pull

README.md

@@ -41,6 +41,7 @@ Ideally I would like to do this for you, but these policies are determined stati
     - [Apply](#apply)
     - [Remote](#remote)
     - [Readme](#readme)
+    - [Pull](#pull)
   - [Compare](#compare)
   - [Help](#help)
   - [Building](#building)
@@ -453,6 +454,168 @@ IAM Policy arn:aws:iam::680235478471:policy/basic versus Local ../modules/aws/te
    ],
    "Version": "2012-10-17"
  }
+```
+
+## Pull
+
+Pull adds the ability to work with Git repositories (thanks to **go-git**),
+to output the required permissions in json or Terraform:
+
+```bash
+./pike  pull
+NAME:
+   pike pull - Clones remote repo and scans it using pike
+
+USAGE:
+   pike pull [command options] [arguments...]
+
+OPTIONS:
+   --directory value, -d value        Directory to scan (defaults to .) (default: ".")
+   --destination value, --dest value  Where to clone repository (default: ".destination")
+   --output json, -o json             Policy Output types e.g. json terraform (default: "terraform") [%OUTPUT%]
+   --repository value, -r value       Repository url
+   --init, -i                         Run Terraform init to download modules (default: false)
+   --write, -w                        Write the policy output to a file at .pike (default: false)
+   --help, -h                         show help
+
+```
+
+Like so:
+
+```hcl
+$ ./pike.exe pull -r https://github.com/JamesWoolfenden/terraform-aws-codebuild -i -d .
+10:31PM INF .destination was not empty, removing
+10:31PM INF git clone https://github.com/JamesWoolfenden/terraform-aws-codebuild .destination --recursive
+10:31PM DBG terraform init at E:\Code\pike\.destination
+10:31PM DBG modules not found at .destination
+resource "aws_iam_policy" "terraform_pike" {
+  name_prefix = "terraform_pike"
+  path        = "/"
+  description = "Pike Autogenerated policy from IAC"
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "codebuild:BatchGetProjects",
+                "codebuild:CreateProject",
+                "codebuild:DeleteProject",
+                "codebuild:UpdateProject"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": [
+                "events:DeleteRule",
+                "events:DescribeRule",
+                "events:ListTagsForResource",
+                "events:ListTargetsByRule",
+                "events:PutRule",
+                "events:PutTargets",
+                "events:RemoveTargets"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": [
+                "iam:AttachRolePolicy",
+                "iam:CreatePolicy",
+                "iam:CreateRole",
+                "iam:DeletePolicy",
+                "iam:DeleteRole",
+                "iam:DeleteRolePolicy",
+                "iam:DetachRolePolicy",
+                "iam:GetPolicy",
+                "iam:GetPolicyVersion",
+                "iam:GetRole",
+                "iam:GetRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListInstanceProfilesForRole",
+                "iam:ListPolicyVersions",
+                "iam:ListRolePolicies",
+                "iam:PassRole",
+                "iam:PutRolePolicy",
+                "iam:TagRole"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor3",
+            "Effect": "Allow",
+            "Action": [
+                "kms:Decrypt"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor4",
+            "Effect": "Allow",
+            "Action": [
+                "s3:CreateBucket",
+                "s3:DeleteBucket",
+                "s3:GetAccelerateConfiguration",
+                "s3:GetBucketAcl",
+                "s3:GetBucketCORS",
+                "s3:GetBucketLogging",
+                "s3:GetBucketObjectLockConfiguration",
+                "s3:GetBucketPolicy",
+                "s3:GetBucketPublicAccessBlock",
+                "s3:GetBucketRequestPayment",
+                "s3:GetBucketTagging",
+                "s3:GetBucketVersioning",
+                "s3:GetBucketWebsite",
+                "s3:GetEncryptionConfiguration",
+                "s3:GetLifecycleConfiguration",
+                "s3:GetObject",
+                "s3:GetObjectAcl",
+                "s3:GetReplicationConfiguration",
+                "s3:ListAllMyBuckets",
+                "s3:ListBucket",
+                "s3:PutBucketAcl",
+                "s3:PutBucketLogging",
+                "s3:PutBucketPublicAccessBlock",
+                "s3:PutBucketVersioning",
+                "s3:PutEncryptionConfiguration",
+                "s3:PutLifecycleConfiguration"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor5",
+            "Effect": "Allow",
+            "Action": [
+                "ssm:AddTagsToResource",
+                "ssm:DeleteParameter",
+                "ssm:DescribeParameters",
+                "ssm:GetParameter",
+                "ssm:GetParameters",
+                "ssm:ListTagsForResource",
+                "ssm:PutParameter"
+            ],
+            "Resource": [
+                "*"
+            ]
+        }
+    ]
+})
+}
 
 ```
 
@@ -467,23 +630,26 @@ USAGE:
    pike [global options] command [command options] [arguments...]
 
 VERSION:
-   v0.2.1
+   v0.2.107
 
 AUTHOR:
-   James Woolfenden <support@bridgecrew.io>
+   James Woolfenden <james.woolfenden@gmail.com>
 
 COMMANDS:
    apply, a    Create a policy and use it to instantiate the IAC
    compare, c  policy comparison of deployed versus IAC
    invoke, i   Triggers a gitHub action specified with the workflow flag
    make, m     make the policy/role required for this IAC to deploy
+   parse, p    Triggers a gitHub action specified with the workflow flag
+   pull, p     Clones remote repo and scans it using pike
    readme, r   Looks in dir for a README.md and updates it with the Policy required to build the code
    remote, m   Create/Update the Policy and set credentials/secret for Github Action
    scan, s     scan a directory for IAM code
    version, v  Outputs the application version
    watch, w    Waits for policy update
    help, h     Shows a list of commands or help for one command
 
+
 GLOBAL OPTIONS:
    --help, -h     show help (default: false)
    --version, -v  print the version (default: false)

src/aws.go

@@ -553,7 +553,6 @@ func Contains(s []string, e string) bool {
 func GetPermissionMap(raw []byte, attributes []string) ([]string, error) {
 	var mappings []interface{}
 	err := json.Unmarshal(raw, &mappings)
-
 	if err != nil {
 		return nil, fmt.Errorf("failed to unmarshal json %w", err)
 	}

src/aws_datasource.go

@@ -20,7 +20,7 @@ func GetAWSDataPermissions(result ResourceV2) ([]string, error) {
 	return Permissions, err
 }
 
-//nolint:funlen
+// nolint:funlen
 func AwsDataLoookup(find string) interface{} {
 	TFLookup := map[string]interface{}{
 		"aws_acm_certificate":                                       dataAwsAcmCertificate,

src/aws_test.go

@@ -261,8 +261,10 @@ func TestGetPermissionMap(t *testing.T) {
 			name: "bogus",
 			args: args{
 				raw:        []byte("bogus"),
-				attributes: []string{}},
-			wantErr: true},
+				attributes: []string{},
+			},
+			wantErr: true,
+		},
 	}
 
 	for _, tt := range tests {

src/azure_datasource_test.go

@@ -14,7 +14,7 @@ func TestGetAZUREDataPermissions(t *testing.T) {
 		result pike.ResourceV2
 	}
 
-	var tests = []struct {
+	tests := []struct {
 		name    string
 		args    args
 		want    []string

src/compare.go

@@ -52,7 +52,6 @@ func Compare(directory string, arn string, init bool) (bool, error) {
 func CompareIAMPolicy(policy string, oldPolicy string) (bool, error) {
 	differ := diff.New()
 	compare, err := differ.Compare([]byte(policy), []byte(oldPolicy))
-
 	if err != nil {
 		return false, err
 	}
@@ -72,7 +71,6 @@ func CompareIAMPolicy(policy string, oldPolicy string) (bool, error) {
 
 		myFormatter := formatter.NewAsciiFormatter(aJSON, myConfig)
 		diffString, err := myFormatter.Format(compare)
-
 		if err != nil {
 			return false, err
 		}

src/coverage/aws.md

@@ -1,6 +1,6 @@
 # todo aws
 
-Resource percentage coverage   36.68
+Resource percentage coverage   36.65
 Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_accessanalyzer_analyzer
@@ -346,6 +346,7 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_internetmonitor_monitor
 ./resource.ps1 aws_iot_authorizer
 ./resource.ps1 aws_iot_certificate
+./resource.ps1 aws_iot_domain_configuration
 ./resource.ps1 aws_iot_indexing_configuration
 ./resource.ps1 aws_iot_logging_options
 ./resource.ps1 aws_iot_policy

src/coverage/azure.md

@@ -713,6 +713,7 @@ Datasource percentage coverage 12.83
 ./resource.ps1 azurerm_resource_group_policy_remediation
 ./resource.ps1 azurerm_resource_group_template_deployment
 ./resource.ps1 azurerm_resource_management_private_link
+./resource.ps1 azurerm_resource_management_private_link_association
 ./resource.ps1 azurerm_resource_policy_assignment
 ./resource.ps1 azurerm_resource_policy_exemption
 ./resource.ps1 azurerm_resource_policy_remediation

src/coverage/coverage.go

@@ -16,7 +16,6 @@ type members struct {
 }
 
 func coverageAWS() error {
-
 	data := importMembers("../parse/aws-members.json")
 	missing := members{}
 	target := ""
@@ -45,8 +44,7 @@ func coverageAWS() error {
 	Prepend += fmt.Sprintf("Datasource percentage coverage %3.2f \n\n", percent(missing.DataSources, data.DataSources))
 
 	target = Prepend + target
-	err := os.WriteFile("aws.md", []byte(target), 0700)
-
+	err := os.WriteFile("aws.md", []byte(target), 0o700)
 	if err != nil {
 		return err
 	}
@@ -55,7 +53,6 @@ func coverageAWS() error {
 }
 
 func coverageAzure() error {
-
 	data := importMembers("../parse/azurerm-members.json")
 	missing := members{}
 	target := ""
@@ -80,7 +77,7 @@ func coverageAzure() error {
 	Prepend += fmt.Sprintf("Datasource percentage coverage %3.2f \n\n", percent(missing.DataSources, data.DataSources))
 
 	target = Prepend + target
-	err := os.WriteFile("azure.md", []byte(target), 0700)
+	err := os.WriteFile("azure.md", []byte(target), 0o700)
 	if err != nil {
 		return err
 	}
@@ -89,7 +86,6 @@ func coverageAzure() error {
 }
 
 func coverageGcp() error {
-
 	data := importMembers("../parse/google-members.json")
 	missing := members{}
 	target := ""
@@ -114,7 +110,7 @@ func coverageGcp() error {
 	Prepend += fmt.Sprintf("Datasource percentage coverage %3.2f \n\n", percent(missing.DataSources, data.DataSources))
 
 	target = Prepend + target
-	err := os.WriteFile("google.md", []byte(target), 0700)
+	err := os.WriteFile("google.md", []byte(target), 0o700)
 	if err != nil {
 		return err
 	}

src/coverage/google.md

@@ -1,7 +1,7 @@
 # todo google
 
-Resource percentage coverage   8.85
-Datasource percentage coverage 29.67
+Resource percentage coverage   8.84
+Datasource percentage coverage 29.55
 
 ./resource.ps1 google_access_context_manager_access_level
 ./resource.ps1 google_access_context_manager_access_level_condition
@@ -58,6 +58,7 @@ Datasource percentage coverage 29.67
 ./resource.ps1 google_app_engine_flexible_app_version
 ./resource.ps1 google_app_engine_service_network_settings
 ./resource.ps1 google_app_engine_service_split_traffic
+./resource.ps1 google_app_engine_standard_app_version
 ./resource.ps1 google_artifact_registry_vpcsc_config
 ./resource.ps1 google_assured_workloads_workload
 ./resource.ps1 google_backup_dr_management_server
@@ -569,6 +570,7 @@ Datasource percentage coverage 29.67
 ./resource.ps1 google_monitoring_slo
 ./resource.ps1 google_monitoring_uptime_check_config
 ./resource.ps1 google_network_connectivity_hub
+./resource.ps1 google_network_connectivity_policy_based_route
 ./resource.ps1 google_network_connectivity_service_connection_policy
 ./resource.ps1 google_network_connectivity_spoke
 ./resource.ps1 google_network_security_address_group
@@ -639,6 +641,7 @@ Datasource percentage coverage 29.67
 ./resource.ps1 google_pubsub_subscription_iam_policy
 ./resource.ps1 google_recaptcha_enterprise_key
 ./resource.ps1 google_redis_cluster
+./resource.ps1 google_redis_instance
 ./resource.ps1 google_resource_manager_lien
 ./resource.ps1 google_runtimeconfig_config
 ./resource.ps1 google_runtimeconfig_config_iam_binding
@@ -743,6 +746,7 @@ Datasource percentage coverage 29.67
 ./resource.ps1 google_beyondcorp_app_connection -type data
 ./resource.ps1 google_beyondcorp_app_connector -type data
 ./resource.ps1 google_beyondcorp_app_gateway -type data
+./resource.ps1 google_bigquery_dataset -type data
 ./resource.ps1 google_billing_account -type data
 ./resource.ps1 google_billing_account_iam_policy -type data
 ./resource.ps1 google_binary_authorization_attestor_iam_policy -type data
@@ -874,6 +878,7 @@ Datasource percentage coverage 29.67
 ./resource.ps1 google_project_iam_policy -type data
 ./resource.ps1 google_project_organization_policy -type data
 ./resource.ps1 google_pubsub_schema_iam_policy -type data
+./resource.ps1 google_redis_instance -type data
 ./resource.ps1 google_runtimeconfig_config -type data
 ./resource.ps1 google_runtimeconfig_config_iam_policy -type data
 ./resource.ps1 google_runtimeconfig_variable -type data

src/credentials.go

@@ -11,7 +11,6 @@ import (
 )
 
 func getAWSCredentials(IAMRole string, region string) (*sts.AssumeRoleOutput, error) {
-
 	const waitForConsistency = 900
 
 	config := aws.NewConfig()