aws

package
v0.0.0-...-d0f2575 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jul 16, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

A package that generates Lacework deployment code for Amazon Web Services.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AwsGenerateCommandExtraState 

type AwsGenerateCommandExtraState struct {
	CloudtrailAdvanced            bool
	Output                        string
	AwsSubAccounts                []string
	AgentlessMonitoredAccounts    []string
	AgentlessScanningAccounts     []string
	ControlTowerAuditAccount      string
	ControlTowerLogArchiveAccount string
	TerraformApply                bool
}

func (*AwsGenerateCommandExtraState) IsEmpty 

func (a *AwsGenerateCommandExtraState) IsEmpty() bool

type AwsSubAccount 

type AwsSubAccount struct {
	// The name of the AwsProfile to use (in AWS configuration)
	AwsProfile string

	// The AwsRegion this profile should use if any resources are created
	AwsRegion string

	// The Alias of the provider block
	Alias string
}

func NewAwsSubAccount 

func NewAwsSubAccount(profile string, region string, alias ...string) AwsSubAccount

Create a new AWS sub account

A subaccount consists of the profile name (which needs to match the executing machines aws configuration) and a region for any new resources to be created in

type AwsTerraformModifier 

type AwsTerraformModifier func(c *GenerateAwsTfConfigurationArgs)

func WithAgentlessManagementAccountID 

func WithAgentlessManagementAccountID(accountID string) AwsTerraformModifier

WithAgentlessManagementAccountID Set Agentless management account ID

func WithAgentlessMonitoredAccountIDs 

func WithAgentlessMonitoredAccountIDs(accountIDs []string) AwsTerraformModifier

WithAgentlessMonitoredAccountIDs Set Agentless monitored account IDs

func WithAgentlessMonitoredAccounts 

func WithAgentlessMonitoredAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithAgentlessMonitoredAccounts Set Agentless monitored accounts

func WithAgentlessScanningAccounts 

func WithAgentlessScanningAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithAgentlessScanningAccounts Set Agentless scanning accounts

func WithAwsAssumeRole 

func WithAwsAssumeRole(assumeRole string) AwsTerraformModifier

WithAwsAssumeRole Set the AWS Assume Role to utilize for the main AWS provider

func WithAwsProfile 

func WithAwsProfile(name string) AwsTerraformModifier

WithAwsProfile Set the AWS Profile to utilize for the main AWS provider

func WithAwsRegion 

func WithAwsRegion(region string) AwsTerraformModifier

WithAwsRegion Set the AWS region to utilize for the main AWS provider

func WithBucketEncryptionEnabled 

func WithBucketEncryptionEnabled(enableBucketEncryption bool) AwsTerraformModifier

WithBucketEncryptionEnabled Enable encryption on a newly created bucket

func WithBucketName 

func WithBucketName(bucketName string) AwsTerraformModifier

WithBucketName add bucket name for CloudTrail integration

func WithBucketSSEKeyArn 

func WithBucketSSEKeyArn(bucketSseKeyArn string) AwsTerraformModifier

WithBucketSSEKeyArn Set existing KMS encryption key arn for bucket

func WithCloudtrailName 

func WithCloudtrailName(cloudtrailName string) AwsTerraformModifier

WithCloudtrailName add optional name for CloudTrail integration

func WithCloudtrailUseExistingSNSTopic 

func WithCloudtrailUseExistingSNSTopic(useExistingSNSTopic bool) AwsTerraformModifier

WithCloudtrailUseExistingSNSTopic Use the existing Cloudtrail SNS topic

func WithCloudtrailUseExistingTrail 

func WithCloudtrailUseExistingTrail(useExistingS3 bool) AwsTerraformModifier

WithCloudtrailUseExistingTrail Use the existing Cloudtrail S3 bucket

func WithConfigAdditionalAccounts 

func WithConfigAdditionalAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithConfigAdditionalAccounts Set Config additional accounts

func WithConfigOrgCfResourcePrefix 

func WithConfigOrgCfResourcePrefix(resourcePrefix string) AwsTerraformModifier

WithConfigOrgCfResourcePrefix Set Config org resource prefix

func WithConfigOrgId 

func WithConfigOrgId(orgId string) AwsTerraformModifier

WithConfigOrgId Set Config org ID

func WithConfigOrgLWAccessKeyId 

func WithConfigOrgLWAccessKeyId(accessKeyId string) AwsTerraformModifier

WithConfigOrgLWAccessKeyId Set Config org LW access key ID

func WithConfigOrgLWAccount 

func WithConfigOrgLWAccount(account string) AwsTerraformModifier

WithConfigOrgLWAccount Set Config org LW account

func WithConfigOrgLWSecretKey 

func WithConfigOrgLWSecretKey(secretKey string) AwsTerraformModifier

WithConfigOrgLWSecretKey Set Config org LW secret key

func WithConfigOrgLWSubaccount 

func WithConfigOrgLWSubaccount(subaccount string) AwsTerraformModifier

WithConfigOrgLWSubaccount Set Config org LW sub-account

func WithConfigOrgUnits 

func WithConfigOrgUnits(orgUnits []string) AwsTerraformModifier

WithConfigOrgUnits Set Config org units

func WithConsolidatedCloudtrail 

func WithConsolidatedCloudtrail(consolidatedCloudtrail bool) AwsTerraformModifier

WithConsolidatedCloudtrail Enable Consolidated Cloudtrail use

func WithControlTower 

func WithControlTower(controlTower bool) AwsTerraformModifier

WithControlTower Set ControlTower

func WithControlTowerAuditAccount 

func WithControlTowerAuditAccount(auditAccount *AwsSubAccount) AwsTerraformModifier

WithControlTowerAuditAccount Set ControlTower audit account

func WithControlTowerKmsKeyArn 

func WithControlTowerKmsKeyArn(kmsKeyArn string) AwsTerraformModifier

WithControlTowerKmsKeyArn Set ControlTower custom KMS key ARN

func WithControlTowerLogArchiveAccount 

func WithControlTowerLogArchiveAccount(LogArchiveAccount *AwsSubAccount) AwsTerraformModifier

WithControlTowerLogArchiveAccount Set ControlTower log archive account

func WithCustomOutputs 

func WithCustomOutputs(outputs []lwgenerate.HclOutput) AwsTerraformModifier

WithConfigOutputs Set Custom Terraform Outputs

func WithExistingCloudtrailBucketArn 

func WithExistingCloudtrailBucketArn(arn string) AwsTerraformModifier

WithExistingCloudtrailBucketArn Set the bucket ARN of an existing Cloudtrail setup

func WithExistingIamRole 

func WithExistingIamRole(iamDetails *ExistingIamRoleDetails) AwsTerraformModifier

WithExistingIamRole Set an existing IAM role configuration to use with the created Terraform code

func WithExistingSnsTopicArn 

func WithExistingSnsTopicArn(arn string) AwsTerraformModifier

WithExistingSnsTopicArn Set the SNS Topic ARN of an existing Cloudtrail setup

func WithExtraBlocks 

func WithExtraBlocks(blocks []*hclwrite.Block) AwsTerraformModifier

WithExtraBlocks enables adding additional arbitrary blocks to the root hcl document

func WithExtraProviderArguments 

func WithExtraProviderArguments(arguments map[string]interface{}) AwsTerraformModifier

WithExtraProviderArguments enables adding additional arguments into the `aws` provider block this enables custom use cases

func WithExtraRootBlocks 

func WithExtraRootBlocks(blocks []*hclwrite.Block) AwsTerraformModifier

WithExtraRootBlocks allows adding generic hcl blocks to the root `terraform{}` block this enables custom use cases

func WithLaceworkAccountID 

func WithLaceworkAccountID(accountID string) AwsTerraformModifier

WithLaceworkAccountID Set the Lacework AWS root account ID to use

func WithLaceworkProfile 

func WithLaceworkProfile(name string) AwsTerraformModifier

WithLaceworkProfile Set the Lacework Profile to utilize when integrating

func WithOrgAccountMappings 

func WithOrgAccountMappings(mapping OrgAccountMapping) AwsTerraformModifier

WithOrgAccountMappings add optional name for Organization account mappings Sets lacework org level to true

func WithProviderDefaultTags 

func WithProviderDefaultTags(tags map[string]interface{}) AwsTerraformModifier

WithProviderDefaultTags adds default_tags to the provider configuration for AWS (if tags are present)

func WithS3BucketNotification 

func WithS3BucketNotification(s3BucketNotifiaction bool) AwsTerraformModifier

func WithSnsTopicEncryptionEnabled 

func WithSnsTopicEncryptionEnabled(snsTopicEncryptionEnabled bool) AwsTerraformModifier

WithSnsTopicEncryptionEnabled Enable encryption on SNS Topic when created

func WithSnsTopicEncryptionKeyArn 

func WithSnsTopicEncryptionKeyArn(snsTopicEncryptionKeyArn string) AwsTerraformModifier

WithSnsTopicEncryptionKeyArn Set existing KMS encryption key arn for SNS topic

func WithSnsTopicName 

func WithSnsTopicName(snsTopicName string) AwsTerraformModifier

WithSnsTopicName Set SNS Topic Name if creating new one

func WithSqsEncryptionEnabled 

func WithSqsEncryptionEnabled(sqsEncryptionEnabled bool) AwsTerraformModifier

WithSqsEncryptionEnabled Enable encryption on SQS queue when created

func WithSqsEncryptionKeyArn 

func WithSqsEncryptionKeyArn(ssqEncryptionKeyArn string) AwsTerraformModifier

WithSqsEncryptionKeyArn Set existing KMS encryption key arn for SQS queue

func WithSqsQueueName 

func WithSqsQueueName(sqsQueueName string) AwsTerraformModifier

WithSqsQueueName Set SQS Queue Name if creating new one

func WithSubaccounts 

func WithSubaccounts(subaccounts ...AwsSubAccount) AwsTerraformModifier

WithSubaccounts Supply additional AWS Profiles to integrate

type ExistingIamRoleDetails 

type ExistingIamRoleDetails struct {
	// Existing IAM Role ARN
	Arn string

	// Existing IAM Role Name
	Name string

	// Existing IAM Role External Id
	ExternalId string
}

func NewExistingIamRoleDetails 

func NewExistingIamRoleDetails(name string, arn string, externalId string) *ExistingIamRoleDetails

NewExistingIamRoleDetails Create new existing IAM role details

func (*ExistingIamRoleDetails) IsEmpty 

func (e *ExistingIamRoleDetails) IsEmpty() bool

func (*ExistingIamRoleDetails) IsPartial 

func (e *ExistingIamRoleDetails) IsPartial() bool

type GenerateAwsTfConfigurationArgs 

type GenerateAwsTfConfigurationArgs struct {
	// Should we enable AWS organization integration?
	AwsOrganization bool

	// Should we configure Agentless integration in LW?
	Agentless bool

	// Agentless management AWS account ID
	AgentlessManagementAccountID string

	// Agentless monitored AWS account IDs, OUs, or the organization root.
	AgentlessMonitoredAccountIDs []string

	// Agentless monitored AWS accounts
	AgentlessMonitoredAccounts []AwsSubAccount

	// Agentless scanning AWS accounts
	AgentlessScanningAccounts []AwsSubAccount

	// Is the AWS organization using Control Tower?
	ControlTower bool

	// AWS Control Tower Audit account
	ControlTowerAuditAccount *AwsSubAccount

	// AWS Control Tower Log Archive account
	ControlTowerLogArchiveAccount *AwsSubAccount

	// AWS Control Tower custom KMS key ARN
	ControlTowerKmsKeyArn string

	// Should we configure Cloudtrail integration in LW?
	Cloudtrail bool

	// Optional name for CloudTrail
	CloudtrailName string

	// Should we configure AWS organization mappings?
	AwsOrganizationMappings bool

	// Cloudtrail organization account mappings
	OrgAccountMappings OrgAccountMapping

	// OrgAccountMapping json used for flag input
	OrgAccountMappingsJson string

	// Use exisiting CloudTrail
	CloudtrailUseExistingTrail bool

	// Use exisiting CloudTrail SNS topic
	CloudtrailUseExistingSNSTopic bool

	// Should we configure CSPM integration in LW?
	Config bool

	// Optional name for config
	ConfigName string

	// Config additional AWS accounts
	ConfigAdditionalAccounts []AwsSubAccount

	// Config Lacework account
	ConfigOrgLWAccount string

	// Config Lacework sub-account
	ConfigOrgLWSubaccount string

	// Config Lacework access key ID
	ConfigOrgLWAccessKeyId string

	// Config Lacework secret key
	ConfigOrgLWSecretKey string

	// Config organization ID
	ConfigOrgId string

	// Config organization unit
	ConfigOrgUnits []string

	// Config resource prefix
	ConfigOrgCfResourcePrefix string

	// Custom outputs
	CustomOutputs []lwgenerate.HclOutput

	// Supply an AWS region for where to find the cloudtrail resources
	// TODO @ipcrm future: support split regions for resources (s3 one place, sns another, etc)
	AwsRegion string

	// Supply an AWS Profile name for the main account, only asked if configuring multiple
	AwsProfile string

	// Supply an AWS Assume Role for the main account
	AwsAssumeRole string

	// Existing S3 Bucket ARN (Required when using existing cloudtrail)
	ExistingCloudtrailBucketArn string

	// Optionally supply existing IAM role details
	ExistingIamRole *ExistingIamRoleDetails

	// Existing SNS Topic
	ExistingSnsTopicArn string

	// Consolidated Trail
	ConsolidatedCloudtrail bool

	// Should we force destroy the bucket if it has stuff in it? (only relevant on new Cloudtrail creation)
	// DEPRECATED
	ForceDestroyS3Bucket bool

	// Enable encryption of bucket if it is created
	BucketEncryptionEnabled bool

	// Indicates that the Bucket Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	BucketEncryptionEnabledSet bool

	// Optional name of bucket if creating a new one
	BucketName string

	// Arn of the KMS encryption key for S3, required when bucket encryption in enabled
	BucketSseKeyArn string

	// Enable S3 bucket notification
	S3BucketNotification bool

	// SNS Topic name if creating one and not using an existing one
	SnsTopicName string

	// Enable encryption of SNS if it is created
	SnsTopicEncryptionEnabled bool

	// Indicates that the SNS Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	SnsEncryptionEnabledSet bool

	// Arn of the KMS encryption key for SNS, required when SNS encryption in enabled
	SnsTopicEncryptionKeyArn string

	// SSQ Queue name if creating one and not using an existing one
	SqsQueueName string

	// Enable encryption of SQS if it is created
	SqsEncryptionEnabled bool

	// Indicates that the SQS Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	SqsEncryptionEnabledSet bool

	// Arn of the KMS encryption key for SQS, required when SQS encryption in enabled
	SqsEncryptionKeyArn string

	// For AWS Subaccounts in consolidated CT setups
	// TODO @ipcrm future: what about many individual ct/config integrations together?
	SubAccounts []AwsSubAccount

	// Lacework Profile to use
	LaceworkProfile string

	// The Lacework AWS Root Account ID
	LaceworkAccountID string

	// Lacework Organization
	LaceworkOrganizationLevel bool

	// Default AWS Provider Tags
	ProviderDefaultTags map[string]interface{}

	// Add custom blocks to the root `terraform{}` block. Can be used for advanced configuration. Things like backend, etc
	ExtraBlocksRootTerraform []*hclwrite.Block

	// ExtraProviderArguments allows adding more arguments to the provider block as needed (custom use cases)
	ExtraProviderArguments map[string]interface{}

	// ExtraBlocks allows adding more hclwrite.Block to the root terraform document (advanced use cases)
	ExtraBlocks []*hclwrite.Block
}

func NewTerraform 

func NewTerraform(
	enableAwsOrganization bool,
	enableAgentless bool,
	enableConfig bool,
	enableCloudtrail bool,
	mods ...AwsTerraformModifier,
) *GenerateAwsTfConfigurationArgs

NewTerraform returns an instance of the GenerateAwsTfConfigurationArgs struct with the provided region and enabled settings (config/cloudtrail).

Note: Additional configuration details may be set using modifiers of the AwsTerraformModifier type

Basic usage: Initialize a new AwsTerraformModifier struct, with a non-default AWS profile set. Then use generate to 

           create a string output of the required HCL.

hcl, err := aws.NewTerraform("us-east-1", true, true,
  aws.WithAwsProfile("mycorp-profile")).Generate()

func (*GenerateAwsTfConfigurationArgs) Generate 

func (args *GenerateAwsTfConfigurationArgs) Generate() (string, error)

Generate new Terraform code based on the supplied args.

func (*GenerateAwsTfConfigurationArgs) IsEmpty 

func (args *GenerateAwsTfConfigurationArgs) IsEmpty() bool

func (*GenerateAwsTfConfigurationArgs) Validate 

func (args *GenerateAwsTfConfigurationArgs) Validate() error

Ensure all combinations of inputs our valid for supported spec

type OrgAccountMap 

type OrgAccountMap struct {
	LaceworkAccount string   `json:"lacework_account"`
	AwsAccounts     []string `json:"aws_accounts"`
}

type OrgAccountMapping 

type OrgAccountMapping struct {
	DefaultLaceworkAccount string          `json:"default_lacework_account"`
	Mapping                []OrgAccountMap `json:"mapping"`
}

func (*OrgAccountMapping) IsEmpty 

func (orgMap *OrgAccountMapping) IsEmpty() bool

func (*OrgAccountMapping) ToMap 

func (orgMap *OrgAccountMapping) ToMap() (map[string]any, error)

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.