feat: AWS serverless integration (#106)

* feat: added serveless integration for aws Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * feat: added aws serverless integration and GetClientIntegrationToken gql request Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: added documentation Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: variable name Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: update doc Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: lint errors Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: spelling Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> * fix: spelling Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com> --------- Signed-off-by: Matthias Theuermann <mtheuermann@infralovers.com>
mondoohq · Jul 29, 2024 · 6786c25 · 6786c25
1 parent dc0deba
commit 6786c25
Show file tree

Hide file tree

Showing 6 changed files with 743 additions and 2 deletions.
diff --git a/docs/resources/integration_aws_serverless.md b/docs/resources/integration_aws_serverless.md
@@ -0,0 +1,167 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "mondoo_integration_aws_serverless Resource - terraform-provider-mondoo"
+subcategory: ""
+description: |-
+  Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.
+---
+
+# mondoo_integration_aws_serverless (Resource)
+
+Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.
+
+## Example Usage
+
+```terraform
+variable "mondoo_org" {
+  description = "Mondoo Organization"
+  type        = string
+}
+
+variable "origin_aws_account" {
+  description = "Origin AWS Account"
+  type        = string
+  default     = "764453172858"
+}
+
+variable "aws_region" {
+  description = "AWS Region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "aws_account_id" {
+  description = "value of the AWS account ID"
+  type        = string
+}
+
+provider "mondoo" {
+  region = "us"
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+data "aws_region" "current" {}
+
+# Create a new space
+resource "mondoo_space" "my_space" {
+  name   = "AWS Terraform"
+  org_id = var.mondoo_org
+}
+
+# Setup the AWS integration
+resource "mondoo_integration_aws_serverless" "aws_serverless" {
+  space_id                      = mondoo_space.my_space.id
+  name                          = "AWS Integration"
+  region                        = data.aws_region.current.name
+  is_organization               = false
+  console_sign_in_trigger       = true
+  instance_state_change_trigger = true
+  account_ids                   = [var.aws_account_id]
+  scan_configuration = {
+    ec2_scan           = true
+    ecr_scan           = false
+    ecs_scan           = false
+    cron_scan_in_hours = 24
+    ec2_scan_options = {
+      ssm             = true
+      ebs_volume_scan = true
+      ebs_scan_options = {
+        target_instances_per_scanner = 5
+        max_asg_instances            = 10
+      }
+      instance_connect = false
+    }
+  }
+}
+
+# for single account deploys
+resource "aws_cloudformation_stack" "mondoo_stack" {
+  name         = "mondoo-stack"
+  template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
+    MondooToken          = mondoo_integration_aws_serverless.aws_serverless.token
+    OriginAwsAccount     = var.origin_aws_account
+  }
+}
+
+# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instead of aws_cloudformation_stack
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `name` (String) Name of the integration.
+- `region` (String) AWS region.
+- `scan_configuration` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration))
+- `space_id` (String) Mondoo Space Identifier.
+
+### Optional
+
+- `account_ids` (List of String) List of AWS account IDs.
+- `console_sign_in_trigger` (Boolean) Enable console sign in trigger.
+- `instance_state_change_trigger` (Boolean) Enable instance state change trigger.
+- `is_organization` (Boolean) Is organization.
+
+### Read-Only
+
+- `mrn` (String) Integration identifier
+- `token` (String) Integration token
+
+<a id="nestedatt--scan_configuration"></a>
+### Nested Schema for `scan_configuration`
+
+Required:
+
+- `ec2_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options))
+
+Optional:
+
+- `cron_scan_in_hours` (Number) Cron scan in hours.
+- `ec2_scan` (Boolean) Enable EC2 scan.
+- `ecr_scan` (Boolean) Enable ECR scan.
+- `ecs_scan` (Boolean) Enable ECS scan.
+- `event_scan_triggers` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--event_scan_triggers))
+
+<a id="nestedatt--scan_configuration--ec2_scan_options"></a>
+### Nested Schema for `scan_configuration.ec2_scan_options`
+
+Required:
+
+- `ebs_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options))
+
+Optional:
+
+- `ebs_volume_scan` (Boolean) Enable EBS volume scan.
+- `instance_connect` (Boolean) Enable instance connect.
+- `instance_ids_filter` (List of String) List of instance IDs filter.
+- `regions_filter` (List of String) List of regions filter.
+- `ssm` (Boolean) Enable SSM.
+- `tags_filter` (Map of String) Tags filter.
+
+<a id="nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options"></a>
+### Nested Schema for `scan_configuration.ec2_scan_options.ebs_scan_options`
+
+Optional:
+
+- `max_asg_instances` (Number) Max ASG instances.
+- `target_instances_per_scanner` (Number) Target instances per scanner.
+
+
+
+<a id="nestedatt--scan_configuration--event_scan_triggers"></a>
+### Nested Schema for `scan_configuration.event_scan_triggers`
+
+Optional:
+
+- `event_detail_type` (String) Event detail type.
+- `event_source` (String) Event source.
+- `scan_type` (String) Scan type.
diff --git a/examples/resources/mondoo_integration_aws_serverless/main.tf b/examples/resources/mondoo_integration_aws_serverless/main.tf
@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    mondoo = {
+      source  = "mondoohq/mondoo"
+      version = ">= 0.4.0"
+    }
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.50.0"
+    }
+  }
+}
diff --git a/examples/resources/mondoo_integration_aws_serverless/resource.tf b/examples/resources/mondoo_integration_aws_serverless/resource.tf
@@ -0,0 +1,79 @@
+variable "mondoo_org" {
+  description = "Mondoo Organization"
+  type        = string
+}
+
+variable "origin_aws_account" {
+  description = "Origin AWS Account"
+  type        = string
+  default     = "764453172858"
+}
+
+variable "aws_region" {
+  description = "AWS Region"
+  type        = string
+  default     = "us-east-1"
+}
+
+variable "aws_account_id" {
+  description = "value of the AWS account ID"
+  type        = string
+}
+
+provider "mondoo" {
+  region = "us"
+}
+
+provider "aws" {
+  region = var.aws_region
+}
+
+data "aws_region" "current" {}
+
+# Create a new space
+resource "mondoo_space" "my_space" {
+  name   = "AWS Terraform"
+  org_id = var.mondoo_org
+}
+
+# Setup the AWS integration
+resource "mondoo_integration_aws_serverless" "aws_serverless" {
+  space_id                      = mondoo_space.my_space.id
+  name                          = "AWS Integration"
+  region                        = data.aws_region.current.name
+  is_organization               = false
+  console_sign_in_trigger       = true
+  instance_state_change_trigger = true
+  account_ids                   = [var.aws_account_id]
+  scan_configuration = {
+    ec2_scan           = true
+    ecr_scan           = false
+    ecs_scan           = false
+    cron_scan_in_hours = 24
+    ec2_scan_options = {
+      ssm             = true
+      ebs_volume_scan = true
+      ebs_scan_options = {
+        target_instances_per_scanner = 5
+        max_asg_instances            = 10
+      }
+      instance_connect = false
+    }
+  }
+}
+
+# for single account deploys
+resource "aws_cloudformation_stack" "mondoo_stack" {
+  name         = "mondoo-stack"
+  template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
+    MondooToken          = mondoo_integration_aws_serverless.aws_serverless.token
+    OriginAwsAccount     = var.origin_aws_account
+  }
+}
+
+# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instead of aws_cloudformation_stack
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
diff --git a/internal/provider/gql.go b/internal/provider/gql.go
@@ -418,8 +418,9 @@ func (c *ExtendedGqlClient) DeletePolicy(ctx context.Context, policyMrn string)
 }
 
 type CreateClientIntegrationPayload struct {
-	Mrn  mondoov1.String
-	Name mondoov1.String
+	Mrn   mondoov1.String
+	Name  mondoov1.String
+	Token mondoov1.String
 }
 
 func (c *ExtendedGqlClient) CreateIntegration(ctx context.Context, spaceMrn, name string, typ mondoov1.ClientIntegrationType, opts mondoov1.ClientIntegrationConfigurationInput) (*CreateClientIntegrationPayload, error) {
@@ -448,6 +449,45 @@ func (c *ExtendedGqlClient) CreateIntegration(ctx context.Context, spaceMrn, nam
 	return &createMutation.CreateClientIntegration.Integration, nil
 }
 
+type GetClientIntegrationTokenInput struct {
+	mrn            mondoov1.String
+	longLivedToken mondoov1.Boolean
+}
+
+type ClientIntegrationToken struct {
+	Token mondoov1.String
+}
+
+func (c *ExtendedGqlClient) GetClientIntegrationToken(ctx context.Context, mrn string, longLivedToken bool) (*ClientIntegrationToken, error) {
+	// Define the response structure
+	var query struct {
+		ClientIntegrationToken ClientIntegrationToken `graphql:"getClientIntegrationToken(input: $input)"`
+	}
+
+	// Define the input variables
+	input := GetClientIntegrationTokenInput{
+		mrn:            mondoov1.String(mrn),
+		longLivedToken: mondoov1.Boolean(longLivedToken),
+	}
+	variables := map[string]interface{}{
+		"input": input,
+	}
+
+	// Trace the input variables for debugging
+	tflog.Trace(ctx, "GetClientIntegrationTokenInput", map[string]interface{}{
+		"input": fmt.Sprintf("%+v", input),
+	})
+
+	// Perform the GraphQL query
+	err := c.Query(ctx, &query, variables)
+	if err != nil {
+		return nil, err
+	}
+
+	// Return the token from the response
+	return &query.ClientIntegrationToken, nil
+}
+
 type UpdateIntegrationPayload struct {
 	Name mondoov1.String
 }