JamesWoolfenden/sato: Sato converts ARM or CFN into Terraform

URL

https://github.com/JamesWoolfenden/sato

Sato

Converts CloudFormation (and now also ARM) into Terraform. In Go, quickerly.

Install

Download the latest releases https://github.com/JamesWoolfenden/sato/releases/tag/v0.1.19 or:

Compile locally:

git clone https://github.com/JamesWoolfenden/sato
cd sato
go install

Windows

I'm now using Scoop to distribute releases, it's much quicker to update and easier to manage than previous methods, you can install scoop from https://scoop.sh/.

Add my scoop bucket:

scoop bucket add iac https://github.com/JamesWoolfenden/scoop.git

Then you can install a tool:

scoop install sato

Usage

Get yourself some valid CloudFormation*

 git clone https://github.com/JamesWoolfenden/aws-cloudformation-templates
 >cd aws-cloudformation-templates/community/codestar/custom-ci-cd-pipeline
 ❯ ls
 README.md    template.yml
 >sato parse -f template.yml
 9:17PM INF Created .sato\variables.tf
 9:17PM INF Created .sato\data.tf
 9:17PM INF Created .sato\aws_codebuild_project.productionbuild.tf
 9:17PM INF Created .sato\aws_codebuild_project.productiondeploy.tf
 9:17PM INF Created .sato\aws_codebuild_project.stagingbuild.tf
 9:17PM INF Created .sato\aws_codebuild_project.stagingdeploy.tf
 9:17PM INF Created .sato\aws_iam_role.codebuildrole.tf
 9:17PM INF Created .sato\aws_codepipeline_pipeline.pipeline.tf
 9:17PM INF Created .sato\aws_iam_role.pipelinerole.tf
 9:17PM INF Created .sato\aws_s3_bucket.pipelines3bucket.tf

That's it. So by default (overridable) the parsed CloudFormation (now Terraform) will be in a .sato subdirectory. So let's have a look see:

> ls .sato
aws_codebuild_project.productionbuild.tf  aws_codebuild_project.stagingbuild.tf     aws_codepipeline_pipeline.pipeline.tf     aws_iam_role.pipelinerole.tf              variables.tf
aws_codebuild_project.productiondeploy.tf aws_codebuild_project.stagingdeploy.tf    aws_iam_role.codebuildrole.tf             aws_s3_bucket.pipelines3bucket.tf

So there are some files that could be Terraform.

The Cats Pyjamas

Testing...

>terraform init
...
Terraform has been successfully initialized!
....
>terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
...
Plan: 12 to add, 0 to change, 0 to destroy.
...

See - finds the terraform resource

This tells you the equivalent resource required given a CF ..... or an ARM resource;

$ sato see -r Microsoft.Storage/storageAccounts
azurerm_storage_account

$sato see -r AWS::EC2::Instance
aws_instance%

Bisect - ARM to terraform

What? You've got these legacy ARM templates, and you'd dearly love to drop them, but you really don't fancy Bicep and the rework. I got you covered. Sato now bisects ARM into Terraform - Take one of the Azure quickstart examples from here https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.compute/vm-simple-windows:

Clone it:

git clone https://github.com/Azure/azure-quickstart-templates.git

Then bisect it!

$ sato bisect -f /Users/jwoolfenden/code/azure-quickstart-templates/quickstarts/microsoft.compute/vm-simple-windows/azuredeploy.json
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/variables.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/locals.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_storage_account.sato0.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_public_ip.sato1.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_network_security_group.sato2.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_virtual_network.sato3.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_network_interface.sato4.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_virtual_machine.sato5.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/azurerm_virtual_machine_extension.sato6.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/outputs.tf
1:56PM INF Created /Users/jwoolfenden/code/sato/.sato/data.tf

I make an opinionated translation, in Terraform there are no parameters, resources and dependencies are very different, there's no 1 for 1 - ARM to Terraform, so the aim is to get you close to 100%.

There needs to be a lot of work supporting resources and built-in functions/template as yet. If you want to use this, let me know so, then I'll know to do so, or even better send me a PR.

Extra credit - Pike

If you use my other tool, Pike you can now apply that and get the policy requirements:

pike scan -d .sato -o json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "codebuild:BatchGetProjects",
        "codebuild:CreateProject",
        "codebuild:DeleteProject",
        "codebuild:UpdateProject"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "codepipeline:CreatePipeline",
        "codepipeline:DeletePipeline",
        "codepipeline:GetPipeline",
        "codepipeline:ListTagsForResource"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:PassRole",
        "iam:PutRolePolicy"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketAcl",
        "s3:GetBucketCORS",
        "s3:GetBucketLogging",
        "s3:GetBucketObjectLockConfiguration",
        "s3:GetBucketPolicy",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketTagging",
        "s3:GetBucketVersioning",
        "s3:GetBucketWebsite",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetReplicationConfiguration",
        "s3:ListBucket"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Valid CloudFormation

Ditch it all, Ok, ok but some older samples can play fast and lose with the CloudFormation schema and data types. The Go-formation parser is less accommodating, you may need to be stricter on your typing.

Booleans are true or false and not "false"
Ints are 1,2,3 not "1", "2", "3"