feat(aws): create config access logs for IAM assume role

[yashmehrotra]

Fixes: #1845

Summary by CodeRabbit

• New Features

  • CloudTrail scraper now converts AssumeRole events into access-log entries for better tracing of assumed roles.
  • CloudTrail event data now captures Role ARN to improve role attribution.

• Refactor

  • Streamlined event lookup and processing for more efficient handling.

• Tests

  • Added tests covering AssumeRole-to-access-log conversion scenarios.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3b1d55b and ba5d1ad.

📒 Files selected for processing (1)

• scrapers/aws/cloudtrail.go

---

Walkthrough

Adds handling for AWS CloudTrail AssumeRole events: a new RequestParameters.RoleArn field, removal of default AssumeRole exclusion, a converter function that turns AssumeRole events into ExternalUser + ConfigAccessLog ScrapeResult, and corresponding tests.

Changes

Cohort / File(s)	Summary
CloudTrail implementation scrapers/aws/cloudtrail.go	Added RoleArn to CloudTrailEvent.RequestParameters. Removed default exclusion of AssumeRole. Added logic to route AssumeRole events to a new cloudtrailAssumeRoleToAccessLog converter that emits ExternalUser and ConfigAccessLog ScrapeResult; simplified event lookup initialization.
CloudTrail tests scrapers/aws/cloudtrail_test.go	Added TestCloudTrailAssumeRoleToAccessLog covering IAMUser and AssumedRole chains: asserts ExternalUser fields, deterministic user ID from ARN, and ConfigAccessLog properties including ExternalID, ConfigType, ExternalUserID, and CreatedAt. Added test imports (time, hash, pq).

Sequence Diagram(s)

sequenceDiagram
  participant CloudTrail as CloudTrail (event source)
  participant Scraper as CloudTrail Scraper
  participant Converter as cloudtrailAssumeRoleToAccessLog
  participant Emitter as ScrapeResult Emitter

  CloudTrail->>Scraper: delivers event (AssumeRole)
  Scraper->>Converter: parse event, extract roleArn & userIdentity
  Converter->>Converter: determine actor ARN, build ExternalUser & ConfigAccessLog
  Converter-->>Scraper: return ScrapeResult
  Scraper->>Emitter: emit ExternalUser + ConfigAccessLog

Loading

Possibly related PRs

• feat: orphaned change details #1809: Modifies scrapers/aws/cloudtrail.go (CloudTrailEvent fields and parsing logic), likely overlapping with these structural changes.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main feature: creating config access logs for IAM assume role events, which aligns with the code changes adding AssumeRole handling.
Linked Issues check	✅ Passed	The PR implements the core requirement from #1845 by adding CloudTrail event handling for IAM role assumptions and generating config access logs with user and role information.
Out of Scope Changes check	✅ Passed	All code changes are directly related to implementing IAM assume role handling and access log creation, with no unrelated modifications present.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch assume-role-cloudtrail

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@scrapers/aws/cloudtrail.go`:
- Around line 287-307: The switch handling userType can set userARN to empty
when AssumedRole lacks SessionContext.SessionIssuer; update the AssumedRole
branch in the switch (where userName/userARN are assigned from
ctEvent.UserIdentity.SessionContext.SessionIssuer) to first try
SessionIssuer.Arn and if empty fall back to ctEvent.UserIdentity.Arn, and after
the switch validate that userARN is non-empty before calling
hash.DeterministicUUID (return an error if still empty) so DeterministicUUID
never receives an empty alias; reference ctEvent.UserIdentity,
SessionContext.SessionIssuer, the userARN variable, and the call to
hash.DeterministicUUID/userID.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1292dbf and 3b1d55b.

📒 Files selected for processing (2)

• scrapers/aws/cloudtrail.go
• scrapers/aws/cloudtrail_test.go