forked from crossplane-contrib/provider-aws
/
iam.go
249 lines (209 loc) · 7.42 KB
/
iam.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
package iam
import (
"fmt"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/aws/arn"
"github.com/aws/aws-sdk-go-v2/aws/awserr"
"github.com/aws/aws-sdk-go-v2/service/iam"
"github.com/aws/aws-sdk-go-v2/service/iam/iamiface"
)
const (
policyArn = "arn:aws:iam::%s:policy/%s"
)
// Client defines IAM Client operations
// mockery -case snake -name Client -output fake -outpkg fake
type Client interface {
CreateUser(username string) (*iam.AccessKey, error)
DeleteUser(username string) error
CreatePolicyAndAttach(username string, policyName string, policyDocument string) (string, error)
GetPolicyVersion(policyName string) (string, error)
UpdatePolicy(policyName string, policyDocument string) (string, error)
DeletePolicyAndDetach(username string, policyName string) error
}
type iamClient struct {
accountID *string
iam iamiface.IAMAPI
}
// NewClient creates new AWS Client with provided AWS Configurations/Credentials
func NewClient(config *aws.Config) Client {
return &iamClient{iam: iam.New(*config)}
}
// CreateUser - Creates an IAM User, a policy, binds user to policy and returns an access key and policy version for the user.
func (c *iamClient) CreateUser(username string) (*iam.AccessKey, error) {
err := c.createUser(username)
if err != nil {
return nil, fmt.Errorf("failed to create user, %s", err)
}
key, err := c.createAccessKey(username)
if err != nil {
return nil, fmt.Errorf("failed to create access key, %s", err)
}
return key, err
}
// CreatePolicyAndAttach - Creates the IAM policy and attaches it to the username
func (c *iamClient) CreatePolicyAndAttach(username string, policyName string, policyDocument string) (string, error) {
currentVersion, err := c.createPolicy(username, policyDocument)
if err != nil {
return "", fmt.Errorf("failed to create policy, %s", err)
}
err = c.attachPolicyToUser(username, username)
if err != nil {
return "", fmt.Errorf("failed to attach policy, %s", err)
}
return currentVersion, nil
}
// GetPolicyVersion get the policy document for the IAM user
func (c *iamClient) GetPolicyVersion(username string) (string, error) {
policyARN, err := c.getPolicyARN(username)
if err != nil {
return "", err
}
policyResponse, err := c.iam.GetPolicyRequest(&iam.GetPolicyInput{
PolicyArn: aws.String(policyARN),
}).Send()
if err != nil {
return "", err
}
return aws.StringValue(policyResponse.Policy.DefaultVersionId), nil
}
// UpdatePolicy - updates the policy document for the IAM user and return current policy version
func (c *iamClient) UpdatePolicy(policyName string, policyDocument string) (string, error) {
policyARN, err := c.getPolicyARN(policyName)
if err != nil {
return "", err
}
// Create a new policy version
policyVersionResponse, err := c.iam.CreatePolicyVersionRequest(&iam.CreatePolicyVersionInput{PolicyArn: aws.String(policyARN), PolicyDocument: aws.String(policyDocument), SetAsDefault: aws.Bool(true)}).Send()
if err != nil {
return "", err
}
currentPolicyVersion := policyVersionResponse.PolicyVersion.VersionId
// Delete old versions of policy - Max 5 allowed
policyVersions, err := c.iam.ListPolicyVersionsRequest(&iam.ListPolicyVersionsInput{PolicyArn: aws.String(policyARN)}).Send()
if err != nil {
return "", err
}
for _, policy := range policyVersions.Versions {
if aws.StringValue(policy.VersionId) != aws.StringValue(currentPolicyVersion) {
_, err := c.iam.DeletePolicyVersionRequest(&iam.DeletePolicyVersionInput{PolicyArn: aws.String(policyARN), VersionId: policy.VersionId}).Send()
if err != nil {
return "", err
}
}
}
return aws.StringValue(currentPolicyVersion), nil
}
// DeletePolicyAndDetach delete the policy of PolicyName and detach it from the username provided
func (c *iamClient) DeletePolicyAndDetach(username string, policyName string) error {
policyARN, err := c.getPolicyARN(username)
if err != nil {
return err
}
_, err = c.iam.DetachUserPolicyRequest(&iam.DetachUserPolicyInput{PolicyArn: aws.String(policyARN), UserName: aws.String(username)}).Send()
if err != nil && !IsErrorNotFound(err) {
return err
}
_, err = c.iam.DeletePolicyRequest(&iam.DeletePolicyInput{PolicyArn: aws.String(policyARN)}).Send()
if err != nil && !IsErrorNotFound(err) {
return err
}
return nil
}
// DeleteUser Policy and IAM User
func (c *iamClient) DeleteUser(username string) error {
keys, err := c.iam.ListAccessKeysRequest(&iam.ListAccessKeysInput{UserName: aws.String(username)}).Send()
if err != nil {
return err
}
for _, key := range keys.AccessKeyMetadata {
_, err = c.iam.DeleteAccessKeyRequest(&iam.DeleteAccessKeyInput{AccessKeyId: key.AccessKeyId, UserName: aws.String(username)}).Send()
if err != nil {
return err
}
}
_, err = c.iam.DeleteUserRequest(&iam.DeleteUserInput{UserName: aws.String(username)}).Send()
if err != nil && !IsErrorNotFound(err) {
return err
}
return nil
}
// getAccountID - Gets the accountID of the authenticated session.
func (c *iamClient) getAccountID() (string, error) {
if c.accountID == nil {
user, err := c.iam.GetUserRequest(&iam.GetUserInput{}).Send()
if err != nil {
return "", err
}
arnData, err := arn.Parse(*user.User.Arn)
if err != nil {
return "", err
}
c.accountID = &arnData.AccountID
}
return aws.StringValue(c.accountID), nil
}
func (c *iamClient) getPolicyARN(policyName string) (string, error) {
accountID, err := c.getAccountID()
if err != nil {
return "", err
}
policyARN := fmt.Sprintf(policyArn, accountID, policyName)
return policyARN, nil
}
func (c *iamClient) createUser(username string) error {
_, err := c.iam.CreateUserRequest(&iam.CreateUserInput{UserName: aws.String(username)}).Send()
if err != nil && isErrorAlreadyExists(err) {
return nil
}
return err
}
func (c *iamClient) createAccessKey(username string) (*iam.AccessKey, error) {
keysResponse, err := c.iam.CreateAccessKeyRequest(&iam.CreateAccessKeyInput{UserName: aws.String(username)}).Send()
if err != nil {
return nil, err
}
return keysResponse.AccessKey, nil
}
func (c *iamClient) createPolicy(policyName string, policyDocument string) (string, error) {
response, err := c.iam.CreatePolicyRequest(&iam.CreatePolicyInput{PolicyName: aws.String(policyName), PolicyDocument: aws.String(policyDocument)}).Send()
if err != nil {
if isErrorAlreadyExists(err) {
return c.UpdatePolicy(policyName, policyDocument)
}
return "", err
}
return aws.StringValue(response.Policy.DefaultVersionId), nil
}
func (c *iamClient) attachPolicyToUser(policyName string, username string) error {
policyArn, err := c.getPolicyARN(policyName)
if err != nil {
return err
}
_, err = c.iam.AttachUserPolicyRequest(&iam.AttachUserPolicyInput{PolicyArn: aws.String(policyArn), UserName: aws.String(username)}).Send()
return err
}
func isErrorAlreadyExists(err error) bool {
if iamErr, ok := err.(awserr.Error); ok && iamErr.Code() == iam.ErrCodeEntityAlreadyExistsException {
return true
}
return false
}
// IsErrorNotFound returns true if the error code indicates that the item was not found
func IsErrorNotFound(err error) bool {
if iamErr, ok := err.(awserr.Error); ok && iamErr.Code() == iam.ErrCodeNoSuchEntityException {
return true
}
return false
}
// PolicyDocument is the structure of IAM policy document
type PolicyDocument struct {
Version string
Statement []StatementEntry
}
// StatementEntry is used to define permission statements in a PolicyDocument
type StatementEntry struct {
Sid string
Effect string
Action []string
Resource []string
}