forked from rebuy-de/aws-nuke
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathiam-role-policy.go
121 lines (99 loc) · 2.55 KB
/
iam-role-policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
package resources
import (
"fmt"
"strings"
"time"
"github.com/sirupsen/logrus"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/iam"
"github.com/rebuy-de/aws-nuke/v2/pkg/types"
)
type IAMRolePolicy struct {
svc *iam.IAM
role iam.Role
policyName string
}
func init() {
register("IAMRolePolicy", ListIAMRolePolicies)
}
func ListIAMRolePolicies(sess *session.Session) ([]Resource, error) {
svc := iam.New(sess)
roleParams := &iam.ListRolesInput{}
resources := make([]Resource, 0)
for {
roles, err := svc.ListRoles(roleParams)
if err != nil {
return nil, err
}
for _, listedRole := range roles.Roles {
role, err := GetIAMRole(svc, listedRole.RoleName)
if err != nil {
logrus.Errorf("Failed to get listed role %s: %v", *listedRole.RoleName, err)
continue
}
polParams := &iam.ListRolePoliciesInput{
RoleName: role.RoleName,
}
for {
policies, err := svc.ListRolePolicies(polParams)
if err != nil {
logrus.
WithError(err).
WithField("roleName", *role.RoleName).
Error("Failed to list policies")
break
}
for _, policyName := range policies.PolicyNames {
resources = append(resources, &IAMRolePolicy{
svc: svc,
role: *role,
policyName: *policyName,
})
}
if !*policies.IsTruncated {
break
}
polParams.Marker = policies.Marker
}
}
if !*roles.IsTruncated {
break
}
roleParams.Marker = roles.Marker
}
return resources, nil
}
func (e *IAMRolePolicy) Filter() error {
if strings.HasPrefix(aws.StringValue(e.role.Path), "/aws-service-role/") {
return fmt.Errorf("cannot alter service roles")
}
return nil
}
func (e *IAMRolePolicy) Remove() error {
_, err := e.svc.DeleteRolePolicy(
&iam.DeleteRolePolicyInput{
RoleName: e.role.RoleName,
PolicyName: &e.policyName,
})
if err != nil {
return err
}
return nil
}
func (e *IAMRolePolicy) Properties() types.Properties {
properties := types.NewProperties().
Set("PolicyName", e.policyName).
Set("role:RoleName", e.role.RoleName).
Set("role:RoleID", e.role.RoleId).
Set("role:Path", e.role.Path).
Set("role:LastUsed", getLastUsedDate(&e.role, time.RFC3339)).
Set("role:CreateDate", e.role.CreateDate.Format(time.RFC3339))
for _, tagValue := range e.role.Tags {
properties.SetTagWithPrefix("role", tagValue.Key, tagValue.Value)
}
return properties
}
func (e *IAMRolePolicy) String() string {
return fmt.Sprintf("%s -> %s", aws.StringValue(e.role.RoleName), e.policyName)
}