TAG: Poll AWS EKS clusters fom AWS (#38984)

This PR polls the AWS EKS clusters and their AssociatedAccessPolicies and AccessEntries and syncs them into TAG. Part of gravitational/access-graph#459 Signed-off-by: Tiago Silva <[email protected]>
gravitational · Mar 7, 2024 · 58ebf54 · 58ebf54
1 parent c1a9b88
commit 58ebf54
Show file tree

Hide file tree

Showing 8 changed files with 1,723 additions and 364 deletions.
diff --git a/gen/proto/go/accessgraph/v1alpha/aws.pb.go b/gen/proto/go/accessgraph/v1alpha/aws.pb.go
diff --git a/lib/cloud/mocks/aws.go b/lib/cloud/mocks/aws.go
@@ -238,13 +238,17 @@ func (m *IAMErrorMock) PutUserPolicyWithContext(ctx aws.Context, input *iam.PutU
 // EKSMock is a mock EKS client.
 type EKSMock struct {
 	eksiface.EKSAPI
-	Clusters []*eks.Cluster
-	Notify   chan struct{}
+	Clusters           []*eks.Cluster
+	AccessEntries      []*eks.AccessEntry
+	AssociatedPolicies []*eks.AssociatedAccessPolicy
+	Notify             chan struct{}
 }
 
 func (e *EKSMock) DescribeClusterWithContext(_ aws.Context, req *eks.DescribeClusterInput, _ ...request.Option) (*eks.DescribeClusterOutput, error) {
 	defer func() {
-		e.Notify <- struct{}{}
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
 	}()
 	for _, cluster := range e.Clusters {
 		if aws.StringValue(req.Name) == aws.StringValue(cluster.Name) {
@@ -253,3 +257,63 @@ func (e *EKSMock) DescribeClusterWithContext(_ aws.Context, req *eks.DescribeClu
 	}
 	return nil, trace.NotFound("cluster %v not found", aws.StringValue(req.Name))
 }
+
+func (e *EKSMock) ListClustersPagesWithContext(_ aws.Context, _ *eks.ListClustersInput, f func(*eks.ListClustersOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	clusters := make([]*string, 0, len(e.Clusters))
+	for _, cluster := range e.Clusters {
+		clusters = append(clusters, cluster.Name)
+	}
+	f(&eks.ListClustersOutput{
+		Clusters: clusters,
+	}, true)
+	return nil
+}
+
+func (e *EKSMock) ListAccessEntriesPagesWithContext(_ aws.Context, _ *eks.ListAccessEntriesInput, f func(*eks.ListAccessEntriesOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	accessEntries := make([]*string, 0, len(e.Clusters))
+	for _, a := range e.AccessEntries {
+		accessEntries = append(accessEntries, a.PrincipalArn)
+	}
+	f(&eks.ListAccessEntriesOutput{
+		AccessEntries: accessEntries,
+	}, true)
+	return nil
+}
+
+func (e *EKSMock) DescribeAccessEntryWithContext(_ aws.Context, req *eks.DescribeAccessEntryInput, _ ...request.Option) (*eks.DescribeAccessEntryOutput, error) {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	for _, a := range e.AccessEntries {
+		if aws.StringValue(req.PrincipalArn) == aws.StringValue(a.PrincipalArn) && aws.StringValue(a.ClusterName) == aws.StringValue(req.ClusterName) {
+			return &eks.DescribeAccessEntryOutput{AccessEntry: a}, nil
+		}
+	}
+	return nil, trace.NotFound("access entry %v not found", aws.StringValue(req.PrincipalArn))
+}
+
+func (e *EKSMock) ListAssociatedAccessPoliciesPagesWithContext(_ aws.Context, _ *eks.ListAssociatedAccessPoliciesInput, f func(*eks.ListAssociatedAccessPoliciesOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+
+	f(&eks.ListAssociatedAccessPoliciesOutput{
+		AssociatedAccessPolicies: e.AssociatedPolicies,
+	}, true)
+	return nil
+
+}
diff --git a/lib/srv/discovery/fetchers/aws-sync/aws-sync.go b/lib/srv/discovery/fetchers/aws-sync/aws-sync.go
@@ -102,6 +102,12 @@ type Resources struct {
 	RoleAttachedPolicies []*accessgraphv1alpha.AWSRoleAttachedPolicies
 	// InstanceProfiles is the list of AWS IAM instance profiles.
 	InstanceProfiles []*accessgraphv1alpha.AWSInstanceProfileV1
+	// EKSClusters is the list of EKS clusters
+	EKSClusters []*accessgraphv1alpha.AWSEKSClusterV1
+	// AssociatedAccessPolicies is the list of Associated Access policies
+	AssociatedAccessPolicies []*accessgraphv1alpha.AWSEKSAssociatedAccessPolicyV1
+	// AccessEntries is the list of Access Entries.
+	AccessEntries []*accessgraphv1alpha.AWSEKSClusterAccessEntryV1
 }
 
 // NewAWSFetcher creates a new AWS fetcher.
@@ -172,6 +178,9 @@ func (a *awsFetcher) poll(ctx context.Context) (*Resources, error) {
 	// fetch AWS S3 buckets.
 	eGroup.Go(a.pollAWSS3Buckets(ctx, result, collectErr))
 
+	// fetch AWS EKS clusters
+	eGroup.Go(a.pollAWSEKSClusters(ctx, result, collectErr))
+
 	if err := eGroup.Wait(); err != nil {
 		return nil, trace.Wrap(err)
 	}