diff --git a/plugins/providers/gcs/client.go b/plugins/providers/gcs/client.go index 956a79d6f..f03dd787e 100644 --- a/plugins/providers/gcs/client.go +++ b/plugins/providers/gcs/client.go @@ -9,6 +9,7 @@ import ( "cloud.google.com/go/storage" "github.com/odpf/guardian/domain" "github.com/odpf/guardian/utils" + "golang.org/x/sync/errgroup" "google.golang.org/api/iterator" "google.golang.org/api/option" ) @@ -83,42 +84,51 @@ func (c *gcsClient) RevokeBucketAccess(ctx context.Context, b Bucket, identity s func (c *gcsClient) ListAccess(ctx context.Context, resources []*domain.Resource) (domain.MapResourceAccess, error) { result := make(domain.MapResourceAccess) + eg, ctx := errgroup.WithContext(ctx) for _, resource := range resources { - var accessEntries []domain.AccessEntry - - bucket := c.client.Bucket(resource.URN) - policy, err := bucket.IAM().Policy(ctx) - if err != nil { - return nil, fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err) - } - - for _, role := range policy.Roles() { - for _, member := range policy.Members(role) { - if strings.HasPrefix(member, "deleted:") { - continue - } - accountType, accountID, err := parseMember(member) - if err != nil { - return nil, err - } + resource := resource + eg.Go(func() error { + var accessEntries []domain.AccessEntry + + bucket := c.client.Bucket(resource.URN) + policy, err := bucket.IAM().Policy(ctx) + if err != nil { + return fmt.Errorf("Bucket(%q).IAM().Policy: %w", resource.URN, err) + } - // exclude unsupported account types - if !utils.ContainsString(AllowedAccountTypes, accountType) { - continue + for _, role := range policy.Roles() { + for _, member := range policy.Members(role) { + if strings.HasPrefix(member, "deleted:") { + continue + } + accountType, accountID, err := parseMember(member) + if err != nil { + return err + } + + // exclude unsupported account types + if !utils.ContainsString(AllowedAccountTypes, accountType) { + continue + } + + accessEntries = append(accessEntries, domain.AccessEntry{ + Permission: string(role), + AccountID: accountID, + AccountType: accountType, + }) } + } - accessEntries = append(accessEntries, domain.AccessEntry{ - Permission: string(role), - AccountID: accountID, - AccountType: accountType, - }) + if accessEntries != nil { + result[resource.URN] = accessEntries } - } - if accessEntries != nil { - result[resource.URN] = accessEntries - } + return nil + }) + } + if err := eg.Wait(); err != nil { + return nil, err } return result, nil