Fix AWS SSO support when using the 'sso-session' sections (#629)

* Bump terraform-exec wrapper * Upgrade the Terraform AWS provider version to be 4.54.0+ to fix AWS SSO support (closes #626)
DataDog · Feb 11, 2025 · 19909e7 · 19909e7
1 parent 8758bd3
commit 19909e7
Show file tree

Hide file tree

Showing 41 changed files with 119 additions and 174 deletions.
diff --git a/v2/go.mod b/v2/go.mod
@@ -33,10 +33,10 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sts v1.33.14
 	github.com/aws/smithy-go v1.22.2
 	github.com/cenkalti/backoff/v4 v4.2.1
-	github.com/fatih/color v1.13.0
+	github.com/fatih/color v1.16.0
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.6.0
-	github.com/hashicorp/terraform-exec v0.17.3
+	github.com/hashicorp/terraform-exec v0.21.0
 	github.com/jedib0t/go-pretty/v6 v6.4.0
 	github.com/microsoftgraph/msgraph-beta-sdk-go v0.108.0
 	github.com/microsoftgraph/msgraph-sdk-go-core v1.2.1
@@ -52,9 +52,10 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
-	github.com/Microsoft/go-winio v0.5.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.0-alpha.2 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.8 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.28 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.32 // indirect
@@ -68,6 +69,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/sso v1.24.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.14 // indirect
 	github.com/cjlapao/common-go v0.0.39 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
@@ -83,14 +85,14 @@ require (
 	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect
 	github.com/googleapis/gax-go/v2 v2.5.1 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
 	github.com/microsoft/kiota-abstractions-go v1.7.0 // indirect
 	github.com/microsoft/kiota-authentication-azure-go v1.1.0 // indirect
@@ -113,6 +115,7 @@ require (
 	go.opentelemetry.io/otel v1.24.0 // indirect
 	go.opentelemetry.io/otel/metric v1.24.0 // indirect
 	go.opentelemetry.io/otel/trace v1.24.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/net v0.27.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20221006150949-b44042a4b9c1 // indirect
 	golang.org/x/term v0.22.0 // indirect
@@ -132,10 +135,10 @@ require (
 require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-version v1.6.0
-	github.com/hashicorp/hc-install v0.4.0
-	github.com/hashicorp/terraform-json v0.14.0 // indirect
+	github.com/hashicorp/hc-install v0.6.4
+	github.com/hashicorp/terraform-json v0.22.1 // indirect
 	github.com/microsoftgraph/msgraph-sdk-go v1.47.0
-	github.com/zclconf/go-cty v1.11.0 // indirect
+	github.com/zclconf/go-cty v1.14.4 // indirect
 	golang.org/x/crypto v0.25.0 // indirect
 	golang.org/x/sys v0.22.0 // indirect
 	golang.org/x/text v0.16.0 // indirect

diff --git a/v2/go.sum b/v2/go.sum
diff --git a/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf b/v2/internal/attacktechniques/aws/credential-access/ec2-get-password-data/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf b/v2/internal/attacktechniques/aws/credential-access/ec2-steal-instance-credentials/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -28,7 +28,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/...rnal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.tf b/...rnal/attacktechniques/aws/credential-access/secretsmanager-batch-retrieve-secrets/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf b/v2/internal/attacktechniques/aws/credential-access/secretsmanager-retrieve-secrets/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/...ernal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf b/...ernal/attacktechniques/aws/credential-access/ssm-retrieve-securestring-parameters/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-delete/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-event-selectors/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-lifecycle-rule/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/cloudtrail-stop/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/organizations-leave/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf b/v2/internal/attacktechniques/aws/defense-evasion/vpc-remove-flow-logs/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf b/v2/internal/attacktechniques/aws/discovery/ec2-enumerate-from-instance/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -28,7 +28,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf b/v2/internal/attacktechniques/aws/discovery/ec2-get-user-data/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf b/v2/internal/attacktechniques/aws/execution/ec2-launch-unusual-instances/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -72,7 +72,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf b/v2/internal/attacktechniques/aws/execution/ec2-user-data/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -28,7 +28,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/execution/ssm-send-command/main.tf b/v2/internal/attacktechniques/aws/execution/ssm-send-command/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -32,7 +32,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/execution/ssm-start-session/main.tf b/v2/internal/attacktechniques/aws/execution/ssm-start-session/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -32,7 +32,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/...nternal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf b/...nternal/attacktechniques/aws/exfiltration/ec2-security-group-open-port-22-ingress/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ami/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf b/v2/internal/attacktechniques/aws/exfiltration/ec2-share-ebs-snapshot/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf b/v2/internal/attacktechniques/aws/exfiltration/rds-share-snapshot/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -33,7 +33,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf b/v2/internal/attacktechniques/aws/exfiltration/s3-backdoor-bucket-policy/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-batch-deletion/main.tf b/v2/internal/attacktechniques/aws/impact/s3-ransomware-batch-deletion/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-client-side-encryption/main.tf b/v2/internal/attacktechniques/aws/impact/s3-ransomware-client-side-encryption/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.tf b/v2/internal/attacktechniques/aws/impact/s3-ransomware-individual-deletion/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 3.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }

diff --git a/...attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf b/...attacktechniques/aws/lateral-movement/ec2-send-serial-console-send-ssh-public-key/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -34,7 +34,7 @@ data "aws_ec2_serial_console_access" "current" {}
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"

diff --git a/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-ssh-public-key/main.tf b/v2/internal/attacktechniques/aws/lateral-movement/ec2-send-ssh-public-key/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
     }
   }
 }
@@ -32,7 +32,7 @@ data "aws_availability_zones" "available" {
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 3.0"
+  version = ">= 4.54.0, < 5.0.0" # 4.54.0 at least is required for proper AWS SSO support, see #626
 
   name = "${local.resource_prefix}-vpc"
   cidr = "10.0.0.0/16"