diff --git a/go.mod b/go.mod index 07658d96..699cf9d5 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,13 @@ go 1.21 require ( cloud.google.com/go/storage v1.33.0 - github.com/aws/aws-sdk-go v1.45.28 + github.com/aws/aws-sdk-go-v2 v1.21.2 + github.com/aws/aws-sdk-go-v2/config v1.19.0 + github.com/aws/aws-sdk-go-v2/credentials v1.13.43 + github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0 + github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 + github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2 + github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 github.com/go-redis/redis/v8 v8.11.5 github.com/go-sql-driver/mysql v1.7.1 github.com/kyverno/go-wildcard v1.0.5 @@ -33,6 +39,19 @@ require ( cloud.google.com/go/compute v1.23.1 // indirect cloud.google.com/go/compute/metadata v0.2.3 // indirect cloud.google.com/go/iam v1.1.3 // indirect + github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 // indirect + github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 // indirect + github.com/aws/smithy-go v1.15.0 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/cespare/xxhash/v2 v2.2.0 // indirect github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect diff --git a/go.sum b/go.sum index 114aafa6..9af0ae16 100644 --- a/go.sum 
+++ b/go.sum 
@@ -48,8 +48,46 @@ cloud.google.com/go/storage v1.33.0/go.mod h1:Hhh/dogNRGca7IWv1RC2YqEn0c0G77ctA/ dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/aws/aws-sdk-go v1.45.28 h1:p2ATcaK6ffSw4yZ2UAGzgRyRXwKyOJY6ZCiKqj5miJE= -github.com/aws/aws-sdk-go v1.45.28/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= +github.com/aws/aws-sdk-go-v2 v1.21.2 h1:+LXZ0sgo8quN9UOKXXzAWRT3FWd4NxeXWOZom9pE7GA= +github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14 h1:Sc82v7tDQ/vdU1WtuSyzZ1I7y/68j//HJ6uozND1IDs= +github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.14/go.mod h1:9NCTOURS8OpxvoAVHq79LK81/zC78hfRWFn+aL0SPcY= +github.com/aws/aws-sdk-go-v2/config v1.19.0 h1:AdzDvwH6dWuVARCl3RTLGRc4Ogy+N7yLFxVxXe1ClQ0= +github.com/aws/aws-sdk-go-v2/config v1.19.0/go.mod h1:ZwDUgFnQgsazQTnWfeLWk5GjeqTQTL8lMkoE1UXzxdE= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43 h1:LU8vo40zBlo3R7bAvBVy/ku4nxGEyZe9N8MqAeFTzF8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.43/go.mod h1:zWJBz1Yf1ZtX5NGax9ZdNjhhI4rgjfgsyk6vTY1yfVg= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13 h1:PIktER+hwIG286DqXyvVENjgLTAwGgoeriLDD5C+YlQ= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.13/go.mod h1:f/Ib/qYjhV2/qdsf79H3QP/eRE4AkVyEf6sk7XfZ1tg= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43 h1:nFBQlGtkbPzp/NjZLuFxRqmT91rLJkgvsEQs68h962Y= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.43/go.mod h1:auo+PiyLl0n1l8A0e8RIeR8tOzYPfZZH/JNlrJ8igTQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37 h1:JRVhO25+r3ar2mKGP7E0LDl8K9/G36gjlqca5iQbaqc= 
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.37/go.mod h1:Qe+2KtKml+FEsQF/DHmDV+xjtche/hwoF75EG4UlHW8= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45 h1:hze8YsjSh8Wl1rYa1CJpRmXP21BvOBuc76YhW0HsuQ4= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.45/go.mod h1:lD5M20o09/LCuQ2mE62Mb/iSdSlCNuj6H5ci7tW7OsE= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6 h1:wmGLw2i8ZTlHLw7a9ULGfQbuccw8uIiNr6sol5bFzc8= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.1.6/go.mod h1:Q0Hq2X/NuL7z8b1Dww8rmOFl+jzusKEcyvkKspwdpyc= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15 h1:7R8uRYyXzdD71KWVCL78lJZltah6VVznXBazvKjfH58= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.15/go.mod h1:26SQUPcTNgV1Tapwdt4a1rOsYRsnBsJHLMPoxK2b0d8= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38 h1:skaFGzv+3kA+v2BPKhuekeb1Hbb105+44r8ASC+q5SE= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.38/go.mod h1:epIZoRSSbRIwLPJU5F+OldHhwZPBdpDeQkRdCeY3+00= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37 h1:WWZA/I2K4ptBS1kg0kV1JbBtG/umed0vwHRrmcr9z7k= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.37/go.mod h1:vBmDnwWXWxNPFRMmG2m/3MKOe+xEcMDo1tanpaWCcck= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6 h1:9ulSU5ClouoPIYhDQdg9tpl83d5Yb91PXTKK+17q+ow= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.15.6/go.mod h1:lnc2taBsR9nTlz9meD+lhFZZ9EWY712QHrRflWpTcOA= +github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0 h1:OCYjSomi2Q8ttimk0DB4nNSAvoVOXfpSAwB0ZM4g1K0= +github.com/aws/aws-sdk-go-v2/service/kinesis v1.20.0/go.mod h1:IKAdoalibJPPhb+riPJyKh9z/6V8n4J2X1yUto/W90Q= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2 h1:Ll5/YVCOzRB+gxPqs2uD0R7/MyATC0w85626glSKmp4= +github.com/aws/aws-sdk-go-v2/service/s3 v1.40.2/go.mod h1:Zjfqt7KhQK+PO1bbOsFNzKgaq7TcxzmEoDWN8lM0qzQ= +github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2 h1:F/ApqSnIeQl+1oiBxEmnJ4Xza3lzC/58tbtuHN5ZiCs= 
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.37.2/go.mod h1:T1iphqNYdWF50nRQ++jMxIYe5Gw63/eeP0as72YtzwI= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2 h1:JuPGc7IkOP4AaqcZSIcyqLpFSqBWK32rM9+a1g6u73k= +github.com/aws/aws-sdk-go-v2/service/sso v1.15.2/go.mod h1:gsL4keucRCgW+xA85ALBpRFfdSLH4kHOVSnLMSuBECo= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3 h1:HFiiRkf1SdaAmV3/BHOFZ9DjFynPHj8G/UIO1lQS+fk= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.17.3/go.mod h1:a7bHA82fyUXOm+ZSWKU6PIoBxrjSprdLoM8xPYvzYVg= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2 h1:0BkLfgeDjfZnZ+MhB3ONb01u9pwFYTCZVhlsSSBvlbU= +github.com/aws/aws-sdk-go-v2/service/sts v1.23.2/go.mod h1:Eows6e1uQEsc4ZaHANmsPRzAKcVDrcmjjWiih2+HUUQ= +github.com/aws/smithy-go v1.15.0 h1:PS/durmlzvAFpQHDs4wi4sNNP9ExsqZh6IlfdHXgKK8= +github.com/aws/smithy-go v1.15.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -154,6 +192,7 @@ github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= +github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= 
@@ -427,7 +466,6 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= @@ -492,12 +530,10 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE= golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -509,7 +545,6 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ= -golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff --git a/pkg/config/database_factory_test.go b/pkg/config/database_factory_test.go index 35c46933..89468905 100644 --- a/pkg/config/database_factory_test.go +++ b/pkg/config/database_factory_test.go @@ -3,9 +3,10 @@ package config_test import ( "testing" + "github.com/uptrace/bun/dialect" + "github.com/kyverno/policy-reporter/pkg/config" "github.com/kyverno/policy-reporter/pkg/kubernetes/secrets" - "github.com/uptrace/bun/dialect" ) func Test_ResolveDatabase(t *testing.T) { diff --git a/pkg/config/target_factory.go b/pkg/config/target_factory.go index f88c996a..3953c48c 100644 --- a/pkg/config/target_factory.go +++ b/pkg/config/target_factory.go @@ -616,6 +616,7 @@ func (f *TargetFactory) createS3Client(config, parent *S3) target.Client { return nil } + setFallback(&config.Region, os.Getenv("AWS_REGION")) setFallback(&config.Prefix, parent.Prefix, "policy-reporter") setFallback(&config.KmsKeyID, parent.KmsKeyID) setFallback(&config.ServerSideEncryption, parent.ServerSideEncryption) 
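Review bot: The new `setFallback(&config.Region, os.Getenv("AWS_REGION"))` skips `parent.Region`, while the sibling calls directly below it fall back to the parent target first; since `config` and `parent` are both `*S3`, a per-target S3 block would not inherit the region set on the parent even though it inherits Prefix, KmsKeyID and ServerSideEncryption. Unless the parent region is applied somewhere outside this hunk, `setFallback(&config.Region, parent.Region, os.Getenv("AWS_REGION"))` keeps the environment variable as the last resort and makes the fallback order consistent with the other fields. createS3Client starts and ends outside the hunk.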
@@ -630,7 +631,7 @@ func (f *TargetFactory) createS3Client(config, parent *S3) target.Client { config.Endpoint, config.Bucket, config.PathStyle, - helper.WithKMS(&config.BucketKeyEnabled, &config.KmsKeyID, &config.ServerSideEncryption), + helper.WithKMS(config.BucketKeyEnabled, &config.KmsKeyID, &config.ServerSideEncryption), ) sugar.Infof("%s configured", config.Name) diff --git a/pkg/helper/aws.go b/pkg/helper/aws.go index 1a98d2ab..98baf111 100644 --- a/pkg/helper/aws.go +++ b/pkg/helper/aws.go @@ -2,19 +2,20 @@ package helper import ( "bytes" + "context" "io" "os" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials" - "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds" - "github.com/aws/aws-sdk-go/aws/credentials/stscreds" - "github.com/aws/aws-sdk-go/aws/ec2metadata" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/kinesis" - "github.com/aws/aws-sdk-go/service/s3/s3manager" - "github.com/aws/aws-sdk-go/service/securityhub" - "github.com/aws/aws-sdk-go/service/sts" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/credentials" + "github.com/aws/aws-sdk-go-v2/credentials/ec2rolecreds" + "github.com/aws/aws-sdk-go-v2/credentials/stscreds" + "github.com/aws/aws-sdk-go-v2/service/kinesis" + "github.com/aws/aws-sdk-go-v2/service/s3" + "github.com/aws/aws-sdk-go-v2/service/s3/types" + "github.com/aws/aws-sdk-go-v2/service/securityhub" + "github.com/aws/aws-sdk-go-v2/service/sts" "go.uber.org/zap" ) 
@@ -27,15 +28,15 @@ type AWSClient interface { type s3Client struct { bucket string - uploader *s3manager.Uploader - bucketKeyEnabled *bool + client *s3.Client + bucketKeyEnabled bool kmsKeyID *string - serverSideEncryption *string + serverSideEncryption types.ServerSideEncryption } type Options func(s *s3Client) -func WithKMS(bucketKeyEnabled *bool, kmsKeyID, serverSideEncryption *string) Options { +func WithKMS(bucketKeyEnabled bool, kmsKeyID, serverSideEncryption *string) Options { return func(s *s3Client) { s.bucketKeyEnabled = bucketKeyEnabled if *kmsKeyID != "" { @@ -43,13 +44,13 @@ func WithKMS(bucketKeyEnabled *bool, kmsKeyID, serverSideEncryption *string) Opt } if *serverSideEncryption != "" { - s.serverSideEncryption = serverSideEncryption + s.serverSideEncryption = types.ServerSideEncryption(s.serverSideEncryption) } } } func (s *s3Client) Upload(body *bytes.Buffer, key string) error { - _, err := s.uploader.Upload(&s3manager.UploadInput{ + _, err := s.client.PutObject(context.TODO(), &s3.PutObjectInput{ Bucket: aws.String(s.bucket), Key: aws.String(key), Body: body, 
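Review bot: `s.serverSideEncryption = types.ServerSideEncryption(s.serverSideEncryption)` converts the field's own zero value to itself and never reads the `serverSideEncryption` parameter, so a configured value such as `aws:kms` is silently dropped and, assuming the field is forwarded to PutObjectInput below the hunk, objects are uploaded without the requested server-side encryption — a regression from the removed line, which stored the argument. It should read `s.serverSideEncryption = types.ServerSideEncryption(*serverSideEncryption)`. A unit test asserting that `WithKMS(true, &kms, &sse)` populates both fields would have caught this; `*kmsKeyID` and `*serverSideEncryption` are also still dereferenced without a nil check, which is pre-existing. WithKMS's closure begins in the previous hunk and the PutObject call continues past this one.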
@@ -62,20 +63,23 @@ func (s *s3Client) Upload(body *bytes.Buffer, key string) error { // NewS3Client creates a new S3.client to send Results to S3 func NewS3Client(accessKeyID, secretAccessKey, region, endpoint, bucket string, pathStyle bool, opts ...Options) AWSClient { - config := createConfig(accessKeyID, secretAccessKey, region, endpoint) - if pathStyle { - config.S3ForcePathStyle = &pathStyle - } - - sess, err := session.NewSession(config) + config, err := createConfig(accessKeyID, secretAccessKey, region) if err != nil { - zap.L().Error("error while creating S3 session") + zap.L().Error("error while creating config", zap.Error(err)) return nil } + client := s3.NewFromConfig(config, func(o *s3.Options) { + o.UsePathStyle = pathStyle + + if endpoint != "" { + o.BaseEndpoint = &endpoint + } + }) + s3Client := &s3Client{ - bucket: bucket, - uploader: s3manager.NewUploader(sess), + bucket: bucket, + client: client, } for _, opt := range opts { @@ -87,7 +91,7 @@ func NewS3Client(accessKeyID, secretAccessKey, region, endpoint, bucket string, type kinesisClient struct { streamName string - kinesis *kinesis.Kinesis + kinesis *kinesis.Client } func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error { @@ -96,7 +100,7 @@ func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error { return err } - _, err = k.kinesis.PutRecord(&kinesis.PutRecordInput{ + _, err = k.kinesis.PutRecord(context.TODO(), &kinesis.PutRecordInput{ StreamName: aws.String(k.streamName), PartitionKey: aws.String(key), Data: data, 
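Review bot: The error log in NewS3Client now reads `error while creating config`, and NewKinesisClient and NewHubClient in the next hunk use the identical text, so the three previously distinct messages (`S3 session`, `Kinesis session`, `SecurityHub session`) can no longer be told apart when a target comes up as nil. Keeping the target in the message, e.g. `zap.L().Error("error while creating S3 config", zap.Error(err))`, preserves that attribution at no cost. NewS3Client's body continues past the hunk.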
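Review bot: `k.kinesis.PutRecord(context.TODO(), ...)` passes a context that can never be cancelled or expire, so a hung Kinesis endpoint blocks the sender indefinitely; the same applies to `s.client.PutObject` in the S3 Upload hunk, to `BatchImportFindings` in pkg/target/securityhub/securityhub.go and to `config.LoadDefaultConfig` in createConfig. Since the v2 API now takes a context at every call site, a bounded one is cheap: `ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)` followed by `defer cancel()` before the call (the 30s value is a constructed example; this adds a `time` import to the file). kinesisClient.Upload starts before this hunk.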
@@ -106,75 +110,64 @@ func (k *kinesisClient) Upload(body *bytes.Buffer, key string) error { // NewKinesisClient creates a new S3.client to send Results to S3 func NewKinesisClient(accessKeyID, secretAccessKey, region, endpoint, streamName string) AWSClient { - config := createConfig(accessKeyID, secretAccessKey, region, endpoint) - - sess, err := session.NewSession(config) + config, err := createConfig(accessKeyID, secretAccessKey, region) if err != nil { - zap.L().Error("error while creating Kinesis session") + zap.L().Error("error while creating config", zap.Error(err)) return nil } return &kinesisClient{ streamName, - kinesis.New(sess), + kinesis.NewFromConfig(config, func(o *kinesis.Options) { + if endpoint != "" { + o.BaseEndpoint = &endpoint + } + }), } } // NewHubClient creates a new SecurityHub client to send finding events -func NewHubClient(accessKeyID, secretAccessKey, region, endpoint string) *securityhub.SecurityHub { - config := createConfig(accessKeyID, secretAccessKey, region, endpoint) - - sess, err := session.NewSession(config) +func NewHubClient(accessKeyID, secretAccessKey, region, endpoint string) *securityhub.Client { + config, err := createConfig(accessKeyID, secretAccessKey, region) if err != nil { - zap.L().Error("error while creating SecurityHub session") + zap.L().Error("error while creating config", zap.Error(err)) return nil } - optional := make([]*aws.Config, 0) - if endpoint != "" { - optional = append(optional, aws.NewConfig().WithEndpoint(endpoint)) - } - - return securityhub.New(sess, optional...) 
+ return securityhub.NewFromConfig(config, func(o *securityhub.Options) { + if endpoint != "" { + o.BaseEndpoint = &endpoint + } + }) } -func createConfig(accessKeyID, secretAccessKey, region, endpoint string) *aws.Config { - baseConfig := &aws.Config{} - if endpoint != "" { - baseConfig.Endpoint = aws.String(endpoint) - } - if region != "" { - baseConfig.Region = aws.String(region) - } +func createConfig(accessKeyID, secretAccessKey, region string) (aws.Config, error) { + roleARN := os.Getenv("AWS_ROLE_ARN") + webIdentity := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") - sess := session.Must(session.NewSession(baseConfig)) + cfg, err := config.LoadDefaultConfig(context.TODO(), func(o *config.LoadOptions) error { + if region != "" { + o.Region = region + } - var provider credentials.Provider + return nil + }) + if err != nil { + return aws.Config{}, err + } if accessKeyID != "" && secretAccessKey != "" { - provider = &credentials.StaticProvider{ - Value: credentials.Value{ - AccessKeyID: accessKeyID, - SecretAccessKey: secretAccessKey, - }, - } - } else if os.Getenv("AWS_ROLE_ARN") != "" && os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE") != "" { - provider = stscreds.NewWebIdentityRoleProvider( - sts.New(sess), - os.Getenv("AWS_ROLE_ARN"), - "", - os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE"), - ) + zap.L().Debug("configure AWS credentals provider", zap.String("provider", "StaticCredentialsProvider")) + cfg.Credentials = credentials.NewStaticCredentialsProvider(accessKeyID, secretAccessKey, "") + } else if webIdentity != "" && roleARN != "" { + zap.L().Debug("configure AWS credentals provider", zap.String("provider", "WebIdentityRoleProvider")) + cfg.Credentials = stscreds.NewWebIdentityRoleProvider(sts.NewFromConfig(cfg), roleARN, stscreds.IdentityTokenFile(webIdentity)) + } else if roleARN != "" { + zap.L().Debug("configure AWS credentals provider", zap.String("provider", "AssumeRoleProvider")) + cfg.Credentials = stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleARN) } 
else { - provider = &ec2rolecreds.EC2RoleProvider{ - Client: ec2metadata.New(sess), - } + cfg.Credentials = ec2rolecreds.New() } - return &aws.Config{ - Region: baseConfig.Region, - Endpoint: baseConfig.Endpoint, - CredentialsChainVerboseErrors: aws.Bool(true), - Credentials: credentials.NewCredentials(provider), - } + return cfg, nil } diff --git a/pkg/listener/new_result_test.go b/pkg/listener/new_result_test.go index 7acbfec7..9d53beaa 100644 --- a/pkg/listener/new_result_test.go +++ b/pkg/listener/new_result_test.go @@ -4,12 +4,13 @@ import ( "testing" "time" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "github.com/kyverno/policy-reporter/pkg/cache" "github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2" "github.com/kyverno/policy-reporter/pkg/fixtures" "github.com/kyverno/policy-reporter/pkg/listener" "github.com/kyverno/policy-reporter/pkg/report" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) func Test_ResultListener(t *testing.T) { diff --git a/pkg/target/googlechat/googlechat.go b/pkg/target/googlechat/googlechat.go index 683594b1..be436ca9 100644 --- a/pkg/target/googlechat/googlechat.go +++ b/pkg/target/googlechat/googlechat.go @@ -5,15 +5,18 @@ import ( "text/template" "time" + "go.uber.org/zap" + corev1 "k8s.io/api/core/v1" + "github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2" "github.com/kyverno/policy-reporter/pkg/target" "github.com/kyverno/policy-reporter/pkg/target/http" - "go.uber.org/zap" - corev1 "k8s.io/api/core/v1" ) -const messageTempl string = `[{{ .Priority }}] {{ or .Result.Policy .Result.Rule }}` -const resourceTempl string = `{{ if .Namespace }}[{{ .Namespace }}] {{ end }} {{ .APIVersion }}/{{ .Kind }} {{ .Name }}` +const ( + messageTempl string = `[{{ .Priority }}] {{ or .Result.Policy .Result.Rule }}` + resourceTempl string = `{{ if .Namespace }}[{{ .Namespace }}] {{ end }} {{ .APIVersion }}/{{ .Kind }} {{ .Name }}` +) type values struct { Result v1alpha2.PolicyReportResult 
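Review bot: The providers assigned in the web-identity, assume-role and final `else` branches of createConfig are not wrapped in `aws.NewCredentialsCache`, so with SDK v2 every signed request re-runs the underlying STS AssumeRole or IMDS round trip instead of reusing credentials until they expire, which adds latency to each upload and risks STS throttling under load; the static provider does not need the wrapper. The three assignments become `cfg.Credentials = aws.NewCredentialsCache(stscreds.NewWebIdentityRoleProvider(sts.NewFromConfig(cfg), roleARN, stscreds.IdentityTokenFile(webIdentity)))`, `cfg.Credentials = aws.NewCredentialsCache(stscreds.NewAssumeRoleProvider(sts.NewFromConfig(cfg), roleARN))` and `cfg.Credentials = aws.NewCredentialsCache(ec2rolecreds.New())`. Separately, the `else` branch replaces the chain that `config.LoadDefaultConfig` already resolved (environment, shared config, container and pod credentials) with an IMDS-only provider; if that is meant to mirror the v1 behaviour, a comment such as `// keep v1 semantics: fall back to the instance role only` would stop the next reader from "fixing" it, otherwise leaving `cfg.Credentials` untouched there is the more robust choice. The three debug messages also spell `credentals`.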
@@ -94,7 +97,7 @@ func mapPayload(result v1alpha2.PolicyReportResult) (*Payload, error) { return nil, err } - var prio = result.Priority.String() + prio := result.Priority.String() if prio == "" { prio = v1alpha2.DebugPriority.String() } diff --git a/pkg/target/http/logroundtripper.go b/pkg/target/http/logroundtripper.go index 5b89a400..762c669e 100644 --- a/pkg/target/http/logroundtripper.go +++ b/pkg/target/http/logroundtripper.go @@ -2,9 +2,10 @@ package http import ( "fmt" - "go.uber.org/zap" "net/http" "net/http/httputil" + + "go.uber.org/zap" ) func NewLoggingRoundTripper(roundTripper http.RoundTripper) http.RoundTripper { diff --git a/pkg/target/securityhub/securityhub.go b/pkg/target/securityhub/securityhub.go index 55bc13d1..0ffc8ac7 100644 --- a/pkg/target/securityhub/securityhub.go +++ b/pkg/target/securityhub/securityhub.go @@ -1,10 +1,12 @@ package securityhub import ( + "context" "fmt" "time" - hub "github.com/aws/aws-sdk-go/service/securityhub" + hub "github.com/aws/aws-sdk-go-v2/service/securityhub" + "github.com/aws/aws-sdk-go-v2/service/securityhub/types" "go.uber.org/zap" "github.com/kyverno/policy-reporter/pkg/crd/api/policyreport/v1alpha2" @@ -15,7 +17,7 @@ import ( type Options struct { target.ClientOptions CustomFields map[string]string - Client *hub.SecurityHub + Client *hub.Client AccountID string Region string } @@ -23,7 +25,7 @@ type Options struct { type client struct { target.BaseClient customFields map[string]string - hub *hub.SecurityHub + hub *hub.Client accountID string region string } 
@@ -41,37 +43,37 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) { t := time.Unix(result.Timestamp.Seconds, int64(result.Timestamp.Nanos)) - res, err := c.hub.BatchImportFindings(&hub.BatchImportFindingsInput{ - Findings: []*hub.AwsSecurityFinding{ + res, err := c.hub.BatchImportFindings(context.TODO(), &hub.BatchImportFindingsInput{ + Findings: []types.AwsSecurityFinding{ { Id: &result.ID, AwsAccountId: &c.accountID, SchemaVersion: toPointer("2018-10-08"), ProductArn: toPointer("arn:aws:securityhub:" + c.region + ":" + c.accountID + ":product/" + c.accountID + "/default"), GeneratorId: toPointer(fmt.Sprintf("%s/%s", result.Source, generator)), - Types: []*string{toPointer("Software and Configuration Checks")}, + Types: []string{"Software and Configuration Checks"}, CreatedAt: toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")), UpdatedAt: toPointer(t.Format("2006-01-02T15:04:05.999999999Z07:00")), - Severity: &hub.Severity{ + Severity: &types.Severity{ Label: mapSeverity(result.Severity), }, Title: &title, Description: &result.Message, - ProductFields: map[string]*string{ - "Product Name": toPointer("Policy Reporter"), + ProductFields: map[string]string{ + "Product Name": "Policy Reporter", }, - Resources: []*hub.Resource{ + Resources: []types.Resource{ { Type: toPointer("Other"), Region: &c.region, - Partition: toPointer("aws"), + Partition: types.PartitionAws, Id: mapResourceID(result), - Details: &hub.ResourceDetails{ + Details: &types.ResourceDetails{ Other: c.mapOtherDetails(result), }, }, }, - RecordState: toPointer(hub.RecordStateActive), + RecordState: types.RecordStateActive, }, }, }) 
@@ -80,26 +82,26 @@ func (c *client) Send(result v1alpha2.PolicyReportResult) { return } - zap.L().Info(c.Name()+": PUSH OK", zap.Int64("successCount", *res.SuccessCount), zap.Int64("failedCount", *res.FailedCount)) + zap.L().Info(c.Name()+": PUSH OK", zap.Int32("successCount", res.SuccessCount), zap.Int32("failedCount", res.FailedCount)) } -func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string]*string { - details := map[string]*string{ - "Source": &result.Source, - "Category": &result.Category, - "Policy": &result.Policy, - "Rule": &result.Rule, - "Result": toPointer(string(result.Result)), - "Priority": toPointer(result.Priority.String()), +func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string]string { + details := map[string]string{ + "Source": result.Source, + "Category": result.Category, + "Policy": result.Policy, + "Rule": result.Rule, + "Result": string(result.Result), + "Priority": result.Priority.String(), } if len(c.customFields) > 0 { for property, value := range c.customFields { - details[property] = &value + details[property] = value } for property, value := range result.Properties { - details[property] = &value + details[property] = value } } @@ -107,19 +109,19 @@ func (c *client) mapOtherDetails(result v1alpha2.PolicyReportResult) map[string] res := result.GetResource() if res.APIVersion != "" { - details["Resource APIVersion"] = &res.APIVersion + details["Resource APIVersion"] = res.APIVersion } if res.Kind != "" { - details["Resource Kind"] = &res.Kind + details["Resource Kind"] = res.Kind } if res.Namespace != "" { - details["Resource Namespace"] = &res.Namespace + details["Resource Namespace"] = res.Namespace } if res.Name != "" { - details["Resource Name"] = &res.Name + details["Resource Name"] = res.Name } if res.UID != "" { - details["Resource UID"] = toPointer(string(res.UID)) + details["Resource UID"] = string(res.UID) } } 
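Review bot: In mapOtherDetails the `result.Properties` loop still sits inside `if len(c.customFields) > 0`, so a result's own properties only reach Security Hub when custom fields are configured as well; the guard is pre-existing context, but since this hunk rewrites both loops it is the natural moment to move `for property, value := range result.Properties { details[property] = value }` out of that block, assuming properties are meant to be forwarded regardless — confirm against the other targets. The switch from `&value` to `value` also removes the old loop-variable aliasing, where every custom field pointed at the same variable; that is a behavioural fix and deserves a mention in the commit message. The function continues into the next hunk.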
@@ -141,20 +143,20 @@ func toPointer[T any](value T) *T { return &value } -func mapSeverity(s v1alpha2.PolicySeverity) *string { +func mapSeverity(s v1alpha2.PolicySeverity) types.SeverityLabel { switch s { case v1alpha2.SeverityInfo: - return toPointer(hub.SeverityLabelInformational) + return types.SeverityLabelInformational case v1alpha2.SeverityLow: - return toPointer(hub.SeverityLabelLow) + return types.SeverityLabelLow case v1alpha2.SeverityMedium: - return toPointer(hub.SeverityLabelMedium) + return types.SeverityLabelMedium case v1alpha2.SeverityHigh: - return toPointer(hub.SeverityLabelHigh) + return types.SeverityLabelHigh case v1alpha2.SeverityCritical: - return toPointer(hub.SeverityLabelCritical) + return types.SeverityLabelCritical default: - return toPointer(hub.SeverityLabelInformational) + return types.SeverityLabelInformational } } diff --git a/pkg/target/telegram/telegram.go b/pkg/target/telegram/telegram.go index 7911c1bb..6e932b7e 100644 --- a/pkg/target/telegram/telegram.go +++ b/pkg/target/telegram/telegram.go @@ -26,8 +26,7 @@ func escape(text interface{}) string { return replacer.Replace(fmt.Sprintf("%v", text)) } -var ( - notificationTempl = `*\[Policy Reporter\] \[{{ .Priority }}\] {{ escape (or .Result.Policy .Result.Rule) }}* +var notificationTempl = `*\[Policy Reporter\] \[{{ .Priority }}\] {{ escape (or .Result.Policy .Result.Rule) }}* {{- if .Resource }} *Resource*: {{ .Resource.Kind }} {{ if .Resource.Namespace }}{{ escape .Resource.Namespace }}/{{ end }}{{ escape .Resource.Name }} @@ -49,7 +48,6 @@ var ( {{ range $key, $value := .Result.Properties }}• *{{ escape $key }}*: {{ escape $value }} {{ end }} ` -) type Payload struct { Text string `json:"text,omitempty"` @@ -119,7 +117,7 @@ func (e *client) Send(result v1alpha2.PolicyReportResult) { res = result.GetResource() } - var prio = result.Priority.String() + prio := result.Priority.String() if prio == "" { prio = v1alpha2.DebugPriority.String() }