Closed
Description
It would be really nice if we could specify action + resource type mappings entirely from the command line. Right now, when you run policy_sentry query action-table, it does not give you the option for the resource type name.
Let me give an example.
Current issue
When you run policy_sentry query action-table --service ssm --access-level write, it returns a gigantic list of actions:
All IAM actions under the ssm service that have the access level write:
[
"ssm:CancelCommand",
"ssm:CancelMaintenanceWindowExecution",
"ssm:CreateActivation",
"ssm:CreateAssociation",
"ssm:CreateAssociationBatch",
"ssm:CreateDocument",
"ssm:CreateMaintenanceWindow",
"ssm:CreateOpsItem",
"ssm:CreatePatchBaseline",
"ssm:CreateResourceDataSync",
"ssm:DeleteActivation",
"ssm:DeleteAssociation",
"ssm:DeleteDocument",
"ssm:DeleteInventory",
"ssm:DeleteMaintenanceWindow",
"ssm:DeleteParameter",
"ssm:DeleteParameters",
"ssm:DeletePatchBaseline",
"ssm:DeleteResourceDataSync",
"ssm:DeregisterManagedInstance",
"ssm:DeregisterPatchBaselineForPatchGroup",
"ssm:DeregisterTargetFromMaintenanceWindow",
"ssm:DeregisterTaskFromMaintenanceWindow",
"ssm:LabelParameterVersion",
"ssm:PutComplianceItems",
"ssm:PutConfigurePackageResult",
"ssm:PutInventory",
"ssm:PutParameter",
"ssm:RegisterDefaultPatchBaseline",
"ssm:RegisterPatchBaselineForPatchGroup",
"ssm:RegisterTargetWithMaintenanceWindow",
"ssm:RegisterTaskWithMaintenanceWindow",
"ssm:ResetServiceSetting",
"ssm:ResumeSession",
"ssm:SendAutomationSignal",
"ssm:SendCommand",
"ssm:StartAssociationsOnce",
"ssm:StartAutomationExecution",
"ssm:StartSession",
"ssm:StopAutomationExecution",
"ssm:TerminateSession",
"ssm:UpdateAssociation",
"ssm:UpdateAssociationStatus",
"ssm:UpdateDocument",
"ssm:UpdateDocumentDefaultVersion",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation",
"ssm:UpdateMaintenanceWindow",
"ssm:UpdateMaintenanceWindowTarget",
"ssm:UpdateMaintenanceWindowTask",
"ssm:UpdateManagedInstanceRole",
"ssm:UpdateOpsItem",
"ssm:UpdatePatchBaseline",
"ssm:UpdateResourceDataSync",
"ssm:UpdateServiceSetting"
]
Proposed Input
policy_sentry query action-table --service ssm --access-level write --resource-type parameter
Proposed Output
[
"ssm:DeleteParameter",
"ssm:DeleteParameters",
"ssm:LabelParameterVersion",
"ssm:PutParameter"
]
Notice that these are the same actions that you'd get with this Policy Sentry template:
mode: crud
write:
- "arn:aws:ssm:*:*:parameter/myparameter"
Bonus points
Maybe we'd be able to use this to get rid of the --wildcard-only flag too.
Example input
policy_sentry query action-table --service secretsmanager --access-level list --resource-type *
Example output
[
"secretsmanager:ListSecrets"
]
Notice that these are the same actions that you'd get with this Policy Sentry template:
mode: crud
wildcard-only:
service-list:
- secretsmanager
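A prototype of the filtering this issue proposes, as an added example that is not Policy Sentry's own code. It runs over a small constructed action table (a handful of ssm and secretsmanager actions in a shape similar to what Policy Sentry builds from the AWS IAM docs, not the real full table), so the outputs match the two proposed outputs above only because the sample was built to contain those actions. The function name query_action_table and the "*" convention for wildcard-only actions are assumptions of this example, chosen to mirror the proposed CLI flags.

```python
"""Prototype of the proposed --resource-type filter for `policy_sentry query action-table`.

Added example, not Policy Sentry's own code. The action table below is a small
constructed subset: each action carries an access level and the resource types it
can be scoped to. An empty resource_types list means the action only supports
"Resource": "*" (what --wildcard-only / the crud `wildcard-only` template covers).
"""
import argparse
import json
from typing import Dict, List, Optional

# Constructed sample data (not the full AWS action table).
ACTION_TABLE: Dict[str, List[dict]] = {
    "ssm": [
        {"action": "DeleteParameter", "access_level": "Write", "resource_types": ["parameter"]},
        {"action": "DeleteParameters", "access_level": "Write", "resource_types": ["parameter"]},
        {"action": "LabelParameterVersion", "access_level": "Write", "resource_types": ["parameter"]},
        {"action": "PutParameter", "access_level": "Write", "resource_types": ["parameter"]},
        {"action": "GetParameter", "access_level": "Read", "resource_types": ["parameter"]},
        {"action": "CreateDocument", "access_level": "Write", "resource_types": ["document"]},
        {"action": "DeleteDocument", "access_level": "Write", "resource_types": ["document"]},
        {"action": "SendCommand", "access_level": "Write",
         "resource_types": ["document", "instance", "managed-instance"]},
        {"action": "CreateActivation", "access_level": "Write", "resource_types": []},  # wildcard-only
    ],
    "secretsmanager": [
        {"action": "ListSecrets", "access_level": "List", "resource_types": []},  # wildcard-only
        {"action": "GetSecretValue", "access_level": "Read", "resource_types": ["Secret"]},
        {"action": "DeleteSecret", "access_level": "Write", "resource_types": ["Secret"]},
    ],
}


def query_action_table(service: str,
                       access_level: Optional[str] = None,
                       resource_type: Optional[str] = None,
                       table: Dict[str, List[dict]] = ACTION_TABLE) -> List[str]:
    """Return sorted 'service:Action' names matching the filters.

    resource_type semantics (the proposal in this issue, as assumed here):
      None  -> no resource-type filter (today's behaviour: every action at that level)
      "*"   -> only wildcard-only actions, i.e. those with no resource type
      name  -> actions that can be scoped to that resource type (case-insensitive)
    """
    if service not in table:
        raise ValueError(f"unknown service {service!r}")
    results = []
    for entry in table[service]:
        if access_level and entry["access_level"].lower() != access_level.lower():
            continue
        types = [t.lower() for t in entry["resource_types"]]
        if resource_type == "*":
            if types:            # has a resource type, so it is not wildcard-only
                continue
        elif resource_type is not None:
            if resource_type.lower() not in types:
                continue
        results.append(f"{service}:{entry['action']}")
    return sorted(results)


if __name__ == "__main__":
    # Mirrors the proposed CLI shape: --service, --access-level, --resource-type.
    parser = argparse.ArgumentParser(description="Prototype of the proposed action-table query")
    parser.add_argument("--service", required=True)
    parser.add_argument("--access-level")
    parser.add_argument("--resource-type", help='resource type name, or "*" for wildcard-only actions')
    args = parser.parse_args()
    print(json.dumps(query_action_table(args.service, args.access_level, args.resource_type), indent=4))
```

Running it as `python3 query_proto.py --service ssm --access-level write --resource-type parameter` prints the four parameter actions from the proposed output, and `--service secretsmanager --access-level list --resource-type "*"` prints only secretsmanager:ListSecrets, which is how the "*" convention would let the one flag subsume --wildcard-only.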