🐛 ensure we catch all 403 access denied errors (#3296)

providers/aws/resources/aws_dms.go

@@ -5,9 +5,9 @@ package resources
 
 import (
 	"context"
+	"errors"
 
 	"github.com/aws/aws-sdk-go-v2/service/databasemigrationservice"
-	"github.com/aws/aws-sdk-go-v2/service/databasemigrationservice/types"
 	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v10/providers-sdk/v1/util/convert"
 	"go.mondoo.com/cnquery/v10/providers-sdk/v1/util/jobpool"
@@ -21,19 +21,29 @@ func (a *mqlAwsDms) id() (string, error) {
 func (a *mqlAwsDms) replicationInstances() ([]interface{}, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
 
-	res := []types.ReplicationInstance{}
+	res := []interface{}{}
 	poolOfJobs := jobpool.CreatePool(a.getReplicationInstances(conn), 5)
 	poolOfJobs.Run()
 
 	// check for errors
 	if poolOfJobs.HasErrors() {
 		return nil, poolOfJobs.GetErrors()
 	}
+	var errs []error
 	// get all the results
 	for i := range poolOfJobs.Jobs {
-		res = append(res, poolOfJobs.Jobs[i].Result.([]types.ReplicationInstance)...)
+		if poolOfJobs.Jobs[i].Err != nil {
+			errs = append(errs, poolOfJobs.Jobs[i].Err)
+		}
+		if poolOfJobs.Jobs[i].Result != nil {
+			res = append(res, poolOfJobs.Jobs[i].Result.([]interface{})...)
+		}
+	}
+	converted, err := convert.JsonToDictSlice(res)
+	if err != nil {
+		return nil, err
 	}
-	return convert.JsonToDictSlice(res)
+	return converted, errors.Join(errs...)
 }
 
 func (a *mqlAwsDms) getReplicationInstances(conn *connection.AwsConnection) []*jobpool.Job {
@@ -50,26 +60,31 @@ func (a *mqlAwsDms) getReplicationInstances(conn *connection.AwsConnection) []*j
 
 			svc := conn.Dms(regionVal)
 			ctx := context.Background()
-			replicationInstancesAggregated := []types.ReplicationInstance{}
+			res := []interface{}{}
 
 			var marker *string
 			for {
 				replicationInstances, err := svc.DescribeReplicationInstances(ctx, &databasemigrationservice.DescribeReplicationInstancesInput{Marker: marker})
 				if err != nil {
 					if Is400AccessDeniedError(err) {
 						log.Warn().Str("region", regionVal).Msg("error accessing region for AWS API")
-						return tasks, nil
+						return nil, nil
 					}
 					return nil, err
 				}
-				replicationInstancesAggregated = append(replicationInstancesAggregated, replicationInstances.ReplicationInstances...)
+
+				mqlRep, err := convert.JsonToDictSlice(replicationInstances.ReplicationInstances)
+				if err != nil {
+					return nil, err
+				}
+				res = append(res, mqlRep...)
 
 				if replicationInstances.Marker == nil {
 					break
 				}
 				marker = replicationInstances.Marker
 			}
-			return jobpool.JobResult(replicationInstancesAggregated), nil
+			return jobpool.JobResult(res), nil
 		}
 		tasks = append(tasks, jobpool.NewJob(f))
 	}

providers/aws/resources/aws_ec2.go

@@ -508,8 +508,10 @@ func (a *mqlAwsEc2) ebsEncryptionByDefault() (map[string]interface{}, error) {
 	}
 	// get all the results
 	for i := range poolOfJobs.Jobs {
-		jobResult := poolOfJobs.Jobs[i].Result.(ebsEncryption)
-		res[jobResult.region] = jobResult.ebsEncryptionByDefault
+		if poolOfJobs.Jobs[i].Result != nil {
+			jobResult := poolOfJobs.Jobs[i].Result.(ebsEncryption)
+			res[jobResult.region] = jobResult.ebsEncryptionByDefault
+		}
 	}
 	return res, nil
 }
@@ -528,13 +530,12 @@ func (a *mqlAwsEc2) getEbsEncryptionPerRegion(conn *connection.AwsConnection) []
 
 			svc := conn.Ec2(regionVal)
 			ctx := context.Background()
-			res := []interface{}{}
 
 			ebsEncryptionRes, err := svc.GetEbsEncryptionByDefault(ctx, &ec2.GetEbsEncryptionByDefaultInput{})
 			if err != nil {
 				if Is400AccessDeniedError(err) {
 					log.Warn().Str("region", regionVal).Msg("error accessing region for AWS API")
-					return res, nil
+					return nil, nil
 				}
 				return nil, err
 			}

providers/aws/resources/aws_elasticache.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 
 	"github.com/aws/aws-sdk-go-v2/service/elasticache"
-	ecstypes "github.com/aws/aws-sdk-go-v2/service/elasticache/types"
 
 	"github.com/rs/zerolog/log"
 	"go.mondoo.com/cnquery/v10/llx"
@@ -36,7 +35,7 @@ func (a *mqlAwsElasticache) clusters() ([]interface{}, error) {
 	// get all the results
 	for i := range poolOfJobs.Jobs {
 		if poolOfJobs.Jobs[i].Result != nil {
-			res = append(res, poolOfJobs.Jobs[i].Result.([]interface{})...)
+			res = append(res, poolOfJobs.Jobs[i].Result.(interface{}))
 		}
 	}
 
@@ -57,7 +56,7 @@ func (a *mqlAwsElasticache) getClusters(conn *connection.AwsConnection) []*jobpo
 
 			svc := conn.Elasticache(regionVal)
 			ctx := context.Background()
-			res := []ecstypes.CacheCluster{}
+			var res interface{}
 
 			var marker *string
 			for {
@@ -72,7 +71,6 @@ func (a *mqlAwsElasticache) getClusters(conn *connection.AwsConnection) []*jobpo
 				if len(clusters.CacheClusters) == 0 {
 					return nil, nil
 				}
-				res = append(res, clusters.CacheClusters...)
 				if clusters.Marker == nil {
 					break
 				}

providers/aws/resources/shared.go

@@ -16,8 +16,8 @@ import (
 	"go.mondoo.com/cnquery/v10/llx"
 	"go.mondoo.com/cnquery/v10/providers-sdk/v1/inventory"
 	"go.mondoo.com/cnquery/v10/providers-sdk/v1/plugin"
-	"go.mondoo.com/cnquery/v10/providers/network/resources/certificates"
 	"go.mondoo.com/cnquery/v10/providers/aws/connection"
+	"go.mondoo.com/cnquery/v10/providers/network/resources/certificates"
 	"go.mondoo.com/cnquery/v10/types"
 	"k8s.io/client-go/util/cert"
 )
@@ -58,7 +58,7 @@ func (a *mqlAws) regions() ([]interface{}, error) {
 func Is400AccessDeniedError(err error) bool {
 	var respErr *http.ResponseError
 	if errors.As(err, &respErr) {
-		if respErr.HTTPStatusCode() == 400 && strings.Contains(respErr.Error(), "AccessDeniedException") {
+		if (respErr.HTTPStatusCode() == 400 || respErr.HTTPStatusCode() == 403) && (strings.Contains(respErr.Error(), "AccessDenied") || strings.Contains(respErr.Error(), "UnauthorizedOperation") || strings.Contains(respErr.Error(), "AuthorizationError")) {
 			return true
 		}
 	}