driftctl/pkg/remote/resource_enumeration_error_...

package remote

import (
	"fmt"
	"strings"

	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/cloudskiff/driftctl/pkg/alerter"
	"github.com/cloudskiff/driftctl/pkg/remote/aws"
	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
	"github.com/cloudskiff/driftctl/pkg/remote/github"
	"github.com/sirupsen/logrus"
)

type EnumerationAccessDeniedAlert struct {
	message  string
	provider string
}

func NewEnumerationAccessDeniedAlert(provider, supplierType, listedTypeError string) *EnumerationAccessDeniedAlert {
	message := fmt.Sprintf("Ignoring %s from drift calculation: Listing %s is forbidden.", supplierType, listedTypeError)
	return &EnumerationAccessDeniedAlert{message, provider}
}

func (e *EnumerationAccessDeniedAlert) Message() string {
	return e.message
}

func (e *EnumerationAccessDeniedAlert) ShouldIgnoreResource() bool {
	return true
}

func (e *EnumerationAccessDeniedAlert) GetProviderMessage() string {
	message := "It seems that we got access denied exceptions while listing resources.\n"
	switch e.provider {
	case github.RemoteGithubTerraform:
		message += "Please be sure that your Github token has the right permissions, check the last up-to-date documentation there: https://docs.driftctl.com/github/policy"
	case aws.RemoteAWSTerraform:
		message += "The latest minimal read-only IAM policy for driftctl is always available here, please update yours: https://docs.driftctl.com/aws/policy"
	default:
		return ""
	}
	return message
}

func HandleResourceEnumerationError(err error, alerter alerter.AlerterInterface) error {
	listError, ok := err.(*remoteerror.ResourceEnumerationError)
	if !ok {
		return err
	}

	rootCause := listError.RootCause()

	reqerr, ok := rootCause.(awserr.RequestFailure)
	if ok {
		return handleAWSError(alerter, listError, reqerr)
	}

	if strings.HasPrefix(
		rootCause.Error(),
		"Your token has not been granted the required scopes to execute this query.",
	) {
		sendEnumerationAlert(github.RemoteGithubTerraform, alerter, listError)
		return nil
	}

	return err
}

func handleAWSError(alerter alerter.AlerterInterface, listError *remoteerror.ResourceEnumerationError, reqerr awserr.RequestFailure) error {
	if reqerr.StatusCode() == 403 || (reqerr.StatusCode() == 400 && strings.Contains(reqerr.Code(), "AccessDenied")) {
		sendEnumerationAlert(aws.RemoteAWSTerraform, alerter, listError)
		return nil
	}

	return reqerr
}

func sendEnumerationAlert(provider string, alerter alerter.AlerterInterface, listError *remoteerror.ResourceEnumerationError) {
	logrus.WithFields(logrus.Fields{
		"supplier_type": listError.SupplierType(),
		"listed_type":   listError.ListedTypeError(),
	}).Debugf("Got an access denied error")
	alerter.SendAlert(listError.SupplierType(), NewEnumerationAccessDeniedAlert(provider, listError.SupplierType(), listError.ListedTypeError()))
}
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`package remote`

			`import (`
			`"fmt"`
add support for dynamodb_table 2021-02-11 11:21:49 +00:00			`"strings"`

alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`"github.com/aws/aws-sdk-go/aws/awserr"`
			`"github.com/cloudskiff/driftctl/pkg/alerter"`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`"github.com/cloudskiff/driftctl/pkg/remote/aws"`
			`remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"`
			`"github.com/cloudskiff/driftctl/pkg/remote/github"`
Issue 226: Update resource_enumeration_error_handler to implement Alert interface 2021-02-12 21:35:21 +00:00			`"github.com/sirupsen/logrus"`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`)`

Issue 226: Update resource_enumeration_error_handler to implement Alert interface 2021-02-12 21:35:21 +00:00			`type EnumerationAccessDeniedAlert struct {`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`message string`
			`provider string`
Issue 226: Update resource_enumeration_error_handler to implement Alert interface 2021-02-12 21:35:21 +00:00			`}`

Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`func NewEnumerationAccessDeniedAlert(provider, supplierType, listedTypeError string) *EnumerationAccessDeniedAlert {`
Issue 226: Update resource_enumeration_error_handler to implement Alert interface 2021-02-12 21:35:21 +00:00			`message := fmt.Sprintf("Ignoring %s from drift calculation: Listing %s is forbidden.", supplierType, listedTypeError)`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`return &EnumerationAccessDeniedAlert{message, provider}`
Issue 226: Update resource_enumeration_error_handler to implement Alert interface 2021-02-12 21:35:21 +00:00			`}`

			`func (e *EnumerationAccessDeniedAlert) Message() string {`
			`return e.message`
			`}`

			`func (e *EnumerationAccessDeniedAlert) ShouldIgnoreResource() bool {`
			`return true`
			`}`

Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`func (e *EnumerationAccessDeniedAlert) GetProviderMessage() string {`
			`message := "It seems that we got access denied exceptions while listing resources.\n"`
			`switch e.provider {`
			`case github.RemoteGithubTerraform:`
fix: doc deep links for providers authentication 2021-05-12 09:31:00 +00:00			`message += "Please be sure that your Github token has the right permissions, check the last up-to-date documentation there: https://docs.driftctl.com/github/policy"`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`case aws.RemoteAWSTerraform:`
fix: doc deep links for providers authentication 2021-05-12 09:31:00 +00:00			`message += "The latest minimal read-only IAM policy for driftctl is always available here, please update yours: https://docs.driftctl.com/aws/policy"`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`default:`
			`return ""`
			`}`
			`return message`
			`}`

Add scanner test 2021-06-28 09:00:59 +00:00			`func HandleResourceEnumerationError(err error, alerter alerter.AlerterInterface) error {`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`listError, ok := err.(*remoteerror.ResourceEnumerationError)`
			`if !ok {`
			`return err`
			`}`

Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`rootCause := listError.RootCause()`

			`reqerr, ok := rootCause.(awserr.RequestFailure)`
			`if ok {`
			`return handleAWSError(alerter, listError, reqerr)`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`}`

Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00			`if strings.HasPrefix(`
			`rootCause.Error(),`
			`"Your token has not been granted the required scopes to execute this query.",`
			`) {`
			`sendEnumerationAlert(github.RemoteGithubTerraform, alerter, listError)`
alert and ignore when listing resources is forbidden 2021-01-20 13:01:57 +00:00			`return nil`
			`}`

			`return err`
			`}`
Handle enumeration error from multiples providers 2021-03-02 10:39:14 +00:00
			`func handleAWSError(alerter alerter.AlerterInterface, listError *remoteerror.ResourceEnumerationError, reqerr awserr.RequestFailure) error {`
			`if reqerr.StatusCode() == 403 \|\| (reqerr.StatusCode() == 400 && strings.Contains(reqerr.Code(), "AccessDenied")) {`
			`sendEnumerationAlert(aws.RemoteAWSTerraform, alerter, listError)`
			`return nil`
			`}`

			`return reqerr`
			`}`

			`func sendEnumerationAlert(provider string, alerter alerter.AlerterInterface, listError *remoteerror.ResourceEnumerationError) {`
			`logrus.WithFields(logrus.Fields{`
			`"supplier_type": listError.SupplierType(),`
			`"listed_type": listError.ListedTypeError(),`
			`}).Debugf("Got an access denied error")`
			`alerter.SendAlert(listError.SupplierType(), NewEnumerationAccessDeniedAlert(provider, listError.SupplierType(), listError.ListedTypeError()))`
			`}`