[0.5.0] Regex filters for aws_iam_policy → id

Question

[0.5.0] Regex filters for aws_iam_policy → id

skyzyx opened this issue 5 years ago · 1 comments

We have some corporate governance stuff applied over my company's 100+ AWS accounts. We developers use Terraform, the corporate governance resources are created using a variety of other tools.

I'm trying to clean-up all IAM policies that are created by developers, and not managed by these governance tools. But it would appear that regex support is not working correctly against aws_iam_policies → id field.

I've tried:

aws_iam_policy:
  - id: NOT(CloudTrail_CloudWatchLogs_Policy)
  - id: NOT(DatapipeOpsAccessPolicy)
  - id: NOT(Kentik)
  - id: NOT(turbot)

…as well as…

aws_iam_policy:
  - id: NOT(.*CloudTrail_CloudWatchLogs_Policy.*)
  - id: NOT(.*DatapipeOpsAccessPolicy.*)
  - id: NOT(.*Kentik.*)
  - id: NOT(.*turbot.*)

Am I applying the values correctly?

Answer 1 · 2020-03-02T17:52:44.000Z

Hmmm…

It appears that this works. Maybe it'd be worthwhile to state that each - list item is applied as a boolean OR as opposed to a boolean AND.

aws_iam_policy:
  - id: NOT(CloudTrail_CloudWatchLogs_Policy|DatapipeOpsAccessPolicy|Kentik|turbot)