fix(aws): Support syncing AWS SSO Account Assignments for non management accounts (#10881)

bbernays · web-flow · commit a715e4f24f97 · 2023-05-23T12:25:24.000Z
#### Summary closes #10844 Rather than just using the management account id as the input for `ListAccountAssignments` we now call `ListAccountsForProvisionedPermissionSet` and use the list of Account Ids returned as the input. This will increase the number of API calls required, but there is no way of parallelizing the requests without implementing https://github.com/cloudquery/plugin-sdk/issues/338
diff --git a/plugins/source/aws/resources/services/ssoadmin/account_assignments.go b/plugins/source/aws/resources/services/ssoadmin/account_assignments.go
@@ -3,6 +3,7 @@ package ssoadmin
 import (
 	"context"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ssoadmin"
 	"github.com/aws/aws-sdk-go-v2/service/ssoadmin/types"
 	"github.com/cloudquery/cloudquery/plugins/source/aws/client"
@@ -24,20 +25,36 @@ func accountAssignments() *schema.Table {
 func fetchSsoadminAccountAssignments(ctx context.Context, meta schema.ClientMeta, parent *schema.Resource, res chan<- any) error {
 	cl := meta.(*client.Client)
 	svc := cl.Services().Ssoadmin
-	config := ssoadmin.ListAccountAssignmentsInput{
-		AccountId:        &cl.AccountID,
+	configListAccountForPPS := ssoadmin.ListAccountsForProvisionedPermissionSetInput{
 		InstanceArn:      parent.Parent.Item.(types.InstanceMetadata).InstanceArn,
 		PermissionSetArn: parent.Item.(*types.PermissionSet).PermissionSetArn,
 	}
-	paginator := ssoadmin.NewListAccountAssignmentsPaginator(svc, &config)
-	for paginator.HasMorePages() {
-		page, err := paginator.NextPage(ctx, func(o *ssoadmin.Options) {
+
+	paginatorListAccountForPPS := ssoadmin.NewListAccountsForProvisionedPermissionSetPaginator(svc, &configListAccountForPPS)
+	for paginatorListAccountForPPS.HasMorePages() {
+		accounts, err := paginatorListAccountForPPS.NextPage(ctx, func(o *ssoadmin.Options) {
 			o.Region = cl.Region
 		})
 		if err != nil {
 			return err
 		}
-		res <- page.AccountAssignments
+		for _, account := range accounts.AccountIds {
+			configLAA := ssoadmin.ListAccountAssignmentsInput{
+				AccountId:        aws.String(account),
+				InstanceArn:      parent.Parent.Item.(types.InstanceMetadata).InstanceArn,
+				PermissionSetArn: parent.Item.(*types.PermissionSet).PermissionSetArn,
+			}
+			paginator := ssoadmin.NewListAccountAssignmentsPaginator(svc, &configLAA)
+			for paginator.HasMorePages() {
+				page, err := paginator.NextPage(ctx, func(o *ssoadmin.Options) {
+					o.Region = cl.Region
+				})
+				if err != nil {
+					return err
+				}
+				res <- page.AccountAssignments
+			}
+		}
 	}
 	return nil
 }
diff --git a/plugins/source/aws/resources/services/ssoadmin/instances_mock_test.go b/plugins/source/aws/resources/services/ssoadmin/instances_mock_test.go
@@ -44,7 +44,10 @@ func buildInstances(t *testing.T, ctrl *gomock.Controller) client.Services {
 		&ssoadmin.DescribePermissionSetOutput{
 			PermissionSet: &ps,
 		}, nil)
-
+	mSSOAdmin.EXPECT().ListAccountsForProvisionedPermissionSet(gomock.Any(), gomock.Any(), gomock.Any()).Return(
+		&ssoadmin.ListAccountsForProvisionedPermissionSetOutput{
+			AccountIds: []string{*as.AccountId},
+		}, nil)
 	mSSOAdmin.EXPECT().ListAccountAssignments(gomock.Any(), gomock.Any(), gomock.Any()).Return(
 		&ssoadmin.ListAccountAssignmentsOutput{
 			AccountAssignments: []types.AccountAssignment{as},
diff --git a/plugins/source/aws/resources/services/ssoadmin/permission_sets.go b/plugins/source/aws/resources/services/ssoadmin/permission_sets.go
@@ -13,13 +13,24 @@ import (
 func permissionSets() *schema.Table {
 	tableName := "aws_ssoadmin_permission_sets"
 	return &schema.Table{
-		Name:                tableName,
-		Description:         `https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html`,
+		Name: tableName,
+		Description: `https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html. 
+The 'request_account_id' and 'request_region' columns are added to show the account_id and region of where the request was made from.`,
 		Resolver:            fetchSsoadminPermissionSets,
 		PreResourceResolver: getSsoadminPermissionSet,
 		Transform:           transformers.TransformWithStruct(&types.PermissionSet{}),
 		Multiplex:           client.ServiceAccountRegionMultiplexer(tableName, "identitystore"),
 		Columns: []schema.Column{
+			{
+				Name:     "request_account_id",
+				Type:     schema.TypeString,
+				Resolver: client.ResolveAWSAccount,
+			},
+			{
+				Name:     "request_region",
+				Type:     schema.TypeString,
+				Resolver: client.ResolveAWSRegion,
+			},
 			{
 				Name:     "inline_policy",
 				Type:     schema.TypeJSON,
diff --git a/website/tables/aws/aws_ssoadmin_permission_sets.md b/website/tables/aws/aws_ssoadmin_permission_sets.md
@@ -2,7 +2,8 @@
 
 This table shows data for Ssoadmin Permission Sets.
 
-https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html
+https://docs.aws.amazon.com/singlesignon/latest/APIReference/API_PermissionSet.html. 
+The 'request_account_id' and 'request_region' columns are added to show the account_id and region of where the request was made from.
 
 The primary key for this table is **_cq_id**.
 
@@ -21,6 +22,8 @@ The following tables depend on aws_ssoadmin_permission_sets:
 |_cq_sync_time|Timestamp|
 |_cq_id (PK)|UUID|
 |_cq_parent_id|UUID|
+|request_account_id|String|
+|request_region|String|
 |inline_policy|JSON|
 |created_date|Timestamp|
 |description|String|
