flosell/iam-policy-json-to-terraform

Reverse terraform back to json

nitrocode opened this issue · 2 comments

I know I could simply get the output

temp_tf_dir=/tmp/tf-get-json-of-iam-policy
mkdir -p "$temp_tf_dir"
rm -f "$temp_tf_dir"/*   # -f so an empty directory does not abort the script
cd "$temp_tf_dir"
# paste contents of data source
# add an output that exposes data.aws_iam_policy_document.<name>.json
vim "$temp_tf_dir/main.tf"
terraform init           # fetch the aws provider before apply
terraform apply

But it would be nice if the tool allowed me to do it without having to create all of the above.

Interesting suggestion. I feel, though, that this isn't the main purpose of this particular tool; I'd prefer to keep it focused on that.

I might be convinced otherwise, though, if there's strong feedback that this would be a useful thing (either in this tool or a separate one). So those finding this issue relevant and useful, please react with a 👍 on the initial comment or add your thoughts below.

I'd be particularly interested in what kind of scenarios this would support. Are we talking about migrating existing terraform code back to JSON? The terraform console and terraform state commands seem to be doing the job fine in this case. They can be used to discover which data sources exist in the state, then get their outputs:

$ terraform state list
data.aws_iam_policy_document.policy
$ echo "data.aws_iam_policy_document.policy.json" | terraform console
<<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    }
  ]
}
EOT

We used this tool originally when converting some JSON-based policy documents used in SCPs. I much prefer to keep the SCP policies as HCL, but we're reaching the point where we're hitting the policy document limits (5K characters) and SCP limits (5 per OU).

My thought was to use this kind of feature to reverse the HCL to JSON, then run that through a Python script to "optimize" the SCP statement placements. The script would then dump JSON, which we would use this tool to reverse back to HCL.

Right now we perform this optimization process manually, but it's cumbersome and boring work. I'd much rather spend my time writing a script to do it.

An alternative to this approach would be to write the policy documents in JSON natively, and skip the use of HCL. But HCL is nicer to write/read and we like to provide comments inline.
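The HCL to JSON to "optimized" SCPs round trip described in this comment, as an added Python example that is not part of the tool or of this thread: it strips the heredoc wrapper that `terraform console` prints (as in the session earlier in the thread) and packs the statements into as few SCPs as fit under the character and per-OU limits quoted above. The sample policy is constructed, and the 5000-character default and measuring the compact JSON length are assumptions; the real quotas are whatever AWS Organizations currently enforces.

```python
import json
import re
from typing import Dict, List

# Constructed sample: what `terraform console` prints for a data source's .json
# attribute (heredoc-wrapped, as in the maintainer's session above), here for an SCP.
CONSOLE_OUTPUT = """<<EOT
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyRootUsage", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}}},
    {"Sid": "DenyLeaveOrg", "Effect": "Deny",
     "Action": "organizations:LeaveOrganization", "Resource": "*"},
    {"Sid": "DenyRegionUse", "Effect": "Deny", "NotAction": ["iam:*", "sts:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}
  ]
}
EOT
"""

def parse_console_json(text: str) -> Dict:
    """Strip the <<EOT ... EOT wrapper terraform console adds and parse the JSON inside."""
    m = re.search(r"<<(\w+)\n(.*?)\n\1\s*$", text, re.S)
    return json.loads(m.group(2) if m else text)

def policy_size(statements: List[Dict]) -> int:
    """Characters of the compact policy document (assumption: that is what gets uploaded)."""
    return len(json.dumps({"Version": "2012-10-17", "Statement": statements},
                          separators=(",", ":")))

def pack_statements(statements: List[Dict], max_chars: int = 5000,
                    max_policies: int = 5) -> List[Dict]:
    """First-fit-decreasing: largest statements first, each into the first SCP it fits."""
    bins: List[List[Dict]] = []
    for s in sorted(statements, key=lambda s: policy_size([s]), reverse=True):
        if policy_size([s]) > max_chars:
            raise ValueError(f"statement {s.get('Sid')!r} alone exceeds {max_chars} chars")
        for b in bins:
            if policy_size(b + [s]) <= max_chars:
                b.append(s)
                break
        else:
            bins.append([s])
    if len(bins) > max_policies:
        raise ValueError(f"needs {len(bins)} SCPs but only {max_policies} fit on one OU")
    return [{"Version": "2012-10-17", "Statement": b} for b in bins]
```

Each returned document can be written out with `json.dump` and fed back through iam-policy-json-to-terraform to get the HCL data source for that SCP.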