service

package
Published: Nov 2, 2025 License: MIT Imports: 22 Imported by: 0

Documentation


Constants

// BatchKMSValidationFailedTemplate is the message used when a KMS key fails
// validation for a batch operation. Placeholders, in order: key identifier,
// region, config rule name, wrapped error.
const BatchKMSValidationFailedTemplate = "failed to validate KMS key '%s' for batch operation in region '%s' (config rule: %s): %w"

// BatchContextInitFailedTemplate is the message used when a batch remediation
// context cannot be built. Placeholders, in order: config rule name, region,
// wrapped error.
const BatchContextInitFailedTemplate = "failed to initialize batch remediation context for config rule '%s' in region '%s': %w"

// KMSKeyNotValidatedTemplate is the message used when a batch tries to use a
// key that never passed validation. Placeholders, in order: key identifier,
// region, config rule name, wrapped error.
//
// All three templates end in %w, so they must be expanded with fmt.Errorf
// (fmt.Sprintf would render the verb as "%!w") and the underlying cause stays
// reachable through errors.Is / errors.As.
const KMSKeyNotValidatedTemplate = "KMS key '%s' not validated for batch operation in region '%s' (config rule: %s): %w"

Batch error message templates for consistent and descriptive error reporting

const (
	// Encryption audit actions
	AuditActionEncryptionStart   = "encryption_start"
	AuditActionEncryptionSuccess = "encryption_success"
	AuditActionEncryptionFailed  = "encryption_failed"
	AuditActionEncryptionDryRun  = "encryption_dry_run"

	// Key validation audit actions
	AuditActionKeyValidationSuccess = "key_validation_success"
	AuditActionKeyValidationFailed  = "key_validation_failed"
	AuditActionCrossRegionKeyUsage  = "cross_region_key_usage"

	// Policy validation audit actions
	AuditActionPolicyValidationSuccess = "policy_validation_success"
	AuditActionPolicyValidationWarning = "policy_validation_warning"

	// Comprehensive validation audit actions
	AuditActionComprehensiveKMSValidation = "comprehensive_kms_validation"

	// Failure reason constants
	FailureReasonKeyNotFound      = "key_not_found"
	FailureReasonAccessDenied     = "access_denied"
	FailureReasonGeneralError     = "general_error"
	FailureReasonInvalidMetadata  = "invalid_metadata"
	FailureReasonMissingKeyID     = "missing_key_id"
	FailureReasonMissingKeyARN    = "missing_key_arn"
	FailureReasonUnusableKeyState = "unusable_key_state"

	// Failure stage constants
	FailureStageKeyValidation    = "key_validation"
	FailureStagePolicyValidation = "policy_validation"
	FailureStageKeyAssociation   = "key_association"

	// Retry logic constants
	MaxExponentialBackoffAttempts = 10   // Maximum attempts before capping multiplier to prevent overflow
	MaxBackoffMultiplier          = 1024 // 2^10, maximum multiplier for exponential backoff
)

Audit action constants for consistent logging and compliance tracking

// DefaultBatchSize is the default number of resources processed in parallel
// during a batch remediation when the caller does not supply its own limit.
const DefaultBatchSize = 10

Batch processing constants

Variables

This section is empty.

Functions

func GetSharedBuffer

func GetSharedBuffer() []byte

GetSharedBuffer gets a shared buffer for string operations

func OptimizeMemory

func OptimizeMemory()

OptimizeMemory performs memory optimization operations

func PutSharedBuffer

func PutSharedBuffer(buf []byte)

PutSharedBuffer returns a shared buffer to the pool

func WithMemoryOptimization

func WithMemoryOptimization(ctx context.Context, fn func(context.Context) error) error

WithMemoryOptimization wraps a function call with memory optimization

Types

type BatchKMSValidationCache

// BatchKMSValidationCache caches KMS key validation results for a batch
// operation, so a key that many resources share is validated once rather
// than once per resource. Its fields are unexported and no methods are
// exported; it is used through BatchRemediationContext (inferred — confirm
// against the unexported code).
type BatchKMSValidationCache struct {
	// contains filtered or unexported fields
}

BatchKMSValidationCache caches KMS key validation results for a batch operation

type BatchRemediationContext

// BatchRemediationContext holds the shared state for one batch remediation
// operation. It is created by ComplianceService.NewBatchRemediationContext,
// which performs KMS validation up front for encryption rules; the validated
// key is then read back with GetValidatedKMSKeyInfo instead of being
// re-validated per resource.
type BatchRemediationContext struct {
	// contains filtered or unexported fields
}

BatchRemediationContext holds shared context for a batch remediation operation

func (*BatchRemediationContext) GetValidatedKMSKeyInfo

func (bctx *BatchRemediationContext) GetValidatedKMSKeyInfo() (*KMSKeyInfo, error)

GetValidatedKMSKeyInfo returns the pre-validated KMS key info for the batch

type ClientPool

// ClientPool manages reusable AWS clients to reduce memory allocations.
// GetKMSClient and GetLogsClient hand back one client per region and take a
// createFunc for building it, presumably called only when no client is
// cached for that region yet; Cleanup releases the clients and triggers a GC.
// NOTE(review): whether the pool is safe for concurrent use is not visible
// here — confirm before sharing one instance across goroutines.
type ClientPool struct {
	// contains filtered or unexported fields
}

ClientPool manages reusable AWS clients to reduce memory allocations

func (*ClientPool) Cleanup

func (cp *ClientPool) Cleanup()

Cleanup releases resources and triggers garbage collection

func (*ClientPool) GetKMSClient

func (cp *ClientPool) GetKMSClient(region string, createFunc func() *kms.Client) *kms.Client

GetKMSClient returns a cached KMS client for the region

func (*ClientPool) GetLogsClient

func (cp *ClientPool) GetLogsClient(region string, createFunc func() *cloudwatchlogs.Client) *cloudwatchlogs.Client

GetLogsClient returns a cached CloudWatch Logs client for the region

type CloudWatchLogsClientInterface

// CloudWatchLogsClientInterface is the consumer-side subset of the CloudWatch
// Logs API that remediation depends on; its method signatures mirror the SDK
// client so a fake can be substituted in tests. The first two methods mutate
// the log group (encryption key association and retention); DescribeLogGroups
// is the read-only call used to check that a group still exists.
type CloudWatchLogsClientInterface interface {
	// AssociateKmsKey attaches a KMS key to a log group — the write that
	// FailureStageKeyAssociation refers to.
	AssociateKmsKey(ctx context.Context, params *cloudwatchlogs.AssociateKmsKeyInput, optFns ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.AssociateKmsKeyOutput, error)
	// PutRetentionPolicy sets the retention period on a log group.
	PutRetentionPolicy(ctx context.Context, params *cloudwatchlogs.PutRetentionPolicyInput, optFns ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.PutRetentionPolicyOutput, error)
	// DescribeLogGroups reads log group metadata; it does not modify anything.
	DescribeLogGroups(ctx context.Context, params *cloudwatchlogs.DescribeLogGroupsInput, optFns ...func(*cloudwatchlogs.Options)) (*cloudwatchlogs.DescribeLogGroupsOutput, error)
}

CloudWatchLogsClientInterface defines the interface for CloudWatch Logs operations

type ComplianceService

// ComplianceService handles log group compliance remediation for a single
// region: it reads non-compliant resources from AWS Config, confirms they
// still exist, validates the configured KMS key, and applies encryption and
// retention changes. Construct it with NewComplianceService; the zero value
// is not usable.
type ComplianceService struct {
	// contains filtered or unexported fields
}

ComplianceService handles log group compliance remediation

func NewComplianceService

func NewComplianceService(cfg aws.Config) *ComplianceService

NewComplianceService creates a new compliance service

func (*ComplianceService) GetNonCompliantResources

func (s *ComplianceService) GetNonCompliantResources(ctx context.Context, configRuleName string, region string) ([]types.NonCompliantResource, error)

GetNonCompliantResources retrieves non-compliant log groups from Config API

func (*ComplianceService) NewBatchRemediationContext

func (s *ComplianceService) NewBatchRemediationContext(ctx context.Context, request types.BatchComplianceRequest) (*BatchRemediationContext, error)

NewBatchRemediationContext creates a new batch context with KMS validation only for encryption rules

func (*ComplianceService) ProcessNonCompliantResourcesOptimized

func (s *ComplianceService) ProcessNonCompliantResourcesOptimized(ctx context.Context, request types.BatchComplianceRequest) (*types.BatchRemediationResult, error)

ProcessNonCompliantResourcesOptimized processes multiple non-compliant resources with optimized KMS validation

func (*ComplianceService) RemediateLogGroup

func (s *ComplianceService) RemediateLogGroup(ctx context.Context, compliance types.ComplianceResult) (*types.RemediationResult, error)

RemediateLogGroup applies compliance remediation to a log group

func (*ComplianceService) ValidateKMSKeyComprehensively

func (s *ComplianceService) ValidateKMSKeyComprehensively(ctx context.Context, keyAlias string) (*types.KMSValidationReport, error)

ValidateKMSKeyComprehensively provides a comprehensive validation report for a KMS key. This function is useful for troubleshooting and audit purposes.

func (*ComplianceService) ValidateResourceExistence

func (s *ComplianceService) ValidateResourceExistence(ctx context.Context, resources []types.NonCompliantResource) ([]types.NonCompliantResource, error)

ValidateResourceExistence checks if resources still exist before processing

type ComplianceServiceInterface

// ComplianceServiceInterface defines the interface for compliance operations.
// *ComplianceService exports every method listed here; the interface exists so
// callers (and tests) can depend on the behaviour rather than the concrete
// type.
type ComplianceServiceInterface interface {
	// RemediateLogGroup applies remediation to one log group.
	RemediateLogGroup(ctx context.Context, compliance types.ComplianceResult) (*types.RemediationResult, error)
	// ProcessNonCompliantResourcesOptimized remediates a whole batch, validating
	// the KMS key once for the batch rather than per resource.
	ProcessNonCompliantResourcesOptimized(ctx context.Context, request types.BatchComplianceRequest) (*types.BatchRemediationResult, error)
	// GetNonCompliantResources lists the resources AWS Config flagged for a rule in a region.
	GetNonCompliantResources(ctx context.Context, configRuleName string, region string) ([]types.NonCompliantResource, error)
	// ValidateResourceExistence filters the list down to resources that still exist.
	ValidateResourceExistence(ctx context.Context, resources []types.NonCompliantResource) ([]types.NonCompliantResource, error)
}

ComplianceServiceInterface defines the interface for compliance operations

type ConfigEvaluationService

// ConfigEvaluationService handles AWS Config rule evaluation processing:
// fetching the resources a rule marked non-compliant and filtering them by
// compliance type. Unlike ComplianceService, its ValidateResourceExistence
// trusts the Config evaluation and does not re-check existence (see the
// method's documentation). Construct it with NewConfigEvaluationService.
type ConfigEvaluationService struct {
	// contains filtered or unexported fields
}

ConfigEvaluationService handles AWS Config rule evaluation processing

func NewConfigEvaluationService

func NewConfigEvaluationService(cfg aws.Config) *ConfigEvaluationService

NewConfigEvaluationService creates a new Config evaluation service

func (*ConfigEvaluationService) FilterResourcesByComplianceType

func (s *ConfigEvaluationService) FilterResourcesByComplianceType(resources []logguardiantypes.NonCompliantResource, complianceTypes []string) []logguardiantypes.NonCompliantResource

FilterResourcesByComplianceType filters resources by specific compliance issues

func (*ConfigEvaluationService) GetNonCompliantResources

func (s *ConfigEvaluationService) GetNonCompliantResources(ctx context.Context, configRuleName string, region string) ([]logguardiantypes.NonCompliantResource, error)

GetNonCompliantResources retrieves non-compliant log groups from Config API

func (*ConfigEvaluationService) ValidateResourceExistence

ValidateResourceExistence checks if resources still exist before processing. Note: for Config rule evaluations, we trust that AWS Config has recently evaluated these resources. If a log group is deleted between evaluation and remediation, the remediation will fail gracefully and the resource won't appear in the next Config rule evaluation.

type ConfigServiceClientInterface

// ConfigServiceClientInterface is the consumer-side subset of the AWS Config
// API used to discover non-compliant resources. Both methods are read-only
// lookups, so an identity granted only these cannot change Config state.
type ConfigServiceClientInterface interface {
	// GetComplianceDetailsByConfigRule lists evaluation results for one rule.
	GetComplianceDetailsByConfigRule(ctx context.Context, params *configservice.GetComplianceDetailsByConfigRuleInput, optFns ...func(*configservice.Options)) (*configservice.GetComplianceDetailsByConfigRuleOutput, error)
	// GetComplianceDetailsByResource lists evaluation results for one resource.
	GetComplianceDetailsByResource(ctx context.Context, params *configservice.GetComplianceDetailsByResourceInput, optFns ...func(*configservice.Options)) (*configservice.GetComplianceDetailsByResourceOutput, error)
}

ConfigServiceClientInterface defines the interface for AWS Config operations

type KMSClientInterface

// KMSClientInterface is the consumer-side subset of the KMS API that key
// validation depends on. All three calls are read-only, which is the
// permission set a remediation role needs for validation; the write that
// actually uses the key is AssociateKmsKey on the Logs client, not KMS.
type KMSClientInterface interface {
	// DescribeKey returns key metadata — the source of KeyId, Arn and KeyState
	// in KMSKeyInfo, and of the key_not_found / unusable_key_state failures.
	DescribeKey(ctx context.Context, params *kms.DescribeKeyInput, optFns ...func(*kms.Options)) (*kms.DescribeKeyOutput, error)
	// GetKeyPolicy fetches the key policy document inspected during policy validation.
	GetKeyPolicy(ctx context.Context, params *kms.GetKeyPolicyInput, optFns ...func(*kms.Options)) (*kms.GetKeyPolicyOutput, error)
	// ListGrants lists grants on the key; presumably consulted alongside the
	// policy to decide whether CloudWatch Logs can use the key — confirm.
	ListGrants(ctx context.Context, params *kms.ListGrantsInput, optFns ...func(*kms.Options)) (*kms.ListGrantsOutput, error)
}

KMSClientInterface defines the interface for KMS operations

type KMSKeyInfo

// KMSKeyInfo holds comprehensive information about a KMS key. It is what
// BatchRemediationContext.GetValidatedKMSKeyInfo returns once the batch's key
// has been validated, so consumers can rely on the key having passed
// validation rather than re-checking it.
type KMSKeyInfo struct {
	KeyId    string // key identifier (exported name kept as-is for compatibility; Go style would be KeyID)
	Arn      string // full key ARN; FailureReasonMissingKeyARN suggests validation rejects a key without one
	KeyState string // key state as reported by DescribeKey; FailureReasonUnusableKeyState suggests only some states are accepted — see validation code
	Region   string // region the key was described in; a mismatch with the target region is what AuditActionCrossRegionKeyUsage records
}

KMSKeyInfo holds comprehensive information about a KMS key

type MemoryOptimizedComplianceService

// MemoryOptimizedComplianceService provides memory-optimized operations for
// Lambda. It embeds *ComplianceService, so every ComplianceService method is
// promoted and callable on this type unchanged. Build it with
// NewMemoryOptimizedComplianceService, which takes the base service; calling a
// promoted method with a nil embedded pointer would panic, so the constructor
// presumably requires a non-nil baseService — confirm.
type MemoryOptimizedComplianceService struct {
	*ComplianceService
	// contains filtered or unexported fields
}

MemoryOptimizedComplianceService provides memory-optimized operations for Lambda

func NewMemoryOptimizedComplianceService

func NewMemoryOptimizedComplianceService(baseService *ComplianceService) *MemoryOptimizedComplianceService

NewMemoryOptimizedComplianceService creates a memory-optimized service

type MemoryStats

// MemoryStats provides memory usage statistics. It is a point-in-time
// snapshot returned by GetMemoryStats; the MB fields are whole megabytes,
// so small values are truncated rather than rounded (inferred from the
// integer types — confirm against the conversion).
type MemoryStats struct {
	AllocMB      uint64 // Current memory allocation in MB
	TotalAllocMB uint64 // Total memory allocated in MB (cumulative, never decreases)
	SysMB        uint64 // System memory obtained from OS in MB
	NumGCRuns    uint32 // Number of GC runs
	HeapObjects  uint64 // Number of objects in heap
}

MemoryStats provides memory usage statistics

func GetMemoryStats

func GetMemoryStats() MemoryStats

GetMemoryStats returns current memory usage statistics

type MetricsData added in v1.1.1

// MetricsData holds the counters for one batch operation, published together
// by MetricsService.PublishBatchMetrics. Callers accumulate the counts during
// the batch and publish once at the end.
type MetricsData struct {
	LogGroupsProcessed  int // log groups examined in the batch
	LogGroupsRemediated int // log groups whose remediation was applied
	RemediationErrors   int // remediations that failed; a non-zero value is the signal to alert on
}

MetricsData holds metrics for batch publishing

type MetricsService added in v1.1.1

// MetricsService handles CloudWatch metrics publishing. It publishes either a
// whole batch's MetricsData at once (PublishBatchMetrics) or a single named
// value with a unit (PublishSingleMetric). Construct it with NewMetricsService.
type MetricsService struct {
	// contains filtered or unexported fields
}

MetricsService handles CloudWatch metrics publishing

func NewMetricsService added in v1.1.1

func NewMetricsService(cfg aws.Config) *MetricsService

NewMetricsService creates a new metrics service

func (*MetricsService) PublishBatchMetrics added in v1.1.1

func (m *MetricsService) PublishBatchMetrics(ctx context.Context, metrics MetricsData) error

PublishBatchMetrics publishes all metrics from a batch operation

func (*MetricsService) PublishSingleMetric added in v1.1.1

func (m *MetricsService) PublishSingleMetric(ctx context.Context, metricName string, value float64, unit types.StandardUnit) error

PublishSingleMetric publishes a single metric

type MultiRegionComplianceService

// MultiRegionComplianceService handles compliance across multiple AWS regions
// by keeping a per-region configuration (AddRegion / LoadRegionsFromConfig)
// and routing each RemediateLogGroup call to the matching region. The region
// list can come from environment variables (NewMultiRegionFromEnvironment);
// ValidateRegionAccess and ValidateKMSKeysAcrossRegions exist to check that
// every configured region is reachable and has a usable key before any
// remediation is attempted. Construct it with NewMultiRegionComplianceService.
type MultiRegionComplianceService struct {
	// contains filtered or unexported fields
}

MultiRegionComplianceService handles compliance across multiple AWS regions

func NewMultiRegionComplianceService

func NewMultiRegionComplianceService(baseConfig aws.Config) *MultiRegionComplianceService

NewMultiRegionComplianceService creates a new multi-region compliance service

func NewMultiRegionFromEnvironment

func NewMultiRegionFromEnvironment(ctx context.Context) (*MultiRegionComplianceService, error)

NewMultiRegionFromEnvironment creates a multi-region service from environment variables

func (*MultiRegionComplianceService) AddRegion

func (mrs *MultiRegionComplianceService) AddRegion(region string, serviceConfig ServiceConfig) error

AddRegion adds support for a specific region with custom configuration

func (*MultiRegionComplianceService) GetSupportedRegions

func (mrs *MultiRegionComplianceService) GetSupportedRegions() []string

GetSupportedRegions returns the list of configured regions

func (*MultiRegionComplianceService) LoadRegionsFromConfig

func (mrs *MultiRegionComplianceService) LoadRegionsFromConfig(ctx context.Context, regions []string) error

LoadRegionsFromConfig loads multiple regions from environment configuration

func (*MultiRegionComplianceService) RemediateLogGroup

func (mrs *MultiRegionComplianceService) RemediateLogGroup(ctx context.Context, compliance types.ComplianceResult) (*types.RemediationResult, error)

RemediateLogGroup applies remediation to a log group in the appropriate region

func (*MultiRegionComplianceService) ValidateKMSKeysAcrossRegions

func (mrs *MultiRegionComplianceService) ValidateKMSKeysAcrossRegions(ctx context.Context) (map[string]*types.KMSValidationReport, error)

ValidateKMSKeysAcrossRegions validates KMS keys in all configured regions. This provides comprehensive cross-region KMS key validation with concurrent processing.

func (*MultiRegionComplianceService) ValidateRegionAccess

func (mrs *MultiRegionComplianceService) ValidateRegionAccess(ctx context.Context) error

ValidateRegionAccess validates that we can access required services in each region

type ServiceConfig

// ServiceConfig holds configuration for the compliance service. One instance
// applies to one region; MultiRegionComplianceService.AddRegion takes a
// ServiceConfig per region.
type ServiceConfig struct {
	DefaultKMSKeyAlias   string        // KMS key alias applied to log groups; presumably the keyAlias validated by ValidateKMSKeyComprehensively — confirm
	DefaultRetentionDays int32         // retention applied via PutRetentionPolicy
	DryRun               bool          // when true remediation is reported (AuditActionEncryptionDryRun) rather than applied — confirm in RemediateLogGroup
	BatchLimit           int32         // cap on resources per batch; relationship to DefaultBatchSize not visible here — confirm
	Region               string        // region this configuration applies to
	MaxKMSRetries        int32         // retry attempts for KMS calls; the backoff multiplier is separately capped at MaxBackoffMultiplier
	RetryBaseDelay       time.Duration // base delay for exponential backoff, presumably scaled by up to MaxBackoffMultiplier
	BatchResourceDelay   time.Duration // pause between resources within a batch (inferred from name)
	BatchGroupDelay      time.Duration // pause between batches (inferred from name)
}

ServiceConfig holds configuration for the compliance service

type StringPool

// StringPool provides memory-efficient string operations by lending out
// reusable byte buffers: GetBuffer takes one, PutBuffer returns it. Construct
// it with NewStringPool. The package-level GetSharedBuffer / PutSharedBuffer
// pair presumably wraps a shared instance — confirm. A buffer handed to
// PutBuffer must not be used afterwards, since it may be lent to another caller.
type StringPool struct {
	// contains filtered or unexported fields
}

StringPool provides memory-efficient string operations

func NewStringPool

func NewStringPool() *StringPool

NewStringPool creates a new string pool

func (*StringPool) GetBuffer

func (sp *StringPool) GetBuffer() []byte

GetBuffer gets a buffer from the pool

func (*StringPool) PutBuffer

func (sp *StringPool) PutBuffer(buf []byte)

PutBuffer returns a buffer to the pool
