feat: add aws lint iam policies workflow (#187)

jdassonvil · web-flow · commit aedaa19cf8c0 · 2025-02-07T14:51:56.000+01:00
diff --git a/.github/workflows/aws-lint-iam-policy-v1.yml b/.github/workflows/aws-lint-iam-policy-v1.yml
@@ -0,0 +1,30 @@
+---
+name: Lint AWS IAM policies
+
+on:
+  workflow_call:
+    inputs:
+      directory:
+        type: string
+        required: true
+      minimum_severity:
+        type: string
+        default: HIGH
+
+jobs:
+  # https://github.com/duo-labs/parliament
+  lint_policies:
+    runs-on: ubuntu-latest-arm64
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Setup python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      - name: Install dependencies
+        run: |
+          pip install parliament
+      - name: Lint AWS IAM policies
+        run: |
+          parliament --directory ${{ inputs.directory }} --include_policy_extension json --minimum_severity ${{ inputs.minimum_severity }}
diff --git a/README.md b/README.md
@@ -311,34 +311,20 @@ jobs:
       db_instance: my-instance-name
 ```
 
-### node-module-cache
+## IAM policy linter
 
-This action handles `node_modules` caching after installing dependencies for javascript projects. This has to be called
-while merging a main branch so further GitHub action execution can benefit from this cache later on.
+This action will lint a directory containing IAM policies in JSON format.
 
 ```yaml
----
-name: Update node_modules cache
-
-on:
-  push:
-    branches:
-      - master
-    paths:
-      - package-lock.json
-      - package.json
 jobs:
-  update_cache:
-    uses: sencrop/github-workflows/.github/workflows/node_modules_cache-v1.yml@master
+  lint:
+    uses: sencrop/github-workflows/.github/workflows/aws-lint-iam-policy-v1.yml@master
     secrets: inherit
     with:
-      use_legacy_peer_deps: false
-      use_ignore_scripts: true
+      directory: policies/
+      minimum_severity: MEDIUM
 ```
 
-Once the `node_modules` cache is filled in, it can be used later on to prevent unnecessary dependencies install
-operations (see [npm-ci-with-cache](README.md#npm-ci-with-cache)).
-
 ## Standard actions
 
 Standard actions can be reused in any custom or standard workflows.
@@ -430,3 +416,31 @@ see [node-module-cache](README.md#node-module-cache)):
     use_legacy_peer_deps: false
     use_ignore_scripts: true
 ```
+
+### node-module-cache
+
+This action handles `node_modules` caching after installing dependencies for javascript projects. This has to be called
+while merging a main branch so further GitHub action execution can benefit from this cache later on.
+
+```yaml
+---
+name: Update node_modules cache
+
+on:
+  push:
+    branches:
+      - master
+    paths:
+      - package-lock.json
+      - package.json
+jobs:
+  update_cache:
+    uses: sencrop/github-workflows/.github/workflows/node_modules_cache-v1.yml@master
+    secrets: inherit
+    with:
+      use_legacy_peer_deps: false
+      use_ignore_scripts: true
+```
+
+Once the `node_modules` cache is filled in, it can be used later on to prevent unnecessary dependencies install
+operations (see [npm-ci-with-cache](README.md#npm-ci-with-cache)).
