Skip to content
/ aph Public

aph is a tool to build a list of permissions and resources used by Terraform when creating in order to lock down a CI/CD role to only use the permissions it absolutely needs

1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

detnon/aph

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
aph.py
aph.py
 
 

Repository files navigation

aph

aph is a script to build a list of permissions and resources used by Terraform when creating in order to lock down a CI/CD role to only use the permissions it absolutely needs and output them formatted as JSON to aws_requests.json

Usage

Firstly, you will need to enable the correct logging level by terraform, before the next step run:

export TF_LOG=TRACE

Generate a logfile by running terraform and outputting everything to a file

aws-vault exec <account> -- terraform init
aws-vault exec <account> -- terraform plan
aws-vault exec <account> -- terraform apply --auto-approve 2>&1 | tee log.log

extract the requests by either moving the log file to aws_requests.py or vice versa and run

python aph.py log.log

This will generate a JSON file grouped by service and ordered alphabeticaly eg:

{
    "acm": [
        "DescribeCertificate",
        "ListTagsForCertificate",
        "RequestCertificate"
    ],
    "ec2": [
        "AuthorizeSecurityGroupEgress",
        "AuthorizeSecurityGroupIngress",
        "CreateSecurityGroup",
    ],
    "ecs": [
        "CreateCluster",
        "CreateService",
        "DescribeClusters",
        "DescribeServices",
    ]
}

About

aph is a tool to build a list of permissions and resources used by Terraform when creating in order to lock down a CI/CD role to only use the permissions it absolutely needs

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages