fix: do not ignore default policy attachments
parent
6b6e4d62dd
commit
2c76d30c81
|
@ -36,39 +36,6 @@ func (m AwsDefaults) awsIamRoleDefaults(remoteResources []resource.Resource) []r
|
|||
return resourcesToIgnore
|
||||
}
|
||||
|
||||
func (m AwsDefaults) awsIamPolicyAttachmentDefaults(remoteResources []resource.Resource) []resource.Resource {
|
||||
resourcesToIgnore := make([]resource.Resource, 0)
|
||||
|
||||
for _, remoteResource := range remoteResources {
|
||||
// Ignore all resources other than iam policy attachment
|
||||
if remoteResource.TerraformType() != aws.AwsIamPolicyAttachmentResourceType {
|
||||
continue
|
||||
}
|
||||
|
||||
defaultRolesCount := 0
|
||||
for _, roleId := range *remoteResource.(*aws.AwsIamPolicyAttachment).Roles {
|
||||
var role *aws.AwsIamRole
|
||||
for _, res := range remoteResources {
|
||||
if res.TerraformType() == aws.AwsIamRoleResourceType && res.TerraformId() == roleId {
|
||||
role = res.(*aws.AwsIamRole)
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if match := strings.HasPrefix(*role.Path, defaultIamRolePathPrefix); match {
|
||||
defaultRolesCount++
|
||||
}
|
||||
}
|
||||
|
||||
// Check if all of the policy's roles are default AWS roles
|
||||
if defaultRolesCount == len(*remoteResource.(*aws.AwsIamPolicyAttachment).Roles) {
|
||||
resourcesToIgnore = append(resourcesToIgnore, remoteResource)
|
||||
}
|
||||
}
|
||||
|
||||
return resourcesToIgnore
|
||||
}
|
||||
|
||||
func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resource) []resource.Resource {
|
||||
resourcesToIgnore := make([]resource.Resource, 0)
|
||||
|
||||
|
@ -100,7 +67,6 @@ func (m AwsDefaults) Execute(remoteResources, resourcesFromState *[]resource.Res
|
|||
resourcesToIgnore := make([]resource.Resource, 0)
|
||||
|
||||
resourcesToIgnore = append(resourcesToIgnore, m.awsIamRoleDefaults(*remoteResources)...)
|
||||
resourcesToIgnore = append(resourcesToIgnore, m.awsIamPolicyAttachmentDefaults(*remoteResources)...)
|
||||
resourcesToIgnore = append(resourcesToIgnore, m.awsIamRolePolicyDefaults(*remoteResources)...)
|
||||
|
||||
for _, res := range *remoteResources {
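Review bot: With the `awsIamPolicyAttachmentDefaults` call gone, `Execute` still drops AWS default roles through `awsIamRoleDefaults` on the line above, but an attachment whose only role is such a `/aws-service-role/` role is now reported as drift while the role itself stays hidden, and nothing at the call site says this asymmetry is intended. If it is, a one-line comment would keep the next reader from re-adding the filter: `// Policy attachments are deliberately not filtered: one on an ignored default role must still surface as drift.` The removed helper also dereferenced `role.Path` without checking that the role lookup in remoteResources found anything, so dropping it presumably also removes a nil-pointer panic for attachments whose role was not enumerated — worth stating in the commit description. Execute starts and ends outside this hunk.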
|
||||
|
|
|
@ -107,109 +107,6 @@ func TestAwsDefaults_Execute(t *testing.T) {
|
|||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"test that default iam policy attachment are excluded when not managed by IaC",
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRole{
|
||||
Id: "custom-role",
|
||||
Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
&aws.AwsIamRole{
|
||||
Id: "AWSServiceRoleForSSO",
|
||||
Path: func(p string) *string { return &p }("/aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
|
||||
Roles: &[]string{"custom-role"},
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
|
||||
Roles: &[]string{"AWSServiceRoleForSSO"},
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
|
||||
Roles: &[]string{"AWSServiceRoleForSSO"},
|
||||
},
|
||||
},
|
||||
[]resource.Resource{},
|
||||
diff.Changelog{
|
||||
{
|
||||
Type: diff.DELETE,
|
||||
Path: []string{"0"},
|
||||
From: &aws.AwsIamRole{
|
||||
Id: "custom-role",
|
||||
Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
To: nil,
|
||||
},
|
||||
{
|
||||
Type: diff.DELETE,
|
||||
Path: []string{"1"},
|
||||
From: &aws.AwsIamPolicyAttachment{
|
||||
Id: "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
|
||||
Roles: &[]string{"custom-role"},
|
||||
},
|
||||
To: nil,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"test that default iam policy attachment are excluded when managed by IaC",
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRole{
|
||||
Id: "custom-role",
|
||||
Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
&aws.AwsIamRole{
|
||||
Id: "AWSServiceRoleForSSO",
|
||||
Path: func(p string) *string { return &p }("/aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
|
||||
Roles: &[]string{"custom-role"},
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
|
||||
Roles: &[]string{"AWSServiceRoleForSSO"},
|
||||
},
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
|
||||
Roles: &[]string{"custom-role", "AWSServiceRoleForSSO"},
|
||||
Users: nil,
|
||||
},
|
||||
},
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
|
||||
Roles: &[]string{"AWSServiceRoleForSSO"},
|
||||
Users: &[]string{"test"},
|
||||
},
|
||||
&aws.AwsIamRole{
|
||||
Id: "custom-role",
|
||||
Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
|
||||
},
|
||||
},
|
||||
diff.Changelog{
|
||||
{
|
||||
Type: diff.DELETE,
|
||||
Path: []string{"1"},
|
||||
From: &aws.AwsIamPolicyAttachment{
|
||||
Id: "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
|
||||
Roles: &[]string{"custom-role"},
|
||||
},
|
||||
To: nil,
|
||||
},
|
||||
{
|
||||
Type: diff.DELETE,
|
||||
Path: []string{"2"},
|
||||
From: &aws.AwsIamPolicyAttachment{
|
||||
Id: "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
|
||||
Roles: &[]string{"AWSServiceRoleForSSO", "custom-role"},
|
||||
},
|
||||
To: nil,
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"ignore default iam role policies when they're not managed by IaC",
|
||||
[]resource.Resource{
|
||||
|
|