Terraform Parliament - Run Parliament AWS IAM Checker on Terraform Files

Parliament checks IAM policy validity against the latest AWS IAM specification, so it will flag, for example, an action whose service prefix is not in the specification, such as billing:* where the specification expects aws-portal:*.

Out of the box, Parliament only reads JSON IAM policy documents, not Terraform files. I wanted to validate the policies defined in my Terraform, hence this utility.

This utility parses your Terraform, finds aws_iam_policy_document data sources (and inline aws_iam_policy policies), renders each one into an IAM policy JSON string, and runs Parliament on the result.

Terraform interpolations (${...}) are stubbed before rendering, so that the generated document is valid JSON that Parliament can evaluate.
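The rendering step described above, as an added example that is not the tf-parliament project's own code. It takes an aws_iam_policy_document block already decoded into a dict (the shape python-hcl2 produces, which is an assumption about the tool's parser), stubs the ${...} interpolations, and builds the IAM JSON the way the AWS provider does (single-item lists collapse to a string, effect defaults to Allow). The stub behaviour is this example's own choice: by default the expression text is kept so findings stay traceable, or a fixed string can be substituted. The optional Parliament call assumes parliament's `analyze_policy_string` entry point; the sample document is constructed for the example.

```python
"""Render a decoded Terraform aws_iam_policy_document into IAM policy JSON,
stubbing ${...} interpolations so the output is valid JSON for Parliament."""
import json
import re

# One ${...} interpolation; the common cases contain no nested braces.
INTERPOLATION = re.compile(r"\$\{([^{}]*)\}")

# Constructed sample in the dict shape python-hcl2 gives for a
# data "aws_iam_policy_document" block (assumption about the decoder).
SAMPLE_DOCUMENT = {
    "statement": [
        {
            "sid": "ReadLogs",
            "effect": "Allow",
            "actions": ["s3:GetObject", "s3:ListBucket"],
            "resources": ["${aws_s3_bucket.logs.arn}", "${aws_s3_bucket.logs.arn}/*"],
        },
        {
            "effect": "Deny",
            "not_actions": ["s3:GetObject"],
            "resources": ["*"],
            "principals": [{"type": "AWS", "identifiers": ["${var.admin_arn}"]}],
            "condition": [{"test": "Bool", "variable": "aws:SecureTransport", "values": ["false"]}],
        },
    ]
}


def stub_interpolations(value, stub=None):
    """Recursively replace ${...} inside strings, lists and dicts.

    With stub=None (this example's default) the expression text is kept, so
    "${aws_s3_bucket.logs.arn}/*" becomes "aws_s3_bucket.logs.arn/*"; pass a
    string to substitute a fixed value instead.
    """
    if isinstance(value, str):
        repl = (lambda m: m.group(1)) if stub is None else (lambda m: stub)
        return INTERPOLATION.sub(repl, value)
    if isinstance(value, list):
        return [stub_interpolations(v, stub) for v in value]
    if isinstance(value, dict):
        return {k: stub_interpolations(v, stub) for k, v in value.items()}
    return value


def _one_or_many(values):
    """Collapse a single-item list to a string, as the AWS provider renders it."""
    if isinstance(values, str):
        return values
    return values[0] if len(values) == 1 else list(values)


def _statement_to_json(stmt):
    """Map one Terraform statement block onto an IAM Statement object."""
    out = {}
    if "sid" in stmt:
        out["Sid"] = stmt["sid"]
    out["Effect"] = stmt.get("effect", "Allow")  # provider default
    for tf_key, iam_key in (("actions", "Action"), ("not_actions", "NotAction"),
                            ("resources", "Resource"), ("not_resources", "NotResource")):
        if tf_key in stmt:
            out[iam_key] = _one_or_many(stmt[tf_key])
    for tf_key, iam_key in (("principals", "Principal"), ("not_principals", "NotPrincipal")):
        if tf_key in stmt:
            out[iam_key] = {p["type"]: _one_or_many(p["identifiers"]) for p in stmt[tf_key]}
    if "condition" in stmt:
        cond = {}
        for c in stmt["condition"]:
            cond.setdefault(c["test"], {})[c["variable"]] = _one_or_many(c["values"])
        out["Condition"] = cond
    return out


def policy_document_to_dict(block, stub=None):
    """Build the IAM policy as a dict, with interpolations already stubbed."""
    doc = {"Version": block.get("version", "2012-10-17")}
    if "policy_id" in block:
        doc["Id"] = block["policy_id"]
    doc["Statement"] = [_statement_to_json(s) for s in block.get("statement", [])]
    return stub_interpolations(doc, stub)


def policy_document_to_json(block, stub=None):
    """The JSON string Parliament is given."""
    return json.dumps(policy_document_to_dict(block, stub), indent=2)


def run_parliament(policy_json):
    """Return [(issue, detail), ...] from Parliament, or None if not installed.
    Assumed API: parliament.analyze_policy_string and Finding.issue/.detail."""
    try:
        from parliament import analyze_policy_string
    except ImportError:
        return None
    policy = analyze_policy_string(policy_json)
    return [(f.issue, f.detail) for f in policy.findings]


if __name__ == "__main__":
    rendered = policy_document_to_json(SAMPLE_DOCUMENT)
    print(rendered)
    findings = run_parliament(rendered)
    print("parliament not installed" if findings is None else findings)
```

Because the stubbed expression text is not a real ARN, Parliament will typically report a resource-format finding against it; that is expected and points you at the value a human needs to resolve, whereas stubbing with `*` would instead surface every interpolated resource as an over-broad wildcard.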

Example run

Terraform Resource Support

| Resource Type | Supported? |
|---|---|
| aws_iam_policy | Yes (inline policy only, not file()) |
| aws_iam_policy_document | Yes |
| aws_iam_user_policy | No |
| aws_iam_group_policy | No |
| aws_iam_role_policy | No |
| aws_s3_bucket_policy | No |
| aws_[ecr\|efs\|iot\|media_store_container\|organizations]*_policy | No |
| data.template_file | No |

The unsupported resource types should be pretty easy to add, if anyone feels a PR coming on :)

Issues

Usage

Docker

DockerHub Repo

Mount the directory containing your Terraform at /github/workspace/ (the workspace path a GitHub Action sees), since this image is intended to run as a GitHub Action. The commands below use $(pwd) for the current directory:

| Intention | Command |
|---|---|
| Run on the entire directory | `docker run --rm -ti -v $(pwd):/github/workspace/ rdkls/tf-parliament` |
| Run on one file | `docker run --rm -ti -v $(pwd):/github/workspace/ rdkls/tf-parliament iam.tf` |
| Run on some TF files only | `docker run --rm -ti -v $(pwd):/github/workspace/ rdkls/tf-parliament 'iam-*.tf'` |

Quote the glob in the last command so the shell does not expand it on the host; the pattern is matched inside the container against the mounted workspace.

Notes

Native

```shell
pip install -r requirements.txt

tf-parliament.py my-template.tf
```

Wildcards and directories are accepted as arguments, as in the Docker commands above.

Requirements