https://github.com/salesforce/terraform-provider-policyguru

Terraform provider for Policy Sentry (IAM least privilege generator and auditor)

# terraform-provider-policyguru

[![continuous-integration](https://github.com/salesforce/terraform-provider-policyguru/workflows/continuous-integration/badge.svg)](https://github.com/salesforce/terraform-provider-policyguru/actions?query=workflow%3Acontinuous-integration)
[![Go Report Card](https://goreportcard.com/badge/github.com/salesforce/terraform-provider-policyguru)](https://goreportcard.com/report/github.com/salesforce/terraform-provider-policyguru)

This is the Terraform Provider for [Policy Sentry](https://github.com/salesforce/policy_sentry/) - the IAM Least Privilege Policy Generator.

We have Policy Sentry hosted as a REST API and this Terraform provider points to the REST API.

**Using this Terraform provider, you can write Least Privilege IAM Policies without ever leaving your code editor!**

## Requirements

* This requires Terraform `>= v0.13.0`

## Example

Consider the following example Terraform code:

```hcl
terraform {
  required_providers {
    policyguru = {
      source  = "salesforce/policyguru"
      version = "2.0.4"
    }
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

# This creates the policy document.
# List literals ([...]) are used instead of list(), which Terraform 0.15 and later no longer accept.
data "policyguru_document" "example" {
  actions_for_resources_at_access_level {
    write = ["arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"]
    read  = ["arn:aws:s3:::mybucket/*"]
  }

  actions_for_service_without_resource_constraint_support {
    include_single_actions = ["ssm:GetParameter"]
  }
  exclude_actions = ["kms:Decrypt*", "kms:Delete*", "kms:Disable", "kms:Schedule*"]
}

# This creates an IAM Policy leveraging policyguru
resource "aws_iam_policy" "policy" {
  name        = "policyguru-example"
  path        = "/"
  description = "this uses the policyguru document data source"
  policy      = data.policyguru_document.example.json
}

# This shows you the output value
output "policy_document_json" {
  value = data.policyguru_document.example.json
}
```

That will create an IAM Policy titled `policyguru-example` which will contain the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3ReadObject",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectLegalHold",
        "s3:GetObjectRetention",
        "s3:GetObjectTagging",
        "s3:GetObjectTorrent",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetObjectVersionForReplication",
        "s3:GetObjectVersionTagging",
        "s3:GetObjectVersionTorrent"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket/*"
      ]
    },
    {
      "Sid": "KmsWriteKey",
      "Effect": "Allow",
      "Action": [
        "kms:CancelKeyDeletion",
        "kms:CreateAlias",
        "kms:DisableKey",
        "kms:DisableKeyRotation",
        "kms:EnableKey",
        "kms:EnableKeyRotation",
        "kms:Encrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyPair",
        "kms:GenerateDataKeyPairWithoutPlaintext",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:ImportKeyMaterial",
        "kms:ReEncryptFrom",
        "kms:ReEncryptTo",
        "kms:Sign",
        "kms:UpdateAlias",
        "kms:UpdateKeyDescription",
        "kms:Verify"
      ],
      "Resource": [
        "arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"
      ]
    },
    {
      "Sid": "SkipResourceConstraints",
      "Effect": "Allow",
      "Action": [
        "ssm:GetParameter"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
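
A check that could run in CI against the `policy_document_json` output, added here as an example (it is not part of the provider or of Policy Sentry; `audit`, `as_list` and the finding labels are hypothetical names). It reports statements whose `Resource` is `*`, granted actions that match an exclusion pattern, and exclusion patterns without a wildcard that only prefix a granted action, which is worth checking because the example's `kms:Disable` pattern carries no wildcard and the generated policy above still grants `kms:DisableKey` and `kms:DisableKeyRotation`.

```python
import json
from fnmatch import fnmatchcase

# Patterns copied from the exclude_actions argument in the Terraform example.
EXCLUDE = ["kms:Decrypt*", "kms:Delete*", "kms:Disable", "kms:Schedule*"]

# Constructed sample: a trimmed copy of the generated policy shown above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KmsWriteKey", "Effect": "Allow",
         "Action": ["kms:DisableKey", "kms:DisableKeyRotation", "kms:Encrypt"],
         "Resource": ["arn:aws:kms:us-east-1:123456789012:key/aaaa-bbbb-cccc"]},
        {"Sid": "SkipResourceConstraints", "Effect": "Allow",
         "Action": ["ssm:GetParameter"], "Resource": ["*"]},
    ],
})


def as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    return list(value) if isinstance(value, list) else [value]


def audit(policy_json, exclude_patterns):
    """Return sorted (kind, sid, detail) findings for the Allow statements."""
    findings = set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" in as_list(stmt.get("Resource", [])):
            findings.add(("wildcard-resource", sid, "*"))
        for action in as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            for pattern in exclude_patterns:
                pat = pattern.lower()
                if fnmatchcase(name, pat):
                    findings.add(("excluded-action-present", sid, action))
                elif not set("*?") & set(pat) and name.startswith(pat):
                    # Literal pattern that only prefixes a granted action.
                    findings.add(("pattern-without-wildcard", sid,
                                  f"{pattern} vs {action}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, EXCLUDE):
        print(finding)
```

The `wildcard-resource` finding for `SkipResourceConstraints` is expected for actions that do not support resource constraints; the value of the check is in catching any other statement that ends up with `*`.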

## Contributing

Command | Description
--------------------| --------------------
`make build` | Build
`make install` | Build and install
`make fmt` | Format code
`make lint` | Run golint
`make terraform-demo` | Install and run terraform apply for file under examples folder
`make clean` | Clean terraform state files created under examples folder

For documentation on using the provider, see https://registry.terraform.io/providers/salesforce/policyguru/latest/docs