feat: add AI-powered policy generation command

.gitignore

@@ -37,3 +37,9 @@ Thumbs.db
 *.key
 credentials.json
 secrets.yaml
+
+# Generated policy files
+*-full-access-policy.json
+*-iam-reference.json
+*-policy-documentation.md
+*-scp.json

README.md

@@ -98,6 +98,98 @@ A single-binary Go tool for testing AWS IAM policies using scenario-based YAML c
   - Displays full statement JSON from source for failed tests
   - Optional --show-matched-success flag for passing tests
 
+- **AI-powered policy generation** (NEW)
+  - Generate security-focused IAM policies from AWS documentation
+  - Scrapes actions, conditions, and resource types automatically
+  - Uses OpenAI-compatible LLM APIs to create compliant policies
+  - Produces documentation explaining each policy statement
+  - 24-hour caching of AWS documentation pages
+
+## Generate Command
+
+The `generate` command creates security-focused IAM policies by scraping AWS service authorization documentation and using an LLM to generate appropriate policy statements.
+
+### Features
+
+- **Automatic scraping** of IAM actions, condition keys, and resource types from AWS docs
+- **Parallel batch processing** for faster policy generation
+- **Customizable prompts** to specify your security requirements
+- **24-hour caching** of documentation pages to reduce API calls
+- **Three output files**:
+  - `{service}-iam-reference.json` - Scraped IAM data
+  - `{service}-full-access-policy.json` - Generated policy
+  - `{service}-policy-documentation.md` - Human-readable documentation
+
+### Usage
+
+```bash
+politest generate [flags]
+
+Flags:
+  --url string          AWS IAM documentation URL (required)
+  --base-url string     OpenAI-compatible API base URL (required)
+  --model string        LLM model name (required)
+  --api-key string      API key for LLM service
+  --output string       Output directory (default ".")
+  --prompt string       Custom requirements/constraints for policy generation
+  --concurrency int     Number of parallel batch requests (default 3)
+  --no-enrich           Skip action description enrichment
+  --quiet               Suppress progress output
+```
+
+### Example
+
+```bash
+./politest generate \
+  --url "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html" \
+  --base-url "https://your-llm-api.example.com/api" \
+  --model "claude-3-sonnet" \
+  --api-key "$LLM_API_KEY" \
+  --output "./output" \
+  --concurrency 4 \
+  --prompt "Require VPC endpoint conditions where supported. Deny access to \
+foundation models which require cross region inference. Include resource-level \
+permissions for all model invocation actions."
+```
+
+### Output
+
+The command generates three files:
+
+1. **IAM Reference** (`bedrock-iam-reference.json`)
+   - All scraped actions with descriptions and access levels
+   - Available condition keys and their types
+   - Resource types and ARN patterns
+
+2. **Generated Policy** (`bedrock-full-access-policy.json`)
+   - Security-focused IAM policy with grouped statements
+   - Includes conditions like `aws:SecureTransport` and MFA requirements
+   - Uses placeholder variables (e.g., `${AWS::AccountId}`, `${VpcEndpointId}`)
+
+3. **Documentation** (`bedrock-policy-documentation.md`)
+   - Explanation of each policy statement
+   - Variables that need to be configured
+   - Security summary and compliance considerations
+   - Usage recommendations
+
+### Placeholder Variables
+
+The generated policy uses consistent placeholder variables that you must replace:
+
+| Variable | Description |
+|----------|-------------|
+| `${AWS::AccountId}` | Your AWS account ID |
+| `${AWS::Region}` | Target AWS region |
+| `${VpcEndpointId}` | VPC endpoint ID for endpoint conditions |
+| `${VpcId}` | VPC ID |
+| `${OrgId}` | AWS Organization ID |
+| `${PrincipalTag/Department}` | Principal tag values |
+| `${ResourceTag/Environment}` | Resource tag values |
+
+### Caching
+
+AWS documentation pages are cached locally in `~/.cache/politest/` for 24 hours to reduce network requests during iterative policy development.
+
 ## ⚠️ Understanding What politest Tests
 
 **politest is a pre-deployment validation tool that helps you catch IAM policy issues early, but it is NOT a replacement for integration testing in real AWS environments.**

examples.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Example politest generate commands
+
+# Bedrock - Invoke-only policy (least privilege for model invocation)
+# With --scp flag, generates both identity policy AND Service Control Policy
+
+# Allowed models (update this list as needed)
+ALLOWED_MODELS=(
+  "arn:aws:bedrock:eu-west-2::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0"
+)
+
+MODELS_LIST=$(IFS=', '; echo "${ALLOWED_MODELS[*]}")
+ALLOWED_REGION="eu-west-2"
+
+go run . generate \
+  --url "https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html" \
+  --base-url "https://api.openai.com" \
+  --model "gpt-4o" \
+  --api-key "$(cat ~/.ssh/openai_api_key)" \
+  --scp \
+  --prompt "I need a policy for a developer who can ONLY call specific Bedrock foundation models - nothing else.
+
+ALLOWED MODELS: ${MODELS_LIST}
+ALLOWED REGION: ${ALLOWED_REGION}
+
+THE DEVELOPER SHOULD BE ABLE TO:
+- Call the allowed models using InvokeModel and InvokeModelWithResponseStream
+- Discover what models exist using Get*, Describe*, List* wildcards only (do NOT list individual Get/Describe/List actions)
+
+THE DEVELOPER MUST NOT BE ABLE TO:
+- Call any models other than those listed above
+- Use cross-region inference or global cross-region inference (CRIS)
+- Create, update, delete, or manage any Bedrock resources
+- Invoke agents, flows, or anything other than foundation models
+- Do anything administrative
+
+POLICY SPLIT (SCP will be generated separately):
+- Identity policy: Only ALLOW statements with actions and resources - no conditions like SecureTransport
+- SCP: All security guardrails (SecureTransport, region locks, NotAction allowlist)
+
+For the identity policy: Keep it minimal - just actions and resources. Do NOT include SecureTransport conditions or any deny statements - those all go in the SCP. Use ONLY wildcards for read operations - do not list individual actions that are already covered by wildcards."

go.mod

@@ -1,10 +1,13 @@
 module politest
 
-go 1.24
+go 1.24.0
+
+toolchain go1.24.4
 
 require (
 	github.com/aws/aws-sdk-go-v2/config v1.31.15
 	github.com/aws/aws-sdk-go-v2/service/iam v1.48.1
+	golang.org/x/net v0.47.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 
@@ -21,4 +24,9 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 // indirect
 	github.com/aws/smithy-go v1.23.1 // indirect
+	github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/schollz/progressbar/v3 v3.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
 )

go.sum

@@ -26,6 +26,18 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.38.9 h1:Ekml5vGg6sHSZLZJQJagefnVe6Pm
 github.com/aws/aws-sdk-go-v2/service/sts v1.38.9/go.mod h1:/e15V+o1zFHWdH3u7lpI3rVBcxszktIKuHKCY2/py+k=
 github.com/aws/smithy-go v1.23.1 h1:sLvcH6dfAFwGkHLZ7dGiYF7aK6mg4CgKA/iDKjLDt9M=
 github.com/aws/smithy-go v1.23.1/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ=
+github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/schollz/progressbar/v3 v3.18.0 h1:uXdoHABRFmNIjUfte/Ex7WtuyVslrw2wVPQmCN62HpA=
+github.com/schollz/progressbar/v3 v3.18.0/go.mod h1:IsO3lpbaGuzh8zIMzgY3+J8l4C8GjO0Y9S69eFvNsec=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=