role policy lookup return nil rather than throw error (#2082)

* change from throwing error on non-existent policy to logging debug and return nil * remove trailing newline
glerb · Nov 23, 2020 · 4540537 · 4540537
1 parent 657d7d8
commit 4540537
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 6 deletions.
diff --git a/internal/compliance/snapshot_poller/pollers/aws/awstest/iam.go b/internal/compliance/snapshot_poller/pollers/aws/awstest/iam.go
@@ -570,6 +570,15 @@ var (
 			svc.On("ListAttachedRolePoliciesPages", mock.Anything).
 				Return(errors.New("IAM.ListAttachedRolePoliciesPages error"))
 		},
+		"ListAttachedRolePoliciesPagesAWSErr": func(svc *MockIAM) {
+			svc.On("ListAttachedRolePoliciesPages", mock.Anything).
+				Return(
+					awserr.New(
+						iam.ErrCodeNoSuchEntityException,
+						"The role policy with name MYNAME cannot be found",
+						errors.New("fake GetRolePolicy error"),
+					))
+		},
 		"ListRolesPages": func(svc *MockIAM) {
 			svc.On("ListRolesPages", mock.Anything).
 				Return(errors.New("IAM.ListRolesPages error"))
@@ -578,6 +587,15 @@ var (
 			svc.On("ListRolePoliciesPages", mock.Anything).
 				Return(errors.New("IAM.ListRolePoliciesPages error"))
 		},
+		"ListRolePoliciesPagesAWSErr": func(svc *MockIAM) {
+			svc.On("ListRolePoliciesPages", mock.Anything).
+				Return(
+					awserr.New(
+						iam.ErrCodeNoSuchEntityException,
+						"The role policy with name MYNAME cannot be found",
+						errors.New("fake GetRolePolicy error"),
+					))
+		},
 		"GetRolePolicy": func(svc *MockIAM) {
 			svc.On("GetRolePolicy", mock.Anything).
 				Return(&iam.GetRolePolicyOutput{},

diff --git a/internal/compliance/snapshot_poller/pollers/aws/iam_role.go b/internal/compliance/snapshot_poller/pollers/aws/iam_role.go
@@ -34,6 +34,7 @@ import (
 	awsmodels "github.com/panther-labs/panther/internal/compliance/snapshot_poller/models/aws"
 	pollermodels "github.com/panther-labs/panther/internal/compliance/snapshot_poller/models/poller"
 	"github.com/panther-labs/panther/internal/compliance/snapshot_poller/pollers/utils"
+	"github.com/panther-labs/panther/pkg/awsutils"
 )
 
 // PollIAMRole polls a single IAM Role resource
@@ -112,9 +113,8 @@ func iamRoleIterator(page *iam.ListRolesOutput, roles *[]*iam.Role, marker **str
 func getRolePolicy(iamSvc iamiface.IAMAPI, roleName *string, policyName *string) (*string, error) {
 	policy, err := iamSvc.GetRolePolicy(&iam.GetRolePolicyInput{RoleName: roleName, PolicyName: policyName})
 	if err != nil {
-		var awsError awserr.Error
-		if errors.As(err, &awsError) && awsError.Code() == iam.ErrCodeNoSuchEntityException {
-			zap.L().Debug("role policy could not be found", zap.String("policyName", *policyName))
+		if awsutils.IsAnyError(err, iam.ErrCodeNoSuchEntityException) {
+			zap.L().Debug("role policy could not be found", zap.String("roleName", *roleName))
 			return nil, nil
 		}
 		return nil, errors.Wrapf(err, "IAM.GetRolePolicy: %s", aws.StringValue(roleName))
@@ -140,6 +140,10 @@ func getRolePolicies(iamSvc iamiface.IAMAPI, roleName *string) (
 		},
 	)
 	if err != nil {
+		if awsutils.IsAnyError(err, iam.ErrCodeNoSuchEntityException) {
+			zap.L().Debug("IAM.ListRolePolicies: role policy could not be found", zap.String("roleName", *roleName))
+			return nil, nil, nil
+		}
 		return nil, nil, errors.Wrapf(err, "IAM.ListRolePolicies: %s", aws.StringValue(roleName))
 	}
 
@@ -153,13 +157,17 @@ func getRolePolicies(iamSvc iamiface.IAMAPI, roleName *string) (
 		},
 	)
 	if err != nil {
+		if awsutils.IsAnyError(err, iam.ErrCodeNoSuchEntityException) {
+			zap.L().Debug("IAM.ListAttachedRolePolicies: role policy could not be found", zap.String("roleName", *roleName))
+			return nil, nil, nil
+		}
 		return nil, nil, errors.Wrapf(err, "IAM.ListAttachedRolePolicies: %s", aws.StringValue(roleName))
 	}
 
-	return
+	return inlinePolicies, managedPolicies, nil
 }
 
-// buildIAMRoleSnapshot builds an IAMRoleSnapshot for a given IAM Role
+// BuildIAMRoleSnapshot builds an IAMRoleSnapshot for a given IAM Role
 func BuildIAMRoleSnapshot(iamSvc iamiface.IAMAPI, role *iam.Role) (*awsmodels.IAMRole, error) {
 	iamRoleSnapshot := &awsmodels.IAMRole{
 		GenericResource: awsmodels.GenericResource{

diff --git a/internal/compliance/snapshot_poller/pollers/aws/iam_role_test.go b/internal/compliance/snapshot_poller/pollers/aws/iam_role_test.go
@@ -87,7 +87,7 @@ func TestIAMRolesGetPolicyError(t *testing.T) {
 	assert.Error(t, err)
 }
 
-func TestIAMROlesGetPolicyAWSError(t *testing.T) {
+func TestIAMRolesGetPolicyAWSError(t *testing.T) {
 	mockSvc := awstest.BuildMockIAMSvcError([]string{"GetRolePolicyAWSErr"})
 
 	out, err := getRolePolicy(mockSvc, aws.String("RoleName"), aws.String("PolicyName"))
@@ -115,6 +115,15 @@ func TestIAMRolesGetPolicies(t *testing.T) {
 	)
 }
 
+func TestIAMRolesGetPolicesAWSError(t *testing.T) {
+	mockSvc := awstest.BuildMockIAMSvcError([]string{"ListRolePoliciesPagesAWSErr"})
+
+	inlinePolicies, managedPolicies, err := getRolePolicies(mockSvc, aws.String("Franklin"))
+	assert.NoError(t, err)
+	assert.Nil(t, inlinePolicies)
+	assert.Nil(t, managedPolicies)
+}
+
 func TestIAMRolesGetPoliciesErrors(t *testing.T) {
 	mockSvc := awstest.BuildMockIAMSvcError([]string{
 		"ListRolePoliciesPages",