infrahouse_toolkit.cli.ih_plan.cmd_min_permissions package

Subpackages

Module contents

class infrahouse_toolkit.cli.ih_plan.cmd_min_permissions.ActionList[source]

Bases: object

List of AWS IAM actions. Each action is a string in the form used by AWS policy documents, e.g. ``ec2:DescribeInstances``.

PERMISSION_NAMING_MAP = {'CompleteMultipartUpload': 'PutObject', 'CreateMultipartUpload': 'PutObject', 'DeletePublicAccessBlock': 'PutBucketPublicAccessBlock', 'GetBucketAccelerateConfiguration': 'GetAccelerateConfiguration', 'GetBucketCors': 'GetBucketCORS', 'GetBucketEncryption': 'GetEncryptionConfiguration', 'GetBucketLifecycleConfiguration': 'GetLifecycleConfiguration', 'GetBucketReplication': 'GetReplicationConfiguration', 'GetObjectLockConfiguration': 'GetBucketObjectLockConfiguration', 'GetPublicAccessBlock': 'GetBucketPublicAccessBlock', 'HeadBucket': 'ListBucket', 'HeadObject': 'GetObject', 'PutPublicAccessBlock': 'PutBucketPublicAccessBlock', 'UploadPart': 'PutObject'}
REQUIRED_EXTRA_PERMISSIONS_MAP = {'autoscaling:CreateAutoScalingGroup': ['iam:PassRole', 'iam:CreateServiceLinkedRole', 'ec2:CreateTags', 'ec2:RunInstances'], 'autoscaling:UpdateAutoScalingGroup': ['iam:PassRole'], 'ec2:CreateLaunchTemplate': ['ec2:CreateTags'], 'ec2:ImportKeyPair': ['ec2:CreateTags'], 'ec2:RunInstances': ['ec2:CreateTags'], 'elasticloadbalancing:CreateLoadBalancer': ['elasticloadbalancing:AddTags'], 'events:PutRule': ['events:TagResource'], 'events:PutTargets': ['events:TagResource'], 'iam:AddRoleToInstanceProfile': ['iam:PassRole'], 'iam:CreateInstanceProfile': ['iam:TagInstanceProfile'], 'lambda:CreateFunction': ['lambda:TagResource'], 'logs:CreateLogGroup': ['logs:TagResource'], 's3:CreateBucket': ['s3:PutBucketTagging'], 's3:PutObject': ['kms:Decrypt', 'kms:CreateGrant', 'kms:DescribeKey', 'kms:Encrypt', 's3:AbortMultipartUpload', 's3:GetObject', 's3:ListMultipartUploadParts', 's3:PutObjectTagging']}
SERVICE_NAMING_MAP = {'auto scaling': 'autoscaling', 'cloudwatch logs': 'logs', 'elastic load balancing v2': 'elasticloadbalancing', 'eventbridge': 'events', 'route 53': 'route53', 'secrets manager': 'secretsmanager'}
property actions: list

List of action strings in AWS policy format (e.g. ``ec2:DescribeInstances``).

add(action: str)[source]

Add a new action. The service name is normalized to the AWS policy prefix (see ``SERVICE_NAMING_MAP``) and any dependent actions listed in ``REQUIRED_EXTRA_PERMISSIONS_MAP`` are added as well. Note that some of those dependent actions are sensitive — ``iam:PassRole`` is added alongside the Auto Scaling group and instance-profile actions, and ``kms:*`` actions alongside ``s3:PutObject`` — so review the generated policy and constrain such actions with resource ARNs or conditions rather than leaving them unscoped.

property count: int

Number of actions currently in the list.

load_from_file(file)[source]

Load actions from a JSON file. The JSON document must be an array of action strings.

parse_trace(file, existing=None)[source]

Inspect a Terraform trace file and collect the AWS actions it records. The ``existing`` argument presumably seeds the collection with previously gathered actions — confirm against the source. The result is only as complete as the trace: API calls not exercised by the traced run will be missing, so the resulting permission set should be validated against a full apply/destroy cycle before being treated as the minimum.