⭐ Expand OCI provider with new resources for CIS benchmark coverage

.github/actions/spelling/expect.txt

@@ -43,6 +43,7 @@ cmdline
 cmnd
 cname
 compressratio
+computeagent
 cooldown
 copywrite
 cpe
@@ -76,6 +77,8 @@ ekm
 ekus
 elbv
 endpointslice
+EPP
+ERPCLOUD
 exo
 failback
 fargate
@@ -99,6 +102,7 @@ gpu
 groupname
 gvnic
 HADOOP
+HCMCLOUD
 headerorder
 hec
 Hns
@@ -169,6 +173,7 @@ nodepool
 nokeys
 notebookinstancedetails
 nproc
+nsg
 nsrecord
 nullgroup
 nullstring
@@ -270,7 +275,9 @@ vdev
 VGeneration
 virtualmachine
 vlans
+Vnic
 vnet
+vpus
 vrf
 vtpm
 vulnerabilityassessmentsettings

providers/oci/connection/clients.go

@@ -8,10 +8,22 @@ import (
 	"errors"
 
 	"github.com/oracle/oci-go-sdk/v65/audit"
+	"github.com/oracle/oci-go-sdk/v65/bastion"
+	"github.com/oracle/oci-go-sdk/v65/cloudguard"
 	"github.com/oracle/oci-go-sdk/v65/common"
+	"github.com/oracle/oci-go-sdk/v65/containerengine"
 	"github.com/oracle/oci-go-sdk/v65/core"
+	"github.com/oracle/oci-go-sdk/v65/events"
+	"github.com/oracle/oci-go-sdk/v65/filestorage"
 	"github.com/oracle/oci-go-sdk/v65/identity"
+	"github.com/oracle/oci-go-sdk/v65/keymanagement"
+	"github.com/oracle/oci-go-sdk/v65/loadbalancer"
+	"github.com/oracle/oci-go-sdk/v65/logging"
+	"github.com/oracle/oci-go-sdk/v65/monitoring"
+	"github.com/oracle/oci-go-sdk/v65/networkfirewall"
 	"github.com/oracle/oci-go-sdk/v65/objectstorage"
+	"github.com/oracle/oci-go-sdk/v65/ons"
+	"github.com/oracle/oci-go-sdk/v65/vault"
 )
 
 func (c *OciConnection) IdentityClient() (identity.IdentityClient, error) {
@@ -152,3 +164,137 @@ func (c *OciConnection) ObjectStorageClient(region string) (*objectstorage.Objec
 	client.SetRegion(region)
 	return &client, nil
 }
+
+func (c *OciConnection) BlockstorageClient(region string) (*core.BlockstorageClient, error) {
+	client, err := core.NewBlockstorageClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) FileStorageClient(region string) (*filestorage.FileStorageClient, error) {
+	client, err := filestorage.NewFileStorageClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) LoggingClient(region string) (*logging.LoggingManagementClient, error) {
+	client, err := logging.NewLoggingManagementClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) KmsVaultClient(region string) (*keymanagement.KmsVaultClient, error) {
+	client, err := keymanagement.NewKmsVaultClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) KmsManagementClient(endpoint string) (*keymanagement.KmsManagementClient, error) {
+	client, err := keymanagement.NewKmsManagementClientWithConfigurationProvider(c.config, endpoint)
+	if err != nil {
+		return nil, err
+	}
+	return &client, nil
+}
+
+func (c *OciConnection) EventsClient(region string) (*events.EventsClient, error) {
+	client, err := events.NewEventsClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) NotificationControlPlaneClient(region string) (*ons.NotificationControlPlaneClient, error) {
+	client, err := ons.NewNotificationControlPlaneClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) CloudGuardClient(region string) (*cloudguard.CloudGuardClient, error) {
+	client, err := cloudguard.NewCloudGuardClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) NotificationDataPlaneClient(region string) (*ons.NotificationDataPlaneClient, error) {
+	client, err := ons.NewNotificationDataPlaneClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) BastionClient(region string) (*bastion.BastionClient, error) {
+	client, err := bastion.NewBastionClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) MonitoringClient(region string) (*monitoring.MonitoringClient, error) {
+	client, err := monitoring.NewMonitoringClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) VaultsClient(region string) (*vault.VaultsClient, error) {
+	client, err := vault.NewVaultsClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) LoadBalancerClient(region string) (*loadbalancer.LoadBalancerClient, error) {
+	client, err := loadbalancer.NewLoadBalancerClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) NetworkFirewallClient(region string) (*networkfirewall.NetworkFirewallClient, error) {
+	client, err := networkfirewall.NewNetworkFirewallClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}
+
+func (c *OciConnection) ContainerEngineClient(region string) (*containerengine.ContainerEngineClient, error) {
+	client, err := containerengine.NewContainerEngineClientWithConfigurationProvider(c.config)
+	if err != nil {
+		return nil, err
+	}
+	client.SetRegion(region)
+	return &client, nil
+}

providers/oci/go.mod

@@ -7,6 +7,7 @@ replace go.mondoo.com/mql/v13 => ../..
 require (
 	github.com/oracle/oci-go-sdk/v65 v65.109.3
 	github.com/rs/zerolog v1.34.0
+	github.com/stretchr/testify v1.11.1
 	go.mondoo.com/mql/v13 v13.2.0
 )
 
@@ -58,6 +59,7 @@ require (
 	github.com/cockroachdb/redact v1.1.8 // indirect
 	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
 	github.com/danieljoos/wincred v1.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dvsekhvalnov/jose2go v1.8.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.36.0 // indirect
@@ -116,6 +118,7 @@ require (
 	github.com/pjbgf/sha1cd v0.5.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
@@ -159,6 +162,7 @@ require (
 	google.golang.org/grpc v1.79.3 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	moul.io/http2curl v1.0.0 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )

providers/oci/resources/audit.go

@@ -0,0 +1,48 @@
+// Copyright (c) Mondoo, Inc.
+// SPDX-License-Identifier: BUSL-1.1
+
+package resources
+
+import (
+	"context"
+
+	"github.com/oracle/oci-go-sdk/v65/audit"
+	"github.com/oracle/oci-go-sdk/v65/common"
+	"go.mondoo.com/mql/v13/providers/oci/connection"
+)
+
+func (o *mqlOciAudit) id() (string, error) {
+	return "oci.audit", nil
+}
+
+func (o *mqlOciAudit) retentionPeriodDays() (int64, error) {
+	conn := o.MqlRuntime.Connection.(*connection.OciConnection)
+
+	// Audit configuration is tenancy-level; use home region
+	tenancy, err := conn.Tenant(context.Background())
+	if err != nil {
+		return 0, err
+	}
+
+	region := ""
+	if tenancy.HomeRegionKey != nil {
+		region = *tenancy.HomeRegionKey
+	}
+
+	client, err := conn.AuditClient(region)
+	if err != nil {
+		return 0, err
+	}
+
+	resp, err := client.GetConfiguration(context.Background(), audit.GetConfigurationRequest{
+		CompartmentId: common.String(conn.TenantID()),
+	})
+	if err != nil {
+		return 0, err
+	}
+
+	if resp.RetentionPeriodDays == nil {
+		return 0, nil
+	}
+	return int64(*resp.RetentionPeriodDays), nil
+}