chore(arn): improve resource ARNs in checks #3388

sergargar · 2024-02-12T15:07:04Z

Description

Improve resource ARNs in checks where we had the Account ARN, now Prowler will have the correct ARN for each resource.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

codecov · 2024-02-13T11:15:59Z

Codecov Report

Attention: Patch coverage is 95.72650% with 5 lines in your changes are missing coverage. Please review.

Project coverage is 85.89%. Comparing base (042976f) to head (3e92eb9).
Report is 80 commits behind head on master.

Files	Patch %	Lines
prowler/providers/aws/services/dlm/dlm_service.py	66.66%	1 Missing ⚠️
prowler/providers/aws/services/drs/drs_service.py	66.66%	1 Missing ⚠️
prowler/providers/aws/services/emr/emr_service.py	66.66%	1 Missing ⚠️
...rowler/providers/aws/services/glue/glue_service.py	50.00%	1 Missing ⚠️
...wler/providers/aws/services/macie/macie_service.py	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3388      +/-   ##
==========================================
+ Coverage   85.85%   85.89%   +0.04%     
==========================================
  Files         586      670      +84     
  Lines       18893    20827    +1934     
==========================================
+ Hits        16220    17890    +1670     
- Misses       2673     2937     +264

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

jfagoagas

As a general recommendation, save that generic ARNs in the services and then get that in the checks, we should define that in just one place. Check that please.

jfagoagas · 2024-02-16T10:56:54Z

prowler/providers/aws/services/backup/backup_plans_exist/backup_plans_exist.py

@@ -17,7 +17,7 @@ def execute(self):
            report = Check_Report_AWS(self.metadata())
            report.status = "FAIL"
            report.status_extended = "No Backup Plan exist."
-            report.resource_arn = backup_client.audited_account_arn
+            report.resource_arn = f"arn:{backup_client.audited_partition}:backup:{backup_client.region}:{backup_client.audited_account}:backup-plan"


This applies to all the backup checks.

Maybe you can define those ARNs in a single place to use that also for the tests. Maybe it's better to have something in the lib/arn with the service generic ARNs.

Good point, it would be a nice-to-have. But I see it complicated, since each check can have a different resource type and we need to use the information of each service.

Done! I have added them in each service class.

jfagoagas

Please, modify Prowler Developer Guide to reflect this change here https://docs.prowler.com/projects/prowler-open-source/en/latest/developer-guide/checks/#resource-id-name-and-arn

github-actions · 2024-02-28T16:06:29Z

You can check the documentation for this PR here -> SaaS Documentation

jfagoagas · 2024-02-28T17:08:39Z

docs/developer-guide/checks.md

@@ -125,7 +125,7 @@ All the checks MUST fill the `report.resource_id` and `report.resource_arn` with
    - Resource ARN -- `report.resource_arn`
        - AWS Account --> Root ARN `arn:aws:iam::123456789012:root`
        - AWS Resource --> Resource ARN
-        - Root resource --> Root ARN `arn:aws:iam::123456789012:root`
+        - Root resource --> Root ARN `f"arn:{service_client.audited_partition}:<service_name>:{service_client.region}:{service_client.audited_account}:<resource_type>"`


Name the result differently than root, maybe Service ARN or Resource Type ARN

github-actions · 2024-02-28T17:30:18Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-02-28T17:34:56Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-03-05T09:36:31Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-03-05T09:51:50Z

You can check the documentation for this PR here -> SaaS Documentation

jfagoagas · 2024-03-05T10:37:48Z

...nges_to_network_acls_alarm_configured/cloudwatch_changes_to_network_acls_alarm_configured.py

@@ -21,8 +21,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:37:59Z

...network_gateways_alarm_configured/cloudwatch_changes_to_network_gateways_alarm_configured.py

@@ -21,8 +21,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:38:20Z

...route_tables_alarm_configured/cloudwatch_changes_to_network_route_tables_alarm_configured.py

@@ -21,8 +21,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:38:27Z

...h/cloudwatch_changes_to_vpcs_alarm_configured/cloudwatch_changes_to_vpcs_alarm_configured.py

@@ -21,8 +21,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:39:36Z

...abled/cloudwatch_log_metric_filter_and_alarm_for_aws_config_configuration_changes_enabled.py

@@ -23,8 +23,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:40:00Z

...abled/cloudwatch_log_metric_filter_and_alarm_for_cloudtrail_configuration_changes_enabled.py

@@ -23,8 +23,8 @@ def execute(self):
            "No CloudWatch log groups found with metric filters or alarms associated."
        )
        report.region = cloudwatch_client.region


Suggested change

report.region = cloudwatch_client.region

report.region = logs_client.region

jfagoagas · 2024-03-05T10:44:56Z

prowler/providers/aws/services/ec2/ec2_ebs_default_encryption/ec2_ebs_default_encryption.py

@@ -8,7 +8,7 @@ def execute(self):
        for ebs_encryption in ec2_client.ebs_encryption_by_default:
            report = Check_Report_AWS(self.metadata())
            report.region = ebs_encryption.region


Check this region please.

jfagoagas · 2024-03-05T10:45:05Z

...ces/emr/emr_cluster_account_public_block_enabled/emr_cluster_account_public_block_enabled.py

@@ -9,7 +9,7 @@ def execute(self):
            report = Check_Report_AWS(self.metadata())
            report.region = region


Check this region please.

jfagoagas · 2024-03-05T10:45:53Z

...n_passwords_encryption_enabled/glue_data_catalogs_connection_passwords_encryption_enabled.py

@@ -10,7 +10,7 @@ def execute(self):
            if encryption.tables or not glue_client.audit_info.ignore_unused_services:
                report = Check_Report_AWS(self.metadata())
                report.resource_id = glue_client.audited_account
-                report.resource_arn = glue_client.audited_account_arn
+                report.resource_arn = glue_client.data_catalog_arn_template
                report.region = encryption.region


Check this region please.

jfagoagas · 2024-03-05T10:45:58Z

..._data_catalogs_metadata_encryption_enabled/glue_data_catalogs_metadata_encryption_enabled.py

@@ -10,7 +10,7 @@ def execute(self):
            if encryption.tables or not glue_client.audit_info.ignore_unused_services:
                report = Check_Report_AWS(self.metadata())
                report.resource_id = glue_client.audited_account
-                report.resource_arn = glue_client.audited_account_arn
+                report.resource_arn = glue_client.data_catalog_arn_template
                report.region = encryption.region


Check this region please.

jfagoagas · 2024-03-05T10:46:48Z

prowler/providers/aws/services/macie/macie_is_enabled/macie_is_enabled.py

@@ -9,7 +9,7 @@ def execute(self):
        for session in macie_client.sessions:
            report = Check_Report_AWS(self.metadata())
            report.region = session.region


Check this region please.

github-actions · 2024-03-05T13:08:03Z

You can check the documentation for this PR here -> SaaS Documentation

jfagoagas

Great improvement @sergargar 🚀

github-actions · 2024-03-05T14:16:18Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-03-05T14:40:54Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-03-05T14:49:50Z

You can check the documentation for this PR here -> SaaS Documentation

github-actions · 2024-03-05T15:06:31Z

You can check the documentation for this PR here -> SaaS Documentation

jfagoagas

👍

chore(arn): improve resource ARNs in checks

583ab69

sergargar requested a review from a team February 12, 2024 15:07

sergargar added 4 commits February 12, 2024 16:32

add more testing

ab58e46

add more testing

a4ac401

add more testing

81ce232

add more testing

31726a3

sergargar added the provider/aws Issues/PRs related with the AWS provider label Feb 13, 2024

delete job.yaml

1fd3162

jfagoagas requested changes Feb 16, 2024

View reviewed changes

jfagoagas self-requested a review February 19, 2024 09:18

jfagoagas requested changes Feb 19, 2024

View reviewed changes

change docs

1f5afc4

github-actions bot added the documentation label Feb 28, 2024

jfagoagas reviewed Feb 28, 2024

View reviewed changes

save arns in service class

a5d022a

sergargar requested a review from jfagoagas February 28, 2024 17:29

fix docs

68022e1

fix tests

049a012

fix tests

8f614c2

jfagoagas reviewed Mar 5, 2024

View reviewed changes

jfagoagas requested changes Mar 5, 2024

View reviewed changes

solve comments

ac12434

jfagoagas previously approved these changes Mar 5, 2024

View reviewed changes

fix tests

68924b3

sergargar dismissed jfagoagas’s stale review via 68924b3 March 5, 2024 14:16

sergargar requested a review from jfagoagas March 5, 2024 14:18

tests: fix ebs

6f33e1c

tests: fix config

8a81b44

jfagoagas previously approved these changes Mar 5, 2024

View reviewed changes

fix tests

3e92eb9

sergargar dismissed jfagoagas’s stale review via 3e92eb9 March 5, 2024 15:06

sergargar requested a review from jfagoagas March 5, 2024 15:06

jfagoagas approved these changes Mar 5, 2024

View reviewed changes

jfagoagas merged commit fcb2df9 into master Mar 5, 2024
11 of 12 checks passed

jfagoagas deleted the improve-resource-arn branch March 5, 2024 17:10

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(arn): improve resource ARNs in checks #3388

chore(arn): improve resource ARNs in checks #3388

sergargar commented Feb 12, 2024

codecov bot commented Feb 13, 2024 •

edited

Loading

jfagoagas left a comment

jfagoagas Feb 16, 2024

jfagoagas Feb 16, 2024

sergargar Feb 28, 2024 •

edited

Loading

sergargar Feb 28, 2024

jfagoagas left a comment

github-actions bot commented Feb 28, 2024

jfagoagas Feb 28, 2024

github-actions bot commented Feb 28, 2024

github-actions bot commented Feb 28, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

jfagoagas Mar 5, 2024

github-actions bot commented Mar 5, 2024

jfagoagas left a comment

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

jfagoagas left a comment

	report.region = cloudwatch_client.region
	report.region = logs_client.region

		@@ -9,7 +9,7 @@ def execute(self):
		report = Check_Report_AWS(self.metadata())
		report.region = region

chore(arn): improve resource ARNs in checks #3388

chore(arn): improve resource ARNs in checks #3388

Conversation

sergargar commented Feb 12, 2024

Description

License

codecov bot commented Feb 13, 2024 • edited Loading

Codecov Report

jfagoagas left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

sergargar Feb 28, 2024 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

jfagoagas left a comment

Choose a reason for hiding this comment

github-actions bot commented Feb 28, 2024

Choose a reason for hiding this comment

github-actions bot commented Feb 28, 2024

github-actions bot commented Feb 28, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented Mar 5, 2024

jfagoagas left a comment

Choose a reason for hiding this comment

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

github-actions bot commented Mar 5, 2024

jfagoagas left a comment

Choose a reason for hiding this comment

codecov bot commented Feb 13, 2024 •

edited

Loading

sergargar Feb 28, 2024 •

edited

Loading