
Commit 6786c25

feat: AWS serverless integration (#106)
* feat: added serverless integration for aws Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * feat: added aws serverless integration and GetClientIntegrationToken gql request Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: added documentation Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: variable name Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: update doc Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: lint errors Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: spelling Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: spelling Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> --------- Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com>
1 parent dc0deba commit 6786c25

6 files changed

Lines changed: 743 additions & 2 deletions


Lines changed: 167 additions & 0 deletions
@@ -0,0 +1,167 @@
1+
---
2+
# generated by https://github.com/hashicorp/terraform-plugin-docs
3+
page_title: "mondoo_integration_aws_serverless Resource - terraform-provider-mondoo"
4+
subcategory: ""
5+
description: |-
6+
Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.
7+
---
8+
9+
# mondoo_integration_aws_serverless (Resource)
10+
11+
Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.
12+
13+
## Example Usage
14+
15+
```terraform
16+
variable "mondoo_org" {
17+
description = "Mondoo Organization"
18+
type = string
19+
}
20+
21+
variable "origin_aws_account" {
22+
description = "Origin AWS Account"
23+
type = string
24+
default = "764453172858"
25+
}
26+
27+
variable "aws_region" {
28+
description = "AWS Region"
29+
type = string
30+
default = "us-east-1"
31+
}
32+
33+
variable "aws_account_id" {
34+
description = "value of the AWS account ID"
35+
type = string
36+
}
37+
38+
provider "mondoo" {
39+
region = "us"
40+
}
41+
42+
provider "aws" {
43+
region = var.aws_region
44+
}
45+
46+
data "aws_region" "current" {}
47+
48+
# Create a new space
49+
resource "mondoo_space" "my_space" {
50+
name = "AWS Terraform"
51+
org_id = var.mondoo_org
52+
}
53+
54+
# Setup the AWS integration
55+
resource "mondoo_integration_aws_serverless" "aws_serverless" {
56+
space_id = mondoo_space.my_space.id
57+
name = "AWS Integration"
58+
region = data.aws_region.current.name
59+
is_organization = false
60+
console_sign_in_trigger = true
61+
instance_state_change_trigger = true
62+
account_ids = [var.aws_account_id]
63+
scan_configuration = {
64+
ec2_scan = true
65+
ecr_scan = false
66+
ecs_scan = false
67+
cron_scan_in_hours = 24
68+
ec2_scan_options = {
69+
ssm = true
70+
ebs_volume_scan = true
71+
ebs_scan_options = {
72+
target_instances_per_scanner = 5
73+
max_asg_instances = 10
74+
}
75+
instance_connect = false
76+
}
77+
}
78+
}
79+
80+
# for single account deploys
81+
resource "aws_cloudformation_stack" "mondoo_stack" {
82+
name = "mondoo-stack"
83+
template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
84+
capabilities = ["CAPABILITY_NAMED_IAM"]
85+
parameters = {
86+
MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
87+
MondooToken = mondoo_integration_aws_serverless.aws_serverless.token
88+
OriginAwsAccount = var.origin_aws_account
89+
}
90+
}
91+
92+
# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instead of aws_cloudformation_stack
93+
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
94+
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
95+
```
96+
97+
<!-- schema generated by tfplugindocs -->
98+
## Schema
99+
100+
### Required
101+
102+
- `name` (String) Name of the integration.
103+
- `region` (String) AWS region.
104+
- `scan_configuration` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration))
105+
- `space_id` (String) Mondoo Space Identifier.
106+
107+
### Optional
108+
109+
- `account_ids` (List of String) List of AWS account IDs.
110+
- `console_sign_in_trigger` (Boolean) Enable console sign in trigger.
111+
- `instance_state_change_trigger` (Boolean) Enable instance state change trigger.
112+
- `is_organization` (Boolean) Is organization.
113+
114+
### Read-Only
115+
116+
- `mrn` (String) Integration identifier
117+
- `token` (String) Integration token
118+
119+
<a id="nestedatt--scan_configuration"></a>
120+
### Nested Schema for `scan_configuration`
121+
122+
Required:
123+
124+
- `ec2_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options))
125+
126+
Optional:
127+
128+
- `cron_scan_in_hours` (Number) Cron scan in hours.
129+
- `ec2_scan` (Boolean) Enable EC2 scan.
130+
- `ecr_scan` (Boolean) Enable ECR scan.
131+
- `ecs_scan` (Boolean) Enable ECS scan.
132+
- `event_scan_triggers` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--event_scan_triggers))
133+
134+
<a id="nestedatt--scan_configuration--ec2_scan_options"></a>
135+
### Nested Schema for `scan_configuration.ec2_scan_options`
136+
137+
Required:
138+
139+
- `ebs_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options))
140+
141+
Optional:
142+
143+
- `ebs_volume_scan` (Boolean) Enable EBS volume scan.
144+
- `instance_connect` (Boolean) Enable instance connect.
145+
- `instance_ids_filter` (List of String) List of instance IDs filter.
146+
- `regions_filter` (List of String) List of regions filter.
147+
- `ssm` (Boolean) Enable SSM.
148+
- `tags_filter` (Map of String) Tags filter.
149+
150+
<a id="nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options"></a>
151+
### Nested Schema for `scan_configuration.ec2_scan_options.ebs_scan_options`
152+
153+
Optional:
154+
155+
- `max_asg_instances` (Number) Max ASG instances.
156+
- `target_instances_per_scanner` (Number) Target instances per scanner.
157+
158+
159+
160+
<a id="nestedatt--scan_configuration--event_scan_triggers"></a>
161+
### Nested Schema for `scan_configuration.event_scan_triggers`
162+
163+
Optional:
164+
165+
- `event_detail_type` (String) Event detail type.
166+
- `event_source` (String) Event source.
167+
- `scan_type` (String) Scan type.
Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
terraform {
2+
required_providers {
3+
mondoo = {
4+
source = "mondoohq/mondoo"
5+
version = ">= 0.4.0"
6+
}
7+
aws = {
8+
source = "hashicorp/aws"
9+
version = "5.50.0"
10+
}
11+
}
12+
}
Lines changed: 79 additions & 0 deletions
@@ -0,0 +1,79 @@
1+
variable "mondoo_org" {
2+
description = "Mondoo Organization"
3+
type = string
4+
}
5+
6+
variable "origin_aws_account" {
7+
description = "Origin AWS Account"
8+
type = string
9+
default = "764453172858"
10+
}
11+
12+
variable "aws_region" {
13+
description = "AWS Region"
14+
type = string
15+
default = "us-east-1"
16+
}
17+
18+
variable "aws_account_id" {
19+
description = "value of the AWS account ID"
20+
type = string
21+
}
22+
23+
provider "mondoo" {
24+
region = "us"
25+
}
26+
27+
provider "aws" {
28+
region = var.aws_region
29+
}
30+
31+
data "aws_region" "current" {}
32+
33+
# Create a new space
34+
resource "mondoo_space" "my_space" {
35+
name = "AWS Terraform"
36+
org_id = var.mondoo_org
37+
}
38+
39+
# Setup the AWS integration
40+
resource "mondoo_integration_aws_serverless" "aws_serverless" {
41+
space_id = mondoo_space.my_space.id
42+
name = "AWS Integration"
43+
region = data.aws_region.current.name
44+
is_organization = false
45+
console_sign_in_trigger = true
46+
instance_state_change_trigger = true
47+
account_ids = [var.aws_account_id]
48+
scan_configuration = {
49+
ec2_scan = true
50+
ecr_scan = false
51+
ecs_scan = false
52+
cron_scan_in_hours = 24
53+
ec2_scan_options = {
54+
ssm = true
55+
ebs_volume_scan = true
56+
ebs_scan_options = {
57+
target_instances_per_scanner = 5
58+
max_asg_instances = 10
59+
}
60+
instance_connect = false
61+
}
62+
}
63+
}
64+
65+
# for single account deploys
66+
resource "aws_cloudformation_stack" "mondoo_stack" {
67+
name = "mondoo-stack"
68+
template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
69+
capabilities = ["CAPABILITY_NAMED_IAM"]
70+
parameters = {
71+
MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
72+
MondooToken = mondoo_integration_aws_serverless.aws_serverless.token
73+
OriginAwsAccount = var.origin_aws_account
74+
}
75+
}
76+
77+
# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instead of aws_cloudformation_stack
78+
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
79+
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
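Review bot: The integration token from `mondoo_integration_aws_serverless.aws_serverless.token` is handed straight to the `MondooToken` stack parameter in `aws_cloudformation_stack.mondoo_stack`, and nothing in this example keeps it out of plan output, Terraform state or the CloudFormation console. The generated schema lists `token` as `(String)` with no `Sensitive` marker, which suggests the resource attribute is not flagged sensitive in the provider (that file is not in this chunk); if so, `terraform plan` prints it, and it is shown as a stack parameter unless the template declares it `NoEcho`. I would mark the attribute sensitive in the resource schema and put a comment above the parameter: `# MondooToken is a credential: it lands in Terraform state and, unless the template sets NoEcho, is visible as a stack parameter`. The `template_url` also fetches an IAM-creating template (`CAPABILITY_NAMED_IAM`) from a remote bucket at apply time with no version pin, and the default `origin_aws_account = "764453172858"` is presumably the account the created role trusts, so a comment naming whose account that is and asking the user to verify it before applying would help.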

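--- a/internal/provider/gql.go
+++ b/internal/provider/gql.go
@@ -418,8 +418,9 @@ func (c *ExtendedGqlClient) DeletePolicy(ctx context.Context, policyMrn string)
 }
 
 type CreateClientIntegrationPayload struct {
-	Mrn mondoov1.String
-	Name mondoov1.String
+	Mrn mondoov1.String
+	Name mondoov1.String
+	Token mondoov1.String
 }
 
 func (c *ExtendedGqlClient) CreateIntegration(ctx context.Context, spaceMrn, name string, typ mondoov1.ClientIntegrationType, opts mondoov1.ClientIntegrationConfigurationInput) (*CreateClientIntegrationPayload, error) {
@@ -448,6 +449,45 @@ func (c *ExtendedGqlClient) CreateIntegration(ctx context.Context, spaceMrn, nam
 	return &createMutation.CreateClientIntegration.Integration, nil
 }
 
+type GetClientIntegrationTokenInput struct {
+	mrn mondoov1.String
+	longLivedToken mondoov1.Boolean
+}
+
+type ClientIntegrationToken struct {
+	Token mondoov1.String
+}
+
+func (c *ExtendedGqlClient) GetClientIntegrationToken(ctx context.Context, mrn string, longLivedToken bool) (*ClientIntegrationToken, error) {
+	// Define the response structure
+	var query struct {
+		ClientIntegrationToken ClientIntegrationToken `graphql:"getClientIntegrationToken(input: $input)"`
+	}
+
+	// Define the input variables
+	input := GetClientIntegrationTokenInput{
+		mrn: mondoov1.String(mrn),
+		longLivedToken: mondoov1.Boolean(longLivedToken),
+	}
+	variables := map[string]interface{}{
+		"input": input,
+	}
+
+	// Trace the input variables for debugging
+	tflog.Trace(ctx, "GetClientIntegrationTokenInput", map[string]interface{}{
+		"input": fmt.Sprintf("%+v", input),
+	})
+
+	// Perform the GraphQL query
+	err := c.Query(ctx, &query, variables)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return the token from the response
+	return &query.ClientIntegrationToken, nil
+}
+
 type UpdateIntegrationPayload struct {
 	Name mondoov1.String
 }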
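Review bot: `GetClientIntegrationTokenInput` declares `mrn` and `longLivedToken` unexported, so if the client serializes GraphQL variables with encoding/json — which the shurcooL/hasura-style `graphql:` tags suggest — both fields are dropped and the server receives an empty `input` object. Export them and pin the wire names, `Mrn mondoov1.String` with a `json:"mrn"` tag and `LongLivedToken mondoov1.Boolean` with a `json:"longLivedToken"` tag, and use those names in the struct literal inside `GetClientIntegrationToken`. The error from `c.Query` is returned bare; `return nil, fmt.Errorf("getClientIntegrationToken %s: %w", mrn, err)` would tell the user which integration the token request failed for. The `tflog.Trace` call logs only the mrn and the boolean, not the returned token, which is correct; a doc comment on the exported function should state that the returned `Token` is a credential and must not be logged or traced.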
