Merge pull request #402 from cloudskiff/issue_366_lotoussa

Fix aws_iam_policy_attachment false-positives
snyk · Apr 6, 2021 · 589c908 · 589c908
2 parents 3f8d5e0 + a93cfbb
commit 589c908
Show file tree

Hide file tree

Showing 7 changed files with 147 additions and 20 deletions.
diff --git a/pkg/iac/terraform/state/test/iam_role_policy_attachment/result.golden.json b/pkg/iac/terraform/state/test/iam_role_policy_attachment/result.golden.json
@@ -57,54 +57,54 @@
   "Policy": "{\"Statement\":[{\"Action\":[\"ec2:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}],\"Version\":\"2012-10-17\"}"
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-attachment5",
   "Name": "test-attachment5",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test-policy3",
   "Roles": [
    "test-role",
    "test-role2"
   ],
-  "Users": []
+  "Users": null
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-role-arn:aws:iam::526954929923:policy/test-policy",
   "Name": "test-role-20201118162849968800000001",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test-policy",
   "Roles": [
    "test-role"
   ],
-  "Users": []
+  "Users": null
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-role-arn:aws:iam::526954929923:policy/test-policy2",
   "Name": "test-role-20201118162849994600000002",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test-policy2",
   "Roles": [
    "test-role"
   ],
-  "Users": []
+  "Users": null
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-role2-arn:aws:iam::526954929923:policy/test-policy",
   "Name": "test-role2-20201118162908999800000001",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test-policy",
   "Roles": [
    "test-role2"
   ],
-  "Users": []
+  "Users": null
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-role2-arn:aws:iam::526954929923:policy/test-policy2",
   "Name": "test-role2-20201118162909011200000002",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test-policy2",
   "Roles": [
    "test-role2"
   ],
-  "Users": []
+  "Users": null
  }
 ]
diff --git a/pkg/iac/terraform/state/test/iam_user_policy_attachment/result.golden.json b/pkg/iac/terraform/state/test/iam_user_policy_attachment/result.golden.json
@@ -30,7 +30,7 @@
   "UniqueId": "AIDAXVMHWD4BTVLVQM236"
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer-arn:aws:iam::526954929923:policy/test2",
   "Name": "loadbalancer-2020111317225517310000000a",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test2",
@@ -40,7 +40,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer3-arn:aws:iam::526954929923:policy/test",
   "Name": "loadbalancer3-2020111317225590250000000c",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test",
@@ -50,7 +50,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer3-arn:aws:iam::526954929923:policy/test2",
   "Name": "loadbalancer3-20201113172255118300000007",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test2",
@@ -60,7 +60,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer-arn:aws:iam::526954929923:policy/test",
   "Name": "loadbalancer-20201113172255158500000009",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test",
@@ -70,7 +70,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer3-arn:aws:iam::526954929923:policy/test3",
   "Name": "loadbalancer3-20201113172254986500000006",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test3",
@@ -80,7 +80,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer-arn:aws:iam::526954929923:policy/test3",
   "Name": "loadbalancer-20201113172254928300000005",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test3",
@@ -90,7 +90,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer2-arn:aws:iam::526954929923:policy/test",
   "Name": "loadbalancer2-2020111317225587220000000b",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test",
@@ -100,7 +100,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer2-arn:aws:iam::526954929923:policy/test2",
   "Name": "loadbalancer2-20201113172255122400000008",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test2",
@@ -110,7 +110,7 @@
   ]
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "loadbalancer2-arn:aws:iam::526954929923:policy/test3",
   "Name": "loadbalancer2-20201113172254923500000004",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test3",
@@ -186,7 +186,7 @@
   "Policy": "{\"Statement\":[{\"Action\":[\"ec2:Describe*\"],\"Effect\":\"Allow\",\"Resource\":\"*\"}],\"Version\":\"2012-10-17\"}"
  },
  {
-  "Groups": [],
+  "Groups": null,
   "Id": "test-attachment",
   "Name": "test-attachment",
   "PolicyArn": "arn:aws:iam::526954929923:policy/test4",

diff --git a/pkg/resource/aws/aws_iam_policy_attachment_ext.go b/pkg/resource/aws/aws_iam_policy_attachment_ext.go
@@ -0,0 +1,25 @@
+package aws
+
+import (
+	"github.com/cloudskiff/driftctl/pkg/resource"
+)
+
+func (r *AwsIamPolicyAttachment) NormalizeForState() (resource.Resource, error) {
+	if r.Groups != nil && len(*r.Groups) == 0 {
+		r.Groups = nil
+	}
+	if r.Users != nil && len(*r.Users) == 0 {
+		r.Users = nil
+	}
+	return r, nil
+}
+
+func (r *AwsIamPolicyAttachment) NormalizeForProvider() (resource.Resource, error) {
+	if r.Groups != nil && len(*r.Groups) == 0 {
+		r.Groups = nil
+	}
+	if r.Users != nil && len(*r.Users) == 0 {
+		r.Users = nil
+	}
+	return r, nil
+}
diff --git a/pkg/resource/aws/aws_iam_policy_attachment_test.go b/pkg/resource/aws/aws_iam_policy_attachment_test.go
@@ -0,0 +1,25 @@
+package aws_test
+
+import (
+	"testing"
+
+	"github.com/cloudskiff/driftctl/test/acceptance"
+)
+
+func TestAcc_AwsIamPolicyAttachment_WithGroupsUsers(t *testing.T) {
+	acceptance.Run(t, acceptance.AccTestCase{
+		Paths: []string{"./testdata/acc/aws_iam_policy_attachment"},
+		Args:  []string{"scan", "--filter", "Type=='aws_iam_policy_attachment'"},
+		Checks: []acceptance.AccCheck{
+			{
+				Check: func(result *acceptance.ScanResult, stdout string, err error) {
+					if err != nil {
+						t.Fatal(err)
+					}
+					result.AssertDriftCountTotal(0)
+					result.Equal(1, result.Summary().TotalManaged)
+				},
+			},
+		},
+	})
+}
diff --git a/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/.terraform.lock.hcl b/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/.terraform.lock.hcl
diff --git a/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/iam_policy_attachment.tf b/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/iam_policy_attachment.tf
@@ -0,0 +1,46 @@
+resource "aws_iam_role" "yaddi" {
+    name               = "driftctl-lambda-role2"
+    path               = "/service-role/"
+    assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "yadda" {
+    name = "policy"
+
+    policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "sqs:ReceiveMessage",
+        "sqs:DeleteMessage",
+        "sqs:GetQueueAttributes"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_policy_attachment" "yaddattach" {
+    name = "yaddattachment2"
+    roles = [aws_iam_role.yaddi.name]
+    policy_arn = aws_iam_policy.yadda.arn
+}
diff --git a/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/providers.tf b/pkg/resource/aws/testdata/acc/aws_iam_policy_attachment/providers.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+  region = "us-east-1"
+}
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 3.19.0"
+    }
+  }
+}