

🧹 Resolve secret for each provider config in GCP (#867)
Initially, the idea was to copy the resolved secret over to the cloned
provider configs. That is not ideal since it requires other changes as
well. After a discussion with @chris-rock we concluded that resolving
secrets multiple times is a vault problem, not a provider problem. This
PR makes sure that scanning GCP assets works. In a follow-up PR I will
address the issue with the retrieval of the same secret multiple times.

Signed-off-by: Ivan Milchev <[email protected]>
imilchev authored Feb 1, 2023
1 parent ca8ceef commit 8568a0b
Showing 3 changed files with 13 additions and 14 deletions.
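--- a/motor/discovery/gcp/mql_assets.go
+++ b/motor/discovery/gcp/mql_assets.go
@@ -1,6 +1,7 @@
 package gcp
 
 import (
 "context"
+"errors"
 
 "github.com/mitchellh/mapstructure"
@@ -13,6 +14,7 @@ import (
 "go.mondoo.com/cnquery/motor/platform"
 "go.mondoo.com/cnquery/motor/providers"
 gcpprovider "go.mondoo.com/cnquery/motor/providers/google"
+"go.mondoo.com/cnquery/motor/providers/resolver"
 "go.mondoo.com/cnquery/mql"
 "go.mondoo.com/cnquery/resources"
 resource_pack "go.mondoo.com/cnquery/resources/packs/gcp"
@@ -54,14 +56,21 @@ func (md *MqlDiscovery) GetList(query string) []interface{} {
 return a
 }
 
-func GatherAssets(tc *providers.Config, project string) ([]*asset.Asset, error) {
+func GatherAssets(ctx context.Context, tc *providers.Config, project string, cfn common.CredentialFn) ([]*asset.Asset, error) {
 assets := []*asset.Asset{}
+// Note: we use the resolver instead of the direct gcp_provider.New to resolve credentials properly
 pCfg := tc.Clone()
-at, err := gcpprovider.New(pCfg)
+motor, err := resolver.NewMotorConnection(ctx, pCfg, cfn)
 if err != nil {
 return nil, err
 }
-m, err := NewMQLAssetsDiscovery(at)
+defer motor.Close()
+
+provider, ok := motor.Provider.(*gcpprovider.Provider)
+if !ok {
+return nil, errors.New("could not create gcp provider")
+}
+m, err := NewMQLAssetsDiscovery(provider)
 if err != nil {
 return nil, err
 }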
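Review bot: The `errors.New("could not create gcp provider")` returned after the type assertion is misleading: by that line `resolver.NewMotorConnection` has already succeeded, the real failure is that the resolver handed back a provider of another type, and the identical string already exists in resolver_project.go, so a log line cannot tell the two sites apart. I would make the error name the offending type, e.g. `return nil, fmt.Errorf("gcp discovery: resolver returned unexpected provider type %T", motor.Provider)` (`fmt` would need adding if the collapsed import block lacks it). The `// Note:` line should also record the secret-handling trade-off the commit message describes, e.g. `// pCfg is resolved on its own; the resolved credential is intentionally not written back into tc, so each GatherAssets call re-resolves it via cfn`, so the next maintainer does not reintroduce the copy-back. `common.CredentialFn` in the new signature presumably comes from an import outside the shown hunks; worth confirming the build rather than assuming.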
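--- a/motor/discovery/gcp/resolver_project.go
+++ b/motor/discovery/gcp/resolver_project.go
@@ -51,11 +51,6 @@ func (r *GcpProjectResolver) Resolve(ctx context.Context, tc *providers.Config,
 return nil, errors.New("could not create gcp provider")
 }
 
-// If there is a service account provided in the inventory, resolve it and then copy it to the provider config we use
-if len(tc.Credentials) != 0 {
-tc.Credentials[0] = provider.GetCredential()
-}
-
 identifier, err := provider.Identifier()
 if err != nil {
 return nil, err
@@ -95,7 +90,7 @@ func (r *GcpProjectResolver) Resolve(ctx context.Context, tc *providers.Config,
 DiscoveryGkeClusters,
 DiscoveryStorageBuckets,
 DiscoveryBigQueryDatasets) {
-assetList, err := GatherAssets(tc, project)
+assetList, err := GatherAssets(ctx, tc, project, cfn)
 if err != nil {
 return nil, err
 }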
5 changes: 0 additions & 5 deletions motor/providers/google/provider.go
Expand Up @@ -10,7 +10,6 @@ import (
"go.mondoo.com/cnquery/motor/providers"
"go.mondoo.com/cnquery/motor/providers/os/fsutil"
"go.mondoo.com/cnquery/motor/vault"
"google.golang.org/protobuf/proto"
)

var (
Expand Down Expand Up @@ -144,10 +143,6 @@ type Provider struct {
platformOverride string
}

func (p *Provider) GetCredential() *vault.Credential {
return proto.Clone(p.cred).(*vault.Credential)
}

func (p *Provider) FS() afero.Fs {
return &fsutil.NoFs{}
}
