Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

Closed
sjourdan opened this issue May 6, 2021 · 3 comments · May be fixed by #1649
Closed

aws_iam_policy_attachment drift is not detected (0.7.1 regression) #489

sjourdan opened this issue May 6, 2021 · 3 comments · May be fixed by #1649
Assignees
@sjourdan
Labels
kind/bug Something isn't working
Milestone
v0.8.0

Comments

@sjourdan
Copy link
Contributor

sjourdan commented May 6, 2021

Description

Manually adding an IAM policy on an IAM user was detected as a drift until 0.7.0 but 0.7.1 did not (regression)

0.7.0

❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanning resources: ⡿ (55)
Found unmanaged resources:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
  aws_iam_policy_attachment:
    - microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess
[...]
Found 6 resource(s)
 - 50% coverage
 - 3 covered by IaC
 - 3 not covered by IaC
 - 0 deleted on cloud provider
 - 0/3 drifted from IaC

0.7.1

❯  driftctl scan --from tfstate://./iam/terraform.tfstate --from tfstate://./vpc/terraform.tfstate --from tfstate://./s3/terraform.tfstate
Scanned resources:    (56)
Found resources not covered by IaC:
  aws_iam_access_key:
    - AKIASBXWQ3AYZG3H5ZMP (User: microservice-gae5qn)
Found 3 resource(s)
 - 66% coverage
 - 2 covered by IaC
 - 1 not covered by IaC
 - 0 missing on cloud provider
 - 0/2 changed outside of IaC

Environment

  • OS: fedora 34
  • driftctl version: 0.7.1

How to reproduce

  • apply this hcl (tf 0.15.1 in this case)
resource "aws_iam_user" "myuser" {
  name = "myuser"
}

resource "aws_iam_user_policy_attachment" "myuser" {
  user       = aws_iam_user.myuser.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
  • go to the AWS IAM console and click "add permissions", add whatever policy you want
  • run driftctl scan

Possible Solution

Additional context
@sjourdan sjourdan added the kind/bug Something isn't working label May 6, 2021
@sjourdan
Copy link
Contributor Author

sjourdan commented May 6, 2021

tldr: cause = Ignoring default AWS resource

❯  dctlenv use 0.7.1
Switching version to v0.7.1
Switching completed

❯  driftctl scan --from tfstate://iam/terraform.tfstate --from tfstate://vpc/terraform.tfstate --from tfstate://s3/terraform.tfstate --output json://stdout
{
	"summary": {
		"total_resources": 3,
		"total_changed": 0,
		"total_unmanaged": 1,
		"total_missing": 0,
		"total_managed": 2
	},
	"managed": [
		{
			"id": "microservice-gae5qn",
			"type": "aws_iam_user"
		},
		{
			"id": "AKIASBXWQ3AYSUC7XHUG",
			"type": "aws_iam_access_key"
		}
	],
	"unmanaged": [
		{
			"id": "AKIASBXWQ3AYZG3H5ZMP",
			"type": "aws_iam_access_key"
		}
	],
	"missing": null,
	"differences": null,
	"coverage": 66,
	"alerts": null
}
❯  dctlenv use 0.7.0
Switching version to v0.7.0
Switching completed

❯  driftctl scan --from tfstate://iam/terraform.tfstate --from tfstate://vpc/terraform.tfstate --from tfstate://s3/terraform.tfstate --output json://stdout
{
	"summary": {
		"total_resources": 6,
		"total_drifted": 0,
		"total_unmanaged": 3,
		"total_deleted": 0,
		"total_managed": 3
	},
	"managed": [
		{
			"id": "microservice-gae5qn",
			"type": "aws_iam_user"
		},
		{
			"id": "microservice-gae5qn-arn:aws:iam::aws:policy/ReadOnlyAccess",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "AKIASBXWQ3AYSUC7XHUG",
			"type": "aws_iam_access_key"
		}
	],
	"unmanaged": [
		{
			"id": "AWSServiceRoleForAccessAnalyzer-arn:aws:iam::aws:policy/aws-service-role/AccessAnalyzerServiceRolePolicy",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess",
			"type": "aws_iam_policy_attachment"
		},
		{
			"id": "AKIASBXWQ3AYZG3H5ZMP",
			"type": "aws_iam_access_key"
		}
	],
	"deleted": null,
	"differences": null,
	"coverage": 50,
	"alerts": null
}

using LOG_LEVEL=debug 

[...]
DEBU[0009] Ignoring default AWS resource id=microservice-gae5qn-arn:aws:iam::aws:policy/AdministratorAccess type=aws_iam_policy_attachment

@sundowndev sundowndev added this to the v0.8.0 milestone May 7, 2021
@sundowndev sundowndev self-assigned this May 7, 2021
@sundowndev sundowndev mentioned this issue May 7, 2021
Merged
@eliecharra eliecharra assigned sjourdan and unassigned sundowndev May 10, 2021
@sundowndev
Copy link
Contributor

Fixed in v0.8.0

@n2N8Z
Copy link
Contributor

n2N8Z commented Mar 31, 2023

The code that was removed to fix this issue had a logical flaw, which should have been fixed rather than removing it to solve this issue.
The logical flaw in the removed code was:
defaultRolesCount := 0
...
if defaultRolesCount == len(remoteResource.Attrs.GetSlice("roles")) {
resourcesToIgnore = append(resourcesToIgnore, remoteResource)
...

The effect of this is that if a aws_iam_policy_attachment has no role attachments and only user or group attachments it will be ignored (since defaultRolesCount == 0 and len(roles) == 0) i.e. the reported issue.

@n2N8Z n2N8Z mentioned this issue Mar 31, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjourdan sjourdan

Labels
kind/bug Something isn't working
Projects
None yet
Milestone
v0.8.0
Development

Successfully merging a pull request may close this issue.

Fix aws_iam_policy_attachment drift not detected, without removing aw… n2N8Z/driftctl
3 participants
@sjourdan @sundowndev @n2N8Z