aws

package
Published: Apr 29, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

A package that generates Lacework deployment code for Amazon Web Services.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AwsGenerateCommandExtraState added in v1.40.0

// AwsGenerateCommandExtraState carries the extra, CLI-gathered state that accompanies a
// GenerateAwsTfConfigurationArgs during code generation. How each field is consumed is not
// visible in this listing; the per-field notes below are inferred from field names and the
// related modifiers and should be confirmed against the command implementation.
type AwsGenerateCommandExtraState struct {
	// CloudtrailAdvanced — presumably whether the advanced CloudTrail options were requested; verify against the command.
	CloudtrailAdvanced            bool
	// Output — presumably the output location for the generated code; verify against the command.
	Output                        string
	// AwsSubAccounts — raw sub-account specifications (strings, not AwsSubAccount values);
	// NOTE(review): parsing into AwsSubAccount presumably happens elsewhere — confirm.
	AwsSubAccounts                []string
	// AgentlessMonitoredAccounts — raw agentless monitored account specifications (see WithAgentlessMonitoredAccounts).
	AgentlessMonitoredAccounts    []string
	// AgentlessScanningAccounts — raw agentless scanning account specifications (see WithAgentlessScanningAccounts).
	AgentlessScanningAccounts     []string
	// ControlTowerAuditAccount — raw Control Tower audit account specification (see WithControlTowerAuditAccount).
	ControlTowerAuditAccount      string
	// ControlTowerLogArchiveAccount — raw Control Tower log archive account specification (see WithControlTowerLogArchiveAccount).
	ControlTowerLogArchiveAccount string
	// TerraformApply — presumably whether to run terraform apply after generation; verify against the command.
	TerraformApply                bool
}

func (*AwsGenerateCommandExtraState) IsEmpty added in v1.40.0

func (a *AwsGenerateCommandExtraState) IsEmpty() bool

type AwsSubAccount

// AwsSubAccount describes one additional AWS account to integrate: an AWS CLI profile,
// the region in which any new resources are created, and the Terraform provider alias.
// Construct with NewAwsSubAccount.
type AwsSubAccount struct {
	// The name of the AwsProfile to use (in AWS configuration); it must match a
	// profile present on the machine that runs the generated Terraform.
	AwsProfile string

	// The AwsRegion this profile should use if any resources are created
	AwsRegion string

	// The Alias of the provider block (the aliased AWS provider emitted for this account)
	Alias string
}

func NewAwsSubAccount

func NewAwsSubAccount(profile string, region string, alias ...string) AwsSubAccount

Create a new AWS sub account

A subaccount consists of the profile name (which needs to match the executing machine's AWS configuration) and a region in which any new resources will be created.

type AwsTerraformModifier

// AwsTerraformModifier is a functional option applied by NewTerraform to the
// GenerateAwsTfConfigurationArgs it builds; the With* functions in this package return one.
type AwsTerraformModifier func(c *GenerateAwsTfConfigurationArgs)

func WithAgentlessManagementAccountID added in v1.38.0

func WithAgentlessManagementAccountID(accountID string) AwsTerraformModifier

WithAgentlessManagementAccountID Set Agentless management account ID

func WithAgentlessMonitoredAccountIDs added in v1.38.0

func WithAgentlessMonitoredAccountIDs(accountIDs []string) AwsTerraformModifier

WithAgentlessMonitoredAccountIDs Set Agentless monitored account IDs

func WithAgentlessMonitoredAccounts added in v1.38.0

func WithAgentlessMonitoredAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithAgentlessMonitoredAccounts Set Agentless monitored accounts

func WithAgentlessScanningAccounts added in v1.40.0

func WithAgentlessScanningAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithAgentlessScanningAccounts Set Agentless scanning accounts

func WithAwsAssumeRole added in v1.38.0

func WithAwsAssumeRole(assumeRole string) AwsTerraformModifier

WithAwsAssumeRole Set the AWS Assume Role to utilize for the main AWS provider

func WithAwsProfile

func WithAwsProfile(name string) AwsTerraformModifier

WithAwsProfile Set the AWS Profile to utilize for the main AWS provider

func WithAwsRegion added in v1.40.0

func WithAwsRegion(region string) AwsTerraformModifier

WithAwsRegion Set the AWS region to utilize for the main AWS provider

func WithBucketEncryptionEnabled added in v0.41.0

func WithBucketEncryptionEnabled(enableBucketEncryption bool) AwsTerraformModifier

WithBucketEncryptionEnabled Enable encryption on a newly created bucket

func WithBucketName added in v0.41.0

func WithBucketName(bucketName string) AwsTerraformModifier

WithBucketName add bucket name for CloudTrail integration

func WithBucketSSEKeyArn added in v0.41.0

func WithBucketSSEKeyArn(bucketSseKeyArn string) AwsTerraformModifier

WithBucketSSEKeyArn Set existing KMS encryption key arn for bucket

func WithCloudtrailName added in v0.41.0

func WithCloudtrailName(cloudtrailName string) AwsTerraformModifier

WithCloudtrailName add optional name for CloudTrail integration

func WithCloudtrailUseExistingSNSTopic added in v1.40.0

func WithCloudtrailUseExistingSNSTopic(useExistingSNSTopic bool) AwsTerraformModifier

WithCloudtrailUseExistingSNSTopic Use the existing Cloudtrail SNS topic

func WithCloudtrailUseExistingTrail added in v1.44.3

func WithCloudtrailUseExistingTrail(useExistingS3 bool) AwsTerraformModifier

WithCloudtrailUseExistingTrail Use the existing Cloudtrail S3 bucket

func WithConfigAdditionalAccounts added in v1.40.0

func WithConfigAdditionalAccounts(accounts ...AwsSubAccount) AwsTerraformModifier

WithConfigAdditionalAccounts Set Config additional accounts

func WithConfigOrgCfResourcePrefix added in v1.40.0

func WithConfigOrgCfResourcePrefix(resourcePrefix string) AwsTerraformModifier

WithConfigOrgCfResourcePrefix Set Config org resource prefix

func WithConfigOrgId added in v1.40.0

func WithConfigOrgId(orgId string) AwsTerraformModifier

WithConfigOrgId Set Config org ID

func WithConfigOrgLWAccessKeyId added in v1.40.0

func WithConfigOrgLWAccessKeyId(accessKeyId string) AwsTerraformModifier

WithConfigOrgLWAccessKeyId Set Config org LW access key ID

func WithConfigOrgLWAccount added in v1.40.0

func WithConfigOrgLWAccount(account string) AwsTerraformModifier

WithConfigOrgLWAccount Set Config org LW account

func WithConfigOrgLWSecretKey added in v1.40.0

func WithConfigOrgLWSecretKey(secretKey string) AwsTerraformModifier

WithConfigOrgLWSecretKey Set Config org LW secret key

func WithConfigOrgLWSubaccount added in v1.40.0

func WithConfigOrgLWSubaccount(subaccount string) AwsTerraformModifier

WithConfigOrgLWSubaccount Set Config org LW sub-account

func WithConfigOrgUnits added in v1.40.0

func WithConfigOrgUnits(orgUnits []string) AwsTerraformModifier

WithConfigOrgUnits Set Config org units

func WithConsolidatedCloudtrail added in v1.40.0

func WithConsolidatedCloudtrail(consolidatedCloudtrail bool) AwsTerraformModifier

WithConsolidatedCloudtrail Enable Consolidated Cloudtrail use

func WithControlTower added in v1.41.0

func WithControlTower(controlTower bool) AwsTerraformModifier

WithControlTower Set ControlTower

func WithControlTowerAuditAccount added in v1.41.0

func WithControlTowerAuditAccount(auditAccount *AwsSubAccount) AwsTerraformModifier

WithControlTowerAuditAccount Set ControlTower audit account

func WithControlTowerKmsKeyArn added in v1.41.0

func WithControlTowerKmsKeyArn(kmsKeyArn string) AwsTerraformModifier

WithControlTowerKmsKeyArn Set ControlTower custom KMS key ARN

func WithControlTowerLogArchiveAccount added in v1.41.0

func WithControlTowerLogArchiveAccount(LogArchiveAccount *AwsSubAccount) AwsTerraformModifier

WithControlTowerLogArchiveAccount Set ControlTower log archive account

func WithCustomOutputs added in v1.50.0

func WithCustomOutputs(outputs []lwgenerate.HclOutput) AwsTerraformModifier

WithCustomOutputs Set Custom Terraform Outputs

func WithExistingCloudtrailBucketArn added in v1.40.0

func WithExistingCloudtrailBucketArn(arn string) AwsTerraformModifier

WithExistingCloudtrailBucketArn Set the bucket ARN of an existing Cloudtrail setup

func WithExistingIamRole added in v1.40.0

func WithExistingIamRole(iamDetails *ExistingIamRoleDetails) AwsTerraformModifier

WithExistingIamRole Set an existing IAM role configuration to use with the created Terraform code

func WithExistingSnsTopicArn added in v1.40.0

func WithExistingSnsTopicArn(arn string) AwsTerraformModifier

WithExistingSnsTopicArn Set the SNS Topic ARN of an existing Cloudtrail setup

func WithLaceworkAccountID added in v1.7.0

func WithLaceworkAccountID(accountID string) AwsTerraformModifier

WithLaceworkAccountID Set the Lacework AWS root account ID to use

func WithLaceworkProfile

func WithLaceworkProfile(name string) AwsTerraformModifier

WithLaceworkProfile Set the Lacework Profile to utilize when integrating

func WithOrgAccountMappings added in v1.39.0

func WithOrgAccountMappings(mapping OrgAccountMapping) AwsTerraformModifier

WithOrgAccountMappings Set the optional Organization account mappings; this also sets the Lacework org level to true

func WithS3BucketNotification added in v1.19.0

func WithS3BucketNotification(s3BucketNotifiaction bool) AwsTerraformModifier

func WithSnsTopicEncryptionEnabled added in v0.43.0

func WithSnsTopicEncryptionEnabled(snsTopicEncryptionEnabled bool) AwsTerraformModifier

WithSnsTopicEncryptionEnabled Enable encryption on SNS Topic when created

func WithSnsTopicEncryptionKeyArn added in v0.43.0

func WithSnsTopicEncryptionKeyArn(snsTopicEncryptionKeyArn string) AwsTerraformModifier

WithSnsTopicEncryptionKeyArn Set existing KMS encryption key arn for SNS topic

func WithSnsTopicName added in v0.41.0

func WithSnsTopicName(snsTopicName string) AwsTerraformModifier

WithSnsTopicName Set SNS Topic Name if creating new one

func WithSqsEncryptionEnabled added in v0.41.0

func WithSqsEncryptionEnabled(sqsEncryptionEnabled bool) AwsTerraformModifier

WithSqsEncryptionEnabled Enable encryption on SQS queue when created

func WithSqsEncryptionKeyArn added in v0.41.0

func WithSqsEncryptionKeyArn(ssqEncryptionKeyArn string) AwsTerraformModifier

WithSqsEncryptionKeyArn Set existing KMS encryption key arn for SQS queue

func WithSqsQueueName added in v0.41.0

func WithSqsQueueName(sqsQueueName string) AwsTerraformModifier

WithSqsQueueName Set SQS Queue Name if creating new one

func WithSubaccounts

func WithSubaccounts(subaccounts ...AwsSubAccount) AwsTerraformModifier

WithSubaccounts Supply additional AWS Profiles to integrate

type ExistingIamRoleDetails

// ExistingIamRoleDetails identifies an IAM role that already exists and should be reused
// instead of creating a new one. Construct with NewExistingIamRoleDetails; IsEmpty and
// IsPartial report whether none or only some of the fields are set.
type ExistingIamRoleDetails struct {
	// Existing IAM Role ARN
	Arn string

	// Existing IAM Role Name
	Name string

	// Existing IAM Role External Id (the external ID presented when the role is assumed;
	// NOTE(review): presumably the cross-account confused-deputy guard — confirm against the
	// role's trust policy, and treat a partial set of fields as a misconfiguration)
	ExternalId string
}

func NewExistingIamRoleDetails

func NewExistingIamRoleDetails(name string, arn string, externalId string) *ExistingIamRoleDetails

NewExistingIamRoleDetails Create new existing IAM role details

func (*ExistingIamRoleDetails) IsEmpty added in v1.40.0

func (e *ExistingIamRoleDetails) IsEmpty() bool

func (*ExistingIamRoleDetails) IsPartial added in v0.24.0

func (e *ExistingIamRoleDetails) IsPartial() bool

type GenerateAwsTfConfigurationArgs

// GenerateAwsTfConfigurationArgs is the full set of inputs from which Generate produces the
// Lacework AWS Terraform code. Build it with NewTerraform and the AwsTerraformModifier
// options, then call Validate and Generate. Several boolean options carry a matching
// *Set flag so that an explicit "false" can be told apart from the Go zero value.
type GenerateAwsTfConfigurationArgs struct {
	// Should we enable AWS organization integration?
	AwsOrganization bool

	// Should we configure Agentless integration in LW?
	Agentless bool

	// Agentless management AWS account ID
	AgentlessManagementAccountID string

	// Agentless monitored AWS account IDs, OUs, or the organization root.
	AgentlessMonitoredAccountIDs []string

	// Agentless monitored AWS accounts
	AgentlessMonitoredAccounts []AwsSubAccount

	// Agentless scanning AWS accounts
	AgentlessScanningAccounts []AwsSubAccount

	// Is the AWS organization using Control Tower?
	ControlTower bool

	// AWS Control Tower Audit account
	ControlTowerAuditAccount *AwsSubAccount

	// AWS Control Tower Log Archive account
	ControlTowerLogArchiveAccount *AwsSubAccount

	// AWS Control Tower custom KMS key ARN
	ControlTowerKmsKeyArn string

	// Should we configure Cloudtrail integration in LW?
	Cloudtrail bool

	// Optional name for CloudTrail
	CloudtrailName string

	// Should we configure AWS organization mappings?
	AwsOrganizationMappings bool

	// Cloudtrail organization account mappings
	OrgAccountMappings OrgAccountMapping

	// OrgAccountMapping json used for flag input (raw, user-supplied; parsed into OrgAccountMappings)
	OrgAccountMappingsJson string

	// Use existing CloudTrail
	CloudtrailUseExistingTrail bool

	// Use existing CloudTrail SNS topic
	CloudtrailUseExistingSNSTopic bool

	// Should we configure CSPM integration in LW?
	Config bool

	// Optional name for config
	ConfigName string

	// Config additional AWS accounts
	ConfigAdditionalAccounts []AwsSubAccount

	// Config Lacework account
	ConfigOrgLWAccount string

	// Config Lacework sub-account
	ConfigOrgLWSubaccount string

	// Config Lacework access key ID
	ConfigOrgLWAccessKeyId string

	// Config Lacework secret key (sensitive credential;
	// NOTE(review): confirm how Generate emits it — if it lands in plain text in the
	// generated HCL, the output file and Terraform state need to be protected accordingly)
	ConfigOrgLWSecretKey string

	// Config organization ID
	ConfigOrgId string

	// Config organization units
	ConfigOrgUnits []string

	// Config resource prefix
	ConfigOrgCfResourcePrefix string

	// Custom outputs
	CustomOutputs []lwgenerate.HclOutput

	// Supply an AWS region for where to find the cloudtrail resources
	// TODO @ipcrm future: support split regions for resources (s3 one place, sns another, etc)
	AwsRegion string

	// Supply an AWS Profile name for the main account, only asked if configuring multiple
	AwsProfile string

	// Supply an AWS Assume Role for the main account
	AwsAssumeRole string

	// Existing S3 Bucket ARN (Required when using existing cloudtrail)
	ExistingCloudtrailBucketArn string

	// Optionally supply existing IAM role details
	ExistingIamRole *ExistingIamRoleDetails

	// Existing SNS Topic
	ExistingSnsTopicArn string

	// Consolidated Trail
	ConsolidatedCloudtrail bool

	// Should we force destroy the bucket if it has stuff in it? (only relevant on new Cloudtrail creation)
	// DEPRECATED
	ForceDestroyS3Bucket bool

	// Enable encryption of bucket if it is created
	BucketEncryptionEnabled bool

	// Indicates that the Bucket Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	BucketEncryptionEnabledSet bool

	// Optional name of bucket if creating a new one
	BucketName string

	// Arn of the KMS encryption key for S3, required when bucket encryption is enabled
	BucketSseKeyArn string

	// Enable S3 bucket notification
	S3BucketNotification bool

	// SNS Topic name if creating one and not using an existing one
	SnsTopicName string

	// Enable encryption of SNS if it is created
	SnsTopicEncryptionEnabled bool

	// Indicates that the SNS Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	SnsEncryptionEnabledSet bool

	// Arn of the KMS encryption key for SNS, required when SNS encryption is enabled
	SnsTopicEncryptionKeyArn string

	// SQS Queue name if creating one and not using an existing one
	SqsQueueName string

	// Enable encryption of SQS if it is created
	SqsEncryptionEnabled bool

	// Indicates that the SQS Encryption flag has been actively set
	// this is needed to show this it was set actively to false, rather
	// than default value for bool
	SqsEncryptionEnabledSet bool

	// Arn of the KMS encryption key for SQS, required when SQS encryption is enabled
	SqsEncryptionKeyArn string

	// For AWS Subaccounts in consolidated CT setups
	// TODO @ipcrm future: what about many individual ct/config integrations together?
	SubAccounts []AwsSubAccount

	// Lacework Profile to use
	LaceworkProfile string

	// The Lacework AWS Root Account ID
	LaceworkAccountID string

	// Lacework Organization (set to true by WithOrgAccountMappings)
	LaceworkOrganizationLevel bool
}

func NewTerraform

func NewTerraform(
	enableAwsOrganization bool,
	enableAgentless bool,
	enableConfig bool,
	enableCloudtrail bool,
	mods ...AwsTerraformModifier,
) *GenerateAwsTfConfigurationArgs

NewTerraform returns an instance of the GenerateAwsTfConfigurationArgs struct with the provided enabled settings (organization/agentless/config/cloudtrail).

Note: Additional configuration details may be set using modifiers of the AwsTerraformModifier type

Basic usage: Initialize a new GenerateAwsTfConfigurationArgs struct, with a non-default AWS profile set. Then use Generate to create a string output of the required HCL.

hcl, err := aws.NewTerraform(false, false, true, true,
  aws.WithAwsRegion("us-east-1"), aws.WithAwsProfile("mycorp-profile")).Generate()

func (*GenerateAwsTfConfigurationArgs) Generate

func (args *GenerateAwsTfConfigurationArgs) Generate() (string, error)

Generate new Terraform code based on the supplied args.

func (*GenerateAwsTfConfigurationArgs) IsEmpty added in v1.40.0

func (args *GenerateAwsTfConfigurationArgs) IsEmpty() bool

func (*GenerateAwsTfConfigurationArgs) Validate added in v1.40.0

func (args *GenerateAwsTfConfigurationArgs) Validate() error

Ensure all combinations of inputs are valid for the supported spec

type OrgAccountMap added in v1.39.0

// OrgAccountMap maps one Lacework account to the AWS accounts whose CloudTrail data it receives.
// The JSON tags match the flag input parsed into GenerateAwsTfConfigurationArgs.OrgAccountMappingsJson.
type OrgAccountMap struct {
	LaceworkAccount string   `json:"lacework_account"`
	AwsAccounts     []string `json:"aws_accounts"`
}

type OrgAccountMapping added in v1.39.0

// OrgAccountMapping is the organization-level CloudTrail account mapping: a default Lacework
// account plus explicit per-account overrides. Set it with WithOrgAccountMappings; IsEmpty
// reports whether nothing was configured and ToMap renders it for the generated code.
type OrgAccountMapping struct {
	DefaultLaceworkAccount string          `json:"default_lacework_account"`
	Mapping                []OrgAccountMap `json:"mapping"`
}

func (*OrgAccountMapping) IsEmpty added in v1.39.0

func (orgMap *OrgAccountMapping) IsEmpty() bool

func (*OrgAccountMapping) ToMap added in v1.39.0

func (orgMap *OrgAccountMapping) ToMap() (map[string]any, error)
