feat(aws): Add ssoadmin permission_sets, account_assignments (#4817)

jhudson10x · web-flow · commit 4ae00ca0a644 · 2022-11-23T10:54:08.000Z
#### Summary

Add support for SSOAdmin permission sets
Add support for SSOAdmin account assignments

&lt;!--
diff --git a/plugins/source/aws/codegen/recipes/ssoadmin.go b/plugins/source/aws/codegen/recipes/ssoadmin.go
@@ -7,8 +7,26 @@ import (
 func SSOAdminResources() []*Resource {
 	resources := []*Resource{
 		{
-			SubService: "instances",
-			Struct:     &types.InstanceMetadata{},
+			SubService:  "instances",
+			Struct:      &types.InstanceMetadata{},
+			Description: "https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html",
+			Relations: []string{
+				"PermissionSets()",
+			},
+		},
+		{
+			SubService:          "permission_sets",
+			Struct:              &types.PermissionSet{},
+			Description:         "https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html",
+			PreResourceResolver: "getSsoadminPermissionSet",
+			Relations: []string{
+				"AccountAssignments()",
+			},
+		},
+		{
+			SubService:  "account_assignments",
+			Struct:      &types.AccountAssignment{},
+			Description: "https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AccountAssignment.html",
 		},
 	}
 
diff --git a/plugins/source/aws/docs/tables/README.md b/plugins/source/aws/docs/tables/README.md
@@ -426,6 +426,7 @@
 | [aws_ssm_inventory_schemas](aws_ssm_inventory_schemas.md) |
 | [aws_ssm_patch_baselines](aws_ssm_patch_baselines.md) |
 | [aws_ssoadmin_instances](aws_ssoadmin_instances.md) |
+| ↳ [aws_ssoadmin_permission_sets](aws_ssoadmin_permission_sets.md) |
 | [aws_stepfunctions_state_machines](aws_stepfunctions_state_machines.md) |
 | [aws_timestream_databases](aws_timestream_databases.md) |
 | ↳ [aws_timestream_tables](aws_timestream_tables.md) |
diff --git a/plugins/source/aws/docs/tables/aws_ssoadmin_account_assignments.md b/plugins/source/aws/docs/tables/aws_ssoadmin_account_assignments.md
@@ -0,0 +1,20 @@
+# Table: aws_ssoadmin_account_assignments
+
+https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_AccountAssignment.html
+
+The primary key for this table is **_cq_id**.
+
+## Relations
+This table depends on [aws_ssoadmin_permission_sets](aws_ssoadmin_permission_sets.md).
+
+## Columns
+| Name          | Type          |
+| ------------- | ------------- |
+|_cq_source_name|String|
+|_cq_sync_time|Timestamp|
+|_cq_id (PK)|UUID|
+|_cq_parent_id|UUID|
+|account_id|String|
+|permission_set_arn|String|
+|principal_id|String|
+|principal_type|String|
diff --git a/plugins/source/aws/docs/tables/aws_ssoadmin_instances.md b/plugins/source/aws/docs/tables/aws_ssoadmin_instances.md
@@ -1,9 +1,12 @@
 # Table: aws_ssoadmin_instances
 
-
+https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_InstanceMetadata.html
 
 The primary key for this table is **_cq_id**.
 
+## Relations
+The following tables depend on aws_ssoadmin_instances:
+  - [aws_ssoadmin_permission_sets](aws_ssoadmin_permission_sets.md)
 
 ## Columns
 | Name          | Type          |
diff --git a/plugins/source/aws/docs/tables/aws_ssoadmin_permission_sets.md b/plugins/source/aws/docs/tables/aws_ssoadmin_permission_sets.md
@@ -0,0 +1,24 @@
+# Table: aws_ssoadmin_permission_sets
+
+https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html
+
+The primary key for this table is **_cq_id**.
+
+## Relations
+This table depends on [aws_ssoadmin_instances](aws_ssoadmin_instances.md).
+The following tables depend on aws_ssoadmin_permission_sets:
+  - [aws_ssoadmin_account_assignments](aws_ssoadmin_account_assignments.md)
+
+## Columns
+| Name          | Type          |
+| ------------- | ------------- |
+|_cq_source_name|String|
+|_cq_sync_time|Timestamp|
+|_cq_id (PK)|UUID|
+|_cq_parent_id|UUID|
+|created_date|Timestamp|
+|description|String|
+|name|String|
+|permission_set_arn|String|
+|relay_state|String|
+|session_duration|String|
diff --git a/plugins/source/aws/resources/services/ssoadmin/account_assignments.go b/plugins/source/aws/resources/services/ssoadmin/account_assignments.go
diff --git a/plugins/source/aws/resources/services/ssoadmin/account_assignments_fetch.go b/plugins/source/aws/resources/services/ssoadmin/account_assignments_fetch.go
@@ -0,0 +1,37 @@
+package ssoadmin
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ssoadmin"
+	"github.com/aws/aws-sdk-go-v2/service/ssoadmin/types"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
+	"github.com/cloudquery/plugin-sdk/schema"
+)
+
+func fetchSsoadminAccountAssignments(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- interface{}) error {
+	cl := meta.(*client.Client)
+	svc := cl.Services().Ssoadmin
+	permission_set_arn := parent.Item.(*types.PermissionSet).PermissionSetArn
+	instance_arn := parent.Parent.Item.(types.InstanceMetadata).InstanceArn
+	config := ssoadmin.ListAccountAssignmentsInput{
+		AccountId:        &cl.AccountID,
+		InstanceArn:      instance_arn,
+		PermissionSetArn: permission_set_arn,
+	}
+
+	for {
+		response, err := svc.ListAccountAssignments(ctx, &config)
+		if err != nil {
+			return err
+		}
+		res <- response.AccountAssignments
+		if aws.ToString(response.NextToken) == "" {
+			break
+		}
+		config.NextToken = response.NextToken
+	}
+
+	return nil
+}
diff --git a/plugins/source/aws/resources/services/ssoadmin/instances.go b/plugins/source/aws/resources/services/ssoadmin/instances.go
diff --git a/plugins/source/aws/resources/services/ssoadmin/instances_mock_test.go b/plugins/source/aws/resources/services/ssoadmin/instances_mock_test.go
@@ -14,7 +14,17 @@ import (
 func buildInstances(t *testing.T, ctrl *gomock.Controller) client.Services {
 	mSSOAdmin := mocks.NewMockSsoadminClient(ctrl)
 	im := types.InstanceMetadata{}
-	err := faker.FakeObject(&im)
+	ps := types.PermissionSet{}
+	as := types.AccountAssignment{}
+	err := faker.FakeObject(&ps)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = faker.FakeObject(&as)
+	if err != nil {
+		t.Fatal(err)
+	}
+	err = faker.FakeObject(&im)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -24,6 +34,21 @@ func buildInstances(t *testing.T, ctrl *gomock.Controller) client.Services {
 			Instances: []types.InstanceMetadata{im},
 		}, nil)
 
+	mSSOAdmin.EXPECT().ListPermissionSets(gomock.Any(), gomock.Any(), gomock.Any()).Return(
+		&ssoadmin.ListPermissionSetsOutput{
+			PermissionSets: []string{*ps.Name},
+		}, nil)
+
+	mSSOAdmin.EXPECT().DescribePermissionSet(gomock.Any(), gomock.Any(), gomock.Any()).Return(
+		&ssoadmin.DescribePermissionSetOutput{
+			PermissionSet: &ps,
+		}, nil)
+
+	mSSOAdmin.EXPECT().ListAccountAssignments(gomock.Any(), gomock.Any(), gomock.Any()).Return(
+		&ssoadmin.ListAccountAssignmentsOutput{
+			AccountAssignments: []types.AccountAssignment{as},
+		}, nil)
+
 	return client.Services{
 		Ssoadmin: mSSOAdmin,
 	}
diff --git a/plugins/source/aws/resources/services/ssoadmin/permission_sets.go b/plugins/source/aws/resources/services/ssoadmin/permission_sets.go
diff --git a/plugins/source/aws/resources/services/ssoadmin/permission_sets_fetch.go b/plugins/source/aws/resources/services/ssoadmin/permission_sets_fetch.go
@@ -0,0 +1,51 @@
+package ssoadmin
+
+import (
+	"context"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/ssoadmin"
+	"github.com/aws/aws-sdk-go-v2/service/ssoadmin/types"
+	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
+	"github.com/cloudquery/plugin-sdk/schema"
+)
+
+func getSsoadminPermissionSet(ctx context.Context, meta schema.ClientMeta, resource *schema.Resource) error {
+	svc := meta.(*client.Client).Services().Ssoadmin
+	permission_set_arn := resource.Item.(string)
+	instance_arn := resource.Parent.Item.(types.InstanceMetadata).InstanceArn
+	config := ssoadmin.DescribePermissionSetInput{
+		InstanceArn:      instance_arn,
+		PermissionSetArn: &permission_set_arn,
+	}
+
+	response, err := svc.DescribePermissionSet(ctx, &config)
+	if err != nil {
+		return err
+	}
+	resource.Item = response.PermissionSet
+	return nil
+}
+
+func fetchSsoadminPermissionSets(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- interface{}) error {
+	cl := meta.(*client.Client)
+	svc := cl.Services().Ssoadmin
+	instance_arn := parent.Item.(types.InstanceMetadata).InstanceArn
+	config := ssoadmin.ListPermissionSetsInput{
+		InstanceArn: instance_arn,
+	}
+
+	for {
+		response, err := svc.ListPermissionSets(ctx, &config)
+		if err != nil {
+			return err
+		}
+		res <- response.PermissionSets
+		if aws.ToString(response.NextToken) == "" {
+			break
+		}
+		config.NextToken = response.NextToken
+	}
+
+	return nil
+}
