feat: Allow user defined S3 Bucket for the audit log (#1248)

djmctavish · web-flow · commit ab1c338157fe · 2023-04-25T13:52:35.000+01:00
* feat: Allow user defined S3 Bucket for the audit log

* refactor: address code review comments

* fix: update integration tests
diff --git a/cli/cmd/generate_aws_eks_audit.go b/cli/cmd/generate_aws_eks_audit.go
@@ -28,6 +28,8 @@ var (
 	QuestionEksAuditConfigureAdvanced = "Configure advanced integration options?"
 
 	// S3 Bucket Questions
+	QuestionUseExistingBucket            = "Use existing bucket?"
+	QuestionExistingBucketArn            = "Specify an existing bucket ARN used for EKS audit log:"
 	EksAuditConfigureBucket              = "Configure bucket settings"
 	QuestionEksAuditBucketVersioning     = "Enable access versioning on the new bucket?"
 	QuestionEksAuditMfaDeleteS3Bucket    = "Should MFA object deletion be required for the new bucket?"
@@ -117,6 +119,7 @@ See help output for more details on the parameter values required for Terraform
 				aws_eks_audit.WithAwsProfile(GenerateAwsEksAuditCommandState.AwsProfile),
 				aws_eks_audit.WithLaceworkAccountID(GenerateAwsEksAuditCommandState.LaceworkAccountID),
 				aws_eks_audit.WithBucketLifecycleExpirationDays(GenerateAwsEksAuditCommandState.BucketLifecycleExpirationDays),
+				aws_eks_audit.WithExistingBucketArn(GenerateAwsEksAuditCommandState.ExistinglBucketArn),
 				aws_eks_audit.WithBucketSseAlgorithm(GenerateAwsEksAuditCommandState.BucketSseAlgorithm),
 				aws_eks_audit.WithBucketSseKeyArn(GenerateAwsEksAuditCommandState.BucketSseKeyArn),
 				aws_eks_audit.WithEksAuditIntegrationName(GenerateAwsEksAuditCommandState.EksAuditIntegrationName),
@@ -138,6 +141,10 @@ See help output for more details on the parameter values required for Terraform
 				aws_eks_audit.EnableKmsKeyRotation(GenerateAwsEksAuditCommandState.KmsKeyRotation),
 			}
 
+			if GenerateAwsEksAuditCommandState.UseExistinglBucket {
+				mods = append(mods, aws_eks_audit.EnableUseExistingBucket())
+			}
+
 			if GenerateAwsEksAuditCommandState.BucketEnableMfaDelete {
 				mods = append(mods, aws_eks_audit.EnableBucketMfaDelete())
 			}
@@ -366,6 +373,16 @@ func initGenerateAwsEksAuditTfCommandFlags() {
 		"bucket_sse_key_arn",
 		"",
 		"specify the kms key arn to be used for s3. (required when bucket_sse_algorithm is aws:kms & using an existing kms key)")
+	generateAwsEksAuditTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsEksAuditCommandState.ExistinglBucketArn,
+		"existing_bucket_arn",
+		"",
+		"specify existing s3 bucket arn for the audit log")
+	generateAwsEksAuditTfCommand.PersistentFlags().BoolVar(
+		&GenerateAwsEksAuditCommandState.UseExistinglBucket,
+		"use_existing_bucket",
+		false,
+		"use existing supplied s3 bucket (default false)")
 	generateAwsEksAuditTfCommand.PersistentFlags().BoolVar(
 		&GenerateAwsEksAuditCommandState.BucketVersioning,
 		"enable_bucket_versioning",
@@ -473,6 +490,26 @@ func validateResponseTypeInt(val interface{}) error {
 
 func promptAwsEksAuditBucketQuestions(config *aws_eks_audit.GenerateAwsEksAuditTfConfigurationArgs) error {
 	// Only ask these questions if configure bucket is true
+	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
+		{
+			Prompt:   &survey.Confirm{Message: QuestionUseExistingBucket, Default: config.UseExistinglBucket},
+			Response: &config.UseExistinglBucket,
+		},
+		{
+			Prompt:   &survey.Input{Message: QuestionExistingBucketArn, Default: config.ExistinglBucketArn},
+			Checks:   []*bool{&config.UseExistinglBucket},
+			Opts:     []survey.AskOpt{survey.WithValidator(validateAwsArnFormat)},
+			Response: &config.ExistinglBucketArn,
+		},
+	}); err != nil {
+		return err
+	}
+
+	// Only ask the next questions if the user did not indicate they wanted to use and existing bucket
+	if config.UseExistinglBucket {
+		return nil
+	}
+
 	if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
 		{
 			Prompt:   &survey.Confirm{Message: QuestionEksAuditBucketVersioning, Default: config.BucketVersioning},
diff --git a/integration/aws_eks_audit_generation_test.go b/integration/aws_eks_audit_generation_test.go
@@ -89,6 +89,7 @@ func TestGenerationEksSingleRegionAdvancedBucket(t *testing.T) {
 				MsgRsp{cmd.QuestionEksAuditRegionClusters, "cluster1,cluster2"},
 				MsgRsp{cmd.QuestionEksAuditConfigureAdvanced, "y"},
 				MsgMenu{cmd.EksAuditConfigureBucket, 0},
+				MsgRsp{cmd.QuestionUseExistingBucket, "n"},
 				MsgRsp{cmd.QuestionEksAuditBucketVersioning, "y"},
 				MsgRsp{cmd.QuestionEksAuditMfaDeleteS3Bucket, "y"},
 				MsgRsp{cmd.QuestionEksAuditForceDestroyS3Bucket, "y"},
@@ -139,6 +140,7 @@ func TestGenerationEksSingleRegionAdvancedBucketExistingKey(t *testing.T) {
 				MsgRsp{cmd.QuestionEksAuditRegionClusters, "cluster1,cluster2"},
 				MsgRsp{cmd.QuestionEksAuditConfigureAdvanced, "y"},
 				MsgMenu{cmd.EksAuditConfigureBucket, 0},
+				MsgRsp{cmd.QuestionUseExistingBucket, "n"},
 				MsgRsp{cmd.QuestionEksAuditBucketVersioning, "y"},
 				MsgRsp{cmd.QuestionEksAuditMfaDeleteS3Bucket, "y"},
 				MsgRsp{cmd.QuestionEksAuditForceDestroyS3Bucket, "y"},
@@ -481,7 +483,7 @@ func TestGenerateEksPrefix(t *testing.T) {
 		prefix,
 	)
 
-	assertGkeTerraformSaved(t, final)
+	assertEksAuditTerraformSaved(t, final)
 
 	regionClusterMap := make(map[string][]string)
 	regionClusterMap["us-west-1"] = []string{"cluster1", "cluster2"}
@@ -646,3 +648,41 @@ func TestGenerationEksNonInteractive(t *testing.T) {
 	buildTf, _ := aws_eks_audit.NewTerraform(aws_eks_audit.WithParsedRegionClusterMap(regionClusterMap)).Generate()
 	assert.Equal(t, buildTf, tfResult)
 }
+
+func TestGenerationSuppliedBucketArn(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+
+	tfResult := runEksAuditGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionEksAuditMultiRegion, "n"},
+				MsgRsp{cmd.QuestionEksAuditRegion, "us-west-1"},
+				MsgRsp{cmd.QuestionEksAuditRegionClusters, "cluster1,cluster2"},
+				MsgRsp{cmd.QuestionEksAuditConfigureAdvanced, "y"},
+				MsgMenu{cmd.EksAuditConfigureBucket, 0},
+				MsgRsp{cmd.QuestionUseExistingBucket, "y"},
+				MsgRsp{cmd.QuestionExistingBucketArn, "arn:aws:s3:::bucket-name"},
+				MsgRsp{cmd.QuestionEksAuditAnotherAdvancedOpt, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"k8s",
+		"eks",
+	)
+
+	assertEksAuditTerraformSaved(t, final)
+
+	regionClusterMap := make(map[string][]string)
+	regionClusterMap["us-west-1"] = []string{"cluster1", "cluster2"}
+	buildTf, _ := aws_eks_audit.NewTerraform(
+		aws_eks_audit.WithParsedRegionClusterMap(regionClusterMap),
+		aws_eks_audit.EnableUseExistingBucket(),
+		aws_eks_audit.WithExistingBucketArn("arn:aws:s3:::bucket-name"),
+	).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
diff --git a/integration/test_resources/help/generate_k8s_eks b/integration/test_resources/help/generate_k8s_eks
@@ -33,6 +33,7 @@ Flags:
       --enable_kms_key_rotation                   enable automatic kms key rotation (default true)
       --enable_mfa_delete_s3                      enable mfa delete on s3 bucket. Requires bucket versioning.
       --enable_sns_topic_encryption               enable encryption on the sns topic (default true)
+      --existing_bucket_arn string                specify existing s3 bucket arn for the audit log
       --existing_ca_iam_role_arn string           specify existing cross account iam role arn to use
       --existing_ca_iam_role_external_id string   specify existing cross account iam role external_id to use
       --existing_cw_iam_role_arn string           specify existing cloudwatch iam role arn to use
@@ -46,6 +47,7 @@ Flags:
       --prefix string                             specify the prefix that will be used at the beginning of every generated resource
       --region_clusters stringToString            configure eks clusters per aws region. To configure multiple regions pass the flag multiple times. Example format:  --region_clusters <region>="cluster,list" (default [])
       --sns_topic_encryption_key_arn string       specify the kms key arn to be used with the sns topic
+      --use_existing_bucket                       use existing supplied s3 bucket (default false)
 
 Global Flags:
   -a, --account string      account subdomain of URL (i.e. <ACCOUNT>.lacework.net)
diff --git a/lwgenerate/aws_eks_audit/aws_eks_audit.go b/lwgenerate/aws_eks_audit/aws_eks_audit.go
@@ -132,6 +132,12 @@ type GenerateAwsEksAuditTfConfigurationArgs struct {
 
 	// The Lacework AWS Root Account ID
 	LaceworkAccountID string
+
+	// Should we use an existing customer supplied bucket? Defaults to false
+	UseExistinglBucket bool
+
+	// Existing S3 Bucket ARN (Required when using existing bucket)
+	ExistinglBucketArn string
 }
 
 // Ensure all combinations of inputs our valid for supported spec
@@ -360,6 +366,20 @@ func WithLaceworkProfile(name string) AwsEksAuditTerraformModifier {
 	}
 }
 
+// WithExistingBucketArn Set the Lacework Profile to utilize when integrating
+func WithExistingBucketArn(name string) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.ExistinglBucketArn = name
+	}
+}
+
+// EnableUseExistingBucket Set the S3 ForceDestroy parameter to true for newly created buckets
+func EnableUseExistingBucket() AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.UseExistinglBucket = true
+	}
+}
+
 // Generate new Terraform code based on the supplied args.
 func (args *GenerateAwsEksAuditTfConfigurationArgs) Generate() (string, error) {
 	// Validate inputs
@@ -491,6 +511,11 @@ func createEksAudit(args *GenerateAwsEksAuditTfConfigurationArgs) ([]*hclwrite.B
 		moduleAttrs["lacework_aws_account_id"] = args.LaceworkAccountID
 	}
 
+	if args.UseExistinglBucket {
+		moduleAttrs["use_existing_bucket"] = true
+		moduleAttrs["bucket_arn"] = args.ExistinglBucketArn
+	}
+
 	if args.BucketEnableMfaDelete && args.BucketVersioning {
 		moduleAttrs["bucket_enable_mfa_delete"] = true
 	}
diff --git a/lwgenerate/aws_eks_audit/aws_eks_audit_test.go b/lwgenerate/aws_eks_audit/aws_eks_audit_test.go
@@ -394,6 +394,20 @@ func TestGenerationEksEnableKmsKeyRotationFalse(t *testing.T) {
 	assert.Contains(t, strippedHcl, "kms_key_rotation=false")
 }
 
+func TestGenerationEksUseExistingBucketKey(t *testing.T) {
+	clusterMap := make(map[string][]string)
+	clusterMap["us-east-1"] = []string{"cluster1", "cluster2"}
+	hcl, err := NewTerraform(WithParsedRegionClusterMap(clusterMap),
+		EnableUseExistingBucket(),
+		WithExistingBucketArn("arn:aws:s3:::test-bucket"),
+	).Generate()
+	assert.Nil(t, err)
+	assert.NotNil(t, hcl)
+	strippedHcl := strings.ReplaceAll(hcl, " ", "")
+	assert.Contains(t, strippedHcl, "use_existing_bucket=true")
+	assert.Contains(t, strippedHcl, "bucket_arn=\"arn:aws:s3:::test-bucket\"")
+}
+
 var requiredProviders = `terraform {
   required_providers {
     lacework = {
