From 2aaad38536a5f19057f2dabbc351935b648d2ea7 Mon Sep 17 00:00:00 2001 From: Justin Kufro Date: Mon, 20 Sep 2021 11:01:35 -0600 Subject: [PATCH] Include AWS resource name in code description in AWS Config Mapper --- lib/heimdall_tools/aws_config_mapper.rb | 53 +++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 3 deletions(-) diff --git a/lib/heimdall_tools/aws_config_mapper.rb b/lib/heimdall_tools/aws_config_mapper.rb index e80fb66..242256b 100644 --- a/lib/heimdall_tools/aws_config_mapper.rb +++ b/lib/heimdall_tools/aws_config_mapper.rb @@ -185,6 +185,7 @@ def fetch_all_compliance_info(config_rules) # # Returns: The same config_rules array with `results` key added to each rule. def add_results_to_config_rules(config_rules) + resource_name_map = {} config_rules.each do |rule| response = @client.get_compliance_details_by_config_rule(config_rule_name: rule[:config_rule_name], limit: 100) rule_results = response.to_h[:evaluation_results] @@ -193,13 +194,17 @@ def add_results_to_config_rules(config_rules) rule_results += response.to_h[:evaluation_results] end + resource_name_map = get_resource_name_map(rule_results, resource_name_map) + rule[:results] = [] rule_results.each do |result| hdf_result = {} # code_desc - hdf_result['code_desc'] = result.dig(:evaluation_result_identifier, :evaluation_result_qualifier)&.map do |k, v| - "#{k}: #{v}" - end&.join(', ') + code_desc = result.dig(:evaluation_result_identifier, :evaluation_result_qualifier)&.map do |k, v| + "#{k}: #{v}" + end&.join(', ') || '' + code_desc += ", resource_name: #{resource_name_map[result.dig(:evaluation_result_identifier, :evaluation_result_qualifier, :resource_id)] || 'unknown'}" + hdf_result['code_desc'] = code_desc # start_time hdf_result['start_time'] = if result.key?(:config_rule_invoked_time) DateTime.parse(result[:config_rule_invoked_time].to_s).strftime('%Y-%m-%dT%H:%M:%S%:z') @@ -246,6 +251,48 @@ def add_results_to_config_rules(config_rules) config_rules end + ## + # Takes in `rule_results` from a `get_compliance_details_by_config_rule` API call, + # then makes `list_discovered_resources` API calls to get the `resource_name` for + # each resouce ID. + # + # Resource ID alone without resource name commonly makes it inconvenient to figure out + # what AWS resource that the rule is referencing in its results. + def get_resource_name_map(rule_results, current_resource_name_map) + # Should be in the format: { resource_id: resource_name } + resource_map = {} + + # Group by resource Type because the API call requires a type to be specified + groups = rule_results.group_by { |e| e.dig(:evaluation_result_identifier, :evaluation_result_qualifier, :resource_type) } + # Trim down values to just the ids + groups = groups.map do |resource_type, rule_results_arr| + [ + resource_type, + rule_results_arr.map { |result| result.dig(:evaluation_result_identifier, :evaluation_result_qualifier, :resource_id) }.uniq, + ] + end + # Reject any ids that are already in `current_resource_name_map` + groups = groups.map do |resource_type, resource_ids| + [ + resource_type, + resource_ids.reject { |id| current_resource_name_map.include? id }, + ] + end + + groups.each do |resource_type, resource_ids| + # API endpoint reports a max size of 20 + resource_ids.each_slice(20) do |resource_ids_slice| + # Don't send an API call for an empty array + next if resource_ids_slice.empty? + + response = @client.list_discovered_resources(resource_type: resource_type, resource_ids: resource_ids_slice, limit: 100) + resource_map = resource_map.merge(response.resource_identifiers.map { |resource| [resource.resource_id, resource.resource_name] }.to_h) + end + end + + current_resource_name_map.merge resource_map + end + ## # Takes in a config rule and pulls out tags that are useful for HDF. #