package cmd
import (
"github.com/ArjenSchwarz/awstools/config"
"github.com/ArjenSchwarz/awstools/helpers"
format "github.com/ArjenSchwarz/go-output"
"github.com/ArjenSchwarz/go-output/drawio"
"github.com/spf13/cobra"
)
// ssoOverviewByAccountCmd is the "sso by-account" subcommand: a per-account
// listing of SSO permission sets and their assignments. Its Run handler is
// ssoOverviewByAccount; the --resource-id flag is registered in init.
var ssoOverviewByAccountCmd = &cobra.Command{
	Use:   "by-account",
	Short: "A basic overview of the SSO Config Permission Sets by account",
	Long: `Provides an overview of all the permission sets and assignments attached to an account,
grouped by account.
You can filter the output to a single account by supplying the --resource-id (-r) flag with the account ID or, if you use a name file, the account alias from the name file.
Verbose mode will add the policies for the permissionsets in the textual output formats drawio output will generate a graph that goes SSO Instance -> Accounts -> Permission Sets -> User/Group You may notice the same permission sets shown multiple times, this is to improve readability not a bug. dot output is currently limited as it shows internal names only
`,
	Run: ssoOverviewByAccount,
}
// init registers by-account under the sso command and binds its
// --resource-id (-r) flag to the package-level ssoresourceid variable,
// which filteredSSOAccount reads at run time.
func init() {
	ssoCmd.AddCommand(ssoOverviewByAccountCmd)
	flags := ssoOverviewByAccountCmd.Flags()
	flags.StringVarP(&ssoresourceid, "resource-id", "r", "", "The account id (or account alias) you want to limit to")
}
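// ssoOverviewByAccount is the Run handler for "sso by-account". It loads the
// SSO instance through the default AWS config, then either renders the
// SSO -> Account -> Permission Set -> Principal graph (draw.io or any format
// that needs from/to columns) or a flat table with one row per assignment,
// and writes the result with the configured output settings.
// cmd and args are unused; the signature is dictated by cobra.
func ssoOverviewByAccount(cmd *cobra.Command, args []string) {
	awsConfig := config.DefaultAwsConfig(*settings)
	ssoInstance := helpers.GetSSOAccountInstance(awsConfig.SsoClient())

	keys := []string{"AccountID", "PermissionSet", "Principal"}
	verbose := settings.IsVerbose()
	if verbose {
		// Policy columns exist only in verbose mode; the row builder below
		// must add exactly these keys.
		keys = append(keys, "ManagedPolicies", "InlinePolicy")
	}
	output := format.OutputArray{Keys: keys, Settings: settings.NewOutputSettings()}
	output.Settings.Title = "SSO Overview per account"
	output.Settings.SortKey = "AccountID"

	switch {
	case settings.IsDrawIO():
		output.Settings.DrawIOHeader = createSSOAccountsDrawIOHeader()
		createSSOAccountDrawIOContents(ssoInstance, &output)
	case output.Settings.NeedsFromToColumns():
		output.Settings.AddFromToColumns("DrawIOID", "Children")
		createSSOAccountDrawIOContents(ssoInstance, &output)
	default:
		addSSOAccountAssignmentRows(ssoInstance, &output, verbose)
	}
	output.Write()
}

// addSSOAccountAssignmentRows appends one table row per (account, assignment)
// pair for every account accepted by filteredSSOAccount. When verbose is true
// the managed policy names and inline policy of the permission set are
// included; those columns must then also be present in output.Keys.
func addSSOAccountAssignmentRows(instance helpers.SSOInstance, output *format.OutputArray, verbose bool) {
	for _, account := range instance.Accounts {
		if !filteredSSOAccount(account) {
			continue
		}
		for _, assignment := range account.AccountAssignments {
			content := map[string]interface{}{
				"AccountID":     getName(account.AccountID),
				"PermissionSet": assignment.PermissionSet.Name,
				"Principal":     getName(assignment.PrincipalID),
			}
			if verbose {
				content["ManagedPolicies"] = assignment.PermissionSet.GetManagedPolicyNames()
				content["InlinePolicy"] = assignment.PermissionSet.InlinePolicy
			}
			output.AddHolder(format.OutputHolder{Contents: content})
		}
	}
}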
// filteredSSOAccount reports whether account passes the --resource-id filter.
// An empty filter matches every account; otherwise the filter must equal the
// raw account ID or the name getName resolves for it. getName is only
// consulted when the cheaper comparisons did not match.
func filteredSSOAccount(account helpers.SSOAccount) bool {
	switch ssoresourceid {
	case "", account.AccountID, getName(account.AccountID):
		return true
	}
	return false
}
// createSSOAccountsDrawIOHeader builds the draw.io header for the per-account
// graph: 78x78 shapes in a horizontal tree layout, with one edge type drawn
// from each node's Children column to the matching DrawIOID.
func createSSOAccountsDrawIOHeader() drawio.Header {
	edge := drawio.NewConnection()
	edge.From = "Children"
	edge.To = "DrawIOID"
	edge.Invert = false

	header := drawio.DefaultHeader()
	header.SetLayout(drawio.LayoutHorizontalTree)
	header.SetHeightAndWidth("78", "78")
	header.AddConnection(edge)
	return header
}
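// createSSOAccountDrawIOContents fills output with the nodes of the
// SSO Instance -> Accounts -> Permission Sets -> User/Group graph and replaces
// output.Keys with the draw.io column set. Accounts rejected by
// filteredSSOAccount are skipped. Permission-set and principal nodes are
// emitted at most once each, keyed by the same id their edges reference.
func createSSOAccountDrawIOContents(instance helpers.SSOInstance, output *format.OutputArray) {
	output.Keys = []string{"Name", "DrawIOID", "Type", "Children", "Image"}

	// Root node: the SSO instance, pointing at every account it contains.
	output.AddHolder(format.OutputHolder{Contents: map[string]interface{}{
		"Name":     getName(instance.Arn),
		"DrawIOID": getName(instance.Arn),
		"Type":     "SSO",
		"Image":    drawio.AWSShape("Security Identity Compliance", "Single Sign-On"),
		"Children": instance.GetAccountList(),
	}})

	// emitted records ids of permission-set and principal nodes already
	// written, so a node shared by several assignments appears once. A set is
	// used instead of a slice scanned with contains(), which was quadratic in
	// the number of assignments.
	emitted := make(map[string]struct{})
	for _, account := range instance.Accounts {
		if !filteredSSOAccount(account) {
			continue
		}
		addSSOAccountDrawIONode(account, output)

		for _, assignment := range account.AccountAssignments {
			// Permission-set node ids are scoped per account so the same
			// permission set can hang under several accounts; this matches the
			// Children list written by addSSOAccountDrawIONode.
			permSetID := assignment.PermissionSet.Name + account.AccountID
			if _, done := emitted[permSetID]; !done {
				emitted[permSetID] = struct{}{}
				output.AddHolder(format.OutputHolder{Contents: map[string]interface{}{
					"Name":     getName(assignment.PermissionSet.Name),
					"DrawIOID": getName(permSetID),
					"Type":     "PermissionSet",
					"Image":    drawio.AWSShape("Security Identity Compliance", "Permissions"),
					"Children": assignment.PermissionSet.GetAssignmentIdsByAccount(account.AccountID),
				}})
			}

			if _, done := emitted[assignment.PrincipalID]; !done {
				emitted[assignment.PrincipalID] = struct{}{}
				principal := map[string]interface{}{
					"Name":     getName(assignment.PrincipalID),
					"DrawIOID": assignment.PrincipalID,
					"Type":     assignment.PrincipalType,
				}
				// Only USER and GROUP have a shape; any other principal type is
				// written without an Image, as before.
				switch assignment.PrincipalType {
				case "USER":
					principal["Image"] = drawio.AWSShape("General Resources", "User")
				case "GROUP":
					principal["Image"] = drawio.AWSShape("General Resources", "Users")
				}
				output.AddHolder(format.OutputHolder{Contents: principal})
			}
		}
	}
}

// addSSOAccountDrawIONode writes the node for one account. Its Children are
// the per-account permission-set ids (permission set name + account id),
// de-duplicated with unique() because several principals may share one
// permission set on the same account.
func addSSOAccountDrawIONode(account helpers.SSOAccount, output *format.OutputArray) {
	children := make([]string, 0, len(account.AccountAssignments))
	for _, assignment := range account.AccountAssignments {
		children = append(children, assignment.PermissionSet.Name+account.AccountID)
	}
	output.AddHolder(format.OutputHolder{Contents: map[string]interface{}{
		"Name":     getName(account.AccountID),
		"DrawIOID": account.AccountID,
		"Type":     "Account",
		"Image":    drawio.AWSShape("Security Identity Compliance", "Organizations Account"),
		"Children": unique(children),
	}})
}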