projectdiscovery
diff --git a/‎.gitignore‎
Lines changed: 11 additions & 1 deletion b/‎.gitignore‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎CLAUDE.md‎
Lines changed: 185 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 185 additions & 0 deletions
diff --git a/‎PROVIDERS.md‎
Lines changed: 154 additions & 9 deletions b/‎PROVIDERS.md‎
Lines changed: 154 additions & 9 deletions
@@ -3,4 +3,14 @@ cmd/cloudlist/cloudlist
 dist
 .env
 provider-config.yaml
-cloudlist
+cloudlist
+.claude/settings.local.json
+
+# Test files and credentials
+TEST_RESULTS.md
+test-*.yaml
+*-sa.json
+*.key.json
+/cloudlist
+/terraform/
+azure-readonly-config.yaml
@@ -0,0 +1,185 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+**Cloudlist** is a multi-cloud asset discovery tool written in Go that enumerates resources (IPs, DNS names) from various cloud providers using their APIs. It's designed for blue team security operations to maintain centralized cloud asset inventories.
+
+## Build & Development Commands
+
+### Building
+```bash
+# Build the binary
+make build
+# or
+go build -v -o cloudlist cmd/cloudlist/main.go
+```
+
+### Testing
+```bash
+# Run all tests
+make test
+# or
+go test -v ./...
+
+# Run tests for specific package
+go test -v ./pkg/providers/aws/
+```
+
+### Linting
+```bash
+# Run golangci-lint (same as CI)
+golangci-lint run --timeout 5m
+
+# Auto-fix issues
+golangci-lint run --fix --timeout 5m
+```
+
+### Running
+```bash
+# Basic usage
+./cloudlist -pc ~/.config/cloudlist/provider-config.yaml
+
+# Filter by provider
+./cloudlist -pc provider-config.yaml -p aws,gcp
+
+# Filter by service
+./cloudlist -pc provider-config.yaml -s compute,dns
+
+# Output formats
+./cloudlist -pc provider-config.yaml -json > output.json
+./cloudlist -pc provider-config.yaml -host  # DNS names only
+./cloudlist -pc provider-config.yaml -ip    # IPs only
+```
+
+## Architecture
+
+### Core Components
+
+1. **Provider Interface** (`pkg/schema/schema.go:18-28`)
+   - All providers implement the `schema.Provider` interface
+   - Key methods: `Name()`, `ID()`, `Resources(ctx)`, `Services()`
+   - Returns `*schema.Resources` containing `[]*schema.Resource`
+
+2. **Provider Registration** (`pkg/inventory/inventory.go:92-137`)
+   - `nameToProvider()` function maps provider names to implementations
+   - Add new providers here as a case statement
+
+3. **Resource Model** (`pkg/schema/schema.go:142-163`)
+   - Each resource represents a cloud asset with IP/DNS information
+   - Fields: `Public`, `Provider`, `Service`, `ID`, `PublicIPv4/v6`, `PrivateIpv4/v6`, `DNSName`, `Metadata`
+   - Resources are automatically deduplicated by IP/DNS values
+
+4. **Provider Structure Pattern**
+   - Providers in `pkg/providers/<provider>/`
+   - Main file: `<provider>.go` with `New()` constructor and `Resources()` implementation
+   - Service-specific files: `instances.go`, `dns.go`, etc. for complex providers (see AWS)
+   - Each provider has a `Services` slice listing supported service types
+
+### Provider Implementation Pattern
+
+When implementing providers, follow this structure:
+
+1. **Main provider file** (`<provider>.go`):
+   - Struct with provider-specific client and configuration
+   - `New(block schema.OptionBlock)` constructor that validates config
+   - `Resources(ctx context.Context) (*schema.Resources, error)` that orchestrates resource gathering
+   - Service-specific helper methods
+
+2. **Service-specific files** (for complex providers):
+   - AWS example: `instances.go`, `route53.go`, `s3.go`, `eks.go`, etc.
+   - Each file handles one service type's resource enumeration
+   - Returns `*schema.Resources` that main `Resources()` method merges
+
+3. **Configuration Parsing**:
+   - Use `block.GetMetadata(key)` to read config values
+   - Environment variables supported via `$VAR_NAME` syntax (auto-resolved)
+   - Return `&schema.ErrNoSuchKey{Name: key}` for missing required config
+
+### Important Patterns
+
+- **Resource Deduplication**: Resources are automatically deduplicated by the `ResourceDeduplicator` in schema
+- **Service Filtering**: Users can filter by service via `-s` flag; providers check this in `Services()` method
+- **Metadata**: Extended metadata can be added to resources via the `Metadata` map[string]string field
+- **Context Handling**: All provider `Resources()` methods receive context for cancellation support
+
+## Adding a New Provider
+
+Required steps:
+
+1. **Create provider directory**: `pkg/providers/<provider-name>/`
+
+2. **Implement provider struct** with these methods:
+   ```go
+   func New(block schema.OptionBlock) (schema.Provider, error)
+   func (p *Provider) Name() string
+   func (p *Provider) ID() string
+   func (p *Provider) Resources(ctx context.Context) (*schema.Resources, error)
+   func (p *Provider) Services() []string
+   ```
+
+3. **Register in inventory**: Add case to `nameToProvider()` in `pkg/inventory/inventory.go`
+
+4. **Add to services map**: Add provider and its services to `Providers` map in `pkg/inventory/inventory.go`
+
+5. **Document configuration**: Add provider config documentation to `PROVIDERS.md`
+
+See reference implementations:
+- Simple: `pkg/providers/digitalocean/` (single service)
+- Complex: `pkg/providers/aws/` (multiple services, sub-files)
+- With special auth: `pkg/providers/gcp/` (JSON service account keys)
+
+## Key Files
+
+- `cmd/cloudlist/main.go` - CLI entry point
+- `internal/runner/runner.go` - Main enumeration orchestrator
+- `internal/runner/options.go` - CLI flag definitions
+- `pkg/schema/schema.go` - Core interfaces and data structures
+- `pkg/inventory/inventory.go` - Provider registration and factory
+- `pkg/providers/*/` - Individual cloud provider implementations
+
+## GCP-Specific Notes
+
+GCP provider supports **two discovery modes**:
+
+1. **Individual Service APIs** (default): Project-level discovery using service-specific APIs
+2. **Organization-Level Asset API**: Org-wide discovery when `organization_id` is specified
+
+Key distinction in code:
+- Check for `organization_id` in config to determine mode
+- Asset API mode uses `cloud.google.com/go/asset` package
+- Individual APIs mode uses service-specific clients (compute, dns, etc.)
+
+See `docs/GCP_ASSET_API.md` for detailed implementation guide.
+
+## Testing Guidelines
+
+- Integration tests require cloud provider credentials (usually skipped in CI)
+- Unit tests should mock cloud provider clients
+- Use table-driven tests for resource parsing logic
+- Test error handling for missing/invalid credentials
+
+## GitHub Actions CI
+
+- **lint-test.yml**: Runs `golangci-lint` on Go code changes
+- **build-test.yml**: Tests builds on Ubuntu, Windows, macOS with Go 1.22.x
+- **release-binary.yml**: Creates releases with GoReleaser
+
+## Common Gotchas
+
+1. **Resource fields**: Either IP or DNS must be populated; empty resources are invalid
+2. **Provider IDs**: The `id` field in config is user-defined for filtering, not a cloud resource ID
+3. **Service names**: Must match entries in provider's `Services` slice and inventory's `Providers` map
+4. **Credential handling**: Use environment variables (`$VAR`) in config rather than hardcoding
+5. **Context cancellation**: Always respect context in long-running API calls
+6. **Deduplication**: Don't manually deduplicate; use `Resources.Append()` which handles it automatically
+
+## Module Information
+
+- Go version: 1.24+ (see `go.mod`)
+- Module path: `github.com/projectdiscovery/cloudlist`
+- Key dependencies:
+  - Provider SDKs: `aws-sdk-go`, `azure-sdk-for-go`, `google.golang.org/api`, etc.
+  - ProjectDiscovery libs: `goflags`, `gologger`, `utils`
+  - Concurrency: `github.com/alitto/pond/v2` for worker pools
@@ -47,25 +47,170 @@ References -
 
 ### Google Cloud Platform (GCP)
 
-Google Cloud Platform can be integrated by using the following configuration block.
+Google Cloud Platform supports **two discovery approaches** and **two authentication modes**:
+
+#### Authentication Modes
+
+**A. Traditional Authentication (Static Credentials)**
+- Service account keys (JSON files) - long-lived
+- Application Default Credentials (ADC) - often long-lived
+
+**B. Short-lived Credentials (Recommended for Enhanced Security)**
+- Generate temporary access tokens (up to 1 hour)
+- Eliminates reliance on static service account keys
+- Uses Service Account Credentials API for token generation
+- Supports service account impersonation
+
+---
+
+#### 1. Individual Service APIs (Project-Level Discovery)
+
+**Option 1: Traditional Static Credentials**
 
 ```yaml
 - # provider is the name of the provider
   provider: gcp
   # id is the name defined by user for filtering (optional)
-  id: staging
+  id: project-discovery
   # gcp_service_account_key is the key token of service account.
-  gcp_service_account_key: '{}'
+  gcp_service_account_key: '{
+    "type": "service_account",
+    "project_id": "your-project-id",
+    "private_key_id": "...",
+    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+    "client_email": "cloudlist-sa@your-project-id.iam.gserviceaccount.com",
+    "client_id": "...",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://oauth2.googleapis.com/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/cloudlist-sa%40your-project-id.iam.gserviceaccount.com",
+    "universe_domain": "googleapis.com"
+  }'
 ```
 
-`gcp_service_account_key` can be retrieved by creating a new service account. To do so, create service account with Read Only access to `cloudresourcemanager` and `dns` scopes in IAM. Next, generate a new account key for the Service Account by following steps in Reference 2. This should give you a json which can be pasted in a single line in the `gcp_service_account_key`.
+**Option 2: Short-lived Credentials (Developer Workflow - Zero Keys)**
 
-Scopes Required - 
-1. Cloud DNS
+```yaml
+- provider: gcp
+  id: dev-discovery
+  use_short_lived_credentials: true
+  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
+  # Uses: gcloud auth login → ADC → short-lived token
+  # No service account key file needed!
+```
 
-References - 
-1. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_iam_read-only-console.html
-2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
+**Option 3: Short-lived Credentials (CI/CD with Minimal Permissions)**
+
+```yaml
+- provider: gcp
+  id: ci-discovery
+  use_short_lived_credentials: true
+  service_account_email: "powerful-sa@project.iam.gserviceaccount.com"
+  source_credentials: "minimal-ci-sa.json"  # Only has impersonation permission
+  token_lifetime: "7200s"  # 2 hours
+```
+
+**Option 4: Short-lived Credentials (GKE/Compute Engine - Zero Secrets)**
+
+```yaml
+- provider: gcp
+  id: workload-discovery
+  use_short_lived_credentials: true
+  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
+  # Uses workload identity automatically
+```
+
+**Option 5: Short-lived Credentials (Migration from Existing Keys)**
+
+```yaml
+- provider: gcp
+  id: migrating-discovery
+  use_short_lived_credentials: true
+  service_account_email: "cloudlist@project.iam.gserviceaccount.com"
+  gcp_service_account_key: "existing-key.json"  # Generates short-lived from static key
+  token_lifetime: "3600s"  # 1 hour (default)
+```
+
+**Required Scopes (Traditional Authentication):**
+1. `roles/compute.viewer` - Compute instances and forwarding rules
+2. `roles/dns.reader` - DNS records
+3. `roles/storage.objectViewer` - Storage buckets
+4. `roles/run.viewer` - Cloud Run services
+5. `roles/cloudfunctions.viewer` - Cloud Functions
+6. `roles/container.viewer` - GKE clusters
+7. `roles/tpu.viewer` - TPU nodes
+8. `roles/file.viewer` - Filestore instances
+9. `roles/resourcemanager.viewer` - List projects
+
+**Additional Requirements for Short-lived Credentials:**
+- **Source credentials** need: `roles/iam.serviceAccountTokenCreator` or `iam.serviceAccounts.generateAccessToken` permission on the target service account
+- **Target service account** needs: Same viewer roles listed above
+- **Service Account Credentials API** must be enabled in the project
+
+**Configuration Parameters:**
+- `use_short_lived_credentials` (bool): Enable short-lived token generation (default: false)
+- `service_account_email` (string, required if short-lived): Target service account to impersonate
+- `source_credentials` (string, optional): Path to source credentials file (uses ADC if not provided)
+- `token_lifetime` (string, optional): Token lifetime in seconds (e.g., "3600s") or Go duration format (e.g., "1h"). Range: 1s to 3600s (1 hour). Default: "3600s"
+
+---
+
+#### 2. Organization-Level Asset API (Organization-Wide Discovery)
+
+**Traditional Authentication:**
+
+```yaml
+- # provider is the name of the provider
+  provider: gcp
+  # id is the name defined by user for filtering (optional)
+  id: org-discovery
+  # organization_id enables Asset API for organization-wide discovery
+  organization_id: "123456789012"
+  # gcp_service_account_key with organization-level permissions
+  gcp_service_account_key: '{
+    "type": "service_account",
+    "project_id": "your-project-id",
+    "private_key_id": "...",
+    "private_key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n",
+    "client_email": "asset-viewer-sa@your-project-id.iam.gserviceaccount.com",
+    "client_id": "...",
+    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+    "token_uri": "https://oauth2.googleapis.com/token",
+    "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+    "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/asset-viewer-sa%40your-project-id.iam.gserviceaccount.com",
+    "universe_domain": "googleapis.com"
+  }'
+```
+
+**Short-lived Credentials (Organization-Level):**
+
+```yaml
+- provider: gcp
+  id: org-discovery-secure
+  organization_id: "123456789012"
+  use_short_lived_credentials: true
+  service_account_email: "asset-viewer-sa@project.iam.gserviceaccount.com"
+  token_lifetime: "7200s"  # 2 hours
+```
+
+**Required Organization-Level Roles:**
+1. `roles/cloudasset.viewer` - Core Asset API access
+2. `roles/resourcemanager.viewer` - List projects in organization
+3. (For short-lived) `roles/iam.serviceAccountTokenCreator` - On source credentials
+
+**Key Differences:**
+- **Individual APIs**: Fast, project-specific, detailed results
+- **Asset API**: Comprehensive, organization-wide, higher resource count
+- **Short-lived Credentials**: Enhanced security, tokens auto-expire (up to 1 hour)
+
+📚 **For detailed setup instructions, see: [docs/GCP_ASSET_API.md](docs/GCP_ASSET_API.md)**
+
+References -
+1. https://cloud.google.com/asset-inventory/docs/overview
+2. https://cloud.google.com/iam/docs/creating-managing-service-accounts
+3. https://cloud.google.com/iam/docs/understanding-roles
+4. https://cloud.google.com/iam/docs/service-account-creds (Short-lived credentials)
+5. https://cloud.google.com/docs/authentication/provide-credentials-adc (Application Default Credentials)
 
 
 ### Microsoft Azure