package iam
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
awsiam "github.com/aws/aws-sdk-go/service/iam"
)
//go:generate faux --interface rolePoliciesClient --output fakes/role_policies_client.go

// rolePoliciesClient is the subset of the IAM API that RolePolicies needs:
// listing the managed policies attached to a role, listing the inline
// policies embedded in it, and removing each kind. The go:generate directive
// above produces a fake implementation for tests.
type rolePoliciesClient interface {
	ListAttachedRolePolicies(*awsiam.ListAttachedRolePoliciesInput) (*awsiam.ListAttachedRolePoliciesOutput, error)
	ListRolePolicies(*awsiam.ListRolePoliciesInput) (*awsiam.ListRolePoliciesOutput, error)
	DetachRolePolicy(*awsiam.DetachRolePolicyInput) (*awsiam.DetachRolePolicyOutput, error)
	DeleteRolePolicy(*awsiam.DeleteRolePolicyInput) (*awsiam.DeleteRolePolicyOutput, error)
}
//go:generate faux --interface rolePolicies --output fakes/role_policies.go

// rolePolicies is the consumer-side view of RolePolicies: something that can
// strip every policy from the IAM role named roleName. RolePolicies satisfies
// it; the go:generate directive above produces a fake for tests.
type rolePolicies interface {
	Delete(roleName string) error
}
// RolePolicies detaches the managed policies and deletes the inline policies
// of an IAM role, using the IAM client it was constructed with and reporting
// each step through its logger.
type RolePolicies struct {
	// client performs the IAM list/detach/delete calls.
	client rolePoliciesClient
	// logger receives one Printf line per policy handled (success or failure).
	logger logger
}
// NewRolePolicies returns a RolePolicies that talks to IAM through client and
// reports progress through logger. Both are stored as given, without
// validation.
func NewRolePolicies(client rolePoliciesClient, logger logger) RolePolicies {
	var rp RolePolicies
	rp.client = client
	rp.logger = logger
	return rp
}
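// Delete strips the IAM role named roleName of all its policies so that the
// role itself can be deleted afterwards: every attached managed policy is
// detached and every inline policy embedded in the role is deleted.
//
// Only a failure to list policies is returned as an error. An individual
// detach or delete failure is logged and skipped so that one bad policy does
// not stop the cleanup of the others; Delete therefore returns nil even when
// some policies could not be removed, and the log is the only record of that.
func (o RolePolicies) Delete(roleName string) error {
	if err := o.detachManagedPolicies(roleName); err != nil {
		return err
	}
	return o.deleteInlinePolicies(roleName)
}

// detachManagedPolicies walks every page of ListAttachedRolePolicies for the
// role and detaches each managed policy it finds. Managed policies are
// detached rather than deleted: a managed policy is a standalone IAM resource
// that may be attached to other roles, and DeleteRolePolicy only removes
// inline policies anyway.
func (o RolePolicies) detachManagedPolicies(roleName string) error {
	input := &awsiam.ListAttachedRolePoliciesInput{RoleName: aws.String(roleName)}
	for {
		page, err := o.client.ListAttachedRolePolicies(input)
		if err != nil {
			return fmt.Errorf("List IAM Attached Role Policies: %s", err)
		}
		for _, p := range page.AttachedPolicies {
			// aws.StringValue tolerates a nil PolicyName instead of panicking.
			n := aws.StringValue(p.PolicyName)
			_, err := o.client.DetachRolePolicy(&awsiam.DetachRolePolicyInput{
				RoleName:  aws.String(roleName),
				PolicyArn: p.PolicyArn,
			})
			if err != nil {
				o.logger.Printf("[IAM Role: %s] Detach policy %s: %s \n", roleName, n, err)
				continue
			}
			o.logger.Printf("[IAM Role: %s] Detached policy %s \n", roleName, n)
		}
		// Stop on the last page, or if the service says "truncated" without
		// handing back a marker (which would otherwise re-fetch page one forever).
		if !aws.BoolValue(page.IsTruncated) || page.Marker == nil {
			return nil
		}
		input.Marker = page.Marker
	}
}

// deleteInlinePolicies walks every page of ListRolePolicies for the role and
// deletes each inline policy embedded in it.
func (o RolePolicies) deleteInlinePolicies(roleName string) error {
	input := &awsiam.ListRolePoliciesInput{RoleName: aws.String(roleName)}
	for {
		page, err := o.client.ListRolePolicies(input)
		if err != nil {
			return fmt.Errorf("List IAM Role Policies: %s", err)
		}
		for _, p := range page.PolicyNames {
			// aws.StringValue tolerates a nil entry instead of panicking.
			n := aws.StringValue(p)
			_, err := o.client.DeleteRolePolicy(&awsiam.DeleteRolePolicyInput{
				RoleName:   aws.String(roleName),
				PolicyName: p,
			})
			if err != nil {
				o.logger.Printf("[IAM Role: %s] Delete policy %s: %s \n", roleName, n, err)
				continue
			}
			o.logger.Printf("[IAM Role: %s] Deleted policy %s \n", roleName, n)
		}
		// Same termination rule as for managed policies: last page, or a
		// truncated response with no marker to continue from.
		if !aws.BoolValue(page.IsTruncated) || page.Marker == nil {
			return nil
		}
		input.Marker = page.Marker
	}
}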