5252 scanKubeContext string
5353 scanExcludeTags []string
5454 scanMinUptimeDays int
55+ scanTargets []string
56+ scanRole string
57+ scanExternalID string
58+ scanOrg bool
59+ scanSkipSelf bool
5560)
5661
5762// --- diff command ---
@@ -85,6 +90,12 @@ func init() {
8590 scanCmd .Flags ().StringVar (& scanKubeContext , "kube-context" , "" , "Kubernetes context to use (default: current context)" )
8691 scanCmd .Flags ().StringSliceVar (& scanExcludeTags , "exclude-tag" , nil , "Exclude instances matching tag (key=value, repeatable)" )
8792 scanCmd .Flags ().IntVar (& scanMinUptimeDays , "min-uptime-days" , 0 , "Only flag instances running for at least this many days" )
93+ scanCmd .Flags ().StringSliceVar (& scanTargets , "targets" , nil , "Account IDs to scan (comma-separated)" )
94+ scanCmd .Flags ().StringVar (& scanRole , "role" , "" , "IAM role name to assume in each target" )
95+ scanCmd .Flags ().StringVar (& scanExternalID , "external-id" , "" , "STS external ID for cross-account role assumption" )
96+ scanCmd .Flags ().BoolVar (& scanOrg , "org" , false , "Auto-discover all accounts from AWS Organizations" )
97+ scanCmd .Flags ().BoolVar (& scanSkipSelf , "skip-self" , false , "Exclude the caller's own account from the scan" )
98+ scanCmd .MarkFlagsMutuallyExclusive ("targets" , "org" )
8899
89100 diffCmd .Flags ().StringVar (& diffFormat , "format" , "table" , "Output format: table, json" )
90101
@@ -98,6 +109,10 @@ func init() {
98109func runScan (cmd * cobra.Command , args []string ) error {
99110 ctx := context .Background ()
100111
112+ if (len (scanTargets ) > 0 || scanOrg ) && scanRole == "" {
113+ return fmt .Errorf ("--role is required when using --targets or --org" )
114+ }
115+
101116 opts := awsprovider .DefaultScanOptions ()
102117 opts .Profile = scanProfile
103118 opts .Regions = scanRegions
@@ -107,6 +122,11 @@ func runScan(cmd *cobra.Command, args []string) error {
107122 opts .SkipCosts = scanSkipCosts
108123 opts .ExcludeTags = parseExcludeTags (scanExcludeTags )
109124 opts .MinUptimeDays = scanMinUptimeDays
125+ opts .Targets = scanTargets
126+ opts .Role = scanRole
127+ opts .ExternalID = scanExternalID
128+ opts .OrgScan = scanOrg
129+ opts .SkipSelf = scanSkipSelf
110130
111131 result , err := awsprovider .Scan (ctx , opts )
112132 if err != nil {
@@ -322,8 +342,21 @@ var iamPolicyCmd = &cobra.Command{
322342 },
323343 "Resource" : "*" ,
324344 },
345+ {
346+ "Sid" : "GPUAuditCrossAccount" ,
347+ "Effect" : "Allow" ,
348+ "Action" : "sts:AssumeRole" ,
349+ "Resource" : "arn:aws:iam::*:role/gpuaudit-reader" ,
350+ },
351+ {
352+ "Sid" : "GPUAuditOrganizations" ,
353+ "Effect" : "Allow" ,
354+ "Action" : "organizations:ListAccounts" ,
355+ "Resource" : "*" ,
356+ },
325357 },
326358 }
359+ fmt .Fprintln (os .Stdout , "// The last two statements (CrossAccount, Organizations) are only needed for --targets or --org scanning." )
327360 enc := json .NewEncoder (os .Stdout )
328361 enc .SetIndent ("" , " " )
329362 enc .Encode (policy )
0 commit comments