chore: make agentless_monitored_accounts optional (#1455)

* chore: make agentless_monitored_account optional

* chore: fix make lint

* chore: fix integration test

Author: PengyuanZhao

cli/cmd/generate_aws.go

@@ -44,10 +44,8 @@ var (
 	QuestionAgentlessMonitoredAccountIDsHelp = "Please provide a comma seprated list that may " +
 		"contain account IDs, OUs, or the organization root (e.g. 123456789000,ou-abcd-12345678,r-abcd)."
 
-	QuestionAgentlessMonitoredAccountProfile  = "Monitored AWS account profile:"
-	QuestionAgentlessMonitoredAccountRegion   = "Monitored AWS account region:"
-	QuestionAgentlessMonitoredAccountAddMore  = "Add another monitored AWS account?"
-	QuestionAgentlessMonitoredAccountsReplace = "Currently configured monitored accounts: %s, replace?"
+	QuestionAgentlessMonitoredAccountProfile = "Monitored AWS account profile:"
+	QuestionAgentlessMonitoredAccountRegion  = "Monitored AWS account region:"
 
 	// Config questions
 	QuestionEnableConfig                    = "Enable configuration integration?"
@@ -776,17 +774,48 @@ func promptAgentlessQuestions(config *aws.GenerateAwsTfConfigurationArgs) error
 		}
 
 		config.AgentlessMonitoredAccountIDs = strings.Split(monitoredAccountIDListInput, ",")
+		config.AgentlessMonitoredAccounts = []aws.AwsSubAccount{}
 
-		if err := promptAwsAccountsQuestions(
-			&config.AgentlessMonitoredAccounts,
-			IconAgentless,
-			QuestionAgentlessMonitoredAccountProfile,
-			QuestionAgentlessMonitoredAccountRegion,
-			QuestionAgentlessMonitoredAccountAddMore,
-			QuestionAgentlessMonitoredAccountsReplace,
-			false,
-		); err != nil {
-			return err
+		// Prompt user to enter profile/region for single accounts
+		for _, accountID := range config.AgentlessMonitoredAccountIDs {
+			err := validateAwsAccountID(accountID)
+			if err != nil {
+				continue
+			}
+			var profile, region string
+			profileMessage := fmt.Sprintf(
+				"%s for account %s:",
+				QuestionAgentlessMonitoredAccountProfile[:len(QuestionAgentlessMonitoredAccountProfile)-1],
+				accountID,
+			)
+			regionMessage := fmt.Sprintf(
+				"%s for account %s:",
+				QuestionAgentlessMonitoredAccountRegion[:len(QuestionAgentlessMonitoredAccountRegion)-1],
+				accountID,
+			)
+			if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
+				{
+					Icon:     IconAgentless,
+					Prompt:   &survey.Input{Message: profileMessage},
+					Opts:     []survey.AskOpt{survey.WithValidator(validateAwsProfile)},
+					Required: true,
+					Response: &profile,
+				},
+				{
+					Icon:     IconAgentless,
+					Prompt:   &survey.Input{Message: regionMessage},
+					Opts:     []survey.AskOpt{survey.WithValidator(validateAwsRegion)},
+					Required: true,
+					Response: &region,
+				},
+			}); err != nil {
+				return err
+			}
+			alias := fmt.Sprintf("%s-%s", profile, region)
+			config.AgentlessMonitoredAccounts = append(
+				config.AgentlessMonitoredAccounts,
+				aws.AwsSubAccount{AwsProfile: profile, AwsRegion: region, Alias: alias},
+			)
 		}
 	}
 

integration/aws_generation_test.go

@@ -70,7 +70,7 @@ func TestGenerationAwsNoninteractive(t *testing.T) {
 		"--agentless_monitored_account_ids",
 		"123456789000,ou-abcd-12345678,r-abcd",
 		"--agentless_monitored_accounts",
-		"monitored-1:us-west-1,monitored-2:us-west-2",
+		"monitored-1:us-west-1",
 		"--agentless_scanning_accounts",
 		"scanning-1:us-east-1,scanning-2:us-east-2",
 		"--config_lacework_account",
@@ -138,7 +138,6 @@ func TestGenerationAwsNoninteractive(t *testing.T) {
 		aws.WithAgentlessMonitoredAccountIDs([]string{"123456789000", "ou-abcd-12345678", "r-abcd"}),
 		aws.WithAgentlessMonitoredAccounts(
 			aws.NewAwsSubAccount("monitored-1", "us-west-1", "monitored-1-us-west-1"),
-			aws.NewAwsSubAccount("monitored-2", "us-west-2", "monitored-2-us-west-2"),
 		),
 		aws.WithAgentlessScanningAccounts(
 			aws.NewAwsSubAccount("scanning-1", "us-east-1", "scanning-1-us-east-1"),
@@ -224,6 +223,9 @@ func TestGenerationAwsAgentlessOrganization(t *testing.T) {
 	defer os.Setenv("LW_NOCACHE", "")
 	var final string
 
+	monitoredProfileQuestion := "Monitored AWS account profile for account 123456789000"
+	monitoredRegionQuestion := "Monitored AWS account region for account 123456789000"
+
 	// Run CLI
 	tfResult := runGenerateTest(t,
 		func(c *expect.Console) {
@@ -234,12 +236,8 @@ func TestGenerationAwsAgentlessOrganization(t *testing.T) {
 				MsgRsp{cmd.QuestionEnableAgentless, "y"},
 				MsgRsp{cmd.QuestionAgentlessManagementAccountID, "123456789000"},
 				MsgRsp{cmd.QuestionAgentlessMonitoredAccountIDs, "123456789000,ou-abcd-12345678,r-abcd"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountProfile, "monitored-1"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountRegion, "us-west-1"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountAddMore, "y"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountProfile, "monitored-2"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountRegion, "us-west-2"},
-				MsgRsp{cmd.QuestionAgentlessMonitoredAccountAddMore, "n"},
+				MsgRsp{monitoredProfileQuestion, "monitored-1"},
+				MsgRsp{monitoredRegionQuestion, "us-west-1"},
 				MsgRsp{cmd.QuestionAgentlessScanningAccountProfile, "scanning-1"},
 				MsgRsp{cmd.QuestionAgentlessScanningAccountRegion, "us-east-1"},
 				MsgRsp{cmd.QuestionAgentlessScanningAccountAddMore, "y"},
@@ -269,7 +267,6 @@ func TestGenerationAwsAgentlessOrganization(t *testing.T) {
 		aws.WithAgentlessMonitoredAccountIDs([]string{"123456789000", "ou-abcd-12345678", "r-abcd"}),
 		aws.WithAgentlessMonitoredAccounts(
 			aws.NewAwsSubAccount("monitored-1", "us-west-1", "monitored-1-us-west-1"),
-			aws.NewAwsSubAccount("monitored-2", "us-west-2", "monitored-2-us-west-2"),
 		),
 		aws.WithAgentlessScanningAccounts(
 			aws.NewAwsSubAccount("scanning-1", "us-east-1", "scanning-1-us-east-1"),

lwgenerate/aws/aws.go

@@ -4,6 +4,7 @@ package aws
 import (
 	"encoding/json"
 	"fmt"
+	"regexp"
 	"slices"
 	"strings"
 
@@ -309,7 +310,14 @@ func (args *GenerateAwsTfConfigurationArgs) Validate() error {
 				return errors.New("must specify monitored account ID list for Agentless organization integration")
 			}
 			if len(args.AgentlessMonitoredAccounts) == 0 {
-				return errors.New("must specify monitored accounts for Agentless organization integration")
+				// profile/region is required for single accounts
+				for _, accountID := range args.AgentlessMonitoredAccountIDs {
+					regex, _ := regexp.Compile(`^\d{12}$`)
+					if regex.MatchString(accountID) {
+						return errors.New("must specify profile/region for single monitored accounts" +
+							" for Agentless organization integration")
+					}
+				}
 			}
 			if len(args.AgentlessScanningAccounts) == 0 {
 				return errors.New("must specify scanning accounts for Agentless organization integration")
@@ -1111,7 +1119,7 @@ func createAgentless(args *GenerateAwsTfConfigurationArgs) ([]*hclwrite.Block, e
 		// Get OU IDs for the organizational_unit_ids attribute
 		OUIDs := []string{}
 		for _, accountID := range args.AgentlessMonitoredAccountIDs {
-			if strings.HasPrefix(accountID, "ou-") {
+			if strings.HasPrefix(accountID, "ou-") || strings.HasPrefix(accountID, "r-") {
 				OUIDs = append(OUIDs, fmt.Sprintf("\"%s\"", accountID))
 			}
 		}