Skip to content

tcmarkfeld/Conductor

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
src
src
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
Conductor.slnx
Conductor.slnx
 
 
README.md
README.md
 
 

Repository files navigation

Conductor

Conductor is a CLI tool that scans C# MassTransit + Amazon SQS/SNS configuration and generates a least-privilege IAM policy JSON.

What it does

  • Scans a repo for MassTransit Amazon SQS usage.
  • Detects queues/topics from common patterns:
    • UsingAmazonSqs(...)
    • ReceiveEndpoint(...)
    • ec.Subscribe(...)
    • bus.Message<T>(x => x.SetEntityName(...))
    • EndpointConvention.Map<T>(new Uri(...))
  • Resolves names from:
    • string literals
    • const values
    • simple .Replace("{{env}}", ...) patterns
  • Outputs deterministic IAM JSON policy or Terraform (depending on the --format you select).

Requirements

  • .NET SDK 10+ installed
  • macOS/Linux/Windows shell

Check version:

dotnet --version

Install From NuGet (Global Tool)

Install:

dotnet tool install -g Conductor.Tool

Update:

dotnet tool update -g Conductor.Tool

Uninstall:

dotnet tool uninstall -g Conductor.Tool

Install From Repository

From repo root:

dotnet restore Conductor.slnx
dotnet build Conductor.slnx -c Release

Run after install:

conductor --help
conductor generate --repo /absolute/path/to/repo --out ./policy.json

Run

Use the built CLI:

dotnet ./src/Conductor.Cli/bin/Release/net10.0/Conductor.dll generate \
  --repo /absolute/path/to/your/repo \
  --out /absolute/path/to/policy.json

Command

conductor generate --repo <path> --out <path> [options]

Required flags

  • --repo Path to the repository to scan
  • --out Output path:
    • if --scope repo: output file path
    • if --scope folder: output directory path

Optional flags

  • --scope repo|folder. Default: repo
  • --format Output format (iam-json or terraform). Default: iam-json
  • --strict true|false. Default: true
  • --region ARN region token/value. Default: ${region}
  • --account-id ARN account token/value. Default: ${account_id}
  • --env reserved for future expansion. Default: ${env}

Examples

1) Default tokenized output

dotnet ./src/Conductor.Cli/bin/Release/net10.0/conductor.dll generate \
  --repo /Users/me/source/my-service \
  --out ./policy.json

2) Concrete account + region in ARNs

dotnet ./src/Conductor.Cli/bin/Release/net10.0/conductor.dll generate \
  --repo /Users/me/source/my-service \
  --out ./policy.prod.json \
  --region us-east-2 \
  --account-id 123456789012

3) Non-strict mode (warn and continue)

dotnet ./src/Conductor.Cli/bin/Release/net10.0/conductor.dll generate \
  --repo /Users/me/source/my-service \
  --out ./policy.json \
  --strict false

4) Monorepo mode (one policy per top-level folder)

dotnet ./src/Conductor.Cli/bin/Release/net10.0/conductor.dll generate \
  --repo /Users/me/source/repos/<repo-name> \
  --scope folder \
  --out ./policies \
  --strict false

This creates files like:

  • ./policies/Company.Api.policy.json
  • ./policies/Company.BlogAgent.policy.json
  • etc. (for folders where MassTransit SQS/SNS usage is detected)

When --format terraform is selected, generated files use .policy.tf.

Strict mode behavior

When --strict true:

  • unresolved queue/topic names are treated as errors
  • command exits non-zero
  • diagnostics are printed to stderr with source file paths

Test

dotnet test Conductor.slnx -c Release

Output

  • scope=repo: one policy output at --out path (JSON for iam-json, HCL for terraform)
  • scope=folder: one policy output per top-level folder in repo (.policy.json for iam-json, .policy.tf for terraform)

Sample generated output

Example input assumptions:

  • queue detected: order-submit
  • topic detected: order-events
  • default tokenized ARN parts: region=${region}, account_id=${account_id}
  • fault publish behavior enabled (so MassTransit fault topics are included)

IAM JSON (--format iam-json)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SqsManageQueues",
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:CreateQueue",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes",
        "sqs:GetQueueUrl",
        "sqs:PurgeQueue",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "sqs:SetQueueAttributes",
        "sqs:TagQueue"
      ],
      "Resource": [
        "arn:aws:sqs:${region}:${account_id}:order-submit",
        "arn:aws:sqs:${region}:${account_id}:order-submit_error",
        "arn:aws:sqs:${region}:${account_id}:order-submit_skipped"
      ]
    },
    {
      "Sid": "SnsManageTopics",
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:SetTopicAttributes",
        "sns:Subscribe",
        "sns:TagResource",
        "sns:Unsubscribe"
      ],
      "Resource": [
        "arn:aws:sns:${region}:${account_id}:MassTransit-Fault*",
        "arn:aws:sns:${region}:${account_id}:MassTransit-ReceiveFault",
        "arn:aws:sns:${region}:${account_id}:order-events"
      ]
    }
  ]
}

Terraform HCL (--format terraform)

data "aws_iam_policy_document" "conductor_sqs" {
  statement {
    sid    = "SqsManageQueues"
    effect = "Allow"
    actions = [
      "sqs:ChangeMessageVisibility",
      "sqs:CreateQueue",
      "sqs:DeleteMessage",
      "sqs:GetQueueAttributes",
      "sqs:GetQueueUrl",
      "sqs:PurgeQueue",
      "sqs:ReceiveMessage",
      "sqs:SendMessage",
      "sqs:SetQueueAttributes",
      "sqs:TagQueue",
    ]
    resources = [
      "arn:aws:sqs:${region}:${account_id}:order-submit",
      "arn:aws:sqs:${region}:${account_id}:order-submit_error",
      "arn:aws:sqs:${region}:${account_id}:order-submit_skipped",
    ]
  }
}

data "aws_iam_policy_document" "conductor_sns" {
  statement {
    sid    = "SnsManageTopics"
    effect = "Allow"
    actions = [
      "sns:CreateTopic",
      "sns:GetTopicAttributes",
      "sns:Publish",
      "sns:SetTopicAttributes",
      "sns:Subscribe",
      "sns:TagResource",
      "sns:Unsubscribe",
    ]
    resources = [
      "arn:aws:sns:${region}:${account_id}:MassTransit-Fault*",
      "arn:aws:sns:${region}:${account_id}:MassTransit-ReceiveFault",
      "arn:aws:sns:${region}:${account_id}:order-events",
    ]
  }
}

Current limitations

  • Focused on common MassTransit SQS/SNS patterns (not every dynamic/metaprogrammed style).
  • If endpoint names are fully dynamic/runtime-only, strict mode will fail by design.

Roadmap (planned)

  • Expanded analyzer coverage for additional MassTransit patterns.

Contributing

  1. Create feature branch
  2. Add/adjust tests
  3. Run build + tests
  4. Open PR

About

CLI tool that scans MassTransit + Amazon SQS/SNS config and generates least-privilege IAM policies and Terraform resources.

Topics

cli aws security devops dotnet terraform iam sqs sns sqs-queue masstransit sns-topic

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages