From e13f4f2597cda655db3e04167cacd0f4dcc5cc66 Mon Sep 17 00:00:00 2001 From: Hossein Rouhani <56231339+HRouhani@users.noreply.github.com> Date: Tue, 5 Mar 2024 04:10:28 +0100 Subject: [PATCH] =?UTF-8?q?=E2=AD=90=EF=B8=8F=20=20Added=20Trust=20relatio?= =?UTF-8?q?nship=20policy=20=20to=20the=20role=20(aws)=20(#3445)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * added support to retrieve IAM-Support for each role Signed-off-by: Hossein Rouhani * added support to retrieve IAM-Support for each role Signed-off-by: Hossein Rouhani --------- Signed-off-by: Hossein Rouhani --- providers/aws/resources/aws.lr | 2 ++ providers/aws/resources/aws.lr.go | 12 +++++++++ providers/aws/resources/aws.lr.manifest.yaml | 1 + providers/aws/resources/aws_iam.go | 27 +++++++++++++------- 4 files changed, 33 insertions(+), 9 deletions(-) diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr index dba983e108..3352f4e38f 100644 --- a/providers/aws/resources/aws.lr +++ b/providers/aws/resources/aws.lr @@ -852,6 +852,8 @@ private aws.iam.role @defaults("arn name") { tags map[string]string // Time when the role was created createDate time + // The policy document that grants an entity permission to assume the role + assumeRolePolicyDocument dict } // AWS IAM group diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go index 15ab8e4710..7874ad57c6 100644 --- a/providers/aws/resources/aws.lr.go +++ b/providers/aws/resources/aws.lr.go 
@@ -1636,6 +1636,9 @@ var getDataFields = map[string]func(r plugin.Resource) *plugin.DataRes{ "aws.iam.role.createDate": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAwsIamRole).GetCreateDate()).ToDataRes(types.Time) }, + "aws.iam.role.assumeRolePolicyDocument": func(r plugin.Resource) *plugin.DataRes { + return (r.(*mqlAwsIamRole).GetAssumeRolePolicyDocument()).ToDataRes(types.Dict) + }, "aws.iam.group.arn": func(r plugin.Resource) *plugin.DataRes { return (r.(*mqlAwsIamGroup).GetArn()).ToDataRes(types.String) }, @@ -5106,6 +5109,10 @@ var setDataFields = map[string]func(r plugin.Resource, v *llx.RawData) bool { r.(*mqlAwsIamRole).CreateDate, ok = plugin.RawToTValue[*time.Time](v.Value, v.Error) return }, + "aws.iam.role.assumeRolePolicyDocument": func(r plugin.Resource, v *llx.RawData) (ok bool) { + r.(*mqlAwsIamRole).AssumeRolePolicyDocument, ok = plugin.RawToTValue[interface{}](v.Value, v.Error) + return + }, "aws.iam.group.__id": func(r plugin.Resource, v *llx.RawData) (ok bool) { r.(*mqlAwsIamGroup).__id, ok = v.Value.(string) return @@ -12501,6 +12508,7 @@ type mqlAwsIamRole struct { Description plugin.TValue[string] Tags plugin.TValue[map[string]interface{}] CreateDate plugin.TValue[*time.Time] + AssumeRolePolicyDocument plugin.TValue[interface{}] } // createAwsIamRole creates a new instance of this resource @@ -12564,6 +12572,10 @@ func (c *mqlAwsIamRole) GetCreateDate() *plugin.TValue[*time.Time] { return &c.CreateDate } +func (c *mqlAwsIamRole) GetAssumeRolePolicyDocument() *plugin.TValue[interface{}] { + return &c.AssumeRolePolicyDocument +} + // mqlAwsIamGroup for the aws.iam.group resource type mqlAwsIamGroup struct { MqlRuntime *plugin.Runtime diff --git a/providers/aws/resources/aws.lr.manifest.yaml b/providers/aws/resources/aws.lr.manifest.yaml index 6228bf4f80..cfd1e5f133 100755 --- a/providers/aws/resources/aws.lr.manifest.yaml +++ b/providers/aws/resources/aws.lr.manifest.yaml 
@@ -1770,6 +1770,7 @@ resources:
         The `aws.iam.role` provides fields for assessing the configuration of individual IAM Roles. For usage, read the `aws.iam` resource documentation.
       fields:
         arn: {}
+        assumeRolePolicyDocument: {}
         createDate: {}
         description: {}
         id: {}
diff --git a/providers/aws/resources/aws_iam.go b/providers/aws/resources/aws_iam.go
index 1a32b3fa68..6eac0578cd 100644
--- a/providers/aws/resources/aws_iam.go
+++ b/providers/aws/resources/aws_iam.go
@@ -421,7 +421,6 @@ func (a *mqlAwsIam) policies() ([]interface{}, error) {
 func (a *mqlAwsIam) roles() ([]interface{}, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
-	svc := conn.Iam("")
 	ctx := context.Background()
@@ -435,17 +434,27 @@ func (a *mqlAwsIam) roles() ([]interface{}, error) {
 			return nil, err
 		}
-		for i := range rolesResp.Roles {
-			role := rolesResp.Roles[i]
+		// Added Trust relationship policy attached to each role
+		for _, role := range rolesResp.Roles {
+			policyOutput, err := svc.GetRole(ctx, &iam.GetRoleInput{RoleName: role.RoleName})
+			var policyDocumentMap map[string]interface{}
+			if err == nil && policyOutput.Role != nil && policyOutput.Role.AssumeRolePolicyDocument != nil {
+				policyDocument := *policyOutput.Role.AssumeRolePolicyDocument
+				decodedPolicyDocument, decodeErr := url.QueryUnescape(policyDocument)
+				if decodeErr == nil {
+					json.Unmarshal([]byte(decodedPolicyDocument), &policyDocumentMap)
+				}
+			}
 			mqlAwsIamRole, err := CreateResource(a.MqlRuntime, "aws.iam.role", map[string]*llx.RawData{
-				"arn":         llx.StringDataPtr(role.Arn),
-				"id":          llx.StringDataPtr(role.RoleId),
-				"name":        llx.StringDataPtr(role.RoleName),
-				"description": llx.StringDataPtr(role.Description),
-				"tags":        llx.MapData(iamTagsToMap(role.Tags), types.String),
-				"createDate":  llx.TimeDataPtr(role.CreateDate),
+				"arn":                      llx.StringDataPtr(role.Arn),
+				"id":                       llx.StringDataPtr(role.RoleId),
+				"name":                     llx.StringDataPtr(role.RoleName),
+				"description":              llx.StringDataPtr(role.Description),
+				"tags":                     llx.MapData(iamTagsToMap(role.Tags), types.String),
+				"createDate":               llx.TimeDataPtr(role.CreateDate),
+				"assumeRolePolicyDocument": llx.MapData(policyDocumentMap, types.Any),
 			})
 			if err != nil {
 				return nil, err
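Review bot: The `GetRole` error is swallowed by the `if err == nil && …` guard, so a role whose trust policy cannot be fetched (for example when the scanning credentials lack `iam:GetRole`) is reported with an empty `assumeRolePolicyDocument` rather than an error, and the `json.Unmarshal` return value is discarded the same way; for a field that checks will use to decide who may assume a role, a silent nil is the misleading outcome, and the rest of `roles()` already returns errors from its IAM calls. Both failures should propagate (or at the very least be logged) as in the fence below. Also, `svc` is used in the new loop while the first hunk removes `svc := conn.Iam("")`; presumably it is declared in the lines between the two hunks, but that is not visible here. The `ListRoles` result (`rolesResp.Roles` is the same `types.Role` as `policyOutput.Role`) carries an `AssumeRolePolicyDocument` field, so if it is populated there the per-role `GetRole` round trip — which turns one API call into N+1 — could be dropped; worth confirming against the SDK docs. `roles()` starts in the previous hunk and ends after this one.
```go
		for _, role := range rolesResp.Roles {
			roleOut, err := svc.GetRole(ctx, &iam.GetRoleInput{RoleName: role.RoleName})
			if err != nil {
				return nil, err
			}
			var policyDocumentMap map[string]interface{}
			if roleOut.Role != nil && roleOut.Role.AssumeRolePolicyDocument != nil {
				decoded, err := url.QueryUnescape(*roleOut.Role.AssumeRolePolicyDocument)
				if err != nil {
					return nil, err
				}
				if err := json.Unmarshal([]byte(decoded), &policyDocumentMap); err != nil {
					return nil, err
				}
			}
			// … unchanged: CreateResource call, with "assumeRolePolicyDocument": llx.MapData(policyDocumentMap, types.Any) …
```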