noqdev / iambic

IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.
https://iambic.org
Apache License 2.0
285 stars 26 forks

iambic does not throw warning/error for users/groups that do not exist in the Idp #602

Closed dushyantbhardwaj9 closed 1 year ago

dushyantbhardwaj9 commented 1 year ago

I am trying to create a permission set and, in that, if I add a user/group that does not exist, iambic peacefully exits stating no change detected. It would be good to know that we have entered an incorrect username/group name, so I can fix the username, if the tool can give us a warning/error that the username does not exist in the Idp.

To Reproduce
Steps to reproduce the behavior:
1. Create a template and in the mapping provide an incorrect username/group name.
2. See the example template below.

template_type: NOQ::AWS::IdentityCenter::PermissionSet
template_schema_url: https://docs.iambic.org/reference/schemas/aws_identity_center_permission_set_template
access_rules:
  - included_accounts:
      - account-name
    included_orgs:
      - o-abcd12efgh
    users:
      - joe.biden@company.com
      - donald.trump@bug.com
      - bill.taylor@feature.com
  - included_accounts:
      - account-name
    groups:
      - correct-groupName
      - incorrect-groupname
    included_orgs:
      - o-abcd12efgh
identifier: Security-Team
properties:
  name: Security-Team
  managed_policies:
    - arn: arn:aws:iam::aws:policy/AWSHealthFullAccess
    - arn: arn:aws:iam::aws:policy/AWSSSOReadOnly
    - arn: arn:aws:iam::aws:policy/AWSSecurityHubFullAccess
    - arn: arn:aws:iam::aws:policy/AWSSupportAccess
    - arn: arn:aws:iam::aws:policy/AmazonSNSFullAccess
    - arn: arn:aws:iam::aws:policy/AmazonSSMFullAccess
    - arn: arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
    - arn: arn:aws:iam::aws:policy/ReadOnlyAccess
    - arn: arn:aws:iam::aws:policy/SecurityAudit
    - arn: arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
  session_duration: PT12H
  tags:
    - key: team
      value: security

Expected behavior
user: bill.taylor@feature.com does not exist, please check if the username is correct and exists in the Idp

Version: 0.11.59

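A pre-apply validation of the kind the report asks for, written here as an added example (not IAMbic's own code): it walks the template's access_rules and reports every user or group the directory does not know, instead of treating the template as "no change". The KNOWN_USERS / KNOWN_GROUPS sets are a constructed stand-in for a real Identity Center or IdP lookup, and ACCESS_RULES is the rules block from the template above as Python data.

```python
"""Validate that every user/group referenced in an Identity Center
PermissionSet template exists in the IdP before the template is applied.
Added example, not IAMbic's code; the directory lookup is a stub."""

# Constructed stand-in for the Identity Center / IdP directory. A real
# check would populate these from identitystore ListUsers / ListGroups.
KNOWN_USERS = {"joe.biden@company.com", "donald.trump@bug.com"}
KNOWN_GROUPS = {"correct-groupName"}

# The access_rules block from the reported template, as Python data.
ACCESS_RULES = [
    {
        "included_accounts": ["account-name"],
        "included_orgs": ["o-abcd12efgh"],
        "users": ["joe.biden@company.com", "donald.trump@bug.com",
                  "bill.taylor@feature.com"],
    },
    {
        "included_accounts": ["account-name"],
        "included_orgs": ["o-abcd12efgh"],
        "groups": ["correct-groupName", "incorrect-groupname"],
    },
]


def find_unknown_principals(access_rules, known_users, known_groups):
    """Return one error string per user/group the IdP does not know.

    An empty list means every principal resolves and the template can be
    applied; a non-empty list is what should be surfaced to the operator
    (and fail the plan/apply) rather than a silent "no change detected".
    """
    errors = []
    for idx, rule in enumerate(access_rules):
        for user in rule.get("users", []):
            if user not in known_users:
                errors.append(
                    f"access_rules[{idx}] user: {user} does not exist, "
                    "please check if the username is correct and exists in the Idp"
                )
        for group in rule.get("groups", []):
            # Exact comparison: a case-only mismatch is still an error,
            # because the IdP would not bind the assignment to any group.
            if group not in known_groups:
                errors.append(
                    f"access_rules[{idx}] group: {group} does not exist, "
                    "please check if the group name is correct and exists in the Idp"
                )
    return errors


if __name__ == "__main__":
    for line in find_unknown_principals(ACCESS_RULES, KNOWN_USERS, KNOWN_GROUPS):
        print(line)
```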
