fix: do not ignore default policy attachments

pkg/middlewares/aws_defaults.go

@@ -36,39 +36,6 @@ func (m AwsDefaults) awsIamRoleDefaults(remoteResources []resource.Resource) []r
 	return resourcesToIgnore
 }
 
-func (m AwsDefaults) awsIamPolicyAttachmentDefaults(remoteResources []resource.Resource) []resource.Resource {
-	resourcesToIgnore := make([]resource.Resource, 0)
-
-	for _, remoteResource := range remoteResources {
-		// Ignore all resources other than iam policy attachment
-		if remoteResource.TerraformType() != aws.AwsIamPolicyAttachmentResourceType {
-			continue
-		}
-
-		defaultRolesCount := 0
-		for _, roleId := range *remoteResource.(*aws.AwsIamPolicyAttachment).Roles {
-			var role *aws.AwsIamRole
-			for _, res := range remoteResources {
-				if res.TerraformType() == aws.AwsIamRoleResourceType && res.TerraformId() == roleId {
-					role = res.(*aws.AwsIamRole)
-					break
-				}
-			}
-
-			if match := strings.HasPrefix(*role.Path, defaultIamRolePathPrefix); match {
-				defaultRolesCount++
-			}
-		}
-
-		// Check if all of the policy's roles are default AWS roles
-		if defaultRolesCount == len(*remoteResource.(*aws.AwsIamPolicyAttachment).Roles) {
-			resourcesToIgnore = append(resourcesToIgnore, remoteResource)
-		}
-	}
-
-	return resourcesToIgnore
-}
-
 func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resource) []resource.Resource {
 	resourcesToIgnore := make([]resource.Resource, 0)
 
@@ -100,7 +67,6 @@ func (m AwsDefaults) Execute(remoteResources, resourcesFromState *[]resource.Res
 	resourcesToIgnore := make([]resource.Resource, 0)
 
 	resourcesToIgnore = append(resourcesToIgnore, m.awsIamRoleDefaults(*remoteResources)...)
-	resourcesToIgnore = append(resourcesToIgnore, m.awsIamPolicyAttachmentDefaults(*remoteResources)...)
 	resourcesToIgnore = append(resourcesToIgnore, m.awsIamRolePolicyDefaults(*remoteResources)...)
 
 	for _, res := range *remoteResources {

pkg/middlewares/aws_defaults_test.go

@@ -107,109 +107,6 @@ func TestAwsDefaults_Execute(t *testing.T) {
 				},
 			},
 		},
-		{
-			"test that default iam policy attachment are excluded when not managed by IaC",
-			[]resource.Resource{
-				&aws.AwsIamRole{
-					Id:   "custom-role",
-					Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
-				},
-				&aws.AwsIamRole{
-					Id:   "AWSServiceRoleForSSO",
-					Path: func(p string) *string { return &p }("/aws-service-role/sso.amazonaws.com"),
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
-					Roles: &[]string{"custom-role"},
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
-					Roles: &[]string{"AWSServiceRoleForSSO"},
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
-					Roles: &[]string{"AWSServiceRoleForSSO"},
-				},
-			},
-			[]resource.Resource{},
-			diff.Changelog{
-				{
-					Type: diff.DELETE,
-					Path: []string{"0"},
-					From: &aws.AwsIamRole{
-						Id:   "custom-role",
-						Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
-					},
-					To: nil,
-				},
-				{
-					Type: diff.DELETE,
-					Path: []string{"1"},
-					From: &aws.AwsIamPolicyAttachment{
-						Id:    "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
-						Roles: &[]string{"custom-role"},
-					},
-					To: nil,
-				},
-			},
-		},
-		{
-			"test that default iam policy attachment are excluded when managed by IaC",
-			[]resource.Resource{
-				&aws.AwsIamRole{
-					Id:   "custom-role",
-					Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
-				},
-				&aws.AwsIamRole{
-					Id:   "AWSServiceRoleForSSO",
-					Path: func(p string) *string { return &p }("/aws-service-role/sso.amazonaws.com"),
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
-					Roles: &[]string{"custom-role"},
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
-					Roles: &[]string{"AWSServiceRoleForSSO"},
-				},
-				&aws.AwsIamPolicyAttachment{
-					Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
-					Roles: &[]string{"custom-role", "AWSServiceRoleForSSO"},
-					Users: nil,
-				},
-			},
-			[]resource.Resource{
-				&aws.AwsIamPolicyAttachment{
-					Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/AWSSSOServiceRolePolicy",
-					Roles: &[]string{"AWSServiceRoleForSSO"},
-					Users: &[]string{"test"},
-				},
-				&aws.AwsIamRole{
-					Id:   "custom-role",
-					Path: func(p string) *string { return &p }("/not-aws-service-role/sso.amazonaws.com"),
-				},
-			},
-			diff.Changelog{
-				{
-					Type: diff.DELETE,
-					Path: []string{"1"},
-					From: &aws.AwsIamPolicyAttachment{
-						Id:    "driftctl_test-arn:aws:iam::0123456789:policy/driftctl",
-						Roles: &[]string{"custom-role"},
-					},
-					To: nil,
-				},
-				{
-					Type: diff.DELETE,
-					Path: []string{"2"},
-					From: &aws.AwsIamPolicyAttachment{
-						Id:    "AWSServiceRoleForSSO-arn:aws:iam::aws:policy/aws-service-role/whatever",
-						Roles: &[]string{"AWSServiceRoleForSSO", "custom-role"},
-					},
-					To: nil,
-				},
-			},
-		},
 		{
 			"ignore default iam role policies when they're not managed by IaC",
 			[]resource.Resource{