driftctl/pkg/remote/aws/vpc_security_group_rule_enu...

171 lines
5.5 KiB
Go
Raw Normal View History

package aws
import (
"github.com/cloudskiff/driftctl/pkg/remote/aws/repository"
remoteerror "github.com/cloudskiff/driftctl/pkg/remote/error"
"github.com/cloudskiff/driftctl/pkg/resource"
resourceaws "github.com/cloudskiff/driftctl/pkg/resource/aws"
2021-05-21 14:09:45 +00:00
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/service/ec2"
)
const (
sgRuleTypeIngress = "ingress"
sgRuleTypeEgress = "egress"
)
type VPCSecurityGroupRuleEnumerator struct {
repository repository.EC2Repository
factory resource.ResourceFactory
}
2021-05-21 14:09:45 +00:00
type securityGroupRule struct {
Type string
SecurityGroupId string
Protocol string
2021-07-19 15:55:59 +00:00
FromPort float64
ToPort float64
2021-05-21 14:09:45 +00:00
Self bool
SourceSecurityGroupId string
CidrBlocks []string
Ipv6CidrBlocks []string
PrefixListIds []string
}
func (s *securityGroupRule) getId() string {
2021-07-07 10:10:20 +00:00
attrs := s.getAttrs()
return resourceaws.CreateSecurityGroupRuleIdHash(&attrs)
}
func (s *securityGroupRule) getAttrs() resource.Attributes {
2021-05-21 14:09:45 +00:00
attrs := resource.Attributes{
"type": s.Type,
"security_group_id": s.SecurityGroupId,
"protocol": s.Protocol,
2021-07-19 15:55:59 +00:00
"from_port": s.FromPort,
"to_port": s.ToPort,
2021-05-21 14:09:45 +00:00
"self": s.Self,
"source_security_group_id": s.SourceSecurityGroupId,
"cidr_blocks": toInterfaceSlice(s.CidrBlocks),
"ipv6_cidr_blocks": toInterfaceSlice(s.Ipv6CidrBlocks),
"prefix_list_ids": toInterfaceSlice(s.PrefixListIds),
}
2021-07-07 10:10:20 +00:00
return attrs
2021-05-21 14:09:45 +00:00
}
func toInterfaceSlice(val []string) []interface{} {
var res []interface{}
for _, v := range val {
res = append(res, v)
}
return res
}
func NewVPCSecurityGroupRuleEnumerator(repository repository.EC2Repository, factory resource.ResourceFactory) *VPCSecurityGroupRuleEnumerator {
return &VPCSecurityGroupRuleEnumerator{
repository,
factory,
}
}
func (e *VPCSecurityGroupRuleEnumerator) SupportedType() resource.ResourceType {
return resourceaws.AwsSecurityGroupRuleResourceType
}
2021-08-09 14:03:04 +00:00
func (e *VPCSecurityGroupRuleEnumerator) Enumerate() ([]*resource.Resource, error) {
securityGroups, defaultSecurityGroups, err := e.repository.ListAllSecurityGroups()
if err != nil {
2021-08-03 10:34:36 +00:00
return nil, remoteerror.NewResourceListingErrorWithType(err, string(e.SupportedType()), resourceaws.AwsSecurityGroupResourceType)
}
2021-01-15 13:15:31 +00:00
secGroups := make([]*ec2.SecurityGroup, 0, len(securityGroups)+len(defaultSecurityGroups))
secGroups = append(secGroups, securityGroups...)
secGroups = append(secGroups, defaultSecurityGroups...)
securityGroupsRules := e.listSecurityGroupsRules(secGroups)
2021-08-09 14:03:04 +00:00
results := make([]*resource.Resource, 0, len(securityGroupsRules))
for _, rule := range securityGroupsRules {
results = append(
results,
e.factory.CreateAbstractResource(
string(e.SupportedType()),
rule.getId(),
2021-07-07 10:10:20 +00:00
rule.getAttrs(),
),
)
}
return results, nil
}
func (e *VPCSecurityGroupRuleEnumerator) listSecurityGroupsRules(securityGroups []*ec2.SecurityGroup) []securityGroupRule {
2021-05-21 14:09:45 +00:00
var securityGroupsRules []securityGroupRule
for _, sg := range securityGroups {
for _, rule := range sg.IpPermissions {
securityGroupsRules = append(securityGroupsRules, e.addSecurityGroupRule(sgRuleTypeIngress, rule, sg)...)
}
for _, rule := range sg.IpPermissionsEgress {
securityGroupsRules = append(securityGroupsRules, e.addSecurityGroupRule(sgRuleTypeEgress, rule, sg)...)
}
}
return securityGroupsRules
}
// addSecurityGroupRule will iterate through each "Source" as per Aws definition and create a
// rule with custom attributes
func (e *VPCSecurityGroupRuleEnumerator) addSecurityGroupRule(ruleType string, rule *ec2.IpPermission, sg *ec2.SecurityGroup) []securityGroupRule {
2021-05-21 14:09:45 +00:00
var rules []securityGroupRule
for _, groupPair := range rule.UserIdGroupPairs {
2021-05-21 14:09:45 +00:00
r := securityGroupRule{
Type: ruleType,
SecurityGroupId: aws.StringValue(sg.GroupId),
Protocol: aws.StringValue(rule.IpProtocol),
2021-07-19 15:55:59 +00:00
FromPort: float64(aws.Int64Value(rule.FromPort)),
ToPort: float64(aws.Int64Value(rule.ToPort)),
}
if aws.StringValue(groupPair.GroupId) == aws.StringValue(sg.GroupId) {
2021-05-21 14:09:45 +00:00
r.Self = true
} else {
2021-05-21 14:09:45 +00:00
r.SourceSecurityGroupId = aws.StringValue(groupPair.GroupId)
}
rules = append(rules, r)
}
for _, ipRange := range rule.IpRanges {
2021-05-21 14:09:45 +00:00
r := securityGroupRule{
Type: ruleType,
SecurityGroupId: aws.StringValue(sg.GroupId),
Protocol: aws.StringValue(rule.IpProtocol),
2021-07-19 15:55:59 +00:00
FromPort: float64(aws.Int64Value(rule.FromPort)),
ToPort: float64(aws.Int64Value(rule.ToPort)),
2021-05-21 14:09:45 +00:00
CidrBlocks: []string{aws.StringValue(ipRange.CidrIp)},
}
rules = append(rules, r)
}
for _, ipRange := range rule.Ipv6Ranges {
2021-05-21 14:09:45 +00:00
r := securityGroupRule{
Type: ruleType,
SecurityGroupId: aws.StringValue(sg.GroupId),
Protocol: aws.StringValue(rule.IpProtocol),
2021-07-19 15:55:59 +00:00
FromPort: float64(aws.Int64Value(rule.FromPort)),
ToPort: float64(aws.Int64Value(rule.ToPort)),
2021-05-21 14:09:45 +00:00
Ipv6CidrBlocks: []string{aws.StringValue(ipRange.CidrIpv6)},
}
rules = append(rules, r)
}
for _, listId := range rule.PrefixListIds {
2021-05-21 14:09:45 +00:00
r := securityGroupRule{
Type: ruleType,
SecurityGroupId: aws.StringValue(sg.GroupId),
Protocol: aws.StringValue(rule.IpProtocol),
2021-07-19 15:55:59 +00:00
FromPort: float64(aws.Int64Value(rule.FromPort)),
ToPort: float64(aws.Int64Value(rule.ToPort)),
2021-05-21 14:09:45 +00:00
PrefixListIds: []string{aws.StringValue(listId.PrefixListId)},
}
rules = append(rules, r)
}
return rules
}