fix(organizations): request Organization Info after assume_role occurs #2682

Merged
merged 4 commits into from
Aug 7, 2023

jchrisfarris
Contributor

Context

Fix issue where the use of -R and -O leads to the wrong information being populated in the OrganizationsInfo data.

Description

When called with -R, current_audit_info.audited_account is not set until after the audited_account's assume role credentials are fetched and validated. Moving this block of code means Prowler will fetch the right info from the Organizational Management Account.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
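
The ordering problem described above, as an added example that is not part of this pull request or of Prowler's code base. The function names and the `FakeAWS` stand-in are hypothetical; it assumes the -O role is assumed from the launching credentials and that, in the pre-fix order, the account ID still belongs to those credentials.

```python
# Added example: names are hypothetical, not Prowler's. FakeAWS is a constructed
# stand-in exposing the boto3 STS/Organizations methods used here.
class FakeAWS:
    NAMES = {"111111111111": "launcher", "222222222222": "audited",
             "999999999999": "management"}  # constructed sample accounts

    def __init__(self, account_id):
        self.account_id = account_id

    def get_caller_identity(self):
        return {"Account": self.account_id}

    def assume_role(self, RoleArn, RoleSessionName):
        # Real STS returns temporary keys; the fake records the target account.
        return {"Credentials": {"fake_account": RoleArn.split(":")[4]}}

    def describe_account(self, AccountId):
        return {"Account": {"Id": AccountId, "Name": self.NAMES[AccountId]}}


def fake_client(creds):
    return FakeAWS(creds["fake_account"])


def assume(client, role_arn, client_from):
    resp = client.assume_role(RoleArn=role_arn, RoleSessionName="org-info-example")
    return client_from(resp["Credentials"])


def org_info(base, audit_role, org_role, client_from, lookup_before_assume=False):
    """Organizations record for the audited account, via the -O role."""
    org = assume(base, org_role, client_from)
    if lookup_before_assume:
        # Pre-fix order: the account ID still belongs to the launching credentials.
        account_id = base.get_caller_identity()["Account"]
        assume(base, audit_role, client_from)
    else:
        # Post-fix order: assume the -R role, then read the account ID from it.
        audited = assume(base, audit_role, client_from)
        account_id = audited.get_caller_identity()["Account"]
    return org.describe_account(AccountId=account_id)["Account"]


def matches_role(info, audit_role):
    """Sanity check for scan output: record must be for the -R role's account."""
    return info["Id"] == audit_role.split(":")[4]
```

`matches_role` is the check to run against a report produced with both -R and -O: the organization record's account ID should equal the account in the -R role ARN.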

@jchrisfarris jchrisfarris requested a review from a team as a code owner August 7, 2023 12:20
@sergargar sergargar self-assigned this Aug 7, 2023
@sergargar sergargar changed the title Request Organization Info _after_ assume_role occurs fix(organizations): request Organization Info _after_ assume_role occurs Aug 7, 2023
@sergargar
Member

Good catch @jchrisfarris !! Thank you for this fix 🚀

@jfagoagas
Member

I can't reproduce it, @sergargar could you check it?

@sergargar
Member

> I can't reproduce it, @sergargar could you check it?

Yes, I'm on it

@jchrisfarris
Contributor Author

@sergargar This is how I'm calling it

prowler aws -M csv json json-asff html  -b -z -S \
        --excluded-services route53 cloudwatch  \
        -e $EXCLUDE_CHECKS \
        -f $REGIONS \
        --log-file prowler-logs-${ACCOUNT_ID}-${TODAY}.log \
        -F prowler-${ACCOUNT_ID}-${TODAY} --log-level ERROR \
        -R arn:aws:iam::$ACCOUNT_ID:role/$ROLENAME \
        -O arn:aws:iam::$PAYER_ID:role/$ROLENAME \
        -D ${OUTPUT_BUCKET} -o prowler-output 

@sergargar
Member

sergargar commented Aug 7, 2023

I could reproduce it, now Prowler correctly retrieves the organizations info from the -R account and not from the original one.

Member

@sergargar sergargar left a comment

🔝 🔝 🔝

@sergargar sergargar changed the title fix(organizations): request Organization Info _after_ assume_role occurs fix(organizations): request Organization Info after assume_role occurs Aug 7, 2023
@sergargar sergargar merged commit c1caf67 into prowler-cloud:master Aug 7, 2023
4 checks passed
3 participants