enrich iam_role_policy for aws_default middleware

snyk · Jul 22, 2021 · bcc56d0 · bcc56d0
1 parent 2745d44
commit bcc56d0
Show file tree

Hide file tree

Showing 6 changed files with 57 additions and 43 deletions.
diff --git a/pkg/middlewares/aws_defaults.go b/pkg/middlewares/aws_defaults.go
@@ -59,6 +59,11 @@ func (m AwsDefaults) awsIamRolePolicyDefaults(remoteResources []resource.Resourc
 			}
 		}
 
+		if role == nil {
+			logrus.Warnf("Role for %s role policy not found. Is that supposed to happen ?", remoteResource.TerraformId())
+			continue
+		}
+
 		if match := strings.HasPrefix((*role.Attrs)["path"].(string), defaultIamRolePathPrefix); match {
 			resourcesToIgnore = append(resourcesToIgnore, remoteResource)
 		}

diff --git a/pkg/remote/aws/iam_role_policy_enumerator.go b/pkg/remote/aws/iam_role_policy_enumerator.go
@@ -1,6 +1,8 @@
 package aws
 
 import (
+	"fmt"
+
 	"github.com/cloudskiff/driftctl/pkg/remote/aws/repository"
 	remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
 
@@ -41,8 +43,10 @@ func (e *IamRolePolicyEnumerator) Enumerate() ([]resource.Resource, error) {
 			results,
 			e.factory.CreateAbstractResource(
 				string(e.SupportedType()),
-				policy,
-				map[string]interface{}{},
+				fmt.Sprintf("%s:%s", policy.RoleName, policy.Policy),
+				map[string]interface{}{
+					"role": policy.RoleName,
+				},
 			),
 		)
 	}

diff --git a/pkg/remote/aws/repository/iam_repository.go b/pkg/remote/aws/repository/iam_repository.go
@@ -16,7 +16,7 @@ type IAMRepository interface {
 	ListAllPolicies() ([]*iam.Policy, error)
 	ListAllRoles() ([]*iam.Role, error)
 	ListAllRolePolicyAttachments([]*iam.Role) ([]*AttachedRolePolicy, error)
-	ListAllRolePolicies([]*iam.Role) ([]string, error)
+	ListAllRolePolicies([]*iam.Role) ([]RolePolicy, error)
 	ListAllUserPolicyAttachments([]*iam.User) ([]*AttachedUserPolicy, error)
 	ListAllUserPolicies([]*iam.User) ([]string, error)
 }
@@ -154,22 +154,22 @@ func (r *iamRepository) ListAllRolePolicyAttachments(roles []*iam.Role) ([]*Atta
 	return resources, nil
 }
 
-func (r *iamRepository) ListAllRolePolicies(roles []*iam.Role) ([]string, error) {
-	var resources []string
+func (r *iamRepository) ListAllRolePolicies(roles []*iam.Role) ([]RolePolicy, error) {
+	var resources []RolePolicy
 	for _, role := range roles {
 		cacheKey := fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName)
 		if v := r.cache.Get(cacheKey); v != nil {
-			resources = append(resources, v.([]string)...)
+			resources = append(resources, v.([]RolePolicy)...)
 			continue
 		}
 
-		roleResources := make([]string, 0)
+		roleResources := make([]RolePolicy, 0)
 		input := &iam.ListRolePoliciesInput{
 			RoleName: role.RoleName,
 		}
 		err := r.client.ListRolePoliciesPages(input, func(res *iam.ListRolePoliciesOutput, lastPage bool) bool {
 			for _, policy := range res.PolicyNames {
-				roleResources = append(roleResources, fmt.Sprintf("%s:%s", *input.RoleName, *policy))
+				roleResources = append(roleResources, RolePolicy{*policy, *input.RoleName})
 			}
 			return !lastPage
 		})
@@ -257,3 +257,8 @@ type AttachedRolePolicy struct {
 	iam.AttachedPolicy
 	RoleName string
 }
+
+type RolePolicy struct {
+	Policy   string
+	RoleName string
+}
diff --git a/pkg/remote/aws/repository/iam_repository_test.go b/pkg/remote/aws/repository/iam_repository_test.go
@@ -412,17 +412,17 @@ func Test_IAMRepository_ListAllRolePolicyAttachments(t *testing.T) {
 							return false
 						}
 						callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy"),
 								PolicyName: aws.String("policy"),
 							},
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy2"),
 								PolicyName: aws.String("policy2"),
 							},
 						}}, false)
 						callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy3"),
 								PolicyName: aws.String("policy3"),
 							},
@@ -440,17 +440,17 @@ func Test_IAMRepository_ListAllRolePolicyAttachments(t *testing.T) {
 							return false
 						}
 						callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy"),
 								PolicyName: aws.String("policy"),
 							},
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy2"),
 								PolicyName: aws.String("policy2"),
 							},
 						}}, false)
 						callback(&iam.ListAttachedRolePoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test-policy3"),
 								PolicyName: aws.String("policy3"),
 							},
@@ -544,7 +544,7 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
 		name    string
 		roles   []*iam.Role
 		mocks   func(client *awstest.MockFakeIAM)
-		want    []string
+		want    []RolePolicy
 		wantErr error
 	}{
 		{
@@ -600,13 +600,13 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
 						return true
 					})).Once().Return(nil)
 			},
-			want: []string{
-				*aws.String("test_role_0:policy-role0-0"),
-				*aws.String("test_role_0:policy-role0-1"),
-				*aws.String("test_role_0:policy-role0-2"),
-				*aws.String("test_role_1:policy-role1-0"),
-				*aws.String("test_role_1:policy-role1-1"),
-				*aws.String("test_role_1:policy-role1-2"),
+			want: []RolePolicy{
+				{Policy: "policy-role0-0", RoleName: "test_role_0"},
+				{Policy: "policy-role0-1", RoleName: "test_role_0"},
+				{Policy: "policy-role0-2", RoleName: "test_role_0"},
+				{Policy: "policy-role1-0", RoleName: "test_role_1"},
+				{Policy: "policy-role1-1", RoleName: "test_role_1"},
+				{Policy: "policy-role1-2", RoleName: "test_role_1"},
 			},
 		},
 	}
@@ -628,7 +628,7 @@ func Test_IAMRepository_ListAllRolePolicies(t *testing.T) {
 				assert.NoError(t, err)
 				assert.Equal(t, got, cachedData)
 				for _, role := range tt.roles {
-					assert.IsType(t, []string{}, store.Get(fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName)))
+					assert.IsType(t, []RolePolicy{}, store.Get(fmt.Sprintf("iamListAllRolePolicies_role_%s", *role.RoleName)))
 				}
 			}
 
@@ -670,17 +670,17 @@ func Test_IAMRepository_ListAllUserPolicyAttachments(t *testing.T) {
 					},
 					mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool {
 						callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test"),
 								PolicyName: aws.String("test-attach"),
 							},
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test2"),
 								PolicyName: aws.String("test-attach2"),
 							},
 						}}, false)
 						callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test3"),
 								PolicyName: aws.String("test-attach3"),
 							},
@@ -694,17 +694,17 @@ func Test_IAMRepository_ListAllUserPolicyAttachments(t *testing.T) {
 					},
 					mock.MatchedBy(func(callback func(res *iam.ListAttachedUserPoliciesOutput, lastPage bool) bool) bool {
 						callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test"),
 								PolicyName: aws.String("test-attach"),
 							},
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test2"),
 								PolicyName: aws.String("test-attach2"),
 							},
 						}}, false)
 						callback(&iam.ListAttachedUserPoliciesOutput{AttachedPolicies: []*iam.AttachedPolicy{
-							&iam.AttachedPolicy{
+							{
 								PolicyArn:  aws.String("arn:aws:iam::526954929923:policy/test3"),
 								PolicyName: aws.String("test-attach3"),
 							},

diff --git a/pkg/remote/aws/repository/mock_IAMRepository.go b/pkg/remote/aws/repository/mock_IAMRepository.go
diff --git a/pkg/remote/iam_scanner_test.go b/pkg/remote/iam_scanner_test.go
@@ -982,7 +982,7 @@ func TestIamRolePolicy(t *testing.T) {
 					},
 				}
 				repo.On("ListAllRoles").Return(roles, nil)
-				repo.On("ListAllRolePolicies", roles).Return([]string{}, nil)
+				repo.On("ListAllRolePolicies", roles).Return([]repository.RolePolicy{}, nil)
 			},
 			wantErr: nil,
 		},
@@ -999,13 +999,13 @@ func TestIamRolePolicy(t *testing.T) {
 					},
 				}
 				repo.On("ListAllRoles").Return(roles, nil)
-				repo.On("ListAllRolePolicies", roles).Return([]string{
-					*aws.String("test_role_0:policy-role0-0"),
-					*aws.String("test_role_0:policy-role0-1"),
-					*aws.String("test_role_0:policy-role0-2"),
-					*aws.String("test_role_1:policy-role1-0"),
-					*aws.String("test_role_1:policy-role1-1"),
-					*aws.String("test_role_1:policy-role1-2"),
+				repo.On("ListAllRolePolicies", roles).Return([]repository.RolePolicy{
+					{Policy: "policy-role0-0", RoleName: "test_role_0"},
+					{Policy: "policy-role0-1", RoleName: "test_role_0"},
+					{Policy: "policy-role0-2", RoleName: "test_role_0"},
+					{Policy: "policy-role1-0", RoleName: "test_role_1"},
+					{Policy: "policy-role1-1", RoleName: "test_role_1"},
+					{Policy: "policy-role1-2", RoleName: "test_role_1"},
 				}, nil).Once()
 			},
 			wantErr: nil,