github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloud/aws/eks/adapt.go (about) 1 package eks 2 3 import ( 4 eksapi "github.com/aws/aws-sdk-go-v2/service/eks" 5 "github.com/aws/aws-sdk-go-v2/service/eks/types" 6 "github.com/khulnasoft-lab/defsec/internal/adapters/cloud/aws" 7 "github.com/khulnasoft-lab/defsec/pkg/concurrency" 8 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/eks" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 11 ) 12 13 type adapter struct { 14 *aws.RootAdapter 15 api *eksapi.Client 16 } 17 18 func init() { 19 aws.RegisterServiceAdapter(&adapter{}) 20 } 21 22 func (a *adapter) Provider() string { 23 return "aws" 24 } 25 26 func (a *adapter) Name() string { 27 return "eks" 28 } 29 30 func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error { 31 32 a.RootAdapter = root 33 a.api = eksapi.NewFromConfig(root.SessionConfig()) 34 var err error 35 36 state.AWS.EKS.Clusters, err = a.getClusters() 37 if err != nil { 38 return err 39 } 40 41 return nil 42 } 43 44 func (a *adapter) getClusters() ([]eks.Cluster, error) { 45 46 a.Tracker().SetServiceLabel("Discovering clusters...") 47 48 var clusterNames []string 49 var input eksapi.ListClustersInput 50 for { 51 output, err := a.api.ListClusters(a.Context(), &input) 52 if err != nil { 53 return nil, err 54 } 55 clusterNames = append(clusterNames, output.Clusters...) 56 a.Tracker().SetTotalResources(len(clusterNames)) 57 if output.NextToken == nil { 58 break 59 } 60 input.NextToken = output.NextToken 61 } 62 63 a.Tracker().SetServiceLabel("Adapting clusters...") 64 return concurrency.Adapt(clusterNames, a.RootAdapter, a.adaptCluster), nil 65 } 66 67 // nolint 68 func (a *adapter) adaptCluster(name string) (*eks.Cluster, error) { 69 70 output, err := a.api.DescribeCluster(a.Context(), &eksapi.DescribeClusterInput{ 71 Name: &name, 72 }) 73 if err != nil { 74 return nil, err 75 } 76 77 metadata := a.CreateMetadataFromARN(*output.Cluster.Arn) 78 79 var publicAccess bool 80 var publicCidrs []defsecTypes.StringValue 81 if output.Cluster.ResourcesVpcConfig != nil { 82 publicAccess = output.Cluster.ResourcesVpcConfig.EndpointPublicAccess 83 for _, cidr := range output.Cluster.ResourcesVpcConfig.PublicAccessCidrs { 84 publicCidrs = append(publicCidrs, defsecTypes.String(cidr, metadata)) 85 } 86 } 87 88 var encryptionKeyARN string 89 var secretsEncrypted bool 90 for _, config := range output.Cluster.EncryptionConfig { 91 if config.Provider != nil && config.Provider.KeyArn != nil { 92 encryptionKeyARN = *config.Provider.KeyArn 93 } 94 if len(config.Resources) > 0 { 95 for _, resource := range config.Resources { 96 if resource == "secrets" { 97 secretsEncrypted = true 98 } 99 } 100 } 101 } 102 103 var logAPI, logAudit, logAuth, logCM, logSched bool 104 if output.Cluster.Logging != nil { 105 for _, logging := range output.Cluster.Logging.ClusterLogging { 106 if logging.Enabled == nil || !*logging.Enabled { 107 continue 108 } 109 for _, logType := range logging.Types { 110 switch logType { 111 case types.LogTypeApi: 112 logAPI = true 113 case types.LogTypeAudit: 114 logAudit = true 115 case types.LogTypeAuthenticator: 116 logAuth = true 117 case types.LogTypeControllerManager: 118 logCM = true 119 case types.LogTypeScheduler: 120 logSched = true 121 } 122 } 123 } 124 } 125 126 return &eks.Cluster{ 127 Metadata: metadata, 128 Logging: eks.Logging{ 129 Metadata: metadata, 130 API: defsecTypes.Bool(logAPI, metadata), 131 Audit: defsecTypes.Bool(logAudit, metadata), 132 Authenticator: defsecTypes.Bool(logAuth, metadata), 133 ControllerManager: defsecTypes.Bool(logCM, metadata), 134 Scheduler: defsecTypes.Bool(logSched, metadata), 135 }, 136 Encryption: eks.Encryption{ 137 Metadata: metadata, 138 Secrets: defsecTypes.Bool(secretsEncrypted, metadata), 139 KMSKeyID: defsecTypes.String(encryptionKeyARN, metadata), 140 }, 141 PublicAccessEnabled: defsecTypes.Bool(publicAccess, metadata), 142 PublicAccessCIDRs: publicCidrs, 143 }, nil 144 }