TAG: Poll AWS EKS clusters fom AWS (#38984)

This PR polls the AWS EKS clusters and their AssociatedAccessPolicies and AccessEntries and syncs them into TAG. Part of gravitational/access-graph#459 Signed-off-by: Tiago Silva <[email protected]>
gravitational · Mar 12, 2024 · 7961f3c · 7961f3c
1 parent 3f29502
commit 7961f3c
Show file tree

Hide file tree

Showing 10 changed files with 1,726 additions and 367 deletions.
diff --git a/gen/proto/go/accessgraph/v1alpha/aws.pb.go b/gen/proto/go/accessgraph/v1alpha/aws.pb.go
diff --git a/go.mod b/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/andybalholm/brotli v1.0.5
 	github.com/aquasecurity/libbpfgo v0.5.1-libbpf-1.2
 	github.com/armon/go-radix v1.0.0
-	github.com/aws/aws-sdk-go v1.47.0
+	github.com/aws/aws-sdk-go v1.50.36
 	github.com/aws/aws-sdk-go-v2 v1.22.2
 	github.com/aws/aws-sdk-go-v2/config v1.19.1
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.43

diff --git a/go.sum b/go.sum
@@ -197,8 +197,8 @@ github.com/aws/aws-lambda-go v1.13.3/go.mod h1:4UKl9IzQMoD+QF79YdCuzCwp8VbmG4VAQ
 github.com/aws/aws-sdk-go v1.17.4/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.44.263/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
-github.com/aws/aws-sdk-go v1.47.0 h1:/JUg9V1+xh+qBn8A6ec/l15ETPaMaBqxkjz+gg63dNk=
-github.com/aws/aws-sdk-go v1.47.0/go.mod h1:DlEaEbWKZmsITVbqlSVvekPARM1HzeV9PMYg15ymSDA=
+github.com/aws/aws-sdk-go v1.50.36 h1:PjWXHwZPuTLMR1NIb8nEjLucZBMzmf84TLoLbD8BZqk=
+github.com/aws/aws-sdk-go v1.50.36/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
 github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g=
 github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
 github.com/aws/aws-sdk-go-v2 v1.21.0/go.mod h1:/RfNgGmRxI+iFOB1OeJUyxiU+9s88k3pfHvDagGEp0M=

diff --git a/lib/cloud/mocks/aws.go b/lib/cloud/mocks/aws.go
@@ -236,13 +236,17 @@ func (m *IAMErrorMock) PutUserPolicyWithContext(ctx aws.Context, input *iam.PutU
 // EKSMock is a mock EKS client.
 type EKSMock struct {
 	eksiface.EKSAPI
-	Clusters []*eks.Cluster
-	Notify   chan struct{}
+	Clusters           []*eks.Cluster
+	AccessEntries      []*eks.AccessEntry
+	AssociatedPolicies []*eks.AssociatedAccessPolicy
+	Notify             chan struct{}
 }
 
 func (e *EKSMock) DescribeClusterWithContext(_ aws.Context, req *eks.DescribeClusterInput, _ ...request.Option) (*eks.DescribeClusterOutput, error) {
 	defer func() {
-		e.Notify <- struct{}{}
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
 	}()
 	for _, cluster := range e.Clusters {
 		if aws.StringValue(req.Name) == aws.StringValue(cluster.Name) {
@@ -251,3 +255,63 @@ func (e *EKSMock) DescribeClusterWithContext(_ aws.Context, req *eks.DescribeClu
 	}
 	return nil, trace.NotFound("cluster %v not found", aws.StringValue(req.Name))
 }
+
+func (e *EKSMock) ListClustersPagesWithContext(_ aws.Context, _ *eks.ListClustersInput, f func(*eks.ListClustersOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	clusters := make([]*string, 0, len(e.Clusters))
+	for _, cluster := range e.Clusters {
+		clusters = append(clusters, cluster.Name)
+	}
+	f(&eks.ListClustersOutput{
+		Clusters: clusters,
+	}, true)
+	return nil
+}
+
+func (e *EKSMock) ListAccessEntriesPagesWithContext(_ aws.Context, _ *eks.ListAccessEntriesInput, f func(*eks.ListAccessEntriesOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	accessEntries := make([]*string, 0, len(e.Clusters))
+	for _, a := range e.AccessEntries {
+		accessEntries = append(accessEntries, a.PrincipalArn)
+	}
+	f(&eks.ListAccessEntriesOutput{
+		AccessEntries: accessEntries,
+	}, true)
+	return nil
+}
+
+func (e *EKSMock) DescribeAccessEntryWithContext(_ aws.Context, req *eks.DescribeAccessEntryInput, _ ...request.Option) (*eks.DescribeAccessEntryOutput, error) {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+	for _, a := range e.AccessEntries {
+		if aws.StringValue(req.PrincipalArn) == aws.StringValue(a.PrincipalArn) && aws.StringValue(a.ClusterName) == aws.StringValue(req.ClusterName) {
+			return &eks.DescribeAccessEntryOutput{AccessEntry: a}, nil
+		}
+	}
+	return nil, trace.NotFound("access entry %v not found", aws.StringValue(req.PrincipalArn))
+}
+
+func (e *EKSMock) ListAssociatedAccessPoliciesPagesWithContext(_ aws.Context, _ *eks.ListAssociatedAccessPoliciesInput, f func(*eks.ListAssociatedAccessPoliciesOutput, bool) bool, _ ...request.Option) error {
+	defer func() {
+		if e.Notify != nil {
+			e.Notify <- struct{}{}
+		}
+	}()
+
+	f(&eks.ListAssociatedAccessPoliciesOutput{
+		AssociatedAccessPolicies: e.AssociatedPolicies,
+	}, true)
+	return nil
+
+}
diff --git a/lib/srv/discovery/fetchers/aws-sync/aws-sync.go b/lib/srv/discovery/fetchers/aws-sync/aws-sync.go
@@ -102,6 +102,12 @@ type Resources struct {
 	RoleAttachedPolicies []*accessgraphv1alpha.AWSRoleAttachedPolicies
 	// InstanceProfiles is the list of AWS IAM instance profiles.
 	InstanceProfiles []*accessgraphv1alpha.AWSInstanceProfileV1
+	// EKSClusters is the list of EKS clusters
+	EKSClusters []*accessgraphv1alpha.AWSEKSClusterV1
+	// AssociatedAccessPolicies is the list of Associated Access policies
+	AssociatedAccessPolicies []*accessgraphv1alpha.AWSEKSAssociatedAccessPolicyV1
+	// AccessEntries is the list of Access Entries.
+	AccessEntries []*accessgraphv1alpha.AWSEKSClusterAccessEntryV1
 }
 
 // NewAWSFetcher creates a new AWS fetcher.
@@ -172,6 +178,9 @@ func (a *awsFetcher) poll(ctx context.Context) (*Resources, error) {
 	// fetch AWS S3 buckets.
 	eGroup.Go(a.pollAWSS3Buckets(ctx, result, collectErr))
 
+	// fetch AWS EKS clusters
+	eGroup.Go(a.pollAWSEKSClusters(ctx, result, collectErr))
+
 	if err := eGroup.Wait(); err != nil {
 		return nil, trace.Wrap(err)
 	}