@cloud-copilot/iam-expand 0.1.5 → 0.1.7

package/README.md

@@ -1,18 +1,28 @@
 # Expand IAM Actions
-This will expand the actions of the IAM policy to show the individual actions. Useful for when you want to see the individual actions that are included in a wildcard action or are not allowed to use wildcards for security or compliance reasons.
-
-Published in ESM and CommonJS and available as a [CLI](#cli).
+Built in the Unix philosophy, this is a small tool that does one thing well: expand IAM actions with wildcards to their list of matching actions.
 
 Use this to:
 1) Expand out wildcards in actions when you are not allowed to use wildcards in your IAM policy.
 2) Get an exhaustive list of actions that are included in a policy and quickly search it for interesting actions.
 3) Investigate where dangerous or dubious actions are being used in your policies.
 
+Published in ESM and CommonJS plus available as a [CLI](#cli).
+
+All information is sourced from the [@cloud-copilot/iam-data](https://github.com/cloud-copilot/iam-data) which is updated daily.
+
 ## Installation
 ```bash
 npm install -g @cloud-copilot/iam-expand
 ```
 
+### AWS CloudShell Installation
+The AWS CloudShell automatically has node and npm installed, so you can install this and run it straight from the console. You'll need to use sudo to install it globally.
+```bash
+sudo npm install -g @cloud-copilot/iam-expand
+iam-expand
+```
+
+## Typescript/NodeJS Usage
 ```typescript
 import { expandIamActions } from '@cloud-copilot/iam-expand';
 
@@ -50,7 +60,7 @@ expandIamActions(['s3:Get*Tagging', 's3:Put*Tagging'])
 `expandIamActions` an optional second argument that is an object with the following options:
 
 ### `expandAsterisk`
-By default, a single `*` not be expanded. We assume that if you want a list of all IAM actions there are other sources you will check, such as [@cloud-copilot/iam-data](https://github.com/cloud-copilot/iam-data). If you want to expand a single `*` you can set this option to `true`.
+By default, a single `*` will not be expanded. If you want to expand a single `*` you can set this option to `true`.
 
 ```typescript
 import { expandIamActions } from '@cloud-copilot/iam-expand';
@@ -126,7 +136,7 @@ expandIamActions(['s3:GetObject*','s3:Get*Tagging'],{distinct:true})
 ```
 
 ### `sort`
-By default, the output will be sorted based on the order of the input. If you want the output to be sorted alphabetically you can set this option to `true`.
+By default, the output will be sorted based on the order of the input. If you want the consolidated output to be sorted alphabetically you can set this option to `true`.
 
 ```typescript
 import { expandIamActions } from '@cloud-copilot/iam-expand';
@@ -193,10 +203,36 @@ expandIamActions('r2:Get*Tagging', { errorOnMissingService: true })
 //Uncaught Error: Service not found: r2
 ```
 
+## `invalidActionBehavior`
+By default, if an action is passed in that does not exist in the IAM data, it will be silently ignored and left out of the output. There are two options to override this behavior: `Error` and `Include`.
+
+```typescript
+import { expandIamActions, InvalidActionBehavior } from '@cloud-copilot/iam-expand';
+
+//Ignore invalid action by default
+expandIamActions('ec2:DestroyAvailabilityZone')
+[]
+
+//Ignore invalid action explicitly
+expandIamActions('ec2:DestroyAvailabilityZone', { invalidActionBehavior: InvalidActionBehavior.Remove })
+[]
+
+//Throw an error on invalid action
+expandIamActions('ec2:DestroyAvailabilityZone', { invalidActionBehavior: InvalidActionBehavior.Error })
+//Uncaught Error: Invalid action: ec2:DestroyAvailabilityZone
+
+//Include invalid action
+expandIamActions('ec2:DestroyAvailabilityZone', { invalidActionBehavior: InvalidActionBehavior.Include })
+['ec2:DestroyAvailabilityZone']
+```
+
 ## CLI
-There is a CLI!
+There is a CLI! The [examples folder](examples/README.md) has examples showing how to use the CLI to find interesting actions in your IAM policies.
+
+### Installation
+You can install it globally and use the command `iam-expand` or add it to a single project and use `npx`.
 
-### Install Globally
+#### Install Globally
 ```bash
 npm install -g @cloud-copilot/iam-expand
 ```
@@ -206,9 +242,14 @@ yarn global add @cloud-copilot/iam-data
 yarn global add @cloud-copilot/iam-expand
 ```
 
-### Run the sciprt in a project that has the package installed
+The AWS CloudShell automatically has node and npm installed, so you can install this and run it straight from the console. You'll need to use sudo to install it globally.
+
+```bash
+sudo npm install -g @cloud-copilot/iam-expand
+```
+#### Install in a project
 ```bash
-npx @cloud-copilot/iam-expand
+npm install @cloud-copilot/iam-expand
 ```
 
 ### Simple Usage
@@ -219,13 +260,13 @@ iam-expand s3:Get* s3:*Tag*
 
 You can pass in all options available through the api as dash separated flags.
 
-_Prints all matching actions for s3:Get*Tagging, s3:*Tag*, and ec2:* in alphabetical order with duplicates removed:_
+_Prints all matching actions for `s3:Get*Tagging`, `s3:*Tag*`, and `ec2:*` in alphabetical order with duplicates removed:_
 ```bash
 iam-expand s3:Get*Tagging s3:*Tag* ec2:* --expand-service-asterisk --distinct --sort
 ```
 
 ### Help
-Running the command with no options shows usage help;
+Run the command with no options to show usage:
 ```bash
 iam-expand
 ```
@@ -234,8 +275,7 @@ iam-expand
 If no actions are passed as arguments, the CLI will read from stdin.
 
 #### Expanding JSON input
-If the input is a valid json document, the CLI will find every instance of `Action` that is a string
-or an array of strings and expand them. This is useful for finding all the actions in a policy document or set of documents.
+If the input is a valid json document, the CLI will find every instance of `Action` and `NotAction` that is a string or an array of strings and expand them. This is useful for finding all the actions in a policy document or set of documents.
 
 Given `policy.json`
 ```json
@@ -249,8 +289,8 @@ Given `policy.json`
       "Resource": "*"
     },
     {
-      "Effect": "Allow",
-      "Action": ["s3:Get*Tagging", "s3:Put*Tagging"],
+      "Effect": "Deny",
+      "NotAction": ["s3:Get*Tagging", "s3:Put*Tagging"],
       "Resource": "*"
     }
   ]
@@ -279,9 +319,9 @@ Gives this file in `expanded-policy.json`
       "Resource": "*"
     },
     {
-      "Effect": "Allow",
+      "Effect": "Deny",
       // Was ["s3:Get*Tagging", "s3:Put*Tagging"]
-      "Action": [
+      "NotAction": [
         "s3:GetBucketTagging",
         "s3:GetJobTagging",
         "s3:GetObjectTagging",
@@ -301,14 +341,13 @@ Gives this file in `expanded-policy.json`
 
 You can also use this to expand the actions from the output of commands.
 ```bash
-aws iam get-account-authorization-details --output json | iam-expand --expand-service-asterisk --read-wait-time=20_000 > expanded-inline-policies.json
+aws iam get-account-authorization-details --output json | iam-expand --expand-service-asterisk --read-wait-time=20_000 > expanded-authorization-details.json
 # Now you can search the output for actions you are interested in
-grep "kms:DisableKey" expanded-inline-policies.json
+grep -n "kms:DisableKey" expanded-inline-policies.json
 ```
-_--expand-service-asterisk makes sure kms:* is expaneded out so you can find the DisableKey action. --read-wait-time=20_000 gives the cli command more time to return it's first byte of output_
 
 #### Expanding arbitrary input
-If the input from stdin is not json, the content is searched for actions that are then expanded. This is really meant to be abused. It essentialy greps the content for anything resembling and action and expands it. Throw anything at it and it will find all the actions it can and expand them.
+If the input from stdin is not json, the content is searched for IAM actions then expands them. Throw anything at it and it will find all the actions it can and expand them.
 
 You can echo some content:
 ```bash
@@ -332,7 +371,7 @@ cat template.yaml | iam-expand
 
 Or even some HTML:
 ```bash
-curl "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/SecurityAudit.html" | iam-expand
+curl "https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ReadOnlyAccess.html" | iam-expand
 ```
 
 Or the output of any command.

package/dist/cjs/cli.js

@@ -5,6 +5,7 @@ const iam_data_1 = require("@cloud-copilot/iam-data");
 const cli_utils_js_1 = require("./cli_utils.js");
 const expand_js_1 = require("./expand.js");
 const commandName = 'iam-expand';
+const dataPackage = '@cloud-copilot/iam-data';
 async function expandAndPrint(actionStrings, options) {
     try {
         const result = await (0, expand_js_1.expandIamActions)(actionStrings, options);
@@ -35,7 +36,7 @@ function printUsage() {
     console.log('    --invalid-action-behavior=error: Throw an error if an invalid action is encountered');
     console.log('CLI Behavior Options:');
     console.log('  --show-data-version: Print the version of the iam-data package being used and exit');
-    console.log('  --read-wait-time: Millisenconds to wait for input from stdin before timing out.');
+    console.log('  --read-wait-time: Millisenconds to wait for the first byte from stdin before timing out.');
     console.log('                    Example: --read-wait-time=10_000');
     process.exit(1);
 }
@@ -53,7 +54,12 @@ for (const arg of args) {
 async function run() {
     const options = (0, cli_utils_js_1.convertOptions)(optionStrings);
     if (options.showDataVersion) {
-        console.log(`@cloud-copilot/iam-data version: ${(0, iam_data_1.iamDataVersion)()}`);
+        const version = await (0, iam_data_1.iamDataVersion)();
+        const updatedAt = console.log(`${dataPackage} version: ${version}`);
+        console.log(`Data last updated: ${await (0, iam_data_1.iamDataUpdatedAt)()}`);
+        console.log(`Update with either:`);
+        console.log(`  npm update ${dataPackage}`);
+        console.log(`  npm update -g ${dataPackage}`);
         return;
     }
     if (actionStrings.length === 0) {

package/dist/cjs/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,sDAAyD;AACzD,iDAA4D;AAC5D,2CAAwE;AAExE,MAAM,WAAW,GAAG,YAAY,CAAA;AAEhC,KAAK,UAAU,cAAc,CAAC,aAAuB,EAAE,OAAyC;IAC9F,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAgB,EAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC7D,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;IACtE,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAA;IAC5F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAA;IAC5G,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAA;IAC7F,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;IAChF,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAA;IACtG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAA;IAChG,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;IACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,IAAA,6BAAc,EAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,oCAAoC,IAAA,yBAAc,GAAE,EAAE,CAAC,CAAA;QACnE,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,6CAA6C;QAC7C,MAAM,WAAW,GAAG,MAAM,IAAA,yBAAU,EAAC,OAAO,CAAC,CAAA;QAC7C,IAAG,WAAW,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACxD,OAAM;QACR,CAAC;aAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,CAAA;YACxC,IAAG,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBACrD,OAAO,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAA;YAC/F,CAAC;YACD,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC5C,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AACd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";;;AAEA,sDAA2E;AAC3E,iDAA4D;AAC5D,2CAAwE;AAExE,MAAM,WAAW,GAAG,YAAY,CAAA;AAChC,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAE7C,KAAK,UAAU,cAAc,CAAC,aAAuB,EAAE,OAAyC;IAC9F,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,IAAA,4BAAgB,EAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC7D,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;IACtE,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAA;IAC5F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAA;IAC5G,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAA;IAC7F,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;IAChF,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAA;IACtG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,4FAA4F,CAAC,CAAA;IACzG,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;IACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,IAAA,6BAAc,EAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,IAAA,yBAAc,GAAE,CAAA;QACtC,MAAM,SAAS,GACf,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,aAAa,OAAO,EAAE,CAAC,CAAA;QACjD,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,IAAA,2BAAgB,GAAE,EAAE,CAAC,CAAA;QAC7D,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;QAClC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,6CAA6C;QAC7C,MAAM,WAAW,GAAG,MAAM,IAAA,yBAAU,EAAC,OAAO,CAAC,CAAA;QAC7C,IAAG,WAAW,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACxD,OAAM;QACR,CAAC;aAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,CAAA;YACxC,IAAG,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBACrD,OAAO,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAA;YAC/F,CAAC;YACD,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC5C,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AACd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}

package/dist/cjs/expand_file.js

@@ -11,7 +11,7 @@ const expand_js_1 = require("./expand.js");
  * @returns the expanded JSON document
  */
 async function expandJsonDocument(options, document, key) {
-    if (key === 'Action') {
+    if (key === 'Action' || key === 'NotAction') {
         if (typeof document === 'string') {
             return await (0, expand_js_1.expandIamActions)(document, options);
         }

package/dist/cjs/expand_file.js.map

@@ -1 +1 @@
-{"version":3,"file":"expand_file.js","sourceRoot":"","sources":["../../src/expand_file.ts"],"names":[],"mappings":";;AAUA,gDA4BC;AAtCD,2CAAuE;AAEvE;;;;;;;GAOG;AACI,KAAK,UAAU,kBAAkB,CAAC,OAAyC,EAAE,QAAa,EAAE,GAAY;IAC7G,IAAG,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpB,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,MAAM,IAAA,4BAAgB,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;QACD,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrF,MAAM,KAAK,GAAI,MAAM,IAAA,4BAAgB,EAAC,QAAQ,EAAE,EAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAC,CAAC,CAAA;YAC7E,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YAC7C,OAAO,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC1C,CAAC,CAAC,CAAC,CAAA;IACL,CAAC;IAED,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,SAAS,GAAQ,EAAE,CAAA;QACzB,KAAI,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;YAC3B,SAAS,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}
+{"version":3,"file":"expand_file.js","sourceRoot":"","sources":["../../src/expand_file.ts"],"names":[],"mappings":";;AAUA,gDA4BC;AAtCD,2CAAuE;AAEvE;;;;;;;GAOG;AACI,KAAK,UAAU,kBAAkB,CAAC,OAAyC,EAAE,QAAa,EAAE,GAAY;IAC7G,IAAG,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QAC3C,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,MAAM,IAAA,4BAAgB,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;QACD,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrF,MAAM,KAAK,GAAI,MAAM,IAAA,4BAAgB,EAAC,QAAQ,EAAE,EAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAC,CAAC,CAAA;YAC7E,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YAC7C,OAAO,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC1C,CAAC,CAAC,CAAC,CAAA;IACL,CAAC;IAED,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,SAAS,GAAQ,EAAE,CAAA;QACzB,KAAI,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;YAC3B,SAAS,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/dist/esm/cli.js

@@ -1,8 +1,9 @@
 #!/usr/bin/env node
-import { iamDataVersion } from "@cloud-copilot/iam-data";
+import { iamDataUpdatedAt, iamDataVersion } from "@cloud-copilot/iam-data";
 import { convertOptions, parseStdIn } from "./cli_utils.js";
 import { expandIamActions } from "./expand.js";
 const commandName = 'iam-expand';
+const dataPackage = '@cloud-copilot/iam-data';
 async function expandAndPrint(actionStrings, options) {
     try {
         const result = await expandIamActions(actionStrings, options);
@@ -33,7 +34,7 @@ function printUsage() {
     console.log('    --invalid-action-behavior=error: Throw an error if an invalid action is encountered');
     console.log('CLI Behavior Options:');
     console.log('  --show-data-version: Print the version of the iam-data package being used and exit');
-    console.log('  --read-wait-time: Millisenconds to wait for input from stdin before timing out.');
+    console.log('  --read-wait-time: Millisenconds to wait for the first byte from stdin before timing out.');
     console.log('                    Example: --read-wait-time=10_000');
     process.exit(1);
 }
@@ -51,7 +52,12 @@ for (const arg of args) {
 async function run() {
     const options = convertOptions(optionStrings);
     if (options.showDataVersion) {
-        console.log(`@cloud-copilot/iam-data version: ${iamDataVersion()}`);
+        const version = await iamDataVersion();
+        const updatedAt = console.log(`${dataPackage} version: ${version}`);
+        console.log(`Data last updated: ${await iamDataUpdatedAt()}`);
+        console.log(`Update with either:`);
+        console.log(`  npm update ${dataPackage}`);
+        console.log(`  npm update -g ${dataPackage}`);
         return;
     }
     if (actionStrings.length === 0) {

package/dist/esm/cli.js.map

@@ -1 +1 @@
-{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAA2B,MAAM,aAAa,CAAC;AAExE,MAAM,WAAW,GAAG,YAAY,CAAA;AAEhC,KAAK,UAAU,cAAc,CAAC,aAAuB,EAAE,OAAyC;IAC9F,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC7D,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;IACtE,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAA;IAC5F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAA;IAC5G,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAA;IAC7F,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;IAChF,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAA;IACtG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAA;IAChG,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;IACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,cAAc,CAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,OAAO,CAAC,GAAG,CAAC,oCAAoC,cAAc,EAAE,EAAE,CAAC,CAAA;QACnE,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,6CAA6C;QAC7C,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAA;QAC7C,IAAG,WAAW,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACxD,OAAM;QACR,CAAC;aAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,CAAA;YACxC,IAAG,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBACrD,OAAO,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAA;YAC/F,CAAC;YACD,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC5C,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AACd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AAC3E,OAAO,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAC;AAC5D,OAAO,EAAE,gBAAgB,EAA2B,MAAM,aAAa,CAAC;AAExE,MAAM,WAAW,GAAG,YAAY,CAAA;AAChC,MAAM,WAAW,GAAG,yBAAyB,CAAA;AAE7C,KAAK,UAAU,cAAc,CAAC,aAAuB,EAAE,OAAyC;IAC9F,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC7D,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;YAC5B,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAA;QACrB,CAAC;IACH,CAAC;IAAC,OAAO,CAAM,EAAE,CAAC;QAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,CAAA;QACxB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC;AACH,CAAC;AAED,SAAS,UAAU;IACjB,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAA;IACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,oCAAoC,CAAC,CAAA;IACjE,OAAO,CAAC,GAAG,CAAC,2BAA2B,WAAW,YAAY,CAAC,CAAA;IAC/D,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAA;IACxC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAA;IACrD,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAA;IACzC,OAAO,CAAC,GAAG,CAAC,yDAAyD,CAAC,CAAA;IACtE,OAAO,CAAC,GAAG,CAAC,+EAA+E,CAAC,CAAA;IAC5F,OAAO,CAAC,GAAG,CAAC,wEAAwE,CAAC,CAAA;IACrF,OAAO,CAAC,GAAG,CAAC,+FAA+F,CAAC,CAAA;IAC5G,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAA;IAC7F,OAAO,CAAC,GAAG,CAAC,iEAAiE,CAAC,CAAA;IAC9E,OAAO,CAAC,GAAG,CAAC,mEAAmE,CAAC,CAAA;IAChF,OAAO,CAAC,GAAG,CAAC,yFAAyF,CAAC,CAAA;IACtG,OAAO,CAAC,GAAG,CAAC,uBAAuB,CAAC,CAAA;IACpC,OAAO,CAAC,GAAG,CAAC,sFAAsF,CAAC,CAAA;IACnG,OAAO,CAAC,GAAG,CAAC,4FAA4F,CAAC,CAAA;IACzG,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;IACnE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC;AAED,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,gCAAgC;AACpE,MAAM,aAAa,GAAa,EAAE,CAAA;AAClC,MAAM,aAAa,GAAa,EAAE,CAAA;AAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,IAAG,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;SAAM,CAAC;QACN,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,OAAO,GAAG,cAAc,CAAC,aAAa,CAAC,CAAA;IAC7C,IAAG,OAAO,CAAC,eAAe,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,MAAM,cAAc,EAAE,CAAA;QACtC,MAAM,SAAS,GACf,OAAO,CAAC,GAAG,CAAC,GAAG,WAAW,aAAa,OAAO,EAAE,CAAC,CAAA;QACjD,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,gBAAgB,EAAE,EAAE,CAAC,CAAA;QAC7D,OAAO,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAA;QAClC,OAAO,CAAC,GAAG,CAAC,gBAAgB,WAAW,EAAE,CAAC,CAAA;QAC1C,OAAO,CAAC,GAAG,CAAC,mBAAmB,WAAW,EAAE,CAAC,CAAA;QAC7C,OAAM;IACR,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,6CAA6C;QAC7C,MAAM,WAAW,GAAG,MAAM,UAAU,CAAC,OAAO,CAAC,CAAA;QAC7C,IAAG,WAAW,CAAC,MAAM,EAAE,CAAC;YACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAA;YACxD,OAAM;QACR,CAAC;aAAM,IAAI,WAAW,CAAC,OAAO,EAAE,CAAC;YAC/B,MAAM,YAAY,GAAG,WAAW,CAAC,OAAO,CAAA;YACxC,IAAG,YAAY,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;gBACrD,OAAO,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAA;YAC/F,CAAC;YACD,aAAa,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAA;QACrC,CAAC;IACH,CAAC;IAED,IAAG,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,MAAM,cAAc,CAAC,aAAa,EAAE,OAAO,CAAC,CAAA;QAC5C,OAAM;IACR,CAAC;IAED,UAAU,EAAE,CAAA;AACd,CAAC;AAED,GAAG,EAAE,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;IAChB,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAChB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;AACjB,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAA"}

package/dist/esm/expand_file.js

@@ -8,7 +8,7 @@ import { expandIamActions } from "./expand.js";
  * @returns the expanded JSON document
  */
 export async function expandJsonDocument(options, document, key) {
-    if (key === 'Action') {
+    if (key === 'Action' || key === 'NotAction') {
         if (typeof document === 'string') {
             return await expandIamActions(document, options);
         }

package/dist/esm/expand_file.js.map

@@ -1 +1 @@
-{"version":3,"file":"expand_file.js","sourceRoot":"","sources":["../../src/expand_file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAA2B,MAAM,aAAa,CAAA;AAEvE;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAyC,EAAE,QAAa,EAAE,GAAY;IAC7G,IAAG,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpB,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,MAAM,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;QACD,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrF,MAAM,KAAK,GAAI,MAAM,gBAAgB,CAAC,QAAQ,EAAE,EAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAC,CAAC,CAAA;YAC7E,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YAC7C,OAAO,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC1C,CAAC,CAAC,CAAC,CAAA;IACL,CAAC;IAED,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,SAAS,GAAQ,EAAE,CAAA;QACzB,KAAI,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;YAC3B,SAAS,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}
+{"version":3,"file":"expand_file.js","sourceRoot":"","sources":["../../src/expand_file.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAA2B,MAAM,aAAa,CAAA;AAEvE;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,OAAyC,EAAE,QAAa,EAAE,GAAY;IAC7G,IAAG,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,WAAW,EAAE,CAAC;QAC3C,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAChC,OAAO,MAAM,gBAAgB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;QAClD,CAAC;QACD,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,OAAO,QAAQ,CAAC,CAAC,CAAC,KAAK,QAAQ,EAAE,CAAC;YACrF,MAAM,KAAK,GAAI,MAAM,gBAAgB,CAAC,QAAQ,EAAE,EAAC,GAAG,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAC,CAAC,CAAA;YAC7E,OAAO,KAAK,CAAA;QACd,CAAC;IACH,CAAC;IAED,IAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;YAC7C,OAAO,kBAAkB,CAAC,OAAO,EAAE,IAAI,CAAC,CAAA;QAC1C,CAAC,CAAC,CAAC,CAAA;IACL,CAAC;IAED,IAAG,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAClC,MAAM,SAAS,GAAQ,EAAE,CAAA;QACzB,KAAI,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACtB,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAA;YAC3B,SAAS,CAAC,GAAG,CAAC,GAAG,MAAM,kBAAkB,CAAC,OAAO,EAAE,KAAK,EAAE,GAAG,CAAC,CAAA;QAChE,CAAC;QACD,OAAO,SAAS,CAAA;IAClB,CAAC;IAED,OAAO,QAAQ,CAAA;AACjB,CAAC"}

package/examples/README.md

@@ -0,0 +1,3 @@
+# Example Scripts
+
+This folder has example scripts that show ways you can combine the AWS CLI with `iam-expand` to help find interesting actions in your IAM policies.

package/examples/download-and-expand-authorization-details.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+: <<'END_COMMENT'
+This script will download all the account authorization details which contains
+inline policies and expand them then save them to a file.
+END_COMMENT
+
+aws iam get-account-authorization-details --output json | iam-expand --expand-service-asterisk --read-wait-time=20_000 > expanded-authorization-details.json

package/examples/download-and-expand-policies.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+: <<'END_COMMENT'
+This script will download all customer-managed policies in the account, expand them, and save them to files
+in the `policies` directory. The file name will be the policy name with the path as a prefix.
+END_COMMENT
+
+mkdir -p policies
+
+# List all managed policies that are attached to any entity
+policies=$(aws iam list-policies --scope All --only-attached --query 'Policies[].{Arn:Arn,VersionId:DefaultVersionId,Path:Path,Name:PolicyName}' --output json)
+
+# Loop through each policy to get the default version and save it
+echo "$policies" | jq -c '.[]' | while read -r line; do
+  arn=$(echo "$line" | jq -r '.Arn')
+  version_id=$(echo "$line" | jq -r '.VersionId')
+  path=$(echo "$line" | jq -r '.Path' | tr '/' '_')
+  name=$(echo "$line" | jq -r '.Name')
+
+  file_name="policies/${path}${name}.json"
+  aws iam get-policy-version --policy-arn "$arn" --version-id "$version_id" --query 'PolicyVersion.Document' --output json 2>/dev/null | iam-expand --read-wait-time=10_000 > $file_name
+done

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-expand",
-  "version": "0.1.5",
+  "version": "0.1.7",
   "description": "Expand AWS IAM Actions with Wildcards",
   "repository": {
     "type": "git",

package/src/cli.ts

@@ -1,10 +1,11 @@
 #!/usr/bin/env node
 
-import { iamDataVersion } from "@cloud-copilot/iam-data";
+import { iamDataUpdatedAt, iamDataVersion } from "@cloud-copilot/iam-data";
 import { convertOptions, parseStdIn } from "./cli_utils.js";
 import { expandIamActions, ExpandIamActionsOptions } from "./expand.js";
 
 const commandName = 'iam-expand'
+const dataPackage = '@cloud-copilot/iam-data'
 
 async function expandAndPrint(actionStrings: string[], options: Partial<ExpandIamActionsOptions>) {
   try {
@@ -36,7 +37,7 @@ function printUsage() {
   console.log('    --invalid-action-behavior=error: Throw an error if an invalid action is encountered')
   console.log('CLI Behavior Options:')
   console.log('  --show-data-version: Print the version of the iam-data package being used and exit')
-  console.log('  --read-wait-time: Millisenconds to wait for input from stdin before timing out.')
+  console.log('  --read-wait-time: Millisenconds to wait for the first byte from stdin before timing out.')
   console.log('                    Example: --read-wait-time=10_000')
   process.exit(1)
 }
@@ -56,7 +57,13 @@ for (const arg of args) {
 async function run() {
   const options = convertOptions(optionStrings)
   if(options.showDataVersion) {
-    console.log(`@cloud-copilot/iam-data version: ${iamDataVersion()}`)
+    const version = await iamDataVersion()
+    const updatedAt =
+    console.log(`${dataPackage} version: ${version}`)
+    console.log(`Data last updated: ${await iamDataUpdatedAt()}`)
+    console.log(`Update with either:`)
+    console.log(`  npm update ${dataPackage}`)
+    console.log(`  npm update -g ${dataPackage}`)
     return
   }
 

package/src/expand_file.test.ts

@@ -103,5 +103,84 @@ describe('expand_file', () => {
       // Then the document should be returned as is
       expect(result).toEqual(document)
     })
+
+    it('should expand a string NotAction', async () => {
+      // Given a document with an action
+      const document = {
+        a: {
+          b: {
+            "NotAction": "s3:Get*"
+          }
+        }
+      }
+      vi.mocked(expandIamActions).mockResolvedValue(["s3:GetObject", "s3:GetBucket"])
+
+      // When the document is expanded
+      const result = await expandJsonDocument({}, document)
+
+      // Then the action should be expanded
+      const expected = JSON.parse(JSON.stringify(document))
+      expected.a.b.NotAction = ["s3:GetObject", "s3:GetBucket"]
+      expect(result).toEqual(expected)
+    })
+
+    it('should expand an array of string NotActions', async () => {
+      // Given a document with an action
+      const document = {
+        a: {
+          b: {
+            "NotAction": ["s3:Get*", "s3:Put*"]
+          }
+        }
+      }
+      vi.mocked(expandIamActions).mockImplementation(async (actions, options) =>{
+        expect(options?.distinct).toBe(true)
+        return ["s3:GetObject", "s3:GetBucket", "s3:PutObject", "s3:PutBucket"]
+      })
+
+      // When the document is expanded
+      const result = await expandJsonDocument({}, document)
+
+      // Then the action should be expanded
+      const expected = JSON.parse(JSON.stringify(document))
+      expected.a.b.NotAction = ["s3:GetObject", "s3:GetBucket", "s3:PutObject", "s3:PutBucket"]
+      expect(result).toEqual(expected)
+    })
+
+    it('should not expand a NotAction if it is an object', async () => {
+      // Given a document with an action
+      const document = {
+        a: {
+          b: {
+            "NotAction": {
+              "key": "value"
+            }
+          }
+        }
+      }
+
+      // When the document is expanded
+      const result = await expandJsonDocument({}, document)
+
+      // Then the document should be returned as is
+      expect(result).toEqual(document)
+    })
+
+    it('should not expand a NotAction if it is an array of numbers', async () => {
+      // Given a document with an action
+      const document = {
+        a: {
+          b: {
+            "NotAction": [1, 2, 3]
+          }
+        }
+      }
+
+      // When the document is expanded
+      const result = await expandJsonDocument({}, document)
+
+      // Then the document should be returned as is
+      expect(result).toEqual(document)
+    })
   })
 })

package/src/expand_file.ts

@@ -9,7 +9,7 @@ import { expandIamActions, ExpandIamActionsOptions } from "./expand.js"
  * @returns the expanded JSON document
  */
 export async function expandJsonDocument(options: Partial<ExpandIamActionsOptions>, document: any, key?: string): Promise<any> {
-  if(key === 'Action') {
+  if(key === 'Action' || key === 'NotAction') {
     if(typeof document === 'string') {
       return await expandIamActions(document, options)
     }