github.com/khulnasoft-lab/defsec@v1.0.5-0.20230827010352-5e9f46893d95/internal/adapters/cloud/aws/elasticsearch/adapt.go (about) 1 package elasticsearch 2 3 import ( 4 api "github.com/aws/aws-sdk-go-v2/service/elasticsearchservice" 5 "github.com/aws/aws-sdk-go-v2/service/elasticsearchservice/types" 6 "github.com/khulnasoft-lab/defsec/internal/adapters/cloud/aws" 7 "github.com/khulnasoft-lab/defsec/pkg/concurrency" 8 "github.com/khulnasoft-lab/defsec/pkg/providers/aws/elasticsearch" 9 "github.com/khulnasoft-lab/defsec/pkg/state" 10 defsecTypes "github.com/khulnasoft-lab/defsec/pkg/types" 11 ) 12 13 type adapter struct { 14 *aws.RootAdapter 15 api *api.Client 16 } 17 18 func init() { 19 aws.RegisterServiceAdapter(&adapter{}) 20 } 21 22 func (a *adapter) Provider() string { 23 return "aws" 24 } 25 26 func (a *adapter) Name() string { 27 return "elasticsearch" 28 } 29 30 func (a *adapter) Adapt(root *aws.RootAdapter, state *state.State) error { 31 32 a.RootAdapter = root 33 a.api = api.NewFromConfig(root.SessionConfig()) 34 var err error 35 36 state.AWS.Elasticsearch.Domains, err = a.getDomains() 37 if err != nil { 38 return err 39 } 40 41 return nil 42 } 43 44 func (a *adapter) getDomains() ([]elasticsearch.Domain, error) { 45 46 a.Tracker().SetServiceLabel("Discovering domains...") 47 48 var input api.ListDomainNamesInput 49 output, err := a.api.ListDomainNames(a.Context(), &input) 50 if err != nil { 51 return nil, err 52 } 53 apiDomains := output.DomainNames 54 a.Tracker().SetTotalResources(len(apiDomains)) 55 56 a.Tracker().SetServiceLabel("Adapting domains...") 57 return concurrency.Adapt(apiDomains, a.RootAdapter, a.adaptDomain), nil 58 } 59 60 func (a *adapter) adaptDomain(apiDomain types.DomainInfo) (*elasticsearch.Domain, error) { 61 metadata := a.CreateMetadata(*apiDomain.DomainName) 62 63 output, err := a.api.DescribeElasticsearchDomain(a.Context(), &api.DescribeElasticsearchDomainInput{ 64 DomainName: apiDomain.DomainName, 65 }) 66 if err != nil { 67 return nil, err 68 } 69 status := output.DomainStatus 70 71 var auditEnabled bool 72 var transitEncryption bool 73 var atRestEncryption bool 74 var enforceHTTPS, dedicatedMasterEnabled bool 75 var tlsPolicy, cloudWatchLogGroupArn, kmskeyId, vpcId string 76 77 if status.ElasticsearchClusterConfig != nil { 78 dedicatedMasterEnabled = *status.ElasticsearchClusterConfig.DedicatedMasterEnabled 79 } 80 81 if status.VPCOptions != nil && status.VPCOptions.VPCId != nil { 82 vpcId = *status.VPCOptions.VPCId 83 } 84 85 if status.LogPublishingOptions != nil { 86 if audit, ok := status.LogPublishingOptions["AUDIT_LOGS"]; ok && audit.Enabled != nil { 87 auditEnabled = *audit.Enabled 88 if audit.CloudWatchLogsLogGroupArn != nil { 89 cloudWatchLogGroupArn = *audit.CloudWatchLogsLogGroupArn 90 } 91 } 92 } 93 94 if status.NodeToNodeEncryptionOptions != nil && status.NodeToNodeEncryptionOptions.Enabled != nil { 95 transitEncryption = *status.NodeToNodeEncryptionOptions.Enabled 96 } 97 98 if status.EncryptionAtRestOptions != nil && status.EncryptionAtRestOptions.Enabled != nil { 99 atRestEncryption = *status.EncryptionAtRestOptions.Enabled 100 if status.EncryptionAtRestOptions.KmsKeyId != nil { 101 kmskeyId = *status.EncryptionAtRestOptions.KmsKeyId 102 } 103 } 104 105 if status.DomainEndpointOptions != nil { 106 tlsPolicy = string(status.DomainEndpointOptions.TLSSecurityPolicy) 107 if status.DomainEndpointOptions.EnforceHTTPS != nil { 108 enforceHTTPS = *status.DomainEndpointOptions.EnforceHTTPS 109 } 110 } 111 112 var currentVersion, newVersion, updatestatus string 113 var updateAvailable bool 114 115 if status.ServiceSoftwareOptions != nil { 116 currentVersion = *status.ServiceSoftwareOptions.CurrentVersion 117 newVersion = *status.ServiceSoftwareOptions.NewVersion 118 updateAvailable = *status.ServiceSoftwareOptions.UpdateAvailable 119 updatestatus = string(status.ServiceSoftwareOptions.UpdateStatus) 120 } 121 122 return &elasticsearch.Domain{ 123 Metadata: metadata, 124 DomainName: defsecTypes.String(*apiDomain.DomainName, metadata), 125 AccessPolicies: defsecTypes.String(*status.AccessPolicies, metadata), 126 DedicatedMasterEnabled: defsecTypes.Bool(dedicatedMasterEnabled, metadata), 127 VpcId: defsecTypes.String(vpcId, metadata), 128 LogPublishing: elasticsearch.LogPublishing{ 129 Metadata: metadata, 130 AuditEnabled: defsecTypes.Bool(auditEnabled, metadata), 131 CloudWatchLogGroupArn: defsecTypes.String(cloudWatchLogGroupArn, metadata), 132 }, 133 TransitEncryption: elasticsearch.TransitEncryption{ 134 Metadata: metadata, 135 Enabled: defsecTypes.Bool(transitEncryption, metadata), 136 }, 137 AtRestEncryption: elasticsearch.AtRestEncryption{ 138 Metadata: metadata, 139 Enabled: defsecTypes.Bool(atRestEncryption, metadata), 140 KmsKeyId: defsecTypes.String(kmskeyId, metadata), 141 }, 142 Endpoint: elasticsearch.Endpoint{ 143 Metadata: metadata, 144 EnforceHTTPS: defsecTypes.Bool(enforceHTTPS, metadata), 145 TLSPolicy: defsecTypes.String(tlsPolicy, metadata), 146 }, 147 ServiceSoftwareOptions: elasticsearch.ServiceSoftwareOptions{ 148 Metadata: metadata, 149 CurrentVersion: defsecTypes.String(currentVersion, metadata), 150 NewVersion: defsecTypes.String(newVersion, metadata), 151 UpdateAvailable: defsecTypes.Bool(updateAvailable, metadata), 152 UpdateStatus: defsecTypes.String(updatestatus, metadata), 153 }, 154 }, nil 155 }