
Conversation

@kirklandnuts kirklandnuts (Contributor) commented Mar 24, 2025

Summary

This PR introduces a tool which helps users smoothly deploy AWLS on Azure by

  1. interactively prompting the user for details on how they'd like to deploy AWLS
  2. checking whether or not they have sufficient permissions to deploy AWLS via this terraform module
  3. checking that the usage quota limits for their scanning subscription are sufficient for the number of VMs expected to be monitored by AWLS in a given scan

The tool is a python module that lives in /preflight_check. Usage instructions are included at /preflight_check/README.md.

Future work:

  1. Modify the terraform module so that, by default, it requires the user to have run the preflight check before executing the module.
     • The TF module will read the output json file produced by the preflight check and validate that the permission checks and quota checks have succeeded.
  2. Have the preflight check generate the input variables for the terraform module based on the deployment config they specified to the preflight check.
     • The user should be able to run the preflight check, then immediately execute the terraform module without having to create the script

How did you test this change?

I created an SP as instructed in the preflight check README, then I ran the preflight check and verified that it

  1. observed that the SP had all of the required permissions and was able to identify the role that satisfied each required permission.
  2. properly calculated the required usage quotas
  3. emitted a json output file that aligned with my expectations

Issue

AWLS2-368
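As an added example (not the project's preflight_check module, whose code is not shown on this page), the two checks described in the PR summary in the form a practitioner might implement them: Azure RBAC action matching with wildcard Actions/NotActions to find which assigned role satisfies each required permission, and a vCPU headroom calculation against a regional usage quota, combined into a JSON report with a top-level pass/fail that a downstream consumer such as the Terraform module could read. The required action list, the role definitions, the scan-sizing parameters (targets per scanner VM, vCPUs per scanner) and the report schema are all constructed for illustration, not the module's actual requirements, Azure's real built-in roles, or the tool's real output format.

```python
"""Constructed preflight-check example: RBAC permission matching and quota headroom, emitting JSON."""
import json
import math
import re
from dataclasses import dataclass, field


@dataclass
class RoleDefinition:
    """The parts of an Azure role definition the permission check needs.
    Both lists hold control-plane action patterns, which may contain '*' wildcards."""
    name: str
    actions: list[str]
    not_actions: list[str] = field(default_factory=list)


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters (including '/'),
    and action names are compared case-insensitively."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_grants(role: RoleDefinition, action: str) -> bool:
    """A role grants an action when an Actions pattern matches and no NotActions pattern does.
    NotActions are an exclusion within this role only; they never subtract what another
    assigned role grants, so the check is evaluated per role and then OR'ed across roles."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def check_permissions(required_actions: list[str], assigned_roles: list[RoleDefinition]) -> dict:
    """Map each required action to the first assigned role that grants it (None if no role does)."""
    satisfied_by = {
        action: next((r.name for r in assigned_roles if role_grants(r, action)), None)
        for action in required_actions
    }
    missing = [a for a, role in satisfied_by.items() if role is None]
    return {"passed": not missing, "satisfied_by": satisfied_by, "missing": missing}


def check_quota(expected_vms: int, vms_per_scanner: int, vcpus_per_scanner: int,
                limit: int, current_value: int) -> dict:
    """Assumed sizing model: one scanner VM handles vms_per_scanner targets per scan, so the
    scan needs ceil(expected_vms / vms_per_scanner) scanners, each costing vcpus_per_scanner
    against the region's vCPU quota (limit minus current usage)."""
    scanner_vms = math.ceil(expected_vms / vms_per_scanner)
    required_vcpus = scanner_vms * vcpus_per_scanner
    available_vcpus = limit - current_value
    return {
        "passed": required_vcpus <= available_vcpus,
        "scanner_vms": scanner_vms,
        "required_vcpus": required_vcpus,
        "available_vcpus": available_vcpus,
    }


def build_report(required_actions, assigned_roles, quota_inputs: dict) -> dict:
    """Combine both checks; the top-level 'passed' is what a downstream consumer gates on."""
    permissions = check_permissions(required_actions, assigned_roles)
    quota = check_quota(**quota_inputs)
    return {"passed": permissions["passed"] and quota["passed"],
            "permissions": permissions, "quota": quota}


def report_json(report: dict) -> str:
    """Serialise the report; the caller writes this string to the output file."""
    return json.dumps(report, indent=2, sort_keys=True)


# Constructed sample input: the action list and role definitions are illustrative, not the
# module's real requirement set or Azure's actual built-in role definitions.
REQUIRED_ACTIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
]
ASSIGNED_ROLES = [
    RoleDefinition("Reader", actions=["*/read"]),
    RoleDefinition("Snapshot Operator (custom)",
                   actions=["Microsoft.Compute/snapshots/*",
                            "Microsoft.Compute/disks/beginGetAccess/action"],
                   not_actions=["Microsoft.Compute/snapshots/delete"]),
]
QUOTA_INPUTS = {"expected_vms": 250, "vms_per_scanner": 40, "vcpus_per_scanner": 2,
                "limit": 50, "current_value": 10}

if __name__ == "__main__":
    print(report_json(build_report(REQUIRED_ACTIONS, ASSIGNED_ROLES, QUOTA_INPUTS)))
```

With the sample input the quota check passes (7 scanner VMs, 14 of 40 available vCPUs) but the permission check fails because no assigned role grants the listKeys action, so the report's top-level passed is false; the per-action satisfied_by map is what lets the user see which role covered each permission and which one is missing. Note that the match is evaluated per role before being combined, because a NotActions entry in one role must not cancel a grant from another.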

@kirklandnuts kirklandnuts changed the title from "Feat/awls2 368/preflight script" to "feat: preflight check" (Mar 24, 2025)
@kirklandnuts kirklandnuts force-pushed the feat/AWLS2-368/preflight-script branch from ee9d68d to c1714fa (March 26, 2025 17:45)
@kirklandnuts kirklandnuts force-pushed the feat/AWLS2-368/preflight-script branch from 4a25476 to de1c128 (March 31, 2025 16:57)
@kirklandnuts kirklandnuts marked this pull request as ready for review March 31, 2025 17:49
@kirklandnuts kirklandnuts requested review from a team as code owners March 31, 2025 17:49
@kirklandnuts kirklandnuts changed the title from "feat: preflight check" to "feat: add preflight check tool" (Mar 31, 2025)

A Terraform Module to configure the Lacework Agentless Scanner on Azure.

To ensure smooth deployment, please reference our [preflight check](./preflight_check/).
Contributor (review comment on the README change):

Just an aside, but we should follow up with the docs team to include reference to this tool after we merge and release.

from .config import DeploymentConfig, IntegrationType, Region, Subscription
from .quota import UsageQuotaLimit

__all__ = [
Contributor (review comment on the package __init__.py):

just curious, why do we need this?

@kirklandnuts kirklandnuts (Contributor Author) replied Apr 29, 2025:

It defines the scope for what's imported when a caller imports * from this package.

"if a package's __init__.py code defines a list named __all__, it is taken to be the list of module names that should be imported when from package import * is encountered." (source: the Python tutorial's section on importing * from a package)

@wilderj wilderj (Contributor) left a comment:

Really fantastic work here @kirklandnuts 👊 !

@PengyuanZhao PengyuanZhao (Contributor) left a comment:


We, the product platform team (growth team), built a CLI tool, lacework preflight, to do preflight checks across all CSPs/integrations: https://github.com/lacework-dev/cdk-preflight. It has minimal checks on Azure currently but already fully supports AWS/GCP. Seems like we are making duplicated efforts in different ways.

Questions:

  • Why do you do the preflight check only for this Agentless module but not the other modules? I assume it's a question more about using cdk-preflight vs. doing the preflight check in every single module.
  • If the user is required to have run the preflight check before executing the module, how would the upstream dependencies be affected? We have CLI commands and a self-deployment service that heavily depend on Terraform modules. The Terraform modules shouldn't be overburdened and their behavior should remain unchanged.

@kirklandnuts kirklandnuts (Contributor Author) commented Apr 3, 2025

We, the product platform team (growth team), built a CLI tool, lacework preflight, to do preflight checks across all CSPs/integrations: https://github.com/lacework-dev/cdk-preflight. It has minimal checks on Azure currently but already fully supports AWS/GCP. Seems like we are making duplicated efforts in different ways.

@PengyuanZhao thanks for raising this — I wasn't aware that we had an existing preflight check tool.

  • Why do you do the preflight check only for this Agentless module but not the other modules? I assume it's a question more about using cdk-preflight vs. doing the preflight check in every single module.

Depending on the feedback we receive on this tool, we'd planned to implement something similar for the other AWLS modules (https://github.com/lacework/terraform-aws-agentless-scanning/ and https://github.com/lacework/terraform-gcp-agentless-scanning). With regards to modules beyond those pertaining to AWLS, it simply comes down to the fact that our team is not acutely aware of what conditions need to be checked to ensure successful deployment of those components, so we would not be the ones to implement such checks.

  • If the user is required to have run the preflight check before executing the module, how would the upstream dependencies be affected? We have CLI commands and a self-deployment service that heavily depend on Terraform modules. The Terraform modules shouldn't be overburdened and their behavior should remain unchanged.

As of right now, we are not enforcing the requirement that users must have run the preflight check before they can execute the module; this is being tracked as a separate follow-up task, AWLS2-490. For context, the way we're considering enforcing this requirement is by having the module read the preflight check output file and validate that the checks have passed. In any case, when we make this change, we will also add a new input variable (e.g., skip_preflight (bool)) that would enable users to opt out of the preflight check validation. Upstream dependencies would specify this input to maintain existing behavior. To ensure a smooth transition, we could default the new input variable to True, start modifying those CLI commands and self-deployment services you'd mentioned to specify skip_preflight = True, and finally switch the default to False only after those changes are released.

Given the checks being performed by this tool, do you think that it's something that the platform team can replicate within the lacework preflight tool? If not, or until these checks have been integrated into lacework preflight, we can publish and maintain this tool separately. What do you think?

@PengyuanZhao PengyuanZhao (Contributor) commented Apr 3, 2025

@kirklandnuts thanks for the clarification!

As a lot of work has been done on lacework preflight, there is no need to go to the other path to let each team build such checks into each module. And technically the preflight check has lots of duplicate logic/code between different modules, especially the ones from the same CSP. So doing it centrally is better than separately. That being said, having this tool separately for Agentless won't hurt much for now I guess.

The skip_preflight param sounds great. But I believe we should provide a coherent preflight check experience not only for Agentless, but also for all the other modules (like AWS config, GCP config, etc.), otherwise it will confuse customers. So I would suggest we always make it optional (skip_preflight=true) for Agentless, unless we really choose to have preflight checks in every module.

Our team would add it to our roadmap to replicate this within lacework preflight. Hopefully the tools could converge somehow by then. For example, we could serve all the module preflight checks as libraries from our go-sdk. So they can be independently imported and used by Terraform modules, CLI commands or self-deployment.

@kirklandnuts kirklandnuts merged commit 4647031 into main Apr 29, 2025
4 checks passed
3 participants