IAMbic plan fails for multi account yamls #650

@Ascend1984

Description

Describe the bug
I've been evaluating this tool for some time, but had other things to do for a while. Getting back, I upgraded IAMbic from version ~0.11.59 to 0.11.86. After I executed an "iambic import" on my configuration, the "iambic plan" command produces errors for some YAML files. In the end this results in an empty "proposed_changes.json", which cannot be rendered to the console and throws an exception.

The YAMLs producing errors are for a managed policy and for users. From what I see in the console output, IAMbic is trying to detect changes and fails. But the error from that step is not thrown or printed anywhere.
So I looked at my files and these are my findings:

  • The "iambic import" adds an entry called "credentials" to properties (which is not documented here, but is not responsible for the error)
  • Part of the "credentials" block is information about access_keys (which is why I can't and will not post my YAMLs) and password. Both blocks contain information about the "enabled" status and last usage.
  • The "credentials" block itself is not the issue here, because I also have user YAMLs that contain this block but do not produce the error
  • The main difference between the erroneous YAMLs and the working ones is that they belong to users residing in multiple accounts.
  • So my conclusion is that the issue lies with the "include_accounts" or "exclude_accounts" statements (exclude being used in the erroneous policy document) that start the entries for "credentials":
...
properties:
  credentials:
    - include_accounts:
        - Account X
      access_keys:
        - enabled: true
          id: XXXXXXXXXXXXXXXXXXX
          last_used: '2023-10-20'
      password:
        enabled: true
        last_used: Never
...
  • As for my erroneous managed policy, I think it is the same issue, because its policy_document block also contains exclude_accounts and include_accounts statements:
template_type: NOQ::AWS::IAM::ManagedPolicy
template_schema_url: https://docs.iambic.org/reference/schemas/aws_iam_managed_policy_template
included_accounts:
  - Account X
  - Account Y
identifier: GreengrassV2TokenExchangeRoleAccess
properties:
  policy_document:
    - excluded_accounts:
        - Account Y
      statement:
        - action:
            - iot:Connect
            - iot:DescribeCertificate
            - iot:Publish
            - iot:Receive
            - iot:Subscribe
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
    - included_accounts:
        - Account Y
      statement:
        - action:
            - logs:CreateLogGroup
            - logs:CreateLogStream
            - logs:DescribeLogStreams
            - logs:PutLogEvents
            - s3:GetBucketLocation
          effect: Allow
          resource: '*'
      version: '2012-10-17'
  policy_name: GreengrassV2TokenExchangeRoleAccess

To Reproduce
Steps to reproduce the behavior:

  1. Look for a policy or user yaml
  2. Add "include_accounts"
    1. before credentials entry (like shown above) for user yaml
    2. before policy_document entry for policy yaml
  3. Execute "iambic plan" on prepared yaml
  4. See error

Expected behavior
The IAMbic plan step does not produce an error for these types of YAMLs and respects the include and exclude statements (if that is the intended behaviour).

Desktop (please complete the following information):

  • OS: Windows
  • Python 3.11.5
  • IAMbic 0.11.86 (after pip install iambic-core --upgrade)

Additional context
Upgraded IAMbic from version 0.11.59 (or 56, can't remember ^^) to 0.11.86. Had no issues with the old version, so this is either a change to IAMbic that was introduced between those versions, or some other change on the AWS side?

Community Engagement
Your vote counts! Please support this bug report by adding a 👍 reaction to the original issue, which will aid the community and maintainers in addressing this problem.

Please refrain from adding "+1" or "me too" comments, as these create unnecessary noise for issue followers and do not help in prioritizing the issue. If you wish to contribute to solving this issue or have submitted a pull request, please leave a comment.
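The report hinges on how a multi-account template's per-entry `included_accounts` / `excluded_accounts` (the reporter's user YAML spells them `include_accounts` / `exclude_accounts`) scope a property to a subset of the template's accounts. The script below is an added example, not IAMbic's own code: it takes the managed-policy template from the report (as a Python dict, account names kept as the placeholders "Account X" and "Account Y"), resolves which `policy_document` entry applies to each account, and flags accounts for which a single-valued property resolves to zero or more than one entry, which is the kind of silent inconsistency a plan step can trip over. The rules that an absent include list means "all accounts" and that an exclude list wins over an include list are assumptions about IAMbic's semantics, not something the report confirms.

```python
# Added example, not IAMbic's own code. Resolves access-scoped entries of a
# multi-account IAMbic template per account and checks for ambiguous scoping.

# Both spellings appear in the report (policy YAML vs. user YAML); accept both.
INCLUDE_KEYS = ("included_accounts", "include_accounts")
EXCLUDE_KEYS = ("excluded_accounts", "exclude_accounts")

# Constructed from the managed-policy YAML in the report; account names are placeholders.
TEMPLATE = {
    "template_type": "NOQ::AWS::IAM::ManagedPolicy",
    "included_accounts": ["Account X", "Account Y"],
    "identifier": "GreengrassV2TokenExchangeRoleAccess",
    "properties": {
        "policy_document": [
            {
                "excluded_accounts": ["Account Y"],
                "statement": [{
                    "action": [
                        "iot:Connect", "iot:DescribeCertificate", "iot:Publish",
                        "iot:Receive", "iot:Subscribe", "logs:CreateLogGroup",
                        "logs:CreateLogStream", "logs:DescribeLogStreams",
                        "logs:PutLogEvents", "s3:GetBucketLocation",
                    ],
                    "effect": "Allow",
                    "resource": "*",
                }],
                "version": "2012-10-17",
            },
            {
                "included_accounts": ["Account Y"],
                "statement": [{
                    "action": [
                        "logs:CreateLogGroup", "logs:CreateLogStream",
                        "logs:DescribeLogStreams", "logs:PutLogEvents",
                        "s3:GetBucketLocation",
                    ],
                    "effect": "Allow",
                    "resource": "*",
                }],
                "version": "2012-10-17",
            },
        ],
        "policy_name": "GreengrassV2TokenExchangeRoleAccess",
    },
}


def _scope_list(entry, keys):
    """Return the first scoping list found under any of `keys`, else None."""
    for key in keys:
        if key in entry:
            return entry[key]
    return None


def applies_to(entry, account):
    """Assumed rule: an explicit exclude wins; no include list means every account."""
    excluded = _scope_list(entry, EXCLUDE_KEYS)
    if excluded is not None and account in excluded:
        return False
    included = _scope_list(entry, INCLUDE_KEYS)
    return included is None or account in included


def strip_scope(entry):
    """Drop the scoping keys so only the account-level content remains."""
    return {k: v for k, v in entry.items() if k not in INCLUDE_KEYS + EXCLUDE_KEYS}


def resolve_property(value, account):
    """A plain value applies everywhere; a list of scoped entries is filtered."""
    if not isinstance(value, list):
        return [value]
    return [strip_scope(e) for e in value if isinstance(e, dict) and applies_to(e, account)]


def resolve_template(template):
    """Map each account the template covers to its resolved properties."""
    return {
        account: {name: resolve_property(val, account)
                  for name, val in template["properties"].items()}
        for account in template["included_accounts"]
    }


def scoping_problems(template, prop):
    """Accounts for which a single-valued property resolves to != 1 entry."""
    problems = {}
    for account, props in resolve_template(template).items():
        count = len(props[prop])
        if count != 1:
            problems[account] = count
    return problems


if __name__ == "__main__":
    for account, props in resolve_template(TEMPLATE).items():
        actions = props["policy_document"][0]["statement"][0]["action"]
        print(f"{account}: {len(actions)} allowed actions")
    print("scoping problems:", scoping_problems(TEMPLATE, "policy_document"))
```

With the template as posted, "Account X" resolves to the ten-action document and "Account Y" to the five-action one, and `scoping_problems` is empty; appending a third, unscoped `policy_document` entry makes it report 2 entries for both accounts, which is the sort of overlap worth checking before running a plan.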
