enrich iam_role_policy for aws_default middleware

main
Martin Guibert 2021-07-22 12:26:05 +02:00
parent 2745d44160
commit bcc56d0b6c
6 changed files with 57 additions and 43 deletions


@ -59,6 +59,11 @@ func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resourc
} }
} }
if role == nil {
logrus.Warnf("Role for %s role policy not found. Is that supposed to happen ?", remoteResource.TerraformId())
continue
}
if match := strings.HasPrefix((*role.Attrs)["path"].(string), defaultIamRolePathPrefix); match { if match := strings.HasPrefix((*role.Attrs)["path"].(string), defaultIamRolePathPrefix); match {
resourcesToIgnore = append(resourcesToIgnore, remoteResource) resourcesToIgnore = append(resourcesToIgnore, remoteResource)
} }
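Review bot: The new nil guard at `if role == nil` leaves the very next line's `(*role.Attrs)["path"].(string)` as an unchecked type assertion, so a role whose attributes carry no `path` (or a non-string one) still panics instead of being skipped with a warning. Since the guard is being introduced here, extend it: `path, ok := (*role.Attrs)["path"].(string)` followed by `if !ok { continue }`, then test `strings.HasPrefix(path, defaultIamRolePathPrefix)`; skipping keeps the policy reported rather than silently ignored, which is the conservative side. The log message also has a stray space before the question mark; `"Role for %s role policy not found. Is that supposed to happen?"` reads cleaner. awsIamRolePolicyDefaults starts before and ends after this hunk.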


@ -1,6 +1,8 @@
package aws package aws
import ( import (
"fmt"
"github.com/cloudskiff/driftctl/pkg/remote/aws/repository" "github.com/cloudskiff/driftctl/pkg/remote/aws/repository"
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error" remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
@ -41,8 +43,10 @@ func (e *IamRolePolicyEnumerator) Enumerate() ([]resource.Resource, error) {
results, results,
e.factory.CreateAbstractResource( e.factory.CreateAbstractResource(
string(e.SupportedType()), string(e.SupportedType()),
policy, fmt.Sprintf("%s:%s", policy.RoleName, policy.Policy),
map[string]interface{}{}, map[string]interface{}{
"role": policy.RoleName,
},
), ),
) )
} }
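Review bot: The id built at `fmt.Sprintf("%s:%s", policy.RoleName, policy.Policy)` encodes a format that nothing in this hunk documents; it presumably has to match the `aws_iam_role_policy` id Terraform stores (`<role>:<policy>`), and the same `"%s:%s"` pattern was just removed from the repository, so a reader cannot tell whether the two are meant to agree. Add a comment above the call such as `// Id must match the Terraform aws_iam_role_policy id format "<role name>:<policy name>".`, or give RolePolicy an `ID()` method so the format lives in one place. The `"role"` attribute key added here is, as far as this hunk shows, a bare string literal that some consumer outside the hunk must spell identically; a shared constant would keep the two sides from drifting silently. Enumerate starts before and ends after this hunk.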


@ -16,7 +16,7 @@ type IAMRepository interface {
ListAllPolicies() ([]*iam.Policy, error) ListAllPolicies() ([]*iam.Policy, error)
ListAllRoles() ([]*iam.Role, error) ListAllRoles() ([]*iam.Role, error)
ListAllRolePolicyAttachments([]*iam.Role) ([]*AttachedRolePolicy, error) ListAllRolePolicyAttachments([]*iam.Role) ([]*AttachedRolePolicy, error)
ListAllRolePolicies([]*iam.Role) ([]string, error) ListAllRolePolicies([]*iam.Role) ([]RolePolicy, error)
ListAllUserPolicyAttachments([]*iam.User) ([]*AttachedUserPolicy, error) ListAllUserPolicyAttachments([]*iam.User) ([]*AttachedUserPolicy, error)
ListAllUserPolicies([]*iam.User) ([]string, error) ListAllUserPolicies([]*iam.User) ([]string, error)
} }
@ -154,22 +154,22 @@ func (r *iamRepository) ListAllRolePolicyAttachments(roles []*iam.Role) ([]*Atta
return resources, nil return resources, nil
} }
func (r *iamRepository) ListAllRolePolicies(roles []*iam.Role) ([]string, error) { func (r *iamRepository) ListAllRolePolicies(roles []*iam.Role) ([]RolePolicy, error) {
var resources []string var resources []RolePolicy
for _, role := range roles { for _, role := range roles {
cacheKey := fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName) cacheKey := fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName)
if v := r.cache.Get(cacheKey); v != nil { if v := r.cache.Get(cacheKey); v != nil {
resources = append(resources, v.([]string)...) resources = append(resources, v.([]RolePolicy)...)
continue continue
} }
roleResources := make([]string, 0) roleResources := make([]RolePolicy, 0)
input := &iam.ListRolePoliciesInput{ input := &iam.ListRolePoliciesInput{
RoleName: role.RoleName, RoleName: role.RoleName,
} }
err := r.client.ListRolePoliciesPages(input, func(res *iam.ListRolePoliciesOutput, lastPage bool) bool { err := r.client.ListRolePoliciesPages(input, func(res *iam.ListRolePoliciesOutput, lastPage bool) bool {
for _, policy := range res.PolicyNames { for _, policy := range res.PolicyNames {
roleResources = append(roleResources, fmt.Sprintf("%s:%s", *input.RoleName, *policy)) roleResources = append(roleResources, RolePolicy{*policy, *input.RoleName})
} }
return !lastPage return !lastPage
}) })
@ -257,3 +257,8 @@ type AttachedRolePolicy struct {
iam.AttachedPolicy iam.AttachedPolicy
RoleName string RoleName string
} }
type RolePolicy struct {
Policy string
RoleName string
}
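Review bot: `RolePolicy{*policy, *input.RoleName}` in ListAllRolePolicies is an unkeyed composite literal, so it silently depends on the field order of the new `RolePolicy` struct (Policy before RoleName) and would swap role and policy names if the fields were ever reordered, while the tests in this commit use keyed literals, so the two styles already disagree. Prefer `RolePolicy{Policy: *policy, RoleName: *input.RoleName}`. The exported `RolePolicy` type added at the end of the file also lacks a doc comment; `// RolePolicy identifies an inline policy attached to an IAM role by role name and policy name.` would satisfy the convention. Note that the cache now stores `[]RolePolicy` under the unchanged key `iamListAllRolePolicies_role_%s`, so any entry written by the previous `[]string` version would make `v.([]RolePolicy)` panic; harmless if the cache is per-run in-memory, which this hunk does not show.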


@ -412,17 +412,17 @@ func Test_IAMRepository_ListAllRolePolicyAttachments(t *testing.T) {
return false return false
} }
callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy"),
PolicyName: aws.String("policy"), PolicyName: aws.String("policy"),
}, },
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy2"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy2"),
PolicyName: aws.String("policy2"), PolicyName: aws.String("policy2"),
}, },
}}, false) }}, false)
callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy3"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy3"),
PolicyName: aws.String("policy3"), PolicyName: aws.String("policy3"),
}, },
@ -440,17 +440,17 @@ func Test_IAMRepository_ListAllRolePolicyAttachments(t *testing.T) {
return false return false
} }
callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy"),
PolicyName: aws.String("policy"), PolicyName: aws.String("policy"),
}, },
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy2"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy2"),
PolicyName: aws.String("policy2"), PolicyName: aws.String("policy2"),
}, },
}}, false) }}, false)
callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy3"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test-policy3"),
PolicyName: aws.String("policy3"), PolicyName: aws.String("policy3"),
}, },
@ -544,7 +544,7 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
name string name string
roles []*iam.Role roles []*iam.Role
mocks func(client *awstest.MockFakeIAM) mocks func(client *awstest.MockFakeIAM)
want []string want []RolePolicy
wantErr error wantErr error
}{ }{
{ {
@ -600,13 +600,13 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
return true return true
})).Once().Return(nil) })).Once().Return(nil)
}, },
want: []string{ want: []RolePolicy{
*aws.String("test_role_0:policy-role0-0"), {Policy: "policy-role0-0", RoleName: "test_role_0"},
*aws.String("test_role_0:policy-role0-1"), {Policy: "policy-role0-1", RoleName: "test_role_0"},
*aws.String("test_role_0:policy-role0-2"), {Policy: "policy-role0-2", RoleName: "test_role_0"},
*aws.String("test_role_1:policy-role1-0"), {Policy: "policy-role1-0", RoleName: "test_role_1"},
*aws.String("test_role_1:policy-role1-1"), {Policy: "policy-role1-1", RoleName: "test_role_1"},
*aws.String("test_role_1:policy-role1-2"), {Policy: "policy-role1-2", RoleName: "test_role_1"},
}, },
}, },
} }
@ -628,7 +628,7 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Equal(t, got, cachedData) assert.Equal(t, got, cachedData)
for _, role := range tt.roles { for _, role := range tt.roles {
assert.IsType(t, []string{}, store.Get(fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName))) assert.IsType(t, []RolePolicy{}, store.Get(fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName)))
} }
} }
@ -670,17 +670,17 @@ func Test_IAMRepository_ListAllUserPolicyAttachments(t *testing.T) {
}, },
mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool { mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool {
callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test"),
PolicyName: aws.String("test-attach"), PolicyName: aws.String("test-attach"),
}, },
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test2"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test2"),
PolicyName: aws.String("test-attach2"), PolicyName: aws.String("test-attach2"),
}, },
}}, false) }}, false)
callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test3"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test3"),
PolicyName: aws.String("test-attach3"), PolicyName: aws.String("test-attach3"),
}, },
@ -694,17 +694,17 @@ func Test_IAMRepository_ListAllUserPolicyAttachments(t *testing.T) {
}, },
mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool { mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool {
callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test"),
PolicyName: aws.String("test-attach"), PolicyName: aws.String("test-attach"),
}, },
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test2"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test2"),
PolicyName: aws.String("test-attach2"), PolicyName: aws.String("test-attach2"),
}, },
}}, false) }}, false)
callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{ callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
&iam.AttachedPolicy{ {
PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test3"), PolicyArn: aws.String("arn:aws:iam::526954929923:policy/test3"),
PolicyName: aws.String("test-attach3"), PolicyName: aws.String("test-attach3"),
}, },


@ -1,4 +1,4 @@
// Code generated by mockery v1.0.0. DO NOT EDIT. // Code generated by mockery v0.0.0-dev. DO NOT EDIT.
package repository package repository
@ -7,7 +7,7 @@ import (
mock "github.com/stretchr/testify/mock" mock "github.com/stretchr/testify/mock"
) )
// MockIAMRepository is an autogenerated mock type for the MockIAMRepository type // MockIAMRepository is an autogenerated mock type for the IAMRepository type
type MockIAMRepository struct { type MockIAMRepository struct {
mock.Mock mock.Mock
} }
@ -59,15 +59,15 @@ func (_m *MockIAMRepository) ListAllPolicies() ([]*iam.Policy, error) {
} }
// ListAllRolePolicies provides a mock function with given fields: _a0 // ListAllRolePolicies provides a mock function with given fields: _a0
func (_m *MockIAMRepository) ListAllRolePolicies(_a0 []*iam.Role) ([]string, error) { func (_m *MockIAMRepository) ListAllRolePolicies(_a0 []*iam.Role) ([]RolePolicy, error) {
ret := _m.Called(_a0) ret := _m.Called(_a0)
var r0 []string var r0 []RolePolicy
if rf, ok := ret.Get(0).(func([]*iam.Role) []string); ok { if rf, ok := ret.Get(0).(func([]*iam.Role) []RolePolicy); ok {
r0 = rf(_a0) r0 = rf(_a0)
} else { } else {
if ret.Get(0) != nil { if ret.Get(0) != nil {
r0 = ret.Get(0).([]string) r0 = ret.Get(0).([]RolePolicy)
} }
} }


@ -982,7 +982,7 @@ func TestIamRolePolicy(t *testing.T) {
}, },
} }
repo.On("ListAllRoles").Return(roles, nil) repo.On("ListAllRoles").Return(roles, nil)
repo.On("ListAllRolePolicies", roles).Return([]string{}, nil) repo.On("ListAllRolePolicies", roles).Return([]repository.RolePolicy{}, nil)
}, },
wantErr: nil, wantErr: nil,
}, },
@ -999,13 +999,13 @@ func TestIamRolePolicy(t *testing.T) {
}, },
} }
repo.On("ListAllRoles").Return(roles, nil) repo.On("ListAllRoles").Return(roles, nil)
repo.On("ListAllRolePolicies", roles).Return([]string{ repo.On("ListAllRolePolicies", roles).Return([]repository.RolePolicy{
*aws.String("test_role_0:policy-role0-0"), {Policy: "policy-role0-0", RoleName: "test_role_0"},
*aws.String("test_role_0:policy-role0-1"), {Policy: "policy-role0-1", RoleName: "test_role_0"},
*aws.String("test_role_0:policy-role0-2"), {Policy: "policy-role0-2", RoleName: "test_role_0"},
*aws.String("test_role_1:policy-role1-0"), {Policy: "policy-role1-0", RoleName: "test_role_1"},
*aws.String("test_role_1:policy-role1-1"), {Policy: "policy-role1-1", RoleName: "test_role_1"},
*aws.String("test_role_1:policy-role1-2"), {Policy: "policy-role1-2", RoleName: "test_role_1"},
}, nil).Once() }, nil).Once()
}, },
wantErr: nil, wantErr: nil,