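package iam

import (
	"github.com/google/uuid"
	"github.com/khulnasoft-lab/defsec/pkg/providers/google/iam"
	"github.com/khulnasoft-lab/defsec/pkg/types"
)

// see https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_organization_iam

// adaptOrganizationIAM collects organization-level IAM resources from the
// Terraform modules into a.orgs.
//
// Members are adapted before bindings/policies so that any organization they
// register via addOrg is already present when the later loops look it up.
func (a *adapter) adaptOrganizationIAM() {
	a.adaptOrganizationMembers()
	a.adaptOrganizationBindings()
}

// adaptOrganizationMembers attaches every google_organization_iam_member to the
// organization it references.
//
// The target organization may be spelled either as "organization" or "org_id";
// the former is preferred. When the reference resolves to a google_organization
// block the member is appended to that organization's Members. When it does not
// resolve (variable, data source, literal ID) the member is still kept, on a
// separate unmanaged placeholder organization, so that checks over members are
// not silently skipped for resources whose organization lives outside the scan.
func (a *adapter) adaptOrganizationMembers() {
	for _, iamBlock := range a.modules.GetResourcesByType("google_organization_iam_member") {
		member := a.adaptMember(iamBlock)
		organizationAttr := iamBlock.GetAttribute("organization")
		if organizationAttr.IsNil() {
			organizationAttr = iamBlock.GetAttribute("org_id")
		}

		if refBlock, err := a.modules.GetReferencedBlock(organizationAttr, iamBlock); err == nil {
			if refBlock.TypeLabel() == "google_organization" {
				a.addOrg(refBlock.ID())
				org, ok := a.orgs[refBlock.ID()]
				if !ok {
					// addOrg did not leave an entry behind: start one from the
					// referenced block so the member still gets managed metadata.
					// Members is deliberately left empty here; the single append
					// below adds the member exactly once on both paths (the old
					// code seeded the literal with the member and then appended
					// it again, duplicating it).
					org = iam.Organization{
						Metadata: refBlock.GetMetadata(),
					}
				}
				org.Members = append(org.Members, member)
				a.orgs[refBlock.ID()] = org
				continue
			}
		}

		// we didn't find the organization - add an unmanaged one.
		// Each unresolved resource gets its own placeholder key, so unrelated
		// members are never merged into one fake organization.
		placeholderID := uuid.NewString()
		org := iam.Organization{
			Metadata: types.NewUnmanagedMetadata(),
			Members:  []iam.Member{member},
		}
		a.orgs[placeholderID] = org
	}
}

// adaptOrganizationBindings attaches organization-level bindings from two
// resource types:
//
//   - google_organization_iam_policy: the bindings are parsed from the
//     referenced policy_data block (ParsePolicyBlock). Resources without a
//     resolvable policy_data reference are skipped entirely.
//   - google_organization_iam_binding: a single binding per resource.
//
// Both resolve the organization the same way as adaptOrganizationMembers
// ("organization", then "org_id"), register it via addOrg when it is a
// google_organization block, and otherwise fall back to an unmanaged
// placeholder organization so the bindings remain visible to checks.
func (a *adapter) adaptOrganizationBindings() {

	for _, iamBlock := range a.modules.GetResourcesByType("google_organization_iam_policy") {

		policyAttr := iamBlock.GetAttribute("policy_data")
		if policyAttr.IsNil() {
			continue
		}
		policyBlock, err := a.modules.GetReferencedBlock(policyAttr, iamBlock)
		if err != nil {
			continue
		}
		bindings := ParsePolicyBlock(policyBlock)

		// Accept the same two attribute spellings as the member and binding
		// loops; previously only "organization" was consulted here.
		orgAttr := iamBlock.GetAttribute("organization")
		if orgAttr.IsNil() {
			orgAttr = iamBlock.GetAttribute("org_id")
		}

		if refBlock, err := a.modules.GetReferencedBlock(orgAttr, iamBlock); err == nil {
			if refBlock.TypeLabel() == "google_organization" {
				// Register the organization like the other loops do, instead of
				// demoting a resolvable reference to an unmanaged placeholder just
				// because no member happened to reference the same organization.
				a.addOrg(refBlock.ID())
				org := a.orgs[refBlock.ID()]
				org.Bindings = append(org.Bindings, bindings...)
				a.orgs[refBlock.ID()] = org
				continue
			}
		}

		// we didn't find the organization - add an unmanaged one
		placeholderID := uuid.NewString()
		org := iam.Organization{
			Metadata: types.NewUnmanagedMetadata(),
			Bindings: bindings,
		}
		a.orgs[placeholderID] = org
	}

	for _, iamBlock := range a.modules.GetResourcesByType("google_organization_iam_binding") {
		binding := a.adaptBinding(iamBlock)
		organizationAttr := iamBlock.GetAttribute("organization")
		if organizationAttr.IsNil() {
			organizationAttr = iamBlock.GetAttribute("org_id")
		}

		if refBlock, err := a.modules.GetReferencedBlock(organizationAttr, iamBlock); err == nil {
			if refBlock.TypeLabel() == "google_organization" {
				a.addOrg(refBlock.ID())
				org := a.orgs[refBlock.ID()]
				org.Bindings = append(org.Bindings, binding)
				a.orgs[refBlock.ID()] = org
				continue
			}
		}

		// we didn't find the organization - add an unmanaged one
		placeholderID := uuid.NewString()
		org := iam.Organization{
			Metadata: types.NewUnmanagedMetadata(),
			Bindings: []iam.Binding{binding},
		}
		a.orgs[placeholderID] = org
	}
}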