driftctl/pkg/middlewares/aws_defaults.go

package middlewares
import (
"strings"
"github.com/cloudskiff/driftctl/pkg/resource"
"github.com/cloudskiff/driftctl/pkg/resource/aws"
"github.com/sirupsen/logrus"
)
// defaultIamRolePathPrefix is the IAM path under which AWS places the
// service-linked roles it creates on behalf of its own services. AWS
// documents this path as reserved for such roles, so a role whose "path"
// attribute starts with it is treated here as an AWS default rather than
// user-managed infrastructure.
const defaultIamRolePathPrefix = "/aws-service-role/"
// AwsDefaults is a middleware that hides service-linked AWS resources
// (IAM roles under defaultIamRolePathPrefix and the role policies attached to them).
// When scanning an AWS account, some users may see irrelevant results about default AWS roles or role policies.
// We ignore these resources by default when strict mode is disabled.
type AwsDefaults struct{}
// NewAwsDefaults returns a ready-to-use AwsDefaults middleware.
// The type carries no state, so its zero value is the only value.
func NewAwsDefaults() AwsDefaults {
	var m AwsDefaults
	return m
}
// awsIamRoleDefaults returns every aws_iam_role in remoteResources whose
// "path" attribute starts with defaultIamRolePathPrefix, i.e. the
// service-linked roles that AWS manages itself. Resources of any other type,
// and roles with no "path" attribute, are never selected. The result is an
// empty (non-nil) slice when nothing matches.
func (m AwsDefaults) awsIamRoleDefaults(remoteResources []resource.Resource) []resource.Resource {
	ignored := make([]resource.Resource, 0)
	for _, res := range remoteResources {
		if res.TerraformType() != aws.AwsIamRoleResourceType {
			continue
		}
		rolePath := res.Attributes().GetString("path")
		// A missing path can never carry the reserved prefix.
		if rolePath != nil && strings.HasPrefix(*rolePath, defaultIamRolePathPrefix) {
			ignored = append(ignored, res)
		}
	}
	return ignored
}
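// awsIamRolePolicyDefaults returns every aws_iam_role_policy in
// remoteResources that is attached to a service-linked role, i.e. a role
// that awsIamRoleDefaults selects. Attachment is decided by the policy's
// "role" attribute being equal to the role's Terraform id within the same
// remoteResources slice.
//
// A policy whose "role" attribute is missing, or whose role is not part of
// remoteResources or has no "path" attribute, is kept rather than ignored;
// the previous lookup dereferenced a nil role pointer in that case. The
// result is an empty (non-nil) slice when nothing matches.
func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resource) []resource.Resource {
	// Index the service-linked roles once so each policy costs a map lookup
	// instead of a second pass over remoteResources.
	defaultRoles := make(map[string]struct{})
	for _, role := range m.awsIamRoleDefaults(remoteResources) {
		defaultRoles[role.TerraformId()] = struct{}{}
	}

	resourcesToIgnore := make([]resource.Resource, 0)
	for _, remoteResource := range remoteResources {
		// Ignore all resources other than role policy
		if remoteResource.TerraformType() != aws.AwsIamRolePolicyResourceType {
			continue
		}
		roleName := remoteResource.Attributes().GetString("role")
		if roleName == nil {
			continue
		}
		if _, isDefault := defaultRoles[*roleName]; isDefault {
			resourcesToIgnore = append(resourcesToIgnore, remoteResource)
		}
	}
	return resourcesToIgnore
}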
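// Execute removes the AWS-managed default resources (service-linked IAM
// roles and the role policies attached to them) from both remoteResources
// and resourcesFromState so they are not reported as drift. Each dropped
// resource is logged at debug level with its id and type. Both slices are
// replaced in place with new, non-nil slices; the returned error is always nil.
func (m AwsDefaults) Execute(remoteResources, resourcesFromState *[]resource.Resource) error {
	// Defaults are detected on the remote side only: what exists in the
	// account decides what is ignored, and that same set is then removed
	// from the state side so neither view reports it.
	resourcesToIgnore := make([]resource.Resource, 0)
	resourcesToIgnore = append(resourcesToIgnore, m.awsIamRoleDefaults(*remoteResources)...)
	resourcesToIgnore = append(resourcesToIgnore, m.awsIamRolePolicyDefaults(*remoteResources)...)

	*remoteResources = m.withoutIgnored(*remoteResources, resourcesToIgnore)
	*resourcesFromState = m.withoutIgnored(*resourcesFromState, resourcesToIgnore)
	return nil
}

// withoutIgnored returns the elements of resources that match no entry of
// ignore (per resource.IsSameResource), preserving their order. Every
// dropped resource is logged at debug level. The result is non-nil even
// when empty.
func (m AwsDefaults) withoutIgnored(resources, ignore []resource.Resource) []resource.Resource {
	kept := make([]resource.Resource, 0, len(resources))
	for _, res := range resources {
		ignored := false
		for _, candidate := range ignore {
			if resource.IsSameResource(res, candidate) {
				ignored = true
				break
			}
		}
		if !ignored {
			kept = append(kept, res)
			continue
		}
		logrus.WithFields(logrus.Fields{
			"id":   res.TerraformId(),
			"type": res.TerraformType(),
		}).Debug("Ignoring default AWS resource")
	}
	return kept
}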