noqdev / iambic

IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.
https://iambic.org
Apache License 2.0

ValidationError(model='PermissionSetProperties') in iambic import #593

Closed. rodolphoescobar closed this 1 year ago.

rodolphoescobar commented 1 year ago

Describe the bug

iambic import of resources does not work with AWS Organizations.

To Reproduce

Steps to reproduce the behavior:

  1. Run iambic import with AWS Organizations

Error log

error=ValidationError(model='PermissionSetProperties', errors=[{'loc': ('InlinePolicy', 'Statement'), 'msg': 'value is not a valid list', 'type': 'type_error.list'}])
  exception=ValidationError
  stacktrace=  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/bin/iambic", line 8, in <module>
    sys.exit(cli())
             ^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/main.py", line 454, in import_
    asyncio.run(config.run_import(exe_message, repo_dir))
  File "/usr/local/Cellar/python@3.11/3.11.4_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/python@3.11/3.11.4_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/Cellar/python@3.11/3.11.4_1/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/config/dynamic_config.py", line 273, in run_import
    await asyncio.gather(*tasks)
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 463, in import_aws_resources
    await asyncio.gather(*tasks)
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 381, in import_identity_center_resources
    await import_service_resources(
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/handlers.py", line 340, in import_service_resources
    await asyncio.gather(
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/identity_center/permission_set/template_generation.py", line 580, in generate_aws_permission_set_templates
    resource_template = await create_templated_permission_set(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/plugins/v0_1_0/aws/identity_center/permission_set/template_generation.py", line 394, in create_templated_permission_set
    PermissionSetProperties(**template_properties),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/rodolpho.escobar/Documents/projects/OLX/iambic-templates/venv/lib/python3.11/site-packages/iambic/core/models.py", line 85, in __init__
    super().__init__(*args, **kwargs)
  File "pydantic/main.py", line 341, in pydantic.main.BaseModel.__init__
smoy commented 1 year ago

I think I know the reason; this is a grammar thing we didn't catch.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1692382781340",
      "Action": [
        "sns:AddPermission"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

^ That's the modern policy generated by the policy generator, but Statement in the past can simply be a dict and not a list. I will cut a bug fix release now.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html

smoy commented 1 year ago

I am able to reproduce this issue with this inline policy:

{
    "Statement": {
        "Sid": "Statement1",
        "Effect": "Deny",
        "Action": [
            "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
    }
}
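The two comments above point at the same grammar rule: the AWS policy language allows the top-level Statement element to be either a single statement object or an array of them, and a model that declares Statement as a list rejects the older single-object form. The following normalizer is an added example written for this thread, not the iambic project's own fix (the bug fix release mentioned above is not shown on this page). It canonicalizes a policy document before it is handed to a strict model, and it goes one step beyond the reported case by applying the same scalar-or-list rule to Action, NotAction, Resource and NotResource, which the grammar also allows as a bare string. The function names and the sample input (the reproduction policy from the last comment, embedded as a constructed constant) are assumptions of this example.

```python
"""Canonicalize an IAM policy document so list-typed elements are lists.

Example code for the iambic issue #593 thread; not taken from the iambic
code base.  AWS allows `Statement` to be one object or a list of objects,
and allows `Action`, `NotAction`, `Resource` and `NotResource` inside a
statement to be one string or a list of strings.  A strict schema such as
`Statement: list[...]` raises `value is not a valid list` on the scalar
form, which is the error in the traceback above.
"""
import copy
import json

# Per-statement elements the grammar allows as a scalar string or a list.
SCALAR_OR_LIST_KEYS = ("Action", "NotAction", "Resource", "NotResource")


def normalize_policy(policy: dict) -> dict:
    """Return a deep copy of `policy` with Statement (and the per-statement
    scalar-or-list elements) coerced to lists.

    Raises ValueError when Statement is neither an object nor a list of
    objects, so a malformed document is still rejected rather than silently
    accepted by the caller's strict model.
    """
    doc = copy.deepcopy(policy)
    statement = doc.get("Statement")
    if isinstance(statement, dict):
        # Legacy single-statement form: wrap it so it matches the array form.
        statement = [statement]
    elif not isinstance(statement, list):
        raise ValueError("Statement must be a statement object or a list of them")

    normalized = []
    for stmt in statement:
        if not isinstance(stmt, dict):
            raise ValueError("each statement must be an object")
        stmt = dict(stmt)
        for key in SCALAR_OR_LIST_KEYS:
            if key in stmt and isinstance(stmt[key], str):
                stmt[key] = [stmt[key]]
        normalized.append(stmt)
    doc["Statement"] = normalized
    return doc


def is_malformed(policy: dict) -> bool:
    """True when normalize_policy rejects the document."""
    try:
        normalize_policy(policy)
    except ValueError:
        return True
    return False


# Constructed sample: the single-object inline policy from the reproduction
# in this thread, with Action already a list and Resource a bare string.
LEGACY_POLICY = json.loads("""
{
    "Statement": {
        "Sid": "Statement1",
        "Effect": "Deny",
        "Action": ["s3:ListAllMyBuckets"],
        "Resource": "*"
    }
}
""")

if __name__ == "__main__":
    print(json.dumps(normalize_policy(LEGACY_POLICY), indent=2))
```

In a pydantic v1 model like the PermissionSetProperties in the traceback, this is the kind of coercion one would put in a `pre=True` validator on the policy field so that the list-typed schema stays strict for everything else; that placement is my suggestion, not a description of how iambic fixed it.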