
     1  package iam
     2  
     3  import (
     4  	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
     5  	"github.com/khulnasoft-lab/defsec/pkg/terraform"
     6  )
     7  
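// adaptGroups builds the IAM group model for every aws_iam_group declared in
// modules, together with the inline policies (aws_iam_group_policy) and
// attached policies (aws_iam_group_policy_attachment) that target each group.
//
// Groups are first collected by mapGroups, which also attaches every policy
// whose "group" attribute is a plain string equal to the group name and
// records those policy block IDs in policyMap. The loops below handle the
// remaining policy resources, i.e. those whose "group" attribute is a
// reference to a group block that must be resolved via GetReferencedBlock.
//
// Policy resources that cannot be resolved or parsed are dropped without an
// error, so a returned group may be missing a policy the user declared.
// Consumers must not treat an absent policy as proof that none is attached.
// The result is built from a map, so its order is not deterministic.
func adaptGroups(modules terraform.Modules) []iam.Group {

	groupMap, policyMap := mapGroups(modules)

	// Inline policies: the policy document lives on the aws_iam_group_policy
	// block itself, so that block is what gets parsed.
	for _, policyBlock := range modules.GetResourcesByType("aws_iam_group_policy") {
		if _, ok := policyMap[policyBlock.ID()]; ok {
			continue // already attached by mapGroups
		}
		groupAttr := policyBlock.GetAttribute("group")
		if groupAttr.IsNil() {
			continue
		}
		groupBlock, err := modules.GetReferencedBlock(groupAttr, policyBlock)
		if err != nil {
			continue
		}
		attachGroupPolicy(groupMap, groupBlock, policyBlock, modules)
	}

	// Attached policies: policy_arn must reference a policy block present in
	// the same set of modules; that referenced block is what gets parsed.
	for _, attachBlock := range modules.GetResourcesByType("aws_iam_group_policy_attachment") {
		if _, ok := policyMap[attachBlock.ID()]; ok {
			continue // already attached by mapGroups
		}
		groupAttr := attachBlock.GetAttribute("group")
		if groupAttr.IsNil() {
			continue
		}
		groupBlock, err := modules.GetReferencedBlock(groupAttr, attachBlock)
		if err != nil {
			continue
		}
		policyAttr := attachBlock.GetAttribute("policy_arn")
		if policyAttr.IsNil() {
			continue
		}
		// NOTE(review): a policy_arn given as a literal ARN rather than a
		// reference presumably resolves no block here and is skipped, so such
		// attachments (e.g. managed policies) would not appear in the model.
		policyBlock, err := modules.GetReferencedBlock(policyAttr, attachBlock)
		if err != nil {
			continue
		}
		attachGroupPolicy(groupMap, groupBlock, policyBlock, modules)
	}

	var output []iam.Group
	for _, group := range groupMap {
		output = append(output, group)
	}
	return output
}

// attachGroupPolicy parses the policy held by policyBlock and appends it to
// the group for groupBlock in groupMap, creating a bare group entry when the
// group has not been recorded yet (the group block was only reached through
// a reference). A policy that fails to parse leaves groupMap untouched.
func attachGroupPolicy(groupMap map[string]iam.Group, groupBlock, policyBlock *terraform.Block, modules terraform.Modules) {
	policy, err := parsePolicy(policyBlock, modules)
	if err != nil {
		return
	}
	group, ok := groupMap[groupBlock.ID()]
	if !ok {
		group = iam.Group{
			Metadata: groupBlock.GetMetadata(),
			Name:     groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
			Users:    nil,
			Policies: nil,
		}
	}
	group.Policies = append(group.Policies, policy)
	// iam.Group is stored by value, so the updated copy must be written back.
	groupMap[groupBlock.ID()] = group
}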
    84  
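// mapGroups builds the initial group model, keyed by the aws_iam_group block
// ID. For each group it scans the aws_iam_group_policy and
// aws_iam_group_policy_attachment resources from the same provider whose
// "group" attribute is a plain string equal to the group's name, parses the
// policy and appends it to the group. The second return value holds the IDs
// of the policy and attachment blocks consumed here, so that adaptGroups
// does not attach them a second time.
//
// Policy blocks that fail to resolve or parse are skipped silently: the
// group is still returned, just without that policy.
func mapGroups(modules terraform.Modules) (map[string]iam.Group, map[string]struct{}) {
	groupMap := make(map[string]iam.Group)
	policyMap := make(map[string]struct{})

	// The resource lookups do not depend on the group, so perform them once
	// instead of once per group.
	inlinePolicies := modules.GetResourcesByType("aws_iam_group_policy")
	attachments := modules.GetResourcesByType("aws_iam_group_policy_attachment")

	for _, groupBlock := range modules.GetResourcesByType("aws_iam_group") {
		group := iam.Group{
			Metadata: groupBlock.GetMetadata(),
			Name:     groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
			Users:    nil,
			Policies: nil,
		}

		// Inline policies referring to the group by name.
		for _, block := range inlinePolicies {
			if !sameProvider(groupBlock, block) {
				continue
			}
			groupAttr := block.GetAttribute("group")
			if !groupAttr.IsString() || !groupAttr.Equals(group.Name.Value()) {
				continue
			}
			policy, err := parsePolicy(block, modules)
			if err != nil {
				continue
			}
			group.Policies = append(group.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		// Attachments referring to the group by name; the policy document is
		// on the block that policy_arn references.
		for _, block := range attachments {
			if !sameProvider(groupBlock, block) {
				continue
			}
			groupAttr := block.GetAttribute("group")
			if !groupAttr.IsString() || !groupAttr.Equals(group.Name.Value()) {
				continue
			}
			policyAttr := block.GetAttribute("policy_arn")
			if policyAttr.IsNil() {
				// Same guard adaptGroups applies before resolving the reference.
				continue
			}
			policyBlock, err := modules.GetReferencedBlock(policyAttr, block)
			if err != nil {
				continue
			}
			policy, err := parsePolicy(policyBlock, modules)
			if err != nil {
				continue
			}
			group.Policies = append(group.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		groupMap[groupBlock.ID()] = group
	}
	return groupMap, policyMap
}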