97 lines
3.2 KiB
Go
97 lines
3.2 KiB
Go
package alerts
|
|
|
|
import (
|
|
"fmt"
|
|
|
|
"github.com/cloudskiff/driftctl/pkg/alerter"
|
|
"github.com/cloudskiff/driftctl/pkg/remote/common"
|
|
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
|
|
"github.com/sirupsen/logrus"
|
|
)
|
|
|
|
type ScanningPhase int
|
|
|
|
const (
|
|
EnumerationPhase ScanningPhase = iota
|
|
DetailsFetchingPhase
|
|
)
|
|
|
|
type RemoteAccessDeniedAlert struct {
|
|
message string
|
|
provider string
|
|
scanningPhase ScanningPhase
|
|
}
|
|
|
|
func NewRemoteAccessDeniedAlert(provider string, scanErr *remoteerror.ResourceScanningError, scanningPhase ScanningPhase) *RemoteAccessDeniedAlert {
|
|
var message string
|
|
switch scanningPhase {
|
|
case EnumerationPhase:
|
|
message = fmt.Sprintf(
|
|
"Ignoring %s from drift calculation: Listing %s is forbidden: %s",
|
|
scanErr.Resource(),
|
|
scanErr.ListedTypeError(),
|
|
scanErr.RootCause().Error(),
|
|
)
|
|
case DetailsFetchingPhase:
|
|
message = fmt.Sprintf(
|
|
"Ignoring %s from drift calculation: Reading details of %s is forbidden: %s",
|
|
scanErr.Resource(),
|
|
scanErr.ListedTypeError(),
|
|
scanErr.RootCause().Error(),
|
|
)
|
|
default:
|
|
message = fmt.Sprintf(
|
|
"Ignoring %s from drift calculation: %s",
|
|
scanErr.Resource(),
|
|
scanErr.RootCause().Error(),
|
|
)
|
|
}
|
|
return &RemoteAccessDeniedAlert{message, provider, scanningPhase}
|
|
}
|
|
|
|
func (e *RemoteAccessDeniedAlert) Message() string {
|
|
return e.message
|
|
}
|
|
|
|
func (e *RemoteAccessDeniedAlert) ShouldIgnoreResource() bool {
|
|
return true
|
|
}
|
|
|
|
func (e *RemoteAccessDeniedAlert) GetProviderMessage() string {
|
|
var message string
|
|
if e.scanningPhase == DetailsFetchingPhase {
|
|
message = "It seems that we got access denied exceptions while reading details of resources.\n"
|
|
}
|
|
if e.scanningPhase == EnumerationPhase {
|
|
message = "It seems that we got access denied exceptions while listing resources.\n"
|
|
}
|
|
|
|
switch e.provider {
|
|
case common.RemoteGithubTerraform:
|
|
message += "Please be sure that your Github token has the right permissions, check the last up-to-date documentation there: https://docs.driftctl.com/github/policy"
|
|
case common.RemoteAWSTerraform:
|
|
message += "The latest minimal read-only IAM policy for driftctl is always available here, please update yours: https://docs.driftctl.com/aws/policy"
|
|
case common.RemoteGoogleTerraform:
|
|
message += "Please ensure that you have configured the required roles, please check our documentation at https://docs.driftctl.com/google/policy"
|
|
default:
|
|
return ""
|
|
}
|
|
return message
|
|
}
|
|
|
|
func sendRemoteAccessDeniedAlert(provider string, alerter alerter.AlerterInterface, listError *remoteerror.ResourceScanningError, p ScanningPhase) {
|
|
logrus.WithFields(logrus.Fields{
|
|
"resource": listError.Resource(),
|
|
"listed_type": listError.ListedTypeError(),
|
|
}).Debugf("Got an access denied error: %+v", listError.Error())
|
|
alerter.SendAlert(listError.Resource(), NewRemoteAccessDeniedAlert(provider, listError, p))
|
|
}
|
|
|
|
func SendEnumerationAlert(provider string, alerter alerter.AlerterInterface, listError *remoteerror.ResourceScanningError) {
|
|
sendRemoteAccessDeniedAlert(provider, alerter, listError, EnumerationPhase)
|
|
}
|
|
|
|
func SendDetailsFetchingAlert(provider string, alerter alerter.AlerterInterface, listError *remoteerror.ResourceScanningError) {
|
|
sendRemoteAccessDeniedAlert(provider, alerter, listError, DetailsFetchingPhase)
|
|
}
|