github.com/turbot/steampipe@v1.7.0-rc.0.0.20240517123944-7cef272d4458/tests/manual_testing/args/with1/error_dash.sp (about) 1 // this is just for testing while `with` is in development... 2 locals { 3 test_user_arn = "arn:aws:iam::876515858155:user/jsmyth" 4 } 5 6 7 8 dashboard "aws_iam_user_detail" { 9 10 title = "AWS IAM User Detail" 11 12 13 input "user_arn" { 14 title = "Select a user:" 15 sql = query.aws_iam_user_input.sql 16 width = 4 17 } 18 19 container { 20 21 card { 22 width = 2 23 query = query.aws_iam_user_mfa_for_user 24 args = { 25 arn = self.input.user_arn.value 26 } 27 } 28 29 card { 30 width = 2 31 query = query.aws_iam_boundary_policy_for_user 32 args = { 33 arn = self.input.user_arn.value 34 } 35 } 36 37 card { 38 width = 2 39 query = query.aws_iam_user_inline_policy_count_for_user 40 args = { 41 arn = self.input.user_arn.value 42 } 43 } 44 45 card { 46 width = 2 47 query = query.aws_iam_user_direct_attached_policy_count_for_user 48 args = { 49 arn = self.input.user_arn.value 50 } 51 } 52 53 } 54 55 container { 56 57 graph { 58 title = "Relationships" 59 type = "graph" 60 direction = "TD" 61 62 with "groups" { 63 sql = <<-EOQ 64 select 65 g ->> 'Arn' as group_arn 66 from 67 aws_iam_user, 68 jsonb_array_elements(groups) as g 69 where 70 arn = $1 71 EOQ 72 73 //args = [self.input.user_arn.value] 74 args = [local.test_user_arn] 75 76 param "user_arn" { 77 // default = self.input.user_arn.value 78 } 79 } 80 81 82 with "attached_policies" { 83 sql = <<-EOQ 84 select 85 jsonb_array_elements_text(attached_policy_arns) as policy_arn 86 from 87 aws_iam_user 88 where 89 arn = $1 90 EOQ 91 92 //args = [self.input.user_arn.value] 93 args = [local.test_user_arn] 94 95 # param "user_arn" { 96 # //default = self.input.user_arn.value 97 # } 98 } 99 100 101 nodes = [ 102 node.aws_iam_user_nodes, 103 # node.aws_iam_group_nodes, 104 # node.aws_iam_policy_nodes, 105 106 // to update for 'with' reuse 107 node.aws_iam_user_to_iam_access_key_node, 108 node.aws_iam_user_to_inline_policy_node, 109 ] 110 111 edges = [ 112 # edge.aws_iam_group_to_iam_user_edges, 113 edge.aws_iam_user_to_iam_policy_edges, 114 115 // to update for 'with' reuse 116 edge.aws_iam_user_to_iam_access_key_edge, 117 edge.aws_iam_user_to_inline_policy_edge, 118 ] 119 120 args = { 121 //arn = self.input.user_arn.value 122 arn = local.test_user_arn 123 124 group_arns = with.groups.rows[*].group_arn 125 policy_arns = with.attached_policies.rows[*].policy_arn 126 user_arns = [local.test_user_arn] 127 //user_arns = [self.input.user_arn.value] 128 } 129 } 130 } 131 132 container { 133 134 container { 135 136 width = 6 137 138 table { 139 title = "Overview" 140 type = "line" 141 width = 6 142 query = query.aws_iam_user_overview 143 args = { 144 arn = self.input.user_arn.value 145 } 146 } 147 148 table { 149 title = "Tags" 150 width = 6 151 query = query.aws_iam_user_tags 152 args = { 153 arn = self.input.user_arn.value 154 } 155 } 156 157 } 158 159 container { 160 161 width = 6 162 163 table { 164 title = "Console Password" 165 query = query.aws_iam_user_console_password 166 args = { 167 arn = self.input.user_arn.value 168 } 169 } 170 171 table { 172 title = "Access Keys" 173 query = query.aws_iam_user_access_keys 174 args = { 175 arn = self.input.user_arn.value 176 } 177 } 178 179 table { 180 title = "MFA Devices" 181 query = query.aws_iam_user_mfa_devices 182 args = { 183 arn = self.input.user_arn.value 184 } 185 } 186 187 } 188 189 } 190 191 container { 192 193 title = "AWS IAM User Policy Analysis" 194 195 flow { 196 type = "sankey" 197 title = "Attached Policies" 198 query = query.aws_iam_user_manage_policies_sankey 199 args = { 200 arn = self.input.user_arn.value 201 } 202 203 category "aws_iam_group" { 204 color = "ok" 205 } 206 } 207 208 209 flow { 210 title = "Attached Policies" 211 212 nodes = [ 213 node.aws_iam_user_node, 214 node.aws_iam_user_to_iam_group_node, 215 node.aws_iam_user_to_iam_group_policy_node, 216 node.aws_iam_user_to_iam_policy_node, 217 node.aws_iam_user_to_inline_policy_node, 218 node.aws_iam_user_to_iam_group_inline_policy_node, 219 220 ] 221 222 edges = [ 223 edge.aws_iam_user_to_iam_group_edge, 224 edge.aws_iam_user_to_iam_group_policy_edge, 225 edge.aws_iam_user_to_iam_policy_edge, 226 edge.aws_iam_user_to_inline_policy_edge, 227 edge.aws_iam_user_to_iam_group_inline_policy_edge, 228 ] 229 230 args = { 231 arn = self.input.user_arn.value 232 } 233 } 234 235 236 table { 237 title = "Groups" 238 width = 6 239 query = query.aws_iam_groups_for_user 240 args = { 241 arn = self.input.user_arn.value 242 } 243 244 column "Name" { 245 // cyclic dependency prevents use of url_path, hardcode for now 246 //href = "${dashboard.aws_iam_group_detail.url_path}?input.group_arn={{.'ARN' | @uri}}" 247 href = "/aws_insights.dashboard.aws_iam_group_detail?input.group_arn={{.ARN | @uri}}" 248 249 } 250 } 251 252 table { 253 title = "Policies" 254 width = 6 255 query = query.aws_iam_all_policies_for_user 256 args = { 257 arn = self.input.user_arn.value 258 } 259 } 260 261 } 262 263 } 264 265 query "aws_iam_user_input" { 266 sql = <<-EOQ 267 select 268 title as label, 269 arn as value, 270 json_build_object( 271 'account_id', account_id 272 ) as tags 273 from 274 aws_iam_user 275 order by 276 title; 277 EOQ 278 } 279 280 query "aws_iam_user_mfa_for_user" { 281 sql = <<-EOQ 282 select 283 case when mfa_enabled then 'Enabled' else 'Disabled' end as value, 284 'MFA Status' as label, 285 case when mfa_enabled then 'ok' else 'alert' end as type 286 from 287 aws_iam_user 288 where 289 arn = $1 290 EOQ 291 292 param "arn" {} 293 } 294 295 query "aws_iam_boundary_policy_for_user" { 296 sql = <<-EOQ 297 select 298 case 299 when permissions_boundary_type is null then 'Not set' 300 when permissions_boundary_type = '' then 'Not set' 301 else substring(permissions_boundary_arn, 'arn:aws:iam::\d{12}:.+\/(.*)') 302 end as value, 303 'Boundary Policy' as label, 304 case 305 when permissions_boundary_type is null then 'alert' 306 when permissions_boundary_type = '' then 'alert' 307 else 'ok' 308 end as type 309 from 310 aws_iam_user 311 where 312 arn = $1 313 EOQ 314 315 param "arn" {} 316 317 } 318 319 query "aws_iam_user_inline_policy_count_for_user" { 320 sql = <<-EOQ 321 select 322 coalesce(jsonb_array_length(inline_policies),0) as value, 323 'Inline Policies' as label, 324 case when coalesce(jsonb_array_length(inline_policies),0) = 0 then 'ok' else 'alert' end as type 325 from 326 aws_iam_user 327 where 328 arn = $1 329 EOQ 330 331 param "arn" {} 332 } 333 334 query "aws_iam_user_direct_attached_policy_count_for_user" { 335 sql = <<-EOQ 336 select 337 coalesce(jsonb_array_length(attached_policy_arns), 0) as value, 338 'Attached Policies' as label, 339 case when coalesce(jsonb_array_length(attached_policy_arns), 0) = 0 then 'ok' else 'alert' end as type 340 from 341 aws_iam_user 342 where 343 arn = $1 344 EOQ 345 346 param "arn" {} 347 } 348 349 350 node "aws_iam_user_node" { 351 352 353 sql = <<-EOQ 354 select 355 user_id as id, 356 name as title, 357 jsonb_build_object( 358 'ARN', arn, 359 'Path', path, 360 'Create Date', create_date, 361 'MFA Enabled', mfa_enabled::text, 362 'Account ID', account_id 363 ) as properties 364 from 365 aws_iam_user 366 where 367 arn = $1; 368 EOQ 369 370 param "arn" {} 371 } 372 373 node "aws_iam_user_to_iam_group_node" { 374 375 sql = <<-EOQ 376 select 377 g.group_id as id, 378 g.name as title, 379 jsonb_build_object( 380 'ARN', arn, 381 'Path', path, 382 'Create Date', create_date, 383 'Account ID', account_id 384 ) as properties 385 from 386 aws_iam_group as g, 387 jsonb_array_elements(users) as u 388 where 389 u ->> 'Arn' = $1; 390 EOQ 391 392 param "arn" {} 393 } 394 395 396 node "aws_iam_user_to_iam_policy_node" { 397 398 sql = <<-EOQ 399 select 400 p.policy_id as id, 401 p.name as title, 402 jsonb_build_object( 403 'ARN', p.arn, 404 'AWS Managed', p.is_aws_managed::text, 405 'Attached', p.is_attached::text, 406 'Create Date', p.create_date, 407 'Account ID', p.account_id 408 ) as properties 409 from 410 aws_iam_user as u, 411 jsonb_array_elements_text(attached_policy_arns) as pol, 412 aws_iam_policy as p 413 where 414 p.arn = pol 415 and p.account_id = u.account_id 416 and u.arn = $1 417 418 EOQ 419 420 param "arn" {} 421 } 422 423 edge "aws_iam_user_to_iam_policy_edge" { 424 title = "managed policy" 425 426 sql = <<-EOQ 427 select 428 u.user_id as from_id, 429 p.policy_id as to_id 430 from 431 aws_iam_user as u, 432 jsonb_array_elements_text(attached_policy_arns) as pol, 433 aws_iam_policy as p 434 where 435 p.arn = pol 436 and p.account_id = u.account_id 437 and u.arn = $1 438 EOQ 439 440 param "arn" {} 441 } 442 443 444 445 node "aws_iam_user_to_inline_policy_node" { 446 447 sql = <<-EOQ 448 select 449 concat('inline_', i ->> 'PolicyName') as id, 450 i ->> 'PolicyName' as title, 451 jsonb_build_object( 452 'PolicyName', i ->> 'PolicyName', 453 'Type', 'Inline Policy' 454 ) as properties 455 from 456 aws_iam_user as u, 457 jsonb_array_elements(inline_policies_std) as i 458 where 459 u.arn = $1 460 EOQ 461 462 param "arn" {} 463 } 464 465 edge "aws_iam_user_to_inline_policy_edge" { 466 title = "inline policy" 467 468 sql = <<-EOQ 469 select 470 u.arn as from_id, 471 concat('inline_', i ->> 'PolicyName') as to_id 472 from 473 aws_iam_user as u, 474 jsonb_array_elements(inline_policies_std) as i 475 where 476 u.arn = $1 477 EOQ 478 479 param "arn" {} 480 } 481 482 483 node "aws_iam_user_to_iam_access_key_node" { 484 485 sql = <<-EOQ 486 select 487 a.access_key_id as id, 488 a.access_key_id as title, 489 jsonb_build_object( 490 'Key Id', a.access_key_id, 491 'Status', a.status, 492 'Create Date', a.create_date, 493 'Last Used Date', a.access_key_last_used_date, 494 'Last Used Service', a.access_key_last_used_service, 495 'Last Used Region', a.access_key_last_used_region 496 ) as properties 497 from 498 aws_iam_access_key as a left join aws_iam_user as u on u.name = a.user_name 499 where 500 u.arn = $1; 501 EOQ 502 503 param "arn" {} 504 } 505 506 edge "aws_iam_user_to_iam_access_key_edge" { 507 title = "access key" 508 509 sql = <<-EOQ 510 select 511 u.arn as from_id, 512 a.access_key_id as to_id 513 from 514 aws_iam_access_key as a, 515 aws_iam_user as u 516 where 517 u.name = a.user_name 518 and u.account_id = a.account_id 519 and u.arn = $1; 520 EOQ 521 522 param "arn" {} 523 } 524 525 query "aws_iam_user_overview" { 526 sql = <<-EOQ 527 select 528 name as "Name", 529 create_date as "Create Date", 530 permissions_boundary_arn as "Boundary Policy", 531 user_id as "User ID", 532 arn as "ARN", 533 account_id as "Account ID" 534 from 535 aws_iam_user 536 where 537 arn = $1 538 EOQ 539 540 param "arn" {} 541 } 542 543 query "aws_iam_user_tags" { 544 sql = <<-EOQ 545 select 546 tag ->> 'Key' as "Key", 547 tag ->> 'Value' as "Value" 548 from 549 aws_iam_user, 550 jsonb_array_elements(tags_src) as tag 551 where 552 arn = $1 553 order by 554 tag ->> 'Key' 555 EOQ 556 557 param "arn" {} 558 } 559 560 query "aws_iam_user_console_password" { 561 sql = <<-EOQ 562 select 563 password_last_used as "Password Last Used", 564 mfa_enabled as "MFA Enabled" 565 from 566 aws_iam_user 567 where 568 arn = $1 569 EOQ 570 571 param "arn" {} 572 } 573 574 query "aws_iam_user_access_keys" { 575 sql = <<-EOQ 576 select 577 access_key_id as "Access Key ID", 578 a.status as "Status", 579 a.create_date as "Create Date" 580 from 581 aws_iam_access_key as a left join aws_iam_user as u on u.name = a.user_name and u.account_id = a.account_id 582 where 583 u.arn = $1 584 EOQ 585 586 param "arn" {} 587 } 588 589 query "aws_iam_user_mfa_devices" { 590 sql = <<-EOQ 591 select 592 mfa ->> 'SerialNumber' as "Serial Number", 593 mfa ->> 'EnableDate' as "Enable Date", 594 path as "User Path" 595 from 596 aws_iam_user as u, 597 jsonb_array_elements(mfa_devices) as mfa 598 where 599 arn = $1 600 EOQ 601 602 param "arn" {} 603 } 604 605 query "aws_iam_user_manage_policies_sankey" { 606 sql = <<-EOQ 607 608 with args as ( 609 select $1 as iam_user_arn 610 ) 611 612 -- User 613 select 614 null as from_id, 615 arn as id, 616 title, 617 0 as depth, 618 'aws_iam_user' as category 619 from 620 aws_iam_user 621 where 622 arn in (select iam_user_arn from args) 623 624 -- Groups 625 union select 626 u.arn as from_id, 627 g ->> 'Arn' as id, 628 g ->> 'GroupName' as title, 629 1 as depth, 630 'aws_iam_group' as category 631 from 632 aws_iam_user as u, 633 jsonb_array_elements(groups) as g 634 where 635 u.arn in (select iam_user_arn from args) 636 637 -- Policies (attached to groups) 638 union select 639 g.arn as from_id, 640 p.arn as id, 641 p.title as title, 642 2 as depth, 643 'aws_iam_policy' as category 644 from 645 aws_iam_user as u, 646 aws_iam_policy as p, 647 jsonb_array_elements(u.groups) as user_groups 648 inner join aws_iam_group g on g.arn = user_groups ->> 'Arn' 649 where 650 g.attached_policy_arns :: jsonb ? p.arn 651 and u.arn in (select iam_user_arn from args) 652 653 -- Policies (inline from groups) 654 union select 655 grp.arn as from_id, 656 concat(grp.group_id, '_' , i ->> 'PolicyName') as id, 657 concat(i ->> 'PolicyName', ' (inline)') as title, 658 2 as depth, 659 'inline_policy' as category 660 from 661 aws_iam_user as u, 662 jsonb_array_elements(u.groups) as g, 663 aws_iam_group as grp, 664 jsonb_array_elements(grp.inline_policies_std) as i 665 where 666 grp.arn = g ->> 'Arn' 667 and u.arn in (select iam_user_arn from args) 668 669 -- Policies (attached to user) 670 union select 671 u.arn as from_id, 672 p.arn as id, 673 p.title as title, 674 2 as depth, 675 'aws_iam_policy' as category 676 from 677 aws_iam_user as u, 678 jsonb_array_elements_text(u.attached_policy_arns) as pol_arn, 679 aws_iam_policy as p 680 where 681 u.attached_policy_arns :: jsonb ? p.arn 682 and pol_arn = p.arn 683 and u.arn in (select iam_user_arn from args) 684 685 -- Inline Policies (defined on user) 686 union select 687 u.arn as from_id, 688 concat('inline_', i ->> 'PolicyName') as id, 689 concat(i ->> 'PolicyName', ' (inline)') as title, 690 2 as depth, 691 'inline_policy' as category 692 from 693 aws_iam_user as u, 694 jsonb_array_elements(inline_policies_std) as i 695 where 696 u.arn in (select iam_user_arn from args) 697 EOQ 698 699 param "arn" {} 700 } 701 702 query "aws_iam_groups_for_user" { 703 sql = <<-EOQ 704 select 705 g ->> 'GroupName' as "Name", 706 g ->> 'Arn' as "ARN" 707 from 708 aws_iam_user as u, 709 jsonb_array_elements(groups) as g 710 where 711 u.arn = $1 712 EOQ 713 714 param "arn" {} 715 } 716 717 query "aws_iam_all_policies_for_user" { 718 sql = <<-EOQ 719 720 -- Policies (attached to groups) 721 select 722 p.title as "Policy", 723 p.arn as "ARN", 724 'Group: ' || g.title as "Via" 725 from 726 aws_iam_user as u, 727 aws_iam_policy as p, 728 jsonb_array_elements(u.groups) as user_groups 729 inner join aws_iam_group g on g.arn = user_groups ->> 'Arn' 730 where 731 g.attached_policy_arns :: jsonb ? p.arn 732 and u.arn = $1 733 734 -- Policies (inline from groups) 735 union select 736 i ->> 'PolicyName' as "Policy", 737 'N/A' as "ARN", 738 'Group: ' || grp.title || ' (inline)' as "Via" 739 from 740 aws_iam_user as u, 741 jsonb_array_elements(u.groups) as g, 742 aws_iam_group as grp, 743 jsonb_array_elements(grp.inline_policies_std) as i 744 where 745 grp.arn = g ->> 'Arn' 746 and u.arn = $1 747 748 -- Policies (attached to user) 749 union select 750 p.title as "Policy", 751 p.arn as "ARN", 752 'Attached to User' as "Via" 753 from 754 aws_iam_user as u, 755 jsonb_array_elements_text(u.attached_policy_arns) as pol_arn, 756 aws_iam_policy as p 757 where 758 u.attached_policy_arns :: jsonb ? p.arn 759 and pol_arn = p.arn 760 and u.arn = $1 761 762 -- Inline Policies (defined on user) 763 union select 764 i ->> 'PolicyName' as "Policy", 765 'N/A' as "ARN", 766 'Inline' as "Via" 767 from 768 aws_iam_user as u, 769 jsonb_array_elements(inline_policies_std) as i 770 where 771 u.arn = $1 772 EOQ 773 774 param "arn" {} 775 } 776 777 778 779 780 //*** 781 782 783 784 edge "aws_iam_user_to_iam_group_edge" { 785 title = "has member" 786 787 sql = <<-EOQ 788 select 789 u ->> 'UserId' as from_id, 790 g.group_id as to_id 791 from 792 aws_iam_group as g, 793 jsonb_array_elements(users) as u 794 where 795 u ->> 'Arn' = $1; 796 EOQ 797 798 param "arn" {} 799 } 800 801 802 803 804 805 node "aws_iam_user_to_iam_group_policy_node" { 806 807 sql = <<-EOQ 808 select 809 p.policy_id as id, 810 p.name as title, 811 jsonb_build_object( 812 'ARN', p.arn, 813 'AWS Managed', p.is_aws_managed::text, 814 'Attached', p.is_attached::text, 815 'Create Date', p.create_date, 816 'Account ID', p.account_id 817 ) as properties 818 from 819 aws_iam_user as u, 820 jsonb_array_elements(u.groups) as user_groups, 821 aws_iam_group as g, 822 jsonb_array_elements_text(g.attached_policy_arns) as gp_arn, 823 aws_iam_policy as p 824 where 825 g.arn = user_groups ->> 'Arn' 826 and gp_arn = p.arn 827 and p.account_id = u.account_id 828 and u.arn = $1; 829 EOQ 830 831 param "arn" {} 832 } 833 834 edge "aws_iam_user_to_iam_group_policy_edge" { 835 title = "attached" 836 837 sql = <<-EOQ 838 select 839 g.group_id as from_id, 840 p.policy_id as to_id 841 from 842 aws_iam_user as u, 843 jsonb_array_elements(u.groups) as user_groups, 844 aws_iam_group as g, 845 jsonb_array_elements_text(g.attached_policy_arns) as gp_arn, 846 aws_iam_policy as p 847 where 848 g.arn = user_groups ->> 'Arn' 849 and gp_arn = p.arn 850 and p.account_id = u.account_id 851 and u.arn = $1; 852 EOQ 853 854 param "arn" {} 855 } 856 857 858 859 node "aws_iam_user_to_iam_group_inline_policy_node" { 860 861 sql = <<-EOQ 862 select 863 concat(grp.group_id, '_' , i ->> 'PolicyName') as id, 864 i ->> 'PolicyName' as title 865 --2 as depth 866 from 867 aws_iam_user as u, 868 jsonb_array_elements(u.groups) as g, 869 aws_iam_group as grp, 870 jsonb_array_elements(grp.inline_policies_std) as i 871 where 872 grp.arn = g ->> 'Arn' 873 and u.arn = $1 874 EOQ 875 876 param "arn" {} 877 } 878 879 edge "aws_iam_user_to_iam_group_inline_policy_edge" { 880 title = "attached" 881 882 sql = <<-EOQ 883 select 884 concat(grp.group_id, '_' , i ->> 'PolicyName') as to_id, 885 grp.group_id as from_id 886 from 887 aws_iam_user as u, 888 jsonb_array_elements(u.groups) as g, 889 aws_iam_group as grp, 890 jsonb_array_elements(grp.inline_policies_std) as i 891 where 892 grp.arn = g ->> 'Arn' 893 and u.arn = $1 894 EOQ 895 896 param "arn" {} 897 } 898 899 //****** 900 901 node "aws_iam_user_nodes" { 902 903 904 sql = <<-EOQ 905 select 906 arn as id, 907 name as title, 908 jsonb_build_object( 909 'ARN', arn, 910 'Path', path, 911 'Create Date', create_date, 912 'MFA Enabled', mfa_enabled::text, 913 'Account ID', account_id 914 ) as properties 915 from 916 aws_iam_user 917 where 918 arn = any($1); 919 EOQ 920 921 param "user_arns" {} 922 } 923 924 925 926 927 edge "aws_iam_user_to_iam_policy_edges" { 928 title = "has member" 929 930 sql = <<-EOQ 931 select 932 user_arn as from_id, 933 policy_arn as to_id 934 from 935 unnest($1::text[]) as user_arn, 936 unnest($2::text[]) as policy_arn 937 EOQ 938 939 param "user_arns" {} 940 param "policy_arns" {} 941 942 }