Cloud scanner support in EKS (#26)

(cherry picked from commit ef12ada)

cloud_resource_changes/cloud_resource_changes.go

@@ -8,7 +8,7 @@ import (
 )
 
 type CloudResourceChanges interface {
-	Initialize() error
+	Initialize() (bool, error)
 	GetResourceTypesToRefresh() (map[string][]string, error)
 }
 

cloud_resource_changes/cloud_resource_changes_aws/cloudtrail.go

@@ -37,30 +37,27 @@ type CloudResourceChangesAWS struct {
 }
 
 func NewCloudResourcesChangesAWS(config util.Config) (*CloudResourceChangesAWS, error) {
-	if config.CloudScannerPolicy != TaskRoleReadOnly {
-		log.Warn().Msg("Task role is not set to arn:aws:iam::aws:policy/ReadOnlyAccess. Disabling CloudTrail based updates of cloud resources.")
-		return &CloudResourceChangesAWS{
-			config:           config,
-			cloudTrailTrails: []CloudTrailTrail{},
-		}, nil
-	}
 	return &CloudResourceChangesAWS{
 		config:           config,
 		cloudTrailTrails: make([]CloudTrailTrail, 0),
 	}, nil
 }
 
-func (c *CloudResourceChangesAWS) Initialize() error {
+func (c *CloudResourceChangesAWS) Initialize() (bool, error) {
+	if c.config.CloudScannerPolicy != TaskRoleReadOnly {
+		log.Warn().Msg("Task role is not set to arn:aws:iam::aws:policy/ReadOnlyAccess. Disabling CloudTrail based updates of cloud resources.")
+		return false, nil
+	}
 	trails := getCloudTrailTrails(c.config)
 	if len(trails) == 0 {
-		return ErrNoCloudTrailsFound
+		return false, ErrNoCloudTrailsFound
 	}
 	c.cloudTrailTrails = trails
 	log.Info().Msgf("Following CloudTrail Trails are monitored for events every 30 minutes to update the cloud resources in the management console")
 	for i, trail := range c.cloudTrailTrails {
 		log.Info().Msgf("%d. %s (Region: %s)", i+1, trail.Arn, trail.Region)
 	}
-	return nil
+	return true, nil
 }
 
 func (c *CloudResourceChangesAWS) GetResourceTypesToRefresh() (map[string][]string, error) {

cloud_resource_changes/cloud_resource_changes_aws/util.go

@@ -119,7 +119,7 @@ func getCloudTrailTrails(config util.Config) []CloudTrailTrail {
 		}
 	}
 	if len(selectedTrailList) == 0 {
-		log.Error().Msgf("Cloudtrail not configured")
+		log.Warn().Msgf("Cloudtrail not configured")
 		return trailList
 	}
 	return []CloudTrailTrail{selectedTrailList[0]}

cloud_resource_changes/cloud_resources_changes_azure/azure_monitor_logs.go

@@ -14,8 +14,8 @@ func NewCloudResourcesChangesAzure(config util.Config) (*CloudResourceChangesAzu
 	}, nil
 }
 
-func (c *CloudResourceChangesAzure) Initialize() error {
-	return nil
+func (c *CloudResourceChangesAzure) Initialize() (bool, error) {
+	return false, nil
 }
 
 func (c *CloudResourceChangesAzure) GetResourceTypesToRefresh() (map[string][]string, error) {

cloud_resource_changes/cloud_resources_changes_gcp/cloud_audit_logs.go

@@ -14,8 +14,8 @@ func NewCloudResourcesChangesGCP(config util.Config) (*CloudResourceChangesGCP,
 	}, nil
 }
 
-func (c *CloudResourceChangesGCP) Initialize() error {
-	return nil
+func (c *CloudResourceChangesGCP) Initialize() (bool, error) {
+	return false, nil
 }
 
 func (c *CloudResourceChangesGCP) GetResourceTypesToRefresh() (map[string][]string, error) {

helm-chart/deepfence-cloud-scanner/values.yaml

@@ -4,7 +4,7 @@ image:
   # ThreatStryker
   # repository: quay.io/deepfenceio/cloud_scanner
   pullPolicy: Always
-  tag: "2.3.1"
+  tag: 2.3.1
 
 # Deepfence management console url and port
 # Format: deepfence.customer.com or 123.123.123.123
@@ -19,7 +19,7 @@ deepfenceKey:
   key: ""
 
 cloudAccount:
-  # AWS/GCP/Azure account ID to monitor
+  # AWS account ID / GCP project ID / Azure subscription ID to monitor
   accountID: ""
   # Account name (Optional, for easy identification. Not required in organization deployment.)
   accountName: ""
@@ -32,18 +32,22 @@ cloudAccount:
   # Policy set for Cloud Scanner in CloudFormation / terraform
   # arn:aws:iam::aws:policy/ReadOnlyAccess / arn:aws:iam::aws:policy/SecurityAudit
   cloudScannerPolicy: ""
+
+  # Optional: AWS account ID / GCP project ID / Azure subscription ID where the helm chart is deployed,
+  # in case it is different from cloudAccount.accountID
+  deployedAccountID: ""
 
   # For Organization deployment:
 
   # Is this organization deployment or single account deployment?
   isOrganizationDeployment: false
 
   # Organization root account ID
+  # Should be same as cloudAccount.accountID, in case of AWS/GCP
+  # Should be tenant id, in case of Azure
   organizationAccountID: ""
 
-  # Optional: AWS/GCP/Azure account ID where the helm chart is deployed, in case it is different from monitored account ID
-  deployedAccountID: ""
-
+  # Applicable only in AWS
   # Role name. The name should be same across all accounts in the Organization deployment.
   # Role ARN example: arn:aws:iam::123456789012:role/deepfence-cloud-scanner-role
   # Role name in this case is deepfence-cloud-scanner-role
@@ -61,21 +65,25 @@ cloudAuditLogIDs: ""
 # service account needs special handling
 awsCredentialSource: "ServiceAccount"
 
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-
 serviceAccount:
   # Specifies whether a service account should be created
   create: true
   # Automatically mount a ServiceAccount's API credentials?
   automount: true
+
   # Annotations to add to the service account
   annotations: {}
+  # annotations:
+  #   "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/deepfence-cloud-scanner"
+
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
 
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
 podAnnotations: {}
 podLabels: {}
 

helm-chart/index.yaml

@@ -3,12 +3,12 @@ entries:
   deepfence-cloud-scanner:
   - apiVersion: v2
     appVersion: 2.3.1
-    created: "2024-09-12T23:05:04.567552+05:30"
+    created: "2024-09-13T16:11:49.769503+05:30"
     description: Deepfence Cloud Scanner
-    digest: 7c1bff9a6e7410ca7b16b448e2f2cd7adb2f59b85214875eeb2e696c4d9b0a05
+    digest: 373f538761c6d58d2b0cbb4be2fb0b23823cfaf5a284fe96983fd201cdab6451
     name: deepfence-cloud-scanner
     type: application
     urls:
     - deepfence-cloud-scanner-2.3.1.tgz
     version: 2.3.1
-generated: "2024-09-12T23:05:04.566918+05:30"
+generated: "2024-09-13T16:11:49.769078+05:30"

main.go

@@ -88,6 +88,10 @@ func main() {
 		}
 	}
 
+	if config.DeployedAccountID == "" {
+		config.DeployedAccountID = config.AccountID
+	}
+
 	switch config.CloudProvider {
 	case util.CloudProviderAWS:
 		if config.AWSCredentialSource != "EcsContainer" &&

query_resource/query_service.go

@@ -36,13 +36,15 @@ func NewResourceRefreshService(config util.Config) (*ResourceRefreshService, err
 
 func (r *ResourceRefreshService) Initialize() {
 	log.Info().Msgf("CloudResourceChanges Initialization started")
-	err := r.CloudResourceChanges.Initialize()
+	ok, err := r.CloudResourceChanges.Initialize()
 	if err != nil {
 		log.Warn().Msgf("%+v", err)
 	}
 	log.Info().Msgf("CloudResourceChanges Initialization completed")
 
-	go r.refreshResourcesFromTrailPeriodically()
+	if ok {
+		go r.refreshResourcesFromTrailPeriodically()
+	}
 }
 
 func (r *ResourceRefreshService) Lock() {

service/service.go

@@ -466,11 +466,13 @@ func processAwsCredentials(c *ComplianceScanService) {
 		} else {
 			if accId == c.config.DeployedAccountID {
 				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
-			} else if c.config.AWSCredentialSource == "ServiceAccount" {
-				awsCredentialsFile += "\n[profile_" + accId + "]\nrole_arn = arn:aws:iam::" + accId + ":role/" + c.config.RoleName + "\nsource_profile = default\n"
-				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  profile = \"profile_" + accId + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
 			} else {
-				awsCredentialsFile += "\n[profile_" + accId + "]\nrole_arn = arn:aws:iam::" + accId + ":role/" + c.config.RoleName + "\ncredential_source = " + c.config.AWSCredentialSource + "\n"
+				awsCredentialsFile += "\n[profile_" + accId + "]\nrole_arn = arn:aws:iam::" + accId + ":role/" + c.config.RoleName + "\n"
+				if c.config.AWSCredentialSource == "ServiceAccount" {
+					awsCredentialsFile += "source_profile = default\n"
+				} else {
+					awsCredentialsFile += "credential_source = " + c.config.AWSCredentialSource + "\n"
+				}
 				steampipeConfigFile += "\nconnection \"aws_" + accId + "\" {\n  plugin = \"" + util.SteampipeAWSPluginVersion + "\"\n  profile = \"profile_" + accId + "\"\n  " + regionString + "  max_error_retry_attempts = 10\n  ignore_error_codes = [\"AccessDenied\", \"AccessDeniedException\", \"NotAuthorized\", \"UnauthorizedOperation\", \"AuthorizationError\"]\n}\n"
 			}
 		}