alsmola · February 10, 2021 21:37
diff --git a/okta_aws_account_access.go b/okta_aws_account_access.go
 package main

 import (
 	"context"
 	"encoding/csv"
 	"errors"
 	"fmt"
 	"log"
 	"os"
 	"regexp"

 	"github.com/okta/okta-sdk-golang/v2/okta"
 	"github.com/okta/okta-sdk-golang/v2/okta/query"
 )

 // Map of Okta email to array of AWS IAM roles
 type userRoles map[string][]string

 func main() {
 	ctx := context.Background()
 	oktaOrgURL := "https://yoursubdomain.okta.com"
 	ctx, client, err := okta.NewClient(ctx, okta.WithOrgUrl(oktaOrgURL), okta.WithToken("your-okta-api-token"))
 	if err != nil {
 		panic(err)
 	}
 	applications, err := getOktaApps(ctx, client)
 	if err != nil {
 		panic(err)
 	}
 	awsAppID := ""
 	for _, app := range applications {
 		if app.Name == "amazon_aws" {
 			awsAppID = app.Id
 		}
 	}
 	if awsAppID == "" {
 		panic(errors.New("No AWS application found"))
 	}
 	appUsers, err := getOktaUsersForAWS(ctx, client, awsAppID)
 	if err != nil {
 		panic(err)
 	}
 	awsAccounts := []string{
 		"your-aws-account-names",
 	}
 	writers := map[string]*csv.Writer{}
 	for _, awsAccount := range awsAccounts {
 		file, err := os.Create(fmt.Sprintf("%s.csv", awsAccount))
 		if err != nil {
 			panic(err)
 		}
 		writers[awsAccount] = csv.NewWriter(file)
 	}
 	accountsUsersRoles := map[string]userRoles{}
 	for email, roles := range appUsers {
 		for _, role := range roles {
 			roleRegex := regexp.MustCompile(`\[(.*)\]\s--\s(.*)`)
 			matches := roleRegex.FindStringSubmatch(role)
 			if len(matches) < 3 {
 				panic(fmt.Errorf("Couldn't parse role: %s", role))
 			}
 			account := matches[1]
 			roleName := matches[2]
 			r := accountsUsersRoles[account][email]
 			r = append(r, roleName)
 			if accountsUsersRoles[account] == nil {
 				accountsUsersRoles[account] = userRoles{}
 			}
 			accountsUsersRoles[account][email] = r
 		}
 	}

 	for account, ur := range accountsUsersRoles {
 		for email, roles := range ur {
 			line := []string{email}
 			line = append(line, roles...)
 			err := writers[account].Write(line)
 			if err != nil {
 				panic(err)
 			}
 		}
 	}

 	for _, w := range writers {
 		w.Flush()
 	}

 	log.Println("Files created.")
 }

 func getOktaUsersForAWS(ctx context.Context, client *okta.Client, appID string) (userRoles, error) {
 	users := map[string][]string{}

 	// Get users assigned directly to application
 	appUsers, resp, err := client.Application.ListApplicationUsers(ctx, appID, nil)
 	if err != nil {
 		return users, err
 	}
 	for resp.HasNextPage() {
 		var nextAppUsers []*okta.AppUser
 		resp, err = resp.Next(ctx, &nextAppUsers)
 		if err != nil {
 			return users, err
 		}
 		appUsers = append(appUsers, nextAppUsers...)
 	}
 	for _, appUser := range appUsers {
 		userProfile := appUser.Profile.(map[string]interface{})
 		email := userProfile["email"].(string)
 		roles := []string{}
 		for _, r := range userProfile["samlRoles"].([]interface{}) {
 			roles = append(roles, r.(string))
 		}
 		users[email] = roles
 	}

 	// Get users assigned to application via groups
 	groups, resp, err := client.Application.ListApplicationGroupAssignments(ctx, appID, nil)
 	if err != nil {
 		return users, err
 	}
 	for resp.HasNextPage() {
 		var nextGroups []*okta.ApplicationGroupAssignment
 		resp, err = resp.Next(ctx, &nextGroups)
 		if err != nil {
 			return users, err
 		}
 		groups = append(groups, nextGroups...)
 	}
 	var groupUsers []*okta.User
 	for _, group := range groups {
 		roles := []string{}
 		profile := group.Profile.(map[string]interface{})
 		samlRoles := profile["samlRoles"].([]interface{})
 		for _, r := range samlRoles {
 			roles = append(roles, r.(string))
 		}
 		groupUsers, resp, err = client.Group.ListGroupUsers(ctx, group.Id, nil)
 		if err != nil {
 			return users, err
 		}
 		for resp.HasNextPage() {
 			var nextGroupUsers []*okta.User
 			resp, err = resp.Next(ctx, &nextGroupUsers)
 			if err != nil {
 				return users, err
 			}
 			groupUsers = append(groupUsers, nextGroupUsers...)
 		}
 		for _, groupUser := range groupUsers {
 			userProfile := *(groupUser.Profile)
 			email := userProfile["email"].(string)
 			existingRoles, ok := users[email]
 			if ok {
 				users[email] = union(existingRoles, roles)
 			}
 		}
 	}
 	return users, err
 }

 func getOktaApps(ctx context.Context, client *okta.Client) ([]*okta.Application, error) {
 	applications := []*okta.Application{}
 	params := query.Params{
 		Filter: "status eq \"ACTIVE\"",
 	}
 	apps, resp, err := client.Application.ListApplications(ctx, &params)
 	if err != nil {
 		log.Println("Can't get apps")
 		return applications, err
 	}
 	applications = transformApplications(apps)
 	for resp.HasNextPage() {
 		var nextApps []*okta.Application
 		resp, err = resp.Next(ctx, &nextApps)
 		if err != nil {
 			return applications, err
 		}
 		applications = append(applications, nextApps...)
 	}
 	return applications, nil
 }

 func transformApplications(values []okta.App) []*okta.Application {
 	var tValues []*okta.Application
 	for _, v := range values {
 		tValues = append(tValues, v.(*okta.Application))
 	}
 	return tValues
 }

 func union(a, b []string) []string {
 	m := make(map[string]bool)
 	for _, item := range a {
 		m[item] = true
 	}
 	for _, item := range b {
 		if _, ok := m[item]; !ok {
 			a = append(a, item)
 		}
 	}
 	return a
 }
	package main

	import (
	"context"
	"encoding/csv"
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"

	"github.com/okta/okta-sdk-golang/v2/okta"
	"github.com/okta/okta-sdk-golang/v2/okta/query"
	)

	// Map of Okta email to array of AWS IAM roles
	type userRoles map[string][]string

	func main() {
	ctx := context.Background()
	oktaOrgURL := "https://yoursubdomain.okta.com"
	ctx, client, err := okta.NewClient(ctx, okta.WithOrgUrl(oktaOrgURL), okta.WithToken("your-okta-api-token"))
	if err != nil {
	panic(err)
	}
	applications, err := getOktaApps(ctx, client)
	if err != nil {
	panic(err)
	}
	awsAppID := ""
	for _, app := range applications {
	if app.Name == "amazon_aws" {
	awsAppID = app.Id
	}
	}
	if awsAppID == "" {
	panic(errors.New("No AWS application found"))
	}
	appUsers, err := getOktaUsersForAWS(ctx, client, awsAppID)
	if err != nil {
	panic(err)
	}
	awsAccounts := []string{
	"your-aws-account-names",
	}
	writers := map[string]*csv.Writer{}
	for _, awsAccount := range awsAccounts {
	file, err := os.Create(fmt.Sprintf("%s.csv", awsAccount))
	if err != nil {
	panic(err)
	}
	writers[awsAccount] = csv.NewWriter(file)
	}
	accountsUsersRoles := map[string]userRoles{}
	for email, roles := range appUsers {
	for _, role := range roles {
	roleRegex := regexp.MustCompile(`\[(.)\]\s--\s(.)`)
	matches := roleRegex.FindStringSubmatch(role)
	if len(matches) < 3 {
	panic(fmt.Errorf("Couldn't parse role: %s", role))
	}
	account := matches[1]
	roleName := matches[2]
	r := accountsUsersRoles[account][email]
	r = append(r, roleName)
	if accountsUsersRoles[account] == nil {
	accountsUsersRoles[account] = userRoles{}
	}
	accountsUsersRoles[account][email] = r
	}
	}

	for account, ur := range accountsUsersRoles {
	for email, roles := range ur {
	line := []string{email}
	line = append(line, roles...)
	err := writers[account].Write(line)
	if err != nil {
	panic(err)
	}
	}
	}

	for _, w := range writers {
	w.Flush()
	}

	log.Println("Files created.")
	}

	func getOktaUsersForAWS(ctx context.Context, client *okta.Client, appID string) (userRoles, error) {
	users := map[string][]string{}

	// Get users assigned directly to application
	appUsers, resp, err := client.Application.ListApplicationUsers(ctx, appID, nil)
	if err != nil {
	return users, err
	}
	for resp.HasNextPage() {
	var nextAppUsers []*okta.AppUser
	resp, err = resp.Next(ctx, &nextAppUsers)
	if err != nil {
	return users, err
	}
	appUsers = append(appUsers, nextAppUsers...)
	}
	for _, appUser := range appUsers {
	userProfile := appUser.Profile.(map[string]interface{})
	email := userProfile["email"].(string)
	roles := []string{}
	for _, r := range userProfile["samlRoles"].([]interface{}) {
	roles = append(roles, r.(string))
	}
	users[email] = roles
	}

	// Get users assigned to application via groups
	groups, resp, err := client.Application.ListApplicationGroupAssignments(ctx, appID, nil)
	if err != nil {
	return users, err
	}
	for resp.HasNextPage() {
	var nextGroups []*okta.ApplicationGroupAssignment
	resp, err = resp.Next(ctx, &nextGroups)
	if err != nil {
	return users, err
	}
	groups = append(groups, nextGroups...)
	}
	var groupUsers []*okta.User
	for _, group := range groups {
	roles := []string{}
	profile := group.Profile.(map[string]interface{})
	samlRoles := profile["samlRoles"].([]interface{})
	for _, r := range samlRoles {
	roles = append(roles, r.(string))
	}
	groupUsers, resp, err = client.Group.ListGroupUsers(ctx, group.Id, nil)
	if err != nil {
	return users, err
	}
	for resp.HasNextPage() {
	var nextGroupUsers []*okta.User
	resp, err = resp.Next(ctx, &nextGroupUsers)
	if err != nil {
	return users, err
	}
	groupUsers = append(groupUsers, nextGroupUsers...)
	}
	for _, groupUser := range groupUsers {
	userProfile := *(groupUser.Profile)
	email := userProfile["email"].(string)
	existingRoles, ok := users[email]
	if ok {
	users[email] = union(existingRoles, roles)
	}
	}
	}
	return users, err
	}

	func getOktaApps(ctx context.Context, client okta.Client) ([]okta.Application, error) {
	applications := []*okta.Application{}
	params := query.Params{
	Filter: "status eq \"ACTIVE\"",
	}
	apps, resp, err := client.Application.ListApplications(ctx, &params)
	if err != nil {
	log.Println("Can't get apps")
	return applications, err
	}
	applications = transformApplications(apps)
	for resp.HasNextPage() {
	var nextApps []*okta.Application
	resp, err = resp.Next(ctx, &nextApps)
	if err != nil {
	return applications, err
	}
	applications = append(applications, nextApps...)
	}
	return applications, nil
	}

	func transformApplications(values []okta.App) []*okta.Application {
	var tValues []*okta.Application
	for _, v := range values {
	tValues = append(tValues, v.(*okta.Application))
	}
	return tValues
	}

	func union(a, b []string) []string {
	m := make(map[string]bool)
	for _, item := range a {
	m[item] = true
	}
	for _, item := range b {
	if _, ok := m[item]; !ok {
	a = append(a, item)
	}
	}
	return a
	}