Handle inline and attached user policies

jckuester · May 23, 2020 · c2a1f14 · c2a1f14
1 parent 5fa436a
commit c2a1f14
Show file tree

Hide file tree

Showing 6 changed files with 102 additions and 77 deletions.
diff --git a/command/wipe.go b/command/wipe.go
@@ -3,9 +3,14 @@ package command
 import (
 	"encoding/json"
 	"fmt"
+	"os"
 	"sort"
 	"strings"
 
+	"github.com/aws/aws-sdk-go/service/iam"
+	"github.com/fatih/color"
+	"github.com/zclconf/go-cty/cty"
+
 	"github.com/apex/log"
 	"github.com/cloudetc/awsweeper/resource"
 	awsls "github.com/jckuester/awsls/aws"
@@ -52,6 +57,18 @@ func List(filter *resource.Filter, client *resource.AWS, awsClient *awsls.Client
 			filteredRes := filter.Apply(rType, resourcesWithStates, nil, client)
 			print(filteredRes, outputType)
 
+			switch rType {
+			case "aws_iam_user":
+				policyAttachments := getAttachedUserPolicies(filteredRes, client, provider)
+				print(policyAttachments, outputType)
+
+				inlinePolicies := getInlineUserPolicies(filteredRes, client, provider)
+				print(inlinePolicies, outputType)
+
+				filteredRes = append(filteredRes, policyAttachments...)
+				filteredRes = append(filteredRes, inlinePolicies...)
+			}
+
 			for _, r := range filteredRes {
 				destroyableRes = append(destroyableRes, r.Resource)
 			}
@@ -61,6 +78,78 @@ func List(filter *resource.Filter, client *resource.AWS, awsClient *awsls.Client
 	return destroyableRes
 }
 
+func getAttachedUserPolicies(users []awsls.Resource, client *resource.AWS,
+	provider *provider.TerraformProvider) []awsls.Resource {
+	var result []awsls.Resource
+
+	for _, user := range users {
+		attachedPolicies, err := client.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
+			UserName: &user.ID,
+		})
+		if err != nil {
+			fmt.Fprint(os.Stderr, color.RedString("Error: %s\n", err))
+			continue
+		}
+
+		for _, attachedPolicy := range attachedPolicies.AttachedPolicies {
+			r := awsls.Resource{
+				Type: "aws_iam_user_policy_attachment",
+				ID:   *attachedPolicy.PolicyArn,
+			}
+
+			r.Resource = terradozerRes.New(r.Type, r.ID, map[string]cty.Value{
+				"user":       cty.StringVal(user.ID),
+				"policy_arn": cty.StringVal(*attachedPolicy.PolicyArn),
+			}, provider)
+
+			err = r.UpdateState()
+			if err != nil {
+				fmt.Fprint(os.Stderr, color.RedString("Error: %s\n", err))
+				continue
+			}
+
+			result = append(result, r)
+		}
+	}
+
+	return result
+}
+
+func getInlineUserPolicies(users []awsls.Resource, client *resource.AWS,
+	provider *provider.TerraformProvider) []awsls.Resource {
+	var result []awsls.Resource
+
+	for _, user := range users {
+		inlinePolicies, err := client.ListUserPolicies(&iam.ListUserPoliciesInput{
+			UserName: &user.ID,
+		})
+		if err != nil {
+			fmt.Fprint(os.Stderr, color.RedString("Error: %s\n", err))
+			continue
+		}
+
+		for _, inlinePolicy := range inlinePolicies.PolicyNames {
+			r := awsls.Resource{
+				Type: "aws_iam_user_policy",
+				ID:   user.ID + ":" + *inlinePolicy,
+			}
+
+			r.Resource = terradozerRes.New(r.Type, r.ID, nil, provider)
+
+			err = r.UpdateState()
+			if err != nil {
+				fmt.Fprint(os.Stderr, color.RedString("Error: %s\n", err))
+				continue
+			}
+
+			result = append(result, r)
+		}
+
+	}
+
+	return result
+}
+
 func print(res []awsls.Resource, outputType string) {
 	if len(res) == 0 {
 		return

diff --git a/go.mod b/go.mod
@@ -9,8 +9,8 @@ require (
 	github.com/golang/mock v1.4.0
 	github.com/gruntwork-io/terratest v0.24.2
 	github.com/hashicorp/terraform v0.12.24
-	github.com/jckuester/awsls v0.0.0-20200516153042-96ea638daeb5
-	github.com/jckuester/terradozer v0.0.0-20200505071321-36ef87ab4394
+	github.com/jckuester/awsls v0.0.0-20200523105025-fe25c60a9fba
+	github.com/jckuester/terradozer v0.0.0-20200522202131-ed33ac929141
 	github.com/onsi/gomega v1.9.0
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.5.1

diff --git a/go.sum b/go.sum
@@ -107,6 +107,8 @@ github.com/aws/aws-sdk-go v1.30.5 h1:i+sSesaMrSxiUt3NJddOApe2mXK+VNBgfcmRTvNFrXM
 github.com/aws/aws-sdk-go v1.30.5/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0=
 github.com/aws/aws-sdk-go-v2 v0.20.0 h1:/yefUjgMrda9PNFwWctBU63nL10CJMdBwkAmaQ4w4Hs=
 github.com/aws/aws-sdk-go-v2 v0.20.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw=
+github.com/aws/aws-sdk-go-v2 v0.22.0 h1:mlixfS5HVzn7Sf3KVhjAIM2H3bB7uoTbLCtKHvteUfE=
+github.com/aws/aws-sdk-go-v2 v0.22.0/go.mod h1:2LhT7UgHOXK3UXONKI5OMgIyoQL6zTAw/jwIeX6yqzw=
 github.com/aybabtme/rgbterm v0.0.0-20170906152045-cc83f3b3ce59/go.mod h1:q/89r3U2H7sSsE2t6Kca0lfwTK8JdoNGS/yzM/4iH5I=
 github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -347,8 +349,12 @@ github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/jckuester/awsls v0.0.0-20200516153042-96ea638daeb5 h1:V8YuMycWi094/mWHmVIqbcFVH7L5o8LrgJgAi56yIA8=
 github.com/jckuester/awsls v0.0.0-20200516153042-96ea638daeb5/go.mod h1:6dqF/j6Ar6b10DmHSV0CRYgKP2jwN8VUsHoFT3szFfA=
+github.com/jckuester/awsls v0.0.0-20200523105025-fe25c60a9fba h1:fbk5OV5nnwtkElugQcUTur/B0M4NceHTp4Mr0qAbJvA=
+github.com/jckuester/awsls v0.0.0-20200523105025-fe25c60a9fba/go.mod h1:6dqF/j6Ar6b10DmHSV0CRYgKP2jwN8VUsHoFT3szFfA=
 github.com/jckuester/terradozer v0.0.0-20200505071321-36ef87ab4394 h1:7LmuH4Cm81Qsi0trqbnOmZ75xemFDhmzin0OoNL7aM4=
 github.com/jckuester/terradozer v0.0.0-20200505071321-36ef87ab4394/go.mod h1:KYrRcPbIiXgcRp7hG9fOBdAyvDnUx2aA9cjTqvKa4cI=
+github.com/jckuester/terradozer v0.0.0-20200522202131-ed33ac929141 h1:BowqT+JEJsqjPRWcTH7EOEEJuJlhKoh80MKZouM3pkE=
+github.com/jckuester/terradozer v0.0.0-20200522202131-ed33ac929141/go.mod h1:fc32wbKuGQHf17dmggX1O51swhUUEr344xb173I6mSA=
 github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=

diff --git a/resource/select.go b/resource/select.go
@@ -35,9 +35,7 @@ func (f Filter) Apply(resType string, res []awsls.Resource, raw interface{}, aws
 	switch resType {
 	case EfsFileSystem:
 		return f.efsFileSystemFilter(res, raw, aws)
-	case IamUser:
-		return f.iamUserFilter(res, aws)
-	case IamPolicy:
+	case "aws_iam_policy":
 		return f.iamPolicyFilter(res, raw, aws)
 	case KmsKey:
 		return f.kmsKeysFilter(res, aws)
@@ -120,49 +118,6 @@ func (f Filter) efsFileSystemFilter(res []awsls.Resource, raw interface{}, c *AW
 	return result
 }
 
-func (f Filter) iamUserFilter(res []awsls.Resource, c *AWS) []awsls.Resource {
-	var result []awsls.Resource
-
-	for _, r := range res {
-		if f.Match(r) {
-			// list inline policies, delete with "aws_iam_user_policy" delete routine
-			ups, err := c.ListUserPolicies(&iam.ListUserPoliciesInput{
-				UserName: &r.ID,
-			})
-			if err == nil {
-				for _, up := range ups.PolicyNames {
-					result = append(result, awsls.Resource{
-						Type: "aws_iam_user_policy",
-						ID:   r.ID + ":" + *up,
-					})
-				}
-			}
-
-			// Lists all managed policies that are attached  to user (inline and others)
-			upols, err := c.ListAttachedUserPolicies(&iam.ListAttachedUserPoliciesInput{
-				UserName: &r.ID,
-			})
-			if err == nil {
-				for _, upol := range upols.AttachedPolicies {
-					result = append(result, awsls.Resource{
-						Type: "aws_iam_user_policy_attachment",
-						ID:   *upol.PolicyArn,
-						/*
-							Attrs: map[string]string{
-								"user":       r.ID,
-								"policy_arn": *upol.PolicyArn,
-							},
-						*/
-					})
-				}
-			}
-
-			result = append(result, r)
-		}
-	}
-	return result
-}
-
 func (f Filter) iamPolicyFilter(res []awsls.Resource, raw interface{}, c *AWS) []awsls.Resource {
 	var result []awsls.Resource
 

diff --git a/resource/supported.go b/resource/supported.go
@@ -44,8 +44,6 @@ const (
 	EbsSnapshot      = "aws_ebs_snapshot"
 	EcsCluster       = "aws_ecs_cluster"
 	EfsFileSystem    = "aws_efs_file_system"
-	IamPolicy        = "aws_iam_policy"
-	IamUser          = "aws_iam_user"
 	Instance         = "aws_instance"
 	KmsAlias         = "aws_kms_alias"
 	KmsKey           = "aws_kms_key"
@@ -60,8 +58,6 @@ var (
 		// Note: to import a cluster, the name is used as ID
 		EcsCluster:    "ClusterArn",
 		EfsFileSystem: "FileSystemId",
-		IamPolicy:     "Arn",
-		IamUser:       "UserName",
 		Instance:      "InstanceId",
 		KmsAlias:      "AliasName",
 		KmsKey:        "KeyId",
@@ -93,9 +89,9 @@ var (
 		"aws_network_acl":          9840,
 		"aws_vpc":                  9830,
 		"aws_db_instance":          9825,
-		IamPolicy:                  9820,
+		"aws_iam_policy":           9820,
 		"aws_iam_group":            9810,
-		IamUser:                    9800,
+		"aws_iam_user":             9800,
 		"aws_iam_role":             9790,
 		"aws_iam_instance_profile": 9780,
 		"aws_s3_bucket":            9750,
@@ -195,10 +191,6 @@ func (a *AWS) RawResources(resType string) (interface{}, error) {
 		return a.ecsClusters()
 	case EfsFileSystem:
 		return a.efsFileSystems()
-	case IamPolicy:
-		return a.iamPolicies()
-	case IamUser:
-		return a.iamUsers()
 	case Instance:
 		return a.instances()
 	case KmsAlias:
@@ -280,22 +272,6 @@ func (a *AWS) efsFileSystems() (interface{}, error) {
 	return output.FileSystems, nil
 }
 
-func (a *AWS) iamPolicies() (interface{}, error) {
-	output, err := a.ListPolicies(&iam.ListPoliciesInput{})
-	if err != nil {
-		return nil, err
-	}
-	return output.Policies, nil
-}
-
-func (a *AWS) iamUsers() (interface{}, error) {
-	output, err := a.ListUsers(&iam.ListUsersInput{})
-	if err != nil {
-		return nil, err
-	}
-	return output.Users, nil
-}
-
 func (a *AWS) KmsAliases() (interface{}, error) {
 	output, err := a.KMSAPI.ListAliases(&kms.ListAliasesInput{})
 	if err != nil {

diff --git a/test/iam_user_test.go b/test/iam_user_test.go
@@ -12,7 +12,6 @@ import (
 	"github.com/stretchr/testify/require"
 
 	"github.com/aws/aws-sdk-go/aws/awserr"
-	res "github.com/cloudetc/awsweeper/resource"
 )
 
 func TestAcc_IamUser_DeleteByID(t *testing.T) {
@@ -33,7 +32,7 @@ func TestAcc_IamUser_DeleteByID(t *testing.T) {
 	id := terraform.Output(t, terraformOptions, "id")
 	assertIamUserExists(t, env, id)
 
-	writeConfigID(t, terraformDir, res.IamUser, id)
+	writeConfigID(t, terraformDir, "aws_iam_user", id)
 	defer os.Remove(terraformDir + "/config.yml")
 
 	logBuffer, err := runBinary(t, terraformDir, "YES\n")
@@ -62,7 +61,7 @@ func TestAcc_IamUser_DeleteByTag(t *testing.T) {
 	id := terraform.Output(t, terraformOptions, "id")
 	assertIamUserExists(t, env, id)
 
-	writeConfigTag(t, terraformDir, res.IamUser)
+	writeConfigTag(t, terraformDir, "aws_iam_user")
 	defer os.Remove(terraformDir + "/config.yml")
 
 	logBuffer, err := runBinary(t, terraformDir, "YES\n")