diff --git a/go.mod b/go.mod index bd7522e9..e8fcb06a 100644 --- a/go.mod +++ b/go.mod @@ -11,8 +11,11 @@ require ( github.com/coreos/go-oidc/v3 v3.4.0 github.com/deepmap/oapi-codegen v1.12.4 github.com/getkin/kin-openapi v0.107.0 + github.com/go-git/go-git/v5 v5.13.0 github.com/goccy/go-graphviz v0.1.0 github.com/google/uuid v1.6.0 + github.com/hashicorp/terraform-exec v0.22.0 + github.com/hashicorp/terraform-json v0.24.0 github.com/iancoleman/strcase v0.2.0 github.com/markkurossi/tabulate v0.0.0-20211112080948-67dabd3f2db2 github.com/nfnt/resize v0.0.0-20160724205520-891127d8d1b5 @@ -25,7 +28,7 @@ require ( github.com/spf13/viper v1.13.0 github.com/suessflorian/gqlfetch v0.6.0 github.com/vishalkuo/bimap v0.0.0-20220726225509-e0b4f20de28b - golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874 + golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 golang.org/x/oauth2 v0.12.0 golang.org/x/sync v0.11.0 k8s.io/api v0.29.0 
@@ -35,22 +38,31 @@ require ( ) require ( + dario.cat/mergo v1.0.0 // indirect + github.com/Microsoft/go-winio v0.6.1 // indirect + github.com/ProtonMail/go-crypto v1.1.3 // indirect github.com/agnivade/levenshtein v1.2.1 // indirect github.com/alexflint/go-arg v1.5.1 // indirect github.com/alexflint/go-scalar v1.2.0 // indirect github.com/apapsch/go-jsonmerge/v2 v2.0.0 // indirect + github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/bmatcuk/doublestar/v4 v4.8.1 // indirect github.com/bugsnag/panicwrap v1.3.4 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect + github.com/cloudflare/circl v1.3.7 // indirect + github.com/cyphar/filepath-securejoin v0.2.5 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/eapache/go-resiliency v1.2.0 // indirect github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 // indirect github.com/eapache/queue v1.1.0 // indirect github.com/emicklei/go-restful/v3 v3.11.0 // indirect + github.com/emirpasic/gods v1.18.1 // indirect github.com/evanphx/json-patch/v5 v5.8.0 // indirect github.com/fogleman/gg v1.3.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect + github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect + github.com/go-git/go-billy/v5 v5.6.0 // indirect github.com/go-logr/logr v1.4.1 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect 
@@ -66,11 +78,13 @@ require ( github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/go-multierror v1.1.1 // indirect github.com/hashicorp/go-uuid v1.0.3 // indirect + github.com/hashicorp/go-version v1.7.0 // indirect github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect github.com/hashicorp/hcl v1.0.1-vault-3 // indirect github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/invopop/yaml v0.1.0 // indirect + github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect github.com/jcmturner/aescts/v2 v2.0.0 // indirect github.com/jcmturner/dnsutils/v2 v2.0.0 // indirect github.com/jcmturner/gofork v1.0.0 // indirect @@ -79,6 +93,7 @@ require ( github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect + github.com/kevinburke/ssh_config v1.2.0 // indirect github.com/klauspost/compress v1.16.0 // indirect github.com/labstack/echo/v4 v4.9.1 // indirect github.com/labstack/gommon v0.4.0 // indirect @@ -97,12 +112,15 @@ require ( github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.8 // indirect github.com/pierrec/lz4/v4 v4.1.14 // indirect + github.com/pjbgf/sha1cd v0.3.0 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/prometheus/client_golang v1.18.0 // indirect github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/common v0.45.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 // indirect + github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect + github.com/skeema/knownhosts v1.3.0 // indirect github.com/spf13/afero v1.9.2 // indirect github.com/spf13/cast v1.5.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect 
@@ -112,6 +130,8 @@ require ( github.com/valyala/fasttemplate v1.2.2 // indirect github.com/vektah/gqlparser v1.3.1 // indirect github.com/vektah/gqlparser/v2 v2.5.22 // indirect + github.com/xanzy/ssh-agent v0.3.3 // indirect + github.com/zclconf/go-cty v1.16.1 // indirect golang.org/x/crypto v0.33.0 // indirect golang.org/x/image v0.10.0 // indirect golang.org/x/mod v0.23.0 // indirect @@ -127,6 +147,7 @@ require ( gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/square/go-jose.v2 v2.6.0 // indirect + gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect k8s.io/apiextensions-apiserver v0.29.0 // indirect diff --git a/go.sum b/go.sum index 054e7b0f..dfcfaf64 100644 --- a/go.sum +++ b/go.sum 
@@ -58,12 +58,19 @@ cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RX cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo= cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= +dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk= +dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/Khan/genqlient v0.8.0 h1:Hd1a+E1CQHYbMEKakIkvBH3zW0PWEeiX6Hp1i2kP2WE= github.com/Khan/genqlient v0.8.0/go.mod h1:hn70SpYjWteRGvxTwo0kfaqg4wxvndECGkfa1fdDdYI= +github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= +github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow= +github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM= github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= +github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk= +github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk= github.com/Shopify/sarama v1.34.1 h1:pVCQO7BMAK3s1jWhgi5v1W6lwZ6Veiekfc2vsgRS06Y= github.com/Shopify/sarama v1.34.1/go.mod h1:NZSNswsnStpq8TUdFaqnpXm2Do6KRzTIjdBdVlL1YRM= 
@@ -85,9 +92,13 @@ github.com/amit7itz/goset v1.2.1 h1:usFphDJfZgwnqfbKT8zI+2juuOgsZ6O8UA7NMRUVG7s= github.com/amit7itz/goset v1.2.1/go.mod h1:i8ni2YcxUMAwLBOkHWpy3glFviYdTcWqCvFgp91EMGI= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/apapsch/go-jsonmerge/v2 v2.0.0 h1:axGnT1gRIfimI7gJifB699GoE/oq+F2MU7Dml6nw9rQ= github.com/apapsch/go-jsonmerge/v2 v2.0.0/go.mod h1:lvDnEdqiQrp0O42VQGgmlKpxL1AP2+08jFMw88y4klk= +github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY= +github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q= github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= 
@@ -118,6 +129,8 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= +github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU= +github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= @@ -134,6 +147,8 @@ github.com/corona10/goimagehash v1.0.2/go.mod h1:/l9umBhvcHQXVtQO1V6Gp1yD20STawk github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= +github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo= +github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= 
@@ -147,8 +162,12 @@ github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 h1:YEetp8 github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21/go.mod h1:+020luEh2TKB4/GOp8oxxtq0Daoen/Cii55CzbTV6DU= github.com/eapache/queue v1.1.0 h1:YOEu7KNc61ntiQlcEeUIoDTJ2o8mQznoNvUhiigpIqc= github.com/eapache/queue v1.1.0/go.mod h1:6eCeP0CKFpHLu8blIFXhExK/dRa7WDZfr6jVFPTqq+I= +github.com/elazarl/goproxy v1.2.1 h1:njjgvO6cRG9rIqN2ebkqy6cQz2Njkx7Fsfv/zIZqgug= +github.com/elazarl/goproxy v1.2.1/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= +github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= 
@@ -174,6 +193,16 @@ github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyT github.com/getkin/kin-openapi v0.107.0 h1:bxhL6QArW7BXQj8NjXfIJQy680NsMKd25nwhvpCXchg= github.com/getkin/kin-openapi v0.107.0/go.mod h1:9Dhr+FasATJZjS4iOLvB0hkaxgYdulrNYm2e9epLWOo= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= +github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c= +github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI= +github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic= +github.com/go-git/go-billy/v5 v5.6.0 h1:w2hPNtoehvJIxR00Vb4xX94qHQi/ApZfX+nBE2Cjio8= +github.com/go-git/go-billy/v5 v5.6.0/go.mod h1:sFDq7xD3fn3E0GOwUSZqHo9lrkmx8xJhA0ZrfvjBRGM= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= +github.com/go-git/go-git/v5 v5.13.0 h1:vLn5wlGIh/X78El6r3Jr+30W16Blk0CTcxTYcYPWi5E= +github.com/go-git/go-git/v5 v5.13.0/go.mod h1:Wjo7/JyVKtQgUNdXYXIepzWfJQkUEIGvkvVkiXRR/zw= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= 
@@ -314,17 +343,29 @@ github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFb github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= +github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= +github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= +github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8= github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= +github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKeRZfjY= +github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k= github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM= +github.com/hashicorp/hc-install v0.9.1 h1:gkqTfE3vVbafGQo6VZXcy2v5yoz2bE0+nhZXruCuODQ= +github.com/hashicorp/hc-install v0.9.1/go.mod h1:pWWvN/IrfeBK4XPeXXYkL6EjMufHkCK5DvwxeLKuBf0= github.com/hashicorp/hcl v1.0.1-vault-3 
h1:V95v5KSTu6DB5huDSKiq4uAfILEuNigK/+qPET6H/Mg= github.com/hashicorp/hcl v1.0.1-vault-3/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= +github.com/hashicorp/terraform-exec v0.22.0 h1:G5+4Sz6jYZfRYUCg6eQgDsqTzkNXV+fP8l+uRmZHj64= +github.com/hashicorp/terraform-exec v0.22.0/go.mod h1:bjVbsncaeh8jVdhttWYZuBGj21FcYw6Ia/XfHcNO7lQ= +github.com/hashicorp/terraform-json v0.24.0 h1:rUiyF+x1kYawXeRth6fKFm/MdfBS6+lW4NbeATsYz8Q= +github.com/hashicorp/terraform-json v0.24.0/go.mod h1:Nfj5ubo9xbu9uiAoZVBsNOjvNKB66Oyrvtit74kC7ow= github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0= github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho= github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc= @@ -335,6 +376,8 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/invopop/yaml v0.1.0 h1:YW3WGUoJEXYfzWBjn00zIlrw7brGVD0fUKRYDPAPhrc= github.com/invopop/yaml v0.1.0/go.mod h1:2XuRLgs/ouIrW3XNzuNj7J3Nvu/Dig5MXvbCEdiBN3Q= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= +github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8= github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs= github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo= 
@@ -363,6 +406,8 @@ github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7V github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA= github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8= +github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= +github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.15.6/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU= @@ -425,8 +470,8 @@ github.com/nfnt/resize v0.0.0-20160724205520-891127d8d1b5 h1:BvoENQQU+fZ9uukda/R github.com/nfnt/resize v0.0.0-20160724205520-891127d8d1b5/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8= github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= -github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= -github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k= +github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY= github.com/oriser/regroup v0.0.0-20210730155327-fca8d7531263 h1:Qd1Ml+uEhpesT8Og0ysEhu5+DGhbhW+qxjapH8t1Kvs= github.com/oriser/regroup v0.0.0-20210730155327-fca8d7531263/go.mod h1:odkMeLkWS8G6+WP2z3Pn2vkzhPSvBtFhAUYTKXAtZMQ= github.com/otterize/intents-operator/src v0.0.0-20250210080526-406ad1b23e76 h1:41RHXhHzcrZrmEv5ymrNE7M7jxv/kus+/fPyTviR57s= 
@@ -437,6 +482,8 @@ github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZ github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4= github.com/pierrec/lz4/v4 v4.1.14 h1:+fL8AQEZtz/ijeNnpduH0bROTu0O3NZAlPjQxGn8LwE= github.com/pierrec/lz4/v4 v4.1.14/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= +github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= +github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -477,22 +524,25 @@ github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqn github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc= -github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= -github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= +github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/samber/lo v1.47.0 h1:z7RynLwP5nbyRscyvcD043DWYoOcYRv3mV8lBeqOCLc= github.com/samber/lo v1.47.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU= github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo= -github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8= -github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I= +github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8= +github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/sirupsen/logrus 
v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ= github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ= +github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY= +github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw= github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= @@ -539,6 +589,8 @@ github.com/vektah/gqlparser/v2 v2.5.22 h1:yaaeJ0fu+nv1vUMW0Hl+aS1eiv1vMfapBNjpff github.com/vektah/gqlparser/v2 v2.5.22/go.mod h1:xMl+ta8a5M1Yo1A1Iwt/k7gSpscwSnHZdw7tfhEGfTM= github.com/vishalkuo/bimap v0.0.0-20220726225509-e0b4f20de28b h1:Wrh+B5ZP52L9v5h9h3owZTzgotdbBd9sfirUbRmCWD4= github.com/vishalkuo/bimap v0.0.0-20220726225509-e0b4f20de28b/go.mod h1:dxXQNHjw3hAY1z8izMtjimf/IjtT/o7ZZezj7XI8Vy0= +github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= +github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI= github.com/xdg-go/scram v1.1.1/go.mod h1:RaEWvsqvNKKvBPvcKeFjrG2cJqOkHTiyTpzz23ni57g= github.com/xdg-go/stringprep v1.0.3/go.mod h1:W3f5j4i+9rC0kuIEJL0ky1VpHXQU3ocBgklLGvcBnW8= 
@@ -548,6 +600,8 @@ github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= +github.com/zclconf/go-cty v1.16.1 h1:a5TZEPzBFFR53udlIKApXzj8JIF4ZNQ6abH79z5R1S0= +github.com/zclconf/go-cty v1.16.1/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= @@ -574,6 +628,7 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= 
@@ -586,8 +641,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874 h1:kWC3b7j6Fu09SnEBr7P4PuQyM0R6sqyH9R+EjIvT1nQ= -golang.org/x/exp v0.0.0-20230124195608-d38c7dcee874/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= +golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/image v0.0.0-20200119044424-58c23975cae1/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= @@ -1074,6 +1129,8 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/square/go-jose.v2 v2.6.0 h1:NGk74WTnPKBNUhNzQX7PYcTLUjoq7mzKk2OKbvwk2iI= gopkg.in/square/go-jose.v2 v2.6.0/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= +gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME= +gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI= gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.3/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
diff --git a/src/cmd/groups/integrations.go b/src/cmd/groups/integrations.go new file mode 100644 index 00000000..c0e54226 --- /dev/null +++ b/src/cmd/groups/integrations.go @@ -0,0 +1,8 @@ +package groups + +import "github.com/spf13/cobra" + +var IntegrationsGroup = &cobra.Group{ + ID: "integrations", + Title: "Integrations Commands:", +} diff --git a/src/cmd/root.go b/src/cmd/root.go index 98d52b0c..0194f3df 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -14,6 +14,7 @@ import ( "github.com/otterize/otterize-cli/src/cmd/networkmapper" "github.com/otterize/otterize-cli/src/cmd/organizations" "github.com/otterize/otterize-cli/src/cmd/services" + "github.com/otterize/otterize-cli/src/cmd/terraform" "github.com/otterize/otterize-cli/src/cmd/users" "github.com/otterize/otterize-cli/src/cmd/version" "github.com/otterize/otterize-cli/src/pkg/config" @@ -126,6 +127,9 @@ func init() { RootCmd.AddCommand(accessgraph.AccessGraphCmd) RootCmd.AddCommand(clientintents.ClientIntentsCmd) + RootCmd.AddGroup(groups.IntegrationsGroup) + RootCmd.AddCommand(terraform.TerraformCmd) + RootCmd.AddGroup(groups.OSSGroup) RootCmd.AddCommand(networkmapper.MapperCmd) } diff --git a/src/cmd/terraform/get/get-resource-info.go b/src/cmd/terraform/get/get-resource-info.go new file mode 100644 index 00000000..d0a772d5 --- /dev/null +++ b/src/cmd/terraform/get/get-resource-info.go 
@@ -0,0 +1,61 @@
+package get
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ cloudclient "github.com/otterize/otterize-cli/src/pkg/cloudclient/restapi"
+ "github.com/otterize/otterize-cli/src/pkg/cloudclient/restapi/cloudapi"
+ "github.com/otterize/otterize-cli/src/pkg/config"
+ "github.com/otterize/otterize-cli/src/pkg/errors"
+ "github.com/otterize/otterize-cli/src/pkg/git"
+ "github.com/otterize/otterize-cli/src/pkg/utils/prints"
+ "github.com/spf13/cobra"
+)
+
+var GetResourceInfoCmd = &cobra.Command{
+ Use: "get-resource-info",
+ Short: "Queries Otterize Cloud for the given module's saved Terraform resource information",
+ SilenceUsage: true,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ workingDir, _ := cmd.Flags().GetString("tf-dir")
+
+ gitInfo, err := git.GetGitRepoInformation(workingDir)
+ if err != nil {
+ return errors.Errorf("error getting git information: %w", err)
+ }
+
+ ctxTimeout, cancel := context.WithTimeout(context.Background(), config.DefaultTimeout)
+ defer cancel()
+
+ c, err := cloudclient.NewClient(ctxTimeout)
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ resp, err := c.TerraformResourceByIdentityQueryWithResponse(ctxTimeout,
+ &cloudapi.TerraformResourceByIdentityQueryParams{
+ ModulePath: gitInfo.RelativePath,
+ GitOriginUrl: gitInfo.OriginUrl,
+ GitCommitHash: gitInfo.Commit,
+ },
+ )
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ prints.PrintCliOutput("Resources found for current tfmodule:")
+ var prettyJSON bytes.Buffer
+ err = json.Indent(&prettyJSON, resp.Body, "", " ")
+ if err != nil {
+ return errors.Wrap(err)
+ }
+ prints.PrintCliOutput(prettyJSON.String())
+
+ return nil
+ },
+}
+
+func init() {
+ GetResourceInfoCmd.PersistentFlags().String("tf-dir", "", "Specifies the path of the Terraform module to be analyzed. If not specified, autodetects the path.")
+}
diff --git a/src/cmd/terraform/terraform.go b/src/cmd/terraform/terraform.go
new file mode 100644
index 00000000..3977be93
--- /dev/null
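Review bot: The HTTP status of the query response is never checked before `resp.Body` is printed under "Resources found for current tfmodule:", so a non-2xx reply from the cloud API (an expired credential or an unknown module, for instance) is presented as a successful lookup, and when the error body is not JSON `json.Indent` turns it into an unrelated "invalid character" error. Assuming the generated response type exposes the status as oapi-codegen clients do, add `if resp.StatusCode() != http.StatusOK { return errors.Errorf("querying terraform resource info: unexpected status %d: %s", resp.StatusCode(), resp.Body) }` right after the request's `err` check, with `net/http` imported. The same unchecked-status pattern appears in `reportTerraformResourcesToCloud` in upload-resource-info.go, where the mutation response is discarded entirely and a rejected upload is reported as "Resources reported:".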
+++ b/src/cmd/terraform/terraform.go
@@ -0,0 +1,26 @@
+package terraform
+
+import (
+ "github.com/otterize/otterize-cli/src/cmd/groups"
+ "github.com/otterize/otterize-cli/src/cmd/terraform/get"
+ "github.com/otterize/otterize-cli/src/cmd/terraform/upload"
+ "github.com/otterize/otterize-cli/src/pkg/cloudclient"
+ "github.com/spf13/cobra"
+)
+
+var debug bool
+
+var TerraformCmd = &cobra.Command{
+ Use: "terraform",
+ GroupID: groups.IntegrationsGroup.ID,
+ Aliases: []string{"terraform", "tf"},
+ Short: "Terraform Integration",
+}
+
+func init() {
+ cloudclient.RegisterAPIFlags(TerraformCmd)
+ TerraformCmd.PersistentFlags().BoolVar(&debug, "dry-run", false, "Simulate the command without making any requests to Otterize Cloud")
+
+ TerraformCmd.AddCommand(get.GetResourceInfoCmd)
+ TerraformCmd.AddCommand(upload.UploadResourceInfoCmd)
+}
diff --git a/src/cmd/terraform/upload/upload-resource-info.go b/src/cmd/terraform/upload/upload-resource-info.go
new file mode 100644
index 00000000..2bcbe1ed
--- /dev/null
+++ b/src/cmd/terraform/upload/upload-resource-info.go
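Review bot: The package-level `var debug bool` is bound to the `dry-run` flag, so its name describes something other than what it holds, and nothing in this file or the subcommands reads it (upload-resource-info.go re-reads the flag by name with `cmd.Flags().GetBool("dry-run")`). Either rename it to `dryRun` or drop the variable and register the flag as `TerraformCmd.PersistentFlags().Bool("dry-run", false, "Simulate the command without making any requests to Otterize Cloud")`. Separately, `Aliases: []string{"terraform", "tf"}` repeats the `Use` name, which cobra already matches; `Aliases: []string{"tf"}` is enough.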
@@ -0,0 +1,101 @@
+package upload
+
+import (
+ "context"
+ "encoding/json"
+ cloudclient "github.com/otterize/otterize-cli/src/pkg/cloudclient/restapi"
+ "github.com/otterize/otterize-cli/src/pkg/cloudclient/restapi/cloudapi"
+ "github.com/otterize/otterize-cli/src/pkg/config"
+ "github.com/otterize/otterize-cli/src/pkg/errors"
+ "github.com/otterize/otterize-cli/src/pkg/git"
+ "github.com/otterize/otterize-cli/src/pkg/terraform"
+ "github.com/otterize/otterize-cli/src/pkg/utils/prints"
+ "github.com/samber/lo"
+ "github.com/spf13/cobra"
+)
+
+var UploadResourceInfoCmd = &cobra.Command{
+ Use: "upload-resource-info",
+ Short: "Creates a mapping between Terraform-configured AWS IAM roles and policies and their actual ARNs on AWS based on the Terraform state, and uploads it to Otterize Cloud",
+ SilenceUsage: true,
+ RunE: func(cmd *cobra.Command, args []string) error {
+ ctxTimeout, cancel := context.WithTimeout(context.Background(), config.DefaultTimeout)
+ defer cancel()
+
+ dryRun, _ := cmd.Flags().GetBool("dry-run")
+ workingDir, _ := cmd.Flags().GetString("tf-dir")
+
+ tfClient, err := terraform.GetTerraformClient(workingDir)
+ if err != nil {
+ return errors.Errorf("error initializing terraform client: %w", err)
+ }
+
+ state, err := tfClient.Show(ctxTimeout)
+ if err != nil {
+ return errors.Errorf("error pulling Terraform state: %w", err)
+ }
+
+ gitInfo, err := git.GetGitRepoInformation(workingDir)
+ if err != nil {
+ return errors.Errorf("error getting git information: %w", err)
+ }
+
+ terraformIamInfo := terraform.TerraformResourceInfo{}
+ terraformIamInfo.AwsRoles, err = terraform.ExtractAwsRoleAndPolicies(state)
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ // Generate the resource info
+ awsRoles := lo.Map(terraformIamInfo.AwsRoles, func(info terraform.AwsRoleInfo, _ int) map[string]interface{} {
+ return info.ToMap()
+ })
+ resourceInfo := cloudapi.InputTerraformResourceInfo{
+ AwsRoles: &awsRoles,
+ ModulePath: gitInfo.RelativePath,
+ GitOriginUrl: gitInfo.OriginUrl,
+ GitCommitHash: gitInfo.Commit,
+ }
+
+ if !dryRun {
+ prints.PrintCliOutput("Uploading Terraform AWS role & policy information to Otterize Cloud...")
+ err := reportTerraformResourcesToCloud(ctxTimeout, resourceInfo)
+ if err != nil {
+ return errors.Wrap(err)
+ }
+ } else {
+ prints.PrintCliOutput("Dry run enabled: not uploading data to Otterize Cloud")
+ }
+
+ prints.PrintCliOutput("Resources reported:")
+ jsonData, err := json.MarshalIndent(resourceInfo, "", " ")
+ if err != nil {
+ return errors.Wrap(err)
+ }
+ prints.PrintCliOutput(string(jsonData))
+
+ return nil
+ },
+}
+
+func reportTerraformResourcesToCloud(ctx context.Context, resourceInfo cloudapi.InputTerraformResourceInfo) error {
+ c, err := cloudclient.NewClient(ctx)
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ _, err = c.ReportTerraformResourcesMutationWithResponse(ctx,
+ cloudapi.ReportTerraformResourcesMutationJSONRequestBody{
+ ResourceInfo: resourceInfo,
+ },
+ )
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ return nil
+}
+
+func init() {
+ UploadResourceInfoCmd.PersistentFlags().String("tf-dir", "", "Manually specify the terraform module location")
+}
diff --git a/src/data/aws/aws-policies.json b/src/data/aws/aws-policies.json
new file mode 100644
index 00000000..7236f81d
--- /dev/null
+++ b/src/data/aws/aws-policies.json
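Review bot: `GitOriginUrl: gitInfo.OriginUrl` is placed in the upload payload verbatim, and git remote URLs for http(s) origins can carry embedded credentials in the userinfo part (`https://user:token@host/org/repo.git` is a common form); unless `git.GetGitRepoInformation` (not in this diff) already strips that part, those credentials leave the machine with every upload, and the same field is sent by the get-resource-info query. Normalising http(s) origins before they reach the payload — parse with `net/url`, set `u.User = nil`, use `u.String()` — closes that gap, and the git helper is the natural place so both commands benefit. A smaller point: in the dry-run branch the output still says `"Resources reported:"` although nothing was uploaded; a wording such as `"Resources that would be reported:"` for that case keeps the CLI output honest. Both `reportTerraformResourcesToCloud` and the command definition are complete within this hunk.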
@@ -0,0 +1,1337 @@ +[ + "arn:aws:iam::aws:policy/AdministratorAccess", + "arn:aws:iam::aws:policy/PowerUserAccess", + "arn:aws:iam::aws:policy/ReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCloudFormationReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudFrontFullAccess", + "arn:aws:iam::aws:policy/AWSCloudHSMFullAccess", + "arn:aws:iam::aws:policy/AWSCloudHSMReadOnlyAccess", + "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorFullAccess", + "arn:aws:iam::aws:policy/ResourceGroupsandTagEditorReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudSearchFullAccess", + "arn:aws:iam::aws:policy/CloudSearchReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudWatchFullAccess", + "arn:aws:iam::aws:policy/CloudWatchReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess", + "arn:aws:iam::aws:policy/CloudWatchLogsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSDirectConnectFullAccess", + "arn:aws:iam::aws:policy/AWSDirectConnectReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonAppStreamFullAccess", + "arn:aws:iam::aws:policy/AmazonAppStreamReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess", + "arn:aws:iam::aws:policy/AmazonDynamoDBReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccesswithDataPipeline", + "arn:aws:iam::aws:policy/AmazonEC2FullAccess", + "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElastiCacheFullAccess", + "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElasticMapReduceFullAccess", + "arn:aws:iam::aws:policy/AmazonElasticMapReduceReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonGlacierReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonGlacierFullAccess", + "arn:aws:iam::aws:policy/AmazonKinesisFullAccess", + "arn:aws:iam::aws:policy/AmazonKinesisReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceRead-only", + "arn:aws:iam::aws:policy/AWSMarketplaceManageSubscriptions", + 
"arn:aws:iam::aws:policy/AmazonMobileAnalyticsFullAccess", + "arn:aws:iam::aws:policy/AmazonMobileAnalyticsFinancialReportAccess", + "arn:aws:iam::aws:policy/AmazonMobileAnalyticsNon-financialReportAccess", + "arn:aws:iam::aws:policy/AmazonMobileAnalyticsWriteOnlyAccess", + "arn:aws:iam::aws:policy/IAMFullAccess", + "arn:aws:iam::aws:policy/IAMReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSKeyManagementServicePowerUser", + "arn:aws:iam::aws:policy/AmazonWorkMailFullAccess", + "arn:aws:iam::aws:policy/AmazonWorkMailReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSImportExportReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSImportExportFullAccess", + "arn:aws:iam::aws:policy/AWSLambdaExecute", + "arn:aws:iam::aws:policy/AWSLambdaInvocation-DynamoDB", + "arn:aws:iam::aws:policy/AmazonRedshiftFullAccess", + "arn:aws:iam::aws:policy/AmazonRedshiftReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRDSFullAccess", + "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53FullAccess", + "arn:aws:iam::aws:policy/AmazonRoute53ReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53DomainsFullAccess", + "arn:aws:iam::aws:policy/AmazonRoute53DomainsReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonS3FullAccess", + "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", + "arn:aws:iam::aws:policy/SecurityAudit", + "arn:aws:iam::aws:policy/AmazonSESFullAccess", + "arn:aws:iam::aws:policy/AmazonSESReadOnlyAccess", + "arn:aws:iam::aws:policy/SimpleWorkflowFullAccess", + "arn:aws:iam::aws:policy/AmazonSNSFullAccess", + "arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonSQSFullAccess", + "arn:aws:iam::aws:policy/AmazonSQSReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSStorageGatewayFullAccess", + "arn:aws:iam::aws:policy/AWSStorageGatewayReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSSupportAccess", + "arn:aws:iam::aws:policy/AWSDirectoryServiceFullAccess", + "arn:aws:iam::aws:policy/AWSDirectoryServiceReadOnlyAccess", + 
"arn:aws:iam::aws:policy/AmazonZocaloFullAccess", + "arn:aws:iam::aws:policy/AmazonZocaloReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonVPCFullAccess", + "arn:aws:iam::aws:policy/AmazonVPCReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSAccountActivityAccess", + "arn:aws:iam::aws:policy/AWSAccountUsageReportAccess", + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole", + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforEC2Role", + "arn:aws:iam::aws:policy/service-role/AutoScalingNotificationAccessRole", + "arn:aws:iam::aws:policy/service-role/AWSCloudHSMRole", + "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforDataPipelineRole", + "arn:aws:iam::aws:policy/service-role/AmazonElasticTranscoderRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaRole", + "arn:aws:iam::aws:policy/service-role/RDSCloudHsmAuthorizationRole", + "arn:aws:iam::aws:policy/service-role/AmazonSNSRole", + "arn:aws:iam::aws:policy/AWSConnector", + "arn:aws:iam::aws:policy/AWSMarketplaceFullAccess", + "arn:aws:iam::aws:policy/AWSConfigUserAccess", + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", + "arn:aws:iam::aws:policy/AmazonCognitoReadOnly", + "arn:aws:iam::aws:policy/AmazonCognitoPowerUser", + "arn:aws:iam::aws:policy/AmazonCognitoDeveloperAuthenticatedIdentities", + "arn:aws:iam::aws:policy/AmazonWorkSpacesApplicationManagerAdminAccess", + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaDynamoDBExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaKinesisExecutionRole", + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole", + "arn:aws:iam::aws:policy/AmazonMachineLearningBatchPredictionsAccess", + "arn:aws:iam::aws:policy/AmazonMachineLearningCreateOnlyAccess", + "arn:aws:iam::aws:policy/AmazonMachineLearningFullAccess", + "arn:aws:iam::aws:policy/AmazonMachineLearningManageRealTimeEndpointOnlyAccess", + 
"arn:aws:iam::aws:policy/AmazonMachineLearningReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonMachineLearningRealTimePredictionOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRole", + "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeploy", + "arn:aws:iam::aws:policy/AWSCodeDeployFullAccess", + "arn:aws:iam::aws:policy/AWSCodeDeployDeployerAccess", + "arn:aws:iam::aws:policy/AWSCodeDeployReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemFullAccess", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonSSMFullAccess", + "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM", + "arn:aws:iam::aws:policy/CloudWatchActionsEC2Access", + "arn:aws:iam::aws:policy/AWSCodePipelineCustomActionAccess", + "arn:aws:iam::aws:policy/AWSCodeCommitFullAccess", + "arn:aws:iam::aws:policy/AWSCodeCommitReadOnly", + "arn:aws:iam::aws:policy/AWSCodeCommitPowerUser", + "arn:aws:iam::aws:policy/IAMUserSSHKeys", + "arn:aws:iam::aws:policy/AmazonAPIGatewayAdministrator", + "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess", + "arn:aws:iam::aws:policy/AWSDeviceFarmFullAccess", + "arn:aws:iam::aws:policy/AmazonDRSVPCManagement", + "arn:aws:iam::aws:policy/service-role/VMImportExportRoleForAWSConnector", + "arn:aws:iam::aws:policy/AmazonWorkSpacesAdmin", + "arn:aws:iam::aws:policy/AmazonESFullAccess", + "arn:aws:iam::aws:policy/AmazonESReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSWAFReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSWAFFullAccess", + "arn:aws:iam::aws:policy/AmazonInspectorReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonInspectorFullAccess", + "arn:aws:iam::aws:policy/AmazonKinesisFirehoseReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonKinesisFirehoseFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSIoTRuleActions", + "arn:aws:iam::aws:policy/service-role/AWSIoTLogging", + 
"arn:aws:iam::aws:policy/AWSIoTFullAccess", + "arn:aws:iam::aws:policy/AWSIoTDataAccess", + "arn:aws:iam::aws:policy/AWSIoTConfigAccess", + "arn:aws:iam::aws:policy/AWSIoTConfigReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRDS", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightDescribeRedshift", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightListIAM", + "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole", + "arn:aws:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs", + "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole", + "arn:aws:iam::aws:policy/AmazonMechanicalTurkFullAccess", + "arn:aws:iam::aws:policy/AmazonMechanicalTurkReadOnly", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPowerUser", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryFullAccess", + "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole", + "arn:aws:iam::aws:policy/CloudWatchEventsReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/CloudWatchEventsBuiltInTargetExecutionAccess", + "arn:aws:iam::aws:policy/service-role/CloudWatchEventsInvocationAccess", + "arn:aws:iam::aws:policy/CloudWatchEventsFullAccess", + "arn:aws:iam::aws:policy/AWSCertificateManagerFullAccess", + "arn:aws:iam::aws:policy/AWSCertificateManagerReadOnly", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkWebTier", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkWorkerTier", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkMulticontainerDocker", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkEnhancedHealth", + "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole", + "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceMeteringFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole", + 
"arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkService", + "arn:aws:iam::aws:policy/service-role/AmazonDMSRedshiftS3Role", + "arn:aws:iam::aws:policy/AWSApplicationDiscoveryServiceFullAccess", + "arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentAccess", + "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole", + "arn:aws:iam::aws:policy/AWSOpsWorksInstanceRegistration", + "arn:aws:iam::aws:policy/AWSCodePipelineApproverAccess", + "arn:aws:iam::aws:policy/AWSAgentlessDiscoveryService", + "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetAutoscaleRole", + "arn:aws:iam::aws:policy/AmazonKinesisAnalyticsReadOnly", + "arn:aws:iam::aws:policy/AmazonKinesisAnalyticsFullAccess", + "arn:aws:iam::aws:policy/ServerMigrationConnector", + "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess", + "arn:aws:iam::aws:policy/job-function/SupportUser", + "arn:aws:iam::aws:policy/job-function/SystemAdministrator", + "arn:aws:iam::aws:policy/job-function/DatabaseAdministrator", + "arn:aws:iam::aws:policy/job-function/DataScientist", + "arn:aws:iam::aws:policy/job-function/NetworkAdministrator", + "arn:aws:iam::aws:policy/job-function/Billing", + "arn:aws:iam::aws:policy/IAMUserChangePassword", + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceforAutoScalingRole", + "arn:aws:iam::aws:policy/service-role/AmazonAppStreamServiceAccess", + "arn:aws:iam::aws:policy/AWSOpsWorksCMInstanceProfileRole", + "arn:aws:iam::aws:policy/service-role/AWSOpsWorksCMServiceRole", + "arn:aws:iam::aws:policy/AmazonRekognitionFullAccess", + "arn:aws:iam::aws:policy/AmazonRekognitionReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonAthenaFullAccess", + "arn:aws:iam::aws:policy/AmazonPollyFullAccess", + "arn:aws:iam::aws:policy/AmazonPollyReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole", + "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess", + "arn:aws:iam::aws:policy/AWSXrayReadOnlyAccess", + 
"arn:aws:iam::aws:policy/AWSXrayFullAccess", + "arn:aws:iam::aws:policy/AWSCodeBuildDeveloperAccess", + "arn:aws:iam::aws:policy/AWSCodeBuildReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess", + "arn:aws:iam::aws:policy/service-role/AmazonSSMAutomationRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaENIManagementAccess", + "arn:aws:iam::aws:policy/AWSHealthFullAccess", + "arn:aws:iam::aws:policy/AWSBatchFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSBatchServiceRole", + "arn:aws:iam::aws:policy/service-role/AWSQuicksightAthenaAccess", + "arn:aws:iam::aws:policy/IAMSelfManageServiceSpecificCredentials", + "arn:aws:iam::aws:policy/AWSStepFunctionsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSStepFunctionsFullAccess", + "arn:aws:iam::aws:policy/AWSStepFunctionsConsoleFullAccess", + "arn:aws:iam::aws:policy/AutoScalingFullAccess", + "arn:aws:iam::aws:policy/AutoScalingReadOnlyAccess", + "arn:aws:iam::aws:policy/AutoScalingConsoleFullAccess", + "arn:aws:iam::aws:policy/AutoScalingConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSDataPipeline_FullAccess", + "arn:aws:iam::aws:policy/AWSDataPipeline_PowerUser", + "arn:aws:iam::aws:policy/service-role/ApplicationAutoScalingForAmazonAppStreamAccess", + "arn:aws:iam::aws:policy/service-role/AWSGreengrassResourceAccessRolePolicy", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkCustomPlatformforEC2Role", + "arn:aws:iam::aws:policy/AmazonCloudDirectoryFullAccess", + "arn:aws:iam::aws:policy/AmazonCloudDirectoryReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceGetEntitlements", + "arn:aws:iam::aws:policy/AWSOpsWorksCloudWatchLogs", + "arn:aws:iam::aws:policy/AmazonLexRunBotsOnly", + "arn:aws:iam::aws:policy/AmazonLexReadOnly", + "arn:aws:iam::aws:policy/AmazonLexFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSCodeStarServiceRole", + "arn:aws:iam::aws:policy/AWSCodeStarFullAccess", + "arn:aws:iam::aws:policy/AWSGreengrassFullAccess", + 
"arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole", + "arn:aws:iam::aws:policy/service-role/QuickSightAccessForS3StorageManagementAnalyticsReadOnly", + "arn:aws:iam::aws:policy/service-role/AmazonEC2SpotFleetTaggingRole", + "arn:aws:iam::aws:policy/aws-service-role/AmazonElasticsearchServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations", + "arn:aws:iam::aws:policy/AmazonSSMAutomationApproverAccess", + "arn:aws:iam::aws:policy/service-role/AWSMigrationHubDiscoveryAccess", + "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole", + "arn:aws:iam::aws:policy/AWSGlueConsoleFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSGlueServiceNotebookRole", + "arn:aws:iam::aws:policy/service-role/AWSMigrationHubSMSAccess", + "arn:aws:iam::aws:policy/service-role/AWSMigrationHubDMSAccess", + "arn:aws:iam::aws:policy/AWSMigrationHubFullAccess", + "arn:aws:iam::aws:policy/service-role/AmazonMacieServiceRole", + "arn:aws:iam::aws:policy/AmazonMacieFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticBeanstalkServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRedshiftServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticLoadBalancingServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticLoadBalancingClassicServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSEnhancedClassicNetworkingMangementPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEMRCleanupPolicy", + "arn:aws:iam::aws:policy/aws-service-role/LexChannelPolicy", + "arn:aws:iam::aws:policy/aws-service-role/LexBotPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSLambdaReplicator", + "arn:aws:iam::aws:policy/aws-service-role/AWSOrganizationsServiceTrustPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForEC2ScheduledInstances", + 
"arn:aws:iam::aws:policy/aws-service-role/AmazonECSServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingRDSClusterPolicy", + "arn:aws:iam::aws:policy/aws-service-role/APIGatewayServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingAppStreamFleetPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingDynamoDBTablePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSEC2SpotFleetServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingEC2SpotFleetRequestPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingECSServicePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingEMRInstanceGroupPolicy", + "arn:aws:iam::aws:policy/AmazonChimeReadOnly", + "arn:aws:iam::aws:policy/AmazonChimeFullAccess", + "arn:aws:iam::aws:policy/AmazonChimeUserManagement", + "arn:aws:iam::aws:policy/aws-service-role/CloudHSMServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonECS_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/DynamoDBReplicationServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonSSMServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/CloudWatchEventsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonInspectorServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSPriceListServiceFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambda", + "arn:aws:iam::aws:policy/AmazonMQFullAccess", + "arn:aws:iam::aws:policy/AmazonMQReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonGuardDutyReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonGuardDutyFullAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerReadOnly", + "arn:aws:iam::aws:policy/AmazonSageMakerFullAccess", + 
"arn:aws:iam::aws:policy/AmazonFreeRTOSFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSDeepLensServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSDeepLensLambdaFunctionAccessPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonRekognitionServiceRole", + "arn:aws:iam::aws:policy/AWSQuickSightIoTAnalyticsAccess", + "arn:aws:iam::aws:policy/ComprehendFullAccess", + "arn:aws:iam::aws:policy/ComprehendReadOnly", + "arn:aws:iam::aws:policy/service-role/GreengrassOTAUpdateArtifactAccess", + "arn:aws:iam::aws:policy/TranslateReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/AWSCloud9ServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSCloud9User", + "arn:aws:iam::aws:policy/AWSCloud9Administrator", + "arn:aws:iam::aws:policy/AWSCloud9EnvironmentMember", + "arn:aws:iam::aws:policy/AlexaForBusinessFullAccess", + "arn:aws:iam::aws:policy/AlexaForBusinessReadOnlyAccess", + "arn:aws:iam::aws:policy/AlexaForBusinessDeviceSetup", + "arn:aws:iam::aws:policy/AlexaForBusinessGatewayExecution", + "arn:aws:iam::aws:policy/service-role/AWSIoTThingsRegistration", + "arn:aws:iam::aws:policy/AmazonKinesisVideoStreamsReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonKinesisVideoStreamsFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/ElastiCacheServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSIoTOTAUpdate", + "arn:aws:iam::aws:policy/AWSElementalMediaPackageFullAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaPackageReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AutoScalingServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonRoute53AutoNamingReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53AutoNamingFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingSageMakerEndpointPolicy", + "arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess", + 
"arn:aws:iam::aws:policy/AWSServiceCatalogEndUserFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonESCognitoAccess", + "arn:aws:iam::aws:policy/service-role/AWSBatchServiceEventTargetRole", + "arn:aws:iam::aws:policy/aws-service-role/DAXServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSElementalMediaStoreFullAccess", + "arn:aws:iam::aws:policy/CloudWatchAgentAdminPolicy", + "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy", + "arn:aws:iam::aws:policy/AWSResourceGroupsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaStoreReadOnly", + "arn:aws:iam::aws:policy/AmazonRoute53AutoNamingRegistrantAccess", + "arn:aws:iam::aws:policy/service-role/AWSConfigRoleForOrganizations", + "arn:aws:iam::aws:policy/AWSAppSyncAdministrator", + "arn:aws:iam::aws:policy/AWSAppSyncSchemaAuthor", + "arn:aws:iam::aws:policy/AWSAppSyncInvokeFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSEC2FleetServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/FMSServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonTranscribeReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonTranscribeFullAccess", + "arn:aws:iam::aws:policy/SecretsManagerReadWrite", + "arn:aws:iam::aws:policy/service-role/AWSAppSyncPushToCloudWatchLogs", + "arn:aws:iam::aws:policy/service-role/AWSArtifactAccountSync", + "arn:aws:iam::aws:policy/AmazonElasticTranscoder_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRDSBetaServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSFMAdminFullAccess", + "arn:aws:iam::aws:policy/AWSFMAdminReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSFMMemberReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoT1ClickReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoT1ClickFullAccess", + "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy", + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + "arn:aws:iam::aws:policy/AmazonEKSServicePolicy", + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", + 
"arn:aws:iam::aws:policy/NeptuneReadOnlyAccess", + "arn:aws:iam::aws:policy/NeptuneFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSConfigServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRDSPreviewServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoScalingCustomResourcePolicy", + "arn:aws:iam::aws:policy/service-role/AWSShieldDRTAccessPolicy", + "arn:aws:iam::aws:policy/AmazonElasticTranscoder_ReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElasticTranscoder_JobsSubmitter", + "arn:aws:iam::aws:policy/aws-service-role/AWSCloudFrontLogger", + "arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole", + "arn:aws:iam::aws:policy/AWSIoTAnalyticsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoTAnalyticsFullAccess", + "arn:aws:iam::aws:policy/NeptuneConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonMacieServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSElementalMediaConvertReadOnly", + "arn:aws:iam::aws:policy/AWSElementalMediaConvertFullAccess", + "arn:aws:iam::aws:policy/AWSSSOReadOnly", + "arn:aws:iam::aws:policy/AWSSSOMasterAccountAdministrator", + "arn:aws:iam::aws:policy/AWSSSOMemberAccountAdministrator", + "arn:aws:iam::aws:policy/service-role/AmazonMacieHandshakeRole", + "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRole", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAudit", + "arn:aws:iam::aws:policy/AWSMarketplaceImageBuildFullAccess", + "arn:aws:iam::aws:policy/AWSDiscoveryContinuousExportFirehosePolicy", + "arn:aws:iam::aws:policy/aws-service-role/ApplicationDiscoveryServiceContinuousExportServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSAutoScalingPlansEC2AutoScalingPolicy", + "arn:aws:iam::aws:policy/aws-service-role/WAFRegionalLoggingServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/WAFLoggingServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonFreeRTOSOTAUpdate", + 
"arn:aws:iam::aws:policy/AWSXRayDaemonWriteAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonConnectServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/ElasticLoadBalancingReadOnly", + "arn:aws:iam::aws:policy/ElasticLoadBalancingFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/LightsailExportAccess", + "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditor", + "arn:aws:iam::aws:policy/AWSGlueConsoleSageMakerNotebookFullAccess", + "arn:aws:iam::aws:policy/AmazonConnectReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCertificateManagerPrivateCAAuditor", + "arn:aws:iam::aws:policy/AWSCertificateManagerPrivateCAUser", + "arn:aws:iam::aws:policy/AWSCertificateManagerPrivateCAFullAccess", + "arn:aws:iam::aws:policy/AWSCertificateManagerPrivateCAReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/CloudTrailServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSGreengrassReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSSSODirectoryReadOnly", + "arn:aws:iam::aws:policy/AWSSSODirectoryAdministrator", + "arn:aws:iam::aws:policy/AWSOrganizationsFullAccess", + "arn:aws:iam::aws:policy/AWSOrganizationsReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForIoTSiteWise", + "arn:aws:iam::aws:policy/aws-service-role/AWSResourceAccessManagerServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSKeyManagementServiceCustomKeyStoresServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/KafkaServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceEditorsRole", + "arn:aws:iam::aws:policy/AmazonRDSDataFullAccess", + "arn:aws:iam::aws:policy/AWSRoboMakerReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSRoboMakerServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSRoboMakerServicePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSVPCTransitGatewayServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerServiceRolePolicy", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMasterAccountRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerMemberAccountRolePolicy", + "arn:aws:iam::aws:policy/service-role/ServerMigrationServiceLaunchRole", + "arn:aws:iam::aws:policy/GlobalAcceleratorReadOnlyAccess", + "arn:aws:iam::aws:policy/GlobalAcceleratorFullAccess", + "arn:aws:iam::aws:policy/AWSPrivateMarketplaceAdminFullAccess", + "arn:aws:iam::aws:policy/ComprehendMedicalFullAccess", + "arn:aws:iam::aws:policy/AWSCodeDeployRoleForECS", + "arn:aws:iam::aws:policy/AWSCodeDeployRoleForECSLimited", + "arn:aws:iam::aws:policy/TranslateFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSSecurityHubServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSSecurityHubFullAccess", + "arn:aws:iam::aws:policy/AWSSecurityHubReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonFSxServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/FSxDeleteServiceLinkedRoleAccess", + "arn:aws:iam::aws:policy/AmazonFSxReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonFSxFullAccess", + "arn:aws:iam::aws:policy/AmazonFSxConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonFSxConsoleFullAccess", + "arn:aws:iam::aws:policy/AmazonTextractFullAccess", + "arn:aws:iam::aws:policy/service-role/AmazonTextractServiceRole", + "arn:aws:iam::aws:policy/AWSCloudMapReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCloudMapFullAccess", + "arn:aws:iam::aws:policy/AWSCloudMapDiscoverInstanceAccess", + "arn:aws:iam::aws:policy/AWSCloudMapRegisterInstanceAccess", + "arn:aws:iam::aws:policy/WellArchitectedConsoleFullAccess", + "arn:aws:iam::aws:policy/WellArchitectedConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/CloudwatchApplicationInsightsServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AWSIoTSiteWiseFullAccess", + "arn:aws:iam::aws:policy/AWSIoTSiteWiseReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AmazonPersonalizeFullAccess", + 
"arn:aws:iam::aws:policy/aws-service-role/ClientVPNServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonMQApiReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonMQApiFullAccess", + "arn:aws:iam::aws:policy/AmazonDocDBFullAccess", + "arn:aws:iam::aws:policy/AmazonDocDBReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonDocDBConsoleFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForBackup", + "arn:aws:iam::aws:policy/AWSIoTEventsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoTEventsFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticBeanstalkMaintenance", + "arn:aws:iam::aws:policy/service-role/AWSBackupServiceRolePolicyForRestores", + "arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess", + "arn:aws:iam::aws:policy/AmazonMSKFullAccess", + "arn:aws:iam::aws:policy/AmazonMSKReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonForecastFullAccess", + "arn:aws:iam::aws:policy/AWSDataSyncReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSDataSyncFullAccess", + "arn:aws:iam::aws:policy/WorkLinkServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSDeepRacerServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSDeepRacerCloudFormationAccessPolicy", + "arn:aws:iam::aws:policy/AWSDeepRacerRoboMakerAccessPolicy", + "arn:aws:iam::aws:policy/service-role/ComprehendDataAccessRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AlexaForBusinessNetworkProfileServicePolicy", + "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore", + "arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonCognitoIdpEmailServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSIQFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSGlobalAcceleratorSLRPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonWorkMailEventsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSAppMeshFullAccess", + "arn:aws:iam::aws:policy/AWSAppMeshReadOnly", + 
"arn:aws:iam::aws:policy/AmazonManagedBlockchainConsoleFullAccess", + "arn:aws:iam::aws:policy/AmazonManagedBlockchainFullAccess", + "arn:aws:iam::aws:policy/AmazonManagedBlockchainReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSDenyAll", + "arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonRoute53ResolverFullAccess", + "arn:aws:iam::aws:policy/AmazonRoute53ResolverReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoTSiteWiseConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSAppMeshServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSResourceAccessManagerFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/MigrationHubServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/MigrationHubDMSAccessServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/MigrationHubSMSAccessServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSConfigMultiAccountSetupPolicy", + "arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI_OnPremises", + "arn:aws:iam::aws:policy/AWSOpsWorksRegisterCLI_EC2", + "arn:aws:iam::aws:policy/aws-service-role/AWSConfigRemediationServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSAppMeshPreviewServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSCertificateManagerPrivateCAPrivilegedUser", + "arn:aws:iam::aws:policy/aws-service-role/LakeFormationDataAccessServiceRolePolicy", + "arn:aws:iam::aws:policy/IAMAccessAdvisorReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/ServiceQuotasServiceRolePolicy", + "arn:aws:iam::aws:policy/ServiceQuotasReadOnlyAccess", + "arn:aws:iam::aws:policy/ServiceQuotasFullAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceProcurementSystemAdminFullAccess", + "arn:aws:iam::aws:policy/EC2InstanceConnect", + "arn:aws:iam::aws:policy/AmazonWorkSpacesServiceAccess", + "arn:aws:iam::aws:policy/AmazonWorkSpacesSelfServiceAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceSellerFullAccess", + 
"arn:aws:iam::aws:policy/AWSMarketplaceSellerProductsFullAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceSellerProductsReadOnly", + "arn:aws:iam::aws:policy/AWSAppMeshEnvoyAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgeReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgeFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/CloudWatch-CrossAccountAccess", + "arn:aws:iam::aws:policy/CloudWatchAutomaticDashboardsAccess", + "arn:aws:iam::aws:policy/aws-service-role/ConfigConformsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSCloudFormationFullAccess", + "arn:aws:iam::aws:policy/ElementalAppliancesSoftwareFullAccess", + "arn:aws:iam::aws:policy/AWSAppMeshPreviewEnvoyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSVPCS2SVpnServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForSMS", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderEnableIoTLoggingMitigationAction", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderPublishFindingsToSNSMitigationAction", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderReplaceDefaultPolicyMitigationAction", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderUpdateCACertMitigationAction", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderUpdateDeviceCertMitigationAction", + "arn:aws:iam::aws:policy/service-role/AWSIoTDeviceDefenderAddThingsToThingGroupMitigationAction", + "arn:aws:iam::aws:policy/AWSLakeFormationDataAdmin", + "arn:aws:iam::aws:policy/aws-service-role/AWSIQContractServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSIQPermissionServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonQLDBReadOnly", + "arn:aws:iam::aws:policy/AmazonQLDBFullAccess", + "arn:aws:iam::aws:policy/AmazonQLDBConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonChimeVoiceConnectorServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonChimeServiceRolePolicy", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForLogDeliveryPolicy", + "arn:aws:iam::aws:policy/AlexaForBusinessPolyDelegatedAccessPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonSageMakerNotebooksServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingLambdaConcurrencyPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSSystemsManagerAccountDiscoveryServicePolicy", + "arn:aws:iam::aws:policy/AWSServiceCatalogEndUserReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSServiceCatalogAdminReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSPrivateMarketplaceRequests", + "arn:aws:iam::aws:policy/AWSForWordPressPluginPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSCodeStarNotificationsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonElasticFileSystemServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSSavingsPlansFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/WAFV2LoggingServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonEKSNodegroup", + "arn:aws:iam::aws:policy/AmazonEC2RolePolicyForLaunchWizard", + "arn:aws:iam::aws:policy/AWSDataExchangeReadOnly", + "arn:aws:iam::aws:policy/AWSDataExchangeSubscriberFullAccess", + "arn:aws:iam::aws:policy/AWSDataExchangeProviderFullAccess", + "arn:aws:iam::aws:policy/AWSDataExchangeFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSIoTSiteWiseMonitorServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingComprehendEndpointPolicy", + "arn:aws:iam::aws:policy/aws-service-role/DynamoDBCloudWatchContributorInsightsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSChatbotServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AWSBackupFullAccess", + "arn:aws:iam::aws:policy/AWSBackupOperatorAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSTrustedAdvisorReportingServiceRolePolicy", + 
"arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticBeanstalkManagedUpdatesServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSForFargateServiceRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchSyntheticsFullAccess", + "arn:aws:iam::aws:policy/CloudWatchSyntheticsReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEventBridgeSchemasServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEventBridgeSchemasReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgeSchemasFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForImageBuilder", + "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilder", + "arn:aws:iam::aws:policy/IAMAccessAnalyzerFullAccess", + "arn:aws:iam::aws:policy/IAMAccessAnalyzerReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AccessAnalyzerServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonCodeGuruReviewerServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonCodeGuruReviewerFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/ComputeOptimizerServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonCodeGuruReviewerReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerFullAccess", + "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonMCSFullAccess", + "arn:aws:iam::aws:policy/AmazonMCSReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSNetworkManagerServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonKendraReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonKendraFullAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerMechanicalTurkAccess", + "arn:aws:iam::aws:policy/AmazonAugmentedAIHumanLoopFullAccess", + "arn:aws:iam::aws:policy/AmazonAugmentedAIFullAccess", + "arn:aws:iam::aws:policy/AWSNetworkManagerReadOnlyAccess", + 
"arn:aws:iam::aws:policy/AWSNetworkManagerFullAccess", + "arn:aws:iam::aws:policy/AmazonFraudDetectorFullAccessPolicy", + "arn:aws:iam::aws:policy/AWSResourceAccessManagerResourceShareParticipantAccess", + "arn:aws:iam::aws:policy/AWSResourceAccessManagerReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/CloudFormationStackSetsOrgMemberServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/CloudFormationStackSetsOrgAdminServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/Health_OrganizationsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSImageBuilderReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSImageBuilderFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/EC2FleetTimeShiftableServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonRekognitionCustomLabelsFullAccess", + "arn:aws:iam::aws:policy/AmazonWorkDocsReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientReadWriteAccess", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemClientFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightSageMakerPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonManagedBlockchainServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSAppSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonChimeSDK", + "arn:aws:iam::aws:policy/AWSIoTDeviceTesterForFreeRTOSFullAccess", + "arn:aws:iam::aws:policy/AWSIoTDeviceTesterForGreengrassFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy", + "arn:aws:iam::aws:policy/ComputeOptimizerReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingCassandraTablePolicy", + "arn:aws:iam::aws:policy/ElementalAppliancesSoftwareReadOnlyAccess", + "arn:aws:iam::aws:policy/GameLiftGameServerGroupPolicy", + "arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSWAFConsoleReadOnlyAccess", + 
"arn:aws:iam::aws:policy/AmazonWorkDocsFullAccess", + "arn:aws:iam::aws:policy/AmazonAugmentedAIIntegratedAPIAccess", + "arn:aws:iam::aws:policy/AmazonKeyspacesFullAccess", + "arn:aws:iam::aws:policy/AmazonKeyspacesReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonDetectiveFullAccess", + "arn:aws:iam::aws:policy/AWSPurchaseOrdersServiceRolePolicy", + "arn:aws:iam::aws:policy/ServerMigrationServiceConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceLinkedRolePolicyForBackupTest", + "arn:aws:iam::aws:policy/AmazonSSMPatchAssociation", + "arn:aws:iam::aws:policy/AWSCloud9SSMInstanceProfile", + "arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForCloudFormation", + "arn:aws:iam::aws:policy/service-role/AWSIoTSiteWiseMonitorPortalAccess", + "arn:aws:iam::aws:policy/AWSThinkboxAWSPortalGatewayPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxAWSPortalWorkerPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxAssetServerPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxDeadlineResourceTrackerAccessPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxDeadlineResourceTrackerAdminPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxDeadlineSpotEventPluginWorkerPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxDeadlineSpotEventPluginAdminPolicy", + "arn:aws:iam::aws:policy/AWSThinkboxAWSPortalAdminPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSBackupServiceLinkedRolePolicyForBackup", + "arn:aws:iam::aws:policy/AmazonAppFlowReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonAppFlowFullAccess", + "arn:aws:iam::aws:policy/AlexaForBusinessLifesizeDelegatedAccessPolicy", + "arn:aws:iam::aws:policy/ElementalActivationsFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleWorkerTier", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleSNS", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleRDS", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleECS", + 
"arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleCore", + "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalkRoleCWL", + "arn:aws:iam::aws:policy/AWSCodeArtifactAdminAccess", + "arn:aws:iam::aws:policy/AWSBackupOrganizationAdminAccess", + "arn:aws:iam::aws:policy/service-role/AmazonMachineLearningRoleforRedshiftDataSourceV3", + "arn:aws:iam::aws:policy/AmazonHoneycodeTeamAssociationReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonHoneycodeWorkbookReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonHoneycodeFullAccess", + "arn:aws:iam::aws:policy/AmazonHoneycodeReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonHoneycodeTeamAssociationFullAccess", + "arn:aws:iam::aws:policy/AmazonHoneycodeWorkbookFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/CertificateManagerServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSCodeArtifactReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForCodeGuru-Profiler", + "arn:aws:iam::aws:policy/aws-service-role/AmazonCognitoIdpServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSElementalMediaLiveReadOnly", + "arn:aws:iam::aws:policy/AWSElementalMediaLiveFullAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerGroundTruthExecution", + "arn:aws:iam::aws:policy/service-role/ServerMigrationServiceRoleForInstanceValidation", + "arn:aws:iam::aws:policy/AWSCodePipeline_ReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCodePipeline_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonBraketServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSLakeFormationCrossAccountManager", + "arn:aws:iam::aws:policy/AmazonBraketFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSLambdaMSKExecutionRole", + "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantine", + "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController", + "arn:aws:iam::aws:policy/aws-service-role/Route53ResolverServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/ClientVPNServiceConnectionsRolePolicy", + 
"arn:aws:iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited", + "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforAWSCodeDeployLimited", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingKafkaClusterPolicy", + "arn:aws:iam::aws:policy/AWSTransferReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSBillingReadOnlyAccess", + "arn:aws:iam::aws:policy/ElementalActivationsReadOnlyAccess", + "arn:aws:iam::aws:policy/ElementalActivationsGenerateLicenses", + "arn:aws:iam::aws:policy/ElementalActivationsDownloadSoftwareAccess", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightElasticsearchPolicy", + "arn:aws:iam::aws:policy/AmazonRedshiftDataFullAccess", + "arn:aws:iam::aws:policy/AWSRoboMaker_FullAccess", + "arn:aws:iam::aws:policy/service-role/AWS_ConfigRole", + "arn:aws:iam::aws:policy/aws-service-role/MediaPackageServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSMarketplaceAmiIngestion", + "arn:aws:iam::aws:policy/AmazonElasticMapReducePlacementGroupPolicy", + "arn:aws:iam::aws:policy/AmazonElasticFileSystemsUtils", + "arn:aws:iam::aws:policy/Ec2ImageBuilderCrossAccountDistributionAccess", + "arn:aws:iam::aws:policy/service-role/AWSQuickSightTimestreamPolicy", + "arn:aws:iam::aws:policy/AmazonTimestreamReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonTimestreamFullAccess", + "arn:aws:iam::aws:policy/AmazonTimestreamConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForCloudWatchAlarmsActionSSMServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonS3OutpostsFullAccess", + "arn:aws:iam::aws:policy/AmazonS3OutpostsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSDeepRacerFullAccess", + "arn:aws:iam::aws:policy/CloudWatchLambdaInsightsExecutionRolePolicy", + "arn:aws:iam::aws:policy/AWSCloudTrail_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSSupportServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSBudgetsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSBudgetsActionsWithAWSResourceControlAccess", + 
"arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerServiceRoleForAMIManagement", + "arn:aws:iam::aws:policy/aws-service-role/AmazonMQServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSOutpostsServiceRolePolicy", + "arn:aws:iam::aws:policy/AwsGlueDataBrewFullAccessPolicy", + "arn:aws:iam::aws:policy/aws-service-role/DynamoDBKinesisReplicationServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSServiceCatalogAppRegistryFullAccess", + "arn:aws:iam::aws:policy/AWSServiceCatalogAppRegistryReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSNetworkFirewallServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSLambda_ReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSLambda_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonHoneycodeServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/S3StorageLensServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSGlueSchemaRegistryFullAccess", + "arn:aws:iam::aws:policy/AWSGlueSchemaRegistryReadonlyAccess", + "arn:aws:iam::aws:policy/AmazonConnect_FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonMWAAServiceRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchApplicationInsightsFullAccess", + "arn:aws:iam::aws:policy/CloudWatchApplicationInsightsReadOnlyAccess", + "arn:aws:iam::aws:policy/ElementalSupportCenterFullAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerAdmin-ServiceCatalogProductsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonDevOpsGuruServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSPanoramaGreengrassGroupRolePolicy", + "arn:aws:iam::aws:policy/AWSPanoramaFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSPanoramaApplianceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSPanoramaSageMakerRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSPanoramaServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicPowerUser", + "arn:aws:iam::aws:policy/AmazonSageMakerFeatureStoreAccess", + 
"arn:aws:iam::aws:policy/AmazonDevOpsGuruReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonDevOpsGuruFullAccess", + "arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicFullAccess", + "arn:aws:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly", + "arn:aws:iam::aws:policy/AdministratorAccess-Amplify", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForMonitronPolicy", + "arn:aws:iam::aws:policy/AmazonMonitronFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSMarketplaceLicenseManagementServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSGlueDataBrewServiceRole", + "arn:aws:iam::aws:policy/aws-service-role/ECRReplicationServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/IVSRecordToS3", + "arn:aws:iam::aws:policy/aws-service-role/AWSSystemsManagerChangeManagementServicePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSAuditManagerServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerEdgeDeviceFleetPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEMRContainersServiceRolePolicy", + "arn:aws:iam::aws:policy/EC2InstanceProfileForImageBuilderECRContainerBuilds", + "arn:aws:iam::aws:policy/AWSAuditManagerAdministratorAccess", + "arn:aws:iam::aws:policy/AWSTransferConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSTransferFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSIoTFleetHubFederationAccess", + "arn:aws:iam::aws:policy/AWSIoTWirelessFullAccess", + "arn:aws:iam::aws:policy/AWSIoTWirelessReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIoTWirelessFullPublishAccess", + "arn:aws:iam::aws:policy/AWSIoTWirelessGatewayCertManager", + "arn:aws:iam::aws:policy/AWSIoTWirelessDataAccess", + "arn:aws:iam::aws:policy/AWSIoTWirelessLogging", + "arn:aws:iam::aws:policy/AWSCloudShellFullAccess", + "arn:aws:iam::aws:policy/AmazonPrometheusFullAccess", + "arn:aws:iam::aws:policy/AmazonPrometheusConsoleFullAccess", + "arn:aws:iam::aws:policy/AmazonPrometheusQueryAccess", + 
"arn:aws:iam::aws:policy/AmazonPrometheusRemoteWriteAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonFISServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonSageMakerCoreServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonLexV2BotPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonLexChannelsAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSDirectConnectServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSOpsWorks_FullAccess", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkReadOnly", + "arn:aws:iam::aws:policy/AdministratorAccess-AWSElasticBeanstalk", + "arn:aws:iam::aws:policy/AmazonWorkMailMessageFlowReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCodeGuruProfilerAgentAccess", + "arn:aws:iam::aws:policy/AmazonWorkMailMessageFlowFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEventBridgeApiDestinationsServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonHealthLakeFullAccess", + "arn:aws:iam::aws:policy/AmazonHealthLakeReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSProtonDeveloperAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSStorageGatewayServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSProtonFullAccess", + "arn:aws:iam::aws:policy/AWSProtonReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSGrafanaConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSGrafanaWorkspacePermissionManagement", + "arn:aws:iam::aws:policy/AWSGrafanaAccountAdministrator", + "arn:aws:iam::aws:policy/AWSElasticBeanstalkManagedUpdatesCustomerRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/BatchServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonEMRServicePolicy_v2", + "arn:aws:iam::aws:policy/AmazonEMRReadOnlyAccessPolicy_v2", + "arn:aws:iam::aws:policy/AmazonEMRFullAccessPolicy_v2", + "arn:aws:iam::aws:policy/AWSSecurityHubOrganizationsAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationMigrationServiceRolePolicy", + 
"arn:aws:iam::aws:policy/service-role/AWSApplicationMigrationConversionServerPolicy", + "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess", + "arn:aws:iam::aws:policy/AWSApplicationMigrationAgentPolicy", + "arn:aws:iam::aws:policy/AWSApplicationMigrationEC2Access", + "arn:aws:iam::aws:policy/service-role/AWSApplicationMigrationMGHAccess", + "arn:aws:iam::aws:policy/AWSApplicationMigrationReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AWSApplicationMigrationReplicationServerPolicy", + "arn:aws:iam::aws:policy/AmazonLookoutEquipmentFullAccess", + "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV2", + "arn:aws:iam::aws:policy/aws-service-role/AWSSystemsManagerOpsDataSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSCloudWatchAlarms_ActionSSMIncidentsServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonNimbleStudio-LaunchProfileWorker", + "arn:aws:iam::aws:policy/AmazonNimbleStudio-StudioAdmin", + "arn:aws:iam::aws:policy/AmazonNimbleStudio-StudioUser", + "arn:aws:iam::aws:policy/AmazonLookoutEquipmentReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonLookoutMetricsReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonLookoutMetricsFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSIncidentManagerServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSIncidentManagerResolverAccess", + "arn:aws:iam::aws:policy/AmazonLookoutVisionReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonLookoutVisionFullAccess", + "arn:aws:iam::aws:policy/AmazonLookoutVisionConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonLookoutVisionConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AppRunnerServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceCatalogAppRegistryServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDeviceFarmTestGridServiceRolePolicy", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSKeyManagementServiceMultiRegionKeysServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSSSMOpsInsightsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSBugBustServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSBugBustFullAccess", + "arn:aws:iam::aws:policy/AWSBugBustPlayerAccess", + "arn:aws:iam::aws:policy/aws-service-role/Route53RecoveryReadinessServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerPipelinesIntegrations", + "arn:aws:iam::aws:policy/aws-service-role/AmazonChimeTranscriptionServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSLicenseManagerConsumptionPolicy", + "arn:aws:iam::aws:policy/aws-service-role/MemoryDBServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingElastiCacheRGPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonS3ObjectLambdaExecutionRolePolicy", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryReadinessFullAccess", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryClusterReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryControlConfigFullAccess", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryControlConfigReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryReadinessReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53RecoveryClusterFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupReports", + "arn:aws:iam::aws:policy/AWSBackupAuditAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonOpenSearchServiceCognitoAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingNeptuneClusterPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSConnectorServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/KafkaConnectServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSQuicksightOpenSearchPolicy", + 
"arn:aws:iam::aws:policy/AmazonOpenSearchServiceFullAccess", + "arn:aws:iam::aws:policy/AmazonOpenSearchServiceReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSMediaTailorServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonMSKConnectReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonConnectCampaignsServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2FullAccess", + "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2NoSharing", + "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadSharing", + "arn:aws:iam::aws:policy/AmazonRedshiftQueryEditorV2ReadWriteSharing", + "arn:aws:iam::aws:policy/AmazonConnectVoiceIDFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSEC2CapacityReservationFleetRolePolicy", + "arn:aws:iam::aws:policy/AWSAccountManagementFullAccess", + "arn:aws:iam::aws:policy/AWSAccountManagementReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonMemoryDBFullAccess", + "arn:aws:iam::aws:policy/AmazonMemoryDBReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRDSCustomServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonRDSCustomPreviewServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSMigrationHubStrategyServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSMigrationHubStrategyConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSMigrationHubStrategyCollector", + "arn:aws:iam::aws:policy/aws-service-role/AWSPanoramaServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSPanoramaApplianceServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSMarketplacePurchaseOrdersServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSDeepRacerAccountAdminAccess", + "arn:aws:iam::aws:policy/AWSDeepRacerDefaultMultiUserAccess", + "arn:aws:iam::aws:policy/service-role/AWSCostAndUsageReportAutomationPolicy", + "arn:aws:iam::aws:policy/AmazonRedshiftAllCommandsFullAccess", + "arn:aws:iam::aws:policy/AWSApplicationMigrationVCenterClientPolicy", + 
"arn:aws:iam::aws:policy/AmazonDevOpsGuruOrganizationsAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonInspector2ServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryRecoveryInstancePolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryAgentPolicy", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryAgentInstallationPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryFailbackPolicy", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSElasticDisasterRecoveryServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryFailbackInstallationPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryReplicationServerPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryConversionServerPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSShieldServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonCloudWatchRUMServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonDetectiveServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonGrafanaAthenaAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaTailorFullAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaTailorReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/AWSProtonSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonBraketJobsExecutionPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSECRPullThroughCache_ServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonGrafanaRedshiftAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSMigrationHubRefactorSpacesServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSMigrationHubRefactorSpacesFullAccess", + "arn:aws:iam::aws:policy/AmazonCloudWatchEvidentlyReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCloudWatchEvidentlyFullAccess", + 
"arn:aws:iam::aws:policy/AmazonCloudWatchRUMReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCloudWatchRUMFullAccess", + "arn:aws:iam::aws:policy/AmazonInspector2FullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonWorkSpacesWebServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonWorkSpacesWebReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/AWSIPAMServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSPrivateNetworksServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonDevOpsGuruConsoleFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/EC2FastLaunchServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSAppRunnerFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AppRunnerNetworkingServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonInspector2ReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore", + "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsGlueServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsCodePipelineServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsEventsServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsFirehoseServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSAppRunnerReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSIdentitySyncFullAccess", + "arn:aws:iam::aws:policy/AWSIdentitySyncReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsApiGatewayServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsCloudformationServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerServiceCatalogProductsCodeBuildServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerServiceCatalogProductsLambdaServiceRolePolicy", + 
"arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonChimeSDKMediaPipelinesServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AmazonRDSPerformanceInsightsReadOnly", + "arn:aws:iam::aws:policy/ROSAManageSubscription", + "arn:aws:iam::aws:policy/AWSBillingConductorFullAccess", + "arn:aws:iam::aws:policy/AWSBillingConductorReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AwsGlueSessionUserRestrictedServiceRole", + "arn:aws:iam::aws:policy/AwsGlueSessionUserRestrictedPolicy", + "arn:aws:iam::aws:policy/AwsGlueSessionUserRestrictedNotebookPolicy", + "arn:aws:iam::aws:policy/service-role/AwsGlueSessionUserRestrictedNotebookServiceRole", + "arn:aws:iam::aws:policy/aws-service-role/AWSMigrationHubOrchestratorServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSMigrationHubOrchestratorPlugin", + "arn:aws:iam::aws:policy/AWSMigrationHubOrchestratorConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSMigrationHubOrchestratorInstanceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/MonitronServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEMRServerlessServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSBudgetsActions_RolePolicyForResourceAdministrationWithSSM", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryStagingAccountPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryEc2InstancePolicy", + "arn:aws:iam::aws:policy/service-role/AWSApplicationMigrationAgentPolicy_v2", + "arn:aws:iam::aws:policy/aws-service-role/AWSM2ServicePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSManagedServicesDeploymentToolkitPolicy", + "arn:aws:iam::aws:policy/AWSCloudTrail_ReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSApplicationMigrationAgentInstallationPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSWellArchitectedOrganizationsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSRolesAnywhereServicePolicy", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSNetworkManagerCloudWANServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonGuardDutyMalwareProtectionServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSVendorInsightsVendorFullAccess", + "arn:aws:iam::aws:policy/AWSVendorInsightsVendorReadOnly", + "arn:aws:iam::aws:policy/AWSVendorInsightsAssessorFullAccess", + "arn:aws:iam::aws:policy/AWSVendorInsightsAssessorReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerUserSubscriptionsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityFullAccess", + "arn:aws:iam::aws:policy/AWSTrustedAdvisorPriorityReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSApplicationDiscoveryAgentlessCollectorAccess", + "arn:aws:iam::aws:policy/AWSSupportAppFullAccess", + "arn:aws:iam::aws:policy/AWSSupportAppReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSLocalOutpostServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerCanvasForecastAccess", + "arn:aws:iam::aws:policy/AmazonEKSLocalOutpostClusterPolicy", + "arn:aws:iam::aws:policy/GroundTruthSyntheticConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/GroundTruthSyntheticConsoleFullAccess", + "arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonCloudWatchEvidentlyServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDeviceFarmServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSIoTFleetwiseServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSSupportPlansReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSSupportPlansFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AppIntegrationsServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonAppStreamPCAAccess", + "arn:aws:iam::aws:policy/AWSRefactoringToolkitSidecarPolicy", + "arn:aws:iam::aws:policy/AWSRefactoringToolkitFullAccess", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSResourceExplorerServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorSSMAccess", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorRDSAccess", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorNetworkAccess", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEKSAccess", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorECSAccess", + "arn:aws:iam::aws:policy/service-role/AWSFaultInjectionSimulatorEC2Access", + "arn:aws:iam::aws:policy/AWSResourceExplorerReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSResourceExplorerFullAccess", + "arn:aws:iam::aws:policy/AmazonWorkspacesPCAAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonGrafanaServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AWSProtonCodeBuildProvisioningBasicAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSProtonCodeBuildProvisioningServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEventBridgeSchedulerFullAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgeSchedulerReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSBackupRestoreAccessForSAPHANA", + "arn:aws:iam::aws:policy/AWSBackupDataTransferAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceCatalogSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSSSMForSAPServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AWSSystemsManagerForSAPFullAccess", + "arn:aws:iam::aws:policy/AWSSystemsManagerForSAPReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchIngestionServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSReachabilityAnalyzerServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchServerlessServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSApplicationMigrationSSMAccess", + "arn:aws:iam::aws:policy/OAMReadOnlyAccess", + "arn:aws:iam::aws:policy/OAMFullAccess", + 
"arn:aws:iam::aws:policy/AWSXrayCrossAccountSharingConfiguration", + "arn:aws:iam::aws:policy/CloudWatchLogsCrossAccountSharingConfiguration", + "arn:aws:iam::aws:policy/CloudWatchCrossAccountSharingConfiguration", + "arn:aws:iam::aws:policy/aws-service-role/CloudWatchInternetMonitorServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSWickrFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSVPCVerifiedAccessServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonOmicsReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/SecurityLakeServiceLinkedRole", + "arn:aws:iam::aws:policy/AmazonSecurityLakePermissionsBoundary", + "arn:aws:iam::aws:policy/AmazonSageMakerModelGovernanceUseAccess", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerGeospatialFullAccess", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerGeospatialExecutionRole", + "arn:aws:iam::aws:policy/aws-service-role/AmazonDocDB-ElasticServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSVpcLatticeServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEventBridgePipesFullAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgePipesReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonEventBridgePipesOperatorAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForGroundStationDataflowEndpointGroupPolicy", + "arn:aws:iam::aws:policy/service-role/AWSBackupGatewayServiceRolePolicyForVirtualMachineMetadataSync", + "arn:aws:iam::aws:policy/aws-service-role/AWSManagedServices_DetectiveControlsConfig_ServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSLicenseManagerLinuxSubscriptionsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSOutpostsAuthorizeServerPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryStagingAccountPolicy_v2", + "arn:aws:iam::aws:policy/aws-service-role/ResourceGroupsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSCleanRoomsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCleanRoomsFullAccess", + 
"arn:aws:iam::aws:policy/AWSCleanRoomsFullAccessNoQuerying", + "arn:aws:iam::aws:policy/aws-service-role/AWSHealth_EventProcessorServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonDetectiveMemberAccess", + "arn:aws:iam::aws:policy/AmazonDetectiveInvestigatorAccess", + "arn:aws:iam::aws:policy/aws-service-role/Ec2InstanceConnectEndpoint", + "arn:aws:iam::aws:policy/AmazonCognitoUnauthenticatedIdentities", + "arn:aws:iam::aws:policy/aws-service-role/AWSManagedServices_EventsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSPrivateCAUser", + "arn:aws:iam::aws:policy/AWSPrivateCAFullAccess", + "arn:aws:iam::aws:policy/AWSPrivateCAPrivilegedUser", + "arn:aws:iam::aws:policy/AWSPrivateCAReadOnly", + "arn:aws:iam::aws:policy/AWSPrivateCAAuditor", + "arn:aws:iam::aws:policy/AmazonOmicsFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSSupplyChainFederationAdminAccess", + "arn:aws:iam::aws:policy/AmazonDetectiveOrganizationsAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonChimeSDKMessagingServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDMSFleetAdvisorServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/CustomerProfilesServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDataSyncDiscoveryServiceRolePolicy", + "arn:aws:iam::aws:policy/MediaConnectGatewayInstanceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSManagedServices_ContactsServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasAIServicesAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForCodeWhispererPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonGrafanaCloudWatchAccess", + "arn:aws:iam::aws:policy/AWSGroundStationAgentInstancePolicy", + "arn:aws:iam::aws:policy/VPCLatticeServicesInvokeAccess", + "arn:aws:iam::aws:policy/VPCLatticeReadOnlyAccess", + "arn:aws:iam::aws:policy/VPCLatticeFullAccess", + "arn:aws:iam::aws:policy/AWSMigrationHubRefactorSpaces-EnvironmentsWithoutBridgesFullAccess", + 
"arn:aws:iam::aws:policy/aws-service-role/AWSMediaConnectServicePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSProtonServiceGitSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceCatalogOrgsDataSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerModelRegistryFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSUserNotificationsServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonCodeCatalystSupportAccess", + "arn:aws:iam::aws:policy/AmazonCodeCatalystReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCodeCatalystFullAccess", + "arn:aws:iam::aws:policy/service-role/ROSACloudNetworkConfigOperatorPolicy", + "arn:aws:iam::aws:policy/service-role/ROSAWorkerInstancePolicy", + "arn:aws:iam::aws:policy/service-role/ROSAAmazonEBSCSIDriverOperatorPolicy", + "arn:aws:iam::aws:policy/service-role/ROSAIngressOperatorPolicy", + "arn:aws:iam::aws:policy/service-role/ROSAControlPlaneOperatorPolicy", + "arn:aws:iam::aws:policy/AmazonOpenSearchIngestionReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonOpenSearchIngestionFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSWellArchitectedDiscoveryServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/ROSAKubeControllerPolicy", + "arn:aws:iam::aws:policy/service-role/ROSAKMSProviderPolicy", + "arn:aws:iam::aws:policy/service-role/ROSAImageRegistryOperatorPolicy", + "arn:aws:iam::aws:policy/AmazonVPCReachabilityAnalyzerPathComponentReadPolicy", + "arn:aws:iam::aws:policy/aws-service-role/KeyspacesReplicationServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonCodeGuruSecurityScanAccess", + "arn:aws:iam::aws:policy/AmazonCodeGuruSecurityFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSFinSpaceServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryCrossAccountReplicationPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDMSServerlessServiceRolePolicy", + 
"arn:aws:iam::aws:policy/AmazonSecurityLakeAdministrator", + "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy", + "arn:aws:iam::aws:policy/AmazonDocDBElasticFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSControlTowerAccountServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy", + "arn:aws:iam::aws:policy/AmazonDocDBElasticReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/ROSANodePoolManagementPolicy", + "arn:aws:iam::aws:policy/service-role/AWSElasticDisasterRecoveryNetworkReplicationPolicy", + "arn:aws:iam::aws:policy/AmazonVPCReachabilityAnalyzerFullAccessPolicy", + "arn:aws:iam::aws:policy/AmazonMacieReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonVPCNetworkAccessAnalyzerFullAccessPolicy", + "arn:aws:iam::aws:policy/aws-service-role/EMRDescribeClusterPolicyForEMRWAL", + "arn:aws:iam::aws:policy/aws-service-role/AWSAppFabricServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSResilienceHubAsssessmentExecutionPolicy", + "arn:aws:iam::aws:policy/AWSAppFabricFullAccess", + "arn:aws:iam::aws:policy/AWSAppFabricReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonCognitoUnAuthedIdentitiesSessionPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy", + "arn:aws:iam::aws:policy/AWSElementalMediaPackageV2FullAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaPackageV2ReadOnly", + "arn:aws:iam::aws:policy/AWSHealthImagingFullAccess", + "arn:aws:iam::aws:policy/AWSHealthImagingReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudWatchFullAccessV2", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerPartnerServiceCatalogProductsLambdaServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerPartnerServiceCatalogProductsApiGatewayServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerPartnerServiceCatalogProductsCloudFormationServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AWSMigrationHubRefactorSpaces-SSMAutomationPolicy", + 
"arn:aws:iam::aws:policy/AmazonRDSPerformanceInsightsFullAccess", + "arn:aws:iam::aws:policy/AWSEntityResolutionConsoleFullAccess", + "arn:aws:iam::aws:policy/AWSEntityResolutionConsoleReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSArtifactServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSApplicationMigrationServiceEc2InstancePolicy", + "arn:aws:iam::aws:policy/AmazonLaunchWizardFullAccessV2", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForCloudWatchMetrics_DbPerfInsightsServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonDataZoneEnvironmentRolePermissionsBoundary", + "arn:aws:iam::aws:policy/AmazonKeyspacesReadOnlyAccess_v2", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryLaunchActionsPolicy", + "arn:aws:iam::aws:policy/AmazonDataZoneFullAccess", + "arn:aws:iam::aws:policy/service-role/AmazonDataZoneRedshiftManageAccessRolePolicy", + "arn:aws:iam::aws:policy/AmazonDataZoneRedshiftGlueProvisioningPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonDataZoneGlueManageAccessRolePolicy", + "arn:aws:iam::aws:policy/AmazonDataZoneFullUserAccess", + "arn:aws:iam::aws:policy/service-role/AmazonDataZoneDomainExecutionRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSS3OnOutpostsServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/AmazonSageMakerCanvasDirectDeployAccess", + "arn:aws:iam::aws:policy/service-role/AmplifyBackendDeployFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonConnectSynchronizationServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasDataPrepFullAccess", + "arn:aws:iam::aws:policy/service-role/AWSDataLifecycleManagerSSMFullAccess", + "arn:aws:iam::aws:policy/AWSIAMIdentityCenterAllowListForIdentityContext", + "arn:aws:iam::aws:policy/aws-service-role/CloudWatchApplicationSignalsServiceRolePolicy", + "arn:aws:iam::aws:policy/PartnerCentralAccountManagementUserRoleAssociation", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRolePolicyForBackupRestoreTesting", + 
"arn:aws:iam::aws:policy/AWSIncidentManagerIncidentAccessServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSIoTTwinMakerServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSResourceExplorerOrganizationsAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSrePostPrivateCloudWatchAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSMarketplaceDeploymentServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSGitSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/EC2ImageBuilderLifecycleExecutionPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonInspector2AgentlessServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/CostOptimizationHubServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonPrometheusScraperServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSRepostSpaceSupportOperationsPolicy", + "arn:aws:iam::aws:policy/AWSElasticDisasterRecoveryConsoleFullAccess_v2", + "arn:aws:iam::aws:policy/AmazonOneEnterpriseFullAccess", + "arn:aws:iam::aws:policy/AmazonOneEnterpriseReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonOneEnterpriseInstallerAccess", + "arn:aws:iam::aws:policy/AmazonQFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForNeptuneGraphPolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerClusterInstanceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSZonalAutoshiftPracticeRunSLRPolicy", + "arn:aws:iam::aws:policy/AWSCleanRoomsMLReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSCleanRoomsMLFullAccess", + "arn:aws:iam::aws:policy/NeptuneGraphReadOnlyAccess", + "arn:aws:iam::aws:policy/IVSReadOnlyAccess", + "arn:aws:iam::aws:policy/service-role/AWSMSKReplicatorExecutionRole", + "arn:aws:iam::aws:policy/AmazonBedrockFullAccess", + "arn:aws:iam::aws:policy/AmazonBedrockReadOnly", + "arn:aws:iam::aws:policy/CostOptimizationHubReadOnlyAccess", + "arn:aws:iam::aws:policy/IVSFullAccess", + "arn:aws:iam::aws:policy/CostOptimizationHubAdminAccess", + 
"arn:aws:iam::aws:policy/aws-service-role/CloudWatchNetworkMonitorServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonOpenSearchDashboardsServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSArtifactReportsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSGrafanaWorkspacePermissionManagementV2", + "arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForVolumes", + "arn:aws:iam::aws:policy/service-role/AmazonECSInfrastructureRolePolicyForServiceConnectTransportLayerSecurity", + "arn:aws:iam::aws:policy/service-role/AmazonSecurityLakeMetastoreManager", + "arn:aws:iam::aws:policy/AmazonInspector2ManagedCisPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonLexReplicationPolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasBedrockAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForPrivateMarketplaceAdminPolicy", + "arn:aws:iam::aws:policy/AmazonRDSCustomInstanceProfileRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSMarketplaceResaleAuthorizationServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonTimestreamInfluxDBServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonTimestreamInfluxDBFullAccess", + "arn:aws:iam::aws:policy/AWSEC2VssSnapshotPolicy", + "arn:aws:iam::aws:policy/AWSQuickSightAssetBundleExportPolicy", + "arn:aws:iam::aws:policy/AWSQuickSightAssetBundleImportPolicy", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-UserAccessFarms", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-UserAccessFleets", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-UserAccessJobs", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-UserAccessQueues", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-FleetWorker", + "arn:aws:iam::aws:policy/AWSDeadlineCloud-WorkerHost", + "arn:aws:iam::aws:policy/aws-service-role/SplitCostAllocationDataServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerEnvironmentRolePermissionsBoundary", + "arn:aws:iam::aws:policy/AmazonDataZoneSageMakerProvisioningRolePolicy", + 
"arn:aws:iam::aws:policy/AmazonDataZoneSageMakerManageAccessRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForAmazonQDeveloper", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForUserSubscriptions", + "arn:aws:iam::aws:policy/aws-service-role/QBusinessServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonRoute53ProfilesReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonRoute53ProfilesFullAccess", + "arn:aws:iam::aws:policy/AmazonOpenSearchDirectQueryGlueCreateAccess", + "arn:aws:iam::aws:policy/EC2FastLaunchFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonSESServiceRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchApplicationSignalsReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudWatchApplicationSignalsFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSBCMDataExportsServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/OpensearchIngestionSelfManagedVpcePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSApplicationAutoscalingWorkSpacesPoolPolicy", + "arn:aws:iam::aws:policy/aws-service-role/ECRTemplateServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonWorkSpacesSecureBrowserReadOnly", + "arn:aws:iam::aws:policy/aws-service-role/SSMQuickSetupRolePolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyBaselineAccess", + "arn:aws:iam::aws:policy/AWSSystemsManagerEnableConfigRecordingExecutionPolicy", + "arn:aws:iam::aws:policy/AWSSystemsManagerEnableExplorerExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupDevOpsGuruPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupSSMHostMgmtPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupDistributorPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupCFGCPacksPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupSchedulerPermissionsBoundary", + "arn:aws:iam::aws:policy/AWSQuickSetupDeploymentRolePolicy", + 
"arn:aws:iam::aws:policy/AWSQuickSetupPatchPolicyDeploymentRolePolicy", + "arn:aws:iam::aws:policy/AmazonWorkSpacesPoolServiceAccess", + "arn:aws:iam::aws:policy/AmazonQDeveloperAccess", + "arn:aws:iam::aws:policy/aws-service-role/AppStudioServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonWorkSpacesThinClientReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasEMRServerlessExecutionRolePolicy", + "arn:aws:iam::aws:policy/AmazonBedrockStudioPermissionsBoundary", + "arn:aws:iam::aws:policy/AmazonWorkSpacesThinClientFullAccess", + "arn:aws:iam::aws:policy/AWSCompromisedKeyQuarantineV3", + "arn:aws:iam::aws:policy/aws-service-role/AWSPCSServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AmazonSageMakerHyperPodServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSDirectoryServiceDataFullAccess", + "arn:aws:iam::aws:policy/AWSDirectoryServiceDataReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/QAppsServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodeMinimalPolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSServiceRoleForProcurementInsightsPolicy", + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly", + "arn:aws:iam::aws:policy/aws-service-role/AWSDataSyncServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSDataExchangeServiceRolePolicyForOrganizationDiscovery", + "arn:aws:iam::aws:policy/aws-service-role/AWSDataExchangeServiceRolePolicyForLicenseManagement", + "arn:aws:iam::aws:policy/aws-service-role/AWSSocialMessagingServiceRolePolicy", + "arn:aws:iam::aws:policy/ResourceGroupsTaggingAPITagUntagSupportedResources", + "arn:aws:iam::aws:policy/AmazonVerifiedPermissionsFullAccess", + "arn:aws:iam::aws:policy/AmazonVerifiedPermissionsReadOnlyAccess", + "arn:aws:iam::aws:policy/CloudWatchLambdaApplicationSignalsExecutionRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchInternetMonitorFullAccess", + "arn:aws:iam::aws:policy/AWSDataExchangeDataGrantOwnerFullAccess", + 
"arn:aws:iam::aws:policy/AWSDataExchangeDataGrantReceiverFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSCloudFrontVPCOriginServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy", + "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy", + "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy", + "arn:aws:iam::aws:policy/AmazonEKSComputePolicy", + "arn:aws:iam::aws:policy/GameLiftContainerFleetPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonDataZoneBedrockModelManagementPolicy", + "arn:aws:iam::aws:policy/service-role/AmazonDataZoneBedrockModelConsumptionPolicy", + "arn:aws:iam::aws:policy/CloudWatchInternetMonitorReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AmazonODBServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/SMSVoiceServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSPartnerCentralOpportunityManagement", + "arn:aws:iam::aws:policy/AWSPartnerCentralSandboxFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/SecurityLakeResourceManagementServiceRolePolicy", + "arn:aws:iam::aws:policy/root-task/SQSUnlockQueuePolicy", + "arn:aws:iam::aws:policy/root-task/S3UnlockBucketPolicy", + "arn:aws:iam::aws:policy/root-task/IAMAuditRootUserCredentials", + "arn:aws:iam::aws:policy/root-task/IAMCreateRootUserPassword", + "arn:aws:iam::aws:policy/root-task/IAMDeleteRootUserCredentials", + "arn:aws:iam::aws:policy/AmazonECSInfrastructureRolePolicyForVpcLattice", + "arn:aws:iam::aws:policy/AWSQuickSetupEnableDHMCExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupManagedInstanceProfileExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupSSMLifecycleManagementExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupSSMDeploymentS3BucketRolePolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupEnableAREXExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupSSMManageResourcesExecutionPolicy", + "arn:aws:iam::aws:policy/AWSQuickSetupSSMDeploymentRolePolicy", + 
"arn:aws:iam::aws:policy/AWS-SSM-Automation-DiagnosisBucketPolicy", + "arn:aws:iam::aws:policy/AWS-SSM-DiagnosisAutomation-AdministrationRolePolicy", + "arn:aws:iam::aws:policy/AWS-SSM-DiagnosisAutomation-ExecutionRolePolicy", + "arn:aws:iam::aws:policy/AWS-SSM-DiagnosisAutomation-OperationalAccountAdministrationRolePolicy", + "arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-AdministrationRolePolicy", + "arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-ExecutionRolePolicy", + "arn:aws:iam::aws:policy/AWS-SSM-RemediationAutomation-OperationalAccountAdministrationRolePolicy", + "arn:aws:iam::aws:policy/AWSPartnerCentralFullAccess", + "arn:aws:iam::aws:policy/AWSMarketplaceSellerOfferManagement", + "arn:aws:iam::aws:policy/SageMakerStudioProjectRoleMachineLearningPolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioDomainServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioDomainExecutionRolePolicy", + "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePermissionsBoundary", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioProjectProvisioningRolePolicy", + "arn:aws:iam::aws:policy/SageMakerStudioProjectUserRolePolicy", + "arn:aws:iam::aws:policy/AWSArtifactAgreementsFullAccess", + "arn:aws:iam::aws:policy/AWSArtifactAgreementsReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSPartnerLedSupportReadOnlyAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSObservabilityAdminServiceRolePolicy", + "arn:aws:iam::aws:policy/SageMakerStudioFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/DeclarativePoliciesEC2Report", + "arn:aws:iam::aws:policy/aws-service-role/AWSSecurityIncidentResponseServiceRolePolicy", + "arn:aws:iam::aws:policy/aws-service-role/AWSSecurityIncidentResponseTriageServiceRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchOpenSearchDashboardsFullAccess", + "arn:aws:iam::aws:policy/CloudWatchOpenSearchDashboardAccess", + 
"arn:aws:iam::aws:policy/aws-service-role/CloudWatchNetworkFlowMonitorServiceRolePolicy", + "arn:aws:iam::aws:policy/CloudWatchNetworkFlowMonitorAgentPublishPolicy", + "arn:aws:iam::aws:policy/aws-service-role/CloudWatchNetworkFlowMonitorTopologyServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSSecurityIncidentResponseReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSSecurityIncidentResponseCaseFullAccess", + "arn:aws:iam::aws:policy/AWSSecurityIncidentResponseFullAccess", + "arn:aws:iam::aws:policy/AIOpsAssistantPolicy", + "arn:aws:iam::aws:policy/AIOpsConsoleAdminPolicy", + "arn:aws:iam::aws:policy/AIOpsReadOnlyAccess", + "arn:aws:iam::aws:policy/AIOpsOperatorAccess", + "arn:aws:iam::aws:policy/aws-service-role/AuroraDsqlServiceLinkedRolePolicy", + "arn:aws:iam::aws:policy/AmazonS3TablesReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonAuroraDSQLReadOnlyAccess", + "arn:aws:iam::aws:policy/AmazonS3TablesFullAccess", + "arn:aws:iam::aws:policy/QBusinessQuicksightPluginPolicy", + "arn:aws:iam::aws:policy/AmazonAuroraDSQLConsoleFullAccess", + "arn:aws:iam::aws:policy/AmazonAuroraDSQLFullAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerTrainingPlanCreateAccess", + "arn:aws:iam::aws:policy/AmazonSageMakerCanvasSMDataScienceAssistantAccess", + "arn:aws:iam::aws:policy/AWSPartnerCentralSellingResourceSnapshotJobExecutionRolePolicy", + "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForIndexing", + "arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForItemRestores", + "arn:aws:iam::aws:policy/aws-service-role/AWSManagedServices_SelfServiceReporting_ServiceRolePolicy", + "arn:aws:iam::aws:policy/AmazonSageMakerPartnerAppsFullAccess", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioQueryExecutionRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioEMRServiceRolePolicy", + "arn:aws:iam::aws:policy/AWSElementalMediaConnectReadOnlyAccess", + "arn:aws:iam::aws:policy/AWSElementalMediaConnectFullAccess", + 
"arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockAgentServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockChatAgentUserRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockFlowServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockPromptUserRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockEvaluationJobServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockKnowledgeBaseServiceRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockKnowledgeBaseCustomResourcePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockFunctionExecutionRolePolicy", + "arn:aws:iam::aws:policy/service-role/SageMakerStudioEMRInstanceRolePolicy", + "arn:aws:iam::aws:policy/AWSBackupSearchOperatorAccess", + "arn:aws:iam::aws:policy/AWSIoTManagedIntegrationsFullAccess", + "arn:aws:iam::aws:policy/aws-service-role/AWSIoTManagedIntegrationsRolePolicy" +]
diff --git a/src/data/data.go b/src/data/data.go
new file mode 100644
index 00000000..413e1868
--- /dev/null
+++ b/src/data/data.go
@@ -0,0 +1,6 @@
+package data
+
+import _ "embed"
+
+//go:embed aws/aws-policies.json
+var AwsManagedPolicies []byte
diff --git a/src/data/generate.go b/src/data/generate.go
new file mode 100644
index 00000000..319518a8
--- /dev/null
+++ b/src/data/generate.go
@@ -0,0 +1,5 @@
+//go:build data
+
+package data
+
+//go:generate sh -c "aws iam list-policies --scope AWS --query 'Policies[*].Arn' --output json > aws/aws-policies.json"
diff --git a/src/pkg/cloudclient/graphql/cloudapi/schema.graphql b/src/pkg/cloudclient/graphql/cloudapi/schema.graphql
index 257b6249..c0c0fa69 100644
--- a/src/pkg/cloudclient/graphql/cloudapi/schema.graphql
+++ b/src/pkg/cloudclient/graphql/cloudapi/schema.graphql
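Review bot: `AwsManagedPolicies` in data.go is exported without a doc comment, and nothing says that the embedded aws/aws-policies.json is a point-in-time snapshot of `aws iam list-policies --scope AWS` output rather than a live lookup. Suggest `// AwsManagedPolicies is the JSON array of AWS-managed policy ARNs captured in aws/aws-policies.json when generate.go was last run; it goes stale as AWS adds policies, so a miss does not prove a policy is customer-managed.` Whether any caller already treats a miss that way is not visible in this diff.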
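Review bot: The `go:generate` directive in generate.go redirects straight into aws/aws-policies.json, so a failing or unauthenticated `aws` invocation leaves the committed file truncated (empty or partial) while `go generate` only reports the non-zero exit. Writing to a temporary file and moving it into place on success keeps the last good snapshot, e.g. `sh -c "aws iam list-policies --scope AWS --query 'Policies[*].Arn' --output json > aws/aws-policies.json.tmp && mv aws/aws-policies.json.tmp aws/aws-policies.json"`. A one-line comment above the directive noting that the file is only processed under the `data` build tag (it appears to need `go generate -tags data`) would also help, since a plain `go generate` will silently skip it.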
@@ -154,6 +154,7 @@ input AWSVisibilitySettingsInput {
 type AccessApprovalRuleset {
 id: ID!
+ order: Int!
 origin: AccessApprovalRulesetFilter!
 target: AccessApprovalRulesetFilter!
 action: AccessApprovalRulesetAction!
@@ -301,6 +302,11 @@ enum AuthRole {
 VIEWER
 }
+type AutoApproveMoreRestrictiveIntentsByEnv {
+ environmentId: ID!
+ enabled: Boolean!
+}
+
 enum AutomateThirdPartyNetworkPolicy {
 OFF
 ALWAYS
@@ -735,6 +741,8 @@ enum EdgeAccessStatusReason {
 ALLOWED_BY_APPLIED_INTENTS_KAFKA_OVERLY_PERMISSIVE
 ALLOWED_BY_APPLIED_INTENTS_DATABASE_OVERLY_PERMISSIVE
 ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
+ ALLOWED_BY_INTERNET_EGRESS_NETWORK_POLICY
+ ALLOWED_BY_INTERNET_INGRESS_NETWORK_POLICY
 WOULD_BE_ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY
 BLOCKED_BY_APPLIED_INTENTS_UNDER_PERMISSIVE
 BLOCKED_BY_APPLIED_INTENTS_RESOURCE_MISMATCH
@@ -746,6 +754,8 @@ enum EdgeAccessStatusReason {
 BLOCKED_BY_APPLIED_INTENTS_DATABASE_UNDER_PERMISSIVE
 BLOCKED_BY_APPLIED_INTENTS_DATABASE_RESOURCE_MISMATCH
 BLOCKED_BY_DATABASE_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS
+ BLOCKED_BY_INTERNET_EGRESS_NETWORK_POLICY
+ BLOCKED_BY_INTERNET_INGRESS_NETWORK_POLICY
 BLOCKED_BY_DEFAULT_DENY
 SHARED_SERVICE_ACCOUNT
 CLIENT_ISTIO_SIDECAR_MISSING
@@ -880,6 +890,7 @@ type FeatureFlags {
 useTypedIntentsCTE: Boolean
 enableInternetIntentsSuggestions: Boolean
 enableIAMIntentsSuggestions: Boolean
+ enableNetworkPoliciesInAccessGraph: Boolean
 }
 type Finding {
@@ -1000,12 +1011,14 @@ type GitHubRepoInfo {
 repository: String!
 baseBranch: String!
 intentsPath: String!
+ terraformPath: String
 }
 input GitHubRepoInfoInput {
 repository: String!
 baseBranch: String!
 intentsPath: String!
+ terraformPath: String
 }
 type GitHubSettings {
@@ -1040,6 +1053,7 @@ input GitLabRepoInfoInput {
 projectPath: String!
 baseBranch: String!
 intentsPath: String!
+ terraformPath: String
 }
 type GitLabSettings {
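Review bot: `order: Int!` added to `AccessApprovalRuleset` carries no description, yet for an approval ruleset the evaluation order presumably decides which ruleset's `action` wins when several match, so a schema reader cannot tell whether lower or higher values are evaluated first or whether values must be unique per organization. Suggest a field description stating whichever rule the backend enforces, e.g. `"""Position in which rulesets are evaluated; lower values are evaluated first, values are unique per organization"""`. The same gap exists for `order: Int!` in `InputAccessApprovalRuleset` in the next file section, where the added `"""Ruleset"""` description is a copy of the neighbouring placeholder and conveys nothing.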
@@ -1094,6 +1108,12 @@ enum IPFamily {
 UNKNOWN
 }
+"""IP filters"""
+type IPFilterValue {
+ cidr: String!
+ exclude: [String!]
+}
+
 input IncomingInternetSourceInput {
 ip: String!
 }
@@ -1107,6 +1127,7 @@ input IncomingTrafficIntentInput {
 serverName: String!
 namespace: String!
 source: IncomingInternetSourceInput!
+ connectionsCount: ConnectionsCount
 }
 input IngressControllerConfigInput {
@@ -1119,6 +1140,8 @@ input IngressControllerConfigInput {
 input InputAccessApprovalRuleset {
 """Ruleset"""
 id: ID!
+"""Ruleset"""
+ order: Int!
 """Ruleset"""
 origin: InputAccessApprovalRulesetConfigFilter!
 """Ruleset"""
@@ -1198,6 +1221,11 @@ input InputAppliedIntentsRequestFilter {
 approvalStatuses: InputIDFilterValue
 }
+input InputAutoApproveMoreRestrictiveIntentsByEnv {
+ environmentId: ID!
+ enabled: Boolean!
+}
+
 input InputDefaultIntentsApprovalActionByEnv {
 environmentId: ID!
 action: AccessApprovalRulesetAction!
@@ -1211,6 +1239,7 @@ input InputFeatureFlags {
 useTypedIntentsCTE: Boolean
 enableInternetIntentsSuggestions: Boolean
 enableIAMIntentsSuggestions: Boolean
+ enableNetworkPoliciesInAccessGraph: Boolean
 }
 """ Findings filter """
@@ -1279,6 +1308,11 @@ input InputNumericFilterValue {
 operator: NumericFilterOperators!
 }
+input InputOffsetPagination {
+ page: Int
+ size: Int
+}
+
 input InputResourceInventoryFilter {
 serviceIds: InputIDFilterValue
 environmentIds: InputIDFilterValue
@@ -1302,15 +1336,21 @@ input InputServiceFilter {
 integrationIds: [ID!]
 }
+input InputTerraformAwsInlinePolicyInfo {
+ name: String!
+ policy: String!
+}
+
 input InputTerraformAwsPolicyInfo {
 arn: String!
+ policy: String!
 address: String!
 }
 input InputTerraformAwsRoleInfo {
 arn: String!
 address: String!
- inlinePolicy: String!
+ inlinePolicy: [InputTerraformAwsInlinePolicyInfo!]
 attachedPolicies: [InputTerraformAwsPolicyInfo!]
 }
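Review bot: `policy: String!` on `InputTerraformAwsPolicyInfo` and `InputTerraformAwsInlinePolicyInfo` has no description, so the schema does not say whether the value is the raw IAM policy document (JSON) or something derived, nor whether the server validates it as JSON before storing it; a description such as `"""IAM policy document, as JSON"""` would pin this down for clients that now must send it for every attached policy. Changing `inlinePolicy` from `String!` to `[InputTerraformAwsInlinePolicyInfo!]` is a breaking change for any client still sending a string, and the list is nullable where the old field was required, so if an absent list is meant to equal an empty one the schema should say so. `IPFilterValue`'s description `"""IP filters"""` likewise leaves `exclude` undefined — presumably CIDRs carved out of `cidr` — which is worth one sentence on the field.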
@@ -1589,6 +1629,11 @@ type Invite { status: InviteStatus! } +input InviteOrgMembershipInput { + inviteId: ID! + membership: OrganizationMembershipInput! +} + enum InviteStatus { PENDING ACCEPTED @@ -1856,6 +1901,7 @@ or, for users with a single organization, this is that single selected organizat This is selected by the X-Otterize-Organization header, or, for users with a single organization, this is that single selected organization.""" selectedUserOrganization: UserOrganizationAssociation! + selectedOrganizationRestrictionResources: OrganizationMembershipRestrictionResources } type MeMutation { @@ -2127,6 +2173,9 @@ type Mutation { acceptInvite( id: ID! ): Invite! + saveInviteOrgMemberships( + memberships: [InviteOrgMembershipInput!]! + ): Boolean! reportK8sServices( namespace: String! services: [K8sServiceInput!]! @@ -2268,6 +2317,11 @@ type NetworkMapperComponent { status: ComponentStatus! } +type NetworkPoliciesPage { + data: [NetworkPolicy!]! + meta: PaginationMeta +} + enum NetworkPoliciesStep { """Connect cluster""" CREATE_CLUSTER @@ -2297,6 +2351,7 @@ type NetworkPolicy { workloadsAffected: Int! spec: String! lastUsed: Time + metadata: NetworkPolicyMetadata } input NetworkPolicyInput { @@ -2311,6 +2366,12 @@ enum NetworkPolicyKind { CILIUM_CLUSTER_WIDE_NETWORK_POLICY } +type NetworkPolicyMetadata { + isEgress: Boolean! + isIngress: Boolean! + hasIpBlocks: Boolean! +} + enum NetworkPolicyScope { PRIMARY EGRESS @@ -2347,6 +2408,7 @@ type Organization { } type OrganizationMembership { + organizationId: ID! role: AuthRole! restrictions: OrganizationMembershipRestrictions restrictionResources: OrganizationMembershipRestrictionResources 
@@ -2385,6 +2447,8 @@ type OrganizationSettings { defaultIntentsApprovalActionByEnv: [DefaultIntentsApprovalActionByEnv!]! ignoreInternetIntents: Boolean domainsDefaultRole: AuthRole! + defaultInviteMembership: OrganizationMembership! + autoApproveMoreRestrictiveIntentsByEnv: [AutoApproveMoreRestrictiveIntentsByEnv!]! } input OrganizationSettingsInput { @@ -2393,6 +2457,8 @@ input OrganizationSettingsInput { ignoredCloudDomains: [String!] defaultIntentsApprovalActionByEnv: [InputDefaultIntentsApprovalActionByEnv!] ignoreInternetIntents: Boolean + defaultInviteMembership: OrganizationMembershipInput + autoApproveMoreRestrictiveIntentsByEnv: [InputAutoApproveMoreRestrictiveIntentsByEnv!] } input PaginationInput { @@ -2602,7 +2668,8 @@ type Query { ): NetworkPolicy networkPolicies( filter: InputNetworkPolicyFilter - ): [NetworkPolicy!]! + pagination: InputOffsetPagination + ): NetworkPoliciesPage """List organizations""" organizations: [Organization!]! """Get organization""" @@ -2652,8 +2719,6 @@ type Query { ): TerraformResourceInfo! """List users""" users: [User!]! -"""List users with restriction resources""" - orgUsersWithRestrictionResources: UsersWithRestrictionResources! orgUsers: [UserOrganizationAssociation!]! """Get user""" user( @@ -2944,6 +3009,7 @@ enum ServiceType { KUBERNETES_LOAD_BALANCER AWS_VISIBILITY_EKS DETECTED_CLOUD_SERVER + CONTROL_PLANE } type ServicesResponse { @@ -3022,13 +3088,13 @@ scalar String type TLSConfiguration { caCertificate: String - certificate: String! + certificate: String } input TLSConfigurationInput { caCertificate: String - certificate: String! - key: String! + certificate: String + key: String } enum TelemetryComponentType { 
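Review bot: Relaxing `certificate` and `key` in `TLSConfigurationInput` from `String!` to nullable independently means the schema now type-checks a configuration that has a certificate but no key, or a key but no certificate, a combination the previous non-null pair ruled out at the type level. GraphQL cannot express "both or neither", so whichever code builds this input (not visible in this diff) and the server side should reject the half-specified case explicitly rather than store a TLS configuration that can never complete a handshake; the only legitimate reading of the relaxation seems to be "CA only", and that is an inference worth confirming. At minimum a description on the input, `"""certificate and key must be supplied together; omit both to configure only caCertificate"""`, would record the intended contract next to the fields.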
@@ -3051,21 +3117,28 @@ input TelemetryInput { data: TelemetryData! } +type TerraformAwsInlinePolicyInfo { + name: String! + policy: String! +} + type TerraformAwsPolicyInfo { arn: String! + policy: String! address: String! } type TerraformAwsRoleInfo { arn: String! address: String! - inlinePolicy: String! + inlinePolicy: [TerraformAwsInlinePolicyInfo!] attachedPolicies: [TerraformAwsPolicyInfo!] } type TerraformResourceInfo { modulePath: String! - gitOriginUrl: String! + gitPlatform: String! + gitOrigin: String! gitCommitHash: String! awsRoles: [TerraformAwsRoleInfo!] } @@ -3190,11 +3263,6 @@ type UserTutorial { stepSeen: String! } -type UsersWithRestrictionResources { - orgUsers: [UserOrganizationAssociation!]! - restrictionResources: OrganizationMembershipRestrictionResources -} - """ Used to validate ID based filters """ type ValidIDFilter { clusterIds: IDFilterValue diff --git a/src/pkg/cloudclient/restapi/cloudapi/api.gen.go b/src/pkg/cloudclient/restapi/cloudapi/api.gen.go index 7f502785..c34fa5d9 100644 --- a/src/pkg/cloudclient/restapi/cloudapi/api.gen.go +++ b/src/pkg/cloudclient/restapi/cloudapi/api.gen.go 
@@ -130,6 +130,8 @@ const ( EdgeAccessStatusReasonALLOWEDBYAPPLIEDINTENTSOVERLYPERMISSIVE EdgeAccessStatusReason = "ALLOWED_BY_APPLIED_INTENTS_OVERLY_PERMISSIVE" EdgeAccessStatusReasonALLOWEDBYEXTERNALLYMANAGEDNETWORKPOLICY EdgeAccessStatusReason = "ALLOWED_BY_EXTERNALLY_MANAGED_NETWORK_POLICY" EdgeAccessStatusReasonALLOWEDBYEXTERNALTRAFFICNETWORKPOLICY EdgeAccessStatusReason = "ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY" + EdgeAccessStatusReasonALLOWEDBYINTERNETEGRESSNETWORKPOLICY EdgeAccessStatusReason = "ALLOWED_BY_INTERNET_EGRESS_NETWORK_POLICY" + EdgeAccessStatusReasonALLOWEDBYINTERNETINGRESSNETWORKPOLICY EdgeAccessStatusReason = "ALLOWED_BY_INTERNET_INGRESS_NETWORK_POLICY" EdgeAccessStatusReasonALLOWEDBYMETRICSCOLLECTIONTRAFFICNETWORKPOLICY EdgeAccessStatusReason = "ALLOWED_BY_METRICS_COLLECTION_TRAFFIC_NETWORK_POLICY" EdgeAccessStatusReasonBLOCKEDBYAPPLIEDINTENTSDATABASERESOURCEMISMATCH EdgeAccessStatusReason = "BLOCKED_BY_APPLIED_INTENTS_DATABASE_RESOURCE_MISMATCH" EdgeAccessStatusReasonBLOCKEDBYAPPLIEDINTENTSDATABASEUNDERPERMISSIVE EdgeAccessStatusReason = "BLOCKED_BY_APPLIED_INTENTS_DATABASE_UNDER_PERMISSIVE" 
@@ -143,6 +145,8 @@ const ( EdgeAccessStatusReasonBLOCKEDBYDATABASEENFORCEMENTCONFIGMISSINGAPPLIEDINTENTS EdgeAccessStatusReason = "BLOCKED_BY_DATABASE_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS" EdgeAccessStatusReasonBLOCKEDBYDEFAULTDENY EdgeAccessStatusReason = "BLOCKED_BY_DEFAULT_DENY" EdgeAccessStatusReasonBLOCKEDBYDEFAULTDENYMISSINGEXTERNALTRAFFICPOLICY EdgeAccessStatusReason = "BLOCKED_BY_DEFAULT_DENY_MISSING_EXTERNAL_TRAFFIC_POLICY" + EdgeAccessStatusReasonBLOCKEDBYINTERNETEGRESSNETWORKPOLICY EdgeAccessStatusReason = "BLOCKED_BY_INTERNET_EGRESS_NETWORK_POLICY" + EdgeAccessStatusReasonBLOCKEDBYINTERNETINGRESSNETWORKPOLICY EdgeAccessStatusReason = "BLOCKED_BY_INTERNET_INGRESS_NETWORK_POLICY" EdgeAccessStatusReasonBLOCKEDBYKAFKAENFORCEMENTCONFIGMISSINGAPPLIEDINTENTS EdgeAccessStatusReason = "BLOCKED_BY_KAFKA_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS" EdgeAccessStatusReasonCLIENTISTIOSIDECARMISSING EdgeAccessStatusReason = "CLIENT_ISTIO_SIDECAR_MISSING" EdgeAccessStatusReasonIGNOREDINCALCULATION EdgeAccessStatusReason = "IGNORED_IN_CALCULATION" 
@@ -172,6 +176,8 @@ const ( EdgeAccessStatusReasonsALLOWEDBYAPPLIEDINTENTSOVERLYPERMISSIVE EdgeAccessStatusReasons = "ALLOWED_BY_APPLIED_INTENTS_OVERLY_PERMISSIVE" EdgeAccessStatusReasonsALLOWEDBYEXTERNALLYMANAGEDNETWORKPOLICY EdgeAccessStatusReasons = "ALLOWED_BY_EXTERNALLY_MANAGED_NETWORK_POLICY" EdgeAccessStatusReasonsALLOWEDBYEXTERNALTRAFFICNETWORKPOLICY EdgeAccessStatusReasons = "ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY" + EdgeAccessStatusReasonsALLOWEDBYINTERNETEGRESSNETWORKPOLICY EdgeAccessStatusReasons = "ALLOWED_BY_INTERNET_EGRESS_NETWORK_POLICY" + EdgeAccessStatusReasonsALLOWEDBYINTERNETINGRESSNETWORKPOLICY EdgeAccessStatusReasons = "ALLOWED_BY_INTERNET_INGRESS_NETWORK_POLICY" EdgeAccessStatusReasonsALLOWEDBYMETRICSCOLLECTIONTRAFFICNETWORKPOLICY EdgeAccessStatusReasons = "ALLOWED_BY_METRICS_COLLECTION_TRAFFIC_NETWORK_POLICY" EdgeAccessStatusReasonsBLOCKEDBYAPPLIEDINTENTSDATABASERESOURCEMISMATCH EdgeAccessStatusReasons = "BLOCKED_BY_APPLIED_INTENTS_DATABASE_RESOURCE_MISMATCH" EdgeAccessStatusReasonsBLOCKEDBYAPPLIEDINTENTSDATABASEUNDERPERMISSIVE EdgeAccessStatusReasons = "BLOCKED_BY_APPLIED_INTENTS_DATABASE_UNDER_PERMISSIVE" 
@@ -185,6 +191,8 @@ const ( EdgeAccessStatusReasonsBLOCKEDBYDATABASEENFORCEMENTCONFIGMISSINGAPPLIEDINTENTS EdgeAccessStatusReasons = "BLOCKED_BY_DATABASE_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS" EdgeAccessStatusReasonsBLOCKEDBYDEFAULTDENY EdgeAccessStatusReasons = "BLOCKED_BY_DEFAULT_DENY" EdgeAccessStatusReasonsBLOCKEDBYDEFAULTDENYMISSINGEXTERNALTRAFFICPOLICY EdgeAccessStatusReasons = "BLOCKED_BY_DEFAULT_DENY_MISSING_EXTERNAL_TRAFFIC_POLICY" + EdgeAccessStatusReasonsBLOCKEDBYINTERNETEGRESSNETWORKPOLICY EdgeAccessStatusReasons = "BLOCKED_BY_INTERNET_EGRESS_NETWORK_POLICY" + EdgeAccessStatusReasonsBLOCKEDBYINTERNETINGRESSNETWORKPOLICY EdgeAccessStatusReasons = "BLOCKED_BY_INTERNET_INGRESS_NETWORK_POLICY" EdgeAccessStatusReasonsBLOCKEDBYKAFKAENFORCEMENTCONFIGMISSINGAPPLIEDINTENTS EdgeAccessStatusReasons = "BLOCKED_BY_KAFKA_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS" EdgeAccessStatusReasonsCLIENTISTIOSIDECARMISSING EdgeAccessStatusReasons = "CLIENT_ISTIO_SIDECAR_MISSING" EdgeAccessStatusReasonsIGNOREDINCALCULATION EdgeAccessStatusReasons = "IGNORED_IN_CALCULATION" @@ -381,6 +389,7 @@ const ( ServiceAccessGraphTypesAWS ServiceAccessGraphTypes = "AWS" ServiceAccessGraphTypesAWSVISIBILITYEKS ServiceAccessGraphTypes = "AWS_VISIBILITY_EKS" ServiceAccessGraphTypesAZURE ServiceAccessGraphTypes = "AZURE" + ServiceAccessGraphTypesCONTROLPLANE ServiceAccessGraphTypes = "CONTROL_PLANE" ServiceAccessGraphTypesDATABASE ServiceAccessGraphTypes = "DATABASE" ServiceAccessGraphTypesDATABASEUSER ServiceAccessGraphTypes = "DATABASE_USER" ServiceAccessGraphTypesDETECTEDCLOUDSERVER ServiceAccessGraphTypes = "DETECTED_CLOUD_SERVER" 
@@ -572,6 +581,12 @@ type AccessLogEdge struct { Timestamp time.Time `json:"timestamp"` } +// AutoApproveMoreRestrictiveIntentsByEnv defines model for AutoApproveMoreRestrictiveIntentsByEnv. +type AutoApproveMoreRestrictiveIntentsByEnv struct { + Enabled bool `json:"enabled"` + EnvironmentId string `json:"environmentId"` +} + // AzureInfo defines model for AzureInfo. type AzureInfo struct { AksClusterName string `json:"aksClusterName"` @@ -885,13 +900,14 @@ type Error struct { // FeatureFlags defines model for FeatureFlags. type FeatureFlags struct { - EnableFindingsV2 *bool `json:"enableFindingsV2,omitempty"` - EnableIAMIntentsSuggestions *bool `json:"enableIAMIntentsSuggestions,omitempty"` - EnableInternetIntentsSuggestions *bool `json:"enableInternetIntentsSuggestions,omitempty"` - IsCloudSecurityEnabled *bool `json:"isCloudSecurityEnabled,omitempty"` - IsCloudServicesDetectionEnabled *bool `json:"isCloudServicesDetectionEnabled,omitempty"` - UseClientIntentsV2 *bool `json:"useClientIntentsV2,omitempty"` - UseTypedIntentsCTE *bool `json:"useTypedIntentsCTE,omitempty"` + EnableFindingsV2 *bool `json:"enableFindingsV2,omitempty"` + EnableIAMIntentsSuggestions *bool `json:"enableIAMIntentsSuggestions,omitempty"` + EnableInternetIntentsSuggestions *bool `json:"enableInternetIntentsSuggestions,omitempty"` + EnableNetworkPoliciesInAccessGraph *bool `json:"enableNetworkPoliciesInAccessGraph,omitempty"` + IsCloudSecurityEnabled *bool `json:"isCloudSecurityEnabled,omitempty"` + IsCloudServicesDetectionEnabled *bool `json:"isCloudServicesDetectionEnabled,omitempty"` + UseClientIntentsV2 *bool `json:"useClientIntentsV2,omitempty"` + UseTypedIntentsCTE *bool `json:"useTypedIntentsCTE,omitempty"` } // GCPInfo defines model for GCPInfo. 
@@ -930,9 +946,10 @@ type GitHubRepoFilterPair struct { // GitHubRepoInfo defines model for GitHubRepoInfo. type GitHubRepoInfo struct { - BaseBranch string `json:"baseBranch"` - IntentsPath string `json:"intentsPath"` - Repository string `json:"repository"` + BaseBranch string `json:"baseBranch"` + IntentsPath string `json:"intentsPath"` + Repository string `json:"repository"` + TerraformPath *string `json:"terraformPath,omitempty"` } // GitHubSettings defines model for GitHubSettings. @@ -1007,13 +1024,14 @@ type InputAccessLogFilter struct { // InputFeatureFlags defines model for InputFeatureFlags. type InputFeatureFlags struct { - EnableFindingsV2 *bool `json:"enableFindingsV2,omitempty"` - EnableIAMIntentsSuggestions *bool `json:"enableIAMIntentsSuggestions,omitempty"` - EnableInternetIntentsSuggestions *bool `json:"enableInternetIntentsSuggestions,omitempty"` - IsCloudSecurityEnabled *bool `json:"isCloudSecurityEnabled,omitempty"` - IsCloudServicesDetectionEnabled *bool `json:"isCloudServicesDetectionEnabled,omitempty"` - UseClientIntentsV2 *bool `json:"useClientIntentsV2,omitempty"` - UseTypedIntentsCTE *bool `json:"useTypedIntentsCTE,omitempty"` + EnableFindingsV2 *bool `json:"enableFindingsV2,omitempty"` + EnableIAMIntentsSuggestions *bool `json:"enableIAMIntentsSuggestions,omitempty"` + EnableInternetIntentsSuggestions *bool `json:"enableInternetIntentsSuggestions,omitempty"` + EnableNetworkPoliciesInAccessGraph *bool `json:"enableNetworkPoliciesInAccessGraph,omitempty"` + IsCloudSecurityEnabled *bool `json:"isCloudSecurityEnabled,omitempty"` + IsCloudServicesDetectionEnabled *bool `json:"isCloudServicesDetectionEnabled,omitempty"` + UseClientIntentsV2 *bool `json:"useClientIntentsV2,omitempty"` + UseTypedIntentsCTE *bool `json:"useTypedIntentsCTE,omitempty"` } // InputServiceFilter Service filter 
@@ -1208,9 +1226,10 @@ type LabelValueTuple struct { // Me defines model for Me. type Me struct { - Invites []Invite `json:"invites"` - User User `json:"user"` - UserOrganizations []UserOrganizationAssociation `json:"userOrganizations"` + Invites []Invite `json:"invites"` + SelectedOrganizationRestrictionResources *OrganizationMembershipRestrictionResources `json:"selectedOrganizationRestrictionResources,omitempty"` + User User `json:"user"` + UserOrganizations []UserOrganizationAssociation `json:"userOrganizations"` } // MergedYAMLFile defines model for MergedYAMLFile. @@ -1271,8 +1290,9 @@ type Organization struct { // OrganizationMembership defines model for OrganizationMembership. type OrganizationMembership struct { - Restrictions *OrganizationMembershipRestrictions `json:"restrictions,omitempty"` - Role OrganizationMembershipRole `json:"role"` + OrganizationId string `json:"organizationId"` + Restrictions *OrganizationMembershipRestrictions `json:"restrictions,omitempty"` + Role OrganizationMembershipRole `json:"role"` } // OrganizationMembershipRole defines model for OrganizationMembership.Role. @@ -1287,6 +1307,22 @@ type OrganizationMembershipInput struct { // OrganizationMembershipInputRole defines model for OrganizationMembershipInput.Role. type OrganizationMembershipInputRole string +// OrganizationMembershipRestrictionResources defines model for OrganizationMembershipRestrictionResources. +type OrganizationMembershipRestrictionResources struct { + Clusters []struct { + Id string `json:"id"` + } `json:"clusters"` + Environments []struct { + Id string `json:"id"` + } `json:"environments"` + Namespaces []struct { + Id string `json:"id"` + } `json:"namespaces"` + Services []struct { + Id string `json:"id"` + } `json:"services"` +} + // OrganizationMembershipRestrictions defines model for OrganizationMembershipRestrictions. type OrganizationMembershipRestrictions struct { ClusterIds *IDFilterValue `json:"clusterIds,omitempty"` 
@@ -1297,12 +1333,14 @@ type OrganizationMembershipRestrictions struct { // OrganizationSettings defines model for OrganizationSettings. type OrganizationSettings struct { - DefaultIntentsApprovalActionByEnv []DefaultIntentsApprovalActionByEnv `json:"defaultIntentsApprovalActionByEnv"` - Domains *[]string `json:"domains,omitempty"` - DomainsDefaultRole OrganizationSettingsDomainsDefaultRole `json:"domainsDefaultRole"` - EnforcedRegulations *[]string `json:"enforcedRegulations,omitempty"` - IgnoreInternetIntents *bool `json:"ignoreInternetIntents,omitempty"` - IgnoredCloudDomains *[]string `json:"ignoredCloudDomains,omitempty"` + AutoApproveMoreRestrictiveIntentsByEnv []AutoApproveMoreRestrictiveIntentsByEnv `json:"autoApproveMoreRestrictiveIntentsByEnv"` + DefaultIntentsApprovalActionByEnv []DefaultIntentsApprovalActionByEnv `json:"defaultIntentsApprovalActionByEnv"` + DefaultInviteMembership OrganizationMembership `json:"defaultInviteMembership"` + Domains *[]string `json:"domains,omitempty"` + DomainsDefaultRole OrganizationSettingsDomainsDefaultRole `json:"domainsDefaultRole"` + EnforcedRegulations *[]string `json:"enforcedRegulations,omitempty"` + IgnoreInternetIntents *bool `json:"ignoreInternetIntents,omitempty"` + IgnoredCloudDomains *[]string `json:"ignoredCloudDomains,omitempty"` } // OrganizationSettingsDomainsDefaultRole defines model for OrganizationSettings.DomainsDefaultRole. 
@@ -1310,11 +1348,13 @@ type OrganizationSettingsDomainsDefaultRole string // OrganizationSettingsInput defines model for OrganizationSettingsInput. type OrganizationSettingsInput struct { - DefaultIntentsApprovalActionByEnv *[]map[string]interface{} `json:"defaultIntentsApprovalActionByEnv,omitempty"` - Domains *[]string `json:"domains,omitempty"` - EnforcedRegulations *[]string `json:"enforcedRegulations,omitempty"` - IgnoreInternetIntents *bool `json:"ignoreInternetIntents,omitempty"` - IgnoredCloudDomains *[]string `json:"ignoredCloudDomains,omitempty"` + AutoApproveMoreRestrictiveIntentsByEnv *[]map[string]interface{} `json:"autoApproveMoreRestrictiveIntentsByEnv,omitempty"` + DefaultIntentsApprovalActionByEnv *[]map[string]interface{} `json:"defaultIntentsApprovalActionByEnv,omitempty"` + DefaultInviteMembership *map[string]interface{} `json:"defaultInviteMembership,omitempty"` + Domains *[]string `json:"domains,omitempty"` + EnforcedRegulations *[]string `json:"enforcedRegulations,omitempty"` + IgnoreInternetIntents *bool `json:"ignoreInternetIntents,omitempty"` + IgnoredCloudDomains *[]string `json:"ignoredCloudDomains,omitempty"` } // PaginationInput defines model for PaginationInput. 
@@ -1509,28 +1549,36 @@ type SlackSettingsInput struct { // TLSConfiguration defines model for TLSConfiguration. type TLSConfiguration struct { CaCertificate *string `json:"caCertificate,omitempty"` - Certificate string `json:"certificate"` + Certificate *string `json:"certificate,omitempty"` +} + +// TerraformAwsInlinePolicyInfo defines model for TerraformAwsInlinePolicyInfo. +type TerraformAwsInlinePolicyInfo struct { + Name string `json:"name"` + Policy string `json:"policy"` } // TerraformAwsPolicyInfo defines model for TerraformAwsPolicyInfo. type TerraformAwsPolicyInfo struct { Address string `json:"address"` Arn string `json:"arn"` + Policy string `json:"policy"` } // TerraformAwsRoleInfo defines model for TerraformAwsRoleInfo. type TerraformAwsRoleInfo struct { - Address string `json:"address"` - Arn string `json:"arn"` - AttachedPolicies *[]TerraformAwsPolicyInfo `json:"attachedPolicies,omitempty"` - InlinePolicy string `json:"inlinePolicy"` + Address string `json:"address"` + Arn string `json:"arn"` + AttachedPolicies *[]TerraformAwsPolicyInfo `json:"attachedPolicies,omitempty"` + InlinePolicy *[]TerraformAwsInlinePolicyInfo `json:"inlinePolicy,omitempty"` } // TerraformResourceInfo defines model for TerraformResourceInfo. type TerraformResourceInfo struct { AwsRoles *[]TerraformAwsRoleInfo `json:"awsRoles,omitempty"` GitCommitHash string `json:"gitCommitHash"` - GitOriginUrl string `json:"gitOriginUrl"` + GitOrigin string `json:"gitOrigin"` + GitPlatform string `json:"gitPlatform"` ModulePath string `json:"modulePath"` } diff --git a/src/pkg/cloudclient/restapi/cloudapi/openapi.json b/src/pkg/cloudclient/restapi/cloudapi/openapi.json index c270d56f..3f9d9e42 100644 --- a/src/pkg/cloudclient/restapi/cloudapi/openapi.json +++ b/src/pkg/cloudclient/restapi/cloudapi/openapi.json 
@@ -558,6 +558,21 @@ ], "type": "object" }, + "AutoApproveMoreRestrictiveIntentsByEnv": { + "properties": { + "enabled": { + "type": "boolean" + }, + "environmentId": { + "type": "string" + } + }, + "required": [ + "environmentId", + "enabled" + ], + "type": "object" + }, "AzureInfo": { "properties": { "aksClusterName": { @@ -1426,6 +1441,8 @@ "ALLOWED_BY_APPLIED_INTENTS_KAFKA_OVERLY_PERMISSIVE", "ALLOWED_BY_APPLIED_INTENTS_DATABASE_OVERLY_PERMISSIVE", "ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY", + "ALLOWED_BY_INTERNET_EGRESS_NETWORK_POLICY", + "ALLOWED_BY_INTERNET_INGRESS_NETWORK_POLICY", "WOULD_BE_ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY", "BLOCKED_BY_APPLIED_INTENTS_UNDER_PERMISSIVE", "BLOCKED_BY_APPLIED_INTENTS_RESOURCE_MISMATCH", @@ -1437,6 +1454,8 @@ "BLOCKED_BY_APPLIED_INTENTS_DATABASE_UNDER_PERMISSIVE", "BLOCKED_BY_APPLIED_INTENTS_DATABASE_RESOURCE_MISMATCH", "BLOCKED_BY_DATABASE_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS", + "BLOCKED_BY_INTERNET_EGRESS_NETWORK_POLICY", + "BLOCKED_BY_INTERNET_INGRESS_NETWORK_POLICY", "BLOCKED_BY_DEFAULT_DENY", "SHARED_SERVICE_ACCOUNT", "CLIENT_ISTIO_SIDECAR_MISSING", @@ -1470,6 +1489,8 @@ "ALLOWED_BY_APPLIED_INTENTS_KAFKA_OVERLY_PERMISSIVE", "ALLOWED_BY_APPLIED_INTENTS_DATABASE_OVERLY_PERMISSIVE", "ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY", + "ALLOWED_BY_INTERNET_EGRESS_NETWORK_POLICY", + "ALLOWED_BY_INTERNET_INGRESS_NETWORK_POLICY", "WOULD_BE_ALLOWED_BY_EXTERNAL_TRAFFIC_NETWORK_POLICY", "BLOCKED_BY_APPLIED_INTENTS_UNDER_PERMISSIVE", "BLOCKED_BY_APPLIED_INTENTS_RESOURCE_MISMATCH", @@ -1481,6 +1502,8 @@ "BLOCKED_BY_APPLIED_INTENTS_DATABASE_UNDER_PERMISSIVE", "BLOCKED_BY_APPLIED_INTENTS_DATABASE_RESOURCE_MISMATCH", "BLOCKED_BY_DATABASE_ENFORCEMENT_CONFIG_MISSING_APPLIED_INTENTS", + "BLOCKED_BY_INTERNET_EGRESS_NETWORK_POLICY", + "BLOCKED_BY_INTERNET_INGRESS_NETWORK_POLICY", "BLOCKED_BY_DEFAULT_DENY", "SHARED_SERVICE_ACCOUNT", "CLIENT_ISTIO_SIDECAR_MISSING", 
@@ -1648,6 +1671,9 @@ "enableInternetIntentsSuggestions": { "type": "boolean" }, + "enableNetworkPoliciesInAccessGraph": { + "type": "boolean" + }, "isCloudSecurityEnabled": { "type": "boolean" }, @@ -1794,6 +1820,9 @@ }, "repository": { "type": "string" + }, + "terraformPath": { + "type": "string" } }, "required": [ @@ -1813,6 +1842,9 @@ }, "repository": { "type": "string" + }, + "terraformPath": { + "type": "string" } }, "required": [ @@ -1924,6 +1956,9 @@ }, "projectPath": { "type": "string" + }, + "terraformPath": { + "type": "string" } }, "required": [ @@ -2076,6 +2111,21 @@ }, "type": "object" }, + "InputAutoApproveMoreRestrictiveIntentsByEnv": { + "properties": { + "enabled": { + "type": "boolean" + }, + "environmentId": { + "type": "string" + } + }, + "required": [ + "environmentId", + "enabled" + ], + "type": "object" + }, "InputDefaultIntentsApprovalActionByEnv": { "properties": { "action": { @@ -2107,6 +2157,9 @@ "enableInternetIntentsSuggestions": { "type": "boolean" }, + "enableNetworkPoliciesInAccessGraph": { + "type": "boolean" + }, "isCloudSecurityEnabled": { "type": "boolean" }, @@ -2291,6 +2344,21 @@ }, "type": "object" }, + "InputTerraformAwsInlinePolicyInfo": { + "properties": { + "name": { + "type": "string" + }, + "policy": { + "type": "string" + } + }, + "required": [ + "name", + "policy" + ], + "type": "object" + }, "InputTerraformAwsPolicyInfo": { "properties": { "address": { @@ -2298,10 +2366,14 @@ }, "arn": { "type": "string" + }, + "policy": { + "type": "string" } }, "required": [ "arn", + "policy", "address" ], "type": "object" @@ -2321,13 +2393,15 @@ "type": "array" }, "inlinePolicy": { - "type": "string" + "items": { + "type": "object" + }, + "type": "array" } }, "required": [ "arn", - "address", - "inlinePolicy" + "address" ], "type": "object" }, 
@@ -3078,6 +3152,9 @@ }, "type": "array" }, + "selectedOrganizationRestrictionResources": { + "$ref": "#/components/schemas/OrganizationMembershipRestrictionResources" + }, "user": { "$ref": "#/components/schemas/User", "description": "The logged-in user details." @@ -3267,6 +3344,9 @@ "format": "date-time", "type": "string" }, + "metadata": { + "$ref": "#/components/schemas/NetworkPolicyMetadata" + }, "name": { "type": "string" }, @@ -3310,6 +3390,25 @@ ], "type": "object" }, + "NetworkPolicyMetadata": { + "properties": { + "hasIpBlocks": { + "type": "boolean" + }, + "isEgress": { + "type": "boolean" + }, + "isIngress": { + "type": "boolean" + } + }, + "required": [ + "isEgress", + "isIngress", + "hasIpBlocks" + ], + "type": "object" + }, "NetworkPolicyWorkload": { "properties": { "scope": { @@ -3395,6 +3494,9 @@ }, "OrganizationMembership": { "properties": { + "organizationId": { + "type": "string" + }, "restrictions": { "$ref": "#/components/schemas/OrganizationMembershipRestrictions" }, @@ -3407,6 +3509,7 @@ } }, "required": [ + "organizationId", "role" ], "type": "object" 
@@ -3429,6 +3532,73 @@ ], "type": "object" }, + "OrganizationMembershipRestrictionResources": { + "properties": { + "clusters": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "type": "array" + }, + "environments": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "type": "array" + }, + "namespaces": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "type": "array" + }, + "services": { + "items": { + "properties": { + "id": { + "type": "string" + } + }, + "required": [ + "id" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "clusters", + "services", + "namespaces", + "environments" + ], + "type": "object" + }, "OrganizationMembershipRestrictions": { "properties": { "clusterIds": { @@ -3465,12 +3635,21 @@ }, "OrganizationSettings": { "properties": { + "autoApproveMoreRestrictiveIntentsByEnv": { + "items": { + "$ref": "#/components/schemas/AutoApproveMoreRestrictiveIntentsByEnv" + }, + "type": "array" + }, "defaultIntentsApprovalActionByEnv": { "items": { "$ref": "#/components/schemas/DefaultIntentsApprovalActionByEnv" }, "type": "array" }, + "defaultInviteMembership": { + "$ref": "#/components/schemas/OrganizationMembership" + }, "domains": { "items": { "type": "string" @@ -3502,18 +3681,29 @@ }, "required": [ "defaultIntentsApprovalActionByEnv", - "domainsDefaultRole" + "domainsDefaultRole", + "defaultInviteMembership", + "autoApproveMoreRestrictiveIntentsByEnv" ], "type": "object" }, "OrganizationSettingsInput": { "properties": { + "autoApproveMoreRestrictiveIntentsByEnv": { + "items": { + "type": "object" + }, + "type": "array" + }, "defaultIntentsApprovalActionByEnv": { "items": { "type": "object" }, "type": "array" }, + "defaultInviteMembership": { + "type": "object" + }, "domains": { "items": { "type": "string" 
@@ -3951,7 +4141,8 @@ "DATABASE_USER", "KUBERNETES_LOAD_BALANCER", "AWS_VISIBILITY_EKS", - "DETECTED_CLOUD_SERVER" + "DETECTED_CLOUD_SERVER", + "CONTROL_PLANE" ], "type": "string" }, @@ -4176,9 +4367,6 @@ "type": "string" } }, - "required": [ - "certificate" - ], "type": "object" }, "TLSConfigurationInput": { @@ -4193,9 +4381,20 @@ "type": "string" } }, + "type": "object" + }, + "TerraformAwsInlinePolicyInfo": { + "properties": { + "name": { + "type": "string" + }, + "policy": { + "type": "string" + } + }, "required": [ - "certificate", - "key" + "name", + "policy" ], "type": "object" }, @@ -4206,10 +4405,14 @@ }, "arn": { "type": "string" + }, + "policy": { + "type": "string" } }, "required": [ "arn", + "policy", "address" ], "type": "object" @@ -4229,13 +4432,15 @@ "type": "array" }, "inlinePolicy": { - "type": "string" + "items": { + "$ref": "#/components/schemas/TerraformAwsInlinePolicyInfo" + }, + "type": "array" } }, "required": [ "arn", - "address", - "inlinePolicy" + "address" ], "type": "object" }, @@ -4250,7 +4455,10 @@ "gitCommitHash": { "type": "string" }, - "gitOriginUrl": { + "gitOrigin": { + "type": "string" + }, + "gitPlatform": { "type": "string" }, "modulePath": { @@ -4259,7 +4467,8 @@ }, "required": [ "modulePath", - "gitOriginUrl", + "gitPlatform", + "gitOrigin", "gitCommitHash" ], "type": "object" @@ -4415,7 +4624,7 @@ "info": { "title": "Otterize API Server", "version": "v1beta", - "x-revision": "fed83e7133faef5e9b8ed7a801c3fb39b681efaa" + "x-revision": "da79d06c3db3865027b8106013dae6bbcd6515e7" }, "openapi": "3.0.0", "paths": { diff --git a/src/pkg/git/types.go b/src/pkg/git/types.go new file mode 100644 index 00000000..7b7fb73d --- /dev/null +++ b/src/pkg/git/types.go @@ -0,0 +1,7 @@ +package git + +type LocalGitInformation struct { + Commit string + OriginUrl string + RelativePath string +} diff --git a/src/pkg/git/utils.go b/src/pkg/git/utils.go new file mode 100644 index 00000000..d15bb5c8 --- /dev/null +++ b/src/pkg/git/utils.go 
@@ -0,0 +1,61 @@
+package git
+
+import (
+ "github.com/go-git/go-git/v5"
+ "github.com/otterize/otterize-cli/src/pkg/errors"
+ "os"
+ "path/filepath"
+)
+
+func GetGitRoot(repo *git.Repository) (string, error) {
+ wt, err := repo.Worktree()
+ if err != nil {
+ return "", errors.Wrap(err)
+ }
+ return wt.Filesystem.Root(), nil
+}
+
+func GetGitRepoInformation(workingDir string) (*LocalGitInformation, error) {
+ var err error
+ if workingDir == "" {
+ workingDir = os.Getenv("PWD")
+ }
+
+ repo, err := git.PlainOpenWithOptions(workingDir, &git.PlainOpenOptions{DetectDotGit: true})
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ remotes, err := repo.Remotes()
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ headRef, err := repo.Head()
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ gitRoot, err := GetGitRoot(repo)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ var gitInfo LocalGitInformation
+ gitInfo.Commit = headRef.Hash().String()
+
+ relativePath, err := filepath.Rel(gitRoot, workingDir)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ gitInfo.RelativePath = relativePath
+
+ for _, remote := range remotes {
+ if remote.Config().Name == "origin" {
+ gitInfo.OriginUrl = remote.Config().URLs[0] // Get the first URL
+ break
+ }
+ }
+
+ return &gitInfo, nil
+}
diff --git a/src/pkg/mapperclient/schema.graphql b/src/pkg/mapperclient/schema.graphql
index 93259d40..8d7f1b44 100644
--- a/src/pkg/mapperclient/schema.graphql
+++ b/src/pkg/mapperclient/schema.graphql
@@ -43,6 +43,11 @@ type GroupVersionKind {
 kind: String!
 }
 
+type TCPDestResolveBugfixData {
+ isSrcControlPlane: Boolean!
+ resolvedUsingIp: Boolean!
+}
+
 type IdentityResolutionData {
 host: String
 podHostname: String
@@ -53,6 +58,7 @@ type IdentityResolutionData {
 lastSeen: String
 extraInfo: String
 hasLinkerdSidecar: Boolean
+ tcpDestResolveFixData: TCPDestResolveBugfixData
 }
 
 type OtterizeServiceIdentity {
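Review bot: `os.Getenv("PWD")` is not a reliable fallback for the working directory in `GetGitRepoInformation` — it is a shell-maintained variable that can be unset or stale (non-shell parent, or a process that has already changed directory), and an empty or relative value makes the later `filepath.Rel(gitRoot, workingDir)` fail because `gitRoot` is absolute; `os.Getwd()` plus `filepath.Abs` gives the absolute path the rest of the function needs, for caller-supplied relative paths too. Two smaller issues sit in the same function: `remote.Config().URLs[0]` is indexed without a length check and panics on an `origin` remote whose URL list is empty, and the origin URL is copied verbatim, so an https remote with embedded credentials (`https://user:token@host/org/repo`) is recorded as-is — if `OriginUrl` feeds the `gitOrigin` field this commit adds to the API schema, that is a token leaving the machine. The rewrite below strips userinfo for http(s) remotes only (ssh and scp-style remotes carry no secret in that position) and needs `net/url` added to the import block.
```go
func GetGitRepoInformation(workingDir string) (*LocalGitInformation, error) {
	if workingDir == "" {
		// $PWD is shell-maintained and may be unset or stale; ask the OS instead.
		cwd, err := os.Getwd()
		if err != nil {
			return nil, errors.Wrap(err)
		}
		workingDir = cwd
	}
	// filepath.Rel below needs an absolute path, even when the caller passed a relative one.
	workingDir, err := filepath.Abs(workingDir)
	if err != nil {
		return nil, errors.Wrap(err)
	}
	// … unchanged: PlainOpenWithOptions, Remotes, Head, GetGitRoot, Commit, Rel …
	for _, remote := range remotes {
		cfg := remote.Config()
		if cfg.Name != "origin" {
			continue
		}
		if len(cfg.URLs) > 0 {
			gitInfo.OriginUrl = redactUserinfo(cfg.URLs[0])
		}
		break
	}
	// … unchanged: return &gitInfo, nil …
}

// redactUserinfo strips any user[:password]@ component from an http(s) remote URL so an
// embedded token is never recorded; other schemes (ssh://, scp-style) are returned unchanged.
func redactUserinfo(raw string) string {
	u, err := url.Parse(raw)
	if err != nil || u.User == nil || (u.Scheme != "http" && u.Scheme != "https") {
		return raw
	}
	u.User = nil
	return u.String()
}
```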
diff --git a/src/pkg/terraform/aws.go b/src/pkg/terraform/aws.go new file mode 100644 index 00000000..f830b4a4 --- /dev/null +++ b/src/pkg/terraform/aws.go 
@@ -0,0 +1,160 @@
+package terraform
+
+import (
+ "bytes"
+ "encoding/json"
+ tfjson "github.com/hashicorp/terraform-json"
+ "github.com/otterize/otterize-cli/src/data"
+ "github.com/otterize/otterize-cli/src/pkg/errors"
+ "github.com/otterize/otterize-cli/src/pkg/utils/prints"
+ "github.com/sirupsen/logrus"
+)
+
+var AwsManagedPolicies map[string]bool
+
+func init() {
+ var policyList []string
+ err := json.Unmarshal(data.AwsManagedPolicies, &policyList)
+ if err != nil {
+ logrus.Fatalf("Failed to unmarshal AWS managed policies: %v", err)
+ }
+
+ AwsManagedPolicies = make(map[string]bool)
+ for _, policy := range policyList {
+ AwsManagedPolicies[policy] = true
+ }
+}
+
+func ExtractAwsRoleAndPolicies(state *tfjson.State) ([]AwsRoleInfo, error) {
+ roleIdToInfo := make(map[string]AwsRoleInfo)
+ policyArnToInfo := make(map[string]AwsPolicyInfo)
+ roleIdToPolicies := make(map[string][]string)
+
+ if state.Values == nil {
+ return []AwsRoleInfo{}, nil
+ }
+
+ for _, resource := range state.Values.RootModule.Resources {
+ if resource.Type == "aws_iam_role" {
+ err := extractAwsIamRoleInfo(resource, roleIdToInfo)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ }
+ if resource.Type == "aws_iam_policy" {
+ err := extractAwsIamPolicyInfo(resource, policyArnToInfo)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ }
+ if resource.Type == "aws_iam_role_policy_attachment" {
+ extractAwsIamRolePolicyAttachmentInfo(resource, roleIdToPolicies)
+ }
+
+ // Support older format
+ if resource.Type == "aws_iam_policy_attachment" {
+ extractAwsIamPolicyAttachmentInfo(resource, roleIdToPolicies)
+ }
+ }
+
+ for _, childModule := range state.Values.RootModule.ChildModules {
+ for _, resource := range childModule.Resources {
+ if resource.Type == "aws_iam_role" {
+ err := extractAwsIamRoleInfo(resource, roleIdToInfo)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ }
+ if resource.Type == "aws_iam_policy" {
+ err := extractAwsIamPolicyInfo(resource, policyArnToInfo)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ }
+ if resource.Type == "aws_iam_role_policy_attachment" {
+ extractAwsIamRolePolicyAttachmentInfo(resource, roleIdToPolicies)
+ }
+ }
+ }
+
+ // Return all roles that we found in the terraform state and their attached policies
+ var roleInfoList []AwsRoleInfo
+ for id, roleInfo := range roleIdToInfo {
+ if policies, ok := roleIdToPolicies[id]; ok {
+ roleInfo.AttachedPolicies = []AwsPolicyInfo{}
+
+ for _, policyArn := range policies {
+ if policyInfo, ok := policyArnToInfo[policyArn]; ok {
+ roleInfo.AttachedPolicies = append(roleInfo.AttachedPolicies, policyInfo)
+ } else {
+ _, isManagedPolicy := AwsManagedPolicies[policyArn]
+ if !isManagedPolicy {
+ prints.PrintCliOutput("Did not find policy matching ARN '%s', deleted in this version?", policyArn)
+ }
+ }
+ }
+ }
+
+ roleInfoList = append(roleInfoList, roleInfo)
+ }
+
+ return roleInfoList, nil
+}
+
+func extractAwsIamRoleInfo(resource *tfjson.StateResource, roleIdToArn map[string]AwsRoleInfo) error {
+ inlinePolicyBytes, err := json.Marshal(resource.AttributeValues["inline_policy"])
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ var inlinePolicies []AwsInlinePolicyInfo
+ err = json.Unmarshal(inlinePolicyBytes, &inlinePolicies)
+ if err != nil {
+ return errors.Wrap(err)
+ }
+
+ id := resource.AttributeValues["id"].(string)
+ arn := resource.AttributeValues["arn"].(string)
+ roleIdToArn[id] = AwsRoleInfo{
+ Arn: arn,
+ Address: resource.Address,
+ InlinePolicy: inlinePolicies,
+ }
+
+ return nil
+}
+
+func extractAwsIamRolePolicyAttachmentInfo(resource *tfjson.StateResource, roleIdToPolicies map[string][]string) {
+ roleId := resource.AttributeValues["role"].(string)
+ policyArn := resource.AttributeValues["policy_arn"].(string)
+
+ roleIdToPolicies[roleId] = append(roleIdToPolicies[roleId], policyArn)
+}
+
+func extractAwsIamPolicyAttachmentInfo(resource *tfjson.StateResource, roleIdToPolicies map[string][]string) {
+ policyArn := resource.AttributeValues["policy_arn"].(string)
+
+ roles := resource.AttributeValues["roles"].([]interface{})
+ for _, role := range roles {
+ roleId := role.(string)
+ roleIdToPolicies[roleId] = append(roleIdToPolicies[roleId], policyArn)
+ }
+}
+
+func extractAwsIamPolicyInfo(resource *tfjson.StateResource, policyArnToInfo map[string]AwsPolicyInfo) error {
+ policyArn := resource.AttributeValues["arn"].(string)
+
+ policyBuffer := &bytes.Buffer{}
+ policyString := resource.AttributeValues["policy"].(string)
+ if err := json.Compact(policyBuffer, []byte(policyString)); err != nil {
+ panic(err)
+ }
+
+ policyArnToInfo[policyArn] = AwsPolicyInfo{
+ Arn: policyArn,
+ Policy: policyBuffer.String(),
+ Address: resource.Address,
+ }
+
+ return nil
+}
diff --git a/src/pkg/terraform/types.go b/src/pkg/terraform/types.go
new file mode 100644
index 00000000..b317373f
--- /dev/null
+++ b/src/pkg/terraform/types.go
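Review bot: Every attribute read in the helpers (`id`, `arn`, `role`, `policy_arn`, `roles`, `policy`) is a single-value type assertion, so a state entry where the key is absent or null — e.g. a resource that was only partially applied — panics the CLI instead of surfacing an error, and `extractAwsIamPolicyInfo` calls `panic(err)` on `json.Compact` although it already returns an `error`. The sketch below adds a `stringAttr` helper using the comma-ok form (it uses `fmt.Errorf`, so `fmt` would need importing) and applies it to `extractAwsIamPolicyInfo`; the other helpers want the same treatment. Two smaller points in `ExtractAwsRoleAndPolicies`: the child-module loop has no `aws_iam_policy_attachment` branch, unlike the root loop's "Support older format" case, and modules nested below the first level (`childModule.ChildModules`) are never visited, so roles defined there are silently omitted — a recursive walk over `*tfjson.StateModule` would cover both. `AwsManagedPolicies` and `ExtractAwsRoleAndPolicies` are exported without doc comments; e.g. `// ExtractAwsRoleAndPolicies collects every aws_iam_role in the state together with its inline and attached policies.`
```go
// stringAttr returns attribute key of resource as a string, or an error when it is absent or not a string.
func stringAttr(resource *tfjson.StateResource, key string) (string, error) {
	value, ok := resource.AttributeValues[key].(string)
	if !ok {
		return "", fmt.Errorf("resource %s: attribute %q missing or not a string", resource.Address, key)
	}
	return value, nil
}

func extractAwsIamPolicyInfo(resource *tfjson.StateResource, policyArnToInfo map[string]AwsPolicyInfo) error {
	policyArn, err := stringAttr(resource, "arn")
	if err != nil {
		return errors.Wrap(err)
	}
	policyString, err := stringAttr(resource, "policy")
	if err != nil {
		return errors.Wrap(err)
	}

	policyBuffer := &bytes.Buffer{}
	if err := json.Compact(policyBuffer, []byte(policyString)); err != nil {
		return errors.Wrap(err)
	}
	// … unchanged: policyArnToInfo[policyArn] = AwsPolicyInfo{…}; return nil …
```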
@@ -0,0 +1,53 @@
+package terraform
+
+type AwsInlinePolicyInfo struct {
+ Name string
+ Policy string
+}
+
+type AwsPolicyInfo struct {
+ Arn string
+ Address string
+ Policy string
+}
+
+type AwsRoleInfo struct {
+ Arn string
+ Address string
+ InlinePolicy []AwsInlinePolicyInfo
+ AttachedPolicies []AwsPolicyInfo
+}
+
+func (a *AwsRoleInfo) ToMap() map[string]interface{} {
+ result := make(map[string]interface{})
+
+ result["arn"] = a.Arn
+ result["address"] = a.Address
+
+ // Convert inline policies to map
+ result["inlinePolicy"] = make([]map[string]string, 0)
+ for _, policy := range a.InlinePolicy {
+ policyMap := make(map[string]string)
+ policyMap["name"] = policy.Name
+ policyMap["policy"] = policy.Policy
+
+ result["inlinePolicy"] = append(result["inlinePolicy"].([]map[string]string), policyMap)
+ }
+
+ // Convert attached policies to map
+ result["attachedPolicies"] = make([]map[string]interface{}, 0)
+ for _, policy := range a.AttachedPolicies {
+ policyMap := make(map[string]interface{})
+ policyMap["arn"] = policy.Arn
+ policyMap["policy"] = policy.Policy
+ policyMap["address"] = policy.Address
+
+ result["attachedPolicies"] = append(result["attachedPolicies"].([]map[string]interface{}), policyMap)
+ }
+
+ return result
+}
+
+type TerraformResourceInfo struct {
+ AwsRoles []AwsRoleInfo
+}
diff --git a/src/pkg/terraform/utils.go b/src/pkg/terraform/utils.go
new file mode 100644
index 00000000..3e1b5b4b
--- /dev/null
+++ b/src/pkg/terraform/utils.go
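Review bot: `ToMap` stores the slices into `result` up front and then re-asserts `result["inlinePolicy"].([]map[string]string)` and `result["attachedPolicies"].([]map[string]interface{})` on every append; building each slice in a local pre-sized with `make(..., 0, len(...))` and assigning it once reads more directly, drops the assertions, and keeps the output identical (both slices stay non-nil and therefore serialise as `[]` rather than `null`). The exported types and `ToMap` also have no doc comments; e.g. `// ToMap flattens the role, its inline policies and its attached policies into the generic map shape consumed by the output layer.` — the consumer is not in this diff, so adjust the wording to it.
```go
func (a *AwsRoleInfo) ToMap() map[string]interface{} {
	inlinePolicies := make([]map[string]string, 0, len(a.InlinePolicy))
	for _, policy := range a.InlinePolicy {
		inlinePolicies = append(inlinePolicies, map[string]string{
			"name":   policy.Name,
			"policy": policy.Policy,
		})
	}

	attachedPolicies := make([]map[string]interface{}, 0, len(a.AttachedPolicies))
	for _, policy := range a.AttachedPolicies {
		attachedPolicies = append(attachedPolicies, map[string]interface{}{
			"arn":     policy.Arn,
			"policy":  policy.Policy,
			"address": policy.Address,
		})
	}

	return map[string]interface{}{
		"arn":              a.Arn,
		"address":          a.Address,
		"inlinePolicy":     inlinePolicies,
		"attachedPolicies": attachedPolicies,
	}
}
```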
@@ -0,0 +1,36 @@
+package terraform
+
+import (
+ "github.com/hashicorp/terraform-exec/tfexec"
+ "github.com/otterize/otterize-cli/src/pkg/errors"
+ "os"
+ "os/exec"
+)
+
+func GetTerraformPath() (string, error) {
+ terraformPath, err := exec.LookPath("terraform")
+ if err != nil {
+ return "", errors.New("terraform binary not found")
+ }
+
+ return terraformPath, nil
+}
+
+func GetTerraformClient(workingDir string) (*tfexec.Terraform, error) {
+ var err error
+ if workingDir == "" {
+ workingDir = os.Getenv("PWD")
+ }
+
+ terraformPath, err := GetTerraformPath()
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ tf, err := tfexec.NewTerraform(workingDir, terraformPath)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+
+ return tf, nil
+}
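Review bot: `GetTerraformPath` discards the `exec.LookPath` error and returns a fixed `errors.New("terraform binary not found")`, which hides the actual cause — a PATH entry that exists but is not executable, or the `exec.ErrDot` case where the only match was a relative path in the current directory, which LookPath deliberately refuses; keep the cause attached, e.g. `return "", errors.Wrap(err)` (or wrap with `%w` and a message if the project wrapper allows it). The `os.Getenv("PWD")` fallback in `GetTerraformClient` has the same weakness noted on `GetGitRepoInformation` in this commit; since `err` is already declared, `if workingDir, err = os.Getwd(); err != nil { return nil, errors.Wrap(err) }` fits without further changes. Both exported functions lack doc comments, e.g. `// GetTerraformClient returns a tfexec client rooted at workingDir, defaulting to the current directory when empty.`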