Parse Azure trusted identity-internal (#134)

* add azure to valid benchmark schemas Co-authored-by: Alex <[email protected]>
sysdiglabs · Oct 21, 2021 · 1edcda1 · 1edcda1
1 parent b748e91
commit 1edcda1
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 7 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,18 @@
+repos:
+  - repo: local
+    hooks:
+    -   id: fmt
+        pass_filenames: false
+        name: fmt
+        entry: make fmt
+        language: system
+    -   id: fmtcheck
+        pass_filenames: false
+        name: fmtcheck
+        entry: make fmtcheck
+        language: system
+    -   id: lint
+        pass_filenames: false
+        name: lint
+        entry: make lint
+        language: system
diff --git a/GNUmakefile b/GNUmakefile
@@ -36,6 +36,9 @@ fmt:
 fmtcheck:
 	@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"
 
+lint:
+	golangci-lint run --timeout 1h ./...
+
 errcheck:
 	@sh -c "'$(CURDIR)/scripts/errcheck.sh'"
 

diff --git a/sysdig/data_source_sysdig_secure_trusted_cloud_identity.go b/sysdig/data_source_sysdig_secure_trusted_cloud_identity.go
@@ -58,15 +58,25 @@ func dataSourceSysdigSecureTrustedCloudIdentityRead(ctx context.Context, d *sche
 	d.SetId(identity)
 	d.Set("identity", identity)
 
-	// If identity is an ARN, attempt to extract certain fields
-	parsedArn, err := arn.Parse(identity)
-	if err == nil {
-		d.Set("aws_account_id", parsedArn.AccountID)
+	provider := d.Get("cloud_provider")
+	switch provider {
+	case "aws", "gcp":
+		// If identity is an ARN, attempt to extract certain fields
+		parsedArn, err := arn.Parse(identity)
+		if err == nil {
+			d.Set("aws_account_id", parsedArn.AccountID)
 
-		if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
-			d.Set("aws_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			if parsedArn.Service == "iam" && strings.HasPrefix(parsedArn.Resource, "role/") {
+				d.Set("aws_role_name", strings.TrimPrefix(parsedArn.Resource, "role/"))
+			}
+		}
+	case "azure":
+		// If identity is an Azure tenantID/clientID, separate into each part
+		tenantID, clientID, err := parseAzureCreds(identity)
+		if err == nil {
+			d.Set("azure_tenant_id", tenantID)
+			d.Set("azure_client_id", clientID)
 		}
 	}
-
 	return nil
 }
diff --git a/sysdig/helpers.go b/sysdig/helpers.go
@@ -1,7 +1,9 @@
 package sysdig
 
 import (
+	"errors"
 	"fmt"
+	"strings"
 
 	"github.com/hashicorp/go-cty/cty"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
@@ -31,3 +33,12 @@ func validateDiagFunc(validateFunc func(interface{}, string) ([]string, []error)
 		return diags
 	}
 }
+
+// parseAzureCreds splits an Azure Trusted Identity into a tenantID and a clientID
+func parseAzureCreds(azureTrustedIdentity string) (tenantID string, clientID string, err error) {
+	tokens := strings.Split(azureTrustedIdentity, ":")
+	if len(tokens) != 2 {
+		return "", "", errors.New("Not a valid Azure Trusted Identity")
+	}
+	return tokens[0], tokens[1], nil
+}