cmd

package
Published: Aug 30, 2022 License: Apache-2.0 Imports: 73 Imported by: 0


Overview

Author:: Salim Afiune Maya (<afiune@lacework.net>) Copyright:: Copyright 2020, Lacework Inc. License:: Apache License, Version 2.0

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

// DisableTelemetry is an environment variable that can be used to
// disable the telemetry sent to Honeycomb.
const DisableTelemetry = "LW_TELEMETRY_DISABLE"

// HomebrewInstall is an environment variable that denotes the CLI
// was installed via the Homebrew package manager.
const HomebrewInstall = "LW_HOMEBREW_INSTALL"

// ChocolateyInstall is an environment variable that denotes the CLI
// was installed via the Chocolatey package manager.
const ChocolateyInstall = "LW_CHOCOLATEY_INSTALL"
// AlasRegex matches advisory identifiers of the form ALAS-YYYY-NNN or
// ALAS2-YYYY-NNN (presumably Amazon Linux security advisories), case
// insensitively. The pattern is unanchored, so it also finds an
// identifier embedded in a longer string.
const AlasRegex = "(?i)ALAS(2?)-\\d{4}-\\d{3,7}"
// AzureCloudEnv is the environment variable whose presence is used to
// detect that the CLI is running inside Azure Cloud Shell.
const AzureCloudEnv = "POWERSHELL_DISTRIBUTION_CHANNEL"

Environment variables found in GCP, AWS and Azure Cloud Shell, used to determine whether the CLI is running in a Cloud Shell.

// ConfigBackupDir is the name of the directory in which configuration
// files are backed up before they are migrated.
const ConfigBackupDir = `cfg_backups`

The name of the directory in which backups of configuration files are stored before they are migrated.

// CveRegex matches CVE identifiers (CVE-YYYY-NNNN, with four to seven
// digits in the sequence number), case insensitively. The pattern is
// unanchored, so it also finds an identifier embedded in a longer string.
const CveRegex = "(?i)CVE-\\d{4}-\\d{4,7}"
// MaxCacheSize is the upper bound on the cache size, in bytes (1 GiB).
// How the bound is enforced is not visible here.
const MaxCacheSize = 1 << 30

Variables

// QuestionRunTfPlan is the prompt shown before a Terraform plan is run.
var QuestionRunTfPlan = "Run Terraform plan now?"

// QuestionUsePreviousCache is the prompt shown when a previous IaC
// generation was detected and cached answers could be reloaded.
var QuestionUsePreviousCache = "Previous IaC generation detected, load cached values?"
var (
	// Define question text here so they can be reused in testing.
	//
	// The strings below are the prompts of the interactive AWS Terraform
	// generation flow; the code that asks them is not shown here.
	//
	// Security-relevant notes for reviewers:
	//   - QuestionExistingIamRoleExtID collects an external ID, which acts
	//     as a shared secret in the role's trust policy; treat the answer
	//     as sensitive wherever it is stored, cached or logged.
	//   - AwsRegionRegex, AwsProfileRegex and ValidateSubAccountFlagRegex
	//     carry no ^/$ anchors, so on their own they accept any input that
	//     merely contains a matching substring. Whether the caller anchors
	//     them before validating is not visible here — confirm.
	//   - CachedAwsAssetIacParams / CachedAssetAwsExtraState name the cache
	//     entries under which answers are persisted between runs
	//     (presumably via the on-disk cache; see CacheTransform).
	QuestionAwsEnableConfig             = "Enable configuration integration?"
	QuestionCustomizeConfigName         = "Customize Config integration name?"
	QuestionConfigName                  = "Specify name of config integration (optional)"
	QuestionEnableCloudtrail            = "Enable CloudTrail integration?"
	QuestionCloudtrailName              = "Specify name of cloudtrail integration (optional)"
	QuestionAwsRegion                   = "Specify the AWS region to be used by CloudTrail, SNS, and S3:"
	QuestionConsolidatedCloudtrail      = "Use consolidated CloudTrail?"
	QuestionUseExistingCloudtrail       = "Use an existing CloudTrail?"
	QuestionCloudtrailExistingBucketArn = "Specify an existing bucket ARN used for CloudTrail logs:"
	QuestionForceDestroyS3Bucket        = "Should the new S3 bucket have force destroy enabled?"
	QuestionExistingIamRoleName         = "Specify an existing IAM role name for CloudTrail access:"
	QuestionExistingIamRoleArn          = "Specify an existing IAM role ARN for CloudTrail access:"
	QuestionExistingIamRoleExtID        = "Specify the external ID to be used with the existing IAM role:"
	QuestionPrimaryAwsAccountProfile    = "Before adding sub-accounts, your primary AWS account profile name must be set;" +
		" which profile should the main account use?"
	QuestionSubAccountProfileName      = "Supply the profile name for this additional AWS account:"
	QuestionSubAccountRegion           = "What region should be used for this account?"
	QuestionSubAccountAddMore          = "Add another AWS account?"
	QuestionSubAccountReplace          = "Currently configured AWS sub-accounts: %s, replace?"
	QuestionAwsConfigAdvanced          = "Configure advanced integration options?"
	QuestionAwsAnotherAdvancedOpt      = "Configure another advanced integration option"
	QuestionAwsCustomizeOutputLocation = "Provide the location for the output to be written:"

	// S3 Bucket Questions
	QuestionBucketEnableEncryption = "Enable S3 bucket encryption when creating bucket"
	QuestionBucketSseKeyArn        = "Specify existing KMS encryption key arn for S3 bucket (optional)"
	QuestionBucketName             = "Specify name when creating S3 bucket (optional)"

	// SNS Topic Questions
	QuestionsUseExistingSNSTopic = "Use an existing SNS topic?"
	QuestionSnsTopicArn          = "Specify existing SNS topic arn"
	QuestionSnsEnableEncryption  = "Enable encryption on SNS topic when creating?"
	QuestionSnsEncryptionKeyArn  = "Specify existing KMS encryption key arn for SNS topic (optional)"
	QuestionSnsTopicName         = "Specify SNS topic name if creating new one (optional)"

	// SQS Queue Questions
	QuestionSqsEnableEncryption = "Enable encryption on SQS queue when creating"
	QuestionSqsEncryptionKeyArn = "Specify existing KMS encryption key arn for SQS queue (optional)"
	QuestionSqsQueueName        = "Specify SQS queue name when creating (optional)"

	// select options (labels of the "advanced options" menu)
	AwsAdvancedOptDone     = "Done"
	AdvancedOptCloudTrail  = "Additional CloudTrail options"
	AdvancedOptIamRole     = "Configure Lacework integration with an existing IAM role"
	AdvancedOptAwsAccounts = "Add additional AWS Accounts to Lacework"
	AwsAdvancedOptLocation = "Customize output location"

	// AwsArnRegex original source: https://regex101.com/r/pOfxYN/1
	//
	// NOTE: the documentation renderer elides the 154-byte literal below;
	// consult the source file for the actual pattern.
	AwsArnRegex = `` /* 154-byte string literal not displayed */
	// AwsRegionRegex regex used for validating region input; note intentionally does not match gov cloud
	// (unanchored — see the block comment above).
	AwsRegionRegex  = `(us|ap|ca|cn|eu|sa)-(central|(north|south)?(east|west)?)-\d`
	// AwsProfileRegex matches one or more of [A-Za-z_0-9-] (unanchored).
	AwsProfileRegex = `([A-Za-z_0-9-]+)`

	// Shared mutable state filled in by the prompts; pointers so that the
	// survey code can write into them.
	GenerateAwsCommandState      = &aws.GenerateAwsTfConfigurationArgs{}
	GenerateAwsExistingRoleState = &aws.ExistingIamRoleDetails{}
	GenerateAwsCommandExtraState = &AwsGenerateCommandExtraState{}
	// ValidateSubAccountFlagRegex is "<profile>:<region>", built from the
	// two regexes above (and therefore unanchored like them).
	ValidateSubAccountFlagRegex  = fmt.Sprintf(`%s:%s`, AwsProfileRegex, AwsRegionRegex)
	CachedAwsAssetIacParams      = "iac-aws-generate-params"
	CachedAssetAwsExtraState     = "iac-aws-extra-state"
)
var (
	// Define question text here so they can be reused in testing.
	//
	// The strings below are the prompts of the interactive Azure Terraform
	// generation flow; the code that asks them is not shown here.
	//
	// NOTE(review): QuestionADApplicationPass collects a credential. The
	// answers of this flow are persisted under CachedAzureAssetIacParams /
	// CachedAzureAssetExtraState (presumably on disk via the CLI cache);
	// confirm that the application password is not written to that cache
	// or to the telemetry/log output.
	QuestionAzureEnableConfig = "Enable Azure configuration integration?"
	QuestionAzureConfigName   = "Specify custom configuration integration name: (optional)"
	QuestionEnableActivityLog = "Enable Azure Activity Log Integration?"
	QuestionActivityLogName   = "Specify custom Activity Log integration name: (optional)"

	QuestionAzureAnotherAdvancedOpt      = "Configure another advanced integration option"
	QuestionAzureConfigAdvanced          = "Configure advanced integration options?"
	QuestionAzureCustomizeOutputLocation = "Provide the location for the output to be written:"

	// Active Directory
	// (identifier spelling "Princple" is exported API and kept as is)
	QuestionEnableAdIntegration = "Create Active Directory Integration?"
	QuestionADApplicationPass   = "Specify the password of an existing Active Directory application"
	QuestionADApplicationId     = "Specify the ID of an existing Active Directory application"
	QuestionADServicePrincpleId = "Specify the Service Principle ID of an existing Active Directory application"

	// Storage Account
	QuestionUseExistingStorageAccount   = "Use an existing Storage Account?"
	QuestionAzureRegion                 = "Specify the Azure region to be used by Storage Account logging"
	QuestionStorageAccountName          = "Specify existing Storage Account name"
	QuestionStorageAccountResourceGroup = "Specify existing Storage Account Resource Group"

	QuestionStorageLocation = "Specify Azure region where Storage Account for logging resides "

	// Subscriptions
	QuestionEnableAllSubscriptions = "Enable all subscriptions?"
	QuestionSubscriptionIds        = "Specify list of subscription ids to enable logging"

	// Management Group
	QuestionEnableManagementGroup = "Enable Management Group level Integration?"
	QuestionManagementGroupId     = "Specify Management Group ID"

	// Select options (labels of the "advanced options" menu; the
	// misspelled identifiers are exported API and kept as is)
	AzureAdvancedOptDone       = "Done"
	AdvancedAdIntegration      = "Configure Lacework integration with an existing Active Directory (optional)"
	AzureExistingStorageAcount = "Configure Storage Account (optional)"
	AzureSubscriptions         = "Configure Subscriptions (optional)"
	AzureManagmentGroup        = "Configure Management Group (optional)"
	AzureStorageGroup          = "Configure Storage Group (optional)"
	AzureUserIntegrationNames  = "Customize integration name(s)"
	AzureAdvancedOptLocation   = "Customize output location (optional)"
	AzureRegionStorage         = "Customize Azure region for Storage Account (optional)"

	// Shared mutable state filled in by the prompts, plus the cache keys
	// under which it is persisted between runs.
	GenerateAzureCommandState      = &azure.GenerateAzureTfConfigurationArgs{}
	GenerateAzureCommandExtraState = &AzureGenerateCommandExtraState{}
	CachedAzureAssetIacParams      = "iac-azure-generate-params"
	CachedAzureAssetExtraState     = "iac-azure-extra-state"
)
var (
	// Define question text here to be reused in testing.
	//
	// The strings below are the prompts of the interactive GCP Terraform
	// generation flow; the code that asks them is not shown here.
	//
	// NOTE(review): QuestionExistingServiceAccountPrivateKey collects a
	// base64-encoded private key and QuestionGcpServiceAccountCredsPath a
	// path to credentials JSON. The answers of this flow are persisted
	// under CachedGcpAssetIacParams / CachedAssetGcpExtraState (presumably
	// on disk via the CLI cache); confirm that the key material is not
	// written to that cache or to the telemetry/log output.
	QuestionGcpEnableConfiguration     = "Enable configuration integration?"
	QuestionGcpEnableAuditLog          = "Enable Audit Log integration?"
	QuestionGcpOrganizationIntegration = "Organization integration?"
	QuestionGcpOrganizationID          = "Specify the GCP organization ID:"
	QuestionGcpProjectID               = "Specify the project ID to be used to provision Lacework resources:"
	QuestionGcpServiceAccountCredsPath = "Specify service account credentials JSON path: (optional)"

	QuestionGcpConfigureAdvanced             = "Configure advanced integration options?"
	GcpAdvancedOptExistingServiceAccount     = "Configure & use existing service account"
	QuestionExistingServiceAccountName       = "Specify an existing service account name:"
	QuestionExistingServiceAccountPrivateKey = "Specify an existing service account private key (base64 encoded):"

	GcpAdvancedOptAuditLog              = "Configure additional Audit Log options"
	QuestionGcpUseExistingBucket        = "Use an existing bucket?"
	QuestionGcpExistingBucketName       = "Specify an existing bucket name:"
	QuestionGcpConfigureNewBucket       = "Configure settings for new bucket?"
	QuestionGcpBucketName               = "Specify new bucket name: (optional)"
	QuestionGcpBucketRegion             = "Specify the bucket region: (optional)"
	QuestionGcpBucketLocation           = "Specify the bucket location: (optional)"
	QuestionGcpBucketRetention          = "Specify the bucket retention days: (optional)"
	QuestionGcpBucketLifecycle          = "Specify the bucket lifecycle rule age: (optional)"
	QuestionGcpEnableUBLA               = "Enable uniform bucket level access(UBLA)?"
	QuestionGcpEnableBucketForceDestroy = "Enable bucket force destroy?"
	QuestionGcpUseExistingSink          = "Use an existing sink?"
	QuestionGcpExistingSinkName         = "Specify the existing sink name"

	GcpAdvancedOptIntegrationName           = "Customize integration name(s)"
	QuestionGcpConfigurationIntegrationName = "Specify a custom configuration integration name: (optional)"
	QuestionGcpAuditLogIntegrationName      = "Specify a custom Audit Log integration name: (optional)"

	QuestionGcpAnotherAdvancedOpt      = "Configure another advanced integration option"
	GcpAdvancedOptLocation             = "Customize output location"
	QuestionGcpCustomizeOutputLocation = "Provide the location for the output to be written:"
	GcpAdvancedOptDone                 = "Done"

	// GcpRegionRegex regex used for validating region input.
	// The pattern carries no ^/$ anchors, so on its own it accepts any
	// input that merely contains a region-like substring; whether the
	// caller anchors it before validating is not visible here — confirm.
	GcpRegionRegex = `(asia|australia|europe|northamerica|southamerica|us)-(central|(north|south)?(east|west)?)\d`

	// Shared mutable state filled in by the prompts, plus the cache keys
	// under which it is persisted between runs.
	GenerateGcpCommandState                  = &gcp.GenerateGcpTfConfigurationArgs{}
	GenerateGcpExistingServiceAccountDetails = &gcp.ExistingServiceAccountDetails{}
	GenerateGcpCommandExtraState             = &GcpGenerateCommandExtraState{}
	CachedGcpAssetIacParams                  = "iac-gcp-generate-params"
	CachedAssetGcpExtraState                 = "iac-gcp-extra-state"
)
// HoneyApiKey is injected at build time via the cross-platform directive
// inside the Makefile. It is the key used to send events to Honeycomb so
// that Lacework can understand how customers use the CLI. The default
// "unknown" is what an unpatched (e.g. local) build carries.
var HoneyApiKey = "unknown"

// HoneyDataset is the Honeycomb dataset that tracing data is sent to. It
// is set depending on the environment the CLI runs in; during development
// all events and tracing data go to this default dataset.
var HoneyDataset = "lacework-cli-dev"
// The three "unknown" variables below are injected at build time via the
// cross-platform directive inside the Makefile; the defaults are what an
// unpatched (e.g. local) build carries.

// Version is the semver coming from the VERSION file.
var Version = "unknown"

// GitSHA is the git ref that the CLI was built from.
var GitSHA = "unknown"

// BuildTime is a human-readable time when the CLI was built.
var BuildTime = "unknown"

// VersionCacheFile is the name of the version cache file needed for the
// daily version checks.
var VersionCacheFile = "version_cache"
// RecommendationIDRegex matches a recommendation ID: one or more upper-case
// letters, then any mix of upper-case letters and underscores, then an
// optional run of digits. It is anchored at the start (^) only, so trailing
// characters after the match are not rejected by the pattern itself.
var RecommendationIDRegex = `^[A-Z]+[A-Z_]*[0-9]*`
// SupportedPackageManagers lists the package-manager binaries the CLI knows
// how to query for installed packages, in the order they are tried.
// @afiune can we support yum and apk?
var SupportedPackageManagers = []string{
	"dpkg-query",
	"rpm",
}

Functions

func CacheTransform added in v0.10.0

func CacheTransform(key string) *diskv.PathKey

func DisplayTerraformPlanChanges added in v0.23.0

func DisplayTerraformPlanChanges(tf *tfexec.Terraform, data TfPlanChangesSummary) (bool, error)

DisplayTerraformPlanChanges is used to display the results of a plan.

It returns true if apply should run, false to exit.

func Execute

func Execute() (err error)

Execute adds all child commands to the root command and sets flags appropriately. This is called by main.main(). It only needs to happen once to the rootCmd.

func GenerateMarkdownDocs added in v0.2.4

func GenerateMarkdownDocs(location string) error

func InverseCacheTransform added in v0.10.0

func InverseCacheTransform(pathKey *diskv.PathKey) string

func IsDefault added in v0.15.0

func IsDefault(isDefault int) string

func LocateOrInstallTerraform added in v0.23.0

func LocateOrInstallTerraform(forceInstall bool, workingDir string) (*tfexec.Terraform, error)

LocateOrInstallTerraform determines whether terraform is installed and whether that version is new enough; if not, it installs a new ephemeral binary of the correct version into a tmp location.

forceInstall: if set, always install the ephemeral binary.

func NewDefaultState added in v0.1.3

func NewDefaultState() *cliState

NewDefaultState creates a new cliState with some defaults

func NewQueryFailonError added in v0.36.0

func NewQueryFailonError(failonCount string, count int) *queryFailonError

func NewVulnerabilityPolicyError added in v0.4.0

func NewVulnerabilityPolicyError(
	assessment api.VulnerabilityAssessment,
	failOnSeverity string, failOnFixable bool,
) *vulnerabilityPolicyError

func SurveyMultipleQuestionWithValidation added in v0.23.0

func SurveyMultipleQuestionWithValidation(questions []SurveyQuestionWithValidationArgs, checks ...bool) error

SurveyMultipleQuestionWithValidation prompts for many values at once.

checks: if the supplied check(s) are true, the questions will be asked.

func SurveyQuestionInteractiveOnly added in v0.23.0

func SurveyQuestionInteractiveOnly(question SurveyQuestionWithValidationArgs) error

SurveyQuestionInteractiveOnly prompts the user with a question, but only if the CLI is in interactive mode.

func TerraformExecApply added in v0.23.0

func TerraformExecApply(tf *tfexec.Terraform) error

TerraformExecApply runs terraform apply using the workingDir from *tfexec.Terraform.

- Run plan - Get plan file details (returned)

func TerraformExecutePreRunCheck added in v0.23.0

func TerraformExecutePreRunCheck(outputLocation string, cloud string) (bool, error)

func TerraformInit added in v0.23.0

func TerraformInit(tf *tfexec.Terraform) error

func TerraformPlanAndExecute added in v0.23.0

func TerraformPlanAndExecute(workingDir string) error

Runs a terraform plan and then executes it.

Types

type AwsGenerateCommandExtraState added in v0.23.0

// AwsGenerateCommandExtraState holds the answers of the AWS Terraform
// generation prompts that are not part of the Terraform module arguments
// themselves. It is persisted between runs under CachedAssetAwsExtraState
// (the persisting code is not shown here). Field-to-prompt mapping below is
// inferred from the names — confirm against the survey code.
type AwsGenerateCommandExtraState struct {
	Output                string   // location the generated Terraform is written to
	UseExistingCloudtrail bool     // reuse an existing CloudTrail instead of creating one
	UseExistingSNSTopic   bool     // reuse an existing SNS topic instead of creating one
	AwsSubAccounts        []string // additional "<profile>:<region>" entries (see ValidateSubAccountFlagRegex)
	TerraformApply        bool     // run terraform apply after generating
}

type AzureGenerateCommandExtraState added in v0.30.0

// AzureGenerateCommandExtraState holds the answers of the Azure Terraform
// generation prompts that are not part of the Terraform module arguments
// themselves. It is persisted between runs under CachedAzureAssetExtraState
// (the persisting code is not shown here).
type AzureGenerateCommandExtraState struct {
	Output         string // location the generated Terraform is written to
	TerraformApply bool   // run terraform apply after generating
}

type CmdFilters added in v0.25.0

// CmdFilters stores the list of available filters of a CLI command; the
// list is populated by GetFiltersFrom.
type CmdFilters struct {
	Filters []string // available filter keys
}

Used to store the list of available filters of a CLI command, e.g. to get the available filters for a cobra.Command.Long:

```go
dummyCmdState = struct {
    // The available filters
    AvailableFilters CmdFilters

    // List of filters to apply
    Filters []string
}{}

dummyCmdState := &cobra.Command{
    Long: `The available keys for this command are:

` + stringSliceToMarkdownList(
        dummyCmdState.AvailableFilters.GetFiltersFrom(
            api.MachineDetailEntity{},
        ),
    ),
}
```

func (*CmdFilters) GetFiltersFrom added in v0.25.0

func (f *CmdFilters) GetFiltersFrom(T interface{}) []string

type GcpGenerateCommandExtraState added in v0.28.0

// GcpGenerateCommandExtraState holds the answers of the GCP Terraform
// generation prompts that are not part of the Terraform module arguments
// themselves. It is persisted between runs under CachedAssetGcpExtraState
// (the persisting code is not shown here). Field-to-prompt mapping below is
// inferred from the names — confirm against the survey code.
type GcpGenerateCommandExtraState struct {
	AskAdvanced                bool   // whether the advanced-options menu was requested
	Output                     string // location the generated Terraform is written to
	ConfigureNewBucketSettings bool   // configure settings for a new bucket
	UseExistingServiceAccount  bool   // reuse an existing service account
	UseExistingBucket          bool   // reuse an existing bucket
	UseExistingSink            bool   // reuse an existing log sink
	TerraformApply             bool   // run terraform apply after generating
}

type Honeyvent added in v0.2.12

// Honeyvent defines what a Honeycomb event looks like for the Lacework CLI.
// It is serialised with the json tags below; the code that fills and sends
// it is not shown here.
//
// NOTE(review): several fields carry data that may be sensitive once it
// leaves the host — ApiKey (tagged "api_key"), Account/Subaccount/Profile,
// and Args/Flags (which hold the raw command line, including any secret a
// user passed as an argument), plus Error (which may embed server
// responses). Confirm that these values are redacted, truncated or hashed
// before the event is emitted, and that DisableTelemetry is honoured.
type Honeyvent struct {
	Version       string      `json:"version"`                 // CLI version
	CfgVersion    int         `json:"config_version"`          // configuration file version
	Os            string      `json:"os"`                      // host operating system
	Arch          string      `json:"arch"`                    // host architecture
	Command       string      `json:"command,omitempty"`       // command that was run
	Args          []string    `json:"args,omitempty"`          // positional arguments
	Flags         []string    `json:"flags,omitempty"`         // flags that were passed
	Account       string      `json:"account,omitempty"`       // Lacework account
	Subaccount    string      `json:"subaccount,omitempty"`    // Lacework sub-account
	Profile       string      `json:"profile,omitempty"`       // CLI profile in use
	ApiKey        string      `json:"api_key,omitempty"`       // see the NOTE above
	Feature       string      `json:"feature,omitempty"`       // feature name (see AddFeatureField)
	FeatureData   interface{} `json:"feature.data,omitempty"`  // feature-specific payload
	DurationMs    int64       `json:"duration_ms,omitempty"`   // command duration in milliseconds
	Error         string      `json:"error,omitempty"`         // error message, if any
	InstallMethod string      `json:"install_method,omitempty"` // e.g. derived from HomebrewInstall / ChocolateyInstall (presumably)

	// tracing data for multiple events, this is useful for specific features
	// within the Lacework CLI such as daily version check, polling mechanism, etc.
	TraceID  string `json:"trace.trace_id,omitempty"`
	SpanID   string `json:"trace.span_id,omitempty"`
	ParentID string `json:"trace.parent_id,omitempty"`
}

Honeyvent defines what a Honeycomb event looks like for the Lacework CLI

func (*Honeyvent) AddFeatureField added in v0.2.13

func (e *Honeyvent) AddFeatureField(key string, value interface{})

type LCLContentType added in v0.36.0

// LCLContentType identifies the kind of content a Lacework Content Library
// (LCL) entry holds: a query or a policy.
type LCLContentType string

// LCLQueryType marks LCL content that is a query.
const LCLQueryType LCLContentType = "query"

// LCLPolicyType marks LCL content that is a policy.
const LCLPolicyType LCLContentType = "policy"

type LCLPolicy added in v0.36.0

// LCLPolicy is a policy entry of the Lacework Content Library as decoded
// from the library's JSON index.
type LCLPolicy struct {
	PolicyID    string         `json:"policyId"`    // policy identifier
	Title       string         `json:"title"`       // human-readable title
	Description string         `json:"description"` // human-readable description
	Tags        []string       `json:"tags"`        // tags the policy is filed under (see GetPoliciesByTag)
	QueryID     string         `json:"queryId"`     // identifier of the query the policy evaluates
	References  []LCLReference `json:"references"`  // locations of the policy's content files
}

type LCLQuery added in v0.36.0

// LCLQuery is a query entry of the Lacework Content Library as decoded
// from the library's JSON index.
type LCLQuery struct {
	References []LCLReference `json:"references"` // locations of the query's content files
}

type LCLReference added in v0.36.0

// LCLReference points at one content file of the Lacework Content Library.
// Which of Path and URI is used, and whether Path is constrained to the
// component's own directory, is not visible here — anything that resolves
// Path should treat it as untrusted library input and confirm it cannot
// escape the intended base directory.
type LCLReference struct {
	ID   string         `json:"id"`           // identifier of the referenced query/policy
	Type LCLContentType `json:"content_type"` // LCLQueryType or LCLPolicyType
	Path string         `json:"path"`         // path of the content file
	URI  string         `json:"uri"`          // URI of the content
}

type LaceworkContentLibrary added in v0.36.0

// LaceworkContentLibrary is the in-memory view of the Lacework Content
// Library component: its queries and policies keyed by ID, and the policy
// IDs grouped by tag. Note that Component has no json tag, so if this
// struct is ever marshalled the pointer is emitted under the key
// "Component".
type LaceworkContentLibrary struct {
	Component  *lwcomponent.Component
	Queries    map[string]LCLQuery  `json:"queries"`     // query ID -> query
	Policies   map[string]LCLPolicy `json:"policies"`    // policy ID -> policy
	PolicyTags map[string][]string  `json:"policy_tags"` // tag -> policy IDs
}

func (*LaceworkContentLibrary) GetPoliciesByTag added in v0.36.0

func (lcl *LaceworkContentLibrary) GetPoliciesByTag(t string) map[string]LCLPolicy

func (*LaceworkContentLibrary) GetPolicy added in v0.36.0

func (lcl *LaceworkContentLibrary) GetPolicy(id string) (string, error)

func (*LaceworkContentLibrary) GetQuery added in v0.36.0

func (lcl *LaceworkContentLibrary) GetQuery(id string) (string, error)

type OS added in v0.2.3

// OS identifies an operating system by name and version (e.g. as reported
// by the host when collecting package information).
type OS struct {
	Name    string // distribution / OS name
	Version string // OS version string
}

type PolicySyncOperation added in v0.36.0

// PolicySyncOperation describes one action of a policy sync: the content
// item it applies to, the kind of content, and the operation to perform.
// The set of valid Operation / ContentType values is not visible here.
type PolicySyncOperation struct {
	ID          string // identifier of the query or policy
	ContentType string // kind of content (compare LCLContentType)
	Operation   string // operation to perform
}

type SurveyQuestionWithValidationArgs added in v0.23.0

// SurveyQuestionWithValidationArgs describes one interactive question for
// SurveyMultipleQuestionWithValidation / SurveyQuestionInteractiveOnly.
type SurveyQuestionWithValidationArgs struct {
	Prompt survey.Prompt // the prompt to show
	// Supplied checks can be used to validate IF the question should be asked
	Checks   []*bool
	Response interface{}     // destination the answer is written into
	Opts     []survey.AskOpt // extra survey options (e.g. validators)
	Required bool            // whether an answer must be given
}

type TfPlanChangesSummary added in v0.24.0

// TfPlanChangesSummary summarises the changes of a terraform plan. It is
// produced by TerraformExecPlan and consumed by DisplayTerraformPlanChanges;
// its fields are unexported and therefore not shown in this listing.
type TfPlanChangesSummary struct {
	// contains filtered or unexported fields
}

func TerraformExecPlan added in v0.23.0

func TerraformExecPlan(tf *tfexec.Terraform) (*TfPlanChangesSummary, error)

TerraformExecPlan runs terraform plan using the workingDir from *tfexec.Terraform.

- Run plan - Get plan file details (returned)
