jckuester / awsweeper

A tool for cleaning your AWS account
Mozilla Public License 2.0

[0.5.0] Regex filters for aws_iam_policy → id #87

Closed skyzyx closed 4 years ago

skyzyx commented 4 years ago

We have some corporate governance stuff applied over my company's 100+ AWS accounts. We developers use Terraform; the corporate governance resources are created using a variety of other tools.

I'm trying to clean up all IAM policies that are created by developers, and not managed by these governance tools. But it would appear that regex support is not working correctly against aws_iam_policy's id field.

I've tried:

aws_iam_policy:
  - id: NOT(CloudTrail_CloudWatchLogs_Policy)
  - id: NOT(DatapipeOpsAccessPolicy)
  - id: NOT(Kentik)
  - id: NOT(turbot)

…as well as…

aws_iam_policy:
  - id: NOT(.*CloudTrail_CloudWatchLogs_Policy.*)
  - id: NOT(.*DatapipeOpsAccessPolicy.*)
  - id: NOT(.*Kentik.*)
  - id: NOT(.*turbot.*)

Am I applying the values correctly?

skyzyx commented 4 years ago

Hmmm…

It appears that this works. Maybe it'd be worthwhile to state that each - list item is applied as a boolean OR as opposed to a boolean AND.

aws_iam_policy:
  - id: NOT(CloudTrail_CloudWatchLogs_Policy|DatapipeOpsAccessPolicy|Kentik|turbot)
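The difference between the two configurations in this thread is easy to check before anything gets deleted. The Go program below is an added illustration, not awsweeper's own filter code: it models a `- id:` list entry as an unanchored regex with an optional `NOT(...)` wrapper (an assumption about the matcher, not a statement of how awsweeper parses it), runs the reporter's two configurations over a constructed list of policy ids, and reports what each would select under OR-ed list items versus AND-ed ones. The policy ids are made up for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// filter is one "- id: <value>" list entry: a regex plus a NOT flag.
type filter struct {
	re     *regexp.Regexp
	negate bool
}

// parseFilter turns "NOT(foo|bar)" or "foo" into a filter.
// Assumption (this models the config, it is not awsweeper's parser):
// the regex is matched unanchored and NOT(...) inverts the result.
func parseFilter(v string) (filter, error) {
	negate := false
	if strings.HasPrefix(v, "NOT(") && strings.HasSuffix(v, ")") {
		negate = true
		v = strings.TrimSuffix(strings.TrimPrefix(v, "NOT("), ")")
	}
	re, err := regexp.Compile(v)
	if err != nil {
		return filter{}, fmt.Errorf("bad filter %q: %w", v, err)
	}
	return filter{re: re, negate: negate}, nil
}

func (f filter) matches(id string) bool {
	return f.re.MatchString(id) != f.negate
}

func parseAll(values []string) ([]filter, error) {
	fs := make([]filter, 0, len(values))
	for _, v := range values {
		f, err := parseFilter(v)
		if err != nil {
			return nil, err
		}
		fs = append(fs, f)
	}
	return fs, nil
}

// selectOR selects a resource if ANY list item matches: the semantics the
// second comment in the thread observes.
func selectOR(ids, values []string) ([]string, error) {
	fs, err := parseAll(values)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, id := range ids {
		for _, f := range fs {
			if f.matches(id) {
				out = append(out, id)
				break
			}
		}
	}
	return out, nil
}

// selectAND selects a resource only if EVERY list item matches: the reading
// the first comment assumed when it listed four separate NOT items.
func selectAND(ids, values []string) ([]string, error) {
	fs, err := parseAll(values)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, id := range ids {
		all := true
		for _, f := range fs {
			if !f.matches(id) {
				all = false
				break
			}
		}
		if all {
			out = append(out, id)
		}
	}
	return out, nil
}

// Constructed sample policy ids: four governance-managed, two developer-created.
var sampleIDs = []string{
	"CloudTrail_CloudWatchLogs_Policy", "DatapipeOpsAccessPolicy",
	"Kentik-ingest", "turbot-guardrails",
	"dev-scratch-policy", "dev-s3-read",
}

// The two configurations from the thread, as their "- id:" values.
var multiItemNOT = []string{
	"NOT(CloudTrail_CloudWatchLogs_Policy)", "NOT(DatapipeOpsAccessPolicy)",
	"NOT(Kentik)", "NOT(turbot)",
}
var alternationNOT = []string{
	"NOT(CloudTrail_CloudWatchLogs_Policy|DatapipeOpsAccessPolicy|Kentik|turbot)",
}

func main() {
	// Dry-run style report: what each configuration would hand to the deleter.
	for _, c := range []struct {
		name   string
		values []string
	}{{"four NOT items (OR-ed)", multiItemNOT}, {"one NOT with alternation", alternationNOT}} {
		sel, err := selectOR(sampleIDs, c.values)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("%-26s -> would delete %d of %d: %v\n", c.name, len(sel), len(sampleIDs), sel)
	}
}
```

With OR semantics, four separate `NOT(...)` items select every id, because each governance policy fails only one of the four negations and passes the other three; the single alternation is the only form that keeps all four governance policies out. Running a selection like this over a listing before pointing a deletion tool at an account is the check worth doing.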