diff --git a/README.md b/README.md index 5f9d4eb..d6caada 100644 --- a/README.md +++ b/README.md @@ -264,6 +264,7 @@ provider "aws" { | Volumes | ec2:DescribeVolumes | queries EC2 Volumes | | Snapshots | ec2:DescribeSnapshots | queries EC2 Snapshots | | VPCs | ec2:DescribeVpcs | queries EC2 VPCs | +| VpcPeers | ec2:DescribeVpcPeeringConnectionsPages | queries EC2 Vpc Peers | | Subnets | ec2:DescribeSubnets | queries EC2 Subnets | | SecurityGroups | ec2:DescribeSecurityGroups | queries EC2 Security Groups | | Addresses | ec2:DescribeAddresses | queries EC2 Addresses | diff --git a/handler/helpers/ec2.go b/handler/helpers/ec2.go index ed9e3ce..0346974 100644 --- a/handler/helpers/ec2.go +++ b/handler/helpers/ec2.go @@ -1,6 +1,7 @@ package helpers import ( + "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/service/ec2" "github.com/aws/aws-sdk-go/service/ec2/ec2iface" ) @@ -81,6 +82,44 @@ func (svc *Ec2Svc) Vpcs() ([]*ec2.Vpc, error) { return results, nil } +type VpcPeer struct { + AccepterAccountID string + AccepterVpcID string + AccepterCidrBlock string + RequesterAccountID string + RequesterVpcID string + RequesterCidrBlock string + StatusCode string + StatusMessage string +} + +// +// VpcPeers ... pages through DescribeVpcPeeringConnectionsPages and returns all VPC Peers +func (svc *Ec2Svc) VpcPeers() ([]*VpcPeer, error) { + var results []*VpcPeer + err := svc.Client.DescribeVpcPeeringConnectionsPages(&ec2.DescribeVpcPeeringConnectionsInput{}, + func(page *ec2.DescribeVpcPeeringConnectionsOutput, lastPage bool) bool { + for _, conn := range page.VpcPeeringConnections { + peer := &VpcPeer{ + AccepterVpcID: aws.StringValue(conn.AccepterVpcInfo.VpcId), + AccepterAccountID: aws.StringValue(conn.AccepterVpcInfo.OwnerId), + AccepterCidrBlock: aws.StringValue(conn.AccepterVpcInfo.CidrBlock), + RequesterVpcID: aws.StringValue(conn.RequesterVpcInfo.VpcId), + RequesterAccountID: aws.StringValue(conn.RequesterVpcInfo.OwnerId), + RequesterCidrBlock: aws.StringValue(conn.RequesterVpcInfo.CidrBlock), + StatusCode: aws.StringValue(conn.Status.Code), + StatusMessage: aws.StringValue(conn.Status.Message), + } + results = append(results, peer) + } + return !lastPage + }) + if err != nil { + return nil, err + } + return results, nil +} + // Subnets ... pages through DescribeSubnetsPages and returns all VPC Subnets func (svc *Ec2Svc) Subnets() ([]*ec2.Subnet, error) { var results []*ec2.Subnet diff --git a/handler/helpers/helpers.go b/handler/helpers/helpers.go index 4e5de1b..478f75b 100644 --- a/handler/helpers/helpers.go +++ b/handler/helpers/helpers.go @@ -320,6 +320,7 @@ const ( SheetVolumes = "Volumes" SheetSnapshots = "Snapshots" SheetVpcs = "VPCs" + SheetVpcPeers = "VpcPeers" SheetSubnets = "Subnets" SheetSecurityGroups = "SecurityGroups" SheetAddresses = "Addresses" @@ -407,6 +408,8 @@ func TypeToSheet(items interface{}) (string, error) { sheet = SheetTopics case *ssm.ParameterMetadata: sheet = SheetParameters + case *VpcPeer: + sheet = SheetVpcPeers default: log.Printf("Unknown sheet type: %T", val) return "", errors.New("unknown type") diff --git a/handler/inv/init.go b/handler/inv/init.go index ed1140e..987a3a0 100644 --- a/handler/inv/init.go +++ b/handler/inv/init.go @@ -133,6 +133,20 @@ func init() { {FriendlyName: "DhcpOptionsId", FieldName: "DhcpOptionsId"}, }} }) + spreadsheet.RegisterSheet(helpers.SheetVpcPeers, func() *spreadsheet.Sheet { + return &spreadsheet.Sheet{Name: "VpcPeers", Columns: []*spreadsheet.Column{ + {FriendlyName: "Account", FieldName: ""}, + {FriendlyName: "Region", FieldName: ""}, + {FriendlyName: "AccepterAccountID", FieldName: "AccepterAccountID"}, + {FriendlyName: "AccepterVpcID", FieldName: "AccepterVpcID"}, + {FriendlyName: "AccepterCidrBlock", FieldName: "AccepterCidrBlock"}, + {FriendlyName: "RequesterAccountID", FieldName: "RequesterAccountID"}, + {FriendlyName: "RequesterVpcID", FieldName: "RequesterVpcID"}, + {FriendlyName: "RequesterCidrBlock", FieldName: "RequesterCidrBlock"}, + {FriendlyName: "StatusCode", FieldName: "StatusCode"}, + {FriendlyName: "StatusMessage", FieldName: "StatusMessage"}, + }} + }) spreadsheet.RegisterSheet(helpers.SheetSubnets, func() *spreadsheet.Sheet { return &spreadsheet.Sheet{Name: "Subnets", Columns: []*spreadsheet.Column{ {FriendlyName: "Account", FieldName: ""}, diff --git a/handler/inv/inv.go b/handler/inv/inv.go index a25a76b..967fcc5 100644 --- a/handler/inv/inv.go +++ b/handler/inv/inv.go @@ -158,6 +158,7 @@ func New() (*Inv, error) { helpers.SheetVolumes: inv.queryVolumes, helpers.SheetSnapshots: inv.querySnapshots, helpers.SheetVpcs: inv.queryVpcs, + helpers.SheetVpcPeers: inv.queryVpcPeers, helpers.SheetSubnets: inv.querySubnets, helpers.SheetSecurityGroups: inv.querySecurityGroups, helpers.SheetAddresses: inv.queryAddresses, @@ -628,6 +629,27 @@ func (inv *Inv) queryVpcs() ([]*spreadsheet.Payload, error) { }) } +// queryVpcPeers ... queries VpcPeerss for all organization accounts and +// all sessions/regions in SessionMgr, pushes them onto a slice of interface +// then returns a slice of *spreadsheet.Payload +func (inv *Inv) queryVpcPeers() ([]*spreadsheet.Payload, error) { + defer logDuration()() + return inv.walkSessions(func(account string, cred *credentials.Credentials, sess *session.Session) (*spreadsheet.Payload, error) { + svc := helpers.Ec2Svc{ + Client: ec2Creator(sess, &aws.Config{Credentials: cred}), + } + peers, err := svc.VpcPeers() + if err != nil { + return nil, newQueryErrorf(err, "failed to get VpcPeers for account: %s, region: %s -> %v", account, *sess.Config.Region, err) + } + var items []interface{} + for _, v := range peers { + items = append(items, v) + } + return &spreadsheet.Payload{Static: []string{account, *sess.Config.Region}, Items: items}, nil + }) +} + // querySubnets ... queries subnets for all organization accounts and // all sessions/regions in SessionMgr, pushes them onto a slice of interface // then returns a slice of *spreadsheet.Payload diff --git a/lambda.tf b/lambda.tf index a1e588a..5790f47 100644 --- a/lambda.tf +++ b/lambda.tf @@ -1,3 +1,4 @@ +#tfsec:ignore:aws-lambda-enable-tracing resource "aws_lambda_function" "lambda_function" { filename = var.source_file function_name = local.app_name diff --git a/s3.tf b/s3.tf index cff1f66..aefea6d 100644 --- a/s3.tf +++ b/s3.tf @@ -2,6 +2,7 @@ locals { useAccessLogging = length(var.access_logging_bucket) > 0 ? [1] : [] } +#tfsec:ignore:AWS002 resource "aws_s3_bucket" "bucket" { bucket = local.app_name acl = "private" @@ -11,7 +12,6 @@ resource "aws_s3_bucket" "bucket" { enabled = true } - #tfsec:ignore:AWS002 dynamic "logging" { for_each = local.useAccessLogging content {