diff --git a/src/aws.go b/src/aws.go
index 4250604f..8ab32c76 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -587,6 +587,16 @@ func AwsLookup(name string) interface{} {
 "aws_waf_sql_injection_match_set": awsWafSqlInjectionMatchSet,
 "aws_waf_web_acl": awsWafWebAcl,
 "aws_waf_xss_match_set": awsWafXssNatchSet,
+ "aws_vpc_ipam": awsVpcIpam,
+ "aws_vpc_ipam_pool": awsVpcIpamPool,
+ "aws_vpc_ipam_pool_cidr": awsVpcIpamPoolCidr,
+ "aws_vpc_ipam_pool_cidr_allocation": awsVpcIpamPoolCidrAllocation,
+ "aws_vpc_ipam_preview_next_cidr": awsVpcIpamPreviewNextCidr,
+ "aws_vpc_ipam_resource_discovery": awsVpcIpamResourceDiscovery,
+ "aws_vpc_ipam_resource_discovery_association": awsVpcIpamResourceDiscoveryAssociation,
+ "aws_vpc_ipam_scope": awsVpcIpamScope,
+ "aws_vpc_security_group_egress_rule": awsVpcSecurityGroupEgressRule,
+ "aws_vpc_security_group_ingress_rule": awsVpcSecurityGroupIngressRule,
 }

 return TFLookup[name]
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index 17491041..89bdd072 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
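Review bot: The ten new `aws_vpc_*` keys are appended after the `aws_waf_*` entries, while the visible context of the lookup map appears to be kept in alphabetical order (`aws_waf_sql_injection_match_set`, `aws_waf_web_acl`, `aws_waf_xss_match_set`); `aws_vpc_` sorts before `aws_waf_`. Keeping the table sorted is what makes a missing or doubled resource name easy to spot in review, which matters for a file that decides which IAM actions get granted. Suggest moving the block so it sits with the other `aws_vpc_*` keys rather than at the tail. The body of AwsLookup and the map literal start before this hunk.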
@@ -743,19 +743,9 @@ Datasource percentage coverage 99.60
 ./resource.ps1 aws_vpc_endpoint_policy
 ./resource.ps1 aws_vpc_endpoint_security_group_association
 ./resource.ps1 aws_vpc_endpoint_service_allowed_principal
-./resource.ps1 aws_vpc_ipam
 ./resource.ps1 aws_vpc_ipam_organization_admin_account
-./resource.ps1 aws_vpc_ipam_pool
-./resource.ps1 aws_vpc_ipam_pool_cidr
-./resource.ps1 aws_vpc_ipam_pool_cidr_allocation
-./resource.ps1 aws_vpc_ipam_preview_next_cidr
-./resource.ps1 aws_vpc_ipam_resource_discovery
-./resource.ps1 aws_vpc_ipam_resource_discovery_association
-./resource.ps1 aws_vpc_ipam_scope
 ./resource.ps1 aws_vpc_ipv6_cidr_block_association
 ./resource.ps1 aws_vpc_network_performance_metric_subscription
-./resource.ps1 aws_vpc_security_group_egress_rule
-./resource.ps1 aws_vpc_security_group_ingress_rule
 ./resource.ps1 aws_vpclattice_access_log_subscription
 ./resource.ps1 aws_vpclattice_auth_policy
 ./resource.ps1 aws_vpclattice_listener
diff --git a/src/files.go b/src/files.go
index 969f4645..0b1b5fff 100644
--- a/src/files.go
+++ b/src/files.go
@@ -1413,3 +1413,33 @@ var awsWafWebAcl []byte

 //go:embed mapping/aws/resource/waf/aws_waf_xss_match_set.json
 var awsWafXssNatchSet []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam.json
+var awsVpcIpam []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_pool.json
+var awsVpcIpamPool []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr.json
+var awsVpcIpamPoolCidr []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr_allocation.json
+var awsVpcIpamPoolCidrAllocation []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_preview_next_cidr.json
+var awsVpcIpamPreviewNextCidr []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery.json
+var awsVpcIpamResourceDiscovery []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery_association.json
+var awsVpcIpamResourceDiscoveryAssociation []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_ipam_scope.json
+var awsVpcIpamScope []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_security_group_egress_rule.json
+var awsVpcSecurityGroupEgressRule []byte
+
+//go:embed mapping/aws/resource/ec2/aws_vpc_security_group_ingress_rule.json
+var awsVpcSecurityGroupIngressRule []byte
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam.json
new file mode 100644
index 00000000..9a8fa85d
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam.json
@@ -0,0 +1,25 @@
+[
+ {
+ "apply": [
+ "ec2:CreateIpam",
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeIpams",
+ "ec2:DeleteIpam",
+ "ec2:ModifyIpam",
+ "ec2:DescribeTags"
+ ],
+ "attributes": {
+ "tags": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ },
+ "destroy": [
+ "ec2:DeleteIpam"
+ ],
+ "modify": [
+ "ec2:ModifyIpam"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool.json
new file mode 100644
index 00000000..d92a1452
--- /dev/null
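Review bot: `iam:CreateServiceLinkedRole` in the `apply` list of aws_vpc_ipam.json will be emitted as a bare action, and because this mapping format carries only action names the generated statement cannot be restricted to the IPAM service-linked role; paired with the `"Resource": "*"` the test policy in this change uses, that lets the principal create a service-linked role for any AWS service, which is a well-known escalation primitive. The mapping itself cannot express a condition, so at minimum this deserves a call-out wherever the tool documents its output: the consumer should tighten the statement to Resource `arn:aws:iam::*:role/aws-service-role/ipam.amazonaws.com/*` with condition `iam:AWSServiceName = ipam.amazonaws.com`. If the tool supports per-action resource or condition hints elsewhere (I cannot tell from this hunk), this is the action to use them on.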
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool.json
@@ -0,0 +1,23 @@
+[
+ {
+ "apply": [
+ "ec2:CreateIpamPool",
+ "ec2:DescribeIpamPools",
+ "ec2:DeleteIpamPool",
+ "ec2:ModifyIpamPool"
+ ],
+ "attributes": {
+ "tags": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ },
+ "destroy": [
+ "ec2:DeleteIpamPool"
+ ],
+ "modify": [
+ "ec2:ModifyIpamPool"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr.json
new file mode 100644
index 00000000..ebed2ce1
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "ec2:ProvisionIpamPoolCidr",
+ "ec2:GetIpamPoolCidrs"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr_allocation.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr_allocation.json
new file mode 100644
index 00000000..fe1116b7
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_pool_cidr_allocation.json
@@ -0,0 +1,19 @@
+[
+ {
+ "apply": [
+ "ec2:AllocateIpamPoolCidr",
+ "ec2:GetIpamPoolAllocations",
+ "ec2:ReleaseIpamPoolAllocation",
+ "ec2:DeprovisionIpamPoolCidr"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "ec2:DeprovisionIpamPoolCidr",
+ "ec2:ReleaseIpamPoolAllocation"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_preview_next_cidr.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_preview_next_cidr.json
new file mode 100644
index 00000000..68ccf02c
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_preview_next_cidr.json
@@ -0,0 +1,13 @@
+[
+ {
+ "apply": [
+ "ec2:AllocateIpamPoolCidr"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
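Review bot: `destroy` is empty for aws_vpc_ipam_pool_cidr, so a policy generated for a configuration that provisions a pool CIDR but has no aws_vpc_ipam_pool_cidr_allocation will lack the permission needed to tear it down; removing a provisioned CIDR is, as far as I can tell, an `ec2:DeprovisionIpamPoolCidr` call. Suggest `"destroy": ["ec2:DeprovisionIpamPoolCidr"]` and the same action in `apply`, matching the convention the other mappings in this change follow (aws_vpc_ipam, aws_vpc_ipam_pool and aws_vpc_ipam_scope all repeat their delete action under `apply`). Worth confirming against an actual destroy of the fixture, since the JSON carries no comment to record the reasoning.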
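Review bot: `ec2:DeprovisionIpamPoolCidr` under `destroy` and `apply` of aws_vpc_ipam_pool_cidr_allocation acts on a pool's provisioned CIDRs, not on an allocation; releasing an allocation is `ec2:ReleaseIpamPoolAllocation`, which is already listed. As written, any configuration that merely allocates from a pool is granted the ability to deprovision the pool's address space, which is broader than least privilege requires and is the kind of over-grant this tool exists to avoid. Suggest dropping `"ec2:DeprovisionIpamPoolCidr"` from both arrays here; if the action is genuinely needed, it belongs on the aws_vpc_ipam_pool_cidr mapping, whose `destroy` is currently empty.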
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery.json
new file mode 100644
index 00000000..69d2c18b
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery.json
@@ -0,0 +1,22 @@
+[
+ {
+ "apply": [
+ "ec2:CreateIpamResourceDiscovery",
+ "ec2:DescribeIpamResourceDiscoveries",
+ "ec2:DescribeTags"
+ ],
+ "attributes": {
+ "tags": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ },
+ "destroy": [
+ "ec2:DeleteIpamResourceDiscovery"
+ ],
+ "modify": [
+ "ec2:ModifyIpamResourceDiscovery"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery_association.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery_association.json
new file mode 100644
index 00000000..524502f9
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_resource_discovery_association.json
@@ -0,0 +1,20 @@
+[
+ {
+ "apply": [
+ "ec2:AssociateIpamResourceDiscovery",
+ "ec2:DescribeIpamResourceDiscoveryAssociations",
+ "ec2:DisassociateIpamResourceDiscovery"
+ ],
+ "attributes": {
+ "tags": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ },
+ "destroy": [
+ "ec2:DisassociateIpamResourceDiscovery"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_ipam_scope.json b/src/mapping/aws/resource/ec2/aws_vpc_ipam_scope.json
new file mode 100644
index 00000000..d969fec7
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_ipam_scope.json
@@ -0,0 +1,20 @@
+[
+ {
+ "apply": [
+ "ec2:CreateIpamScope",
+ "ec2:DescribeIpamScopes",
+ "ec2:DeleteIpamScope"
+ ],
+ "attributes": {
+ "tags": [
+ "ec2:CreateTags",
+ "ec2:DeleteTags"
+ ]
+ },
+ "destroy": [
+ "ec2:DeleteIpamScope"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
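Review bot: The `apply` list of aws_vpc_ipam_resource_discovery.json omits `ec2:DeleteIpamResourceDiscovery` and `ec2:ModifyIpamResourceDiscovery` even though they appear under `destroy` and `modify`, whereas every sibling mapping in this change (aws_vpc_ipam, aws_vpc_ipam_pool, aws_vpc_ipam_scope, the association) repeats its delete and modify actions in `apply`. If `apply` is the set emitted for a full apply cycle (I cannot confirm the tool's semantics from the hunk), a forced replacement or a description change of the discovery would fail with AccessDenied under the generated policy. Suggest adding `"ec2:DeleteIpamResourceDiscovery", "ec2:ModifyIpamResourceDiscovery"` to `apply`, or documenting the convention in the project docs if the omission is deliberate, since the JSON itself cannot carry a comment.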
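Review bot: `modify` is empty for aws_vpc_ipam_scope.json although the resource has a mutable `description` (the fixture added in this change sets one), and an in-place description change presumably goes through `ec2:ModifyIpamScope`; a policy generated from this mapping would then break on the first description edit. Suggest `"modify": ["ec2:ModifyIpamScope"]` with the same action in `apply`, after confirming the provider's update path with a real apply of the fixture.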
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_security_group_egress_rule.json b/src/mapping/aws/resource/ec2/aws_vpc_security_group_egress_rule.json
new file mode 100644
index 00000000..8436d0be
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_security_group_egress_rule.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:RevokeSecurityGroupEgress"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": [
+ "ec2:RevokeSecurityGroupEgress"
+ ]
+ }
+]
diff --git a/src/mapping/aws/resource/ec2/aws_vpc_security_group_ingress_rule.json b/src/mapping/aws/resource/ec2/aws_vpc_security_group_ingress_rule.json
new file mode 100644
index 00000000..73592c46
--- /dev/null
+++ b/src/mapping/aws/resource/ec2/aws_vpc_security_group_ingress_rule.json
@@ -0,0 +1,17 @@
+[
+ {
+ "apply": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/terraform/aws/backup/aws_vpc_ipam.tf b/terraform/aws/backup/aws_vpc_ipam.tf
new file mode 100644
index 00000000..e8496430
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam.tf
@@ -0,0 +1,10 @@
+resource "aws_vpc_ipam" "example" {
+ description = "this"
+ operating_regions {
+ region_name = data.aws_region.current.name
+ }
+ tags = {
+ pike = "permissions"
+ another = "tag"
+ }
+}
diff --git a/terraform/aws/backup/aws_vpc_ipam_pool.tf b/terraform/aws/backup/aws_vpc_ipam_pool.tf
new file mode 100644
index 00000000..59c63405
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_pool.tf
@@ -0,0 +1,9 @@
+resource "aws_vpc_ipam_pool" "example" {
+ description = "this"
+ address_family = "ipv4"
+ ipam_scope_id = aws_vpc_ipam.example.private_default_scope_id
+ locale = data.aws_region.current.name
+ tags = {
+ pike = "permissions"
+ }
+}
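Review bot: `ec2:RevokeSecurityGroupEgress` sits under `plan` while `destroy` is empty in aws_vpc_security_group_egress_rule.json, which looks inverted: plan is a read-only phase that should never require a mutating action, and the sibling ingress mapping in this change places `ec2:RevokeSecurityGroupIngress` under `destroy` with an empty `plan`. As written, a plan-only policy is handed the ability to strip egress rules from a security group, while a destroy policy lacks the one action it needs. Suggest `"destroy": ["ec2:RevokeSecurityGroupEgress"]` and `"plan": []`. Separately, `"tags": []` maps the rule's tags to no permission even though the fixture in this change tags the egress rule, so `ec2:CreateTags`/`ec2:DeleteTags` are presumably missing here too.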
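Review bot: `"tags": []` in aws_vpc_security_group_ingress_rule.json maps the tags attribute to no permission, yet the fixture added in this change tags the rule; unlike the legacy aws_security_group_rule this resource carries its own tags, so creating it tagged presumably needs `ec2:CreateTags` and removing a tag `ec2:DeleteTags`, exactly as the IPAM mappings here already declare. In-place edits to the description or port range on this resource are also likely to go through `ec2:ModifySecurityGroupRules`, which is absent from `modify`. Suggest `"tags": ["ec2:CreateTags", "ec2:DeleteTags"]` and `"modify": ["ec2:ModifySecurityGroupRules"]`, verified by applying the fixture with a tag and then changing its description.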
diff --git a/terraform/aws/backup/aws_vpc_ipam_pool_cidr.tf b/terraform/aws/backup/aws_vpc_ipam_pool_cidr.tf
new file mode 100644
index 00000000..f4db2a75
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_pool_cidr.tf
@@ -0,0 +1,4 @@
+resource "aws_vpc_ipam_pool_cidr" "example" {
+ ipam_pool_id = aws_vpc_ipam_pool.example.id
+ cidr = "172.20.0.0/16"
+}
diff --git a/terraform/aws/backup/aws_vpc_ipam_pool_cidr_allocation.tf b/terraform/aws/backup/aws_vpc_ipam_pool_cidr_allocation.tf
new file mode 100644
index 00000000..2786f14d
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_pool_cidr_allocation.tf
@@ -0,0 +1,10 @@
+data "aws_region" "current" {}
+#
+resource "aws_vpc_ipam_pool_cidr_allocation" "example" {
+ ipam_pool_id = aws_vpc_ipam_pool.example.id
+ cidr = "172.20.0.0/24"
+ depends_on = [
+ aws_vpc_ipam_pool_cidr.example
+ ]
+ description = "pike"
+}
diff --git a/terraform/aws/backup/aws_vpc_ipam_preview_next_cidr.tf b/terraform/aws/backup/aws_vpc_ipam_preview_next_cidr.tf
new file mode 100644
index 00000000..6a8c4cdb
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_preview_next_cidr.tf
@@ -0,0 +1,13 @@
+resource "aws_vpc_ipam_preview_next_cidr" "example" {
+ ipam_pool_id = aws_vpc_ipam_pool.example.id
+ netmask_length = 28
+
+ disallowed_cidrs = [
+ "172.2.0.0/32",
+ ]
+
+ depends_on = [
+ aws_vpc_ipam_pool_cidr.example
+ ]
+
+}
diff --git a/terraform/aws/backup/aws_vpc_ipam_resource_discovery.tf b/terraform/aws/backup/aws_vpc_ipam_resource_discovery.tf
new file mode 100644
index 00000000..89096528
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_resource_discovery.tf
@@ -0,0 +1,10 @@
+resource "aws_vpc_ipam_resource_discovery" "pike" {
+ description = "My IPAM Resource Discovery"
+ operating_regions {
+ region_name = data.aws_region.current.name
+ }
+
+ tags = {
+ another = "tag"
+ }
+}
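Review bot: `disallowed_cidrs = ["172.2.0.0/32"]` in the aws_vpc_ipam_preview_next_cidr fixture does not fall inside the 172.20.0.0/16 CIDR provisioned on the same pool in this change, so the exclusion can never match and the attribute is not actually exercised; 172.2.0.0 reads like a typo for an address under 172.20.0.0. Suggest `"172.20.0.0/32",` (or any address inside the pool) so the preview has to skip something and the permission set is captured for the meaningful case. This is harmless for the permission discovery itself, but these fixtures are the only evidence behind the mappings.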
diff --git a/terraform/aws/backup/aws_vpc_ipam_resource_discovery_association.tf b/terraform/aws/backup/aws_vpc_ipam_resource_discovery_association.tf
new file mode 100644
index 00000000..3ea83833
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_resource_discovery_association.tf
@@ -0,0 +1,10 @@
+resource "aws_vpc_ipam_resource_discovery_association" "test" {
+ ipam_id = aws_vpc_ipam.example.id
+ ipam_resource_discovery_id = aws_vpc_ipam_resource_discovery.pike.id
+
+ tags = {
+ "Name" = "test"
+ pike = "permissions"
+ another = "tag"
+ }
+}
diff --git a/terraform/aws/backup/aws_vpc_ipam_scope.tf b/terraform/aws/backup/aws_vpc_ipam_scope.tf
new file mode 100644
index 00000000..7a7ddeea
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_ipam_scope.tf
@@ -0,0 +1,8 @@
+resource "aws_vpc_ipam_scope" "example" {
+ ipam_id = aws_vpc_ipam.example.id
+ description = "Another Scope"
+ tags = {
+ pike = "permissions"
+ another = "tag"
+ }
+}
diff --git a/terraform/aws/backup/aws_vpc_security_group_egress_rule.tf b/terraform/aws/backup/aws_vpc_security_group_egress_rule.tf
new file mode 100644
index 00000000..67b6cb3c
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_security_group_egress_rule.tf
@@ -0,0 +1,14 @@
+resource "aws_vpc_security_group_egress_rule" "pike" {
+ security_group_id = aws_security_group.pike.id
+
+ cidr_ipv4 = "10.0.0.0/8"
+ from_port = 80
+ ip_protocol = "tcp"
+ to_port = 80
+ tags = {
+ pike = "permissions"
+ another = "tag"
+ }
+}
+
+resource "aws_security_group" "pike" {}
diff --git a/terraform/aws/backup/aws_vpc_security_group_ingress_rule.tf b/terraform/aws/backup/aws_vpc_security_group_ingress_rule.tf
new file mode 100644
index 00000000..eb6f1bf2
--- /dev/null
+++ b/terraform/aws/backup/aws_vpc_security_group_ingress_rule.tf
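Review bot: `resource "aws_security_group" "pike" {}` in aws_vpc_security_group_egress_rule.tf has no `vpc_id`, so the fixture silently lands in the account's default VPC and will fail to plan in accounts where the default VPC has been removed, which is common in hardened environments. Suggest an explicit `vpc_id` (a `data "aws_vpc"` lookup or a throwaway `aws_vpc` resource) and a `description`, so the permissions the tool discovers are tied to what the fixture deliberately creates rather than to account defaults.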
@@ -0,0 +1,11 @@
+resource "aws_vpc_security_group_ingress_rule" "pike" {
+ security_group_id = aws_security_group.pike.id
+
+ cidr_ipv4 = "10.0.0.0/8"
+ from_port = 80
+ ip_protocol = "tcp"
+ to_port = 80
+ tags = {
+ pike = "permissions"
+ }
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
index 37cc1c45..252808fc 100644
--- a/terraform/aws/role/aws_iam_policy.basic.tf
+++ b/terraform/aws/role/aws_iam_policy.basic.tf
@@ -7,8 +7,42 @@ resource "aws_iam_policy" "basic" {
 "Sid" : "0",
 "Effect" : "Allow",
 "Action" : [
- //aws_waf_rate_based_rule
- "waf:CreateRateBasedRule"
+ //dependson
+ "ec2:CreateSecurityGroup",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DeleteSecurityGroup",
+
+ //aws_vpc_ipam
+ "ec2:CreateIpam",
+ "ec2:ModifyIpam",
+ "iam:CreateServiceLinkedRole",
+ "ec2:DescribeIpams",
+ "ec2:DeleteIpam",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ec2:DescribeTags",
+
+ //aws_vpc_ipam_pool
+ "ec2:CreateIpamPool",
+ "ec2:DescribeIpamPools",
+ "ec2:DeleteIpamPool",
+ "ec2:CreateTags",
+ "ec2:DeleteTags",
+ "ec2:ModifyIpamPool",
+
+ //aws_vpc_ipam_pool_cidr
+ "ec2:ProvisionIpamPoolCidr",
+ "ec2:GetIpamPoolCidrs",
+
+ //aws_vpc_ipam_preview_next_cidr
+ "ec2:AllocateIpamPoolCidr",
+
+ //aws_vpc_ipam_pool_cidr_allocation
+ "ec2:AllocateIpamPoolCidr",
+ "ec2:GetIpamPoolAllocations",
+ "ec2:ReleaseIpamPoolAllocation",
+ "ec2:DeprovisionIpamPoolCidr",
 ],
 "Resource" : "*",
 }
diff --git a/terraform/aws/test.tf b/terraform/aws/test.tf
deleted file mode 100644
index 6eae70fb..00000000
--- a/terraform/aws/test.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-data "aws_emr_supported_instance_types" "example" {
- release_label = "emr-6.15.0"
-}
-
-output "label" {
- value = data.aws_emr_supported_instance_types.example
-}
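Review bot: `ec2:CreateTags`, `ec2:DeleteTags` and `ec2:AllocateIpamPoolCidr` each appear twice in the new Action array of aws_iam_policy.basic, and `ec2:DeprovisionIpamPoolCidr` is filed under `//aws_vpc_ipam_pool_cidr_allocation` although it acts on a pool's provisioned CIDRs rather than on an allocation, which mirrors the grouping in the mapping files and hides the over-grant. IAM tolerates duplicates, but this policy exists to demonstrate the minimal set the tool should produce, so the noise defeats its purpose; suggest de-duplicating and moving `"ec2:DeprovisionIpamPoolCidr",` under `//aws_vpc_ipam_pool_cidr`. The `//dependson` group grants `ec2:CreateSecurityGroup`, which only the security-group-rule fixtures need, yet no `ec2:AuthorizeSecurityGroup*`/`ec2:DescribeSecurityGroupRules` actions follow; if those fixtures are meant to be exercised here the policy is incomplete, and if not the dependson block is dead weight. The enclosing `aws_iam_policy` resource starts before and ends after this hunk.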