Merge pull request #51 from GSA/update

Adds SheetVpcPeers
GSA · Aug 24, 2021 · 9b3f84a · 9b3f84a
2 parents 2130c43 + d649056
commit 9b3f84a
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -264,6 +264,7 @@ provider "aws" {
 | Volumes | ec2:DescribeVolumes | queries EC2 Volumes |
 | Snapshots | ec2:DescribeSnapshots | queries EC2 Snapshots |
 | VPCs | ec2:DescribeVpcs | queries EC2 VPCs |
+| VpcPeers | ec2:DescribeVpcPeeringConnectionsPages | queries EC2 Vpc Peers |
 | Subnets | ec2:DescribeSubnets | queries EC2 Subnets |
 | SecurityGroups | ec2:DescribeSecurityGroups | queries EC2 Security Groups |
 | Addresses | ec2:DescribeAddresses | queries EC2 Addresses |

diff --git a/handler/helpers/ec2.go b/handler/helpers/ec2.go
@@ -1,6 +1,7 @@
 package helpers
 
 import (
+	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/service/ec2"
 	"github.com/aws/aws-sdk-go/service/ec2/ec2iface"
 )
@@ -81,6 +82,44 @@ func (svc *Ec2Svc) Vpcs() ([]*ec2.Vpc, error) {
 	return results, nil
 }
 
+type VpcPeer struct {
+	AccepterAccountID  string
+	AccepterVpcID      string
+	AccepterCidrBlock  string
+	RequesterAccountID string
+	RequesterVpcID     string
+	RequesterCidrBlock string
+	StatusCode         string
+	StatusMessage      string
+}
+
+//
+// VpcPeers ... pages through DescribeVpcPeeringConnectionsPages and returns all VPC Peers
+func (svc *Ec2Svc) VpcPeers() ([]*VpcPeer, error) {
+	var results []*VpcPeer
+	err := svc.Client.DescribeVpcPeeringConnectionsPages(&ec2.DescribeVpcPeeringConnectionsInput{},
+		func(page *ec2.DescribeVpcPeeringConnectionsOutput, lastPage bool) bool {
+			for _, conn := range page.VpcPeeringConnections {
+				peer := &VpcPeer{
+					AccepterVpcID:      aws.StringValue(conn.AccepterVpcInfo.VpcId),
+					AccepterAccountID:  aws.StringValue(conn.AccepterVpcInfo.OwnerId),
+					AccepterCidrBlock:  aws.StringValue(conn.AccepterVpcInfo.CidrBlock),
+					RequesterVpcID:     aws.StringValue(conn.RequesterVpcInfo.VpcId),
+					RequesterAccountID: aws.StringValue(conn.RequesterVpcInfo.OwnerId),
+					RequesterCidrBlock: aws.StringValue(conn.RequesterVpcInfo.CidrBlock),
+					StatusCode:         aws.StringValue(conn.Status.Code),
+					StatusMessage:      aws.StringValue(conn.Status.Message),
+				}
+				results = append(results, peer)
+			}
+			return !lastPage
+		})
+	if err != nil {
+		return nil, err
+	}
+	return results, nil
+}
+
 // Subnets ... pages through DescribeSubnetsPages and returns all VPC Subnets
 func (svc *Ec2Svc) Subnets() ([]*ec2.Subnet, error) {
 	var results []*ec2.Subnet

diff --git a/handler/helpers/helpers.go b/handler/helpers/helpers.go
@@ -320,6 +320,7 @@ const (
 	SheetVolumes        = "Volumes"
 	SheetSnapshots      = "Snapshots"
 	SheetVpcs           = "VPCs"
+	SheetVpcPeers       = "VpcPeers"
 	SheetSubnets        = "Subnets"
 	SheetSecurityGroups = "SecurityGroups"
 	SheetAddresses      = "Addresses"
@@ -407,6 +408,8 @@ func TypeToSheet(items interface{}) (string, error) {
 		sheet = SheetTopics
 	case *ssm.ParameterMetadata:
 		sheet = SheetParameters
+	case *VpcPeer:
+		sheet = SheetVpcPeers
 	default:
 		log.Printf("Unknown sheet type: %T", val)
 		return "", errors.New("unknown type")

diff --git a/handler/inv/init.go b/handler/inv/init.go
@@ -133,6 +133,20 @@ func init() {
 			{FriendlyName: "DhcpOptionsId", FieldName: "DhcpOptionsId"},
 		}}
 	})
+	spreadsheet.RegisterSheet(helpers.SheetVpcPeers, func() *spreadsheet.Sheet {
+		return &spreadsheet.Sheet{Name: "VpcPeers", Columns: []*spreadsheet.Column{
+			{FriendlyName: "Account", FieldName: ""},
+			{FriendlyName: "Region", FieldName: ""},
+			{FriendlyName: "AccepterAccountID", FieldName: "AccepterAccountID"},
+			{FriendlyName: "AccepterVpcID", FieldName: "AccepterVpcID"},
+			{FriendlyName: "AccepterCidrBlock", FieldName: "AccepterCidrBlock"},
+			{FriendlyName: "RequesterAccountID", FieldName: "RequesterAccountID"},
+			{FriendlyName: "RequesterVpcID", FieldName: "RequesterVpcID"},
+			{FriendlyName: "RequesterCidrBlock", FieldName: "RequesterCidrBlock"},
+			{FriendlyName: "StatusCode", FieldName: "StatusCode"},
+			{FriendlyName: "StatusMessage", FieldName: "StatusMessage"},
+		}}
+	})
 	spreadsheet.RegisterSheet(helpers.SheetSubnets, func() *spreadsheet.Sheet {
 		return &spreadsheet.Sheet{Name: "Subnets", Columns: []*spreadsheet.Column{
 			{FriendlyName: "Account", FieldName: ""},

diff --git a/handler/inv/inv.go b/handler/inv/inv.go
@@ -158,6 +158,7 @@ func New() (*Inv, error) {
 		helpers.SheetVolumes:        inv.queryVolumes,
 		helpers.SheetSnapshots:      inv.querySnapshots,
 		helpers.SheetVpcs:           inv.queryVpcs,
+		helpers.SheetVpcPeers:       inv.queryVpcPeers,
 		helpers.SheetSubnets:        inv.querySubnets,
 		helpers.SheetSecurityGroups: inv.querySecurityGroups,
 		helpers.SheetAddresses:      inv.queryAddresses,
@@ -628,6 +629,27 @@ func (inv *Inv) queryVpcs() ([]*spreadsheet.Payload, error) {
 	})
 }
 
+// queryVpcPeers ... queries VpcPeerss for all organization accounts and
+// all sessions/regions in SessionMgr, pushes them onto a slice of interface
+// then returns a slice of *spreadsheet.Payload
+func (inv *Inv) queryVpcPeers() ([]*spreadsheet.Payload, error) {
+	defer logDuration()()
+	return inv.walkSessions(func(account string, cred *credentials.Credentials, sess *session.Session) (*spreadsheet.Payload, error) {
+		svc := helpers.Ec2Svc{
+			Client: ec2Creator(sess, &aws.Config{Credentials: cred}),
+		}
+		peers, err := svc.VpcPeers()
+		if err != nil {
+			return nil, newQueryErrorf(err, "failed to get VpcPeers for account: %s, region: %s -> %v", account, *sess.Config.Region, err)
+		}
+		var items []interface{}
+		for _, v := range peers {
+			items = append(items, v)
+		}
+		return &spreadsheet.Payload{Static: []string{account, *sess.Config.Region}, Items: items}, nil
+	})
+}
+
 // querySubnets ... queries subnets for all organization accounts and
 // all sessions/regions in SessionMgr, pushes them onto a slice of interface
 // then returns a slice of *spreadsheet.Payload

diff --git a/lambda.tf b/lambda.tf
@@ -1,3 +1,4 @@
+#tfsec:ignore:aws-lambda-enable-tracing
 resource "aws_lambda_function" "lambda_function" {
   filename         = var.source_file
   function_name    = local.app_name

diff --git a/s3.tf b/s3.tf
@@ -2,6 +2,7 @@ locals {
   useAccessLogging = length(var.access_logging_bucket) > 0 ? [1] : []
 }
 
+#tfsec:ignore:AWS002
 resource "aws_s3_bucket" "bucket" {
   bucket        = local.app_name
   acl           = "private"
@@ -11,7 +12,6 @@ resource "aws_s3_bucket" "bucket" {
     enabled = true
   }
 
-  #tfsec:ignore:AWS002
   dynamic "logging" {
     for_each = local.useAccessLogging
     content {