\n**Next steps:** Use `pike make` to deploy the policy directly, or `pike compare` to validate against existing policies. See [Usage](#usage) for all commands.\n\n## Table of Contents\n\n\u003c!--toc:start--\u003e\n\n- [Pike](#pike)\n - [Quick Start](#quick-start)\n - [Table of Contents](#table-of-contents)\n - [Install](#install)\n - [MacOS](#macos)\n - [Windows](#windows)\n - [Docker](#docker)\n - [Usage](#usage)\n - [Scan](#scan)\n - [Output](#output)\n - [Make](#make)\n - [Invoke](#invoke)\n - [Apply](#apply)\n - [Remote](#remote)\n - [Readme](#readme)\n - [Pull](#pull)\n - [Compare](#compare)\n - [Help](#help)\n - [Building](#building)\n - [Inspect](#inspect)\n - [Extending](#extending)\n - [Add Import mapping file](#add-import-mapping-file)\n - [Add to provider Scan](#add-to-provider-scan)\n - [Related Tools](#related-tools)\n\n\u003c!--toc:end--\u003e\n\n## Install\n\nDownload the latest binary here:\n\n\u003chttps://github.com/JamesWoolfenden/pike/releases\u003e\n\nInstall from code:\n\n- Clone repo\n- Run `go install`\n\nInstall remotely:\n\n```shell\ngo install github.com/jameswoolfenden/pike@latest\n```\n\n### MacOS\n\n```shell\nbrew tap jameswoolfenden/homebrew-tap\nbrew install jameswoolfenden/tap/pike\n```\n\n### Windows\n\nI'm now using Scoop to distribute releases, it's much quicker to update and easier to manage than previous methods,\nyou can install scoop from \u003chttps://scoop.sh/\u003e.\n\nAdd my scoop bucket:\n\n```shell\nscoop bucket add iac https://github.com/JamesWoolfenden/scoop.git\n```\n\nThen you can install a tool:\n\n```bash\nscoop install pike\n```\n\n### Docker\n\n```shell\ndocker pull jameswoolfenden/pike\ndocker run --tty --volume /local/path/to/tf:/tf jameswoolfenden/pike scan -d /tf\n```\n\n\u003chttps://hub.docker.com/repository/docker/jameswoolfenden/pike\u003e\n\n## Usage\n\n### Scan\n\nTo scan a directory containing OpenTofu/Terraform files:\n\n```shell\n./pike scan -d .\\terraform\\\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:MonitorInstances\",\n \"ec2:UnmonitorInstances\",\n \"ec2:DescribeInstances\",\n \"ec2:DescribeTags\",\n \"ec2:DescribeInstanceAttribute\",\n \"ec2:DescribeVolumes\",\n \"ec2:DescribeInstanceTypes\",\n \"ec2:RunInstances\",\n \"ec2:DescribeInstanceCreditSpecifications\",\n \"ec2:StopInstances\",\n \"ec2:StartInstances\",\n \"ec2:ModifyInstanceAttribute\",\n \"ec2:TerminateInstances\",\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:AuthorizeSecurityGroupEgress\",\n \"ec2:CreateSecurityGroup\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:RevokeSecurityGroupEgress\"\n ],\n \"Resource\": \"*\"\n }\n}\n```\n\nYou can also generate the policy as OpenTofu/Terraform instead:\n\n```bash\n$pike scan -o terraform -d ../modules/aws/terraform-aws-activemq\nresource \"aws_iam_policy\" \"terraformXVlBzgba\" {\n name = \"terraformXVlBzgba\"\n path = \"/\"\n description = \"Add Description\"\n\n policy = jsonencode({\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VisualEditor0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AuthorizeSecurityGroupEgress\",\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateNetworkInterface\",\n \"ec2:CreateNetworkInterfacePermission\",\n \"ec2:CreateSecurityGroup\",\n \"ec2:CreateTags\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:DeleteNetworkInterfacePermission\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:RevokeSecurityGroupEgress\",\n \"ec2:RevokeSecurityGroupIngress\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"VisualEditor1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:CreateKey\",\n \"kms:DescribeKey\",\n \"kms:EnableKeyRotation\",\n \"kms:GetKeyPolicy\",\n \"kms:GetKeyRotationStatus\",\n \"kms:ListResourceTags\",\n \"kms:ScheduleKeyDeletion\",\n \"kms:TagResource\",\n \"kms:UntagResource\"\n ],\n \"Resource\": \"*\"\n },\n {\n \"Sid\": \"VisualEditor2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"mq:CreateBroker\",\n \"mq:CreateConfiguration\",\n \"mq:CreateTags\",\n \"mq:CreateUser\",\n \"mq:DeleteBroker\",\n \"mq:DeleteTags\",\n \"mq:DeleteUser\",\n \"mq:DescribeBroker\",\n \"mq:DescribeConfiguration\",\n \"mq:DescribeConfigurationRevision\",\n \"mq:DescribeUser\",\n \"mq:RebootBroker\",\n \"mq:UpdateBroker\",\n \"mq:UpdateConfiguration\",\n \"mq:UpdateUser\"\n ],\n \"Resource\": \"*\"\n }\n ]\n})\n}\n```\n\nAnd I am working on further enhancements to policy generation, if you have AWS auth installed:\n\n```hcl\ne:\\pike scan -d . -i -e\n9:13AM DBG terraform init at E:\\Code\\modules\\aws\\terraform-aws-activemq\n9:13AM DBG downloaded ip\nresource \"aws_iam_policy\" \"terraform_pike\" {\n name_prefix = \"terraform_pike\"\n path = \"/\"\n description = \"Pike Autogenerated policy from IAC\"\n\n policy = jsonencode({\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VisualEditor0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ec2:AuthorizeSecurityGroupEgress\",\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:CreateNetworkInterface\",\n \"ec2:CreateNetworkInterfacePermission\",\n \"ec2:CreateSecurityGroup\",\n \"ec2:CreateTags\",\n \"ec2:DeleteNetworkInterface\",\n \"ec2:DeleteNetworkInterfacePermission\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:DeleteTags\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeVpcs\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:RevokeSecurityGroupEgress\",\n \"ec2:RevokeSecurityGroupIngress\"\n ],\n \"Resource\": [\n \"arn:aws:ec2:eu-west-2:680235478471:*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:CreateGrant\"\n ],\n \"Resource\": [\n \"arn:aws:kms:eu-west-2:680235478471:*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"mq:CreateBroker\",\n \"mq:CreateConfiguration\",\n \"mq:CreateTags\",\n \"mq:CreateUser\",\n \"mq:DeleteBroker\",\n \"mq:DeleteTags\",\n \"mq:DeleteUser\",\n \"mq:DescribeBroker\",\n \"mq:DescribeConfiguration\",\n \"mq:DescribeConfigurationRevision\",\n \"mq:DescribeUser\",\n \"mq:RebootBroker\",\n \"mq:UpdateBroker\",\n \"mq:UpdateConfiguration\",\n \"mq:UpdateUser\"\n ],\n \"Resource\": [\n \"arn:aws:mq:eu-west-2:680235478471:*\"\n ]\n }\n ]\n})\n}\n```\n\n### Output\n\nIf you select the -w flag, pike will write out the role/policy required to build your project into the .pike folder:\n\n```bash\n$pike scan -w -i -d .\n2022/09/17 13:50:51 terraform init at .\n2022/09/17 13:50:51 downloaded ip\n```\n\nThe .pike folder will contain:\n\n``` shell\naws_iam_role.terraform_pike.tf\npike.generated_policy.tf\n```\n\nWhich you can deploy using OpenTofu/Terraform to create the role/policy to build your infrastructure project.\n\n### Make\n\nYou can now deploy the policy you need directly (AWS only so far):\n\n```bash\n$pike make -d ../modules/aws/terraform-aws-apigateway/\n\n2022/09/18 08:53:41 terraform init at ..\\modules\\aws\\terraform-aws-apigateway\\\n2022/09/18 08:53:41 modules not found at ..\\modules\\aws\\terraform-aws-apigateway\\\n2022/09/18 08:53:49 aws role create/updated arn:aws:iam::680235478471:role/terraform_pike_20220918071439382800000002\n arn:aws:iam::680235478471:role/terraform_pike_20220918071439382800000002\n```\n\nThis new verb returns the ARN of the role created, and you can find the Terraform used in your .pike folder.\n\n### Invoke\n\nInvoke is currently for triggering GitHub actions, if supplied with the workflow (defaults to main.yaml), repository and\nbranch (defaults to main) flags, it will trigger the dispatch event.\n\nYou'll need to include the dispatch event in your workflow:\n\n```yaml\non:\n workflow_dispatch:\n push:\n branches:\n - master\n```\n\nTo authenticate with the GitHub API, you will need to set your GitHub Personal Access Token, as the environment variable\n*GITHUB_TOKEN*\n\nTo Invoke a workflow, it is then:\n\n```shell\npike invoke -workflow master.yml -branch master -repository JamesWoolfenden/terraform-aws-s3\n```\n\nI created Invoke to be used in tandem with the new remote command which supplies temporary credentials to a workflow.\n\n**Note The GitHub API is rate-limited, usually 5000 calls per hour.\n\n```shell\npike make -d ./module/aws/terraform-aws-s3/example/examplea\n```\n\n### Apply\n\nApply is an extension to make and will apply the policy and role and use that role to create your infrastructure:\n\n```shell\npike apply -d ./module/aws/terraform-aws-s3/example/examplea -region eu-west-2\n```\n\nIt is intended for testing and developing the permissions for Pike itself\n\n### Remote\n\nRemote uses the core code of make and apply, to write temporary AWS credentials(only so far) into your workflow.\n\n```shell\npike remote -d ./module/aws/terraform-aws-s3/example/examplea -region eu-west-2 -repository terraform-aws-s3\n```\n\n### Readme\n\nPike can now be used to update a projects README.md file:\n\n./pike readme -o terraform -d ..\\modules\\aws\\terraform-aws-activemq\\\n\nThis looks in the README for the delimiters:\n\n```html\n\u003c!-- BEGINNING OF PRE-COMMIT-PIKE DOCS HOOK --\u003e\n\u003c!-- END OF PRE-COMMIT-PIKE DOCS HOOK --\u003e\n```\n\nand replaces is either with JSON or Terraform like so:\n\n```markdown\nThis is the policy required to build this project:\n\nThe Policy required is\n\n{\n \"Version\": \"2012-10-17\",\n \"Statement\": {\n \"Effect\": \"Allow\",\n \"Action\": [\n \"mq:CreateTags\",\n \"mq:DeleteTags\",\n \"ec2:DescribeInternetGateways\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeVpcs\",\n \"ec2:DescribeSubnets\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:CreateNetworkInterface\",\n \"ec2:CreateNetworkInterfacePermission\",\n \"ec2:DeleteNetworkInterfacePermission\",\n \"ec2:DetachNetworkInterface\",\n \"ec2:DeleteNetworkInterface\",\n \"mq:CreateBroker\",\n \"mq:DescribeBroker\",\n \"mq:DescribeUser\",\n \"mq:UpdateBroker\",\n \"mq:DeleteBroker\",\n \"mq:CreateConfiguration\",\n \"mq:UpdateConfiguration\",\n \"mq:DescribeConfiguration\",\n \"mq:DescribeConfigurationRevision\",\n \"mq:RebootBroker\",\n \"ec2:CreateTags\",\n \"ec2:DeleteTags\",\n \"ec2:CreateSecurityGroup\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:RevokeSecurityGroupEgress\",\n \"kms:TagResource\",\n \"kms:UntagResource\",\n \"kms:EnableKeyRotation\",\n \"kms:CreateKey\",\n \"kms:DescribeKey\",\n \"kms:GetKeyPolicy\",\n \"kms:GetKeyRotationStatus\",\n \"kms:ListResourceTags\",\n \"kms:ScheduleKeyDeletion\"\n ],\n \"Resource\": \"*\"\n }\n}\n```\n\nYou can see an example here \u003chttps://github.com/jamesWoolfenden/terraform-aws-activemq#policy\u003e.\n\n## Compare\n\nWant to check your deployed IAM policy against your infrastructure code requirement?\n\nThis works for AWS and GCP.\n\n\u003e$./pike compare -d ../modules/aws/terraform-aws-appsync -a arn:aws:iam::680235478471:policy/basic\n\n```markdown\nIAM Policy arn:aws:iam::680235478471:policy/basic versus Infrastructure Code ../modules/aws/terraform-aws-appsync\n {\n \"Statement\": [\n 0: {\n \"Action\": [\n- 0: \"kinesisvideo:CreateStream\"\n+ 0: \"firehose:CreateDeliveryStream\"\n+ 0: \"firehose:CreateDeliveryStream\"\n+ 1: \"firehose:DeleteDeliveryStream\"\n+ 2: \"firehose:DescribeDeliveryStream\"\n+ 3: \"firehose:ListTagsForDeliveryStream\"\n+ 4: \"iam:AttachRolePolicy\"\n+ 5: \"iam:CreateRole\"\n+ 6: \"iam:DeleteRole\"\n+ 7: \"iam:DetachRolePolicy\"\n+ 8: \"iam:GetRole\"\n+ 9: \"iam:ListAttachedRolePolicies\"\n+ 10: \"iam:ListInstanceProfilesForRole\"\n+ 11: \"iam:ListRolePolicies\"\n+ 12: \"iam:PassRole\"\n+ 13: \"iam:TagRole\"\n+ 14: \"kms:CreateKey\"\n+ 15: \"kms:DescribeKey\"\n+ 16: \"kms:EnableKeyRotation\"\n+ 17: \"kms:GetKeyPolicy\"\n+ 18: \"kms:GetKeyRotationStatus\"\n+ 19: \"kms:ListResourceTags\"\n+ 20: \"kms:ScheduleKeyDeletion\"\n+ 21: \"logs:AssociateKmsKey\"\n+ 22: \"logs:CreateLogGroup\"\n+ 23: \"logs:DeleteLogGroup\"\n+ 24: \"logs:DeleteRetentionPolicy\"\n+ 25: \"logs:DescribeLogGroups\"\n+ 26: \"logs:DisassociateKmsKey\"\n+ 27: \"logs:ListTagsLogGroup\"\n+ 28: \"logs:PutRetentionPolicy\"\n+ 29: \"s3:CreateBucket\"\n+ 30: \"s3:DeleteBucket\"\n+ 31: \"s3:GetAccelerateConfiguration\"\n+ 32: \"s3:GetBucketAcl\"\n+ 33: \"s3:GetBucketCORS\"\n+ 34: \"s3:GetBucketLogging\"\n+ 35: \"s3:GetBucketObjectLockConfiguration\"\n+ 36: \"s3:GetBucketPolicy\"\n+ 37: \"s3:GetBucketPublicAccessBlock\"\n+ 38: \"s3:GetBucketRequestPayment\"\n+ 39: \"s3:GetBucketTagging\"\n+ 40: \"s3:GetBucketVersioning\"\n+ 41: \"s3:GetBucketWebsite\"\n+ 42: \"s3:GetEncryptionConfiguration\"\n+ 43: \"s3:GetLifecycleConfiguration\"\n+ 44: \"s3:GetObject\"\n+ 45: \"s3:GetObjectAcl\"\n+ 46: \"s3:GetReplicationConfiguration\"\n+ 47: \"s3:ListAllMyBuckets\"\n+ 48: \"s3:ListBucket\"\n+ 49: \"s3:PutBucketAcl\"\n+ 50: \"s3:PutBucketPublicAccessBlock\"\n+ 51: \"s3:PutEncryptionConfiguration\"\n+ 52: \"wafv2:CreateWebACL\"\n+ 53: \"wafv2:DeleteWebACL\"\n+ 54: \"wafv2:GetWebACL\"\n ],\n \"Effect\": \"Allow\",\n \"Resource\": \"*\",\n- \"Sid\": \"\"\n+ \"Sid\": \"VisualEditor0\"\n }\n ],\n \"Version\": \"2012-10-17\"\n }\n```\n\n## Pull\n\nPull adds the ability to work with Git repositories (thanks to **go-git**),\nto output the required permissions in JSON or OpenTofu/Terraform:\n\n```bash\n./pike pull\nNAME:\n pike pull - Clones remote repo and scans it using pike\n\nUSAGE:\n pike pull [command options] [arguments...]\n\nOPTIONS:\n --directory value, -d value Directory to scan (defaults to .) (default: \".\")\n --destination value, --dest value Where to clone repository (default: \".destination\")\n --output json, -o json Policy Output types e.g. json terraform (default: \"terraform\") [%OUTPUT%]\n --repository value, -r value Repository url\n --init, -i Run Terraform init to download modules (default: false)\n --write, -w Write the policy output to a file at .pike (default: false)\n --help, -h show help\n\n```\n\nLike so:\n\n```hcl\n$ ./pike.exe pull -r https://github.com/JamesWoolfenden/terraform-aws-codebuild -i -d .\n10:31PM INF .destination was not empty, removing\n10:31PM INF git clone https://github.com/JamesWoolfenden/terraform-aws-codebuild .destination --recursive\n10:31PM DBG terraform init at E:\\Code\\pike\\.destination\n10:31PM DBG modules not found at .destination\nresource \"aws_iam_policy\" \"terraform_pike\" {\n name_prefix = \"terraform_pike\"\n path = \"/\"\n description = \"Pike Autogenerated policy from IAC\"\n\n policy = jsonencode({\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VisualEditor0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"codebuild:BatchGetProjects\",\n \"codebuild:CreateProject\",\n \"codebuild:DeleteProject\",\n \"codebuild:UpdateProject\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor1\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"events:DeleteRule\",\n \"events:DescribeRule\",\n \"events:ListTagsForResource\",\n \"events:ListTargetsByRule\",\n \"events:PutRule\",\n \"events:PutTargets\",\n \"events:RemoveTargets\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor2\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"iam:AttachRolePolicy\",\n \"iam:CreatePolicy\",\n \"iam:CreateRole\",\n \"iam:DeletePolicy\",\n \"iam:DeleteRole\",\n \"iam:DeleteRolePolicy\",\n \"iam:DetachRolePolicy\",\n \"iam:GetPolicy\",\n \"iam:GetPolicyVersion\",\n \"iam:GetRole\",\n \"iam:GetRolePolicy\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:ListInstanceProfilesForRole\",\n \"iam:ListPolicyVersions\",\n \"iam:ListRolePolicies\",\n \"iam:PassRole\",\n \"iam:PutRolePolicy\",\n \"iam:TagRole\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor3\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Decrypt\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor4\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:CreateBucket\",\n \"s3:DeleteBucket\",\n \"s3:GetAccelerateConfiguration\",\n \"s3:GetBucketAcl\",\n \"s3:GetBucketCORS\",\n \"s3:GetBucketLogging\",\n \"s3:GetBucketObjectLockConfiguration\",\n \"s3:GetBucketPolicy\",\n \"s3:GetBucketPublicAccessBlock\",\n \"s3:GetBucketRequestPayment\",\n \"s3:GetBucketTagging\",\n \"s3:GetBucketVersioning\",\n \"s3:GetBucketWebsite\",\n \"s3:GetEncryptionConfiguration\",\n \"s3:GetLifecycleConfiguration\",\n \"s3:GetObject\",\n \"s3:GetObjectAcl\",\n \"s3:GetReplicationConfiguration\",\n \"s3:ListAllMyBuckets\",\n \"s3:ListBucket\",\n \"s3:PutBucketAcl\",\n \"s3:PutBucketLogging\",\n \"s3:PutBucketPublicAccessBlock\",\n \"s3:PutBucketVersioning\",\n \"s3:PutEncryptionConfiguration\",\n \"s3:PutLifecycleConfiguration\"\n ],\n \"Resource\": [\n \"*\"\n ]\n },\n {\n \"Sid\": \"VisualEditor5\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"ssm:AddTagsToResource\",\n \"ssm:DeleteParameter\",\n \"ssm:DescribeParameters\",\n \"ssm:GetParameter\",\n \"ssm:GetParameters\",\n \"ssm:ListTagsForResource\",\n \"ssm:PutParameter\"\n ],\n \"Resource\": [\n \"*\"\n ]\n }\n ]\n})\n}\n\n```\n\n## Help\n\n```bash\n./pike -h\nNAME:\n pike - Generate IAM policy from your IAC code\n\nUSAGE:\n pike [global options] command [command options]\n\nVERSION:\n 9.9.9\n\nAUTHOR:\n James Woolfenden \u003cjames.woolfenden@gmail.com\u003e\n\nCOMMANDS:\n apply, a Create a policy and use it to instantiate the IAC\n compare, c policy comparison of deployed versus IAC\n inspect, x policy comparison of environment versus IAC\n invoke, i Triggers a gitHub action specified with the workflow flag\n make, m make the policy/role required for this IAC to deploy\n parse, p Triggers a gitHub action specified with the workflow flag\n pull, l Clones remote repo and scans it using pike\n readme, r Looks in dir for a README.md and updates it with the Policy required to build the code\n remote, o Create/Update the Policy and set credentials/secret for Github Action\n scan, s scan a directory for IAM code\n version, v Outputs the application version\n watch, w Waits for policy update\n help, h Shows a list of commands or help for one command\n\nGLOBAL OPTIONS:\n --help, -h show help\n --version, -v print the version\n\n```\n\n## Building\n\n```shell\ngo build\n```\n\nor\n\n```Make\nMake build\n```\n\n## Inspect\n\nThis new feature is in *beta* and is not yet fully supported and currently only for AWS.\nWhen Pike is run with inspect, it will scan your code and output a policy that is required to deploy the code, as normal,\nbut it will also detect the running IAM credentials.\nIt will then report on the overlap between the running credentials and the minimum policy.\n\nThis works with AWS IAM user, group and role/assumed role credentials.\n\n```bash\n./pike inspect -d terraform/aws\nThe following are over-permissive:\ns3:*\ns3-object-lambda:*\n*\naccount:GetAccountInformation\naws-portal:*Billing\naws-portal:*PaymentMethods\naws-portal:*Usage\nbilling:GetBillingData\nbilling:GetBillingDetails\nbilling:GetBillingNotifications\nbilling:GetBillingPreferences\n\n```\n\nThis currently uses a different AWS profile to run the scan - presently hardcoded to \"basic\",\nwhich only has the following permissions:\n\n```json\nstatement {\n effect = \"Allow\"\n actions = [\n \"iam:ListUserPolicies\",\n \"iam:ListAttachedUserPolicies\",\n \"iam:ListRolePolicies\",\n \"iam:ListAttachedRolePolicies\",\n \"iam:ListGroupPolicies\",\n \"iam:ListAttachedGroupPolicies\",\n \"iam:GetPolicy\",\n \"iam:GetPolicyVersion\",\n \"iam:GetUserPolicy\",\n \"iam:GetRolePolicy\",\n \"iam:GetGroupPolicy\",\n \"iam:ListGroupsForUser\"\n ]\n resources = [\"*\"]\n }\n```\n\n## Extending\n\nDetermine and create IAM mapping files (\"./src/mapping\") by\nworking out the permissions required for your resource.\nFor example, *aws_security_group.json*:\n\n```json\n[\n {\n \"apply\": [\n \"ec2:CreateSecurityGroup\",\n \"ec2:DescribeSecurityGroups\",\n \"ec2:DescribeAccountAttributes\",\n \"ec2:DescribeNetworkInterfaces\",\n \"ec2:DeleteSecurityGroup\",\n \"ec2:RevokeSecurityGroupEgress\"\n ],\n \"attributes\": {\n \"ingress\": [\n \"ec2:AuthorizeSecurityGroupIngress\",\n \"ec2:AuthorizeSecurityGroupEgress\"\n ],\n \"tags\": [\n \"ec2:CreateTags\",\n \"ec2:DeleteTags\"\n ]\n },\n \"destroy\": [\n \"ec2:DeleteSecurityGroup\"\n ],\n \"modify\": [],\n \"plan\": []\n }\n]\n\n```\n\n### How\n\nDatasources are the easiest to start with. There's a script (resource.ps1 - requires pwsh: **brew install --cask powershell**)\nthat creates a blank mapping file and .tf resource file, but you've seen the example JSON file - make one without any entries.\nYou also need to create a minimal resource/datasource that you are trying to figure out the permissions for, and place\nit in the correct directory (e.g., ../terraform/aws). There's a script for making a profile in the role directory.\nYou can then run OpenTofu/Terraform using the empty role against the resource/datasource with no permissions.\nThe debug output from the run will help you figure out the permissions you need to add to your basic role.\nYou then update your \"basic\" role.\n\nIssues?\nThe providers, don't always tell you what you need to add,\nyou will need to check the IAM docs and the online IAM policymakers.\nNot all resources are as easy as others, anything that make/scripts CF internally.\nSome roles require *Passrole* and *CreateLinkedRole* but won't say so. Trail and error\n\n#### What about \"attributes\"?\n\nSome cloud providers require extra permissions depending on the attributes you add; this is how this is handled.\nBuild out your .tf resources to cover all reasonable scenarios.\n\n#### Eventual consistency\n\nSome cloud providers follow this model which means your test IAM role will take time after you change it to be\nchanged, how long? This seems to vary on time of day and the resource. Whilst other providers like\nAzure just take a long time for the TF to change.\n\n### Add Import mapping file\n\nUpdate **files.go** with:\n\n```txt\n//go:embed aws_security_group.json\nvar securityGroup []byte\n```\n\n### Add to provider Scan\n\nOnce you have added the JSON import, as above, you then need to update the lookup table,\nso we can read it and get the permissions:\n\n```txt\nfunc GetAWSResourcePermissions(result template) []interface{} {\n TFLookup := map[string]interface{}{\n \"aws_s3_bucket\": awsS3Bucket,\n \"aws_s3_bucket_acl\": awsS3BucketACL,\n+ \"aws_security_group\": awsSecurityGroup,\n\n```\n\nAlso add an example .tf file into the folder **terraform/\u003ccloud\u003e/backups**. This helps test that all your\nnew code is picked up by pike.\n\n## Related Tools\n\n\u003chttps://github.com/iann0036/iamlive\u003e\n\n## Star History\n\n[![Star History Chart](https://api.star-history.com/svg?repos=jameswoolfenden/pike\u0026type=Date)](https://star-history.com/#jameswoolfenden/pike\u0026Date)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjameswoolfenden%2Fpike","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjameswoolfenden%2Fpike","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjameswoolfenden%2Fpike/lists"}