Merge pull request #3 from mineiros-io/mariux/improve-policies

Finalize inline policy generation

Author: mariux

.semaphore/semaphore.yml

@@ -1,25 +1,27 @@
 version: v1.0
-name: "terraform-aws-iam-user CI Pipeline"
+name: "CI/CD Pipeline"
 agent:
   machine:
     type: e1-standard-2
     os_image: ubuntu1804
 
+global_job_config:
+  # secrets:
+  #   - name: TERRAFORM_AWS_TESTACCOUNT_CREDENTIALS
+  #   - name: private-ssh-key-with-iac-library-access
+  prologue:
+    commands:
+      - checkout --use-cache
+      # - chmod 400 ~/.ssh/id_rsa_iac_library
+      # - ssh-add ~/.ssh/id_rsa_iac_library
+
 blocks:
   - name: "Tests"
     task:
-#      secrets:
-#        - name: TERRAFORM_GITHUB_CREDENTIALS
-#        - name: TERRAFORM_AWS_TESTACCOUNT_CREDENTIALS
-      prologue:
-        commands:
-          - checkout --use-cache
       jobs:
         - name: "Pre Commit Hooks"
           commands:
-            - make test/pre-commit-hooks
-
-# There are no unit tests inside this repository since it acts as a code convention example only
-#        - name: "Unit Tests"
-#          commands:
-#            - make test/unit-tests
+            - make test/pre-commit
+        - name: "Unit Tests"
+          commands:
+            - make test/unit-tests

Makefile

@@ -1,60 +1,87 @@
-SHELL := /bin/bash
+# Set default shell to bash
+SHELL := /bin/bash -o pipefail
 
-MOUNT_TARGET_DIRECTORY  = /app/src
-BUILD_TOOLS_DOCKER_REPO = mineiros/build-tools
+BUILD_TOOLS_VERSION      ?= v0.4.0
+BUILD_TOOLS_DOCKER_REPO  ?= mineiros/build-tools
+BUILD_TOOLS_DOCKER_IMAGE ?= ${BUILD_TOOLS_DOCKER_REPO}:${BUILD_TOOLS_VERSION}
 
-# Set default value for environment variable if there aren't set already
-ifndef BUILD_TOOLS_VERSION
-	BUILD_TOOLS_VERSION := latest
+# if running in CI (e.g. Semaphore CI)
+# https://docs.semaphoreci.com/ci-cd-environment/environment-variables/#ci
+#
+# to disable TF_IN_AUTOMATION in CI set it to empty
+# https://www.terraform.io/docs/commands/environment-variables.html#tf_in_automation
+#
+# we are using GNU style quiet commands to disable set V to non-empty e.g. V=1
+# https://www.gnu.org/software/automake/manual/html_node/Debugging-Make-Rules.html
+#
+ifdef CI
+	TF_IN_AUTOMATION ?= yes
+	export TF_IN_AUTOMATION
+
+	V ?= 1
 endif
 
-ifndef BUILD_TOOLS_DOCKER_IMAGE
-	BUILD_TOOLS_DOCKER_IMAGE := ${BUILD_TOOLS_DOCKER_REPO}:${BUILD_TOOLS_VERSION}
+ifndef NOCOLOR
+	GREEN  := $(shell tput -Txterm setaf 2)
+	YELLOW := $(shell tput -Txterm setaf 3)
+	WHITE  := $(shell tput -Txterm setaf 7)
+	RESET  := $(shell tput -Txterm sgr0)
 endif
 
-USER_UID := $(shell id -u)
-USER_GID := $(shell id -g)
+DOCKER_RUN_FLAGS += --rm
+DOCKER_RUN_FLAGS += -v ${PWD}:/app/src
+DOCKER_RUN_FLAGS += -e TF_IN_AUTOMATION
+DOCKER_RUN_FLAGS += -e USER_UID=$(shell id -u)
+
+DOCKER_SSH_FLAGS += -e SSH_AUTH_SOCK=/ssh-agent
+DOCKER_SSH_FLAGS += -v ${SSH_AUTH_SOCK}:/ssh-agent
+
+DOCKER_AWS_FLAGS += -e AWS_ACCESS_KEY_ID
+DOCKER_AWS_FLAGS += -e AWS_SECRET_ACCESS_KEY
+DOCKER_AWS_FLAGS += -e AWS_SESSION_TOKEN
 
-GREEN  := $(shell tput -Txterm setaf 2)
-YELLOW := $(shell tput -Txterm setaf 3)
-WHITE  := $(shell tput -Txterm setaf 7)
-RESET  := $(shell tput -Txterm sgr0)
+DOCKER_FLAGS   += ${DOCKER_RUN_FLAGS}
+DOCKER_RUN_CMD  = docker run ${DOCKER_FLAGS} ${BUILD_TOOLS_DOCKER_IMAGE}
 
-.DEFAULT_GOAL := help
+.PHONY: default
+default: help
 
-.PHONY: test/pre-commit-hooks
-## Mounts the working directory inside a docker container and runs the pre-commit hooks
-test/pre-commit-hooks:
-	@echo "${GREEN}Start running the pre-commit hooks with docker${RESET}"
-	@docker run --rm \
-		-u ${USER_UID}:${USER_GID} \
-		-v ${PWD}:${MOUNT_TARGET_DIRECTORY} \
-		${BUILD_TOOLS_DOCKER_IMAGE} \
-		sh -c "pre-commit run -a"
+## Run pre-commit hooks in build-tools docker container.
+.PHONY: test/pre-commit
+test/pre-commit: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
+test/pre-commit:
+	$(call docker-run,pre-commit run -a)
 
+## Run go tests hooks in build-tools docker container.
 .PHONY: test/unit-tests
-## Mounts the working directory inside a new container and runs the Go tests. Requires $AWS_ACCESS_KEY_ID and $AWS_SECRET_ACCESS_KEY to be set
-# test/unit-tests:
-# 	@echo "${GREEN}Start running the unit tests with docker${RESET}"
-# 	@docker run --rm \
-# 		-e AWS_ACCESS_KEY_ID \
-# 		-e AWS_SECRET_ACCESS_KEY \
-# 		-u ${USER_UID}:${USER_GID} \
-# 		-v ${PWD}:${MOUNT_TARGET_DIRECTORY} \
-# 		${BUILD_TOOLS_DOCKER_IMAGE} \
-# 		go test -v -timeout 45m -parallel 128 test/example_test.go
+test/unit-tests: DOCKER_FLAGS += ${DOCKER_SSH_FLAGS}
+test/unit-tests: DOCKER_FLAGS += ${DOCKER_AWS_FLAGS}
+test/unit-tests:
+	@echo "${YELLOW}No tests defined.${RESET}"
+#	$(call go-test,tests)
+
+## Clean up cache and temporary files
+.PHONY: clean
+clean:
+	$(call rm-command,.terraform)
 
-.PHONY: help
 ## Display help for all targets
+.PHONY: help
 help:
-	@awk '/^[a-zA-Z_0-9%:\\\/-]+:/ { \
-		msg = match(lastLine, /^## (.*)/); \
+	@awk '/^.PHONY: / { \
+		msg = match(lastLine, /^## /); \
 			if (msg) { \
-				cmd = $$1; \
-				msg = substr(lastLine, RSTART + 3, RLENGTH); \
-				gsub("\\\\", "", cmd); \
-				gsub(":+$$", "", cmd); \
-				printf "  \x1b[32;01m%-35s\x1b[0m %s\n", cmd, msg; \
+				cmd = substr($$0, 9, 100); \
+				msg = substr(lastLine, 4, 1000); \
+				printf "  ${GREEN}%-30s${RESET} %s\n", cmd, msg; \
 			} \
 	} \
-	{ lastLine = $$0 }' $(MAKEFILE_LIST) | sort -u
+	{ lastLine = $$0 }' $(MAKEFILE_LIST)
+
+# define helper functions
+quiet-command = $(if ${V},${1},$(if ${2},@echo ${2} && ${1}, @${1}))
+
+docker-run    = $(call quiet-command,${DOCKER_RUN_CMD} ${1} | cat,"${YELLOW}[DOCKER RUN] ${GREEN}${1}${RESET}")
+go-test       = $(call quiet-command,${DOCKER_RUN_CMD} go test -v -timeout 45m -parallel 128 ${1} | cat,"${YELLOW}[TEST] ${GREEN}${1}${RESET}")
+
+rm-command    = $(call quiet-command,rm -rf ${1},"${YELLOW}[CLEAN] ${GREEN}${1}${RESET}")

main.tf

@@ -27,10 +27,40 @@ data "aws_iam_policy_document" "policy" {
     for_each = var.policy_statements
 
     content {
-      actions   = try(statement.value.actions, null)
-      effect    = try(statement.value.effect, null)
-      resources = try(statement.value.resources, null)
-      sid       = try(statement.value.sid, null)
+      sid           = try(statement.value.sid, null)
+      effect        = try(statement.value.effect, null)
+      actions       = try(statement.value.actions, null)
+      not_actions   = try(statement.value.not_actions, null)
+      resources     = try(statement.value.resources, null)
+      not_resources = try(statement.value.not_resources, null)
+
+      dynamic "principals" {
+        for_each = try(statement.value.principals, [])
+
+        content {
+          type        = principals.value.type
+          identifiers = principals.value.identifiers
+        }
+      }
+
+      dynamic "not_principals" {
+        for_each = try(statement.value.not_principals, [])
+
+        content {
+          type        = not_principals.value.type
+          identifiers = not_principals.value.identifiers
+        }
+      }
+
+      dynamic "condition" {
+        for_each = try(statement.value.conditions, [])
+
+        content {
+          test     = condition.value.test
+          variable = condition.value.variable
+          values   = condition.value.values
+        }
+      }
     }
   }
 }