pike

package
Published: May 26, 2026 License: Apache-2.0 Imports: 54 Imported by: 0


Constants

const (
	// ManifestSnapshotFilename is the file name of the module manifest
	// snapshot. Presumably this is the module JSON consumed by
	// ReadModuleJsonForDir — confirm against the caller.
	ManifestSnapshotFilename = "modules.json"
)

Variables

// Version is the pike build version. The placeholder "999.999.999" is
// overridden at build time via -ldflags.
var Version = "999.999.999"

Version is set at build time via -ldflags.

Functions

func AZUREPolicy

func AZUREPolicy(permissions []string, policyName string) (string, error)

AZUREPolicy creates an Azure role definition. permissions is a slice of Azure permission strings in the format "action:resource". It returns the policy definition as a string, or an error if generation fails.

func AlmostEqual added in v0.2.96

func AlmostEqual(a, b float64) bool

func Apply

func Apply(target string, region string) error

Apply executes Terraform using a prepared role.

func AwsDataLookup added in v0.2.113

func AwsDataLookup(name string) []byte

func AwsLookup added in v0.2.94

func AwsLookup(name string) []byte

func AzureDataLookup added in v0.2.94

func AzureDataLookup(name string) []byte

func AzureLookup added in v0.2.94

func AzureLookup(name string) []byte

func Compare

func Compare(directory string, arn string, init bool) (bool, error)

Compare compares the IaC codebase to an AWS policy.

func Contains added in v0.2.76

func Contains(s []string, e string) bool

Contains reports whether the slice contains the string.

func DeprecationMessage added in v0.3.98

func DeprecationMessage(provider, name string, isData bool) (msg string, ok bool)

DeprecationMessage reports whether a given terraform resource or datasource is marked deprecated by its provider. ok is true when the provider's latest schema has flagged it; msg is the provider-supplied deprecation description (often "Deprecated: use X instead"), which may be empty even when ok is true if the provider didn't include one.

isData distinguishes a `data "foo" {}` block from a `resource "foo" {}` block: providers sometimes deprecate one without the other, so the caller must pass the correct kind.

func EncryptPlaintext added in v0.2.76

func EncryptPlaintext(plaintext string, publicKeyB64 string) ([]byte, error)

EncryptPlaintext encrypts plaintext using the supplied base64-encoded public key.

func FileExists added in v0.2.76

func FileExists(filename string) bool

FileExists reports whether the named file exists.

func FormatDeprecated added in v0.3.98

func FormatDeprecated(d []ProviderDeprecations, format string) (string, error)

FormatDeprecated renders the Deprecated() output. format is one of "text" (default, grep-friendly) or "json" (pretty-printed for downstream tooling). Unknown formats fall back to text rather than erroring — the CLI surface is informational, not strict.

Text format:

aws:
  aws_retired_thing (resource) — Deprecated: use aws_new_thing
  aws_old_data (data) — ...
azurerm:
  ...

An empty result (nothing deprecated across all requested providers) returns a single-line notice rather than an empty string so users don't mistake success for "the command silently did nothing".

func GCPDataLookup added in v0.2.94

func GCPDataLookup(name string) []byte

func GCPLookup added in v0.2.94

func GCPLookup(name string) []byte

func GCPPolicy

func GCPPolicy(permissions []string, policyName string, dirName string) (string, error)

GCPPolicy creates an IAM policy.

func GetAWSDataPermissions

func GetAWSDataPermissions(result ResourceV2) ([]string, error)

GetAWSDataPermissions gets permissions required for datasources.

func GetAWSPermissions

func GetAWSPermissions(result ResourceV2) ([]string, error)

GetAWSPermissions returns the permissions for AWS resources.

func GetAWSResourcePermissions

func GetAWSResourcePermissions(result ResourceV2) ([]string, error)

GetAWSResourcePermissions looks up permissions required for resources.

func GetAZUREDataPermissions

func GetAZUREDataPermissions(result ResourceV2) ([]string, error)

GetAZUREDataPermissions gets permissions required for datasources.

func GetAZUREPermissions

func GetAZUREPermissions(result ResourceV2) ([]string, error)

GetAZUREPermissions returns the permissions for Azure resources.

func GetAZUREResourcePermissions

func GetAZUREResourcePermissions(result ResourceV2) ([]string, error)

GetAZUREResourcePermissions looks up permissions required for resources.

func GetBlockAttributes

func GetBlockAttributes(attributes []string, block *hclsyntax.Block) []string

GetBlockAttributes walks through a block, collecting all nested blocks and attributes.

func GetEnv added in v0.3.55

func GetEnv(key string) (*string, error)

func GetGCPDataPermissions

func GetGCPDataPermissions(result ResourceV2) ([]string, error)

GetGCPDataPermissions gets permissions required for datasources.

func GetGithubClient added in v0.2.76

func GetGithubClient() (context.Context, *github.Client)

GetGithubClient instantiates and returns a client for GitHub.

func GetHCLType

func GetHCLType(resourceName string) string

GetHCLType gets the resource Name.

func GetModulePath

func GetModulePath(block *hclsyntax.Block) string

GetModulePath extracts the source location from a module.

func GetPermissionMap

func GetPermissionMap(raw []byte, attributes []string, resource string) ([]string, error)

GetPermissionMap performs anonymous parsing of the raw permission mapping.

func GetPublicKeyDetails added in v0.2.76

func GetPublicKeyDetails(owner string, repository string) (string, string, error)

GetPublicKeyDetails obtains the public key of the owner.

func GetResourceBlocks

func GetResourceBlocks(file string) (*hclsyntax.Body, error)

GetResourceBlocks breaks down a file into resources.

func GetRuntimePermissions added in v0.3.86

func GetRuntimePermissions(raw []byte, attributes []string, resource string) ([]string, error)

GetRuntimePermissions extracts runtime permissions needed by service accounts from mapping files.

func GetTF

func GetTF(dirName string) ([]string, error)

GetTF returns the Terraform files in a directory.

func GetTFFiles added in v0.2.76

func GetTFFiles(dirName string) ([]string, error)

GetTFFiles gets the Terraform files in a directory.

func HasAWSDefaultTags added in v0.4.5

func HasAWSDefaultTags(body *hclsyntax.Body) bool

HasAWSDefaultTags reports whether any provider "aws" block in body declares a default_tags block, which causes the provider to tag every taggable resource even when the resource itself has no tags attribute.

func Init

func Init(dirName string) (*string, []string, error)

func InvokeGithubDispatchEvent

func InvokeGithubDispatchEvent(repository string, workflowFileName string, branch string) error

InvokeGithubDispatchEvent uses your GitHub API key (if it has sufficient permissions) to invoke a GitHub Actions workflow.

func IsTypeOK added in v0.3.29

func IsTypeOK(mappings any) (map[string]any, error)

func LocateTerraform

func LocateTerraform() (string, error)

LocateTerraform finds the Terraform executable or installs it. The search and install logic lives in internal/tfinstall; this wrapper preserves the locateTerraformError type for callers that inspect it.

func Make

func Make(directory string) (*string, error)

Make creates the required role.

func MakeAzure added in v0.4.5

func MakeAzure(directory string) (*string, error)

MakeAzure creates the required Azure role definition.

func MakeGCP added in v0.4.5

func MakeGCP(directory string) (*string, error)

MakeGCP creates the required GCP IAM custom role.

func Minify added in v0.3.71

func Minify(JSONOut string) string

func RandSeq added in v0.2.76

func RandSeq(n int) string

RandSeq generates a random sequence of length n.

func Readme

func Readme(dirName string, output string, init bool, autoAppend bool) error

Readme updates a README.md file.

func Remote

func Remote(target string, repository string, region string) error

Remote updates a repository with AWS credentials.

func ReplaceSection

func ReplaceSection(source string, middle string, autoadd bool) error

ReplaceSection finds a section in a README and replaces it.

func Repository added in v0.2.108

func Repository(repository, destination, directory, output string, init, write, enableResources bool) error

func ReturnLocalAddrFromSource added in v0.3.59

func ReturnLocalAddrFromSource(source string, listModules ModuleJson) string

func Runtime added in v0.3.86

func Runtime(dirName string, outputType string, file *string, init bool, prov string) error

Runtime detects runtime IAM permissions needed by service accounts.

Only GCP is supported today. AWS/Azure providers are rejected with unsupportedRuntimeProviderError.

func Scan

func Scan(dirName string, outputType string, file *string, init bool, write bool, enableResources bool, provider string, outFile string, policyName string, suppressDeprecated bool) error

Scan looks for resources in a given directory.

func SetRepoSecret

func SetRepoSecret(repository string, keyText string, keyName string) (*github.Response, error)

SetRepoSecret sets an encrypted GitHub action secret.

func SplitHub added in v0.2.76

func SplitHub(repository string) (string, string, error)

SplitHub returns details parsed from the repository URL.

func StringInSlice added in v0.2.76

func StringInSlice(a string, list []string) bool

StringInSlice reports whether a is present in list.

func Unique added in v0.2.76

func Unique(s []string) []string

Unique returns the slice with duplicate entries removed.

func Watch

func Watch(arn string, wait int) error

Watch looks at IAM policy for new revisions.

func WriteOutput

func WriteOutput(outPolicy OutputPolicy, outputType string, scanPath string, outFile string) error

WriteOutput writes out the policy as JSON or Terraform.

Types

type AwsOutput

// AwsOutput holds the generated AWS policy in two renderings: the IAM
// policy document as JSON and the same policy as Terraform. It is
// produced by AWSPolicy and consumed by WriteOutput.
type AwsOutput struct {
	JSONOut   string // IAM policy document rendered as JSON
	Terraform string // the same policy rendered as Terraform
}

AwsOutput holds the generated AWS policy output as JSON and as Terraform.

func AWSPolicy

func AWSPolicy(permissions []string, resources bool, policyName string) (AwsOutput, error)

AWSPolicy creates an IAM policy.

type EnvVariableNotSetError added in v0.3.55

// EnvVariableNotSetError is the error for a required environment variable
// that is not set. Presumably returned by GetEnv (added in the same
// release) — confirm against the implementation.
type EnvVariableNotSetError struct {
	Key string // name of the environment variable that was not set
}

func (*EnvVariableNotSetError) Error added in v0.3.55

func (e *EnvVariableNotSetError) Error() string

type IAMBinding added in v0.3.86

// IAMBinding represents an IAM binding found in Terraform code; instances
// are collected by ExtractIAMBindings from parsed HCL blocks.
type IAMBinding struct {
	ResourceType string // e.g., "google_project_iam_member"
	ResourceName string // e.g., "app_secrets"
	Role         string // e.g., "roles/secretmanager.secretAccessor"
	Member       string // e.g., "serviceAccount:app@project.iam" or reference like "${google_service_account.app.email}"
}

IAMBinding represents an IAM binding found in Terraform.

func ExtractIAMBindings added in v0.3.86

func ExtractIAMBindings(body *hclsyntax.Body) []IAMBinding

ExtractIAMBindings extracts IAM binding resources from parsed HCL blocks.

type ModuleJson added in v0.3.59

// ModuleJson is the decoded form of a module JSON file: a map of module
// entries keyed by a string (presumably Record.Key — confirm) to their
// Record metadata. It is produced by ReadModuleJson and friends.
type ModuleJson map[string]Record

func GetModuleJson added in v0.3.59

func GetModuleJson(dir string) (ModuleJson, error)

func ReadModuleJson added in v0.3.59

func ReadModuleJson(r io.Reader) (ModuleJson, error)

func ReadModuleJsonForDir added in v0.3.59

func ReadModuleJsonForDir(dir string) (ModuleJson, error)

type OutputPolicy

// OutputPolicy is the main output type: the policies generated for each
// supported provider, rendered as strings (AWS as an AwsOutput with both
// JSON and Terraform). It is produced by GetPolicy / MakePolicy and
// written by WriteOutput.
type OutputPolicy struct {
	AWS        AwsOutput // AWS policy in JSON and Terraform form
	GCP        string    // GCP IAM policy as a string
	AZURE      string    // Azure role definition as a string
	RuntimeGCP string    // GCP runtime (service account) permissions; presumably filled by Runtime — confirm
}

OutputPolicy is the main output type.

func GetPolicy

func GetPolicy(actions Sorted, resources bool, policyName string, dirName string) (OutputPolicy, error)

GetPolicy creates new IAM policies from a list of permissions.

func MakePolicy

func MakePolicy(dirName string, file *string, init bool, enableResources bool, provider string, policyName string, suppressDeprecated bool) (OutputPolicy, error)

MakePolicy does the guts of determining a policy from code.

func (OutputPolicy) AsString

func (out OutputPolicy) AsString(format string) string

AsString renders the output policy as a string in the given format.

type Policy

// Policy represents the structure of an IAM policy document: a policy
// language version and the list of statements it grants. Field tags match
// the IAM JSON document keys. Constructed by NewAWSPolicy.
type Policy struct {
	Version    string      `json:"Version"`   // IAM policy language version string
	Statements []Statement `json:"Statement"` // statements that make up the policy
}

Policy represents the structure of an IAM policy.

func NewAWSPolicy

func NewAWSPolicy(actions []string, resources bool) (Policy, error)

NewAWSPolicy constructs a Policy from the given actions.

type PolicyDiff added in v0.3.18

// PolicyDiff is the result of Inspect: the permissions on which an existing
// policy and the code disagree. NOTE(review): the exact direction is not
// visible here — presumably Over lists permissions granted but not
// required by the code, and Under lists permissions required but not
// granted; confirm against Inspect.
type PolicyDiff struct {
	Over  []string // permissions present in the policy beyond what is needed (see note above)
	Under []string // permissions needed but absent from the policy (see note above)
}

func Inspect added in v0.3.18

func Inspect(directory string, init bool) (PolicyDiff, error)

type ProviderDeprecations added in v0.3.98

// ProviderDeprecations is the serialisable shape returned by Deprecated().
// Resources and data sources are kept in separate maps because the same
// name can be deprecated as one kind and not the other within a provider.
// Map values are the provider-supplied deprecation message, which may be
// empty when the provider did not include one (see DeprecationMessage).
type ProviderDeprecations struct {
	Provider        string            `json:"provider"`                  // provider name, e.g. aws / azurerm / google
	ProviderVersion string            `json:"providerVersion,omitempty"` // provider schema version the data was taken from, if known
	Resources       map[string]string `json:"resources,omitempty"`       // deprecated resource name -> deprecation message
	DataSources     map[string]string `json:"dataSources,omitempty"`     // deprecated data source name -> deprecation message
}

ProviderDeprecations is the serialisable shape returned by Deprecated(). Kinds are split because the same name can appear as both a resource and a datasource in the same provider, and conflating them loses detail.

func Deprecated added in v0.3.98

func Deprecated(provider string) []ProviderDeprecations

Deprecated returns the known-deprecated resources/datasources for one provider (aws/azurerm/google, with gcp/azure aliases accepted) or for all supported providers when called with the empty string. Providers with nothing deprecated are omitted from the result so callers can cleanly skip over them.

This is the data source for the `pike deprecated` CLI. It reads from the same lazily-cached store that scan-time warnings use, so running `pike deprecated` after a scan is free.

type Record added in v0.3.59

// Record represents metadata about an installed module, as one entry of a
// module JSON (see ModuleJson). Version is excluded from JSON; the string
// form is serialised instead under the "Version" key.
type Record struct {
	Key        string           `json:"Key"`               // module key
	SourceAddr string           `json:"Source"`            // module source address as written in the config
	Version    *version.Version `json:"-"`                 // parsed version; not serialised
	VersionStr string           `json:"Version,omitempty"` // version as a string, as stored in the JSON
	Dir        string           `json:"Dir"`               // directory the module is installed in
}

Record represents some metadata about an installed module, as part of a module JSON.

type ResourceV2

// ResourceV2 is what Terraform resources get parsed into (see GetResources)
// and the unit that the Get*Permissions helpers look up permissions for.
type ResourceV2 struct {
	TypeName       string   // block type, e.g. resource or data — presumably; confirm against GetResources
	Name           string   // the block's label name
	ResourceName   string   // the provider resource type, e.g. an aws_* / google_* name — presumably; confirm
	Provider       string   // provider the resource belongs to
	Attributes     []string // attribute names found in the block (see GetBlockAttributes)
	ServiceAccount string   // The service account this resource uses (if any)
}

ResourceV2 is what resources get parsed into.

func DetectBackend added in v0.2.65

func DetectBackend(resource ResourceV2, block *hclsyntax.Block, resources []ResourceV2) []ResourceV2

DetectBackend handles permissions for backend blocks.

func GetLocalModules added in v0.2.76

func GetLocalModules(block *hclsyntax.Block, dirName string, listModulesJson ModuleJson) ([]ResourceV2, error)

GetLocalModules returns the resources found at a local module path.

func GetResources

func GetResources(file string, dirName string) ([]ResourceV2, error)

GetResources retrieves all the resources in a tf file.

type RuntimePermission added in v0.3.86

// RuntimePermission tracks which resource needs which runtime permissions,
// i.e. the IAM permissions a service account needs while the deployed
// resource is running, as opposed to the permissions needed to deploy it.
type RuntimePermission struct {
	ResourceType   string   // e.g., "google_cloud_run_v2_service"
	ResourceName   string   // e.g., "app" (from resource "type" "name")
	ServiceAccount string   // e.g., "my-sa@project.iam" or "default"
	Permissions    []string // e.g., ["secretmanager.versions.access"]
}

RuntimePermission tracks which resource needs which runtime permissions.

type Sorted

// Sorted groups the collected permissions by the provider they belong to,
// so that each provider's policy can be generated separately (see
// GetPolicy). Deploy-time permissions and runtime (service account)
// permissions are kept apart.
type Sorted struct {
	AWS   []string // deploy-time AWS permissions
	GCP   []string // deploy-time GCP permissions
	AZURE []string // deploy-time Azure permissions
	// Runtime permissions needed by service accounts
	RuntimeGCP   []RuntimePermission
	RuntimeAWS   []RuntimePermission // NOTE(review): Runtime documents GCP-only support today; confirm this is populated
	RuntimeAZURE []RuntimePermission // NOTE(review): as above
	// Existing IAM bindings from Terraform code
	IAMBindings []IAMBinding
}

Sorted groups permissions by the provider they belong to.

func GetPermission

func GetPermission(result ResourceV2) (Sorted, error)

GetPermission determines the IAM permissions required and returns them grouped by provider.

func GetPermissionBag added in v0.3.52

func GetPermissionBag(resources []ResourceV2, prov string, suppressDeprecated bool) Sorted

func MakePermissionBag added in v0.3.55

func MakePermissionBag(dirName string, file *string, init bool, provider string, suppressDeprecated bool) (Sorted, error)

MakePermissionBag returns the full set of IAM permissions required to deploy the Terraform in dirName (or a single file). Pass init=false for static analysis without running terraform init.

type Statement

// Statement is the core of an IAM policy: one entry of Policy.Statements.
// Field tags match the IAM JSON document keys. Constructed by NewStatement.
type Statement struct {
	Sid      string   `json:"Sid"`      // statement identifier
	Effect   string   `json:"Effect"`   // the statement's effect as written to the policy document
	Action   []string `json:"Action"`   // IAM actions the statement covers
	Resource []string `json:"Resource"` // resources the statement applies to; scope is decided by the caller (see NewAWSPolicy's resources flag)
}

Statement is the core of an IAM policy.

func NewStatement

func NewStatement(sid string, effect string, action []string, resource []string) Statement

NewStatement constructs a Statement from its Sid, Effect, Action and Resource fields.

type ValidationResult added in v0.3.86

// ValidationResult tracks the status of an IAM binding requirement: whether
// the binding a resource's service account needs (see RuntimePermission) is
// already present in the Terraform code (see IAMBinding).
type ValidationResult struct {
	ResourceType   string   // Terraform resource type that needs the binding
	ResourceName   string   // Terraform resource name that needs the binding
	ServiceAccount string   // service account the binding is for
	Role           string   // role the binding should grant
	Permissions    []string // permissions the role is expected to cover
	Status         string   // "configured", "missing", "partial"
	ExistingMember string   // If configured, what member string is used
}

ValidationResult tracks the status of an IAM binding requirement.
