feat(cloudtrail): add support for SNS ingestion (#588)

* Add support for CloudTrail SNS ingestion * update tests * update style * update logic to support empty cloudprovider and cloudprovider_id * update docs * remove redundant line and fix comments * update docs
sysdiglabs · Jan 15, 2025 · edee724 · edee724
1 parent fa105cf
commit edee724
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 12 deletions.
diff --git a/sysdig/data_source_sysdig_secure_onboarding.go b/sysdig/data_source_sysdig_secure_onboarding.go
@@ -8,10 +8,11 @@ import (
 	"time"
 
 	"github.com/aws/aws-sdk-go/aws/arn"
-	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 )
 
 func getSecureOnboardingClient(c SysdigClients) (v2.OnboardingSecureInterface, error) {
@@ -344,6 +345,15 @@ func dataSourceSysdigSecureCloudIngestionAssets() *schema.Resource {
 		},
 
 		Schema: map[string]*schema.Schema{
+			"cloud_provider": {
+				Type:         schema.TypeString,
+				Optional:     true,
+				ValidateFunc: validation.StringInSlice([]string{"aws", "gcp", "azure"}, false),
+			},
+			"cloud_provider_id": {
+				Type:     schema.TypeString,
+				Optional: true,
+			},
 			"aws": {
 				Type:     schema.TypeMap,
 				Computed: true,
@@ -370,18 +380,25 @@ func dataSourceSysdigSecureCloudIngestionAssetsRead(ctx context.Context, d *sche
 		return diag.FromErr(err)
 	}
 
-	assets, err := client.GetCloudIngestionAssetsSecure(ctx)
+	assets, err := client.GetCloudIngestionAssetsSecure(ctx, d.Get("cloud_provider").(string), d.Get("cloud_provider_id").(string))
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
 	assetsAws, _ := assets["aws"].(map[string]interface{})
 	assetsGcp, _ := assets["gcp"].(map[string]interface{})
 
+	var ingestionURL string
+	if assetsAws["snsMetadata"] != nil {
+		ingestionURL = assetsAws["snsMetadata"].(map[string]interface{})["ingestionURL"].(string)
+	}
+
 	d.SetId("cloudIngestionAssets")
 	err = d.Set("aws", map[string]interface{}{
-		"eventBusARN":    assetsAws["eventBusARN"],
-		"eventBusARNGov": assetsAws["eventBusARNGov"],
+		"eventBusARN":     assetsAws["eventBusARN"],
+		"eventBusARNGov":  assetsAws["eventBusARNGov"],
+		"sns_routing_key": assetsAws["snsRoutingKey"],
+		"sns_routing_url": ingestionURL,
 	})
 	if err != nil {
 		return diag.FromErr(err)
@@ -456,8 +473,10 @@ func dataSourceSysdigSecureTrustedOracleAppRead(ctx context.Context, d *schema.R
 	return nil
 }
 
-var matchFirstCap = regexp.MustCompile("(.)([A-Z][a-z]+)")
-var matchAllCap = regexp.MustCompile("([a-z0-9])([A-Z])")
+var (
+	matchFirstCap = regexp.MustCompile("(.)([A-Z][a-z]+)")
+	matchAllCap   = regexp.MustCompile("([a-z0-9])([A-Z])")
+)
 
 func snakeCase(str string) string {
 	snake := matchFirstCap.ReplaceAllString(str, "${1}_${2}")

diff --git a/sysdig/data_source_sysdig_secure_onboarding_test.go b/sysdig/data_source_sysdig_secure_onboarding_test.go
@@ -175,10 +175,17 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 			},
 		},
 		Steps: []resource.TestStep{
+			{
+				Config: `data "sysdig_secure_cloud_ingestion_assets" "assets" {
+						cloud_provider = "invalid"
+						cloud_provider_id = "123"
+						}`,
+				ExpectError: regexp.MustCompile(`.*expected cloud_provider to be one of.*`),
+			},
 			{
 				Config: `data "sysdig_secure_cloud_ingestion_assets" "assets" {}`,
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("data.sysdig_secure_cloud_ingestion_assets.assets", "aws.%", "2"),
+					resource.TestCheckResourceAttr("data.sysdig_secure_cloud_ingestion_assets.assets", "aws.%", "4"),
 					// not asserting the gov exported fields because not every backend environment is gov supported and thus will have empty values
 
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_cloud_ingestion_assets.assets", "gcp_routing_key"),
@@ -188,6 +195,16 @@ func TestAccCloudIngestionAssetsDataSource(t *testing.T) {
 					resource.TestCheckResourceAttrSet("data.sysdig_secure_cloud_ingestion_assets.assets", "gcp_metadata.ingestionURL"),
 				),
 			},
+			{
+				Config: `data "sysdig_secure_cloud_ingestion_assets" "assets" {
+						cloud_provider = "aws" 
+						cloud_provider_id = "012345678901"
+				}`,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet("data.sysdig_secure_cloud_ingestion_assets.assets", "aws.sns_routing_key"),
+					resource.TestCheckResourceAttrSet("data.sysdig_secure_cloud_ingestion_assets.assets", "aws.sns_routing_url"),
+				),
+			},
 		},
 	})
 }

diff --git a/sysdig/internal/client/v2/onboarding.go b/sysdig/internal/client/v2/onboarding.go
@@ -11,7 +11,7 @@ const (
 	onboardingTrustedAzureAppPath         = "%s/api/secure/onboarding/v2/trustedAzureApp?app=%s"
 	onboardingTenantExternaIDPath         = "%s/api/secure/onboarding/v2/externalID"
 	onboardingAgentlessScanningAssetsPath = "%s/api/secure/onboarding/v2/agentlessScanningAssets"
-	onboardingCloudIngestionAssetsPath    = "%s/api/secure/onboarding/v2/cloudIngestionAssets"
+	onboardingCloudIngestionAssetsPath    = "%s/api/secure/onboarding/v2/cloudIngestionAssets?provider=%s&providerID=%s"
 	onboardingTrustedRegulationAssetsPath = "%s/api/secure/onboarding/v2/trustedRegulationAssets?provider=%s"
 	onboardingTrustedOracleAppPath        = "%s/api/secure/onboarding/v2/trustedOracleApp?app=%s"
 )
@@ -22,7 +22,7 @@ type OnboardingSecureInterface interface {
 	GetTrustedAzureAppSecure(ctx context.Context, app string) (map[string]string, error)
 	GetTenantExternalIDSecure(ctx context.Context) (string, error)
 	GetAgentlessScanningAssetsSecure(ctx context.Context) (map[string]any, error)
-	GetCloudIngestionAssetsSecure(ctx context.Context) (map[string]any, error)
+	GetCloudIngestionAssetsSecure(ctx context.Context, provider, providerID string) (map[string]any, error)
 	GetTrustedCloudRegulationAssetsSecure(ctx context.Context, provider string) (map[string]string, error)
 	GetTrustedOracleAppSecure(ctx context.Context, app string) (map[string]string, error)
 }
@@ -83,8 +83,8 @@ func (client *Client) GetAgentlessScanningAssetsSecure(ctx context.Context) (map
 	return Unmarshal[map[string]interface{}](response.Body)
 }
 
-func (client *Client) GetCloudIngestionAssetsSecure(ctx context.Context) (map[string]interface{}, error) {
-	response, err := client.requester.Request(ctx, http.MethodGet, fmt.Sprintf(onboardingCloudIngestionAssetsPath, client.config.url), nil)
+func (client *Client) GetCloudIngestionAssetsSecure(ctx context.Context, provider, providerID string) (map[string]interface{}, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, fmt.Sprintf(onboardingCloudIngestionAssetsPath, client.config.url, provider, providerID), nil)
 	if err != nil {
 		return nil, err
 	}

diff --git a/website/docs/d/secure_cloud_ingestion_assets.md b/website/docs/d/secure_cloud_ingestion_assets.md
@@ -28,7 +28,10 @@ In addition to all arguments above, the following attributes are exported:
 
 * `aws.eventBusARNGov` - AWS Gov event bus (if supported) from which Sysdig Cloud Ingestion operates
 
+* `aws.sns_routing_key` - AWS CloudTrail SNS ingestion routing key
+
+* `aws.sns_routing_url` - AWS CloudTrail SNS ingestion URL
+
 * `gcp_routing_key` - GCP ingestion routing key
 
 * `gcp_metadata` - GCP ingestion metadata
-