Documentation ¶
Overview ¶
The commands behind the Lacework command-line interface (CLI)
Author:: Salim Afiune Maya (<afiune@lacework.net>) Copyright:: Copyright 2020, Lacework Inc. License:: Apache License, Version 2.0
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- Variables
- func CDKComponentJSON(component *lwcomponent.CDKComponent) error
- func CDKComponentsJSON(catalog *lwcomponent.Catalog) error
- func CacheTransform(key string) *diskv.PathKey
- func DisplayTerraformPlanChanges(tf *tfexec.Terraform, data TfPlanChangesSummary) (bool, error)
- func Execute() (err error)
- func GenerateMarkdownDocs(location string) error
- func InverseCacheTransform(pathKey *diskv.PathKey) string
- func LoadCatalog(componentName string, getAllVersions bool) (*lwcomponent.Catalog, error)
- func LocateOrInstallTerraform(forceInstall bool, workingDir string) (*tfexec.Terraform, error)
- func NewDefaultState() *cliState
- func NewQueryFailonError(failonCount string, count int) *queryFailonError
- func NewVulnerabilityPolicyError(assessment api.VulnerabilityAssessment, failOnSeverity string, ...) *vulnerabilityPolicyError
- func NewVulnerabilityPolicyErrorV2(assessment api.VulnerabilitiesContainersResponse, failOnSeverity string, ...) *vulnerabilityPolicyError
- func SurveyMultipleQuestionWithValidation(questions []SurveyQuestionWithValidationArgs, checks ...bool) error
- func SurveyQuestionInteractiveOnly(question SurveyQuestionWithValidationArgs) error
- func TerraformExecApply(tf *tfexec.Terraform) error
- func TerraformExecutePreRunCheck(outputLocation string, cloud string) (bool, error)
- func TerraformInit(tf *tfexec.Terraform) error
- func TerraformPlanAndExecute(workingDir string) error
- type AwsControlTowerGenerateCommandExtraState
- type AwsEksAuditGenerateCommandExtraState
- type AzureGenerateCommandExtraState
- type CmdFilters
- type GcpGenerateCommandExtraState
- type GkeGenerateCommandExtraState
- type LCLContentType
- type LCLPolicy
- type LCLQuery
- type LCLReference
- type LaceworkContentLibrary
- type OS
- type OciGenerateCommandExtraState
- type PolicyExceptionSurveyQuestion
- type PolicySyncOperation
- type SurveyQuestionWithValidationArgs
- type TfPlanChangesSummary
- type VulnCveSummary
Constants ¶
const ( IconAgentless = "[Agentless]" IconConfig = "[Configuration]" IconCloudTrail = "[CloudTrail]" )
Question labels
const ( // DisableTelemetry is an environment variable that can be used to // disable telemetry sent to Honeycomb DisableTelemetry = "LW_TELEMETRY_DISABLE" // HomebrewInstall is an environment variable that denotes the // install method was via homebrew package manager HomebrewInstall = "LW_HOMEBREW_INSTALL" // ChocolateyInstall is an environment variable that denotes the // install method was via chocolatey package manager ChocolateyInstall = "LW_CHOCOLATEY_INSTALL" )
const AlasRegex = `(?i)ALAS(2?)-\d{4}-\d{3,7}`
const (
AzureCloudEnv = "POWERSHELL_DISTRIBUTION_CHANNEL"
)
Env variables found in GCP, AWS and Azure cloudshell. Used to determine if cli is running on cloudshell.
const ConfigBackupDir = "cfg_backups"
The name of the directory we will store backups of configuration files before migrating them
const CveRegex = `(?i)CVE-\d{4}-\d{4,7}`
const MaxCacheSize = 1024 * 1024 * 1024
const (
ReasonUnset = -1
)
Variables ¶
var ( QuestionRunTfPlan = "Run Terraform plan now?" QuestionUsePreviousCache = "Previous IaC generation detected, load cached values?" )
var ( // Define question text here so they can be reused in testing // Core questions QuestionEnableAwsOrganization = "Enable integrations for AWS organization?" QuestionMainAwsProfile = "Main AWS account profile:" QuestionMainAwsRegion = "Main AWS account region:" // Agentless questions QuestionEnableAgentless = "Enable Agentless integration?" QuestionAgentlessManagementAccountID = "AWS management account ID:" QuestionAgentlessManagementAccountRegion = "AWS management account region:" QuestionAgentlessScanningAccountProfile = "Scanning AWS account profile:" QuestionAgentlessScanningAccountRegion = "Scanning AWS account region:" QuestionAgentlessScanningAccountAddMore = "Add another scanning AWS account?" QuestionAgentlessScanningAccountsReplace = "Currently configured scanning accounts: %s, replace?" QuestionAgentlessMonitoredAccountIDs = "Monitored AWS account ID list:" QuestionAgentlessMonitoredAccountIDsHelp = "Please provide a comma separated list that may " + "contain account IDs, OUs, or the organization root (e.g. 123456789000,ou-abcd-12345678,r-abcd)." QuestionAgentlessMonitoredAccountProfile = "Monitored AWS account profile:" QuestionAgentlessMonitoredAccountRegion = "Monitored AWS account region:" // Config questions QuestionEnableConfig = "Enable Configuration integration?" QuestionConfigAdditionalAccountProfile = "Additional AWS account profile:" QuestionConfigAdditionalAccountRegion = "Additional AWS account region:" QuestionConfigAdditionalAccountsReplace = "Currently configured additional accounts: %s, replace?" QuestionConfigAdditionalAccountAddMore = "Add another AWS account?" // Config Org questions QuestionConfigOrgLWAccount = "Lacework account:" QuestionConfigOrgLWSubaccount = "Lacework subaccount (optional):" QuestionConfigOrgLWAccessKeyId = "Lacework access key ID:" QuestionConfigOrgLWSecretKey = "Lacework secret key:" QuestionConfigOrgId = "AWS organization ID:" QuestionConfigOrgUnits = "AWS organization units (multiple can be supplied comma separated):" QuestionConfigOrgCfResourcePrefix = "Cloudformation resource prefix:" // CloudTrail questions QuestionEnableCloudtrail = "Enable CloudTrail integration?" QuestionCloudtrailName = "Existing trail name:" QuestionCloudtrailAdvanced = "Configure advanced options?" // CloudTrail Control Tower questions QuestionControlTower = "Is your AWS organzation using Control Tower?" QuestionControlTowerS3BucketArn = "AWS Control Tower S3 bucket ARN:" QuestionControlTowerSnsTopicArn = "AWS Control Tower SNS topic ARN:" QuestionControlTowerAuditAccountProfile = "AWS Control Tower audit account profile:" QuestionControlTowerAuditAccountRegion = "AWS Control Tower audit account region:" QuestionControlTowerLogArchiveAccountProfile = "AWS Control Tower log archive account profile:" QuestionControlTowerLogArchiveAccountRegion = "AWS Control Tower log archive account region:" QuestionControlTowerKmsKeyArn = "AWS Control Tower custom KMS Key ARN (optional):" // CloudTrail advanced options OptCloudtrailMessage = "Which options would you like to configure?" OptCloudtrailOrg = "Configure org account mappings" OptCloudtrailKmsKeyArn = "Configure custom KMS key" OptCloudtrailS3 = "Configure S3 bucket" OptCloudtrailSNS = "Configure SNS topic" OptCloudtrailSQS = "Configure SQS queue" OptCloudtrailIAM = "Configure an existing IAM role" OptCloudtrailDone = "Done" // CloudTrail Org questions QuestionCloudtrailOrgAccountMappingsDefaultLWAccount = "Org account mappings default Lacework account:" QuestionCloudtrailOrgAccountMappingsAnotherAddMore = "Add another org account mapping?" QuestionCloudtrailOrgAccountMappingsLWAccount = "Lacework account:" QuestionCloudtrailOrgAccountMappingsAwsAccounts = "AWS accounts:" // CloudTrail S3 Bucket Questions QuestionCloudtrailUseConsolidated = "Use consolidated CloudTrail?" QuestionCloudtrailUseExistingTrail = "Use an existing CloudTrail?" QuestionCloudtrailS3ExistingBucketArn = "Existing S3 bucket ARN used for CloudTrail logs:" QuestionCloudtrailS3BucketEnableEncryption = "Enable S3 bucket encryption" QuestionCloudtrailS3BucketSseKeyArn = "Existing KMS encryption key arn for S3 bucket (optional):" QuestionCloudtrailS3BucketName = "New S3 bucket name (optional):" QuestionCloudtrailS3BucketNotification = "Enable S3 bucket notifications" // CloudTrail SNS Topic Questions QuestionCloudtrailUseExistingSNSTopic = "Use an existing SNS topic? (If not, S3 notification will be used)" QuestionCloudtrailSnsExistingTopicArn = "Existing SNS topic arn:" QuestionCloudtrailSnsEnableEncryption = "Enable encryption on SNS topic?" QuestionCloudtrailSnsEncryptionKeyArn = "Existing KMS encryption key arn for SNS topic (optional):" QuestionCloudtrailSnsTopicName = "New SNS topic name (optional):" // CloudTrail SQS Queue Questions QuestionCloudtrailSqsEnableEncryption = "Enable encryption on SQS queue:" QuestionCloudtrailSqsEncryptionKeyArn = "Existing KMS encryption key arn for SQS queue (optional):" QuestionCloudtrailSqsQueueName = "New SQS queue name (optional):" // CloudTrail IAM Role Questions QuestionCloudtrailExistingIamRoleName = "Existing IAM role name for CloudTrail access:" QuestionCloudtrailExistingIamRoleArn = "Existing IAM role ARN for CloudTrail access:" QuestionCloudtrailExistingIamRoleExtID = "External ID for the existing IAM role:" // Custom location Question QuestionAwsOutputLocation = "Custom output location (optional):" // Other options AwsAdvancedOptDone = "Done" // Used in aws controltower and eks_audit // AwsArnRegex original source: https://regex101.com/r/pOfxYN/1 AwsArnRegex = `` //nolint /* 154-byte string literal not displayed */ // AwsRegionRegex regex used for validating region input; note intentionally does not match gov cloud AwsRegionRegex = `(af|ap|ca|eu|me|sa|us)-(central|(north|south)?(east|west)?)-\d` AwsProfileRegex = `([A-Za-z_0-9-]+)` AwsAccountIDRegex = `^\d{12}$` AwsOUIDRegex = `^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$` AWSRootIDRegex = `^r-[0-9a-z]{4,32}$` AwsAssumeRoleRegex = `^arn:aws:iam::\d{12}:role\/.*$` ValidateSubAccountFlagRegex = fmt.Sprintf(`%s:%s`, AwsProfileRegex, AwsRegionRegex) AwsCfResourcePrefixRegex = `^[a-zA-Z0-9]+(?:-[a-zA-Z0-9]+)*$` GenerateAwsCommandState = &aws.GenerateAwsTfConfigurationArgs{ ExistingIamRole: &aws.ExistingIamRoleDetails{}, } GenerateAwsCommandExtraState = &aws.AwsGenerateCommandExtraState{} CachedAwsArgsKey = "iac-aws-generate-args" CachedAwsExtraStateKey = "iac-aws-extra-state" )
var ( QuestionAwsControlTowerCoreS3Bucket = "Provide the Arn of the S3 Bucket for consolidated CloudTrail:" QuestionAwsControlTowerCoreSnsTopic = "Provide the Arn of the SNS Topic:" QuestionAwsControlTowerCoreLogProfile = "Provide the aws profile of the 'log_archive' account:" QuestionAwsControlTowerCoreLogRegion = "Provide the aws region of the 'log_archive' account:" QuestionAwsControlTowerCoreAuditProfile = "Provide the aws profile of the 'audit' account:" QuestionAwsControlTowerCoreAuditRegion = "Provide the aws region of the 'audit' account:" QuestionAwsControlTowerConfigureAdvanced = "Configure advanced integration options?" QuestionAwsControlTowerCustomizeOutputLocation = "Provide the location for the output to be written:" ControlTowerConfigureExistingIamRoleOpt = "Configure existing Iam Role?" QuestionAwsControlTowerCoreIamRoleName = "Specify Existing Iam Role name:" QuestionAwsControlTowerCoreIamRoleArn = "Specify Existing Iam Arn:" QuestionAwsControlTowerCoreIamRoleExternalID = "Specify Existing Iam Role external ID:" ControlTowerIntegrationNameOpt = "Customize integration name?" QuestionControlTowerIntegrationName = "Specify a custom integration name:" ControlTowerIntegrationPrefixOpt = "Customize resource prefix name?" QuestionControlTowerPrefix = "Specify a prefix name for resources:" ControlTowerIntegrationSqsOpt = "Customize sqs queue name?" QuestionControlTowerSqsQueueName = "Specify a name for sqs queue:" QuestionControlTowerOrgAccountMappingsLWDefaultAccount = "Specify org account mappings default Lacework account:" QuestionControlTowerOrgAccountMappingAnotherAdvancedOpt = "Configure another org account mapping?" QuestionControlTowerOrgAccountMappingsLWAccount = "Specify lacework account: " QuestionControlTowerOrgAccountMappingsAwsAccounts = "Specify aws accounts:" ControlTowerAdvancedOptLocation = "Customize output location" ControlTowerAdvancedOptMappings = "Configure Org Account Mappings" QuestionControlTowerAnotherAdvancedOpt = "Configure another advanced integration option?" ControlTowerAdvancedOptDone = "Done" GenerateAwsControlTowerCommandState = &aws_controltower.GenerateAwsControlTowerTfConfigurationArgs{} GenerateAwsControlTowerCommandExtraState = &AwsControlTowerGenerateCommandExtraState{} CachedAssetAwsControlTowerIacParams = "iac-aws-controltower-generate-params" CachedAssetAwsControlTowerExtraState = "iac-aws-controltower-extra-state" )
var ( // Define question text here, so they can be reused in testing QuestionEksAuditMultiRegion = "Integrate clusters in more than one region?" QuestionEksAuditRegionClusterCurrent = "Currently configured regions and clusters: %s. " + "Configure additional?" QuestionEksAuditRegion = "Specify AWS region:" QuestionEksAuditRegionClusters = "Specify a comma-seperated list of clusters in region" + " to ingest EKS Audit Logs:" QuestionEksAuditAdditionalRegion = "Configure another AWS region?" QuestionEksAuditConfigureAdvanced = "Configure advanced integration options?" // S3 Bucket Questions QuestionUseExistingBucket = "Use existing bucket?" QuestionExistingBucketArn = "Specify an existing bucket ARN used for EKS audit log:" EksAuditConfigureBucket = "Configure bucket settings" QuestionEksAuditBucketVersioning = "Enable access versioning on the new bucket?" QuestionEksAuditMfaDeleteS3Bucket = "Should MFA object deletion be required for the new bucket?" QuestionEksAuditBucketLifecycle = "Specify the bucket lifecycle expiration days: (optional)" QuestionEksAuditBucketEncryption = "Enable encryption for the new bucket?" QuestionEksAuditBucketSseAlgorithm = "Specify the bucket SSE Algorithm: (optional)" QuestionEksAuditBucketExistingKey = "Use existing KMS key?" QuestionEksAuditBucketKeyArn = "Specify the bucket existing SSE KMS key ARN:" QuestionEksAuditKmsKeyRotation = "Should the KMS key have rotation enabled?" QuestionEksAuditKmsKeyDeletionDays = "Specify the KMS key deletion days: (optional)" // SNS Topic Questions EksAuditConfigureSns = "Configure SNS settings" QuestionEksAuditSnsEncryption = "Enable encryption on SNS topic when creating?" QuestionEksAuditSnsEncryptionKeyArn = "Specify existing KMS encryption key ARN for SNS topic (optional)" // Cloudwatch IAM Questions EksAuditExistingCwIamRole = "Configure and use existing Cloudwatch IAM role" QuestionEksAuditExistingCwIamArn = "Specify an existing Cloudwatch IAM role ARN:" // Firehose Questions EksAuditConfigureFh = "Configure Firehose settings" QuestionEksAuditExistingFhIamRole = "Use existing Firehose IAM role?" QuestionEksAuditExistingFhIamArn = "Specify an existing Firehose IAM role ARN:" QuestionEksAuditFhEncryption = "Enable encryption on Firehose when creating?" QuestionEksAuditFhEncryptionKeyArn = "Specify existing KMS encryption key ARN for Firehose (optional)" // Cross Account IAM Questions EksAuditExistingCaIamRole = "Configure and use existing Cross Account IAM role" QuestionEksAuditExistingCaIamArn = "Specify an existing Cross Account IAM role ARN:" QuestionEksAuditExistingCaIamExtID = "Specify the external ID to be used with the existing IAM role:" // Customize integration name EksAuditIntegrationNameOpt = "Customize integration name" QuestionEksAuditCustomIntegrationName = "Specify a custom integration name: (optional)" // Customize output location EksAuditAdvancedOptLocation = "Customize output location" QuestionEksAuditCustomizeOutputLocation = "Provide the location for the output to be written:" QuestionEksAuditAnotherAdvancedOpt = "Configure another advanced integration option" EksAuditAdvancedOptDone = "Done" // AwsEksAuditRegionRegex regex used for validating region input; note intentionally does not match gov cloud AwsEksAuditRegionRegex = `(af|ap|ca|eu|me|sa|us)-(central|(north|south)?(east|west)?)-\d` GenerateAwsEksAuditCommandState = &aws_eks_audit.GenerateAwsEksAuditTfConfigurationArgs{} GenerateAwsEksAuditCommandExtraState = &AwsEksAuditGenerateCommandExtraState{} GenerateAwsEksAuditExistingRoleState = &aws_eks_audit.ExistingCrossAccountIamRoleDetails{} CachedAssetAwsEksAuditIacParams = "iac-aws-eks-audit-generate-params" CachedAssetAwsEksAuditExtraState = "iac-aws-eks-audit-extra-state" )
var ( // Define question text here so they can be reused in testing QuestionAzureEnableConfig = "Enable Azure configuration integration?" QuestionAzureConfigName = "Specify custom configuration integration name: (optional)" QuestionEnableActivityLog = "Enable Azure Activity Log Integration?" QuestionActivityLogName = "Specify custom Activity Log integration name: (optional)" QuestionEnableEntraIdActivityLog = "Enable Azure Entra ID Activity Log Integration?" QuestionEntraIdActivityLogName = "Specify custom EntraID Activity Log integration name: (optional)" QuestionAddAzureSubscriptionID = "Set Azure Subscription ID?" QuestionAzureSubscriptionID = "Specify the Azure Subscription ID to be used to provision Lacework resources:" QuestionAzureAnotherAdvancedOpt = "Configure another advanced integration option" QuestionAzureConfigAdvanced = "Configure advanced integration options?" QuestionAzureCustomizeOutputLocation = "Provide the location for the output to be written:" // EntraID Activity Log QuestionEventHubLocation = "Specify Azure region where the event hub for logging will reside" QuestionEventHubPartitionCount = "Specify the number of partitions in the event hub for logging" // Active Directory QuestionEnableAdIntegration = "Create Active Directory Integration?" QuestionADApplicationPass = "Specify the password of an existing Active Directory application" QuestionADApplicationId = "Specify the ID of an existing Active Directory application" QuestionADServicePrincpleId = "Specify the Service Principle ID of an existing Active Directory application" // Storage Account QuestionUseExistingStorageAccount = "Use an existing Storage Account?" QuestionAzureRegion = "Specify the Azure region to be used by Storage Account logging" QuestionStorageAccountName = "Specify existing Storage Account name" QuestionStorageAccountResourceGroup = "Specify existing Storage Account Resource Group" QuestionStorageLocation = "Specify Azure region where Storage Account for logging resides " // Subscriptions QuestionEnableAllSubscriptions = "Enable all subscriptions?" QuestionSubscriptionIds = "Specify list of subscription ids to enable logging" // Management Group QuestionEnableManagementGroup = "Enable Management Group level Integration?" QuestionManagementGroupId = "Specify Management Group ID" // Select options AzureAdvancedOptDone = "Done" AdvancedAdIntegration = "Configure Lacework integration with an existing Active Directory (optional)" AzureExistingStorageAcount = "Configure Storage Account (optional)" AzureSubscriptions = "Configure Subscriptions (optional)" AzureManagmentGroup = "Configure Management Group (optional)" AzureStorageGroup = "Configure Storage Group (optional)" AzureUserIntegrationNames = "Customize integration name(s)" AzureAdvancedOptLocation = "Customize output location (optional)" AzureRegionStorage = "Customize Azure region for Storage Account (optional)" AzureEntraIdAdvancedOpt = "Configure Entra ID activity log integration advanced options" GenerateAzureCommandState = &azure.GenerateAzureTfConfigurationArgs{} GenerateAzureCommandExtraState = &AzureGenerateCommandExtraState{} CachedAzureAssetIacParams = "iac-azure-generate-params" CachedAzureAssetExtraState = "iac-azure-extra-state" )
var ( // Define question text here to be reused in testing QuestionGcpEnableAgentless = "Enable Agentless integration?" QuestionGcpEnableConfiguration = "Enable Configuration integration?" QuestionGcpEnableAuditLog = "Enable Audit Log integration?" QuestionGcpOrganizationIntegration = "Organization integration?" QuestionGcpOrganizationID = "Specify the GCP organization ID:" QuestionGcpProjectID = "Specify the project ID to be used to provision Lacework resources:" QuestionGcpServiceAccountCredsPath = "Specify service account credentials JSON path: (optional)" QuestionGcpConfigureAdvanced = "Configure advanced integration options?" GcpAdvancedOptExistingServiceAccount = "Configure & use existing service account" QuestionExistingServiceAccountName = "Specify an existing service account name:" QuestionExistingServiceAccountPrivateKey = "Specify an existing service account private key (base64 encoded):" GcpAdvancedOptAgentless = "Configure additional Agentless options" QuestionGcpProjectFilterList = "Specify a comma separated list of Google Cloud projects that " + "you want to monitor: (optional)" QuestionGcpRegions = "Specify a comma separated list of regions to deploy Agentless:" GcpAdvancedOptAuditLog = "Configure additional Audit Log options" QuestionGcpUseExistingSink = "Use an existing sink?" QuestionGcpExistingSinkName = "Specify the existing sink name" GcpAdvancedOptIntegrationName = "Customize integration name(s)" QuestionGcpConfigurationIntegrationName = "Specify a custom configuration integration name: (optional)" QuestionGcpAuditLogIntegrationName = "Specify a custom Audit Log integration name: (optional)" QuestionGcpAnotherAdvancedOpt = "Configure another advanced integration option" GcpAdvancedOptLocation = "Customize output location" GcpAdvancedOptProjects = "Configure multiple projects" QuestionGcpCustomizeOutputLocation = "Provide the location for the output to be written:" QuestionGcpCustomizeProjects = "Provide comma separated list of project ID" QuestionGcpCustomFilter = "Specify a custom Audit Log filter which supersedes all other filter options" GcpAdvancedOptDone = "Done" // GcpRegionRegex regex used for validating region input GcpRegionRegex = `(asia|australia|europe|northamerica|southamerica|us)-(central|(north|south)?(east|west)?)\d` GenerateGcpCommandState = &gcp.GenerateGcpTfConfigurationArgs{} GenerateGcpExistingServiceAccountDetails = &gcp.ExistingServiceAccountDetails{} GenerateGcpCommandExtraState = &GcpGenerateCommandExtraState{} CachedGcpAssetIacParams = "iac-gcp-generate-params" CachedAssetGcpExtraState = "iac-gcp-extra-state" InvalidProjectIDMessage = "invalid GCP project ID. " + "It must be 6 to 30 lowercase ASCII letters, digits, or hyphens. " + "It must start with a letter. Trailing hyphens are prohibited. Example: tokyo-rain-123" )
var ( QuestionGkeOrganizationIntegration = "Organization integration?" QuestionGkeOrganizationID = "Specify the GCP organization ID:" QuestionGkeProjectID = "Specify the project ID to be used to provision Lacework resources:" QuestionGkeServiceAccountCredsPath = "Specify service account credentials JSON path: (optional)" QuestionGkeConfigureAdvanced = "Configure advanced integration options?" GkeAdvancedOpt = "Configure additional options" QuestionGkeUseExistingSink = "Use an existing sink?" QuestionGkeExistingSinkName = "Specify the existing sink name" GkeAdvancedOptIntegrationName = "Customize integration name(s)" QuestionGkeIntegrationName = "Specify a custom integration name: (optional)" GkeAdvancedOptExistingServiceAccount = "Configure & use existing service account" QuestionGkeExistingServiceAccountName = "Specify an existing service account name:" QuestionGkeExistingServiceAccountPrivateKey = "Specify an existing service account private key" + " (base64 encoded):" // guardrails-disable-line GkeAdvancedOptLocation = "Customize output location" QuestionGkeCustomizeOutputLocation = "Provide the location for the output to be written:" QuestionGkeAnotherAdvancedOpt = "Configure another advanced integration option" GkeAdvancedOptDone = "Done" GenerateGkeCommandState = &gcp.GenerateGkeTfConfigurationArgs{} GenerateGkeExistingServiceAccount = &gcp.ServiceAccount{} GenerateGkeCommandExtraState = &GkeGenerateCommandExtraState{} CachedGkeAssetIacParams = "iac-gke-generate-params" CachedGkeAssetExtraState = "iac-gke-extra-state" )
var ( // questions QuestionOciEnableConfig = "Enable configuration integration?" QuestionOciTenantOcid = "Specify the OCID of the tenant to be integrated" QuestionOciUserEmail = "Specify the email address to associate with the integration OCI user" QuestionOciConfigAdvanced = "Configure advanced integration options?" QuestionOciConfigName = "Specify name of configuration integration (optional)" QuestionOciCustomizeOutputLocation = "Provide the location for the output to be written:" QuestionOciAnotherAdvancedOpt = "Configure another advanced integration option" // options OciAdvancedOptDone = "Done" OciAdvancedOptLocation = "Customize output location" OciAdvancedOptIntegrationName = "Customize integration name" // state GenerateOciCommandState = &oci.GenerateOciTfConfigurationArgs{} GenerateOciCommandExtraState = &OciGenerateCommandExtraState{} // cache keys CachedOciAssetIacParams = "iac-oci-generate-params" CachedAssetOciExtraState = "iac-oci-extra-state" )
var ( CreateReportDefinitionQuestion = "Create from an existing report definition template?" CreateReportDefinitionReportNameQuestion = "Report Name: " CreateReportDefinitionDisplayNameQuestion = "Display Name: " CreateReportDefinitionReportSubTypeQuestion = "Report SubType: " CreateReportDefinitionAddSectionQuestion = "Add another policy section?" CreateReportDefinitionSectionTitleQuestion = "Section Title: " CreateReportDefinitionPoliciesQuestion = "Select Policies in this Section: " SelectReportDefinitionQuestion = "Select an existing report definition as a template?" UpdateReportDefinitionQuestion = "Update report definition in editor?" UpdateReportDefinitionReportNameQuestion = "Report Name: " UpdateReportDefinitionDisplayNameQuestion = "Display Name: " UpdateReportDefinitionEditSectionQuestion = "Update an existing policy section?" UpdateReportDefinitionEditAnotherSectionQuestion = "Update another existing policy section?" UpdateReportDefinitionAddSectionQuestion = "Add a new policy section?" UpdateReportDefinitionSelectSectionQuestion = "Select a section to edit" )
var ( CreateReportDistributionReportNameQuestion = "Report Distribution Name: " CreateReportDistributionFrequencyQuestion = "Select Frequency: " CreateReportDistributionDefinitionQuestion = "Select Report Definition: " CreateReportDistributionAlertChannelsQuestion = "Select Alert Channels: " CreateReportDistributionResourceGroupsQuestion = "Select Resource Groups: " CreateReportDistributionIntegrationAwsQuestion = "Select Aws Accounts: " CreateReportDistributionAddSeveritiesQuestion = "Add Severities? " CreateReportDistributionSeveritiesQuestion = "Select Severities: " CreateReportDistributionAddViolationsQuestion = "Add Violations? " CreateReportDistributionScopeQuestion = "Select Distribution Scope:" CreateReportDistributionViolationsQuestion = "Select Violations: " UpdateReportDistributionReportNameQuestion = "Update Report Distribution Name? " UpdateReportDistributionFrequencyQuestion = "Update Frequency?" UpdateReportDistributionAlertChannelsQuestion = "Update Alert Channels? " UpdateReportDistributionAddSeveritiesQuestion = "Update Severities? " UpdateReportDistributionAddViolationsQuestion = "Update Violations? " )
var ( // All the following "unknown" variables are being injected at // build time via the cross-platform directive inside the Makefile // // Version is the semver coming from the VERSION file Version = "unknown" // GitSHA is the git ref that the cli was built from GitSHA = "unknown" // BuildTime is a human-readable time when the cli was built at BuildTime = "unknown" // The name of the version cache file needed for daily version checks VersionCacheFile = "version_cache" )
var ( // HoneyDataset is the dataset in Honeycomb that we send tracing // data this variable will be set depending on the environment we // are running on. During development, we send all events and // tracing data to a default dataset. HoneyDataset = "lacework-cli-dev" )
var SupportedPackageManagers = []string{"dpkg-query", "rpm"} // @afiune can we support yum and apk?
Functions ¶
func CDKComponentJSON ¶
func CDKComponentJSON(component *lwcomponent.CDKComponent) error
func CDKComponentsJSON ¶
func CDKComponentsJSON(catalog *lwcomponent.Catalog) error
func CacheTransform ¶
func CacheTransform(key string) *diskv.PathKey
func DisplayTerraformPlanChanges ¶
func DisplayTerraformPlanChanges(tf *tfexec.Terraform, data TfPlanChangesSummary) (bool, error)
DisplayTerraformPlanChanges used to display the results of a plan
returns true if apply should run, false to exit
func Execute ¶
func Execute() (err error)
Execute adds all child commands to the root command and sets flags appropriately. This is called by main.main(). It only needs to happen once to the rootCmd.
func GenerateMarkdownDocs ¶
func InverseCacheTransform ¶
func InverseCacheTransform(pathKey *diskv.PathKey) string
func LoadCatalog ¶
func LoadCatalog(componentName string, getAllVersions bool) (*lwcomponent.Catalog, error)
func LocateOrInstallTerraform ¶
LocateOrInstallTerraform Determine if terraform is installed, if that version is new enough, and if not install a new ephemeral binary of the correct version into tmp location
forceInstall: if set always install ephemeral binary
func NewDefaultState ¶
func NewDefaultState() *cliState
NewDefaultState creates a new cliState with some defaults
func NewQueryFailonError ¶
func NewVulnerabilityPolicyError ¶
func NewVulnerabilityPolicyError( assessment api.VulnerabilityAssessment, failOnSeverity string, failOnFixable bool, ) *vulnerabilityPolicyError
func NewVulnerabilityPolicyErrorV2 ¶
func NewVulnerabilityPolicyErrorV2( assessment api.VulnerabilitiesContainersResponse, failOnSeverity string, failOnFixable bool, ) *vulnerabilityPolicyError
func SurveyMultipleQuestionWithValidation ¶
func SurveyMultipleQuestionWithValidation(questions []SurveyQuestionWithValidationArgs, checks ...bool) error
SurveyMultipleQuestionWithValidation Prompt for many values at once
checks: If supplied check(s) are true, questions will be asked
func SurveyQuestionInteractiveOnly ¶
func SurveyQuestionInteractiveOnly(question SurveyQuestionWithValidationArgs) error
SurveyQuestionInteractiveOnly Prompt use for question, only if the CLI is in interactive mode
func TerraformExecApply ¶
TerraformExecApply Run terraform apply using the workingDir from *tfexec.Terraform
- Run plan - Get plan file details (returned)
func TerraformInit ¶
func TerraformPlanAndExecute ¶
Execute a terraform plan & execute
Types ¶
type CmdFilters ¶
type CmdFilters struct {
Filters []string
}
Used to store the list of available filters from a CLI command
E.g. get available filters for a cobra.Command.Long
```go
dummyCmdState = struct { // The available filters AvailableFilters CmdFilters // List of filters to apply Filters []string }{} dummyCmdState := &cobra.Command{ Long: `The available keys for this command are:
` + stringSliceToMarkdownList(
dummyCmdState.AvailableFilters.GetFiltersFrom( api.MachineDetailEntity{}, ),
)} ```
func (*CmdFilters) GetFiltersFrom ¶
func (f *CmdFilters) GetFiltersFrom(T interface{}) []string
type LCLContentType ¶
type LCLContentType string
const ( LCLQueryType LCLContentType = "query" LCLPolicyType LCLContentType = "policy" )
type LCLQuery ¶
type LCLQuery struct {
References []LCLReference `json:"references"`
}
type LCLReference ¶
type LCLReference struct { ID string `json:"id"` Type LCLContentType `json:"content_type"` Path string `json:"path"` URI string `json:"uri"` }
type LaceworkContentLibrary ¶
type LaceworkContentLibrary struct { Component *lwcomponent.Component Queries map[string]LCLQuery `json:"queries"` Policies map[string]LCLPolicy `json:"policies"` PolicyTags map[string][]string `json:"policy_tags"` }
func (*LaceworkContentLibrary) GetPoliciesByTag ¶
func (lcl *LaceworkContentLibrary) GetPoliciesByTag(t string) map[string]LCLPolicy
type PolicyExceptionSurveyQuestion ¶
type PolicyExceptionSurveyQuestion struct {
// contains filtered or unexported fields
}
type PolicySyncOperation ¶
type TfPlanChangesSummary ¶
type TfPlanChangesSummary struct {
// contains filtered or unexported fields
}
func TerraformExecPlan ¶
func TerraformExecPlan(tf *tfexec.Terraform) (*TfPlanChangesSummary, error)
TerraformExecPlan Run terraform plan using the workingDir from *tfexec.Terraform
- Run plan - Get plan file details (returned)
type VulnCveSummary ¶
type VulnCveSummary struct { Host api.VulnerabilityHost Count int Hostnames []string }
Source Files ¶
- access_token.go
- account.go
- agent.go
- agent_aws-install_ec2ic.go
- agent_aws-install_ec2ssh.go
- agent_aws-install_ec2ssm.go
- agent_gcp-install-osl.go
- agent_install.go
- agent_list.go
- alert.go
- alert_channel.go
- alert_close.go
- alert_comment.go
- alert_list.go
- alert_list_fixable.go
- alert_profiles.go
- alert_rules.go
- alert_show.go
- alert_show_details.go
- alert_show_events.go
- alert_show_integrations.go
- alert_show_investigation.go
- alert_show_related.go
- alert_show_timeline.go
- api.go
- aws.go
- awsiam.go
- cache.go
- cdk.go
- cli_state.go
- cli_unix.go
- cloud_account.go
- compliance.go
- compliance_aws.go
- compliance_azure.go
- compliance_gcp.go
- component.go
- component_args.go
- component_dev.go
- configure.go
- configure_switch_profile.go
- container_registry.go
- content_library.go
- docs.go
- emoji.go
- emoji_unix.go
- errors.go
- errors_lql.go
- flags.go
- gcp.go
- generate.go
- generate_aws.go
- generate_aws_controltower.go
- generate_aws_eks_audit.go
- generate_azure.go
- generate_cloud_account.go
- generate_execute.go
- generate_gcp.go
- generate_gke.go
- generate_k8s.go
- generate_oci.go
- grpc.go
- honeyvent.go
- integration_aws.go
- integration_aws_cloudwatch.go
- integration_aws_govcloud.go
- integration_aws_s3_channel.go
- integration_azure.go
- integration_cisco_webex.go
- integration_ctr_reg_limits.go
- integration_datadog.go
- integration_docker_hub.go
- integration_docker_v2.go
- integration_ecr.go
- integration_email.go
- integration_gar.go
- integration_gcp.go
- integration_gcp_pub_sub_audit.go
- integration_gcp_pub_sub_channel.go
- integration_gcr.go
- integration_ghcr.go
- integration_inline_scanner.go
- integration_jira.go
- integration_microsoft_teams.go
- integration_new_relic_channel.go
- integration_oci.go
- integration_pagerduty.go
- integration_proxy_scanner.go
- integration_qradar_channel.go
- integration_service_now_channel.go
- integration_slack_channel.go
- integration_splunk.go
- integration_victorops.go
- integration_webhook.go
- lql.go
- lql_create.go
- lql_delete.go
- lql_library.go
- lql_list.go
- lql_preview.go
- lql_show.go
- lql_sources.go
- lql_update.go
- lql_validate.go
- migration.go
- outputs.go
- package_manifest.go
- policy.go
- policy_create.go
- policy_delete.go
- policy_disable.go
- policy_enable.go
- policy_exceptions.go
- policy_library.go
- policy_update.go
- prompt.go
- report_definitions.go
- report_definitions_create.go
- report_definitions_diff.go
- report_definitions_revert.go
- report_definitions_update.go
- report_distributions.go
- report_distributions_create.go
- report_distributions_update.go
- report_rules.go
- resource_group_v2.go
- resource_groups.go
- root.go
- suppressions.go
- suppressions_aws.go
- suppressions_azure.go
- suppressions_gcp.go
- table_render.go
- team_members.go
- telemetry.go
- version.go
- vuln_container.go
- vuln_container_list_assessments.go
- vuln_container_list_registries.go
- vuln_container_scan.go
- vuln_container_show_assessments.go
- vuln_host.go
- vuln_host_gen_package_manifest.go
- vuln_host_list_cves.go
- vuln_host_list_hosts.go
- vuln_host_scan_package_manifest.go
- vuln_host_show_assessment.go
- vuln_html.go
- vulnerability.go
- vulnerability_exception_container.go
- vulnerability_exception_host.go
- vulnerabilty_exceptions.go