noqdev / iambic

IAMbic is Version-Control for IAM. It centralizes and simplifies cloud access and permissions. It maintains an eventually consistent, human-readable, bi-directional representation of IAM in Git.
https://iambic.org
Apache License 2.0
279 stars 26 forks

IAMbic plan fails for multi account yamls #650

Open Ascend1984 opened 10 months ago

Ascend1984 commented 10 months ago

Describe the bug: I have been evaluating this tool for some time, but had other things to do for a while. Getting back to it, I upgraded IAMbic from version ~0.11.59 to 0.11.86. After I executed an "iambic import" on my configuration, the "iambic plan" command produces errors for some YAML files. In the end this results in an empty "proposed_changes.json", which cannot be rendered to the console and throws an exception.

The YAMLs producing errors are for a managed policy and for users. From what I see in the console output, IAMbic is trying to detect changes and fails. But the error in that step is not thrown or printed anywhere. So I looked at my files, and these are my findings:

...
properties:
  credentials:
    - include_accounts:
        - Account X
      access_keys:
        - enabled: true
          id: XXXXXXXXXXXXXXXXXXX
          last_used: '2023-10-20'
      password:
        enabled: true
        last_used: Never
...

To Reproduce: Steps to reproduce the behavior:

  1. Look for a policy or user yaml
  2. Add "include_accounts"
    1. before credentials entry (like shown above) for user yaml
    2. before policy_document entry for policy yaml
  3. Execute "iambic plan" on prepared yaml
  4. See error

Expected behavior: The IAMbic plan step does not produce an error for these types of YAMLs and respects the include and exclude statements (if this is intended that way).

Desktop (please complete the following information):

Additional context: Upgraded IAMbic from version 0.11.59 (or 56, can't remember ^^) to 0.11.86. I had no issues with the old version, so this is either a change to IAMbic that was introduced between those versions or some other change on the AWS side?

smoy commented 10 months ago

Hi @Ascend1984, thanks for reporting the bug. Have you already tried removing the "resources" directory in the template and doing a fresh import?

There were some exclude directive fixes. Before the fix, the exclude usage shouldn't have been generated by the initial import command.

Ascend1984 commented 10 months ago

Hello @smoy, thanks for your reply.

I did the complete re-import of my accounts, but I still get the same error, or at least for the same YAML files (because the command still just ends in a _NotRenderableError('Unable to render None; A str, Segment or object with __rich_console__ method is required')_).

So I compared some of the YAMLs with the "older" ones, and yeah, the previous exclude is gone. But everything else is still the same. Also, when deleting the credentials block, iambic plan does work.

Also, the erroneous policy is still not working with iambic plan:

template_type: NOQ::AWS::IAM::ManagedPolicy
template_schema_url: https://docs.iambic.org/reference/schemas/aws_iam_managed_policy_template
included_accounts:
  - Account A
  - Account B
  - Account C
identifier: GreengrassV2TokenExchangeRoleAccess
properties:
  policy_document:
    - included_accounts:
        - Account A
        - Account B
      statement:
        - action:
            - iot:Connect
            - iot:DescribeCertificate
            - iot:Publish
            - iot:Receive
            - iot:Subscribe
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
    - included_accounts:
        - Account C
      statement:
        - action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
  policy_name: GreengrassV2TokenExchangeRoleAccess
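
The template above carries two `policy_document` variants, each scoped to a subset of the accounts listed at the top level. The following is an added example (not IAMbic's own code) that resolves, per account, which variant would be rendered, and rejects templates where more than one variant matches the same account. The template is transcribed into a Python dict so it runs without a YAML parser; treating a missing `included_accounts` as "all accounts", the `*` wildcard, and `excluded_accounts` precedence are assumptions that simplify the tool's real matching (account-id and pattern matching are left out).

```python
"""Resolve which policy_document variant applies to each account.

Added example, not IAMbic's own code. A list-valued property such as
`policy_document` may carry several variants, each scoped with its own
`included_accounts` / `excluded_accounts`; the top-level `included_accounts`
limits which accounts get the resource at all. Matching here is by exact
account name (an assumption; the real tool also matches ids and patterns).
"""
from __future__ import annotations

# Constructed input: the managed policy template from the report,
# transcribed to a dict so the example runs without a YAML parser.
TEMPLATE = {
    "template_type": "NOQ::AWS::IAM::ManagedPolicy",
    "identifier": "GreengrassV2TokenExchangeRoleAccess",
    "included_accounts": ["Account A", "Account B", "Account C"],
    "properties": {
        "policy_name": "GreengrassV2TokenExchangeRoleAccess",
        "policy_document": [
            {
                "included_accounts": ["Account A", "Account B"],
                "version": "2012-10-17",
                "statement": [{
                    "effect": "Allow",
                    "resource": "*",
                    "action": ["iot:Connect", "iot:DescribeCertificate", "iot:Publish",
                               "iot:Receive", "iot:Subscribe", "logs:CreateLogGroup",
                               "logs:CreateLogStream", "logs:DescribeLogStreams",
                               "logs:PutLogEvents", "s3:GetBucketLocation"],
                }],
            },
            {
                "included_accounts": ["Account C"],
                "version": "2012-10-17",
                "statement": [{
                    "effect": "Allow",
                    "resource": "*",
                    "action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                               "logs:DescribeLogStreams", "logs:PutLogEvents",
                               "s3:GetBucketLocation"],
                }],
            },
        ],
    },
}

SCOPE_KEYS = ("included_accounts", "excluded_accounts")


def applies_to(block: dict, account: str) -> bool:
    """A block applies when the account is included (default: all) and not excluded."""
    included = block.get("included_accounts", ["*"])   # assumption: absent means all
    excluded = block.get("excluded_accounts", [])
    return (account in included or "*" in included) and account not in excluded


def resolve_variant(template: dict, prop: str, account: str) -> dict | None:
    """Return the single variant of `prop` that applies to `account`.

    Raises ValueError when more than one variant matches, because an
    ambiguous template cannot be rendered deterministically. Returns None
    when the account is outside the template's scope or no variant matches.
    """
    if not applies_to(template, account):
        return None
    value = template["properties"][prop]
    if isinstance(value, dict):            # a single, unscoped value
        value = [value]
    matches = [v for v in value if applies_to(v, account)]
    if len(matches) > 1:
        raise ValueError(f"{prop}: {len(matches)} variants match {account!r}")
    if not matches:
        return None
    # Strip the scoping keys: they are template metadata, not policy content.
    return {k: v for k, v in matches[0].items() if k not in SCOPE_KEYS}


def render_all(template: dict, prop: str) -> dict[str, dict | None]:
    """Map every in-scope account to its resolved variant of `prop`."""
    return {acct: resolve_variant(template, prop, acct)
            for acct in template["included_accounts"]}


def actions_for(template: dict, account: str) -> list[str]:
    """Flatten the Allow actions an account would receive; [] if none apply."""
    doc = resolve_variant(template, "policy_document", account)
    if doc is None:
        return []
    return sorted({a for st in doc["statement"] if st["effect"] == "Allow"
                   for a in st["action"]})


if __name__ == "__main__":
    for acct, doc in render_all(TEMPLATE, "policy_document").items():
        print(acct, "->", None if doc is None else doc["statement"][0]["action"])
```

Running it prints the ten `iot:`/`logs:`/`s3:` actions for Account A and Account B and only the five `logs:`/`s3:` actions for Account C, which is the split the template intends; a template where two variants both omit `included_accounts` is rejected instead of silently picking the first.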

smoy commented 10 months ago

Thank you for the follow-up. I will investigate the credential block issue (it was designed to be launched as an informational, investigation detail). It's safe to disable to move past this issue.

In your IAMbic config.yaml (possibly in your config folder), under the aws block, add

enable_iam_user_credentials: False

That should disable that functionality at the moment.

reference: https://github.com/noqdev/iambic/blob/7d2f834fa50826815c848716b044a96f15e4aa78/iambic/plugins/v0_1_0/aws/iambic_plugin.py#L79

I will try to reproduce that policy locally. Your initial report mentions you are on Windows. Is it possible for you to try this under WSL2? We suppress some signal handlers on Windows (since some only exist on Linux-like systems). I am wondering if that is contributing to the stack trace masking.

Ascend1984 commented 10 months ago

I had a lot to do these past days and will be on vacation next week, so I will be out for a few days.

For the WSL2 part I'm not sure. I need to check whether it's possible on my work laptop (where I did the evaluation).

I will get back to this when i return in a few days.

Ascend1984 commented 8 months ago

Sorry to get back to you so late, it was a busy end of the year ^^

Sadly there is no way to use WSL2 at the moment :( so I cannot provide any further insight into the stack trace masking.