From a4e8a610ff0ad7b9affa9f68754bd07d87f7bd99 Mon Sep 17 00:00:00 2001
From: Alex Chantavy
Date: Thu, 28 Mar 2019 15:41:51 -0700
Subject: [PATCH] #26 - Fix IAM sync crash due to "Action" not being defined on a policy Statement (#27)
* #26 - Fix IAM sync crash due to "Action" not being defined on a policy Statement
* Pre-release version to 0.2.2rc1
---
 cartography/intel/aws/iam.py | 35 ++++++++++++++++++-----------------
 setup.py | 2 +-
 2 files changed, 19 insertions(+), 18 deletions(-)
diff --git a/cartography/intel/aws/iam.py b/cartography/intel/aws/iam.py
index ce92b6146..678c9638d 100644
--- a/cartography/intel/aws/iam.py
+++ b/cartography/intel/aws/iam.py
@@ -275,29 +275,30 @@ def load_group_policies(session, group_policies, aws_update_tag):
 for group_name, policies in group_policies.items():
 for policy_name, policy_data in policies.items():
 for statement in policy_data["PolicyDocument"]["Statement"]:
- action = statement["Action"]
-
- # TODO improve this
- if action == "sts:AssumeRole":
- if statement["Effect"] == "Allow":
- roles_arn = statement["Resource"]
-
- if type(roles_arn) == str:
- session.run(
- ingest_policies_assume_role,
- GroupName=group_name,
- RoleArn=roles_arn,
- aws_update_tag=aws_update_tag
- )
- else:
- # TODO the code below probably contains a bug -- why is role_arn not used in the loop?
- for role_arn in roles_arn:
+ if "Action" in statement:
+ action = statement["Action"]
+
+ # TODO improve this
+ if action == "sts:AssumeRole":
+ if statement["Effect"] == "Allow":
+ roles_arn = statement["Resource"]
+
+ if type(roles_arn) == str:
 session.run(
 ingest_policies_assume_role,
 GroupName=group_name,
 RoleArn=roles_arn,
 aws_update_tag=aws_update_tag
 )
+ else:
+ # TODO the code below probably contains a bug -- why is role_arn not used in the loop?
+ for role_arn in roles_arn:
+ session.run(
+ ingest_policies_assume_role,
+ GroupName=group_name,
+ RoleArn=roles_arn,
+ aws_update_tag=aws_update_tag
+ )


 def load_user_access_keys(session, user_access_keys, aws_update_tag):
diff --git a/setup.py b/setup.py
index 8c66bf480..3f681739f 100644
--- a/setup.py
+++ b/setup.py
@@ -1,6 +1,6 @@
 from setuptools import setup, find_packages
-__version__ = '0.2.1'
+__version__ = '0.2.2rc1'
 setup(
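Review bot: In the iam.py hunk, the re-added `else:` branch loops with `for role_arn in roles_arn:` but still passes the whole list as `RoleArn=roles_arn`, so every iteration sends the same list instead of one ARN; the argument should be `RoleArn=role_arn,`, as the carried-over TODO already suspects. The new `if "Action" in statement:` guard stops the crash but silently skips statements written with `NotAction`, and `action == "sts:AssumeRole"` matches only a single string, so an `Action` given as a list or as a wildcard such as `sts:*` is never recorded. For an inventory that is used to reason about which group can assume which role, these gaps presumably leave assume-role relationships out of the graph with no signal; normalising with `actions = [action] if isinstance(action, str) else action` and logging each skipped statement would make the omission visible. The `ingest_policies_assume_role` query and the start of `load_group_policies` are outside the hunk, so the effect of the list-valued parameter on the query is inferred.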