⭐️ Added Trust relationship policy to the role (aws) (#3445)

* added support to retrieve IAM-Support for each role Signed-off-by: Hossein Rouhani <[email protected]> * added support to retrieve IAM-Support for each role Signed-off-by: Hossein Rouhani <[email protected]> --------- Signed-off-by: Hossein Rouhani <[email protected]>
mondoohq · Mar 5, 2024 · e13f4f2 · e13f4f2
1 parent 1326076
commit e13f4f2
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 9 deletions.
diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr
@@ -852,6 +852,8 @@ private aws.iam.role @defaults("arn name") {
   tags map[string]string
   // Time when the role was created
   createDate time
+  // The policy document that grants an entity permission to assume the role
+  assumeRolePolicyDocument dict
 }
 
 // AWS IAM group

diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go
diff --git a/providers/aws/resources/aws.lr.manifest.yaml b/providers/aws/resources/aws.lr.manifest.yaml
@@ -1770,6 +1770,7 @@ resources:
         The `aws.iam.role` provides fields for assessing the configuration of individual IAM Roles. For usage, read the `aws.iam` resource documentation.
     fields:
       arn: {}
+      assumeRolePolicyDocument: {}
       createDate: {}
       description: {}
       id: {}

diff --git a/providers/aws/resources/aws_iam.go b/providers/aws/resources/aws_iam.go
@@ -421,7 +421,6 @@ func (a *mqlAwsIam) policies() ([]interface{}, error) {
 
 func (a *mqlAwsIam) roles() ([]interface{}, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
-
 	svc := conn.Iam("")
 	ctx := context.Background()
 
@@ -435,17 +434,27 @@ func (a *mqlAwsIam) roles() ([]interface{}, error) {
 			return nil, err
 		}
 
-		for i := range rolesResp.Roles {
-			role := rolesResp.Roles[i]
+		// Added Trust relationship policy attached to each role
+		for _, role := range rolesResp.Roles {
+			policyOutput, err := svc.GetRole(ctx, &iam.GetRoleInput{RoleName: role.RoleName})
+			var policyDocumentMap map[string]interface{}
+			if err == nil && policyOutput.Role != nil && policyOutput.Role.AssumeRolePolicyDocument != nil {
+				policyDocument := *policyOutput.Role.AssumeRolePolicyDocument
+				decodedPolicyDocument, decodeErr := url.QueryUnescape(policyDocument)
+				if decodeErr == nil {
+					json.Unmarshal([]byte(decodedPolicyDocument), &policyDocumentMap)
+				}
+			}
 
 			mqlAwsIamRole, err := CreateResource(a.MqlRuntime, "aws.iam.role",
 				map[string]*llx.RawData{
-					"arn":         llx.StringDataPtr(role.Arn),
-					"id":          llx.StringDataPtr(role.RoleId),
-					"name":        llx.StringDataPtr(role.RoleName),
-					"description": llx.StringDataPtr(role.Description),
-					"tags":        llx.MapData(iamTagsToMap(role.Tags), types.String),
-					"createDate":  llx.TimeDataPtr(role.CreateDate),
+					"arn":                      llx.StringDataPtr(role.Arn),
+					"id":                       llx.StringDataPtr(role.RoleId),
+					"name":                     llx.StringDataPtr(role.RoleName),
+					"description":              llx.StringDataPtr(role.Description),
+					"tags":                     llx.MapData(iamTagsToMap(role.Tags), types.String),
+					"createDate":               llx.TimeDataPtr(role.CreateDate),
+					"assumeRolePolicyDocument": llx.MapData(policyDocumentMap, types.Any),
 				})
 			if err != nil {
 				return nil, err