in internal/flavors/benchmark/aws_org.go [168:218]
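// pickManagementAccountRole decides which credentials are used to scan the
// Organization's Management Account, based on the scanSettingTagKey tag of the
// rootRole ("cloudbeat-root") IAM role:
//
//   - tag absent (or empty): legacy deployment. rootCfg is returned unchanged.
//     In previous CF templates "cloudbeat-root" had the built-in SecurityAudit
//     policy attached, so it can scan the Management Account directly.
//   - tag == scanSettingTagValue: the user opted in. memberRole
//     ("cloudbeat-securityaudit") is expected to exist in the Management
//     Account; if it is missing we only log an error and carry on, because the
//     caller still wants the other selected accounts scanned.
//   - any other value (e.g. the opt-out value): memberRole is still assumed.
//     Nothing else is done here; if the role does not exist the assumed-role
//     credentials fail later and no Management Account data is produced.
//
// Except for the legacy case, the returned Config assumes memberRole in
// identity.Account via stsClient. The only error returned is a failure to look
// up rootRole; everything else is logged and tolerated.
//
// NOTE(review): opting out is not enforced by this function. If memberRole
// exists in the Management Account for any reason, the account is scanned
// regardless of the tag value. Because the decision is read from a tag on an
// IAM role, anyone able to tag that role influences this choice — confirm that
// is acceptable for the deployment's threat model.
func (a *AWSOrg) pickManagementAccountRole(ctx context.Context, log *clog.Logger, stsClient stscreds.AssumeRoleAPIClient, rootCfg awssdk.Config, identity cloud.Identity) (awssdk.Config, error) {
	root, err := a.IAMProvider.GetRole(ctx, rootRole)
	if err != nil {
		return awssdk.Config{}, fmt.Errorf("error getting root role: %w", err)
	}

	// Locate the scan-setting tag; an absent tag and an empty value are
	// treated the same way (legacy).
	var scanSetting string
	for _, tag := range root.Tags {
		if pointers.Deref(tag.Key) == scanSettingTagKey {
			scanSetting = pointers.Deref(tag.Value)
			break
		}
	}

	switch scanSetting {
	case "":
		// Legacy. Use 'cloudbeat-root' role for compliance reasons.
		log.Infof("%q tag not found, using '%s' role for backward compatibility", scanSettingTagKey, rootRole)
		return rootCfg, nil
	case scanSettingTagValue:
		// The user asked for the Management Account to be scanned, so
		// 'cloudbeat-securityaudit' should exist there. This should not
		// happen! Log loudly but do not fail: other selected accounts must
		// still be scanned.
		if _, err := a.IAMProvider.GetRole(ctx, memberRole); err != nil {
			log.Errorf("Management Account should be scanned (%s: %s), but %q role is missing: %s", scanSettingTagKey, scanSetting, memberRole, err)
		}
	default:
		// Opt-out (or an unexpected value). We still assume memberRole
		// below; the absence of the role is what keeps the Management
		// Account out of the scan. Say so, instead of failing silently.
		log.Infof("%q tag on '%s' role is %q (not %q); attempting to assume '%s' role anyway, which yields no Management Account data if the role does not exist", scanSettingTagKey, rootRole, scanSetting, scanSettingTagValue, memberRole)
	}

	log.Debugf("assuming '%s' role for Account %s", memberRole, identity.Account)
	return assumeRole(stsClient, rootCfg, fmtIAMRole(identity.Account, memberRole)), nil
}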