Add new files to aws.rds.snapshot (#3080)
The most useful addition is the snapshot's creation date, but this also adds
other useful fields such as the engine version and the port the DB was
running on.

Signed-off-by: Tim Smith <[email protected]>
tas50 authored Jan 21, 2024
1 parent 65df0ae commit 18e12ca
Showing 4 changed files with 93 additions and 42 deletions.
12 changes: 9 additions & 3 deletions providers/aws/resources/aws.lr
Expand Up @@ -1823,7 +1823,7 @@ private aws.rds.dbcluster @defaults("id region") {
}

// Amazon RDS snapshot
private aws.rds.snapshot @defaults("id region type encrypted") {
private aws.rds.snapshot @defaults("id region type encrypted createdAt") {
// ARN of the snapshot
arn string
// ID of the snapshot
Expand All @@ -1842,10 +1842,16 @@ private aws.rds.snapshot @defaults("id region type encrypted") {
tags map[string]string
// The snapshot DB engine
engine string
// The snapshot DB engine version
engineVersion string
// The snapshot status
status string
// The amount of storage allocated to the snapshot
allocatedStorage int
// The port that the DB instance or cluster listens on
port int
// The creation date of the snapshot
createdAt time
}

// Amazon RDS database instance
Expand Down Expand Up @@ -2279,7 +2285,7 @@ private aws.ec2.internetgateway @defaults("arn") {
attachments []dict
}

// Amazon EC2 snapshot
// Amazon EC2 (EBS) snapshot
private aws.ec2.snapshot @defaults("id region volumeSize state") {
// ARN for the snapshot
arn string
Expand All @@ -2305,7 +2311,7 @@ private aws.ec2.snapshot @defaults("id region volumeSize state") {
encrypted bool
}

// Amazon EC2 volume
// Amazon EC2 (EBS) volume
private aws.ec2.volume @defaults("id region volumeType size encrypted state") {
// ARN for the EC2 volume
arn string
36 changes: 36 additions & 0 deletions providers/aws/resources/aws.lr.go


57 changes: 30 additions & 27 deletions providers/aws/resources/aws.lr.manifest.yaml
Expand Up @@ -92,9 +92,9 @@ resources:
title: Return the account ID (number) and any configured account aliases
aws.acm:
docs:
desc: Use the `aws.acm` resource to assess the configuration of the
AWS Certificates Manager service in the account. This resource returns
a list of ACM certificates found in the account.
desc: Use the `aws.acm` resource to assess the configuration of the AWS Certificates
Manager service in the account. This resource returns a list of ACM certificates
found in the account.
fields:
certificates: {}
min_mondoo_version: 5.15.0
Expand Down Expand Up @@ -153,8 +153,8 @@ resources:
- aws
aws.apigateway:
docs:
desc: Use the `aws.apigateway` resource to assess the configuration
of the AWS API Gateway service.
desc: Use the `aws.apigateway` resource to assess the configuration of the AWS
API Gateway service.
fields:
restApis: {}
min_mondoo_version: 5.15.0
Expand Down Expand Up @@ -291,13 +291,12 @@ resources:
snippets:
- query: "aws.autoscaling.groups { \n arn \n healthCheckType \n loadBalancerNames
\n name \n}\n"
title: Return a list of all auto-scaling groups configured across all
enabled regions across the account and
the values for specified fields
title: Return a list of all auto-scaling groups configured across all enabled
regions across the account and the values for specified fields
- query: "aws.autoscaling.groups.where(loadBalancerNames.length > 0) { \n healthCheckType
== \"ELB\" \n}\n"
title: Check that all autoscaling groups associated with a load balancer use health
checks
title: Check that all autoscaling groups associated with a load balancer use
health checks
aws.autoscaling.group:
docs:
desc: |
Expand Down Expand Up @@ -342,12 +341,11 @@ resources:
- title: What is AWS Backup?
url: https://docs.aws.amazon.com/aws-backup/latest/devguide/whatisbackup.html
- title: Compliance validation for AWS Backup
url: https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-compliance.html
url: https://docs.aws.amazon.com/aws-backup/latest/devguide/backup-compliance.html
snippets:
- query: "aws.backup.vaults { \n arn \n region \n recoveryPoints
\n name \n}\n"
title: Return a list of all AWS Backup vaults configured across all
enabled regions across the account and all their recovery points
- query: "aws.backup.vaults { \n arn \n region \n recoveryPoints \n name \n}\n"
title: Return a list of all AWS Backup vaults configured across all enabled
regions across the account and all their recovery points
aws.backup.vault:
docs:
desc: |
Expand Down Expand Up @@ -624,8 +622,8 @@ resources:
- aws
aws.codebuild:
docs:
desc: "Use the `aws.codebuild` resource to assess the configuration of the
AWS CodeBuild service and the projects within. \n"
desc: "Use the `aws.codebuild` resource to assess the configuration of the AWS
CodeBuild service and the projects within. \n"
fields:
projects: {}
min_mondoo_version: 5.15.0
Expand Down Expand Up @@ -655,8 +653,7 @@ resources:
AWS_SECRET_ACCESS_KEY are not in plaintext
- query: "aws.codebuild.projects.where( source['Type'] == \"BITBUCKET\" || source['Type']
== \"GITHUB\" ) { \n source['Auth']['Type'] == \"OAUTH\"\n}\n"
title: Check that all projects using GitHub or Bitbucket as the source use
oauth
title: Check that all projects using GitHub or Bitbucket as the source use oauth
aws.codebuild.project:
docs:
desc: |
Expand Down Expand Up @@ -1411,8 +1408,8 @@ resources:
- aws
aws.elasticache:
docs:
desc: "Use the `aws.elasticache` resource to assess the configuration
of Amazon ElastiCache. \n"
desc: "Use the `aws.elasticache` resource to assess the configuration of Amazon
ElastiCache. \n"
fields:
cacheClusters: {}
clusters: {}
Expand Down Expand Up @@ -1508,8 +1505,8 @@ resources:
load balancer http listeners
- query: "aws.elb.classicLoadBalancers.all( listenerDescriptions.any ( \n _['Listener']['Protocol']
== \"HTTPS\" || _['Listener']['Protocol'] == \"SSL\" ) \n)\n"
title: Check that all Classic Load Balancers use SSL certificates provided
by AWS Cert Mgr
title: Check that all Classic Load Balancers use SSL certificates provided by
AWS Cert Mgr
aws.elb.loadbalancer:
docs:
desc: |
Expand Down Expand Up @@ -1850,8 +1847,8 @@ resources:
- aws
aws.kms:
docs:
desc: "Use the `aws.kms` resource to assess the configuration of AWS
KMS keys. \n"
desc: "Use the `aws.kms` resource to assess the configuration of AWS KMS keys.
\n"
fields:
keys: {}
min_mondoo_version: 5.15.0
Expand Down Expand Up @@ -1879,8 +1876,8 @@ resources:
- aws
aws.lambda:
docs:
desc: "Use the `aws.lambda` resource to assess the configuration of
AWS Lambda. \n"
desc: "Use the `aws.lambda` resource to assess the configuration of AWS Lambda.
\n"
fields:
functions: {}
min_mondoo_version: 5.15.0
Expand Down Expand Up @@ -2052,11 +2049,17 @@ resources:
min_mondoo_version: 9.0.0
arn: {}
attributes: {}
createdAt:
min_mondoo_version: 10.0.0
encrypted: {}
engine:
min_mondoo_version: 9.0.0
engineVersion:
min_mondoo_version: 10.0.0
id: {}
isClusterSnapshot: {}
port:
min_mondoo_version: 10.0.0
region: {}
status:
min_mondoo_version: 9.0.0
30 changes: 18 additions & 12 deletions providers/aws/resources/aws_rds.go
Expand Up @@ -318,16 +318,19 @@ func (a *mqlAwsRdsDbcluster) snapshots() ([]interface{}, error) {
for _, snapshot := range snapshots.DBClusterSnapshots {
mqlDbSnapshot, err := CreateResource(a.MqlRuntime, "aws.rds.snapshot",
map[string]*llx.RawData{
"allocatedStorage": llx.IntData(convert.ToInt64From32(snapshot.AllocatedStorage)),
"arn": llx.StringDataPtr(snapshot.DBClusterSnapshotArn),
"id": llx.StringDataPtr(snapshot.DBClusterSnapshotIdentifier),
"type": llx.StringDataPtr(snapshot.SnapshotType),
"region": llx.StringData(region),
"createdAt": llx.TimeDataPtr(snapshot.SnapshotCreateTime),
"encrypted": llx.BoolDataPtr(snapshot.StorageEncrypted),
"isClusterSnapshot": llx.BoolData(true),
"tags": llx.MapData(rdsTagsToMap(snapshot.TagList), types.String),
"engine": llx.StringDataPtr(snapshot.Engine),
"engineVersion": llx.StringDataPtr(snapshot.EngineVersion),
"id": llx.StringDataPtr(snapshot.DBClusterSnapshotIdentifier),
"port": llx.IntData(convert.ToInt64From32(snapshot.Port)),
"isClusterSnapshot": llx.BoolData(true),
"region": llx.StringData(region),
"status": llx.StringDataPtr(snapshot.Status),
"allocatedStorage": llx.IntData(convert.ToInt64From32(snapshot.AllocatedStorage)),
"tags": llx.MapData(rdsTagsToMap(snapshot.TagList), types.String),
"type": llx.StringDataPtr(snapshot.SnapshotType),
})
if err != nil {
return nil, err
Expand Down Expand Up @@ -360,16 +363,19 @@ func (a *mqlAwsRdsDbinstance) snapshots() ([]interface{}, error) {
for _, snapshot := range snapshots.DBSnapshots {
mqlDbSnapshot, err := CreateResource(a.MqlRuntime, "aws.rds.snapshot",
map[string]*llx.RawData{
"allocatedStorage": llx.IntData(convert.ToInt64From32(snapshot.AllocatedStorage)),
"arn": llx.StringDataPtr(snapshot.DBSnapshotArn),
"id": llx.StringDataPtr(snapshot.DBSnapshotIdentifier),
"type": llx.StringDataPtr(snapshot.SnapshotType),
"region": llx.StringData(region),
"createdAt": llx.TimeDataPtr(snapshot.SnapshotCreateTime),
"encrypted": llx.BoolDataPtr(snapshot.Encrypted),
"isClusterSnapshot": llx.BoolData(false),
"tags": llx.MapData(rdsTagsToMap(snapshot.TagList), types.String),
"engine": llx.StringDataPtr(snapshot.Engine),
"engineVersion": llx.StringDataPtr(snapshot.EngineVersion),
"id": llx.StringDataPtr(snapshot.DBSnapshotIdentifier),
"port": llx.IntData(convert.ToInt64From32(snapshot.Port)),
"isClusterSnapshot": llx.BoolData(false),
"region": llx.StringData(region),
"status": llx.StringDataPtr(snapshot.Status),
"allocatedStorage": llx.IntData(convert.ToInt64From32(snapshot.AllocatedStorage)),
"tags": llx.MapData(rdsTagsToMap(snapshot.TagList), types.String),
"type": llx.StringDataPtr(snapshot.SnapshotType),
})
if err != nil {
return nil, err
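Review bot: The `isClusterSnapshot` entry breaks the alphabetical ordering that the reordered `map[string]*llx.RawData` literal otherwise follows, sitting after `port` in the dbcluster hunk and again in the dbinstance hunk; moving it up between `id` and `port`, i.e. `"id": …`, `"isClusterSnapshot": llx.BoolData(true),`, `"port": …`, keeps the two literals directly comparable line by line. The new `port` entry is converted with `convert.ToInt64From32` exactly like `allocatedStorage`; if that helper maps a nil pointer to 0 (not visible in the hunk), a snapshot whose port the API omits is reported as port 0 rather than as an absent value, so a nil-preserving conversion would be preferable should the SDK field be a pointer, and a short comment such as `// Port is nil for some snapshot types; 0 means "not reported"` would make the chosen behaviour explicit. Both enclosing functions, `snapshots()` on mqlAwsRdsDbcluster and on mqlAwsRdsDbinstance, start and end outside the hunks.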
