fix: make sure we only update if there is a changed resource (#256)

Make sure we only schedule an update if there is an actual change in the resource. --------- Signed-off-by: Kasper J. Hermansen <[email protected]>
lunarway · Aug 14, 2023 · 50fb816 · 50fb816
1 parent 0869c01
commit 50fb816
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/pkg/iam/policy.go b/pkg/iam/policy.go
@@ -81,8 +81,16 @@ func (p *PolicyDocument) Update(region, accountID, rolePrefix, username, rolenam
 
 	var updated bool
 	var statements []StatementEntry
+statement_loop:
 	for i := range p.Statement {
 		if p.Statement[i].Condition.StringLike.AWSUserID == awsUserID {
+			for _, resource := range p.Statement[i].Resource {
+				if resource == formatStatementResource(region, accountID, rolePrefix, rolename, awsUserID) {
+					statements = append(statements, p.Statement[i])
+					continue statement_loop
+				}
+			}
+
 			statements = append(statements, newStatementEntry(region, accountID, rolePrefix, rolename, awsUserID))
 			updated = true
 			continue
@@ -99,11 +107,15 @@ func newStatementEntry(region, accountID, rolePrefix, rolename, awsUserID string
 	return StatementEntry{
 		Effect:    "Allow",
 		Action:    []string{"rds-db:connect"},
-		Resource:  []string{fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:*/%s%s", region, accountID, rolePrefix, rolename)},
+		Resource:  []string{formatStatementResource(region, accountID, rolePrefix, rolename, awsUserID)},
 		Condition: StringLike{StringLike: UserID{AWSUserID: awsUserID}},
 	}
 }
 
+func formatStatementResource(region, accountID, rolePrefix, rolename, awsUserID string) string {
+	return fmt.Sprintf("arn:aws:rds-db:%s:%s:dbuser:*/%s%s", region, accountID, rolePrefix, rolename)
+}
+
 func (p *PolicyDocument) Remove(username string) {
 	awsUserID := usernameToUserId(username)