Last active
September 17, 2019 12:08
-
-
Save rkhozinov/8599009c614f54fb9b4d7f6a43d1b217 to your computer and use it in GitHub Desktop.
Allows to parse s3 bucket policies from a terraform state and convert them to aws_iam_policy_document data source
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from json import load, loads | |
| from jinja2 import Template | |
| template = """data "aws_iam_policy_document" "{{ bucket }}" { | |
| {%- for st in statement %} | |
| statement { | |
| sid = "{{ st.Sid }}" | |
| effect = "{{ st.Effect }}" | |
| actions = [ | |
| {%- if st.Action is string %} | |
| "{{ st.Action }}", | |
| {%- else %} | |
| {%- for action in st.Action %} | |
| "{{action}}", | |
| {%- endfor %} | |
| {%- endif %} | |
| ] | |
| resources = [ | |
| {%- if st.Resource is string %} | |
| "{{ st.Resource }}", | |
| {%- else %} | |
| {%- for resource in st.Resource %} | |
| "{{ resource }}", | |
| {%- endfor %} | |
| {%- endif %} | |
| ] | |
| principals { | |
| type = "AWS" | |
| identifiers = [ | |
| {%- if st.Principal.AWS is string %} | |
| "{{ st.Principal.AWS }}", | |
| {%- else %} | |
| {%- for principal in st.Principal.AWS %} | |
| "{{ principal }}", | |
| {%- endfor %} | |
| {%- endif %} | |
| ] | |
| } | |
| } | |
| {% endfor %} | |
| } | |
| resource "aws_s3_bucket_policy" "{{ bucket }}" { | |
| bucket = "{{ bucket }}" | |
| policy = "${data.aws_iam_policy_document.{{ bucket }}.json}" | |
| } | |
| """ | |
| with open('./terraform.tfstate', 'r') as state: | |
| data = load(state) | |
| resources = data.get('modules')[0].get('resources') | |
| for k, v in resources.items(): | |
| if 'policy' in k: | |
| bucket = v['primary']['attributes']['bucket'] | |
| policy = loads(v['primary']['attributes']['policy']) | |
| rendered = Template(template).render(bucket=v['primary']['attributes']['bucket'], | |
| statement=policy['Statement']) | |
| with open(f'./policies/{bucket}.tf', 'w') as policy_file: | |
| policy_file.write(rendered) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| data "aws_iam_policy_document" "policy" { | |
| statement { | |
| sid = "CurrentAccountS3FullAccess" | |
| effect = "Allow" | |
| actions = [ | |
| "s3:*", | |
| ] | |
| resources = [ | |
| "<bucket_arn>/*", | |
| "<bucket_arn>", | |
| ] | |
| principals { | |
| type = "AWS" | |
| identifiers = [ | |
| "<aws_account_id>", | |
| ] | |
| } | |
| } | |
| statement { | |
| sid = "OtherAccountS3ReadAccess" | |
| effect = "Allow" | |
| actions = [ | |
| "s3:List*", | |
| "s3:Get*", | |
| ] | |
| resources = [ | |
| "<bucket_arn>/*", | |
| "<bucket_arn", | |
| ] | |
| principals { | |
| type = "AWS" | |
| identifiers = [ | |
| "<aws_account_id>", | |
| ] | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment