Kinnaird McQuade kmcquade
@kmcquade
kmcquade / bad_bucket_tfstate.json
Last active July 22, 2019 21:27
opa-terraform-troubleshooting
{
  "format_version": "0.1",
  "terraform_version": "0.12.2",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_s3_bucket.bad_bucket",
          "mode": "managed",
          "type": "aws_s3_bucket",
@kmcquade
kmcquade / parse_arn.py
Created August 3, 2019 20:05 — forked from gene1wood/parse_arn.py
Parse an AWS ARN (Amazon Resource Name) into its constituent elements
def parse_arn(arn):
    # http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
    elements = arn.split(':')
    result = {'arn': elements[0],
              'partition': elements[1],
              'service': elements[2],
              'region': elements[3],
              'account': elements[4]
              }
    if len(elements) == 7:
        # arn:partition:service:region:account:resourcetype:resource
        result['resourcetype'], result['resource'] = elements[5:]
    elif '/' not in elements[5]:
        # arn:partition:service:region:account:resource
        result['resource'] = elements[5]
        result['resourcetype'] = None
    else:
        # arn:partition:service:region:account:resourcetype/resource
        # split only on the first '/' so resource names containing '/' stay intact
        result['resourcetype'], result['resource'] = elements[5].split('/', 1)
    return result
@kmcquade
kmcquade / OPA-help-overview.md
Last active September 25, 2019 17:55
OPA help code

Code I'm using in seeking help from the OPA Slack channel.

Here's the idea.

For the resource_key_value_matches function, I want to allow users to specify the path within a resource, with any number of nested levels deep.

For an example call, see the common_test.rego file.

resource_key_value_matches(s3_bucket_plan.resource_changes[0], "server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0].sse_algorithm", "AES256")

@kmcquade
kmcquade / common.rego
Last active September 27, 2019 19:45
Rego negation question
package common
# ---------------------------------------------------------------------------------------------------------------------
# Not Working
# ---------------------------------------------------------------------------------------------------------------------
list_should_not_contain(attributes_list, undesired_item) {
    list_item = attributes_list[_]
    list_item != undesired_item
}
@kmcquade
kmcquade / ec2.py
Created January 8, 2020 22:07
Quick patched Lyft cartography file so we can see Instance profiles
import logging
import time
import botocore.config
from cartography.util import run_cleanup_job
logger = logging.getLogger(__name__)
@kmcquade
kmcquade / a_Policy_sentry_blog_tables.md
Created January 9, 2020 00:02
Stuff for the Policy Sentry blog - thanks, Medium, for not supporting Tables in your blogs

Medium doesn't support tables in their blogs so I have to put them here as CSV files first. SMH

Actions,Resource Types
ec2:AuthorizeSecurityGroupIngress,security-group*
ec2:AuthorizeSecurityGroupEgress,security-group*

Resource Types,ARN
security-group,arn:${Partition}:ec2:${Region}:${Account}:security-group/${SecurityGroupId}

Actions,Access Level,Resource Type
ssm:GetParameter,Read,parameter
ssm:DescribeParameters,List,parameter
ssm:PutParameter,Write,parameter
secretsmanager:PutResourcePolicy,Permissions management,secret
secretsmanager:TagResource,Tagging,secret