driftctl/enumeration/remote/aws/iam_role_enumerator.go

package aws
import (
"github.com/snyk/driftctl/enumeration/remote/aws/repository"
remoteerror "github.com/snyk/driftctl/enumeration/remote/error"
"github.com/snyk/driftctl/enumeration/resource"
resourceaws "github.com/snyk/driftctl/enumeration/resource/aws"
)
// iamRoleExclusionList names IAM roles that the enumerator never reports, so
// they can never surface as drift. Each entry is an AWS service-linked role
// that AWS creates on its own and that cannot be removed or managed through
// IaC; reporting it would be a permanent false positive.
//
// NOTE(review): membership is decided on the bare role name only (see
// awsIamRoleShouldBeIgnored); the role's path is not compared. Confirm that
// nothing other than the genuine service-linked role can carry one of these
// names before relying on this list to hide resources from drift detection.
var iamRoleExclusionList = map[string]struct{}{
	// Enabled by default for aws to enable support, not removable
	"AWSServiceRoleForSupport": {},
	// Enabled and not removable for every org account
	"AWSServiceRoleForOrganizations": {},
	// Not manageable by IaC and set by default
	"AWSServiceRoleForTrustedAdvisor": {},
}
// IamRoleEnumerator lists AWS IAM roles through an IAMRepository and turns
// each one into an abstract resource via the configured ResourceFactory.
type IamRoleEnumerator struct {
	// repository is the source of IAM roles (see Enumerate, which calls ListAllRoles).
	repository repository.IAMRepository
	// factory builds the abstract resources returned by Enumerate.
	factory resource.ResourceFactory
}
// NewIamRoleEnumerator builds an IamRoleEnumerator that reads roles from
// repository and materialises them with factory. Neither argument is
// validated here; a nil repository will fail at Enumerate time.
func NewIamRoleEnumerator(repository repository.IAMRepository, factory resource.ResourceFactory) *IamRoleEnumerator {
	enumerator := &IamRoleEnumerator{
		repository: repository,
		factory:    factory,
	}
	return enumerator
}
// SupportedType reports the resource type this enumerator produces, which is
// always the AWS IAM role type.
func (e *IamRoleEnumerator) SupportedType() resource.ResourceType {
	var supported resource.ResourceType = resourceaws.AwsIamRoleResourceType
	return supported
}
// awsIamRoleShouldBeIgnored reports whether roleName is one of the
// AWS-managed service-linked roles in iamRoleExclusionList. The comparison is
// an exact, case-sensitive match on the name alone.
func awsIamRoleShouldBeIgnored(roleName string) bool {
	if _, excluded := iamRoleExclusionList[roleName]; excluded {
		return true
	}
	return false
}
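// Enumerate lists every IAM role visible through the repository and converts
// each one into an abstract aws_iam_role resource keyed by role name, with the
// role's path recorded as the "path" attribute.
//
// Roles whose name is in iamRoleExclusionList are dropped (AWS service-linked
// roles that cannot be managed by IaC). The match is on the bare name only;
// the path is not consulted for the exclusion decision.
//
// On a listing failure the repository error is wrapped in a
// ResourceListingError tagged with the IAM role type and no partial result is
// returned.
func (e *IamRoleEnumerator) Enumerate() ([]*resource.Resource, error) {
	roles, err := e.repository.ListAllRoles()
	if err != nil {
		return nil, remoteerror.NewResourceListingError(err, string(e.SupportedType()))
	}

	results := make([]*resource.Resource, 0, len(roles))
	for _, role := range roles {
		// RoleName is a pointer on the role type returned by the repository.
		// A role without a name has no usable resource ID, so skip it rather
		// than dereference nil when building the resource (the nil guard
		// previously covered only the exclusion lookup, not the ID below).
		if role.RoleName == nil {
			continue
		}
		name := *role.RoleName
		if awsIamRoleShouldBeIgnored(name) {
			continue
		}

		// Path is a pointer too; record an empty path instead of panicking
		// when it is absent.
		path := ""
		if role.Path != nil {
			path = *role.Path
		}

		results = append(results, e.factory.CreateAbstractResource(
			string(e.SupportedType()),
			name,
			map[string]interface{}{
				"path": path,
			},
		))
	}
	return results, nil
}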