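package iam

import (
	"sort"

	"github.com/khulnasoft-lab/defsec/pkg/providers/aws/iam"
	"github.com/khulnasoft-lab/defsec/pkg/terraform"
	defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types"
)

// adaptRoles builds the iam.Role model for every aws_iam_role in modules.
//
// Policies reach a role in three ways, all handled here or in mapRoles:
//   - inline_policy blocks declared on the role itself;
//   - aws_iam_role_policy / aws_iam_role_policy_attachment resources whose
//     role attribute is a string literal equal to the role name;
//   - aws_iam_role_policy resources whose role attribute is a reference to
//     the role block (resolved in the second pass below).
//
// The result is sorted by role block ID so that scan output is stable across
// runs (map iteration order in Go is randomised).
func adaptRoles(modules terraform.Modules) []iam.Role {
	roleMap, policyMap := mapRoles(modules)

	// Second pass: role policies that were not matched by name in mapRoles
	// but point at a role via a reference (e.g. aws_iam_role.x.id).
	for _, policyBlock := range modules.GetResourcesByType("aws_iam_role_policy") {
		if _, alreadyMapped := policyMap[policyBlock.ID()]; alreadyMapped {
			continue
		}
		roleAttr := policyBlock.GetAttribute("role")
		if roleAttr.IsNil() {
			continue
		}
		roleBlock, err := modules.GetReferencedBlock(roleAttr, policyBlock)
		if err != nil {
			// Unresolvable reference (e.g. a variable or a role defined
			// outside the scanned modules): nothing to attach it to.
			continue
		}
		policy, err := parsePolicy(policyBlock, modules)
		if err != nil {
			continue
		}
		role, known := roleMap[roleBlock.ID()]
		if !known {
			role = newRole(roleBlock)
		}
		role.Policies = append(role.Policies, policy)
		roleMap[roleBlock.ID()] = role
	}

	ids := make([]string, 0, len(roleMap))
	for id := range roleMap {
		ids = append(ids, id)
	}
	sort.Strings(ids)

	// Keep the nil-when-empty result the previous implementation produced.
	var output []iam.Role
	for _, id := range ids {
		output = append(output, roleMap[id])
	}
	return output
}

// newRole builds the Role value for an aws_iam_role block with no policies
// attached yet; the name falls back to "" when the attribute is absent.
func newRole(roleBlock *terraform.Block) iam.Role {
	return iam.Role{
		Metadata: roleBlock.GetMetadata(),
		Name:     roleBlock.GetAttribute("name").AsStringValueOrDefault("", roleBlock),
		Policies: nil,
	}
}

// parseInlinePolicy converts one inline_policy block of an aws_iam_role into
// an iam.Policy. The second result is false when the policy document cannot
// be parsed (or the parser returns no document), in which case the caller
// should skip this policy only, not the whole role.
func parseInlinePolicy(inlineBlock *terraform.Block, modules terraform.Modules) (iam.Policy, bool) {
	doc, err := ParsePolicyFromAttr(inlineBlock.GetAttribute("policy"), inlineBlock, modules)
	if err != nil || doc == nil {
		return iam.Policy{}, false
	}
	return iam.Policy{
		Metadata: inlineBlock.GetMetadata(),
		Name:     inlineBlock.GetAttribute("name").AsStringValueOrDefault("", inlineBlock),
		Document: *doc,
		// Inline policies are customer-managed, never AWS built-ins.
		Builtin: defsecTypes.Bool(false, inlineBlock.GetMetadata()),
	}, true
}

// referencesRoleByName reports whether block belongs to the same provider as
// roleBlock and its role attribute is a string literal equal to roleName.
// Role attributes that are references rather than literals are resolved
// separately in adaptRoles.
func referencesRoleByName(block, roleBlock *terraform.Block, roleName string) bool {
	if !sameProvider(roleBlock, block) {
		return false
	}
	roleAttr := block.GetAttribute("role")
	return roleAttr.IsString() && roleAttr.Equals(roleName)
}

// mapRoles indexes every aws_iam_role by block ID, attaching its inline
// policies and any aws_iam_role_policy / aws_iam_role_policy_attachment that
// names the role by string literal.
//
// It returns the role index together with the set of policy-resource block
// IDs that were consumed, so adaptRoles can limit its reference-based pass
// to the resources not matched here.
//
// A role is always recorded, even when one of its inline policies fails to
// parse: dropping the role would silently exclude it, and all of its other
// policies, from every check.
func mapRoles(modules terraform.Modules) (map[string]iam.Role, map[string]struct{}) {
	policyMap := make(map[string]struct{})
	roleMap := make(map[string]iam.Role)

	// Resolved once rather than on every role iteration.
	rolePolicies := modules.GetResourcesByType("aws_iam_role_policy")
	attachments := modules.GetResourcesByType("aws_iam_role_policy_attachment")

	for _, roleBlock := range modules.GetResourcesByType("aws_iam_role") {
		role := newRole(roleBlock)
		roleName := role.Name.Value()

		// aws_iam_role accepts several inline_policy blocks; consider all of
		// them, not only the first.
		for _, inlineBlock := range roleBlock.GetBlocks("inline_policy") {
			if policy, ok := parseInlinePolicy(inlineBlock, modules); ok {
				role.Policies = append(role.Policies, policy)
			}
		}

		for _, block := range rolePolicies {
			if !referencesRoleByName(block, roleBlock, roleName) {
				continue
			}
			policy, err := parsePolicy(block, modules)
			if err != nil {
				continue
			}
			role.Policies = append(role.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		for _, block := range attachments {
			if !referencesRoleByName(block, roleBlock, roleName) {
				continue
			}
			// Only attachments whose policy_arn references an aws_iam_policy
			// block in the scanned modules can be evaluated. A literal ARN
			// (e.g. an AWS managed policy) cannot be resolved to a block and
			// is skipped, so grants made that way are not visible to checks.
			policyBlock, err := modules.GetReferencedBlock(block.GetAttribute("policy_arn"), block)
			if err != nil {
				continue
			}
			policy, err := parsePolicy(policyBlock, modules)
			if err != nil {
				continue
			}
			role.Policies = append(role.Policies, policy)
			policyMap[block.ID()] = struct{}{}
		}

		roleMap[roleBlock.ID()] = role
	}

	return roleMap, policyMap
}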