feat: implement aws_iam_role_policy_defaults middleware
sundowndev
parent
4371dec865
commit
2ca48d4e65
|
|
@ -53,6 +53,7 @@ func (d DriftCTL) Run() (*analyser.Analysis, error) {
|
|||
middlewares.NewAwsSqsQueuePolicyExpander(d.resourceFactory),
|
||||
middlewares.NewAwsDefaultSqsQueuePolicy(),
|
||||
middlewares.NewAwsSNSTopicPolicyExpander(d.resourceFactory),
|
||||
middlewares.NewAwsDefaultIamRolePolicy(),
|
||||
)
|
||||
|
||||
logrus.Debug("Ready to run middlewares")
|
||||
|
|
|
|||
|
|
@ -0,0 +1,51 @@
|
|||
package middlewares
|
||||
|
||||
import (
|
||||
"github.com/cloudskiff/driftctl/pkg/resource"
|
||||
"github.com/cloudskiff/driftctl/pkg/resource/aws"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// Default subnet should not be shown as unmanaged as they are present by default
|
||||
// This middleware ignores default subnet from unmanaged resources if they are not managed by IaC
|
||||
type AwsDefaultIamRolePolicy struct{}
|
||||
|
||||
func NewAwsDefaultIamRolePolicy() AwsDefaultIamRolePolicy {
|
||||
return AwsDefaultIamRolePolicy{}
|
||||
}
|
||||
|
||||
func (m AwsDefaultIamRolePolicy) Execute(remoteResources, resourcesFromState *[]resource.Resource) error {
|
||||
|
||||
newRemoteResources := make([]resource.Resource, 0)
|
||||
|
||||
for _, remoteResource := range *remoteResources {
|
||||
existInState := false
|
||||
|
||||
// Ignore all resources other than default Subnet
|
||||
if remoteResource.TerraformType() != aws.AwsIamRolePolicyResourceType {
|
||||
newRemoteResources = append(newRemoteResources, remoteResource)
|
||||
continue
|
||||
}
|
||||
|
||||
for _, stateResource := range *resourcesFromState {
|
||||
if resource.IsSameResource(remoteResource, stateResource) {
|
||||
existInState = true
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if existInState {
|
||||
newRemoteResources = append(newRemoteResources, remoteResource)
|
||||
} else {
|
||||
logrus.WithFields(logrus.Fields{
|
||||
"id": remoteResource.TerraformId(),
|
||||
"type": remoteResource.TerraformType(),
|
||||
}).Debug("Ignoring default IAM policies as it is not managed by IaC")
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
*remoteResources = newRemoteResources
|
||||
|
||||
return nil
|
||||
}
|
||||
|
|
@ -0,0 +1,100 @@
|
|||
package middlewares
|
||||
|
||||
import (
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
awssdk "github.com/aws/aws-sdk-go/aws"
|
||||
"github.com/aws/aws-sdk-go/aws/awsutil"
|
||||
"github.com/cloudskiff/driftctl/pkg/resource"
|
||||
"github.com/cloudskiff/driftctl/pkg/resource/aws"
|
||||
"github.com/r3labs/diff/v2"
|
||||
)
|
||||
|
||||
func TestAwsDefaultIamRolePolicy_Execute(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
remoteResources []resource.Resource
|
||||
resourcesFromState []resource.Resource
|
||||
expected []resource.Resource
|
||||
}{
|
||||
{
|
||||
"default iam role policies when they're not ignored when managed by IaC",
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRolePolicy{
|
||||
Id: "OrganizationAccountAccessRole:AdministratorAccess",
|
||||
},
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
[]resource.Resource{
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
[]resource.Resource{
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
},
|
||||
{
|
||||
"default iam role policies when they're not ignored when managed by IaC",
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRolePolicy{
|
||||
Id: "OrganizationAccountAccessRole:AdministratorAccess",
|
||||
},
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRolePolicy{
|
||||
Id: "OrganizationAccountAccessRole:AdministratorAccess",
|
||||
},
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
[]resource.Resource{
|
||||
&aws.AwsIamRolePolicy{
|
||||
Id: "OrganizationAccountAccessRole:AdministratorAccess",
|
||||
},
|
||||
&aws.AwsRoute{
|
||||
Id: "dummy-route",
|
||||
RouteTableId: awssdk.String("default-route-table"),
|
||||
GatewayId: awssdk.String("local"),
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
m := NewAwsDefaultIamRolePolicy()
|
||||
err := m.Execute(&tt.remoteResources, &tt.resourcesFromState)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
changelog, err := diff.Diff(tt.expected, tt.remoteResources)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if len(changelog) > 0 {
|
||||
for _, change := range changelog {
|
||||
t.Errorf("%s got = %v, want %v", strings.Join(change.Path, "."), awsutil.Prettify(change.From), awsutil.Prettify(change.To))
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
Loading…
Reference in New Issue