fix cloudformation and tf templates

Author: vik-nullify

aws-integration-setup/cloudformation/nullify-cloudformation-template.json

@@ -102,7 +102,6 @@
                 "Action": [
                   "s3:GetObject",
                   "s3:GetObject*",
-                  "s3:PutObject*",
                   "s3:DeleteObject*",
                   "s3:RestoreObject",
                   "ecr:GetDownloadUrlForLayer",

aws-integration-setup/terraform/examples/basic/main.tf

@@ -12,7 +12,7 @@ terraform {
 }
 
 provider "aws" {
-  region = "us-east-1"
+  region = "ap-southeast-2"
 }
 
 module "nullify_aws_integration" {
@@ -24,7 +24,7 @@ module "nullify_aws_integration" {
   nullify_role_arn = "arn:aws:iam::NULLIFY-ACCOUNT-ID:role/NULLIFY-ROLE-NAME"
 
   # Optional - using defaults for most values
-  aws_region = "us-east-1"
+  aws_region = "ap-southeast-2"
 
   # Custom tags
   tags = {

aws-integration-setup/terraform/examples/with-kubernetes/variables.tf

@@ -22,7 +22,7 @@ variable "nullify_role_arn" {
 variable "aws_region" {
   type        = string
   description = "The AWS region where resources are deployed"
-  default     = "us-east-1"
+  default     = "ap-southeast-2"
 }
 
 variable "eks_cluster_name" {

aws-integration-setup/terraform/modules/nullify-aws-integration/data.tf

@@ -280,71 +280,8 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "launchwizard:Describe*",
       "launchwizard:GetWorkload",
       "launchwizard:List*",
-      "lex:DescribeBot",
-      "lex:DescribeBotAlias",
-      "lex:DescribeBotChannel",
-      "lex:DescribeBotLocale",
-      "lex:DescribeBotReplica",
-      "lex:DescribeBotVersion",
-      "lex:DescribeExport",
-      "lex:DescribeImport",
-      "lex:DescribeIntent",
-      "lex:DescribeResourcePolicy",
-      "lex:DescribeSlot",
-      "lex:DescribeSlotType",
-      "lex:List*",
       "license-manager:List*",
-      "lightsail:GetActiveNames",
-      "lightsail:GetAlarms",
-      "lightsail:GetAutoSnapshots",
-      "lightsail:GetBlueprints",
-      "lightsail:GetBucketAccessKeys",
-      "lightsail:GetBucketBundles",
-      "lightsail:GetBucketMetricData",
-      "lightsail:GetBuckets",
-      "lightsail:GetBundles",
-      "lightsail:GetCertificates",
-      "lightsail:GetCloudFormationStackRecords",
-      "lightsail:GetContainerAPIMetadata",
-      "lightsail:GetContainerImages",
-      "lightsail:GetContainerServiceDeployments",
-      "lightsail:GetContainerServiceMetricData",
-      "lightsail:GetContainerServicePowers",
-      "lightsail:GetContainerServices",
-      "lightsail:GetDiskSnapshot",
-      "lightsail:GetDiskSnapshots",
-      "lightsail:GetDistributionBundles",
-      "lightsail:GetDistributionLatestCacheReset",
-      "lightsail:GetDistributionMetricData",
-      "lightsail:GetDistributions",
-      "lightsail:GetDomain",
-      "lightsail:GetDomains",
-      "lightsail:GetExportSnapshotRecords",
-      "lightsail:GetInstancePortStates",
-      "lightsail:GetInstances",
-      "lightsail:GetInstanceSnapshot",
-      "lightsail:GetInstanceSnapshots",
-      "lightsail:GetInstanceState",
-      "lightsail:GetLoadBalancer",
-      "lightsail:GetLoadBalancerMetricData",
-      "lightsail:GetLoadBalancers",
-      "lightsail:GetLoadBalancerTlsCertificates",
-      "lightsail:GetOperation",
-      "lightsail:GetOperations",
-      "lightsail:GetOperationsForResource",
-      "lightsail:GetRegions",
-      "lightsail:GetRelationalDatabaseBlueprints",
-      "lightsail:GetRelationalDatabaseBundles",
-      "lightsail:GetRelationalDatabaseEvents",
-      "lightsail:GetRelationalDatabaseLogEvents",
-      "lightsail:GetRelationalDatabaseLogStreams",
-      "lightsail:GetRelationalDatabaseMetricData",
-      "lightsail:GetRelationalDatabaseParameters",
-      "lightsail:GetRelationalDatabases",
-      "lightsail:GetRelationalDatabaseSnapshot",
-      "lightsail:GetRelationalDatabaseSnapshots",
-      "lightsail:GetStaticIp",
-      "lightsail:GetStaticIps",
+      "lightsail:Get*",
       "logs:Describe*",
       "logs:FilterLogEvents",
       "logs:List*",
@@ -353,27 +290,7 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "logs:StopLiveTail",
       "logs:StopQuery",
       "logs:TestMetricFilter",
-      "m2:GetApplicationVersion",
-      "m2:GetDataSetDetails",
-      "m2:GetDataSetImportTask",
-      "m2:GetDeployment",
-      "m2:GetEnvironment",
-      "m2:List*",
       "machinelearning:Describe*",
-      "macie2:Get*",
-      "macie2:GetFindingsPublicationConfiguration",
-      "macie2:GetFindingStatistics",
-      "macie2:GetInvitationsCount",
-      "macie2:GetMacieSession",
-      "macie2:GetMember",
-      "macie2:GetResourceProfile",
-      "macie2:GetRevealConfiguration",
-      "macie2:GetSensitiveDataOccurrencesAvailability",
-      "macie2:GetSensitivityInspectionTemplate",
-      "macie2:GetUsageStatistics",
-      "macie2:GetUsageTotals",
-      "macie2:List*",
-      "macie2:SearchResources",
       "managedblockchain:GetMember",
       "managedblockchain:GetNetwork",
       "managedblockchain:GetNode",
@@ -410,10 +327,11 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "nimble:List*",
       "notifications-contacts:List*",
       "notifications:Get*",
+      "notifications:List*",
       "notifications:GetManagedNotificationEvent",
       "notifications:GetNotificationConfiguration",
-      "notifications:GetNotificationEvent",
       "notifications:GetNotificationsAccessForOrganization",
+      "notifications:GetNotificationEvent",
       "notifications:List*",
       "observabilityadmin:ListResourceTelemetry",
       "observabilityadmin:ListResourceTelemetryForOrganization",
@@ -468,13 +386,8 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "route53domains:Get*",
       "route53domains:List*",
       "route53domains:View*",
-      "route53profiles:GetProfile",
-      "route53profiles:GetProfileAssociation",
-      "route53profiles:GetProfileResourceAssociation",
-      "route53profiles:ListProfileAssociations",
-      "route53profiles:ListProfileResourceAssociations",
-      "route53profiles:ListProfiles",
-      "route53profiles:ListTagsForResource",
+      "route53profiles:Get*",
+      "route53profiles:List*",
       "route53resolver:Get*",
       "route53resolver:List*",
       "rum:GetAppMonitor",
@@ -484,8 +397,8 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "s3-outposts:Get*",
       "s3-outposts:List*",
       "s3:Describe*",
-      "s3:GetBucketLocation",
       "s3:List*",
+      "s3:GetBucketLocation",
       "sagemaker:Describe*",
       "sagemaker:List*",
       "scheduler:List*",
@@ -530,8 +443,8 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "sns:List*",
       "sqs:List*",
       "ssm-contacts:List*",
-      "ssm-quicksetup:List*",
       "ssm-sap:List*",
+      "ssm-quicksetup:List*",
       "ssm:List*",
       "sso-directory:List*",
       "sso:List*",
@@ -546,13 +459,6 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "sts:GetSessionToken",
       "support:Describe*",
       "support:SearchForCases",
-      "supportplans:ListSupportPlanModifiers",
-      "sustainability:GetCarbonFootprintSummary",
-      "swf:Count*",
-      "swf:Describe*",
-      "swf:List*",
-      "synthetics:Describe*",
-      "synthetics:List*",
       "tag:Describe*",
       "tag:Get*",
       "tax:ListTaxRegistrations",
@@ -571,36 +477,15 @@ data "aws_iam_policy_document" "readonly_policy_part2" {
       "verifiedpermissions:IsAuthorized",
       "verifiedpermissions:IsAuthorizedWithToken",
       "verifiedpermissions:List*",
-      "vpc-lattice:GetAccessLogSubscription",
-      "vpc-lattice:GetAuthPolicy",
-      "vpc-lattice:GetListener",
-      "vpc-lattice:GetResourcePolicy",
-      "vpc-lattice:GetRule",
-      "vpc-lattice:GetService",
-      "vpc-lattice:GetServiceNetwork",
-      "vpc-lattice:GetServiceNetworkServiceAssociation",
-      "vpc-lattice:GetServiceNetworkVpcAssociation",
-      "vpc-lattice:GetTargetGroup",
+      "vpc-lattice:Get*",
       "vpc-lattice:List*",
       "waf-regional:List*",
       "waf:List*",
       "wafv2:CheckCapacity",
       "wafv2:Describe*",
       "wafv2:List*",
       "wellarchitected:ExportLens",
-      "wellarchitected:GetAnswer",
-      "wellarchitected:GetConsolidatedReport",
-      "wellarchitected:GetLens",
-      "wellarchitected:GetLensReview",
-      "wellarchitected:GetLensReviewReport",
-      "wellarchitected:GetLensVersionDifference",
-      "wellarchitected:GetMilestone",
-      "wellarchitected:GetProfile",
-      "wellarchitected:GetProfileTemplate",
-      "wellarchitected:GetReviewTemplate",
-      "wellarchitected:GetReviewTemplateAnswer",
-      "wellarchitected:GetReviewTemplateLensReview",
-      "wellarchitected:GetWorkload",
+      "wellarchitected:Get*",
       "wellarchitected:List*",
       "workdocs:CheckAlias",
       "workdocs:Describe*",
@@ -639,9 +524,52 @@ data "aws_iam_policy_document" "deny_actions_policy" {
     actions = [
       "s3:GetObject",
       "s3:GetObject*",
+      "s3:DeleteObject*",
+      "s3:RestoreObject",
       "ecr:GetDownloadUrlForLayer",
       "ecr:BatchGetImage",
-      "ecr:GetAuthorizationToken"
+      "ecr:GetAuthorizationToken",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "ssm:GetParameter*",
+      "ssm:PutParameter*",
+      "ssm:DeleteParameter*",
+      "kms:Decrypt",
+      "kms:DescribeKey",
+      "kms:GenerateDataKey*",
+      "kms:CreateGrant",
+      "lambda:InvokeFunction",
+      "lambda:InvokeAsync",
+      "sts:AssumeRole",
+      "iam:PassRole",
+      "iam:CreateRole",
+      "iam:DeleteRole",
+      "iam:AttachRolePolicy",
+      "iam:DetachRolePolicy",
+      "iam:PutRolePolicy",
+      "iam:DeleteRolePolicy",
+      "iam:CreateUser",
+      "iam:DeleteUser",
+      "iam:CreateAccessKey",
+      "iam:DeleteAccessKey",
+      "iam:UpdateAccessKey",
+      "ec2:RunInstances",
+      "ec2:TerminateInstances",
+      "ec2:StopInstances",
+      "ec2:StartInstances",
+      "ec2:RebootInstances",
+      "ec2:CreateSnapshot",
+      "ec2:DeleteSnapshot",
+      "ec2:CreateImage",
+      "ec2:DeregisterImage",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DeleteLogGroup",
+      "logs:DeleteLogStream"
     ]
     resources = ["*"]
   }