✨ New AWS WAF resource (#2682)

--------- Co-authored-by: Letha <[email protected]>
mondoohq · Dec 12, 2023 · 1de204f · 1de204f
1 parent 45139cb
commit 1de204f
Show file tree

Hide file tree

Showing 11 changed files with 7,861 additions and 2,111 deletions.
diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt
@@ -49,6 +49,7 @@ postgre
 pushconfig
 querypack
 resourcegroup
+rulegroup
 Sas
 scim
 serviceprincipals
@@ -66,3 +67,21 @@ Vtpm
 vulnerabilityassessmentsettings
 wil
 vulnmgmt
+bytematchstatement
+geomatchstatement
+headerorder
+ipsetforwardedipconfig
+ipsetreferencestatement
+jsonbody
+labelmatchstatement
+managedrulegroupstatement
+orstatement
+ratebasedstatement
+regexmatchstatement
+regexpatternsetreferencestatement
+rulegroupreferencestatement
+singlequeryargument
+sizeconstraintstatement
+sqli
+sqlimatchstatement
+xssmatchstatement
diff --git a/providers/aws/config/config.go b/providers/aws/config/config.go
@@ -84,6 +84,12 @@ var Config = plugin.Provider{
 					Default: "",
 					Desc:    "Override option for EBS scanning that tells it to not create the snapshot or volume",
 				},
+				{
+					Long:    "scope",
+					Type:    plugin.FlagType_String,
+					Default: "",
+					Desc:    "Set Scope for the aws wafv2 either CLOUDFRONT or REGIONAL",
+				},
 				{
 					Long:    "filters",
 					Type:    plugin.FlagType_KeyValue,

diff --git a/providers/aws/connection/clients.go b/providers/aws/connection/clients.go
@@ -45,6 +45,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/securityhub"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
+	"github.com/aws/aws-sdk-go-v2/service/wafv2"
 	"github.com/rs/zerolog/log"
 )
 
@@ -122,6 +123,30 @@ func (t *AwsConnection) Ec2(region string) *ec2.Client {
 	return client
 }
 
+func (t *AwsConnection) Wafv2(region string) *wafv2.Client {
+	// if no region value is sent in, use the configured region
+	if len(region) == 0 {
+		region = t.cfg.Region
+	}
+	cacheVal := "_wafv2_" + region
+
+	// check for cached client and return it if it exists
+	c, ok := t.clientcache.Load(cacheVal)
+	if ok {
+		log.Debug().Msg("use cached wafv2 client")
+		return c.Data.(*wafv2.Client)
+	}
+
+	// create the client
+	cfg := t.cfg.Copy()
+	cfg.Region = region
+	client := wafv2.NewFromConfig(cfg)
+
+	// cache it
+	t.clientcache.Store(cacheVal, &CacheEntry{Data: client})
+	return client
+}
+
 func (t *AwsConnection) Ecs(region string) *ecs.Client {
 	// if no region value is sent in, use the configured region
 	if len(region) == 0 {

diff --git a/providers/aws/connection/connection.go b/providers/aws/connection/connection.go
@@ -32,6 +32,7 @@ type AwsConnection struct {
 	connectionOptions map[string]string
 	Filters           DiscoveryFilters
 	RegionLimits      []string
+	scope             string
 }
 
 type DiscoveryFilters struct {
@@ -105,6 +106,7 @@ func NewAwsConnection(id uint32, asset *inventory.Asset, conf *inventory.Config)
 	c.cfg = cfg
 	c.accountId = *identity.Account
 	c.profile = asset.Options["profile"]
+	c.scope = asset.Options["scope"]
 	c.connectionOptions = asset.Options
 	if conf.Discover != nil {
 		c.Filters = parseOptsToFilters(conf.Discover.Filter)
@@ -245,6 +247,10 @@ func (p *AwsConnection) Profile() string {
 	return p.profile
 }
 
+func (p *AwsConnection) Scope() string {
+	return p.scope
+}
+
 func (p *AwsConnection) ConnectionOptions() map[string]string {
 	return p.connectionOptions
 }

diff --git a/providers/aws/go.mod b/providers/aws/go.mod
@@ -90,6 +90,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.9 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.18.5 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/wafv2 v1.43.5 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231121224113-b6714ac5eb13 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect

diff --git a/providers/aws/go.sum b/providers/aws/go.sum
@@ -146,6 +146,8 @@ github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5 h1:2k9KmFawS63euAkY4/ixVNsY
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.5/go.mod h1:W+nd4wWDVkSUIox9bacmkBP5NMFQeTJ/xqNabpzSR38=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.5 h1:5UYvv8JUvllZsRnfrcMQ+hJ9jNICmcgKPAO1CER25Wg=
 github.com/aws/aws-sdk-go-v2/service/sts v1.26.5/go.mod h1:XX5gh4CB7wAs4KhcF46G6C8a2i7eupU19dcAAE+EydU=
+github.com/aws/aws-sdk-go-v2/service/wafv2 v1.43.5 h1:8iixoEN4rUe8tIWeT9QPbh22Ipu8czawmvo4KavymzM=
+github.com/aws/aws-sdk-go-v2/service/wafv2 v1.43.5/go.mod h1:y3yChmvnpx/kuhvUEaKkNDih3FjWuuB+qUCK6WVRhfs=
 github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
 github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231121224113-b6714ac5eb13 h1:kJcp+jlDkv310Sv1VsMgfseHpRWf842HUJAoeaWYy28=

diff --git a/providers/aws/provider/provider.go b/providers/aws/provider/provider.go
@@ -105,7 +105,7 @@ func parseFlagsToFiltersOpts(m map[string]*llx.Primitive) map[string]string {
 func parseFlagsToOptions(m map[string]*llx.Primitive) map[string]string {
 	o := make(map[string]string, 0)
 	for k, v := range m {
-		if k == "profile" || k == "region" || k == "role" || k == "endpoint-url" || k == "no-setup" {
+		if k == "profile" || k == "region" || k == "role" || k == "endpoint-url" || k == "no-setup" || k == "scope" {
 			if val := string(v.Value); val != "" {
 				o[k] = string(v.Value)
 			}