chore: add CloudTrail Control Tower to generate AWS (#1464)

Author: PengyuanZhao

cli/cmd/generate_aws.go

@@ -68,15 +68,26 @@ var (
 	QuestionCloudtrailName     = "Name of cloudtrail integration (optional):"
 	QuestionCloudtrailAdvanced = "Configure advanced options?"
 
+	// CloudTrail Control Tower questions
+	QuestionControlTower                         = "Is your AWS organzation using Control Tower?"
+	QuestionControlTowerS3BucketArn              = "AWS Control Tower S3 bucket ARN:"
+	QuestionControlTowerSnsTopicArn              = "AWS Control Tower SNS topic ARN:"
+	QuestionControlTowerAuditAccountProfile      = "AWS Control Tower audit account profile:"
+	QuestionControlTowerAuditAccountRegion       = "AWS Control Tower audit account region:"
+	QuestionControlTowerLogArchiveAccountProfile = "AWS Control Tower log archive account profile:"
+	QuestionControlTowerLogArchiveAccountRegion  = "AWS Control Tower log archive account region:"
+	QuestionControlTowerKmsKeyArn                = "AWS Control Tower custom KMS Key ARN (optional):"
+
 	// CloudTrail advanced options
 	OptCloudtrailMessage = "Which options would you like to configure?"
 
-	OptCloudtrailOrg  = "Configure org account mappings"
-	OptCloudtrailS3   = "Configure S3 bucket"
-	OptCloudtrailSNS  = "Configure SNS topic"
-	OptCloudtrailSQS  = "Configure SQS queue"
-	OptCloudtrailIAM  = "Configure an existing IAM role"
-	OptCloudtrailDone = "Done"
+	OptCloudtrailOrg       = "Configure org account mappings"
+	OptCloudtrailKmsKeyArn = "Configure custom KMS key"
+	OptCloudtrailS3        = "Configure S3 bucket"
+	OptCloudtrailSNS       = "Configure SNS topic"
+	OptCloudtrailSQS       = "Configure SQS queue"
+	OptCloudtrailIAM       = "Configure an existing IAM role"
+	OptCloudtrailDone      = "Done"
 
 	// CloudTrail Org questions
 	QuestionCloudtrailOrgAccountMappingsDefaultLWAccount = "Org account mappings default Lacework account:"
@@ -188,6 +199,10 @@ See help output for more details on the parameter value(s) required for Terrafor
 				aws.WithConfigOrgId(GenerateAwsCommandState.ConfigOrgId),
 				aws.WithConfigOrgUnits(GenerateAwsCommandState.ConfigOrgUnits),
 				aws.WithConfigOrgCfResourcePrefix(GenerateAwsCommandState.ConfigOrgCfResourcePrefix),
+				aws.WithControlTower(GenerateAwsCommandState.ControlTower),
+				aws.WithControlTowerAuditAccount(GenerateAwsCommandState.ControlTowerAuditAccount),
+				aws.WithControlTowerLogArchiveAccount(GenerateAwsCommandState.ControlTowerLogArchiveAccount),
+				aws.WithControlTowerKmsKeyArn(GenerateAwsCommandState.ControlTowerKmsKeyArn),
 				aws.WithConsolidatedCloudtrail(GenerateAwsCommandState.ConsolidatedCloudtrail),
 				aws.WithCloudtrailUseExistingS3(GenerateAwsCommandState.CloudtrailUseExistingS3),
 				aws.WithCloudtrailUseExistingSNSTopic(GenerateAwsCommandState.CloudtrailUseExistingSNSTopic),
@@ -399,6 +414,28 @@ See help output for more details on the parameter value(s) required for Terrafor
 				GenerateAwsCommandState.AgentlessScanningAccounts = accounts
 			}
 
+			// Parse passed in Control Tower Audit account
+			if GenerateAwsCommandExtraState.ControlTowerAuditAccount != "" {
+				accounts, err := parseAwsAccountsFromCommandFlag(
+					[]string{GenerateAwsCommandExtraState.ControlTowerAuditAccount},
+				)
+				if err != nil {
+					return err
+				}
+				GenerateAwsCommandState.ControlTowerAuditAccount = &accounts[0]
+			}
+
+			// Parse passed in Control Tower Log Archive account
+			if GenerateAwsCommandExtraState.ControlTowerLogArchiveAccount != "" {
+				accounts, err := parseAwsAccountsFromCommandFlag(
+					[]string{GenerateAwsCommandExtraState.ControlTowerLogArchiveAccount},
+				)
+				if err != nil {
+					return err
+				}
+				GenerateAwsCommandState.ControlTowerLogArchiveAccount = &accounts[0]
+			}
+
 			return nil
 		},
 	}
@@ -461,6 +498,26 @@ func initGenerateAwsTfCommandFlags() {
 		"agentless_scanning_accounts",
 		[]string{},
 		"AWS scanning accounts for Agentless integrations; value format must be <aws profile>:<region>")
+	generateAwsTfCommand.PersistentFlags().BoolVar(
+		&GenerateAwsCommandState.ControlTower,
+		"controltower",
+		false,
+		"enable Control Tower integration")
+	generateAwsTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsCommandExtraState.ControlTowerAuditAccount,
+		"controltower_audit_account",
+		"",
+		"specify AWS Control Tower Audit account; value format must be <aws profile>:<region>")
+	generateAwsTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsCommandExtraState.ControlTowerLogArchiveAccount,
+		"controltower_log_archive_account",
+		"",
+		"specify AWS Control Tower Log Archive account; value format must be <aws profile>:<region>")
+	generateAwsTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsCommandState.ControlTowerKmsKeyArn,
+		"controltower_kms_key_arn",
+		"",
+		"specify AWS Control Tower custom kMS key ARN")
 	generateAwsTfCommand.PersistentFlags().BoolVar(
 		&GenerateAwsCommandState.Cloudtrail,
 		"cloudtrail",
@@ -955,10 +1012,17 @@ func promptCloudtrailQuestions(
 		return nil
 	}
 
+	if err := promptCloudtrailControlTowerQuestions(config); err != nil {
+		return err
+	}
+
+	noControlTower := !config.ControlTower
+
 	if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
 		Icon:     IconCloudTrail,
 		Prompt:   &survey.Confirm{Message: QuestionCloudtrailUseConsolidated, Default: config.ConsolidatedCloudtrail},
 		Response: &config.ConsolidatedCloudtrail,
+		Checks:   []*bool{&noControlTower},
 	}); err != nil {
 		return err
 	}
@@ -983,6 +1047,13 @@ func promptCloudtrailQuestions(
 			OptCloudtrailDone,
 		}
 		if config.AwsOrganization {
+			if config.ControlTower {
+				options = []string{
+					OptCloudtrailKmsKeyArn,
+					OptCloudtrailIAM,
+					OptCloudtrailDone,
+				}
+			}
 			options = append([]string{OptCloudtrailOrg}, options...)
 		}
 		for answer != OptCloudtrailDone {
@@ -1001,6 +1072,10 @@ func promptCloudtrailQuestions(
 				if err := promptCloudtrailOrgQuestions(config); err != nil {
 					return err
 				}
+			case OptCloudtrailKmsKeyArn:
+				if err := promptCloudtrailKmsKeyQuestions(config); err != nil {
+					return err
+				}
 			case OptCloudtrailS3:
 				if err := promptCloudtrailS3Questions(config); err != nil {
 					return err
@@ -1024,6 +1099,128 @@ func promptCloudtrailQuestions(
 	return nil
 }
 
+func promptCloudtrailControlTowerQuestions(config *aws.GenerateAwsTfConfigurationArgs) error {
+	if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
+		Icon:     IconCloudTrail,
+		Prompt:   &survey.Confirm{Message: QuestionControlTower, Default: config.ControlTower},
+		Response: &config.ControlTower,
+		Checks:   []*bool{&config.AwsOrganization},
+	}); err != nil {
+		return err
+	}
+
+	if !config.ControlTower {
+		return nil
+	}
+
+	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerS3BucketArn,
+				Default: config.ExistingCloudtrailBucketArn,
+			},
+			Required: true,
+			Opts:     []survey.AskOpt{survey.WithValidator(validateAwsArnFormat)},
+			Response: &config.ExistingCloudtrailBucketArn,
+		},
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerSnsTopicArn,
+				Default: config.ExistingSnsTopicArn,
+			},
+			Required: true,
+			Opts:     []survey.AskOpt{survey.WithValidator(validateAwsArnFormat)},
+			Response: &config.ExistingSnsTopicArn,
+		},
+	}); err != nil {
+		return err
+	}
+
+	profile := ""
+	region := ""
+	defaultProfile := ""
+	defaultRegion := ""
+	if config.ControlTowerAuditAccount != nil {
+		defaultProfile = config.ControlTowerAuditAccount.AwsProfile
+	}
+	if config.ControlTowerAuditAccount != nil {
+		defaultRegion = config.ControlTowerAuditAccount.AwsRegion
+	}
+
+	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerAuditAccountProfile,
+				Default: defaultProfile,
+			},
+			Required: true,
+			Response: &profile,
+		},
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerAuditAccountRegion,
+				Default: defaultRegion,
+			},
+			Required: true,
+			Opts:     []survey.AskOpt{survey.WithValidator(validateAwsRegion)},
+			Response: &region,
+		},
+	}); err != nil {
+		return err
+	}
+
+	config.ControlTowerAuditAccount = &aws.AwsSubAccount{
+		AwsProfile: profile,
+		AwsRegion:  region,
+		Alias:      fmt.Sprintf("%s-%s", profile, region),
+	}
+
+	defaultProfile = ""
+	defaultRegion = ""
+	if config.ControlTowerLogArchiveAccount != nil {
+		defaultProfile = config.ControlTowerLogArchiveAccount.AwsProfile
+	}
+	if config.ControlTowerLogArchiveAccount != nil {
+		defaultRegion = config.ControlTowerLogArchiveAccount.AwsRegion
+	}
+
+	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerLogArchiveAccountProfile,
+				Default: defaultProfile,
+			},
+			Required: true,
+			Response: &profile,
+		},
+		{
+			Icon: IconCloudTrail,
+			Prompt: &survey.Input{
+				Message: QuestionControlTowerLogArchiveAccountRegion,
+				Default: defaultRegion,
+			},
+			Required: true,
+			Opts:     []survey.AskOpt{survey.WithValidator(validateAwsRegion)},
+			Response: &region,
+		},
+	}); err != nil {
+		return err
+	}
+
+	config.ControlTowerLogArchiveAccount = &aws.AwsSubAccount{
+		AwsProfile: profile,
+		AwsRegion:  region,
+		Alias:      fmt.Sprintf("%s-%s", profile, region),
+	}
+
+	return nil
+}
+
 func promptCloudtrailOrgAccountMappingQuestions(config *aws.GenerateAwsTfConfigurationArgs) error {
 	mapping := aws.OrgAccountMap{}
 	var accountsAnswer string
@@ -1075,6 +1272,22 @@ func promptCloudtrailOrgQuestions(config *aws.GenerateAwsTfConfigurationArgs) er
 	return nil
 }
 
+func promptCloudtrailKmsKeyQuestions(config *aws.GenerateAwsTfConfigurationArgs) error {
+	if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
+		Icon: IconCloudTrail,
+		Prompt: &survey.Input{
+			Message: QuestionControlTowerKmsKeyArn,
+			Default: config.ControlTowerKmsKeyArn,
+		},
+		Opts:     []survey.AskOpt{survey.WithValidator(validateAwsArnFormat)},
+		Response: &config.ControlTowerKmsKeyArn,
+	}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 func promptCloudtrailS3Questions(config *aws.GenerateAwsTfConfigurationArgs) error {
 	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
 		{

cli/docs/lacework_generate_cloud-account_aws.md

@@ -63,6 +63,10 @@ lacework generate cloud-account aws [flags]
       --config_organization_id string             specify AWS organization ID for Config organization integration
       --config_organization_units strings         specify AWS organization units for Config organization integration
       --consolidated_cloudtrail                   use consolidated trail
+      --controltower                              enable Control Tower integration
+      --controltower_audit_account string         specify AWS Control Tower Audit account; value format must be <aws profile>:<region>
+      --controltower_kms_key_arn string           specify AWS Control Tower custom kMS key ARN
+      --controltower_log_archive_account string   specify AWS Control Tower Log Archive account; value format must be <aws profile>:<region>
       --existing_bucket_arn string                specify existing cloudtrail S3 bucket ARN
       --existing_iam_role_arn string              specify existing iam role arn to use
       --existing_iam_role_externalid string       specify existing iam role external_id to use

integration/aws_generation_test.go

@@ -436,6 +436,7 @@ func TestGenerationAwsCloudtrailOrganization(t *testing.T) {
 				MsgRsp{cmd.QuestionEnableAgentless, "n"},
 				MsgRsp{cmd.QuestionEnableConfig, "n"},
 				MsgRsp{cmd.QuestionEnableCloudtrail, "y"},
+				MsgRsp{cmd.QuestionControlTower, "n"},
 				MsgRsp{cmd.QuestionCloudtrailUseConsolidated, "y"},
 				MsgRsp{cmd.QuestionCloudtrailAdvanced, "y"},
 				MsgMenu{cmd.OptCloudtrailOrg, 0},
@@ -484,6 +485,72 @@ func TestGenerationAwsCloudtrailOrganization(t *testing.T) {
 	assert.Equal(t, buildTf, tfResult)
 }
 
+// Test CloudTrail Control Tower integration
+func TestGenerationAwsCloudtrailControlTower(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+
+	s3BucketArn := "arn:aws:s3:::bucket-name"
+	snsTopicArn := "arn:aws:sns:us-east-2:249446771485:topic-name"
+
+	// Tempdir for test
+	dir, err := os.MkdirTemp("", "t")
+	if err != nil {
+		panic(err)
+	}
+	defer os.RemoveAll(dir)
+
+	// Run CLI
+	runGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionEnableAwsOrganization, "y"},
+				MsgRsp{cmd.QuestionMainAwsProfile, "main"},
+				MsgRsp{cmd.QuestionMainAwsRegion, "us-east-2"},
+				MsgRsp{cmd.QuestionEnableAgentless, "n"},
+				MsgRsp{cmd.QuestionEnableConfig, "n"},
+				MsgRsp{cmd.QuestionEnableCloudtrail, "y"},
+				MsgRsp{cmd.QuestionControlTower, "y"},
+				MsgRsp{cmd.QuestionControlTowerS3BucketArn, s3BucketArn},
+				MsgRsp{cmd.QuestionControlTowerSnsTopicArn, snsTopicArn},
+				MsgRsp{cmd.QuestionControlTowerAuditAccountProfile, "audit"},
+				MsgRsp{cmd.QuestionControlTowerAuditAccountRegion, "us-west-1"},
+				MsgRsp{cmd.QuestionControlTowerLogArchiveAccountProfile, "log-archive"},
+				MsgRsp{cmd.QuestionControlTowerLogArchiveAccountRegion, "us-west-2"},
+				MsgRsp{cmd.QuestionCloudtrailAdvanced, "n"},
+				MsgRsp{cmd.QuestionAwsOutputLocation, dir},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"aws",
+	)
+
+	// Get result
+	tfResult, _ := os.ReadFile(filepath.FromSlash(fmt.Sprintf("%s/main.tf", dir)))
+
+	auditAccount := aws.NewAwsSubAccount("audit", "us-west-1", "audit-us-west-1")
+	logArchiveAccount := aws.NewAwsSubAccount("log-archive", "us-west-2", "log-archive-us-west-2")
+
+	// Ensure CLI ran correctly
+	assert.Contains(t, final, "Terraform code saved in")
+
+	// Create the TF directly with lwgenerate and validate same result via CLI
+	buildTf, _ := aws.NewTerraform(true, false, false, true,
+		aws.WithAwsProfile("main"),
+		aws.WithAwsRegion("us-east-2"),
+		aws.WithControlTower(true),
+		aws.WithControlTowerAuditAccount(&auditAccount),
+		aws.WithControlTowerLogArchiveAccount(&logArchiveAccount),
+		aws.WithExistingCloudtrailBucketArn(s3BucketArn),
+		aws.WithExistingSnsTopicArn(snsTopicArn),
+	).Generate()
+	assert.Equal(t, buildTf, string(tfResult))
+}
+
 // Test CloudTrail integration with existing S3 bucket
 func TestGenerationAwsCloudtrailWithExistingS3Bucket(t *testing.T) {
 	os.Setenv("LW_NOCACHE", "true")

integration/test_resources/help/generate_cloud-account_aws

@@ -51,6 +51,10 @@ Flags:
       --config_organization_id string             specify AWS organization ID for Config organization integration
       --config_organization_units strings         specify AWS organization units for Config organization integration
       --consolidated_cloudtrail                   use consolidated trail
+      --controltower                              enable Control Tower integration
+      --controltower_audit_account string         specify AWS Control Tower Audit account; value format must be <aws profile>:<region>
+      --controltower_kms_key_arn string           specify AWS Control Tower custom kMS key ARN
+      --controltower_log_archive_account string   specify AWS Control Tower Log Archive account; value format must be <aws profile>:<region>
       --existing_bucket_arn string                specify existing cloudtrail S3 bucket ARN
       --existing_iam_role_arn string              specify existing iam role arn to use
       --existing_iam_role_externalid string       specify existing iam role external_id to use