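package iam

import (
	"sort"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
)

// adaptGroups builds the IAM groups declared in the given Terraform modules,
// attaching every inline policy (aws_iam_group_policy) and managed policy
// attachment (aws_iam_group_policy_attachment) that can be tied to a group.
//
// Policy blocks that select their group by literal name are consumed by
// mapGroups; the remaining blocks are resolved here through a block reference
// on their "group" attribute. A policy whose group or policy block cannot be
// resolved, or whose document fails to parse, is skipped silently. For a
// scanner that is fail-open: a dropped policy is never evaluated, so an empty
// Policies list must not be read as "this group grants nothing".
//
// The result is ordered by group block ID so output is deterministic across
// runs; it is nil when no group was found.
func adaptGroups(modules terraform.Modules) []iam.Group {

	groupMap, policyMap := mapGroups(modules)

	for _, policyBlock := range modules.GetResourcesByType("aws_iam_group_policy") {
		// Already attached by name in mapGroups; do not attach it twice.
		if _, ok := policyMap[policyBlock.ID()]; ok {
			continue
		}
		groupAttr := policyBlock.GetAttribute("group")
		if groupAttr.IsNil() {
			continue
		}
		groupBlock, err := modules.GetReferencedBlock(groupAttr, policyBlock)
		if err != nil {
			continue
		}
		policy, err := parsePolicy(policyBlock, modules)
		if err != nil {
			continue
		}
		attachPolicy(groupMap, groupBlock, policy)
	}

	for _, attachBlock := range modules.GetResourcesByType("aws_iam_group_policy_attachment") {
		if _, ok := policyMap[attachBlock.ID()]; ok {
			continue
		}
		groupAttr := attachBlock.GetAttribute("group")
		if groupAttr.IsNil() {
			continue
		}
		groupBlock, err := modules.GetReferencedBlock(groupAttr, attachBlock)
		if err != nil {
			continue
		}
		policyAttr := attachBlock.GetAttribute("policy_arn")
		if policyAttr.IsNil() {
			continue
		}
		policyBlock, err := modules.GetReferencedBlock(policyAttr, attachBlock)
		if err != nil {
			continue
		}
		policy, err := parsePolicy(policyBlock, modules)
		if err != nil {
			continue
		}
		attachPolicy(groupMap, groupBlock, policy)
	}

	if len(groupMap) == 0 {
		return nil
	}
	// Map iteration order is random; sort by block ID for stable output.
	ids := make([]string, 0, len(groupMap))
	for id := range groupMap {
		ids = append(ids, id)
	}
	sort.Strings(ids)
	output := make([]iam.Group, 0, len(ids))
	for _, id := range ids {
		output = append(output, groupMap[id])
	}
	return output
}

// newGroup creates an iam.Group from an aws_iam_group block with no users or
// policies attached. A missing "name" attribute yields an empty name.
func newGroup(groupBlock *terraform.Block) iam.Group {
	return iam.Group{
		Metadata: groupBlock.GetMetadata(),
		Name:     groupBlock.GetAttribute("name").AsStringValueOrDefault("", groupBlock),
		Users:    nil,
		Policies: nil,
	}
}

// attachPolicy appends policy to the group stored under groupBlock's ID,
// creating the group entry first if it was not declared via mapGroups (e.g.
// the group block was not picked up as an aws_iam_group resource).
func attachPolicy(groupMap map[string]iam.Group, groupBlock *terraform.Block, policy iam.Policy) {
	group, ok := groupMap[groupBlock.ID()]
	if !ok {
		group = newGroup(groupBlock)
	}
	group.Policies = append(group.Policies, policy)
	groupMap[groupBlock.ID()] = group
}

// mapGroups collects every aws_iam_group block, keyed by block ID, together
// with the inline policies and policy attachments that select their group by
// literal name (a "group" attribute that is a plain string equal to the
// group's name) within the same provider. The second map records the IDs of
// the policy blocks consumed this way so adaptGroups does not attach them a
// second time via block references.
func mapGroups(modules terraform.Modules) (map[string]iam.Group, map[string]struct{}) {
	groupMap := make(map[string]iam.Group)
	policyMap := make(map[string]struct{})

	// Hoisted out of the group loop: the resource sets do not change while
	// we iterate, so there is no need to re-query them per group.
	inlinePolicies := modules.GetResourcesByType("aws_iam_group_policy")
	attachments := modules.GetResourcesByType("aws_iam_group_policy_attachment")

	for _, groupBlock := range modules.GetResourcesByType("aws_iam_group") {
		group := newGroup(groupBlock)

		for _, block := range inlinePolicies {
			if !sameProvider(groupBlock, block) {
				continue
			}
			groupAttr := block.GetAttribute("group")
			if !groupAttr.IsString() || !groupAttr.Equals(group.Name.Value()) {
				continue
			}
			policy, err := parsePolicy(block, modules)
			if err != nil {
				// Unparseable policy: skipped, not reported (fail-open).
				continue
			}
			group.Policies = append(group.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		for _, block := range attachments {
			if !sameProvider(groupBlock, block) {
				continue
			}
			groupAttr := block.GetAttribute("group")
			if !groupAttr.IsString() || !groupAttr.Equals(group.Name.Value()) {
				continue
			}
			policyAttr := block.GetAttribute("policy_arn")
			// Mirror adaptGroups: an attachment without policy_arn cannot be
			// resolved to a policy block, so there is nothing to attach.
			if policyAttr.IsNil() {
				continue
			}
			policyBlock, err := modules.GetReferencedBlock(policyAttr, block)
			if err != nil {
				continue
			}
			policy, err := parsePolicy(policyBlock, modules)
			if err != nil {
				continue
			}
			group.Policies = append(group.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		groupMap[groupBlock.ID()] = group
	}
	return groupMap, policyMap
}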