[Asset Inventory] [AWS] Add setup to support integration testing and automatic provisioning for Asset Inventory (#2477)

Author: kubasobon

.ci/scripts/set_cloud_env_params.sh

@@ -32,6 +32,10 @@ EC2_KSPM=$(terraform output -raw ec2_kspm_ssh_cmd)
 echo "::add-mask::$EC2_KSPM"
 echo "EC2_KSPM=$EC2_KSPM" >>"$GITHUB_ENV"
 
+EC2_ASSET_INV=$(terraform output -raw ec2_asset_inventory_ssh_cmd)
+echo "::add-mask::$EC2_ASSET_INV"
+echo "EC2_ASSET_INV=$EC2_ASSET_INV" >>"$GITHUB_ENV"
+
 EC2_CSPM_KEY=$(terraform output -raw ec2_cspm_key)
 echo "::add-mask::$EC2_CSPM_KEY"
 echo "EC2_CSPM_KEY=$EC2_CSPM_KEY" >>"$GITHUB_ENV"
@@ -40,10 +44,18 @@ EC2_KSPM_KEY=$(terraform output -raw ec2_kspm_key)
 echo "::add-mask::$EC2_KSPM_KEY"
 echo "EC2_KSPM_KEY=$EC2_KSPM_KEY" >>"$GITHUB_ENV"
 
+EC2_ASSET_INV_KEY=$(terraform output -raw ec2_asset_inventory_key)
+echo "::add-mask::$EC2_ASSET_INV_KEY"
+echo "EC2_ASSET_INV_KEY=$EC2_ASSET_INV_KEY" >>"$GITHUB_ENV"
+
 KSPM_PUBLIC_IP=$(terraform output -raw ec2_kspm_public_ip)
 echo "::add-mask::$KSPM_PUBLIC_IP"
 echo "KSPM_PUBLIC_IP=$KSPM_PUBLIC_IP" >>"$GITHUB_ENV"
 
+ASSET_INV_PUBLIC_IP=$(terraform output -raw ec2_asset_inventory_public_ip)
+echo "::add-mask::$ASSET_INV_PUBLIC_IP"
+echo "ASSET_INV_PUBLIC_IP=$ASSET_INV_PUBLIC_IP" >>"$GITHUB_ENV"
+
 CSPM_PUBLIC_IP=$(terraform output -raw ec2_cspm_public_ip)
 echo "::add-mask::$CSPM_PUBLIC_IP"
 echo "CSPM_PUBLIC_IP=$CSPM_PUBLIC_IP" >>"$GITHUB_ENV"

.github/actions/aws-asset-inventory-ci/action.yml

@@ -0,0 +1,69 @@
+name: 'AWS Asset Inventory CI'
+description: 'AWS Asset Inventory integration tests'
+inputs:
+  elk-version:
+    description: 'ELK version'
+    required: true
+  aws-access-key-id:
+    description: 'AWS access key id'
+    required: true
+  aws-secret-access-key:
+    description: 'AWS secret access key'
+    required: true
+  aws-account-type:
+    description: 'AWS account type'
+    required: false
+    default: single-account
+
+  debug:
+    description: 'debug'
+    required: false
+    default: 'false'
+runs:
+  using: composite
+  steps:
+    - name: Init Integration
+      uses: ./.github/actions/init-integration
+      with:
+        elk-version: ${{ inputs.elk-version }}
+
+    - name: Run cloudbeat in background
+      env:
+        ES_HOST: http://localhost:9200
+        ES_USERNAME: elastic
+        ES_PASSWORD: changeme
+        AWS_ACCESS_KEY_ID: ${{ inputs.aws-access-key-id }}
+        AWS_SECRET_ACCESS_KEY: ${{ inputs.aws-secret-access-key }}
+        AWS_ACCOUNT_TYPE: ${{ inputs.aws-account-type }}
+      shell: bash
+      run: |
+        ./cloudbeat -c deploy/aws-asset-inventory/cloudbeat-aws-asset-inventory.yml -d '*' &
+
+    - name: Wait for cloudbeat to send some events
+      shell: bash
+      run: sleep 20
+
+    - name: Check for assets
+      working-directory: ./tests
+      env:
+        USE_K8S: "false"
+      shell: bash
+      run: poetry run pytest -k "asset_inventory_aws" --alluredir=./allure/results/ --clean-alluredir
+
+    - name: Upload test results
+      if: ${{ always() }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: allure-results-ci-aws-asset-inventory
+        path: tests/allure/results/
+        overwrite: true
+
+    - if: ${{ failure() || cancelled() || inputs.debug == 'true' }}
+      name: Upload cloudbeat logs
+      uses: actions/upload-artifact@v4
+      with:
+        name: cloubeat-logs-ci-aws-asset-inventory
+        path: logs/
+        if-no-files-found: warn
+        retention-days: 1
+        overwrite: true

.github/actions/aws-ci/action.yml

@@ -48,7 +48,7 @@ runs:
       env:
         USE_K8S: "false"
       shell: bash
-      run: poetry run pytest -k "aws" --alluredir=./allure/results/ --clean-alluredir
+      run: poetry run pytest -k "cspm_aws" --alluredir=./allure/results/ --clean-alluredir
 
     - name: Upload test results
       if: ${{ always() }}

.github/actions/azure-ci/action.yml

@@ -49,7 +49,7 @@ runs:
       env:
         USE_K8S: "false"
       shell: bash
-      run: poetry run pytest -k "azure" --alluredir=./allure/results/ --clean-alluredir
+      run: poetry run pytest -k "cspm_azure" --alluredir=./allure/results/ --clean-alluredir
 
     - name: Upload test results
       if: ${{ always() }}

.github/workflows/ci.yml

@@ -76,6 +76,28 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
           aws-account-type: single-account
 
+  ci-aws-asset-inventory:
+    needs: [ init-hermit ]
+    name: AWS Asset Inventory CI
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    permissions:
+      contents: "read"
+      id-token: "write"
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Hermit Environment
+        uses: ./.github/actions/hermit
+
+      - name: Run AWS Asset Inventory integration tests
+        uses: ./.github/actions/aws-asset-inventory-ci
+        with:
+          elk-version: ${{ env.ELK_VERSION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }}
+
   ci-gcp:
     needs: [ init-hermit ]
     name: CIS GCP CI
@@ -225,6 +247,7 @@ jobs:
     needs:
       - ci-azure
       - ci-aws
+      - ci-aws-asset-inventory
       - ci-gcp
       - ci-cnvm
       - ci-k8s

.github/workflows/test-environment.yml

@@ -305,6 +305,7 @@ jobs:
           aws s3 cp "./terraform.tfstate" "${S3_BUCKET}/terraform.tfstate"
           aws s3 cp "${EC2_CSPM_KEY}" "${S3_BUCKET}/cspm.pem"
           aws s3 cp "${EC2_KSPM_KEY}" "${S3_BUCKET}/kspm.pem"
+          aws s3 cp "${EC2_ASSET_INV_KEY}" "${S3_BUCKET}/asset_inv.pem"
           echo "s3-bucket-folder=${S3_BUCKET}" >> $GITHUB_OUTPUT
           echo "aws-cnvm-stack=${CNVM_STACK_NAME}" >> $GITHUB_OUTPUT
           python3 ../../.ci/scripts/create_env_config.py
@@ -473,17 +474,31 @@ jobs:
           cmd="chmod +x $scriptname && ./$scriptname"
           ../../.ci/scripts/remote_setup.sh -k "$EC2_CSPM_KEY" -s "$src" -h "$CSPM_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
 
+      - name: Install AWS Asset Inventory integration
+        id: aws-asset-inventory
+        working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }}
+        run: |
+          poetry run python ./install_aws_asset_inventory_integration.py
+
+      - name: Deploy AWS Asset Inventory agent
+        run: |
+          scriptname="aws-asset-inventory-linux.sh"
+          src="../../$INTEGRATIONS_SETUP_DIR/$scriptname"
+          cmd="chmod +x $scriptname && ./$scriptname"
+          ../../.ci/scripts/remote_setup.sh -k "$EC2_ASSET_INV_KEY" -s "$src" -h "$ASSET_INV_PUBLIC_IP" -d "~/$scriptname" -c "$cmd"
+
       - name: Upload Integrations data
         if: always()
         env:
           S3_BUCKET: "${{ env.S3_BASE_BUCKET }}/${{ env.DEPLOYMENT_NAME }}_${{ env.TF_STATE_FOLDER }}"
         working-directory: ${{ env.INTEGRATIONS_SETUP_DIR }}
         run: |
-          aws s3 cp "./kspm_unmanaged.yaml" "${{ env.S3_BUCKET }}/kspm_unmanaged.yaml"
-          aws s3 cp "./kspm_d4c.yaml" "${{ env.S3_BUCKET }}/kspm_d4c.yaml"
-          aws s3 cp "./kspm_eks.yaml" "${{ env.S3_BUCKET }}/kspm_eks.yaml"
-          aws s3 cp "./cspm-linux.sh" "${{ env.S3_BUCKET }}/cspm-linux.sh"
-          aws s3 cp "./state_data.json" "${{ env.S3_BUCKET }}/state_data.json"
+          aws s3 cp "./kspm_unmanaged.yaml" "$S3_BUCKET/kspm_unmanaged.yaml"
+          aws s3 cp "./kspm_d4c.yaml" "$S3_BUCKET/kspm_d4c.yaml"
+          aws s3 cp "./kspm_eks.yaml" "$S3_BUCKET/kspm_eks.yaml"
+          aws s3 cp "./cspm-linux.sh" "$S3_BUCKET/cspm-linux.sh"
+          aws s3 cp "./aws-asset-inventory-linux.sh" "$S3_BUCKET/aws-asset-inventory-linux.sh"
+          aws s3 cp "./state_data.json" "$S3_BUCKET/state_data.json"
 
       - name: Install Agentless integrations
         id: agentless

.gitignore

@@ -32,6 +32,8 @@ vendor/*
 test-logs/*.log
 tests/allure/results/*
 tests/allure/reports/*
+tests/integrations_setup/state_data.json
+tests/integrations_setup/*.sh
 
 # vscode
 .vscode*

deploy/aws-asset-inventory/cloudbeat-aws-asset-inventory.yml

@@ -0,0 +1,64 @@
+cloudbeat:
+  type: cloudbeat/asset_inventory
+  config:
+    v1:
+      type: asset_inventory
+      asset_inventory_provider: aws
+      aws:
+        credentials:
+          access_key_id: ${AWS_ACCESS_KEY_ID:""}
+          secret_access_key: ${AWS_SECRET_ACCESS_KEY:""}
+        account_type: ${AWS_ACCOUNT_TYPE:""}
+  # Defines how often an event is sent to the output
+  period: 30s
+  evaluator:
+    decision_logs: false
+# =================================== Kibana ===================================
+setup.kibana:
+  # Kibana Host
+  host: "http://host.docker.internal:5601"
+# =============================== Elastic Cloud ================================
+
+# These settings simplify using Cloudbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+# ---------------------------- Elasticsearch Output ----------------------------
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ${ES_HOST}
+
+  # Protocol - either `http` (default) or `https`.
+  #  protocol: "https"
+
+  # Authentication credentials - either API key or username/password.
+  #api_key: "id:api_key"
+  username: ${ES_USERNAME}
+  password: ${ES_PASSWORD}
+
+  # Enable to allow sending output to older ES versions
+  allow_older_versions: true
+
+# ================================= Processors =================================
+processors:
+  - add_cloud_metadata: ~
+  - add_docker_metadata: ~
+  - drop_fields:
+      fields: ["host.name"]
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+logging.level: debug
+# Enable debug output for selected components. To enable all selectors use ["*"]
+# Other available selectors are "beat", "publisher", "service"
+# Multiple selectors can be chained.
+#logging.selectors: ["publisher"]
+
+# Send all logging output to stderr. The default is false.
+#logging.to_stderr: false

deploy/test-environments/main.tf

@@ -47,6 +47,16 @@ module "aws_ec2_for_cspm" {
   specific_tags   = merge(local.common_tags, { "ec2_type" : "cspm" })
 }
 
+module "aws_ec2_for_asset_inventory" {
+  source          = "../cloud/modules/ec2"
+  providers       = { aws : aws }
+  aws_ami         = var.ami_map[var.region]
+  deploy_k8s      = false
+  deploy_agent    = false # Agent will not be deployed
+  deployment_name = "${var.deployment_name}-${random_string.suffix.result}"
+  specific_tags   = merge(local.common_tags, { "ec2_type" : "asset_inventory" })
+}
+
 module "gcp_audit_logs" {
   count                    = var.cdr_infra ? 1 : 0
   providers                = { google : google }
@@ -55,7 +65,6 @@ module "gcp_audit_logs" {
   deployment_name          = var.deployment_name
   network                  = "default"
   specific_tags            = merge(local.common_tags, { "vm_instance" : "audit-logs" })
-
 }
 
 resource "random_string" "suffix" {

deploy/test-environments/output.tf

@@ -37,6 +37,21 @@ output "ec2_cspm_key" {
   sensitive = true
 }
 
+output "ec2_asset_inventory_ssh_cmd" {
+  value     = module.aws_ec2_for_asset_inventory.cloudbeat_ssh_cmd
+  sensitive = true
+}
+
+output "ec2_asset_inventory_public_ip" {
+  value     = module.aws_ec2_for_asset_inventory.aws_instance_cloudbeat_public_ip
+  sensitive = true
+}
+
+output "ec2_asset_inventory_key" {
+  value     = module.aws_ec2_for_asset_inventory.ec2_ssh_key
+  sensitive = true
+}
+
 output "ec2_cloudtrail_ssh_cmd" {
   value     = var.cdr_infra ? module.aws_ec2_for_cloudtrail[0].cloudbeat_ssh_cmd : null
   sensitive = true

tests/commonlib/io_utils.py

@@ -56,6 +56,57 @@ def get_events_from_index(
     return events
 
 
+def get_assets_from_index(
+    elastic_client,
+    category: str,
+    sub_category: str,
+    type_: str,
+    sub_type: str,
+    time_after: datetime,
+) -> list[Munch]:
+    """
+    Resturns assets from a given index matching given classification.
+    @param elastic_client: Client to connect to Elasticsearch.
+    @param category: Asset category used as a filter
+    @param sub_category: Asset subcategory used as a filter
+    @param type: Asset type used as a filter
+    @param sub_type: Asset subtype used as a filter
+    @param time_after: Filter events having timestamp > time_after
+    @return: List of Munch objects
+    """
+    query = {
+        "bool": {
+            "must": [
+                {"match": {"asset.category": category}},
+                {"match": {"asset.sub_category": sub_category}},
+                {"match": {"asset.type": type_}},
+                {"match": {"asset.sub_type": sub_type}},
+            ],
+            "filter": [
+                {
+                    "range": {
+                        "@timestamp": {
+                            "gte": time_after.strftime("%Y-%m-%dT%H:%M:%S.%f"),
+                        },
+                    },
+                },
+            ],
+        },
+    }
+    sort = [{"@timestamp": {"order": "desc"}}]
+    result = elastic_client.get_index_data(
+        query=query,
+        sort=sort,
+        size=1000,
+    )
+
+    assets = []
+    for asset in munchify(dict(result)).hits.hits:
+        assets.append(asset._source)
+
+    return assets
+
+
 def get_logs_from_stream(stream: str) -> list[Munch]:
     """
     This function converts logs stream to list of Munch objects (dictionaries)