noqdev / iambic

IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.
https://iambic.org
Apache License 2.0

(aws role) the default description on a role should be None instead of "" #624

Open smoy opened 1 year ago

smoy commented 1 year ago

Describe the bug

The current implementation of the IAM role default is "". I notice an AWS IAM role can have no description. For example, an IAM role resulting from AWS CLI get-role is the following:

{
    "Role": {
        "Path": "/aws-reserved/sso.amazonaws.com/",
        "RoleName": "REDACTED",
        "RoleId": "REDACTED",
        "Arn": "arn:aws:iam::REDACTED:role/aws-reserved/sso.amazonaws.com/REDACTED",
        "CreateDate": "2023-01-03T20:17:20+00:00",
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Principal": {
                        "Federated": "arn:aws:iam::REDACTED:saml-provider/AWSSSO_REDACTED_DO_NOT_DELETE"
                    },
                    "Action": [
                        "sts:AssumeRoleWithSAML",
                        "sts:TagSession"
                    ],
                    "Condition": {
                        "StringEquals": {
                            "SAML:aud": "https://signin.aws.amazon.com/saml"
                        }
                    }
                }
            ]
        },
        "MaxSessionDuration": 43200,
        "RoleLastUsed": {
            "LastUsedDate": "2023-04-25T23:18:58+00:00",
            "Region": "us-east-1"
        }
    }
}

That would mean that if a user manually runs import and submits a pull request, IAMBIC plan would claim the request will attempt to change the cloud, because the cloud has a description of None and the template simply uses "".

To Reproduce

Steps to reproduce the behavior:

  1. One sanity check is to run import on an IAM role with no description.
  2. Examine the resulting YAML file to see if a description appeared (it should not).
  3. Run iambic plan. The expectation is that no changes are required.
  4. The bug is that it attempts to change the description to an empty string.

Expected behavior

The expectation is that import, plan should yield no change (as long as there is change in the cloud resource).

Community Engagement Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.
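
The import/plan mismatch reported in this issue, reduced to a small model (an added example, not IAMbic's code and not the reporter's). `import_role`, `plan` and `serialized_fields` are hypothetical helpers, and the role dict is a constructed, trimmed version of the get-role output quoted in the issue.

```python
from typing import Optional

# Constructed sample: a trimmed get-role "Role" object for a role with no
# description. AWS omits the "Description" key entirely in this case.
CLOUD_ROLE = {
    "Path": "/aws-reserved/sso.amazonaws.com/",
    "RoleName": "REDACTED",
    "MaxSessionDuration": 43200,
}


def import_role(role: dict, default_description: Optional[str]) -> dict:
    """Hypothetical import step: map a get-role result onto template fields."""
    return {
        "role_name": role["RoleName"],
        "path": role["Path"],
        "max_session_duration": role["MaxSessionDuration"],
        # The default only matters when the cloud returns no Description key.
        "description": role.get("Description", default_description),
    }


def serialized_fields(template: dict) -> list:
    """Fields that would be written to the YAML file (None is left out)."""
    return [k for k, v in template.items() if v is not None]


def plan(template: dict, role: dict) -> dict:
    """Hypothetical plan step: {field: (cloud_value, template_value)} per diff."""
    cloud = import_role(role, default_description=None)  # absent key -> None
    return {k: (cloud[k], v) for k, v in template.items() if cloud[k] != v}


if __name__ == "__main__":
    for default in ("", None):
        template = import_role(CLOUD_ROLE, default)
        print(repr(default), serialized_fields(template), plan(template, CLOUD_ROLE))
```

With a default of "" the freshly imported template already differs from the cloud, so a review of that role starts with a change nobody made; with None the import and plan round trip is clean.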