diff --git a/README.md b/README.md
index cb7b04d..a7fa098 100644
--- a/README.md
+++ b/README.md
@@ -1,40 +1 @@
-# Compliance Framework Plugin Template
-
-This is a template for building a compliance framework plugin.
-
-Inspect main.go for a detailed description of how to build the plugin.
-
-## Prerequisites
-
-* GoReleaser https://goreleaser.com/install/
-
-## Building
-
-Once you are ready to serve the plugin, you need to build the binaries which can be used by the agent.
-
-```shell
-goreleaser release --snapshot --clean
-```
-
-## Usage
-
-You can use this plugin by passing it to the compliiance agent
-
-```shell
-agent --plugin=[PATH_TO_YOUR_BINARY]
-```
-
-## Releasing
-
-This plugin is released using goreleaser to build binaries, and Docker to build OCI artifacts (WIP), which will ensure a binary is built for most OS and Architecture combinations.
-
-You can find the binaries on each release of this plugin in the GitHub releases page.
-
-You can find the OCI implementations in the GitHub Packages page.
-
-[Not Yet Implemented] To run this plugin with the Compliance Agent, you can specify the release. The agent will take care of pulling the correct binary.
-
-```shell
-concom agent --plugin=https://github.com/compliance-framework/plugin-template/releases/tag/0.0.1
-```
-
+# AWS networking sercurity plugin
diff --git a/go.mod b/go.mod
index 907b59d..50636a5 100644
--- a/go.mod
+++ b/go.mod
@@ -1,8 +1,10 @@
-module github.com/compliance-framework/plugin-template
+module github.com/compliance-framework/plugin-aws-networking-security
 
 go 1.23.2
 
 require (
+	github.com/aws/aws-sdk-go-v2/config v1.29.9
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0
 	github.com/compliance-framework/agent v0.0.15
 	github.com/compliance-framework/configuration-service v0.0.5
 	github.com/google/uuid v1.6.0
@@ -14,6 +16,18 @@ require (
 require (
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/agnivade/levenshtein v1.2.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/defenseunicorns/go-oscal v0.6.2 // indirect
@@ -28,6 +42,7 @@ require (
 	github.com/hashicorp/yamux v0.1.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/moby/sys/user v0.3.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/open-policy-agent/opa v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 5c95b58..df018da 100644
--- a/go.sum
+++ b/go.sum
@@ -16,6 +16,34 @@ github.com/agnivade/levenshtein v1.2.0 h1:U9L4IOT0Y3i0TIlUIDJ7rVUziKi/zPbrJGaFrt
 github.com/agnivade/levenshtein v1.2.0/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
+github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM=
+github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg=
+github.com/aws/aws-sdk-go-v2/config v1.29.9 h1:Kg+fAYNaJeGXp1vmjtidss8O2uXIsXwaRqsQJKXVr+0=
+github.com/aws/aws-sdk-go-v2/config v1.29.9/go.mod h1:oU3jj2O53kgOU4TXq/yipt6ryiooYjlkqqVaZk7gY/U=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62 h1:fvtQY3zFzYJ9CfixuAQ96IxDrBajbBWGqjNTCa79ocU=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.62/go.mod h1:ElETBxIQqcxej++Cs8GyPBbgMys5DgQPTwo7cUPDKt8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0 h1:qzT4wyLo7ssa4QU8Xcf+h+iyCF4WTeQtM8fjr+UUKyI=
+github.com/aws/aws-sdk-go-v2/service/ec2 v1.208.0/go.mod h1:ouvGEfHbLaIlWwpDpOVWPWR+YwO0HDv3vm5tYLq8ImY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0=
+github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
@@ -168,8 +196,8 @@ github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkV
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/sys/sequential v0.5.0 h1:OPvI35Lzn9K04PBbCLW0g4LcFAJgHsvXsRyewg5lXtc=
 github.com/moby/sys/sequential v0.5.0/go.mod h1:tH2cOOs5V9MlPiXcQzRC+eEyab644PWKGRYaaV5ZZlo=
-github.com/moby/sys/user v0.1.0 h1:WmZ93f5Ux6het5iituh9x2zAG7NFY9Aqi49jjE1PaQg=
-github.com/moby/sys/user v0.1.0/go.mod h1:fKJhFOnsCN6xZ5gSfbM6zaHGgDJMrqt9/reuj4T7MmU=
+github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
+github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
 github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
diff --git a/main.go b/main.go
index 3557f90..24ba031 100644
--- a/main.go
+++ b/main.go
@@ -4,8 +4,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"os"
 	"time"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/ec2"
 	policyManager "github.com/compliance-framework/agent/policy-manager"
 	"github.com/compliance-framework/agent/runner"
 	"github.com/compliance-framework/agent/runner/proto"
@@ -22,223 +26,216 @@ type CompliancePlugin struct { config map[string]string } -// Configure, and Eval are called at different times during the plugin execution lifecycle, -// and are responsible for different tasks: -// -// Configure is called on plugin startup. It is primarily used to configure a plugin for its lifetime. -// Here you should store any configurations like usernames and password required by the plugin. -// -// Eval is called once for each scheduled execution with a list of policy paths and it is responsible -// for evaluating each of these policy paths against the data it requires to evaluate those policies. -// The plugin is responsible for collecting the data it needs to evaluate the policies in the Eval -// method and then running the policies against that data. -// -// The simplest way to handle multiple policies is to do an initial lookup of all the data that may -// be required for all policies in the method, and then run the policies against that data. This, -// however, may not be the most efficient way to run policies, and you may want to optimize this -// while writing plugins to reduce the amount of data you need to collect and store in memory. It -// is the plugins responsibility to ensure that it is (reasonably) efficient in its use of -// resources. -// -// A user starts the agent, and passes the plugin and any policy bundles. -// -// The agent will: -// - Start the plugin -// - Call Configure() with teh required config -// - Call PrepareForEval() so the plugin can collect the relevant state -// - Call Eval() with the first policy bundles (one by one, in turn), -// so the plugin can report any violations against the configuration -func (l *CompliancePlugin) Configure(req *proto.ConfigureRequest) (*proto.ConfigureResponse, error) { - - // Configure is used to set up any configuration needed by this plugin over its lifetime. - // This will likely only be called once on plugin startup, which may then run for an extended period of time. 
- - // In this method, you should save any configuration values to your plugin struct, so you can later - // re-use them in PrepareForEval and Eval. +type Tag struct { + Key string `json:"Key"` + Value string `json:"Value"` +} +func (l *CompliancePlugin) Configure(req *proto.ConfigureRequest) (*proto.ConfigureResponse, error) { l.config = req.GetConfig() return &proto.ConfigureResponse{}, nil } func (l *CompliancePlugin) Eval(request *proto.EvalRequest, apiHelper runner.ApiHelper) (*proto.EvalResponse, error) { - // Eval is used to run policies against the data you've collected in PrepareForEval. - // Eval will be called N times for every scheduled plugin execution where N is the amount of matching policies - // passed to the agent. - - // When a user passes multiple policy bundles to the agent, each will be passed to Eval in turn to run against the - // same data collected in PrepareForEval. - - var errAcc error - - data := map[string]interface{}{ - "hello": "world", - } - ctx := context.TODO() startTime := time.Now() - evalStatus := proto.ExecutionStatus_SUCCESS + var errAcc error - for _, policyPath := range request.PolicyPaths { - // The Policy Manager aggregates much of the policy execution and output structuring. 
- results, err := policyManager.New(ctx, l.logger, policyPath).Execute(ctx, "compliance_plugin", data) - - if err != nil { - l.logger.Error("Failed to evaluate against policy bundle", "error", err) - evalStatus = proto.ExecutionStatus_FAILURE - errAcc = errors.Join(errAcc, err) - continue - } + cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(os.Getenv("AWS_REGION"))) + if err != nil { + l.logger.Error("unable to load SDK config", "error", err) + evalStatus = proto.ExecutionStatus_FAILURE + errAcc = errors.Join(errAcc, err) + } - assessmentResult := runner.NewCallableAssessmentResult() - assessmentResult.Title = "Plugin template" + svc := ec2.NewFromConfig(cfg) - for _, result := range results { + // Describe Security Groups + output, err := svc.DescribeSecurityGroups(context.TODO(), &ec2.DescribeSecurityGroupsInput{}) + if err != nil { + l.logger.Error("cant list security groups", "error", err) + evalStatus = proto.ExecutionStatus_FAILURE + errAcc = errors.Join(errAcc, err) + } - // There are no violations reported from the policies. - // We'll send the observation back to the agent - if len(result.Violations) == 0 { - title := "The plugin succeeded. No compliance issues to report." - assessmentResult.AddObservation(&proto.Observation{ - Uuid: uuid.New().String(), - Title: &title, - Description: "The plugin policies did not return any violations. 
The configuration is in compliance with policies.", - Collected: timestamppb.New(time.Now()), - Expires: timestamppb.New(time.Now().AddDate(0, 1, 0)), // Add one month for the expiration - RelevantEvidence: []*proto.RelevantEvidence{ - { - Description: fmt.Sprintf("Policy %v was evaluated, and no violations were found on machineId: %s", result.Policy.Package.PurePackage(), "ARN:12345"), - }, - }, - Labels: map[string]string{ - "package": string(result.Policy.Package), - "type": "template", - }, - }) + var securityGroups []map[string]interface{} + for _, group := range output.SecurityGroups { + l.logger.Debug("SG ID: ", group.GroupId) + securityGroups = append(securityGroups, map[string]interface{}{ + "SecurityGroupID": aws.ToString(group.GroupId), + "IpPermissions": group.IpPermissions, + "IpPermissionsEgress": group.IpPermissionsEgress, + }) + } - assessmentResult.AddFinding(&proto.Finding{ - Title: fmt.Sprintf("No violations found on %s", result.Policy.Package.PurePackage()), - Description: fmt.Sprintf("No violations found on the %s policy within the Template Compliance Plugin.", result.Policy.Package.PurePackage()), - Target: &proto.FindingTarget{ - Status: &proto.ObjectiveStatus{ - State: runner.FindingTargetStatusSatisfied, - }, - }, - Labels: map[string]string{ - "package": string(result.Policy.Package), - "type": "template", - }, - }) + l.logger.Debug("evaluating data", securityGroups) + + // Run policy checks + for _, instance := range securityGroups { + for _, policyPath := range request.GetPolicyPaths() { + results, err := policyManager.New(ctx, l.logger, policyPath).Execute(ctx, "compliance_plugin", instance) + if err != nil { + l.logger.Error("policy evaluation failed", "error", err) + evalStatus = proto.ExecutionStatus_FAILURE + errAcc = errors.Join(errAcc, err) + continue } - // There are violations in the policy checks. 
- // We'll send these observations back to the agent - if len(result.Violations) > 0 { - title := fmt.Sprintf("The plugin found violations for policy %s on machineId: %s", result.Policy.Package.PurePackage(), "ARN:12345") - observationUuid := uuid.New().String() - assessmentResult.AddObservation(&proto.Observation{ - Uuid: observationUuid, - Title: &title, - Description: fmt.Sprintf("Observed %d violation(s) for policy %s within the Plugin on machineId: %s.", len(result.Violations), result.Policy.Package.PurePackage(), "ARN:12345"), - Collected: timestamppb.New(time.Now()), - Expires: timestamppb.New(time.Now().AddDate(0, 1, 0)), // Add one month for the expiration - RelevantEvidence: []*proto.RelevantEvidence{ - { - Description: fmt.Sprintf("Policy %v was evaluated, and %d violations were found on machineId: %s", result.Policy.Package.PurePackage(), len(result.Violations), "ARN:12345"), - }, - }, - Labels: map[string]string{ - "package": string(result.Policy.Package), - "type": "template", - }, - }) - - for _, violation := range result.Violations { - assessmentResult.AddFinding(&proto.Finding{ - Title: violation.Title, - Description: violation.Description, - Remarks: &violation.Remarks, - RelatedObservations: []*proto.RelatedObservation{ + // Build and send results (this is also from your existing logic) + assessmentResult := runner.NewCallableAssessmentResult() + assessmentResult.Title = "Security Group checks - AWS plugin" + + for _, result := range results { + + // There are no violations reported from the policies. + // We'll send the observation back to the agent + if len(result.Violations) == 0 { + title := "The plugin succeeded. No compliance issues to report." + assessmentResult.AddObservation(&proto.Observation{ + Uuid: uuid.New().String(), + Title: &title, + Description: "The plugin policies did not return any violations. 
The configuration is in compliance with policies.", + Collected: timestamppb.New(time.Now()), + Expires: timestamppb.New(time.Now().AddDate(0, 1, 0)), // Add one month for the expiration + RelevantEvidence: []*proto.RelevantEvidence{ { - ObservationUuid: observationUuid, + Description: fmt.Sprintf("Policy %v was evaluated, and no violations were found on machineId: %s", result.Policy.Package.PurePackage(), "ARN:12345"), }, }, + Labels: map[string]string{ + "package": string(result.Policy.Package), + "type": "aws-cloud--network-security", + "security_group_id": fmt.Sprintf("%v", instance["SecurityGroupID"]), + }, + }) + + status := runner.FindingTargetStatusSatisfied + assessmentResult.AddFinding(&proto.Finding{ + Title: fmt.Sprintf("No violations found on %s", result.Policy.Package.PurePackage()), + Description: fmt.Sprintf("No violations found on the %s policy within the Template Compliance Plugin.", result.Policy.Package.PurePackage()), Target: &proto.FindingTarget{ Status: &proto.ObjectiveStatus{ - State: runner.FindingTargetStatusNotSatisfied, + State: status, }, }, Labels: map[string]string{ - "package": string(result.Policy.Package), - "type": "template", + "package": string(result.Policy.Package), + "type": "aws-cloud--network-security", + "security_group_id": fmt.Sprintf("%v", instance["SecurityGroupID"]), }, }) } - } - for _, risk := range result.Risks { - links := []*proto.Link{} - for _, link := range risk.Links { - links = append(links, &proto.Link{ - Href: link.URL, - Text: &link.Text, + // There are violations in the policy checks. 
+ // We'll send these observations back to the agent + if len(result.Violations) > 0 { + title := fmt.Sprintf("The plugin found violations for policy %s on machineId: %s", result.Policy.Package.PurePackage(), "ARN:12345") + observationUuid := uuid.New().String() + assessmentResult.AddObservation(&proto.Observation{ + Uuid: observationUuid, + Title: &title, + Description: fmt.Sprintf("Observed %d violation(s) for policy %s", len(result.Violations), result.Policy.Package.PurePackage()), + Collected: timestamppb.New(time.Now()), + Expires: timestamppb.New(time.Now().AddDate(0, 1, 0)), // Add one month for the expiration + RelevantEvidence: []*proto.RelevantEvidence{ + { + Description: fmt.Sprintf("Policy %v was evaluated, and %d violations were found", result.Policy.Package.PurePackage(), len(result.Violations)), + }, + }, + Labels: map[string]string{ + "package": string(result.Policy.Package), + "type": "aws-cloud--network-security", + "security_group_id": fmt.Sprintf("%v", instance["SecurityGroupID"]), + }, }) + + for _, violation := range result.Violations { + status := runner.FindingTargetStatusNotSatisfied + assessmentResult.AddFinding(&proto.Finding{ + Title: violation.Title, + Description: violation.Description, + Remarks: &violation.Remarks, + RelatedObservations: []*proto.RelatedObservation{ + { + ObservationUuid: observationUuid, + }, + }, + Target: &proto.FindingTarget{ + Status: &proto.ObjectiveStatus{ + State: status, + }, + }, + Labels: map[string]string{ + "package": string(result.Policy.Package), + "type": "aws-cloud--network-security", + "security_group_id": fmt.Sprintf("%v", instance["SecurityGroupID"]), + }, + }) + } } - assessmentResult.AddRiskEntry(&proto.Risk{ - Title: risk.Title, - Description: risk.Description, - Statement: risk.Statement, - Props: []*proto.Property{}, - Links: []*proto.Link{}, - }) + for _, risk := range result.Risks { + links := []*proto.Link{} + for _, link := range risk.Links { + links = append(links, &proto.Link{ + Href: 
link.URL, + Text: &link.Text, + }) + } + + assessmentResult.AddRiskEntry(&proto.Risk{ + Title: risk.Title, + Description: risk.Description, + Statement: risk.Statement, + Props: []*proto.Property{}, + Links: links, + }) + } } - } - endTime := time.Now() + assessmentResult.Start = timestamppb.New(startTime) - // Send the results back to the agent using the API Helper process the agent created for us - assessmentResult.Start = timestamppb.New(startTime) - assessmentResult.End = timestamppb.New(endTime) + var endTime = time.Now() + assessmentResult.End = timestamppb.New(endTime) - assessmentResult.AddLogEntry(&proto.AssessmentLog_Entry{ - Title: protolang.String("Template check"), - Description: protolang.String("Template plugin checks completed successfully"), - Start: timestamppb.New(startTime), - End: timestamppb.New(endTime), - }) - - streamId, err := sdk.SeededUUID(map[string]string{ - "type": "template", - "policy": policyPath, - }) - if err != nil { - evalStatus = proto.ExecutionStatus_FAILURE - errAcc = errors.Join(errAcc, err) - continue - } - - err = apiHelper.CreateResult( - streamId.String(), - map[string]string{ - "type": "template", - }, - policyPath, - assessmentResult.Result(), - ) + streamId, err := sdk.SeededUUID(map[string]string{ + "type": "aws-cloud--network-security", + "_policy": policyPath, + }) + if err != nil { + l.logger.Error("Failed to seedUUID", "error", err) + evalStatus = proto.ExecutionStatus_FAILURE + errAcc = errors.Join(errAcc, err) + continue + } - if err != nil { - l.logger.Error("Failed to add assessment result", "error", err) - evalStatus = proto.ExecutionStatus_FAILURE - errAcc = errors.Join(errAcc, err) + assessmentResult.AddLogEntry(&proto.AssessmentLog_Entry{ + Title: protolang.String("Template check"), + Description: protolang.String("Template plugin checks completed successfully"), + Start: timestamppb.New(startTime), + End: timestamppb.New(endTime), + }) + + err = apiHelper.CreateResult( + streamId.String(), + 
map[string]string{ + "type": "aws-cloud--network-security", + "_policy": policyPath, + }, + policyPath, + assessmentResult.Result()) + if err != nil { + l.logger.Error("Failed to add assessment result", "error", err) + evalStatus = proto.ExecutionStatus_FAILURE + errAcc = errors.Join(errAcc, err) + } } } - resp := &proto.EvalResponse{ + return &proto.EvalResponse{ Status: evalStatus, - } - - return resp, errAcc + }, errAcc } func main() { @@ -251,7 +248,7 @@ func main() { logger: logger, } // pluginMap is the map of plugins we can dispense. - logger.Debug("initiating plugin") + logger.Debug("Initiating AWS network security plugin") goplugin.Serve(&goplugin.ServeConfig{ HandshakeConfig: runner.HandshakeConfig,
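Review bot: In the new Eval prologue a failed `config.LoadDefaultConfig` or `svc.DescribeSecurityGroups` only records the error and falls through, so on the second failure `output` is nil and `for _, group := range output.SecurityGroups` panics with a nil dereference instead of returning the accumulated FAILURE status; both branches need to return early. The single `DescribeSecurityGroups` call is also unpaginated, so in an account with more security groups than one page returns the remainder is never evaluated while the run still reports success for the groups it did see — iterate `ec2.NewDescribeSecurityGroupsPaginator` and collect every page before the policy loop. `l.logger.Debug("SG ID: ", group.GroupId)` logs a `*string` pointer rather than the ID, and template placeholders survive in the evidence and log text (`"ARN:12345"`, `"Template Compliance Plugin"`, `"Template check"`), which misattributes findings when the real identifier is already available as `instance["SecurityGroupID"]`. The added `Tag` type is unused in this hunk. Eval's signature and closing brace are both inside the hunk.
```go
	cfg, err := config.LoadDefaultConfig(ctx, config.WithRegion(os.Getenv("AWS_REGION")))
	if err != nil {
		l.logger.Error("unable to load SDK config", "error", err)
		return &proto.EvalResponse{Status: proto.ExecutionStatus_FAILURE}, err
	}
	svc := ec2.NewFromConfig(cfg)

	// Walk every page so large accounts are fully assessed; a failed page fails the run
	// rather than silently reporting on a partial inventory.
	var securityGroups []map[string]interface{}
	paginator := ec2.NewDescribeSecurityGroupsPaginator(svc, &ec2.DescribeSecurityGroupsInput{})
	for paginator.HasMorePages() {
		page, err := paginator.NextPage(ctx)
		if err != nil {
			l.logger.Error("cant list security groups", "error", err)
			return &proto.EvalResponse{Status: proto.ExecutionStatus_FAILURE}, err
		}
		for _, group := range page.SecurityGroups {
			l.logger.Debug("collected security group", "id", aws.ToString(group.GroupId))
			securityGroups = append(securityGroups, map[string]interface{}{
				"SecurityGroupID":     aws.ToString(group.GroupId),
				"IpPermissions":       group.IpPermissions,
				"IpPermissionsEgress": group.IpPermissionsEgress,
			})
		}
	}
	// … unchanged: policy loop and result reporting …
```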