Initial commit post refactor

Author: Sindre Lindstad

.gitignore

@@ -1,10 +1,42 @@
-*.pyc
-
 # IDE
 *.iml
 
+# Compiled Python bytecode
+*.py[cod]
+*.pyc
+
+# Log files
+*.log
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv
+
+# Application specific
+*.pem
+*.tmp
 cache
 *.csv
 csv
-*.sh
-*.html
+*.html

Dockerfile

@@ -0,0 +1,16 @@
+FROM python:3-alpine
+
+RUN addgroup -g 2000 app && adduser -u 2000 --disabled-password --gecos '' app --ingroup app
+WORKDIR /usr/src/app
+
+COPY src/ ./src
+COPY entrypoint.sh .
+
+RUN pip install --no-cache-dir -r src/requirements.txt
+
+RUN chown -R app:app /home/app
+USER app
+
+EXPOSE 8080
+
+CMD ["/bin/sh", "entrypoint.sh"]

LICENSE

@@ -186,7 +186,8 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright {yyyy} {name of copyright owner}
+   Copyright 2017 Marcin Kolda
+   Copyright 2021 Sindre Lindstad
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

README.md

@@ -1,43 +1,106 @@
-# gcp-iam-collector
-Python scripts for collecting and visualising [Google Cloud Platform](https://cloud.google.com/) IAM permissions
+# GCP IAM Visualizer
 
-GCP IAM graph is created using [vis.js](http://visjs.org/) and it's static HTML page, see [example interactive graph](https://storage.googleapis.com/gcp-iam-collector/iam_graph_example.html)
+Creates an interactive graph of Google Cloud Platform (GCP) IAM policies, allowing for easier exploration of complex IAM structures.
 
-[![Example graph](https://raw.githubusercontent.com/marcin-kolda/gcp-iam-collector/master/example_graph.png)](https://storage.googleapis.com/gcp-iam-collector/iam_graph_example.html)
+Uses Python 3 to construct a static HTML page using [vis.js](http://visjs.org/).
 
-## Features
+Currently supports:
+* IAM policies assigned to folders
+* IAM policies assigned to projects
+* User Accounts (members)
+* Service Accounts
+* Groups
+* Filtering by users, user types, groups and roles
 
-GCP IAM collector iterates over projects using [Google Cloud Resource Manager API](https://cloud.google.com/resource-manager/reference/rest/v1/projects/list) and dumps to CSV files:
-* all available GCP projects,
-* projects IAM permissions,
-* projects service account and their keys,
-* BigQuery dataset ACLs,
-* Cloud Storage bucket ACLs
+![Example overview](src/assets/img/example_overview.png)
+![Example graph](src/assets/img/example_graph.png)
 
-IAM graph currently supports:
-* GCP projects and their permissions,
-* Service accounts and their permissions
+# Getting started
 
-# Setup
+## Initial steps
 
-1. Install dependencies:
+### 1. Install dependencies
+* [Google Cloud CLI](https://cloud.google.com/sdk/gcloud/)
+
+### 2. Configure [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials)
+```
+gcloud auth application-default login
 ```
-pip install -r requirements.txt
+
+If necessary, set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to point to the location of the created credentials file.
+
+**Example**
 ```
-2. Install [gcloud](https://cloud.google.com/sdk/gcloud/) CLI tool.
-3. Setup [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials):
+export GOOGLE_APPLICATION_CREDENTIALS=~/.config/gcloud/application_default_credentials.json
 ```
-gcloud auth application-default login
+
+### 3. Set the collection scope
+
+Set the environment variable `IAM_GRAPH_SCOPE` to determine the hierarchical starting point from where policies should be collected. This must be a folder or an organization. Use the standard Google API format, e.g. `organizations/93823423523` or `folders/9382372422`.
+
+**Example**
+```
+export IAM_GRAPH_SCOPE='organizations/83747734232'
+```
+
+By setting the scope to an organization or folder, IAM policies for all contained folders and projects will be collected, recursively.
+
+# Run it
+The easiest way is to run it as an ephemeral Docker container.
+
+<details open>
+  <summary>Docker</summary>
+
+### 1. Install dependencies
+* [Docker](https://docs.docker.com/get-docker/)
+
+### 2. Build it and run it
+
+```
+# Build the Docker image
+docker build -t gcp-iam-graph .
+
+# Run the Docker image
+docker run -it --rm \
+--name gcp-iam-graph \
+-e IAM_GRAPH_SCOPE="${IAM_GRAPH_SCOPE}" \
+-e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/credentials.json \
+-v $GOOGLE_APPLICATION_CREDENTIALS:/tmp/keys/credentials.json:ro \
+-p 8080:8080 \
+gcp-iam-graph
 ```
 
-# Run Instructions
+This will first start data collection, construct the graph, then serve it on a local webserver on [localhost:8080](http://localhost:8080).
 
-Command below dumps all IAM to csv files
+This message means data collection is finished, and that the webserver is ready:
 ```
-python collector.py
+Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
 ```
+</details>
+<details>
+  <summary>Python (development)</summary>
 
-Creating interactive graph:
+### 1. Install dependencies
+**Requires Python 3 and PIP.**
+
+```
+pip install --no-cache-dir -r src/requirements.txt
 ```
-python create_iam_graph.py
+
+### 2. Create the graph
+
 ```
+python3 src/create_graph.py ${IAM_GRAPH_SCOPE} index.html
+```
+
+### 3. Start a simple Python webserver (optional)
+You can also open the HTML file in a browser.
+
+```
+python3 -m http.server 8080
+```
+</details>
+
+
+# Attributions
+This project is based on [gcp-iam-collector](https://github.com/marcin-kolda/gcp-iam-collector) by Marcin Kolda.