new datasource

JamesWoolfenden · Jul 26, 2024 · 347f34b · 347f34b
1 parent 58e6e70
commit 347f34b
Show file tree

Hide file tree

Showing 26 changed files with 3,621 additions and 3,451 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@064a406de026ea27990a5b507b56911401ca2f95 # codeql-bundle-v2.18.0
+        uses: github/codeql-action/init@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # codeql-bundle-v2.18.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@064a406de026ea27990a5b507b56911401ca2f95 # codeql-bundle-v2.18.0
+        uses: github/codeql-action/autobuild@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # codeql-bundle-v2.18.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -70,4 +70,4 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@064a406de026ea27990a5b507b56911401ca2f95 # codeql-bundle-v2.18.0
+        uses: github/codeql-action/analyze@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # codeql-bundle-v2.18.1
diff --git a/Makefile b/Makefile
@@ -67,6 +67,7 @@ psbump:
 update:
 	go get -u
 	go mod tidy
+	go vendor
 	pre-commit autoupdate
 
 lint:

diff --git a/README.md b/README.md
@@ -13,7 +13,7 @@
 [![codecov](https://codecov.io/gh/JamesWoolfenden/pike/graph/badge.svg?token=S5SW3BHIQQ)](https://codecov.io/gh/JamesWoolfenden/pike)
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/7032/badge)](https://www.bestpractices.dev/projects/7032)
 
-Pike is a tool, to determine the minimum permissions required to run a TF/IAC run:
+Pike is a tool to determine the minimum permissions required to run a TF/IAC run:
 
 Pike currently supports Terraform and supports multiple providers (AWS, GCP, AZURE),
 Azure is the newest with AWS having the most supported resources
@@ -23,7 +23,7 @@ merging it ASAP.
 
 **CAVEAT** The outputs of this tool are your first step, if you have AWS, you can now generate resources partially, there are no conditions and even partial resources are wildcarded (for now).
 (for AWS)
-**best practice** would go further (and I am working on it as well), you will need to modify these permissions to the minimum required in your enviornment by adding these
+**best practice** would go further (and I am working on it as well), you will need to modify these permissions to the minimum required in your environment by adding these
 restrictions, you can also deploy using short-lived credentials (using this tool or Vault) (in AWS so far), generating short-lived credentials for your build
 and then remotely (REMOTE) supply and invoke your builds (INVOKE).
 
@@ -360,18 +360,18 @@ on:
       - master
 ```
 
-To authenticate the GitHub Api you will need to set you GitHub Personal Access Token as the environment variable
+To authenticate the GitHub API you will need to set you GitHub Personal Access Token, as the environment variable
 *GITHUB_TOKEN*
 
-To Invoke a workflow it is then:
+To Invoke a workflow, it is then:
 
 ```shell
 pike invoke -workflow master.yml -branch master -repository JamesWoolfenden/terraform-aws-s3
 ```
 
 I created Invoke to be used in tandem with the new remote command which supplies temporary credentials to a workflow.
 
-**Note The gitHub API is rate limited usually 5000 calls per hour.
+**Note The GitHub API is rate limited, usually 5000 calls per hour.
 
 ```shell
 pike make -d ./module/aws/terraform-aws-s3/example/examplea

diff --git a/src/aws.go b/src/aws.go
@@ -38,7 +38,7 @@ func GetAWSPermissions(result ResourceV2) ([]string, error) {
 		}
 	default:
 		{
-			return nil, fmt.Errorf("unknown permission resource type %s", result.Name)
+			return nil, &unknownPermissionError{result.Name}
 		}
 	}
 
@@ -810,9 +810,9 @@ func AwsLookup(name string) interface{} {
 		"aws_waf_rule":                                             awsWafRule,
 		"aws_waf_rule_group":                                       awsWafRuleGroup,
 		"aws_waf_size_constraint_set":                              awsWafSizeConstraintSet,
-		"aws_waf_sql_injection_match_set":                          awsWafSqlInjectionMatchSet,
-		"aws_waf_web_acl":                                          awsWafWebAcl,
-		"aws_waf_xss_match_set":                                    awsWafXssNatchSet,
+		"aws_waf_sql_injection_match_set":                          awsWafSQLInjectionMatchSet,
+		"aws_waf_web_acl":                                          awsWafWebACL,
+		"aws_waf_xss_match_set":                                    awsWafXSSNatchSet,
 		"aws_wafregional_byte_match_set":                           awsWafregionalByteMatchSet,
 		"aws_wafregional_geo_match_set":                            awsWafregionalGeoMatchSet,
 		"aws_wafregional_ipset":                                    awsWafregionalIpset,
@@ -822,9 +822,9 @@ func AwsLookup(name string) interface{} {
 		"aws_wafregional_rule":                                     awsWafregionalRule,
 		"aws_wafregional_rule_group":                               awsWafregionalRuleGroup,
 		"aws_wafregional_size_constraint_set":                      awsWafregionalSizeConstraintSet,
-		"aws_wafregional_sql_injection_match_set":                  awsWafregionalSqlInjectionMatchSet,
-		"aws_wafregional_web_acl":                                  awsWafregionalWebAcl,
-		"aws_wafregional_xss_match_set":                            awsWafregionalXssNatchSet,
+		"aws_wafregional_sql_injection_match_set":                  awsWafregionalSQLInjectionMatchSet,
+		"aws_wafregional_web_acl":                                  awsWafregionalWebACL,
+		"aws_wafregional_xss_match_set":                            awsWafregionalXSSNatchSet,
 		"aws_wafv2_ip_set":                                         awsWafv2IpSet,
 		"aws_wafv2_regex_pattern_set":                              awsWafv2RegexPatternSet,
 		"aws_wafv2_rule_group":                                     awsWafv2RuleGroup,

diff --git a/src/aws_datasource.go b/src/aws_datasource.go
@@ -1,7 +1,5 @@
 package pike
 
-import "fmt"
-
 // GetAWSDataPermissions gets permissions required for datasource's.
 //
 //goland:noinspection GoLinter
@@ -14,7 +12,7 @@ func GetAWSDataPermissions(result ResourceV2) ([]string, error) {
 	if temp := AwsDataLookup(result.Name); temp != nil {
 		Permissions, err = GetPermissionMap(temp.([]byte), result.Attributes, result.Name)
 	} else {
-		return nil, fmt.Errorf("%s not implemented", result.Name)
+		return nil, &notImplementedDatasourceError{result.Name}
 	}
 
 	return Permissions, err
@@ -23,14 +21,15 @@ func GetAWSDataPermissions(result ResourceV2) ([]string, error) {
 // AwsDataLookup is a map to connect resource name to an object map
 //
 //nolint:funlen
-func AwsDataLookup(find string) interface{} {
+func AwsDataLookup(find string) interface{} { //nolint:maintidx
+	//goland:noinspection LongLine
 	TFLookup := map[string]interface{}{
 		"aws_acm_certificate":                                       dataAwsAcmCertificate,
 		"aws_acmpca_certificate":                                    dataAwsAcmpcaCertificate,
 		"aws_acmpca_certificate_authority":                          dataAwsAcmpcaCertificateAuthority,
 		"aws_alb":                                                   dataAwsLb,
 		"aws_ami":                                                   dataAwsAmi,
-		"aws_ami_ids":                                               dataAwsAmiIds,
+		"aws_ami_ids":                                               dataAwsAmiIDs,
 		"aws_api_gateway_api_key":                                   dataAwsAPIGateway,
 		"aws_api_gateway_authorizer":                                dataAwsAPIGateway,
 		"aws_api_gateway_authorizers":                               dataAwsAPIGateway,
@@ -152,7 +151,7 @@ func AwsDataLookup(find string) interface{} {
 		"aws_ebs_default_kms_key":                                   dataAwsEbsDefaultKmsKey,
 		"aws_ebs_encryption_by_default":                             dataAwsEbsEncryptionByDefault,
 		"aws_ebs_snapshot":                                          dataAwsEbsSnapshot,
-		"aws_ebs_snapshot_ids":                                      dataAwsEbsSnapshotIds,
+		"aws_ebs_snapshot_ids":                                      dataAwsEbsSnapshotIDs,
 		"aws_ebs_volume":                                            dataAwsEbsVolume,
 		"aws_ebs_volumes":                                           dataAwsEbsVolumes,
 		"aws_ec2_client_vpn_endpoint":                               dataAwsEc2ClientVpnEndpoint,
@@ -240,7 +239,7 @@ func AwsDataLookup(find string) interface{} {
 		"aws_glue_script":                                           dataAwsGlueScript,
 		"aws_grafana_workspace":                                     dataAwsGrafanaWorkspace,
 		"aws_guardduty_detector":                                    dataAwsGuarddutyDetector,
-		"aws_guardduty_finding_ids":                                 dataAwsGuarddutyFindingIds,
+		"aws_guardduty_finding_ids":                                 dataAwsGuarddutyFindingIDs,
 		"aws_iam_access_keys":                                       dataAwsIamAccessKeys,
 		"aws_iam_account_alias":                                     dataAwsIamAccountAlias,
 		"aws_iam_group":                                             dataAwsIamGroup,
@@ -401,9 +400,9 @@ func AwsDataLookup(find string) interface{} {
 		"aws_ssoadmin_instances":                                    dataAwsSsoadminInstances,
 		"aws_ssoadmin_permission_set":                               dataAwsSsoadminPermissionSet,
 		"aws_storagegateway_local_disk":                             placeholder,
-		"aws_subnet":                                                dataAwsSubnetIds,
-		"aws_subnet_ids":                                            dataAwsSubnetIds,
-		"aws_subnets":                                               dataAwsSubnetIds,
+		"aws_subnet":                                                dataAwsSubnetIDs,
+		"aws_subnet_ids":                                            dataAwsSubnetIDs,
+		"aws_subnets":                                               dataAwsSubnetIDs,
 		"aws_transfer_server":                                       dataAwsTransferServer,
 		"aws_vpc":                                                   dataAwsVpc,
 		"aws_vpc_dhcp_options":                                      dataAwsVpcDhcpOptions,
@@ -559,7 +558,7 @@ func AwsDataLookup(find string) interface{} {
 		"aws_batch_job_definition":                                  dataAwsBatchJobDefinition,
 		"aws_cognito_user_group":                                    dataAwsCognitoUserGroup,
 		"aws_cognito_user_groups":                                   dataAwsCognitoUserGroups,
-		"aws_db_parameter_group":                                    dataAwsDbParameterGroup,
+		"aws_db_parameter_group":                                    dataAwsDBParameterGroup,
 		"aws_medialive_input":                                       dataAwsMedialiveInput,
 		"aws_redshift_data_shares":                                  dataAwsRedshiftDataShares,
 		"aws_redshift_producer_data_shares":                         dataAwsRedshiftProducerDataShares,
@@ -579,6 +578,7 @@ func AwsDataLookup(find string) interface{} {
 		"aws_timestreamwrite_database":                              dataAwsTimestreamwriteDatabase,
 		"aws_timestreamwrite_table":                                 dataAwsTimestreamwriteTable,
 		"aws_transfer_connector":                                    dataAwsTransferConnector,
+		"aws_service_principal":                                     placeholder,
 	}
 
 	return TFLookup[find]

diff --git a/src/azure.go b/src/azure.go
@@ -1,10 +1,5 @@
 package pike
 
-import (
-	"errors"
-	"fmt"
-)
-
 // GetAZUREPermissions for GCP resources.
 func GetAZUREPermissions(result ResourceV2) ([]string, error) {
 	var (
@@ -39,10 +34,9 @@ func GetAZUREResourcePermissions(result ResourceV2) ([]string, error) {
 	if temp != nil {
 		Permissions, err = GetPermissionMap(temp.([]byte), result.Attributes, result.Name)
 	} else {
-		message := fmt.Sprintf("%s not implemented", result.Name)
 
 		//goland:noinspection GoLinter
-		return nil, errors.New(message)
+		return nil, &notImplementedResourceError{result.Name}
 	}
 
 	return Permissions, err

diff --git a/src/azure_datasource.go b/src/azure_datasource.go
@@ -1,9 +1,5 @@
 package pike
 
-import (
-	"fmt"
-)
-
 // GetAZUREDataPermissions gets permissions required for datasources.
 func GetAZUREDataPermissions(result ResourceV2) ([]string, error) {
 	temp := AzureDataLookup(result.Name)
@@ -16,7 +12,7 @@ func GetAZUREDataPermissions(result ResourceV2) ([]string, error) {
 	if temp != nil {
 		Permissions, err = GetPermissionMap(temp.([]byte), result.Attributes, result.Name)
 	} else {
-		return nil, fmt.Errorf("data.%s not implemented", result.Name)
+		return nil, &notImplementedDatasourceError{Name: result.Name}
 	}
 
 	return Permissions, err

diff --git a/src/compare.go b/src/compare.go
@@ -70,6 +70,7 @@ func CompareIAMPolicy(policy string, oldPolicy string) (bool, error) {
 
 		myFormatter := formatter.NewAsciiFormatter(aJSON, myConfig)
 		diffString, err := myFormatter.Format(compare)
+
 		if err != nil {
 			return false, err
 		}

diff --git a/src/coverage/aws.md b/src/coverage/aws.md
@@ -1,7 +1,7 @@
 # todo aws
 
-Resource percentage coverage   55.22
-Datasource percentage coverage 98.71
+Resource percentage coverage   55.18
+Datasource percentage coverage 100.00
 
 ./resource.ps1 aws_amplify_app
 ./resource.ps1 aws_amplify_backend_environment
@@ -572,6 +572,7 @@ Datasource percentage coverage 98.71
 ./resource.ps1 aws_shield_protection
 ./resource.ps1 aws_shield_protection_group
 ./resource.ps1 aws_shield_protection_health_check_association
+./resource.ps1 aws_shield_subscription
 ./resource.ps1 aws_spot_datafeed_subscription
 ./resource.ps1 aws_spot_fleet_request
 ./resource.ps1 aws_ssm_activation

diff --git a/src/coverage/azure.md b/src/coverage/azure.md
@@ -1,7 +1,7 @@
 # todo azure
 
-Resource percentage coverage   4.91
-Datasource percentage coverage 38.30
+Resource percentage coverage   4.86
+Datasource percentage coverage 37.84
 
 ./resource.ps1 azurerm_aadb2c_directory
 ./resource.ps1 azurerm_active_directory_domain_service
@@ -281,6 +281,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_data_protection_backup_instance_disk
 ./resource.ps1 azurerm_data_protection_backup_instance_kubernetes_cluster
 ./resource.ps1 azurerm_data_protection_backup_instance_postgresql
+./resource.ps1 azurerm_data_protection_backup_instance_postgresql_flexible_server
 ./resource.ps1 azurerm_data_protection_backup_policy_blob_storage
 ./resource.ps1 azurerm_data_protection_backup_policy_disk
 ./resource.ps1 azurerm_data_protection_backup_policy_kubernetes_cluster
@@ -310,6 +311,8 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_dedicated_host_group
 ./resource.ps1 azurerm_dev_center
 ./resource.ps1 azurerm_dev_center_catalog
+./resource.ps1 azurerm_dev_center_dev_box_definition
+./resource.ps1 azurerm_dev_center_environment_type
 ./resource.ps1 azurerm_dev_center_gallery
 ./resource.ps1 azurerm_dev_center_project
 ./resource.ps1 azurerm_digital_twins_endpoint_eventgrid
@@ -336,6 +339,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_elastic_san_volume
 ./resource.ps1 azurerm_elastic_san_volume_group
 ./resource.ps1 azurerm_email_communication_service
+./resource.ps1 azurerm_email_communication_service_domain
 ./resource.ps1 azurerm_eventgrid_domain
 ./resource.ps1 azurerm_eventgrid_domain_topic
 ./resource.ps1 azurerm_eventgrid_event_subscription
@@ -752,6 +756,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_resource_policy_remediation
 ./resource.ps1 azurerm_resource_provider_registration
 ./resource.ps1 azurerm_role_definition
+./resource.ps1 azurerm_role_management_policy
 ./resource.ps1 azurerm_route
 ./resource.ps1 azurerm_route_filter
 ./resource.ps1 azurerm_route_map
@@ -880,6 +885,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_sql_virtual_network_rule
 ./resource.ps1 azurerm_ssh_public_key
 ./resource.ps1 azurerm_stack_hci_cluster
+./resource.ps1 azurerm_stack_hci_logical_network
 ./resource.ps1 azurerm_static_site
 ./resource.ps1 azurerm_static_site_custom_domain
 ./resource.ps1 azurerm_static_web_app
@@ -964,7 +970,10 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_synapse_workspace_sql_aad_admin
 ./resource.ps1 azurerm_synapse_workspace_vulnerability_assessment
 ./resource.ps1 azurerm_system_center_virtual_machine_manager_availability_set
+./resource.ps1 azurerm_system_center_virtual_machine_manager_cloud
 ./resource.ps1 azurerm_system_center_virtual_machine_manager_server
+./resource.ps1 azurerm_system_center_virtual_machine_manager_virtual_machine_template
+./resource.ps1 azurerm_system_center_virtual_machine_manager_virtual_network
 ./resource.ps1 azurerm_template_deployment
 ./resource.ps1 azurerm_tenant_template_deployment
 ./resource.ps1 azurerm_traffic_manager_azure_endpoint
@@ -978,6 +987,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_virtual_desktop_host_pool
 ./resource.ps1 azurerm_virtual_desktop_host_pool_registration_info
 ./resource.ps1 azurerm_virtual_desktop_scaling_plan
+./resource.ps1 azurerm_virtual_desktop_scaling_plan_host_pool_association
 ./resource.ps1 azurerm_virtual_desktop_workspace
 ./resource.ps1 azurerm_virtual_desktop_workspace_application_group_association
 ./resource.ps1 azurerm_virtual_hub
@@ -994,6 +1004,8 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_virtual_machine_gallery_application_assignment
 ./resource.ps1 azurerm_virtual_machine_implicit_data_disk_from_source
 ./resource.ps1 azurerm_virtual_machine_packet_capture
+./resource.ps1 azurerm_virtual_machine_restore_point
+./resource.ps1 azurerm_virtual_machine_restore_point_collection
 ./resource.ps1 azurerm_virtual_machine_run_command
 ./resource.ps1 azurerm_virtual_machine_scale_set_extension
 ./resource.ps1 azurerm_virtual_machine_scale_set_packet_capture
@@ -1034,6 +1046,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_advisor_recommendations -type data
 ./resource.ps1 azurerm_arc_resource_bridge_appliance -type data
 ./resource.ps1 azurerm_attestation -type data
+./resource.ps1 azurerm_automation_runbook -type data
 ./resource.ps1 azurerm_billing_enrollment_account_scope -type data
 ./resource.ps1 azurerm_billing_mca_account_scope -type data
 ./resource.ps1 azurerm_billing_mpa_account_scope -type data
@@ -1102,6 +1115,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_elastic_cloud_elasticsearch -type data
 ./resource.ps1 azurerm_elastic_san -type data
 ./resource.ps1 azurerm_elastic_san_volume_group -type data
+./resource.ps1 azurerm_elastic_san_volume_snapshot -type data
 ./resource.ps1 azurerm_eventgrid_domain -type data
 ./resource.ps1 azurerm_eventgrid_domain_topic -type data
 ./resource.ps1 azurerm_eventgrid_system_topic -type data
@@ -1113,6 +1127,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_eventhub_namespace_authorization_rule -type data
 ./resource.ps1 azurerm_eventhub_sas -type data
 ./resource.ps1 azurerm_express_route_circuit -type data
+./resource.ps1 azurerm_express_route_circuit_peering -type data
 ./resource.ps1 azurerm_extended_locations -type data
 ./resource.ps1 azurerm_firewall -type data
 ./resource.ps1 azurerm_firewall_policy -type data
@@ -1224,6 +1239,7 @@ Datasource percentage coverage 38.30
 ./resource.ps1 azurerm_proximity_placement_group -type data
 ./resource.ps1 azurerm_public_maintenance_configurations -type data
 ./resource.ps1 azurerm_recovery_services_vault -type data
+./resource.ps1 azurerm_role_management_policy -type data
 ./resource.ps1 azurerm_sentinel_alert_rule_anomaly -type data
 ./resource.ps1 azurerm_servicebus_topic_authorization_rule -type data
 ./resource.ps1 azurerm_static_web_app -type data

diff --git a/src/coverage/coverage.go b/src/coverage/coverage.go
@@ -116,6 +116,7 @@ func coverageGcp() error {
 
 	target = Prepend + target
 	err := os.WriteFile("google.md", []byte(target), 0o700)
+
 	if err != nil {
 		return err
 	}
@@ -129,6 +130,7 @@ func importMembers(targetMembers string) members {
 	data := members{}
 
 	_ = json.Unmarshal(file, &data)
+
 	return data
 }