From 2b99e41a4a7a532db857b1ff334b6b8cb0f236b1 Mon Sep 17 00:00:00 2001
From: Nikita Melkozerov
Date: Wed, 11 Sep 2024 14:46:46 +0200
Subject: [PATCH] Add IamPrincipal base resource (#2187)
---
.github/workflows/basecheck.yml | 2 +-
.github/workflows/check_pr_fixlib.yml | 2 +-
.github/workflows/check_pr_fixmetrics.yml | 2 +-
.github/workflows/check_pr_fixshell.yml | 2 +-
.github/workflows/check_pr_fixworker.yml | 2 +-
.github/workflows/check_pr_plugin_aws.yml | 2 +-
.github/workflows/check_pr_plugin_azure.yml | 2 +-
.github/workflows/check_pr_plugin_digitalocean.yml | 2 +-
.github/workflows/check_pr_plugin_dockerhub.yml | 2 +-
.../workflows/check_pr_plugin_example_collector.yml | 2 +-
.github/workflows/check_pr_plugin_gcp.yml | 2 +-
.github/workflows/check_pr_plugin_github.yml | 2 +-
.github/workflows/check_pr_plugin_k8s.yml | 2 +-
.github/workflows/check_pr_plugin_onelogin.yml | 2 +-
.github/workflows/check_pr_plugin_onprem.yml | 2 +-
.github/workflows/check_pr_plugin_posthog.yml | 2 +-
.github/workflows/check_pr_plugin_random.yml | 2 +-
.github/workflows/check_pr_plugin_scarf.yml | 2 +-
.github/workflows/check_pr_plugin_slack.yml | 2 +-
.github/workflows/check_pr_plugin_vsphere.yml | 2 +-
.github/workflows/create_plugin_workflows.py | 2 +-
fixlib/fixlib/baseresources.py | 11 +++++++++++
plugins/aws/fix_plugin_aws/resource/base.py | 3 ++-
plugins/aws/fix_plugin_aws/resource/iam.py | 7 ++++---
24 files changed, 38 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/basecheck.yml b/.github/workflows/basecheck.yml
index b880ef45f1..e7488afdc0 100644
--- a/.github/workflows/basecheck.yml
+++ b/.github/workflows/basecheck.yml
@@ -35,7 +35,7 @@ jobs:
python3 ./tools/basechecker.py html > basecheck.html - name: Archive base resource coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: basecheck path: ./basecheck.html
diff --git a/.github/workflows/check_pr_fixlib.yml b/.github/workflows/check_pr_fixlib.yml
index 8e8247b37b..01922f16c4 100644
--- a/.github/workflows/check_pr_fixlib.yml
+++ b/.github/workflows/check_pr_fixlib.yml
@@ -43,7 +43,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: fixlib-code-coverage-report path: fixlib/htmlcov/
diff --git a/.github/workflows/check_pr_fixmetrics.yml b/.github/workflows/check_pr_fixmetrics.yml
index 03ac2d6404..ebf7c74fd5 100644
--- a/.github/workflows/check_pr_fixmetrics.yml
+++ b/.github/workflows/check_pr_fixmetrics.yml
@@ -45,7 +45,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: fixmetrics-code-coverage-report path: fixmetrics/htmlcov/
diff --git a/.github/workflows/check_pr_fixshell.yml b/.github/workflows/check_pr_fixshell.yml
index 340db91f17..9993cb2bf5 100644
--- a/.github/workflows/check_pr_fixshell.yml
+++ b/.github/workflows/check_pr_fixshell.yml
@@ -46,7 +46,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: fixshell-code-coverage-report path: fixshell/htmlcov/
diff --git a/.github/workflows/check_pr_fixworker.yml b/.github/workflows/check_pr_fixworker.yml
index 23e87e6f44..cc700b04b5 100644
--- a/.github/workflows/check_pr_fixworker.yml
+++ b/.github/workflows/check_pr_fixworker.yml
@@ -45,7 +45,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: fixworker-code-coverage-report path: fixworker/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_aws.yml b/.github/workflows/check_pr_plugin_aws.yml
index 2844fd77ee..f15cedadb0 100644
--- a/.github/workflows/check_pr_plugin_aws.yml
+++ b/.github/workflows/check_pr_plugin_aws.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-aws-code-coverage-report path: ./plugins/aws/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_azure.yml b/.github/workflows/check_pr_plugin_azure.yml
index 2e723c7343..39f6f697e1 100644
--- a/.github/workflows/check_pr_plugin_azure.yml
+++ b/.github/workflows/check_pr_plugin_azure.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-azure-code-coverage-report path: ./plugins/azure/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_digitalocean.yml b/.github/workflows/check_pr_plugin_digitalocean.yml
index d8918928da..9bfe0cbf71 100644
--- a/.github/workflows/check_pr_plugin_digitalocean.yml
+++ b/.github/workflows/check_pr_plugin_digitalocean.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-digitalocean-code-coverage-report path: ./plugins/digitalocean/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_dockerhub.yml b/.github/workflows/check_pr_plugin_dockerhub.yml
index dc5171c7c0..34a87324d8 100644
--- a/.github/workflows/check_pr_plugin_dockerhub.yml
+++ b/.github/workflows/check_pr_plugin_dockerhub.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-dockerhub-code-coverage-report path: ./plugins/dockerhub/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_example_collector.yml b/.github/workflows/check_pr_plugin_example_collector.yml
index 1757444c2b..b6f3a9e7c8 100644
--- a/.github/workflows/check_pr_plugin_example_collector.yml
+++ b/.github/workflows/check_pr_plugin_example_collector.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-example_collector-code-coverage-report path: ./plugins/example_collector/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_gcp.yml b/.github/workflows/check_pr_plugin_gcp.yml
index 6c38889245..b797cbde00 100644
--- a/.github/workflows/check_pr_plugin_gcp.yml
+++ b/.github/workflows/check_pr_plugin_gcp.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-gcp-code-coverage-report path: ./plugins/gcp/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_github.yml b/.github/workflows/check_pr_plugin_github.yml
index 952d81654d..54f54af2d6 100644
--- a/.github/workflows/check_pr_plugin_github.yml
+++ b/.github/workflows/check_pr_plugin_github.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-github-code-coverage-report path: ./plugins/github/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_k8s.yml b/.github/workflows/check_pr_plugin_k8s.yml
index 4626abe177..8c9d8cb09a 100644
--- a/.github/workflows/check_pr_plugin_k8s.yml
+++ b/.github/workflows/check_pr_plugin_k8s.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-k8s-code-coverage-report path: ./plugins/k8s/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_onelogin.yml b/.github/workflows/check_pr_plugin_onelogin.yml
index 74945eb17b..e862bedfd6 100644
--- a/.github/workflows/check_pr_plugin_onelogin.yml
+++ b/.github/workflows/check_pr_plugin_onelogin.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-onelogin-code-coverage-report path: ./plugins/onelogin/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_onprem.yml b/.github/workflows/check_pr_plugin_onprem.yml
index dfb7aedece..f97ad794ce 100644
--- a/.github/workflows/check_pr_plugin_onprem.yml
+++ b/.github/workflows/check_pr_plugin_onprem.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-onprem-code-coverage-report path: ./plugins/onprem/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_posthog.yml b/.github/workflows/check_pr_plugin_posthog.yml
index 634857a264..ad452faea3 100644
--- a/.github/workflows/check_pr_plugin_posthog.yml
+++ b/.github/workflows/check_pr_plugin_posthog.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-posthog-code-coverage-report path: ./plugins/posthog/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_random.yml b/.github/workflows/check_pr_plugin_random.yml
index 8ec6ad75a6..2be2525c4a 100644
--- a/.github/workflows/check_pr_plugin_random.yml
+++ b/.github/workflows/check_pr_plugin_random.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-random-code-coverage-report path: ./plugins/random/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_scarf.yml b/.github/workflows/check_pr_plugin_scarf.yml
index 0161a8408b..8dd3d107e9 100644
--- a/.github/workflows/check_pr_plugin_scarf.yml
+++ b/.github/workflows/check_pr_plugin_scarf.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-scarf-code-coverage-report path: ./plugins/scarf/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_slack.yml b/.github/workflows/check_pr_plugin_slack.yml
index 9ac3c0088c..ce81d43af3 100644
--- a/.github/workflows/check_pr_plugin_slack.yml
+++ b/.github/workflows/check_pr_plugin_slack.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-slack-code-coverage-report path: ./plugins/slack/htmlcov/
diff --git a/.github/workflows/check_pr_plugin_vsphere.yml b/.github/workflows/check_pr_plugin_vsphere.yml
index 60c8e651c6..ef59159192 100644
--- a/.github/workflows/check_pr_plugin_vsphere.yml
+++ b/.github/workflows/check_pr_plugin_vsphere.yml
@@ -48,7 +48,7 @@ jobs:
run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-vsphere-code-coverage-report path: ./plugins/vsphere/htmlcov/
diff --git a/.github/workflows/create_plugin_workflows.py b/.github/workflows/create_plugin_workflows.py
index 42e35dead0..76380cf1e7 100755
--- a/.github/workflows/create_plugin_workflows.py
+++ b/.github/workflows/create_plugin_workflows.py
@@ -94,7 +94,7 @@ run: tox - name: Archive code coverage results
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
with: name: plugin-@name@-code-coverage-report path: @directory@/htmlcov/
diff --git a/fixlib/fixlib/baseresources.py b/fixlib/fixlib/baseresources.py
index a1900ffb36..a1e1d7b4f0 100644
--- a/fixlib/fixlib/baseresources.py
+++ b/fixlib/fixlib/baseresources.py
@@ -1236,6 +1236,17 @@ class BaseNetworkInterface(BaseResource):
description: Optional[str] = None
+@define(eq=False, slots=False)
+class BaseIamPrincipal(BaseResource):
+ kind: ClassVar[str] = "iam_principal"
+ kind_display: ClassVar[str] = "IAM Principal"
+ kind_description: ClassVar[str] = (
+ "An IAM principal is an entity that can be authenticated and authorized to access resources."
+ )
+ metadata: ClassVar[Dict[str, Any]] = {"icon": "iam_principal", "group": "access_control"}
+ _categories: ClassVar[List[Category]] = [Category.iam]
+
+
@define(eq=False, slots=False) class BaseUser(BaseResource): kind: ClassVar[str] = "user"
diff --git a/plugins/aws/fix_plugin_aws/resource/base.py b/plugins/aws/fix_plugin_aws/resource/base.py
index a3935e3868..1203beb6dc 100644
--- a/plugins/aws/fix_plugin_aws/resource/base.py
+++ b/plugins/aws/fix_plugin_aws/resource/base.py
@@ -22,6 +22,7 @@ from fixlib.utils import utc
from fixlib.baseresources import ( BaseAccount,
+ BaseIamPrincipal,
BaseRegion, BaseResource, BaseVolumeType,
@@ -265,7 +266,7 @@ def __str__(self) -> str:
# derived from https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html @define(eq=False)
-class AwsAccount(BaseAccount, AwsResource):
+class AwsAccount(BaseAccount, AwsResource, BaseIamPrincipal):
kind: ClassVar[str] = "aws_account" kind_display: ClassVar[str] = "AWS Account" kind_description: ClassVar[str] = (
diff --git a/plugins/aws/fix_plugin_aws/resource/iam.py b/plugins/aws/fix_plugin_aws/resource/iam.py
index 6fe9a0fa90..7c16ce9baa 100644
--- a/plugins/aws/fix_plugin_aws/resource/iam.py
+++ b/plugins/aws/fix_plugin_aws/resource/iam.py
@@ -10,6 +10,7 @@ from fix_plugin_aws.utils import ToDict
from fixlib.baseresources import ( BaseCertificate,
+ BaseIamPrincipal,
BasePolicy, BaseGroup, BaseAccessKey,
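Review bot: `BaseIamPrincipal` carries no docstring, and since every consumer appends it last in the bases list (`AwsAccount(BaseAccount, AwsResource, BaseIamPrincipal)` in the base.py hunk, and the three iam.py classes in the same way), its `metadata` and `_categories` sit behind `BaseAccount`/`BaseUser`/`BaseRole` in the MRO — if any of those bases define the same ClassVars, which this diff does not show, the `Category.iam` tag and the `access_control` group never reach the concrete resources and the class acts only as a marker for the `iam_principal` kind hierarchy. Whichever is intended, the mixin should say so; I would add a docstring along the lines of `"""Marker base for entities that can authenticate and be granted access (accounts, users, roles). Mix in after the provider-specific base so the concrete class keeps its own kind and metadata."""`, with the second sentence adjusted once the MRO behaviour is confirmed. The `+ +` pair of blank lines after `_categories` is consistent with the two blank lines the file keeps between top-level classes, so nothing to change there.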
@@ -104,7 +105,7 @@ class AwsIamRoleLastUsed:
@define(eq=False, slots=False)
-class AwsIamRole(AwsResource, BaseRole):
+class AwsIamRole(AwsResource, BaseRole, BaseIamPrincipal):
# Note: this resource is collected via AwsIamUser.collect. kind: ClassVar[str] = "aws_iam_role" aws_metadata: ClassVar[Dict[str, Any]] = {"provider_link_tpl": "https://{region_id}.console.aws.amazon.com/iam/home?region={region}#/roles/details/{RoleName}", "arn_tpl": "arn:{partition}:iam:{region}:{account}:role/{name}"} # fmt: skip
@@ -619,7 +620,7 @@ class AwsIamVirtualMfaDevice:
@define(eq=False, slots=False)
-class AwsRootUser(AwsResource, BaseUser):
+class AwsRootUser(AwsResource, BaseUser, BaseIamPrincipal):
kind: ClassVar[str] = "aws_root_user" kind_display: ClassVar[str] = "AWS Root User" aws_metadata: ClassVar[Dict[str, Any]] = {"arn_tpl": "arn:{partition}:None:{region}:{account}:resource/{id}"} # fmt: skip
@@ -639,7 +640,7 @@ class AwsRootUser(AwsResource, BaseUser):
@define(eq=False, slots=False)
-class AwsIamUser(AwsResource, BaseUser):
+class AwsIamUser(AwsResource, BaseUser, BaseIamPrincipal):
kind: ClassVar[str] = "aws_iam_user" kind_display: ClassVar[str] = "AWS IAM User" aws_metadata: ClassVar[Dict[str, Any]] = {"provider_link_tpl": "https://{region_id}.console.aws.amazon.com/iam/home?region={region}#/users/details/{name}", "arn_tpl": "arn:{partition}:iam::{account}:user/{name}"} # fmt: skip
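Review bot: The set of AWS principals is now defined only by which classes happen to list `BaseIamPrincipal` (`AwsIamRole`, `AwsRootUser` and `AwsIamUser` in these three hunks, `AwsAccount` in base.py) and nothing pins it, so a future resource can silently drop out of or slip into an `iam_principal` search; a two-line test such as `assert issubclass(AwsIamUser, BaseIamPrincipal)` and `assert not issubclass(AwsIamGroup, BaseIamPrincipal)` would hold the line — the second assumes the resource built on the imported `BaseGroup` is named `AwsIamGroup`, and it should stay out because an IAM group cannot be the principal of a policy statement. Separately, and visible only in the unchanged context of the first hunk, `AwsIamRole.aws_metadata["arn_tpl"]` is `arn:{partition}:iam:{region}:{account}:role/{name}` while IAM ARNs have an empty region field (compare `AwsIamUser`'s `arn:{partition}:iam::{account}:user/{name}`), so ARNs rendered from that template will not match the real role ARNs that policies and trust relationships reference. Each class body continues outside its hunk.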