driftctl/pkg/middlewares/google_default_iam_member.go

71 lines
2.1 KiB
Go

package middlewares
import (
"fmt"
"strings"
"github.com/sirupsen/logrus"
"github.com/snyk/driftctl/pkg/resource"
"github.com/snyk/driftctl/pkg/resource/google"
)
// Some service accounts are created by default when activating APIs, this middleware will filter them unless they are managed.
type GoogleDefaultIAMMember struct{}
func NewGoogleDefaultIAMMember() *GoogleDefaultIAMMember {
return &GoogleDefaultIAMMember{}
}
func (m *GoogleDefaultIAMMember) Execute(remoteResources, resourcesFromState *[]*resource.Resource) error {
newRemoteResources := make([]*resource.Resource, 0)
for _, remoteResource := range *remoteResources {
// Ignore all resources other than BucketIamBinding
if remoteResource.ResourceType() != google.GoogleProjectIamMemberResourceType {
newRemoteResources = append(newRemoteResources, remoteResource)
continue
}
// Ignore all non service account member
if memberName := remoteResource.Attrs.GetString("member"); memberName != nil && !strings.HasPrefix(*memberName, "serviceAccount:") {
newRemoteResources = append(newRemoteResources, remoteResource)
continue
}
// Ignore all service accounts that have project host
memberName := *remoteResource.Attrs.GetString("member")
projectName := *remoteResource.Attrs.GetString("project")
if strings.HasSuffix(memberName, fmt.Sprintf("%s.iam.gserviceaccount.com", projectName)) {
newRemoteResources = append(newRemoteResources, remoteResource)
continue
}
// Check if member is managed by IaC
existInState := false
for _, stateResource := range *resourcesFromState {
if remoteResource.Equal(stateResource) {
existInState = true
break
}
}
// Include resource if it's managed by IaC
if existInState {
newRemoteResources = append(newRemoteResources, remoteResource)
continue
}
// Else, resource is not added to newRemoteResources slice, so it will be ignored
logrus.WithFields(logrus.Fields{
"id": remoteResource.ResourceId(),
"type": remoteResource.ResourceType(),
}).Debug("Ignoring default service account membership as it is not managed by IaC")
}
*remoteResources = newRemoteResources
return nil
}