From 1859607832c391c1fbc8cf8a5ea037a858534210 Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Tue, 27 Aug 2024 13:31:13 -0600
Subject: [PATCH 1/3] feat(configservice-configrule): remove remediation config if it exists

---
 resources/configservice-configrules.go | 55 +++++++++++++++++++-------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/resources/configservice-configrules.go b/resources/configservice-configrules.go
index 965c2c02..a90ada34 100644
--- a/resources/configservice-configrules.go
+++ b/resources/configservice-configrules.go
@@ -3,9 +3,10 @@ package resources
 import (
 "context"
 "fmt"
- "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/service/configservice"
+ "github.com/gotidy/ptr"
+ "github.com/sirupsen/logrus"
 
 "github.com/ekristen/libnuke/pkg/registry"
 "github.com/ekristen/libnuke/pkg/resource"
@@ -41,11 +42,27 @@ func (l *ConfigServiceConfigRuleLister) List(_ context.Context, o interface{}) (
 }
 
 for _, configRule := range output.ConfigRules {
- resources = append(resources, &ConfigServiceConfigRule{
- svc: svc,
- configRuleName: configRule.ConfigRuleName,
- createdBy: configRule.CreatedBy,
+ remConfig, err := svc.DescribeRemediationConfigurations(&configservice.DescribeRemediationConfigurationsInput{
+ ConfigRuleNames: []*string{configRule.ConfigRuleName},
 })
+ if err != nil {
+ logrus.
+ WithField("name", configRule.ConfigRuleName).
+ WithError(err).
+ Warn("unable to describe remediation configurations")
+ }
+
+ newResource := &ConfigServiceConfigRule{
+ svc: svc,
+ Name: configRule.ConfigRuleName,
+ CreatedBy: configRule.CreatedBy,
+ }
+
+ if remConfig != nil && len(remConfig.RemediationConfigurations) > 0 {
+ newResource.HasRemediationConfig = ptr.Bool(true)
+ }
+
+ resources = append(resources, newResource)
 }
 
 if output.NextToken == nil {
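Review bot: When `DescribeRemediationConfigurations` fails, the loop only logs a warning and still appends the rule with `HasRemediationConfig` left nil, so `Remove` will skip the remediation delete and `DeleteConfigRule` becomes the call that fails, far from the real cause (commonly a missing `config:DescribeRemediationConfigurations` permission or throttling). Assuming the usual `([]resource.Resource, error)` return shape, returning `nil, err` after the log is the safer choice, or at least recording the failure on the resource so its removal error names the real problem. The describe call is also issued once per rule; `ConfigRuleNames` takes a list, so the names from one page of results could be described in a single batched call. `List` begins and ends outside this hunk.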
@@ -59,17 +76,19 @@ func (l *ConfigServiceConfigRuleLister) List(_ context.Context, o interface{}) (
 }
 
 type ConfigServiceConfigRule struct {
- svc *configservice.ConfigService
- configRuleName *string
- createdBy *string
+ svc *configservice.ConfigService
+ Name *string
+ Scope *string
+ HasRemediationConfig *bool
+ CreatedBy *string
 }
 
 func (f *ConfigServiceConfigRule) Filter() error {
- if aws.StringValue(f.createdBy) == "securityhub.amazonaws.com" {
+ if aws.StringValue(f.CreatedBy) == "securityhub.amazonaws.com" {
 return fmt.Errorf("cannot remove rule owned by securityhub.amazonaws.com")
 }
 
- if aws.StringValue(f.createdBy) == "config-conforms.amazonaws.com" {
+ if aws.StringValue(f.CreatedBy) == "config-conforms.amazonaws.com" {
 return fmt.Errorf("cannot remove rule owned by config-conforms.amazonaws.com")
 }
 
@@ -77,19 +96,25 @@ func (f *ConfigServiceConfigRule) Filter() error {
 }
 
 func (f *ConfigServiceConfigRule) Remove(_ context.Context) error {
+ if ptr.ToBool(f.HasRemediationConfig) {
+ if _, err := f.svc.DeleteRemediationConfiguration(&configservice.DeleteRemediationConfigurationInput{
+ ConfigRuleName: f.Name,
+ }); err != nil {
+ return err
+ }
+ }
+
 _, err := f.svc.DeleteConfigRule(&configservice.DeleteConfigRuleInput{
- ConfigRuleName: f.configRuleName,
+ ConfigRuleName: f.Name,
 })
 return err
 }
 
 func (f *ConfigServiceConfigRule) String() string {
- return *f.configRuleName
+ return *f.Name
 }
 
 func (f *ConfigServiceConfigRule) Properties() types.Properties {
- props := types.NewProperties()
- props.Set("CreatedBy", f.createdBy)
- return props
+ return types.NewPropertiesFromStruct(f)
 }

From 6d306337ddfc45e47d8a47b9e5b8e6689396f0ec Mon Sep 17 00:00:00 2001
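Review bot: `Scope *string` is added to the struct but no line in this series assigns it — `List` sets only `svc`, `Name`, `CreatedBy` and `HasRemediationConfig` — so with `NewPropertiesFromStruct` it will always surface as an empty property, which misleads anyone writing a filter keyed on it. The SDK's `ConfigRule.Scope` is a pointer to a struct rather than a string, so either reduce it to a string where the resource is built or drop the field until it is populated. Since the exported fields now double as the resource's properties, a comment such as `// Exported fields are emitted as resource properties via NewPropertiesFromStruct.` above the struct would make that contract visible. `Filter` ends outside this hunk.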
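Review bot: `Remove` trusts the list-time `HasRemediationConfig` snapshot, which is nil when the describe call failed and stale if a remediation configuration was attached after listing; in both cases the remediation delete is skipped and `DeleteConfigRule` fails instead. Attempting `DeleteRemediationConfiguration` unconditionally and treating the service's `NoSuchRemediationConfigurationException` as success makes removal independent of that snapshot. The bare `return err` on both calls also hides which of the two deletes failed; wrapping with the rule name and `%w` keeps the SDK error type inspectable with `errors.As`. The rewrite below needs `errors` and `github.com/aws/aws-sdk-go/aws/awserr` added to the import block.
```go
func (f *ConfigServiceConfigRule) Remove(_ context.Context) error {
	// Always try to drop the remediation configuration first: the list-time
	// HasRemediationConfig flag may be unset (describe failed) or stale.
	_, err := f.svc.DeleteRemediationConfiguration(&configservice.DeleteRemediationConfigurationInput{
		ConfigRuleName: f.Name,
	})
	if err != nil {
		var aerr awserr.Error
		if !errors.As(err, &aerr) || aerr.Code() != configservice.ErrCodeNoSuchRemediationConfigurationException {
			return fmt.Errorf("deleting remediation configuration for rule %q: %w", aws.StringValue(f.Name), err)
		}
	}

	if _, err := f.svc.DeleteConfigRule(&configservice.DeleteConfigRuleInput{
		ConfigRuleName: f.Name,
	}); err != nil {
		return fmt.Errorf("deleting config rule %q: %w", aws.StringValue(f.Name), err)
	}
	return nil
}
```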
From: Erik Kristensen
Date: Tue, 27 Aug 2024 13:32:48 -0600
Subject: [PATCH 2/3] refactor(configservice-configrule): standardize naming conventions

---
 ...igrules.go => configservice-configrule.go} | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
 rename resources/{configservice-configrules.go => configservice-configrule.go} (78%)

diff --git a/resources/configservice-configrules.go b/resources/configservice-configrule.go
similarity index 78%
rename from resources/configservice-configrules.go
rename to resources/configservice-configrule.go
index a90ada34..0dfb572f 100644
--- a/resources/configservice-configrules.go
+++ b/resources/configservice-configrule.go
@@ -83,38 +83,38 @@ type ConfigServiceConfigRule struct {
 CreatedBy *string
 }
 
-func (f *ConfigServiceConfigRule) Filter() error {
- if aws.StringValue(f.CreatedBy) == "securityhub.amazonaws.com" {
+func (r *ConfigServiceConfigRule) Filter() error {
+ if aws.StringValue(r.CreatedBy) == "securityhub.amazonaws.com" {
 return fmt.Errorf("cannot remove rule owned by securityhub.amazonaws.com")
 }
 
- if aws.StringValue(f.CreatedBy) == "config-conforms.amazonaws.com" {
+ if aws.StringValue(r.CreatedBy) == "config-conforms.amazonaws.com" {
 return fmt.Errorf("cannot remove rule owned by config-conforms.amazonaws.com")
 }
 
 return nil
 }
 
-func (f *ConfigServiceConfigRule) Remove(_ context.Context) error {
- if ptr.ToBool(f.HasRemediationConfig) {
- if _, err := f.svc.DeleteRemediationConfiguration(&configservice.DeleteRemediationConfigurationInput{
- ConfigRuleName: f.Name,
+func (r *ConfigServiceConfigRule) Remove(_ context.Context) error {
+ if ptr.ToBool(r.HasRemediationConfig) {
+ if _, err := r.svc.DeleteRemediationConfiguration(&configservice.DeleteRemediationConfigurationInput{
+ ConfigRuleName: r.Name,
 }); err != nil {
 return err
 }
 }
 
- _, err := f.svc.DeleteConfigRule(&configservice.DeleteConfigRuleInput{
- ConfigRuleName: f.Name,
+ _, err := r.svc.DeleteConfigRule(&configservice.DeleteConfigRuleInput{
+ ConfigRuleName: r.Name,
 })
 return err
 }
 
-func (f *ConfigServiceConfigRule) String() string {
- return *f.Name
+func (r *ConfigServiceConfigRule) String() string {
+ return *r.Name
 }
 
-func (f *ConfigServiceConfigRule) Properties() types.Properties {
- return types.NewPropertiesFromStruct(f)
+func (r *ConfigServiceConfigRule) Properties() types.Properties {
+ return types.NewPropertiesFromStruct(r)
 }

From 72e93457c31deaa5ff28f5a8428d0e0ae75290e4 Mon Sep 17 00:00:00 2001
From: Erik Kristensen
Date: Tue, 27 Aug 2024 13:45:56 -0600
Subject: [PATCH 3/3] chore(configservice-configrule): fix lint violations

---
 resources/configservice-configrule.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/resources/configservice-configrule.go b/resources/configservice-configrule.go
index 0dfb572f..748ad163 100644
--- a/resources/configservice-configrule.go
+++ b/resources/configservice-configrule.go
@@ -3,11 +3,13 @@ package resources
 import (
 "context"
 "fmt"
- "github.com/aws/aws-sdk-go/aws"
- "github.com/aws/aws-sdk-go/service/configservice"
+
 "github.com/gotidy/ptr"
 "github.com/sirupsen/logrus"
 
+ "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/service/configservice"
+
 "github.com/ekristen/libnuke/pkg/registry"
 "github.com/ekristen/libnuke/pkg/resource"
 "github.com/ekristen/libnuke/pkg/types"