Manage IAM instance profiles

iamy.go

@@ -12,7 +12,7 @@ import (
 var (
 	Version    string = "dev"
 	defaultDir string
-	dryRun *bool
+	dryRun     *bool
 )
 
 type logWriter struct{ *log.Logger }

iamy/aws.go

@@ -105,6 +105,7 @@ func (a *AwsFetcher) fetchS3Data() error {
 }
 func (a *AwsFetcher) fetchIamData() error {
 	var populateIamDataErr error
+	var populateInstanceProfileErr error
 	err := a.iam.GetAccountAuthorizationDetailsPages(
 		&iam.GetAccountAuthorizationDetailsInput{
 			Filter: aws.StringSlice([]string{
@@ -119,7 +120,6 @@ func (a *AwsFetcher) fetchIamData() error {
 			if populateIamDataErr != nil {
 				return false
 			}
-
 			return true
 		},
 	)
@@ -129,7 +129,21 @@ func (a *AwsFetcher) fetchIamData() error {
 	if err != nil {
 		return err
 	}
-
+	// Fetch instance profiles
+	err = a.iam.ListInstanceProfilesPages(&iam.ListInstanceProfilesInput{},
+		func(resp *iam.ListInstanceProfilesOutput, lastPage bool) bool {
+			populateInstanceProfileErr = a.populateInstanceProfileData(resp)
+			if populateInstanceProfileErr != nil {
+				return false
+			}
+			return true
+		})
+	if populateInstanceProfileErr != nil {
+		return err
+	}
+	if err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -176,6 +190,25 @@ func (a *AwsFetcher) marshalRoleDescriptionAsync(roleName string, target *string
 	}()
 }
 
+func (a *AwsFetcher) populateInstanceProfileData(resp *iam.ListInstanceProfilesOutput) error {
+	for _, profileResp := range resp.InstanceProfiles {
+		if cfnResourceRegexp.MatchString(*profileResp.InstanceProfileName) {
+			log.Printf("Skipping CloudFormation generated instance profile %s", *profileResp.InstanceProfileName)
+			continue
+		}
+		profile := InstanceProfile{iamService: iamService{
+			Name: *profileResp.InstanceProfileName,
+			Path: *profileResp.Path,
+		}}
+		for _, roleResp := range profileResp.Roles {
+			role := *(roleResp.RoleName)
+			profile.Roles = append(profile.Roles, role)
+		}
+		a.data.InstanceProfiles = append(a.data.InstanceProfiles, &profile)
+	}
+	return nil
+}
+
 func (a *AwsFetcher) populateIamData(resp *iam.GetAccountAuthorizationDetailsOutput) error {
 	for _, userResp := range resp.UserDetailList {
 		if cfnResourceRegexp.MatchString(*userResp.UserName) {

iamy/awsdiff.go

@@ -186,6 +186,12 @@ func (a *awsSyncCmdGenerator) deleteOldEntities() {
 				"--policy-arn", Arn(fromPolicy, a.to.Account))
 		}
 	}
+	for _, fromInstanceProfile := range a.from.InstanceProfiles {
+		if found, _ := a.to.FindInstanceProfileByName(fromInstanceProfile.Name, fromInstanceProfile.Path); !found {
+			a.cmds.Add("aws", "iam", "delete-instance-profile",
+				"--instance-profile-name", fromInstanceProfile.Name)
+		}
+	}
 }
 
 func (a *awsSyncCmdGenerator) updatePolicies() {
@@ -409,6 +415,28 @@ func (a *awsSyncCmdGenerator) updateUsers() {
 		}
 	}
 }
+func (a *awsSyncCmdGenerator) updateInstanceProfiles() {
+	// update instance profiles
+	for _, toInstanceProfile := range a.to.InstanceProfiles {
+		if found, fromInstanceProfile := a.from.FindInstanceProfileByName(toInstanceProfile.Name, toInstanceProfile.Path); found {
+			// remove old roles from instance profile
+			for _, role := range stringSetDifference(fromInstanceProfile.Roles, toInstanceProfile.Roles) {
+				a.cmds.Add("aws", "iam", "remove-role-from-instance-profile", "--instance-profile-name", toInstanceProfile.Name, "--role-name", role)
+			}
+
+			// add new roles to instance profile
+			for _, role := range stringSetDifference(toInstanceProfile.Roles, fromInstanceProfile.Roles) {
+				a.cmds.Add("aws", "iam", "add-role-to-instance-profile", "--instance-profile-name", toInstanceProfile.Name, "--role-name", role)
+			}
+		} else {
+			// Create instance profile
+			a.cmds.Add("aws", "create-instance-profile", "--instance-profile-name", toInstanceProfile.Name, "--path", path(toInstanceProfile.Path))
+			for _, role := range toInstanceProfile.Roles {
+				a.cmds.Add("aws", "iam", "add-role-to-instance-profile", "--instance-profile-name", toInstanceProfile.Name, "--role-name", role)
+			}
+		}
+	}
+}
 
 func (a *awsSyncCmdGenerator) updateBucketPolicies() {
 	for _, fromBucketPolicy := range a.from.BucketPolicies {
@@ -437,6 +465,7 @@ func (a *awsSyncCmdGenerator) GenerateCmds() CmdList {
 	a.updateRoles()
 	a.updateGroups()
 	a.updateUsers()
+	a.updateInstanceProfiles()
 	a.updateBucketPolicies()
 	a.deleteOldEntities()
 

iamy/models.go

@@ -113,6 +113,15 @@ type Role struct {
 	Policies                 []string        `json:"Policies,omitempty"`
 }
 
+type InstanceProfile struct {
+	iamService `json:"-"`
+	Roles      []string `json:"Roles,omitempty"`
+}
+
+func (ip InstanceProfile) ResourceType() string {
+	return "instance-profile"
+}
+
 func (r Role) ResourceType() string {
 	return "role"
 }
@@ -139,21 +148,23 @@ func (bp BucketPolicy) ResourcePath() string {
 }
 
 type AccountData struct {
-	Account        *Account
-	Users          []*User
-	Groups         []*Group
-	Roles          []*Role
-	Policies       []*Policy
-	BucketPolicies []*BucketPolicy
+	Account          *Account
+	Users            []*User
+	Groups           []*Group
+	Roles            []*Role
+	Policies         []*Policy
+	BucketPolicies   []*BucketPolicy
+	InstanceProfiles []*InstanceProfile
 }
 
 func NewAccountData(account string) *AccountData {
 	return &AccountData{
-		Account:  NewAccountFromString(account),
-		Users:    []*User{},
-		Groups:   []*Group{},
-		Roles:    []*Role{},
-		Policies: []*Policy{},
+		Account:          NewAccountFromString(account),
+		Users:            []*User{},
+		Groups:           []*Group{},
+		Roles:            []*Role{},
+		Policies:         []*Policy{},
+		InstanceProfiles: []*InstanceProfile{},
 	}
 }
 
@@ -173,6 +184,10 @@ func (a *AccountData) addPolicy(p *Policy) {
 	a.Policies = append(a.Policies, p)
 }
 
+func (a *AccountData) addInstanceProfile(p *InstanceProfile) {
+	a.InstanceProfiles = append(a.InstanceProfiles, p)
+}
+
 func (a *AccountData) addBucketPolicy(bp *BucketPolicy) {
 	a.BucketPolicies = append(a.BucketPolicies, bp)
 }
@@ -217,6 +232,16 @@ func (a *AccountData) FindPolicyByName(name, path string) (bool, *Policy) {
 	return false, nil
 }
 
+func (a *AccountData) FindInstanceProfileByName(name, path string) (bool, *InstanceProfile) {
+	for _, p := range a.InstanceProfiles {
+		if p.Name == name && p.Path == path {
+			return true, p
+		}
+	}
+
+	return false, nil
+}
+
 func (a *AccountData) FindBucketPolicyByBucketName(name string) (bool, *BucketPolicy) {
 	for _, p := range a.BucketPolicies {
 		if p.BucketName == name {

iamy/yaml.go

@@ -13,7 +13,7 @@ import (
 )
 
 const pathTemplateBlob = "{{.Account}}/{{.Resource.Service}}/{{.Resource.ResourceType}}{{.Resource.ResourcePath}}{{.Resource.ResourceName}}.yaml"
-const pathRegexBlob = `^(?P<account>[^/]+)/(?P<entity>(iam/user|iam/group|iam/policy|iam/role|s3))(?P<resourcepath>.*/)(?P<resourcename>[^/]+)\.yaml$`
+const pathRegexBlob = `^(?P<account>[^/]+)/(?P<entity>(iam/instance-profile|iam/user|iam/group|iam/policy|iam/role|s3))(?P<resourcepath>.*/)(?P<resourcename>[^/]+)\.yaml$`
 
 var pathTemplate = template.Must(template.New("").Parse(pathTemplateBlob))
 var pathRegex = regexp.MustCompile(pathRegexBlob)
@@ -106,6 +106,10 @@ func (a *YamlLoadDumper) Load() ([]AccountData, error) {
 				p := Policy{iamService: nameAndPath}
 				err = a.unmarshalYamlFile(fp, &p)
 				accounts[accountid].addPolicy(&p)
+			case "iam/instance-profile":
+				profile := InstanceProfile{iamService: nameAndPath}
+				err = a.unmarshalYamlFile(fp, &profile)
+				accounts[accountid].addInstanceProfile(&profile)
 			case "s3":
 				bp := BucketPolicy{BucketName: name}
 				err = a.unmarshalYamlFile(fp, &bp)
@@ -168,6 +172,12 @@ func (f *YamlLoadDumper) Dump(accountData *AccountData, canDelete bool) error {
 		}
 	}
 
+	for _, profile := range accountData.InstanceProfiles {
+		if err := f.writeResource(accountData.Account, profile); err != nil {
+			return err
+		}
+	}
+
 	for _, bucketPolicy := range accountData.BucketPolicies {
 		if err := f.writeResource(accountData.Account, bucketPolicy); err != nil {
 			return err