Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Implement support for Macie member accounts #323

Merged
merged 15 commits into from
Jul 18, 2022
Merged

Conversation

zackproser
Copy link
Contributor

@zackproser zackproser commented Jul 6, 2022

Description

Fixes #322 by implementing support for "nuking" Macie accounts that were created by Invitation only. (Macie member accounts created via AWS Organizations do not have sufficient permissions to disassociate themselves from the Org).

Programmatic testing with Macie is pretty awkward. I found that you can continuously accept an invite from another account to become a member account, then disassociate yourself (nuke), then re-use the same standing invitation to re-associate yourself as a member account. I'm currently using this workaround to leave a "standing" invite from our phxdevops account in us-east-1 for sanity.

We could expand our test coverage out to other regions, but that would just require maintaining a map of regions to standing invitation IDs.

Furthermore, Macie member accounts don't expose anything useful to us in terms of filtering resources by their creation time, so the usual semantics of excludeAfter won't work here. As a result, I just include all found member Macie accounts as nuke-able.

TODOs

Read the Gruntwork contribution guidelines.

  • Update the docs.
  • Run the relevant tests successfully, including pre-commit checks.
  • Ensure any 3rd party code adheres with our license policy or delete this line if its not applicable.
  • Include release notes. If this PR is backward incompatible, include a migration guide.

Release Notes (draft)

Added / Removed / Updated [X].

Migration Guide

Implement support for inspecting and nuking Macie member accounts that were created via Invitation only. (Macie member accounts created via AWS Organizations are not able to disassociate themselves).

@zackproser zackproser changed the title [WIP] Implement support for Macie member accounts Implement support for Macie member accounts Jul 12, 2022
Copy link
Contributor

@yorinasub17 yorinasub17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly LGTM! Had a few nits on terminology, and a potential bug in the if logic.

aws/macie.go Outdated Show resolved Hide resolved
aws/aws.go Outdated Show resolved Hide resolved
aws/macie.go Outdated Show resolved Hide resolved
aws/macie.go Outdated Show resolved Hide resolved
aws/macie.go Outdated Show resolved Hide resolved
aws/macie_types.go Outdated Show resolved Hide resolved
aws/macie_test.go Outdated Show resolved Hide resolved
rhoboat
rhoboat previously approved these changes Jul 13, 2022
Copy link
Contributor

@rhoboat rhoboat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@zackproser
Copy link
Contributor Author

zackproser commented Jul 14, 2022

Thanks for reviews @yorinasub17 and @rhoboat - looks like we're actually running cloud-nuke against phxdevops, so I updated our test invite and account ID and the Macie test is now passing.

Current failure is a single known flaky test, so I think this is ready for another look.

"github.com/gruntwork-io/go-commons/errors"
)

func getAllMacieMemberAccounts(session *session.Session, excludeAfter time.Time, configObj config.Config) ([]string, error) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Noticed that excludeAfter and configObj aren't used now or this is for future usage?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah - unfortunately we can't really implement this pattern with Macie member accounts. Since account membership is determined by the invitation acceptance status, and since the API doesn't expose when an account last accepted an invite, we don't have much to go off.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps remove it from the arg list and add a comment indicating that we can't support it?

Copy link
Contributor

@yorinasub17 yorinasub17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly LGTM! Found two potential bugs.

aws/macie.go Outdated Show resolved Hide resolved
Comment on lines 35 to 42
// Macie is not very conducive to programmatic testing. In order to make this test work, we maintain a standing invite
// from our phxdevops test account to our nuclear-wasteland account. We can continuously "nuke" our membership because
// Macie supports a member account *that was invited* to remove its own association at any time. Meanwhile, disassociating
// in this manner does not destroy or invalidate the original invitation, which allows us to to continually re-accept it
// from our nuclear-wasteland account (where cloud-nuke tests are run), just so that we can nuke it again
//
// Macie is also regional, so for the purposes of cost-savings and lower admin overhead, we're initially only testing this
// in the one hardcoded region
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this have risk of breaking our macie test in the other repos? E.g., in CIS service catalog: https://github.com/gruntwork-io/terraform-aws-cis-service-catalog/blob/master/test/security/macie_test.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I can tell, that test is using a very similar pattern:

  • The Sandbox account is the administrator account, which invites phxdevops
  • Phxdevops accepts the invite, to become a member account of Sandbox

However, Macie is regional, and the CIS service catalog test is using regions in the EU, whereas this cloud-nuke Macie test is currently hardcoded to us-east-1.

I think that will prevent conflict - so long as neither test has its testing regions expanded.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added more context in 7438eea

aws/macie.go Outdated Show resolved Hide resolved
@zackproser
Copy link
Contributor Author

Looks like the current test failure is TestListElasticacheClustersWithConfigFile which is marked as Flaky.

Copy link
Contributor

@yorinasub17 yorinasub17 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly LGTM! Just had one nit regarding the extraneous args.

"github.com/gruntwork-io/go-commons/errors"
)

func getAllMacieMemberAccounts(session *session.Session, excludeAfter time.Time, configObj config.Config) ([]string, error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps remove it from the arg list and add a comment indicating that we can't support it?

@zackproser
Copy link
Contributor Author

Thanks for review! I'll merge this PR now and open a follow-up to make the improvement you suggested.

@zackproser zackproser merged commit 127dad6 into master Jul 18, 2022
@zackproser zackproser deleted the feature/macie branch July 18, 2022 18:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Feaure: Add support for Macie member accounts
4 participants