
  1. package gorm
import (
	"context"
	"errors"
	"fmt"

	"github.com/porter-dev/porter/internal/models"
	"github.com/porter-dev/porter/internal/repository"
	"gorm.io/gorm"
)
// AWSAssumeRoleChain is the gorm-backed repository for AWS assume role chains.
// Every query it runs goes through the wrapped *gorm.DB handle.
type AWSAssumeRoleChain struct {
	db *gorm.DB
}
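// NewAWSAssumeRoleChainer returns a repository.AWSAssumeRoleChainer backed by
// the given gorm database handle. The handle is stored as-is (no nil check);
// every query issued by the returned repository runs against it.
func NewAWSAssumeRoleChainer(db *gorm.DB) repository.AWSAssumeRoleChainer {
	return &AWSAssumeRoleChain{db: db}
}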
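// List returns the AWS assume role chains of projectID whose target ARN does
// not belong to one of Porter's own AWS accounts, so that only customer ARNs
// are surfaced to users.
//
// projectID must be non-zero; otherwise an error is returned before any query
// is issued. ctx is propagated to the database call. A database error is
// returned as gorm reports it, without wrapping.
func (cr AWSAssumeRoleChain) List(ctx context.Context, projectID uint) ([]*models.AWSAssumeRoleChain, error) {
	if projectID == 0 {
		return nil, errors.New("must provide a project ID")
	}

	// porterInternalAccounts are Porter-owned AWS account IDs whose role chains
	// must be hidden from users (bastion, tooling and legacy production accounts).
	porterInternalAccounts := []string{
		"108458755588", // CAPI Bastion
		"813111008191", // Internal Tooling Cluster
		"975032674314", // Old production account
	}

	// Build the filter with bound parameters instead of interpolating the
	// account IDs into the SQL text: the LIKE patterns travel as query
	// arguments, so the SQL string itself stays constant regardless of what
	// the account list holds (today all-digit IDs, which carry no LIKE
	// metacharacters; the placeholder form keeps that true if the list ever
	// becomes configurable).
	query := "project_id = ?"
	args := make([]interface{}, 0, 1+len(porterInternalAccounts))
	args = append(args, projectID)
	for _, account := range porterInternalAccounts {
		query += " and target_arn not like ?"
		args = append(args, fmt.Sprintf("%%arn:aws:iam::%s%%", account))
	}

	var confs []*models.AWSAssumeRoleChain
	// WithContext ties the query to the caller's deadline/cancellation; the
	// original ignored ctx entirely.
	tx := cr.db.WithContext(ctx).Where(query, args...).Find(&confs)
	if tx.Error != nil {
		return nil, tx.Error
	}
	return confs, nil
}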