From 8ca828030030fd4f9ef43ecf13b0556582446c7c Mon Sep 17 00:00:00 2001 From: Mounika AWS Date: Wed, 17 Apr 2024 10:20:12 +0000 Subject: [PATCH] Fix the formatting in the result --- .github/workflows/policy-validator-tf.yaml | 87 +++++++++++++++++++ main.py | 2 +- .../iam_users_groups_policies.yaml | 75 ++++++++++++++++ .../cfn/iam_users_groups_policies.yaml | 75 ++++++++++++++++ .../cfn/reference-policy.json | 12 +++ .../tf/identity_reference_policy.json | 14 +++ .../tf/reference-policy.json | 12 +++ test/check-no-new-access/tf/test.tf | 67 ++++++++++++++ test/check-no-new-access/tf/test_plan.json | 1 + 9 files changed, 344 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/policy-validator-tf.yaml create mode 100644 test/check-access-not-granted/iam_users_groups_policies.yaml create mode 100644 test/check-no-new-access/cfn/iam_users_groups_policies.yaml create mode 100644 test/check-no-new-access/cfn/reference-policy.json create mode 100644 test/check-no-new-access/tf/identity_reference_policy.json create mode 100644 test/check-no-new-access/tf/reference-policy.json create mode 100644 test/check-no-new-access/tf/test.tf create mode 100644 test/check-no-new-access/tf/test_plan.json diff --git a/.github/workflows/policy-validator-tf.yaml b/.github/workflows/policy-validator-tf.yaml new file mode 100644 index 0000000..b7dbd3f --- /dev/null +++ b/.github/workflows/policy-validator-tf.yaml 
@@ -0,0 +1,87 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. 
+ +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches,'test-workflows'] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: ${{ secrets.POLICY_VALIDATOR_ROLE }} # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: us-west-2 # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 + TEMPLATE_PATH: test/check-no-new-access/tf/test_plan.json # set this to the file path to the terraform plan in JSON + ACTIONS: 'cloudformation:*, s3:*' # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: test/check-no-new-access/tf/reference-policy.json # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: IDENTITY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
+ +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: ./ #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: ./ #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: ./ #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/main.py b/main.py index 0acebb9..79dc12c 100644 --- a/main.py +++ b/main.py @@ -203,7 +203,7 @@ def set_output(val): def format_result(result): - result = re.sub(r"[\n\t\s]*", "", result) + result = re.sub(r"[\n\t]*|\s{2,}", "", result) print("result={}".format(result)) return result diff --git a/test/check-access-not-granted/iam_users_groups_policies.yaml b/test/check-access-not-granted/iam_users_groups_policies.yaml new file mode 100644 index 0000000..4aac84e --- /dev/null +++ b/test/check-access-not-granted/iam_users_groups_policies.yaml 
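Review bot: The three result-printing steps interpolate a step output directly into the shell script — `run: echo "${{ steps.run-aws-validate-policy.outputs.result }}"` and the two matching steps below it — so a double quote, backtick or `$(` inside the result is interpreted by the runner's shell instead of being printed, and that text is derived from findings about whatever template the triggering push or pull request contains. Pass it through the environment instead: `env:` / `  RESULT: ${{ steps.run-aws-validate-policy.outputs.result }}` / `run: echo "$RESULT"`, and the same for the CheckAccessNotGranted and CheckNoNewAccess print steps. `$default-branch` and `$protected-branches` in the `branches:` filters look like starter-workflow placeholders; committed verbatim they are literal branch names, so as far as I can tell only pushes to `test-workflows` trigger the job and the `pull_request` filter never matches. On pull requests from forks `secrets.POLICY_VALIDATOR_ROLE` is empty and, as far as I know, `id-token: write` is not granted, so `Configure AWS Credentials` will fail there; a comment next to `pull_request:` saying that is expected would save a confused contributor. The comment `# reference-policy is stored in GitHub secrets` above the CheckNoNewAccess step contradicts `REFERENCE_POLICY`, which is a path inside the repository.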
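Review bot: The leading alternative in `re.sub(r"[\n\t]*|\s{2,}", "", result)` matches the empty string at every position, and `\s` already covers `\n` and `\t`, so the pattern reads as if `\s{2,}` were unreachable; as far as I can tell it only strips runs of spaces because CPython 3.7+ retries the same position for a non-empty match after an empty one, which is too subtle to leave uncommented. Write the intent directly: `result = re.sub(r"\s{2,}|[\n\t]", "", result)`. Deleting a whitespace run outright also fuses the neighbouring tokens (`Allow  ec2:*` becomes `Allowec2:*`); if the consumer only needs one line (`set_output` in the hunk header suggests a GitHub Actions output), `result = re.sub(r"\s+", " ", result).strip()` keeps the tokens readable. The collapsed whitespace in this hunk hides whether `format_result` has blank context lines, but the function otherwise appears complete within it.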
@@ -0,0 +1,75 @@ +AWSTemplateFormatVersion: '2010-09-09' +Metadata: + License: Apache-2.0 +Description: 'AWS CloudFormation Sample Template IAM_Users_Groups_and_Policies: Sample + template showing how to create IAM users, groups and policies. It creates a single + user that is a member of a users group and an admin group. The groups each have + different IAM policies associated with them. Note: This example also creates an + AWSAccessKeyId/AWSSecretKey pair associated with the new user. The example is somewhat + contrived since it creates all of the users and groups, typically you would be creating + policies, users and/or groups that contain references to existing users or groups + in your environment. Note that you will need to specify the CAPABILITY_IAM flag + when you create the stack to allow this template to execute. You can do this through + the AWS management console by clicking on the check box acknowledging that you understand + this template creates IAM resources or by specifying the CAPABILITY_IAM flag to + the cfn-create-stack command line tool or CreateStack API call.' 
+# Parameters: +# Password: +# NoEcho: 'true' +# Type: String +# Description: New account password +# MinLength: '1' +# MaxLength: '41' +# Default: "test" +# ConstraintDescription: the password must be between 1 and 41 characters +Resources: + CFNUser: + Type: AWS::IAM::User + Properties: + LoginProfile: + Password: "test" + CFNUserGroup: + Type: AWS::IAM::Group + CFNAdminGroup: + Type: AWS::IAM::Group + Users: + Type: AWS::IAM::UserToGroupAddition + Properties: + GroupName: !Ref 'CFNUserGroup' + Users: [!Ref 'CFNUser'] + Admins: + Type: AWS::IAM::UserToGroupAddition + Properties: + GroupName: !Ref 'CFNAdminGroup' + Users: [!Ref 'CFNUser'] + CFNUserPolicies: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNUsers + PolicyDocument: + Statement: + - Effect: Allow + Action: ['cloudformation:Describe*', 'cloudformation:List*', 'cloudformation:Get*'] + Resource: '*' + Groups: [!Ref 'CFNUserGroup'] + CFNAdminPolicies: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNAdmins + PolicyDocument: + Statement: + - Effect: Allow + Action: cloudformation:* + Resource: '*' + Groups: [!Ref 'CFNAdminGroup'] + CFNKeys: + Type: AWS::IAM::AccessKey + Properties: + UserName: !Ref 'CFNUser' +Outputs: + AccessKey: + Value: !Ref 'CFNKeys' + Description: AWSAccessKeyId of new user + SecretKey: + Value: !GetAtt [CFNKeys, SecretAccessKey] + Description: AWSSecretAccessKey of new user \ No newline at end of file diff --git a/test/check-no-new-access/cfn/iam_users_groups_policies.yaml b/test/check-no-new-access/cfn/iam_users_groups_policies.yaml new file mode 100644 index 0000000..4aac84e --- /dev/null +++ b/test/check-no-new-access/cfn/iam_users_groups_policies.yaml 
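Review bot: `Password: "test"` under `LoginProfile` commits a literal console password into the repository, while the `Parameters` block with `NoEcho: 'true'` that would have kept it out of the template is left commented out directly above it; even as a fixture that is only fed to the policy checks, a committed password literal is what secret scanners and reviewers will flag, and the template additionally emits the new user's `SecretAccessKey` as a stack output. Either restore the `Password` parameter with `NoEcho: 'true'` or drop the `LoginProfile` block entirely, since nothing in this patch appears to depend on the user having a console login. The same file is added byte-for-byte as `test/check-no-new-access/cfn/iam_users_groups_policies.yaml` (same blob `4aac84e`), so the same applies there, and one shared copy would keep the two fixtures from drifting apart. Both files also lack a trailing newline.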
@@ -0,0 +1,75 @@ +AWSTemplateFormatVersion: '2010-09-09' +Metadata: + License: Apache-2.0 +Description: 'AWS CloudFormation Sample Template IAM_Users_Groups_and_Policies: Sample + template showing how to create IAM users, groups and policies. It creates a single + user that is a member of a users group and an admin group. The groups each have + different IAM policies associated with them. Note: This example also creates an + AWSAccessKeyId/AWSSecretKey pair associated with the new user. The example is somewhat + contrived since it creates all of the users and groups, typically you would be creating + policies, users and/or groups that contain references to existing users or groups + in your environment. Note that you will need to specify the CAPABILITY_IAM flag + when you create the stack to allow this template to execute. You can do this through + the AWS management console by clicking on the check box acknowledging that you understand + this template creates IAM resources or by specifying the CAPABILITY_IAM flag to + the cfn-create-stack command line tool or CreateStack API call.' 
+# Parameters: +# Password: +# NoEcho: 'true' +# Type: String +# Description: New account password +# MinLength: '1' +# MaxLength: '41' +# Default: "test" +# ConstraintDescription: the password must be between 1 and 41 characters +Resources: + CFNUser: + Type: AWS::IAM::User + Properties: + LoginProfile: + Password: "test" + CFNUserGroup: + Type: AWS::IAM::Group + CFNAdminGroup: + Type: AWS::IAM::Group + Users: + Type: AWS::IAM::UserToGroupAddition + Properties: + GroupName: !Ref 'CFNUserGroup' + Users: [!Ref 'CFNUser'] + Admins: + Type: AWS::IAM::UserToGroupAddition + Properties: + GroupName: !Ref 'CFNAdminGroup' + Users: [!Ref 'CFNUser'] + CFNUserPolicies: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNUsers + PolicyDocument: + Statement: + - Effect: Allow + Action: ['cloudformation:Describe*', 'cloudformation:List*', 'cloudformation:Get*'] + Resource: '*' + Groups: [!Ref 'CFNUserGroup'] + CFNAdminPolicies: + Type: AWS::IAM::Policy + Properties: + PolicyName: CFNAdmins + PolicyDocument: + Statement: + - Effect: Allow + Action: cloudformation:* + Resource: '*' + Groups: [!Ref 'CFNAdminGroup'] + CFNKeys: + Type: AWS::IAM::AccessKey + Properties: + UserName: !Ref 'CFNUser' +Outputs: + AccessKey: + Value: !Ref 'CFNKeys' + Description: AWSAccessKeyId of new user + SecretKey: + Value: !GetAtt [CFNKeys, SecretAccessKey] + Description: AWSSecretAccessKey of new user \ No newline at end of file diff --git a/test/check-no-new-access/cfn/reference-policy.json b/test/check-no-new-access/cfn/reference-policy.json new file mode 100644 index 0000000..f4436e8 --- /dev/null +++ b/test/check-no-new-access/cfn/reference-policy.json @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": "*", + "NotAction": [ + "cloudformation:*" + ] + } + ] +} \ No newline at end of file 
diff --git a/test/check-no-new-access/tf/identity_reference_policy.json b/test/check-no-new-access/tf/identity_reference_policy.json new file mode 100644 index 0000000..2b634ff --- /dev/null +++ b/test/check-no-new-access/tf/identity_reference_policy.json @@ -0,0 +1,14 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowListActions", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstances", + "iam:ListVirtualMFADevices" + ], + "Resource": "*" + } + ] +} \ No newline at end of file diff --git a/test/check-no-new-access/tf/reference-policy.json b/test/check-no-new-access/tf/reference-policy.json new file mode 100644 index 0000000..f4436e8 --- /dev/null +++ b/test/check-no-new-access/tf/reference-policy.json @@ -0,0 +1,12 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Resource": "*", + "NotAction": [ + "cloudformation:*" + ] + } + ] +} \ No newline at end of file diff --git a/test/check-no-new-access/tf/test.tf b/test/check-no-new-access/tf/test.tf new file mode 100644 index 0000000..5a4bc3d --- /dev/null +++ b/test/check-no-new-access/tf/test.tf 
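Review bot: `identity_reference_policy.json` is not referenced by anything in this patch — the workflow's `REFERENCE_POLICY` points at `test/check-no-new-access/tf/reference-policy.json` — so unless a test outside the patch reads it, it is dead fixture data; JSON has no comment syntax, so state its purpose in the test directory's README or drop it. `tf/reference-policy.json` is byte-identical to `cfn/reference-policy.json` (blob `f4436e8`), and neither file ends with a newline.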
@@ -0,0 +1,67 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} + +resource "aws_s3_bucket" "example" { + bucket = "my-tf-test-bucket" +} + +resource "aws_s3_bucket_policy" "allow_access_from_another_account" { + bucket = aws_s3_bucket.example.id + policy = data.aws_iam_policy_document.allow_access_from_another_account.json +} + +data "aws_iam_policy_document" "allow_access_from_another_account" { + statement { + principals { + type = "AWS" + identifiers = ["123456789012"] + } + + actions = [ + "s3:GetObject", + "s3:ListBucket", + ] + + resources = [ + "*", + ] + } +} +resource "aws_iam_user" "lb" { + name = "loadbalancer" + path = "/system/" + + tags = { + tag-key = "tag-value" + } +} + +resource "aws_iam_access_key" "lb" { + user = aws_iam_user.lb.name +} + +resource "aws_iam_user_policy" "lb_ro" { + name = "test" + user = aws_iam_user.lb.name + + # Terraform's "jsonencode" function converts a + # Terraform expression result to valid JSON syntax. + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ec2:Describe*", + ] + Effect = "Allow" + Resource = "*" + }, + ] + }) +} \ No newline at end of file diff --git a/test/check-no-new-access/tf/test_plan.json b/test/check-no-new-access/tf/test_plan.json new file mode 100644 index 0000000..e48f7e4 --- /dev/null +++ b/test/check-no-new-access/tf/test_plan.json 
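Review bot: `test.tf` does not appear to be the source of the `test_plan.json` that the workflow's `TEMPLATE_PATH` points at: the plan lists `aws_iam_group.my_developers`, `aws_iam_policy.policy`, `aws_iam_role.example`, `aws_iam_role.test_role` and `aws_iam_role_policy.test_policy`, none of which are declared here, while `aws_s3_bucket.example` and `aws_s3_bucket_policy.allow_access_from_another_account` from this file are absent from the plan. Anyone regenerating the plan from this configuration will get a different fixture and different check results, so either regenerate `test_plan.json` from this file or add a comment at the top of `test.tf` stating which configuration the committed plan was produced from. Separately, the bucket policy document uses `resources = ["*"]`, which S3 rejects for a bucket policy to my knowledge (the resource must name the bucket or its objects); `aws_s3_bucket.example.arn` and `"${aws_s3_bucket.example.arn}/*"` would make it a deployable policy, unless the invalid resource is meant to exercise a ValidatePolicy finding, in which case say so in a comment. The file also lacks a trailing newline.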
@@ -0,0 +1 @@ +{"format_version":"1.2","terraform_version":"1.5.7","planned_values":{"root_module":{"resources":[{"address":"aws_iam_access_key.lb","mode":"managed","type":"aws_iam_access_key","name":"lb","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"pgp_key":null,"status":"Active","user":"loadbalancer"},"sensitive_values":{}},{"address":"aws_iam_group.my_developers","mode":"managed","type":"aws_iam_group","name":"my_developers","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"name":"developers","path":"/users/"},"sensitive_values":{}},{"address":"aws_iam_group_policy.my_developer_policy","mode":"managed","type":"aws_iam_group_policy","name":"my_developer_policy","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"group":"developers","name":"my_developer_policy","name_prefix":null,"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Allocate*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},"sensitive_values":{}},{"address":"aws_iam_policy.policy","mode":"managed","type":"aws_iam_policy","name":"policy","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"description":"My test 
policy","name":"test_policy","path":"/","policy":"{\"Statement\":[{\"Action\":[\"ec2:List*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}],\"Version\":\"2012-10-17\"}","tags":null},"sensitive_values":{"tags_all":{}}},{"address":"aws_iam_role.example","mode":"managed","type":"aws_iam_role","name":"example","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"assume_role_policy":"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}","description":null,"force_detach_policies":false,"inline_policy":[{"name":"my_inline_policy","policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Accept*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},{"name":"policy-8675309","policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"ec2:Apply*\",\"Effect\":\"Allow\",\"Resource\":\"*\",\"Sid\":\"\"}]}"}],"max_session_duration":3600,"name":"yak_role","path":"/","permissions_boundary":null,"tags":null},"sensitive_values":{"inline_policy":[{},{}],"managed_policy_arns":[],"role_last_used":[],"tags_all":{}}},{"address":"aws_iam_role.test_role","mode":"managed","type":"aws_iam_role","name":"test_role","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"assume_role_policy":"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"test_role","path":"/","permissions_boundary":null,"tags":null},"sensitive_values":{"inline_policy":[],"managed_policy_arns":[],"role_last_used":[],"tags_all":{}}},{"address":"aws_iam_role_policy.test_policy","mode":"managed","type":"aws_iam_role_policy","name":"test_policy","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"name":"test_policy","name_prefix":nu
ll,"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Assign*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},"sensitive_values":{}},{"address":"aws_iam_user.lb","mode":"managed","type":"aws_iam_user","name":"lb","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"force_destroy":false,"name":"loadbalancer","path":"/system/","permissions_boundary":null,"tags":null},"sensitive_values":{"tags_all":{}}},{"address":"aws_iam_user_policy.lb_ro","mode":"managed","type":"aws_iam_user_policy","name":"lb_ro","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"name":"test","name_prefix":null,"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}","user":"loadbalancer"},"sensitive_values":{}}]}},"resource_changes":[{"address":"aws_iam_access_key.lb","mode":"managed","type":"aws_iam_access_key","name":"lb","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"pgp_key":null,"status":"Active","user":"loadbalancer"},"after_unknown":{"create_date":true,"encrypted_secret":true,"encrypted_ses_smtp_password_v4":true,"id":true,"key_fingerprint":true,"secret":true,"ses_smtp_password_v4":true},"before_sensitive":false,"after_sensitive":{"secret":true,"ses_smtp_password_v4":true}}},{"address":"aws_iam_group.my_developers","mode":"managed","type":"aws_iam_group","name":"my_developers","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"name":"developers","path":"/users/"},"after_unknown":{"arn":true,"id":true,"unique_id":true},"before_sensitive":false,"after_sensitive":{}}},{"address":"aws_iam_group_policy.my_developer_policy","mode":"managed","type":"aws_iam_group_policy","name":"my_developer_policy","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"group":"developers
","name":"my_developer_policy","name_prefix":null,"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Allocate*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},"after_unknown":{"id":true},"before_sensitive":false,"after_sensitive":{}}},{"address":"aws_iam_policy.policy","mode":"managed","type":"aws_iam_policy","name":"policy","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"description":"My test policy","name":"test_policy","path":"/","policy":"{\"Statement\":[{\"Action\":[\"ec2:List*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}],\"Version\":\"2012-10-17\"}","tags":null},"after_unknown":{"arn":true,"id":true,"name_prefix":true,"policy_id":true,"tags_all":true},"before_sensitive":false,"after_sensitive":{"tags_all":{}}}},{"address":"aws_iam_role.example","mode":"managed","type":"aws_iam_role","name":"example","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"assume_role_policy":"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}","description":null,"force_detach_policies":false,"inline_policy":[{"name":"my_inline_policy","policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Accept*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},{"name":"policy-8675309","policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":\"ec2:Apply*\",\"Effect\":\"Allow\",\"Principal\":\"*\",\"Resource\":\"*\",\"Sid\":\"\"}]}"}],"max_session_duration":3600,"name":"yak_role","path":"/","permissions_boundary":null,"tags":null},"after_unknown":{"arn":true,"create_date":true,"id":true,"inline_policy":[{},{}],"managed_policy_arns":true,"name_prefix":true,"role_last_used":true,"tags_all":true,"unique_id":true},"before_sensitive":false,"after_sensitive":{"inline_policy":[{},{}],"managed_policy_arns":[],"role_last_used":[],"tags_all"
:{}}}},{"address":"aws_iam_role.test_role","mode":"managed","type":"aws_iam_role","name":"test_role","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"assume_role_policy":"{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"test_role","path":"/","permissions_boundary":null,"tags":null},"after_unknown":{"arn":true,"create_date":true,"id":true,"inline_policy":true,"managed_policy_arns":true,"name_prefix":true,"role_last_used":true,"tags_all":true,"unique_id":true},"before_sensitive":false,"after_sensitive":{"inline_policy":[],"managed_policy_arns":[],"role_last_used":[],"tags_all":{}}}},{"address":"aws_iam_role_policy.test_policy","mode":"managed","type":"aws_iam_role_policy","name":"test_policy","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"name":"test_policy","name_prefix":null,"policy":"{\"Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Assign*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}"},"after_unknown":{"id":true,"role":true},"before_sensitive":false,"after_sensitive":{}}},{"address":"aws_iam_user.lb","mode":"managed","type":"aws_iam_user","name":"lb","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"force_destroy":false,"name":"loadbalancer","path":"/system/","permissions_boundary":null,"tags":null},"after_unknown":{"arn":true,"id":true,"tags_all":true,"unique_id":true},"before_sensitive":false,"after_sensitive":{"tags_all":{}}}},{"address":"aws_iam_user_policy.lb_ro","mode":"managed","type":"aws_iam_user_policy","name":"lb_ro","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"name":"test","name_prefix":null,"policy":"{\"
Version\":\"2012-10-17\",\"Statement\":[{\"Action\":[\"ec2:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}]}","user":"loadbalancer"},"after_unknown":{"id":true},"before_sensitive":false,"after_sensitive":{}}}],"prior_state":{"format_version":"1.0","terraform_version":"1.5.7","values":{"root_module":{"resources":[{"address":"data.aws_iam_policy_document.inline_policy","mode":"data","type":"aws_iam_policy_document","name":"inline_policy","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"id":"2662099322","json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"ec2:Apply*\",\n \"Resource\": \"*\"\n }\n ]\n}","override_json":null,"override_policy_documents":null,"policy_id":null,"source_json":null,"source_policy_documents":null,"statement":[{"actions":["ec2:Apply*"],"condition":[],"effect":"Allow","not_actions":[],"not_principals":[],"not_resources":[],"principals":[],"resources":["*"],"sid":""}],"version":"2012-10-17"},"sensitive_values":{"statement":[{"actions":[false],"condition":[],"not_actions":[],"not_principals":[],"not_resources":[],"principals":[],"resources":[false]}]}},{"address":"data.aws_iam_policy_document.instance_assume_role_policy","mode":"data","type":"aws_iam_policy_document","name":"instance_assume_role_policy","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"id":"1903849331","json":"{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n 
]\n}","override_json":null,"override_policy_documents":null,"policy_id":null,"source_json":null,"source_policy_documents":null,"statement":[{"actions":["sts:AssumeRole"],"condition":[],"effect":"Allow","not_actions":[],"not_principals":[],"not_resources":[],"principals":[{"identifiers":["ec2.amazonaws.com"],"type":"Service"}],"resources":[],"sid":""}],"version":"2012-10-17"},"sensitive_values":{"statement":[{"actions":[false],"condition":[],"not_actions":[],"not_principals":[],"not_resources":[],"principals":[{"identifiers":[false]}],"resources":[]}]}}]}}},"configuration":{"provider_config":{"aws":{"name":"aws","full_name":"registry.terraform.io/hashicorp/aws","version_constraint":"~\u003e 4.0"}},"root_module":{"resources":[{"address":"aws_iam_access_key.lb","mode":"managed","type":"aws_iam_access_key","name":"lb","provider_config_key":"aws","expressions":{"user":{"references":["aws_iam_user.lb.name","aws_iam_user.lb"]}},"schema_version":0},{"address":"aws_iam_group.my_developers","mode":"managed","type":"aws_iam_group","name":"my_developers","provider_config_key":"aws","expressions":{"name":{"constant_value":"developers"},"path":{"constant_value":"/users/"}},"schema_version":0},{"address":"aws_iam_group_policy.my_developer_policy","mode":"managed","type":"aws_iam_group_policy","name":"my_developer_policy","provider_config_key":"aws","expressions":{"group":{"references":["aws_iam_group.my_developers.name","aws_iam_group.my_developers"]},"name":{"constant_value":"my_developer_policy"},"policy":{}},"schema_version":0},{"address":"aws_iam_policy.policy","mode":"managed","type":"aws_iam_policy","name":"policy","provider_config_key":"aws","expressions":{"description":{"constant_value":"My test 
policy"},"name":{"constant_value":"test_policy"},"path":{"constant_value":"/"},"policy":{}},"schema_version":0},{"address":"aws_iam_role.example","mode":"managed","type":"aws_iam_role","name":"example","provider_config_key":"aws","expressions":{"assume_role_policy":{"references":["data.aws_iam_policy_document.instance_assume_role_policy.json","data.aws_iam_policy_document.instance_assume_role_policy"]},"inline_policy":[{"name":{"constant_value":"my_inline_policy"},"policy":{}},{"name":{"constant_value":"policy-8675309"},"policy":{"references":["data.aws_iam_policy_document.inline_policy.json","data.aws_iam_policy_document.inline_policy"]}}],"name":{"constant_value":"yak_role"}},"schema_version":0},{"address":"aws_iam_role.test_role","mode":"managed","type":"aws_iam_role","name":"test_role","provider_config_key":"aws","expressions":{"assume_role_policy":{"references":["data.aws_iam_policy_document.instance_assume_role_policy.json","data.aws_iam_policy_document.instance_assume_role_policy"]},"name":{"constant_value":"test_role"}},"schema_version":0},{"address":"aws_iam_role_policy.test_policy","mode":"managed","type":"aws_iam_role_policy","name":"test_policy","provider_config_key":"aws","expressions":{"name":{"constant_value":"test_policy"},"policy":{},"role":{"references":["aws_iam_role.test_role.id","aws_iam_role.test_role"]}},"schema_version":0},{"address":"aws_iam_user.lb","mode":"managed","type":"aws_iam_user","name":"lb","provider_config_key":"aws","expressions":{"name":{"constant_value":"loadbalancer"},"path":{"constant_value":"/system/"}},"schema_version":0},{"address":"aws_iam_user_policy.lb_ro","mode":"managed","type":"aws_iam_user_policy","name":"lb_ro","provider_config_key":"aws","expressions":{"name":{"constant_value":"test"},"policy":{},"user":{"references":["aws_iam_user.lb.name","aws_iam_user.lb"]}},"schema_version":0},{"address":"data.aws_iam_policy_document.inline_policy","mode":"data","type":"aws_iam_policy_document","name":"inline_policy","provider
_config_key":"aws","expressions":{"statement":[{"actions":{"constant_value":["ec2:Apply*"]},"resources":{"constant_value":["*"]}}]},"schema_version":0},{"address":"data.aws_iam_policy_document.instance_assume_role_policy","mode":"data","type":"aws_iam_policy_document","name":"instance_assume_role_policy","provider_config_key":"aws","expressions":{"statement":[{"actions":{"constant_value":["sts:AssumeRole"]},"principals":[{"identifiers":{"constant_value":["ec2.amazonaws.com"]},"type":{"constant_value":"Service"}}]}]},"schema_version":0}]}},"relevant_attributes":[{"resource":"aws_iam_group.my_developers","attribute":["name"]},{"resource":"aws_iam_user.lb","attribute":["name"]},{"resource":"data.aws_iam_policy_document.instance_assume_role_policy","attribute":["json"]},{"resource":"data.aws_iam_policy_document.inline_policy","attribute":["json"]},{"resource":"aws_iam_role.test_role","attribute":["id"]}],"timestamp":"2023-11-07T23:42:52Z"} \ No newline at end of file