2020-12-09 15:31:34 +00:00
|
|
|
package aws
|
|
|
|
|
|
|
|
import (
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam"
|
|
|
|
"github.com/aws/aws-sdk-go/service/iam/iamiface"
|
2021-01-20 13:01:57 +00:00
|
|
|
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
|
|
|
|
|
2020-12-09 15:31:34 +00:00
|
|
|
"github.com/cloudskiff/driftctl/pkg/remote/deserializer"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/resource"
|
|
|
|
resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
|
|
|
|
awsdeserializer "github.com/cloudskiff/driftctl/pkg/resource/aws/deserializer"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/terraform"
|
|
|
|
|
|
|
|
"github.com/sirupsen/logrus"
|
|
|
|
"github.com/zclconf/go-cty/cty"
|
|
|
|
)
|
|
|
|
|
|
|
|
var iamRoleExclusionList = map[string]struct{}{
|
|
|
|
// Enabled by default for aws to enable support, not removable
|
|
|
|
"AWSServiceRoleForSupport": {},
|
|
|
|
// Enabled and not removable for every org account
|
|
|
|
"AWSServiceRoleForOrganizations": {},
|
|
|
|
// Not manageable by IaC and set by default
|
|
|
|
"AWSServiceRoleForTrustedAdvisor": {},
|
|
|
|
}
|
|
|
|
|
|
|
|
type IamRoleSupplier struct {
|
|
|
|
reader terraform.ResourceReader
|
|
|
|
deserializer deserializer.CTYDeserializer
|
|
|
|
client iamiface.IAMAPI
|
|
|
|
runner *terraform.ParallelResourceReader
|
|
|
|
}
|
|
|
|
|
2021-02-09 13:56:11 +00:00
|
|
|
func NewIamRoleSupplier(provider *AWSTerraformProvider) *IamRoleSupplier {
|
2021-01-20 13:01:57 +00:00
|
|
|
return &IamRoleSupplier{
|
2021-01-22 17:06:17 +00:00
|
|
|
provider,
|
2021-01-20 13:01:57 +00:00
|
|
|
awsdeserializer.NewIamRoleDeserializer(),
|
2021-01-22 17:06:17 +00:00
|
|
|
iam.New(provider.session),
|
|
|
|
terraform.NewParallelResourceReader(provider.Runner().SubRunner()),
|
2021-01-20 13:01:57 +00:00
|
|
|
}
|
2020-12-09 15:31:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func awsIamRoleShouldBeIgnored(roleName string) bool {
|
|
|
|
_, ok := iamRoleExclusionList[roleName]
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s IamRoleSupplier) Resources() ([]resource.Resource, error) {
|
2021-01-20 13:01:57 +00:00
|
|
|
roles, err := listIamRoles(s.client, resourceaws.AwsIamRoleResourceType)
|
2020-12-09 15:31:34 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
results := make([]cty.Value, 0)
|
|
|
|
if len(roles) > 0 {
|
|
|
|
for _, role := range roles {
|
|
|
|
u := *role
|
|
|
|
if u.RoleName != nil && awsIamRoleShouldBeIgnored(*u.RoleName) {
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
s.runner.Run(func() (cty.Value, error) {
|
|
|
|
return s.readRes(&u)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
results, err = s.runner.Wait()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return s.deserializer.Deserialize(results)
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s IamRoleSupplier) readRes(resource *iam.Role) (cty.Value, error) {
|
|
|
|
res, err := s.reader.ReadResource(
|
|
|
|
terraform.ReadResourceArgs{
|
|
|
|
Ty: resourceaws.AwsIamRoleResourceType,
|
|
|
|
ID: *resource.RoleName,
|
|
|
|
},
|
|
|
|
)
|
|
|
|
if err != nil {
|
|
|
|
logrus.Warnf("Error reading iam role %s[%s]: %+v", *resource.RoleName, resourceaws.AwsIamRoleResourceType, err)
|
|
|
|
return cty.NilVal, err
|
|
|
|
}
|
|
|
|
|
|
|
|
return *res, nil
|
|
|
|
}
|
|
|
|
|
2021-01-20 13:01:57 +00:00
|
|
|
func listIamRoles(client iamiface.IAMAPI, supplierType string) ([]*iam.Role, error) {
|
2020-12-09 15:31:34 +00:00
|
|
|
var resources []*iam.Role
|
|
|
|
input := &iam.ListRolesInput{}
|
|
|
|
err := client.ListRolesPages(input, func(res *iam.ListRolesOutput, lastPage bool) bool {
|
|
|
|
resources = append(resources, res.Roles...)
|
|
|
|
return !lastPage
|
|
|
|
})
|
|
|
|
if err != nil {
|
2021-01-20 13:01:57 +00:00
|
|
|
return nil, remoteerror.NewResourceEnumerationErrorWithType(err, supplierType, resourceaws.AwsIamRoleResourceType)
|
2020-12-09 15:31:34 +00:00
|
|
|
}
|
|
|
|
return resources, nil
|
|
|
|
}
|