
Refactor the AWS scanner to scan for _all_ resource types, instead of specific ones #575

Closed
ThomasLaPiana opened this issue May 4, 2022 · 3 comments · Fixed by #939

@ThomasLaPiana
Contributor

ThomasLaPiana commented May 4, 2022

Is your feature request related to a specific problem?

Currently, the AWS scanner can only return a narrow set of resource types.

Describe the solution you'd like

The AWS scanner should return resources of all types.

Describe alternatives you've considered, if any

A description of any alternative solutions or features you've considered.

Additional context

There seems to be an additional API that enables this (https://stackoverflow.com/questions/44391817/is-there-a-way-to-list-all-resources-in-aws)

We need:

  • name
  • arn
  • resource type
  • zone
@ThomasLaPiana
Contributor Author

@earmenda can you note here what is possible to get when scanning an entire AWS account?

@earmenda
Contributor

@ThomasLaPiana

I was able to find a full list of resource types which are supported by the resource tagging api here - https://docs.aws.amazon.com/resourcegroupstagging/latest/APIReference/supported-services.html

I also did some testing and was able to see what that looks like using this command:

aws resourcegroupstaggingapi get-resources | jq -r '.ResourceTagMappingList[].ResourceARN'

This returned 450 arns for our account with id 658462651023. This includes all sorts of things which I added to a page internally - https://ethyca.atlassian.net/wiki/spaces/EN/pages/2343862301/AWS+Resource+Tagging+Api

There are some downsides to this approach:

  • Some resources won't be available through this API, but I will need guidance on which resources we are interested in.
  • In the current code some resources rely on metadata to decide if a resource should be created. There is no way to do this through this API. An example of this is RDS, where we only create a system for an RDS database if it is not part of an RDS Cluster.
  • We will need some additional metadata for future use cases, so it's not clear to me how useful this API is.

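The following is an added example, not code from this thread or from the project itself. It takes a GetResources response of the shape returned by the `aws resourcegroupstaggingapi get-resources` command above and splits each ARN into the four fields the opening post asks for (name, arn, resource type, and the region, which is the closest thing an ARN carries to a "zone": the tagging API returns no availability zone). It also flags the case from the second downside above: an RDS `db` ARN does not say whether the instance belongs to a cluster, so those ARNs still need a follow-up `rds:DescribeDBInstances` call and a check of `DBClusterIdentifier` before the scanner can decide to skip them. The sample response, account id, and resource names are constructed for this example.

```python
"""Parse Resource Groups Tagging API output into scanner records.

Added example (not project code): turns the ARNs returned by
`aws resourcegroupstaggingapi get-resources` into name / arn / resource
type / region records, and flags the resources whose inclusion still
depends on metadata the tagging API does not return.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample in the shape of a GetResources response. The ARNs,
# account id and names are made up for this example.
SAMPLE_RESPONSE = {
    "ResourceTagMappingList": [
        {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:cluster:orders-cluster", "Tags": []},
        {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:orders-cluster-instance-1", "Tags": []},
        {"ResourceARN": "arn:aws:rds:us-east-1:123456789012:db:standalone-postgres", "Tags": []},
        {"ResourceARN": "arn:aws:s3:::customer-exports",
         "Tags": [{"Key": "env", "Value": "prod"}]},
        {"ResourceARN": "arn:aws:ec2:us-west-2:123456789012:instance/i-0123456789abcdef0", "Tags": []},
        {"ResourceARN": "arn:aws:iam::123456789012:role/service-role/lambda-exec", "Tags": []},
        {"ResourceARN": "arn:aws:dynamodb:us-east-1:123456789012:table/sessions", "Tags": []},
        {"ResourceARN": "arn:aws:sns:us-east-1:123456789012:alerts", "Tags": []},
    ]
}


@dataclass(frozen=True)
class Resource:
    arn: str
    service: str
    resource_type: Optional[str]   # None when the ARN has no type segment (s3, sns)
    name: str
    region: Optional[str]          # None for global services (iam, s3)
    account: Optional[str]
    tags: Dict[str, str] = field(default_factory=dict)


def parse_arn(arn: str, tags: Optional[List[dict]] = None) -> Resource:
    """Split an ARN into its six colon-separated fields, then split the
    resource field on whichever of '/' or ':' comes first to separate
    the resource type from the resource name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, _partition, service, region, account, resource = parts

    slash, colon = resource.find("/"), resource.find(":")
    if slash != -1 and (colon == -1 or slash < colon):
        resource_type, name = resource.split("/", 1)
    elif colon != -1:
        resource_type, name = resource.split(":", 1)
    else:
        resource_type, name = None, resource

    return Resource(
        arn=arn,
        service=service,
        resource_type=resource_type,
        name=name,
        region=region or None,
        account=account or None,
        tags={t["Key"]: t["Value"] for t in (tags or [])},
    )


def inventory(response: dict) -> List[Resource]:
    """Convert one GetResources page into Resource records."""
    return [parse_arn(m["ResourceARN"], m.get("Tags"))
            for m in response["ResourceTagMappingList"]]


def needs_metadata_lookup(resources: List[Resource]) -> List[str]:
    """ARNs whose 'is this a system?' decision cannot be made from the
    tagging response alone. RDS instances are the case from the thread:
    the ARN does not say whether the instance belongs to a cluster, so the
    scanner still has to call rds:DescribeDBInstances and read
    DBClusterIdentifier before deciding to skip it."""
    return [r.arn for r in resources if r.service == "rds" and r.resource_type == "db"]


def by_type(resources: List[Resource]) -> Dict[str, int]:
    """Count resources per 'service:type' so a reviewer can see what a
    whole-account scan actually contains."""
    counts: Dict[str, int] = {}
    for r in resources:
        key = f"{r.service}:{r.resource_type or '-'}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = inventory(SAMPLE_RESPONSE)
    for r in found:
        print(f"{r.service:<9} {r.resource_type or '-':<9} {r.region or 'global':<10} {r.name}")
    print("needs DescribeDBInstances:", needs_metadata_lookup(found))
```

Against a real account the response is paged (boto3 exposes this as `client.get_paginator("get_resources")`), so `inventory` would be called once per page; on the 450-ARN account mentioned above that is a handful of pages. Note also that GetResources only returns resources the tagging API supports, which is the first downside listed: anything outside that list still needs a service-specific describe call.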
@ThomasLaPiana
Contributor Author

Interesting, 450 seems like a lot!

If we think about the foundational reason for this feature's existence, it's to help people find systems within their AWS infrastructure. Maybe a good route to go here is to list all of the AWS resources that could potentially be a system and go from there? That way we can decide if the path of least resistance is using this API or updating our current solution to handle all of those resource types.
