2021-04-01 17:30:02 +00:00
|
|
|
package middlewares
|
|
|
|
|
|
|
|
import (
|
2021-04-09 11:07:15 +00:00
|
|
|
"strings"
|
2021-04-01 17:30:02 +00:00
|
|
|
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/resource"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/resource/aws"
|
2021-04-12 15:05:32 +00:00
|
|
|
"github.com/sirupsen/logrus"
|
2021-04-01 17:30:02 +00:00
|
|
|
)
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
const defaultIamRolePathPrefix = "/aws-service-role/"
|
2021-04-01 17:30:02 +00:00
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
// AwsDefaults represents service-linked AWS resources
|
|
|
|
// When scanning a AWS account, some users may see irrelevant results about default AWS roles or role policies.
|
2021-04-01 17:30:02 +00:00
|
|
|
// We ignore these resources by default when strict mode is disabled.
|
|
|
|
type AwsDefaults struct{}
|
|
|
|
|
|
|
|
func NewAwsDefaults() AwsDefaults {
|
|
|
|
return AwsDefaults{}
|
|
|
|
}
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
func (m AwsDefaults) awsIamRoleDefaults(remoteResources []resource.Resource) []resource.Resource {
|
|
|
|
resourcesToIgnore := make([]resource.Resource, 0)
|
2021-04-01 17:30:02 +00:00
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
for _, remoteResource := range remoteResources {
|
2021-04-01 17:30:02 +00:00
|
|
|
// Ignore all resources other than iam role
|
|
|
|
if remoteResource.TerraformType() != aws.AwsIamRoleResourceType {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2021-06-17 15:25:53 +00:00
|
|
|
path := remoteResource.Attributes().GetString("path")
|
|
|
|
if path == nil {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
if match := strings.HasPrefix(*path, defaultIamRolePathPrefix); match {
|
2021-04-09 11:07:15 +00:00
|
|
|
resourcesToIgnore = append(resourcesToIgnore, remoteResource)
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
return resourcesToIgnore
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resource) []resource.Resource {
|
|
|
|
resourcesToIgnore := make([]resource.Resource, 0)
|
2021-04-01 17:30:02 +00:00
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
for _, remoteResource := range remoteResources {
|
2021-04-01 17:30:02 +00:00
|
|
|
// Ignore all resources other than role policy
|
|
|
|
if remoteResource.TerraformType() != aws.AwsIamRolePolicyResourceType {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
2021-05-07 15:47:53 +00:00
|
|
|
var role *resource.AbstractResource
|
2021-04-09 11:07:15 +00:00
|
|
|
for _, res := range remoteResources {
|
2021-05-07 15:47:53 +00:00
|
|
|
if res.TerraformType() == aws.AwsIamRoleResourceType &&
|
|
|
|
res.TerraformId() == (*remoteResource.(*resource.AbstractResource).Attrs)["role"] {
|
|
|
|
role = res.(*resource.AbstractResource)
|
2021-04-09 11:07:15 +00:00
|
|
|
break
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-05-07 15:47:53 +00:00
|
|
|
if match := strings.HasPrefix((*role.Attrs)["path"].(string), defaultIamRolePathPrefix); match {
|
2021-04-09 11:07:15 +00:00
|
|
|
resourcesToIgnore = append(resourcesToIgnore, remoteResource)
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
return resourcesToIgnore
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func (m AwsDefaults) Execute(remoteResources, resourcesFromState *[]resource.Resource) error {
|
2021-04-12 15:05:32 +00:00
|
|
|
newRemoteResources := make([]resource.Resource, 0)
|
|
|
|
newResourcesFromState := make([]resource.Resource, 0)
|
2021-04-09 11:07:15 +00:00
|
|
|
resourcesToIgnore := make([]resource.Resource, 0)
|
|
|
|
|
|
|
|
resourcesToIgnore = append(resourcesToIgnore, m.awsIamRoleDefaults(*remoteResources)...)
|
|
|
|
resourcesToIgnore = append(resourcesToIgnore, m.awsIamRolePolicyDefaults(*remoteResources)...)
|
|
|
|
|
2021-04-12 15:05:32 +00:00
|
|
|
for _, res := range *remoteResources {
|
|
|
|
ignored := false
|
|
|
|
|
|
|
|
for _, resourceToIgnore := range resourcesToIgnore {
|
2021-04-09 11:07:15 +00:00
|
|
|
if resource.IsSameResource(res, resourceToIgnore) {
|
2021-04-12 15:05:32 +00:00
|
|
|
ignored = true
|
|
|
|
break
|
2021-04-09 11:07:15 +00:00
|
|
|
}
|
|
|
|
}
|
2021-04-12 15:05:32 +00:00
|
|
|
|
|
|
|
if !ignored {
|
|
|
|
newRemoteResources = append(newRemoteResources, res)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
logrus.WithFields(logrus.Fields{
|
|
|
|
"id": res.TerraformId(),
|
|
|
|
"type": res.TerraformType(),
|
|
|
|
}).Debug("Ignoring default AWS resource")
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, res := range *resourcesFromState {
|
|
|
|
ignored := false
|
|
|
|
|
|
|
|
for _, resourceToIgnore := range resourcesToIgnore {
|
2021-04-09 11:07:15 +00:00
|
|
|
if resource.IsSameResource(res, resourceToIgnore) {
|
2021-04-12 15:05:32 +00:00
|
|
|
ignored = true
|
|
|
|
break
|
2021-04-09 11:07:15 +00:00
|
|
|
}
|
|
|
|
}
|
2021-04-12 15:05:32 +00:00
|
|
|
|
|
|
|
if !ignored {
|
|
|
|
newResourcesFromState = append(newResourcesFromState, res)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
logrus.WithFields(logrus.Fields{
|
|
|
|
"id": res.TerraformId(),
|
|
|
|
"type": res.TerraformType(),
|
|
|
|
}).Debug("Ignoring default AWS resource")
|
2021-04-01 17:30:02 +00:00
|
|
|
}
|
|
|
|
|
2021-04-09 11:07:15 +00:00
|
|
|
*remoteResources = newRemoteResources
|
|
|
|
*resourcesFromState = newResourcesFromState
|
2021-04-01 17:30:02 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|