Riffdog Terraform scanner - finding 'things' in the Real World (aka AWS) which Terraform didn't put there.

Overview

riffdog

Riffdog Terraform / Reality scanner - finding 'things' in the Real World which Terraform didn't put there.

This project works by firstly loading your terraform state files - not your terraform files, and building a memory object that represents what terraform thinks it has deployed. The second step is then to access your environment and actually look what is there, and it builds another memory object.

Then it compares the two, and looks for:

  • Things that TF put there, but arn't there
  • Things that are there, that TF doesn't know about

For this to work, you must install a resouce pack, for instance riffdog_aws

Command line vs Library

Riffdog is both a command line tool and a python library. The command line tool basically creates a config object and calls the scan method.

To install (for example with the AWS resources)

$ pip install riffdog[aws]

To run:

$ riffdog -b bucketname_containing_states

For full command line reference, please see the docs #FIXME - link to docs!

Light vs Full Scan mode

AWS and Terraform are very complex: for instance, a EC2 instance is a computer, a collection of network cards, volumes, etc. In 'light' mode, we do a high level scan to see if all the main components are there - in 'full' mode, it inspects all elements (as far as RiffDog is aware of, see below) - i.e. checks that all network cards, volumes, etc are mounted as intended.

Ignores

Its important to realise that not all infrastructure is deployed via TF - for instance auto scaling, or service discovery systems may be interacting with your infrastructure, and this is OK, but you don't want RiffDog raising alerts on those.

Caveats:

This is pretty much always a work under development, as AWS adds more features modules etc. The system is designed to be modular, but we're only able to keep up with modules that we use - so if you use a feature of AWS that we don't scan please feel free to add a module. If you need help, please contact us or file a ticket.

Testing

Automated testing of this system is quite difficult. Ultimatly these are here to make sure that changes to internal data structures do not break other functions (e.g. some data objects such as network interfaces are used by multiple features: both EC2 instances and Lambdas). The real test is whether it works against the current Terraform and AWS API's, not a snapshot from previous years.

  • Tests go into the tests folder,
  • Tox is used to make sure compatibility with various versions of python & libraries
Comments
  • Run tests on GitHub actions

    Run tests on GitHub actions

    Since I added a couple of tests, would be nice to actually run them presumably on GH actions if we can.

    Also, I used pytest because it's much nicer than nose (is nose even still used nowadays)?

    opened by dreynolds 2
  • Change the to_scan module process

    Change the to_scan module process

    This is an issue where new modules need to be added - but does it make sense to actually require this setting, i.e. shouldn't it be based on what modules there are in the discovery mode? And then allow (in future) config to --exclude particular modules (or white list), but by default use all available modules?

    enhancement question 
    opened by jmons 2
  • Dynamic Module Loading & Registration

    Dynamic Module Loading & Registration

    This comes with some notes, and items which might want to be changed:

    1. New 'resource' (was called modules) go into the resources folder. EAch file should contain One (or more) classes
    2. Should implement the Resource class - I've steered clear of "aws" terminology here so that in future resources can be for anything - I've used 'terraform' for the terraform and 'real' for things that actually exist (or don't)... (debate naming strategy)
    3. must decorate the class with the register decorator so that it links the state file to the class.

    Nothing else is needed - the class instance management is handled by the scanner, and it will find all classes in that folder.

    What I think is very much up for debate is this particular class interface - I don't think you can get away from the 'process state' (which is process an element in the state, not process the entire state file) being called multiple times, but perhaps the fetch_real_resources shouldn't take 'region' but a config, and in that config if its AWS it looks for aws_regions or something?

    from ..resource import Resource, register
    
    @register("aws-name-in-state-file")
    class MyResource(Resource):
        _local_real_things = {}
        _local_terraform_things = {} 
    
        def fetch_real_resources(self, region):
            # This may be called multiple times for each region in the scan list
            # i.e. append
            raise NotImplementedError()
    
        def process_state_resource(state_resource):
            # This function is called potentilly multiple times as each resource
            # is discovered by the state scanner i.e. append results to local store
            raise NotImplementedError()
    
        def compare(self, depth):
            # this function should be called once, take the local data and return
            # an array of result elements.
            raise NotImplementedError()
    

    More code cleanup is probably possible, I think I got all the debug entries into debug (don't try running with -vvv unless you're very brave (boto debug output becomes manic - fixing that requires a full logging config i.e. waiting for the configure file ticket).

    enhancement 
    opened by jmons 2
  • Fix `--exclude-resource` support and add `--include-resource` support

    Fix `--exclude-resource` support and add `--include-resource` support

    Fixes #45 If anything is in include-resource it completely overrides exclude-resource so it's like starting from a blank list.

    I went for --include-resource instead of --only so that the arguments are logically matched with --exclude-resource

    Happy to change if others disagree

    opened by dreynolds 1
  • Logging initialisation (First & Second Arg Parse)

    Logging initialisation (First & Second Arg Parse)

    Logging is not initialised until the Second argparse, which means logging in the initial import scan is impossible. This means exceptions in the import are completely silent and ignored.

    Some arguments need to be in both first and second - first to be parsed and second so the help works. Perhaps all core arguments?

    bug 
    opened by jmons 1
  • Framework to handle modules arguments

    Framework to handle modules arguments

    --region is really an aws argument - i.e. --aws_region but how does argparser (which hasn't had the module scanner run) know what the extra arguments are? Does it need to run twice, once before and one after loading?

    enhancement 
    opened by jmons 1
  • Adding basics for RDS Clusters (cluster, instances and param groups)

    Adding basics for RDS Clusters (cluster, instances and param groups)

    Implements https://github.com/jmons/riffdog/issues/17

    Added

    • RDS Cluster basics (cluster, instances, parameter groups.

    Fixed

    • Minor bug where the ResourceDirectory didnt have self in its str.
    • In order to support foldered module structure, the dynamic importing has changed a little.
    opened by Jamian 1
  • Documentation & Homepage revamp

    Documentation & Homepage revamp

    Giant homepage and docs revamp

    • making the home page more welcoming / project home page
    • added youtube video link (video needs review as well, see dm's)
    • added mailchimp (this may need a patch) for signup to news etc
    • added core team

    Then

    • fixed some of the help docs with some examples - because --help is quite good but brief, perhaps the command line reference morphs to being some tips and tricks type help? Don't want to really duplicate the wording of --help?
    • updated release notes to include the 0.1.0 release.
    opened by jmons 0
  • Initial command line tests using resource pack and module loader.

    Initial command line tests using resource pack and module loader.

    This is a relatively larger refactor

    1. It removes support for v3 state file (see #55 )
    2. It adds support for a file based state (and folder based state) - these don't have a named arguments but just go on the end of the command.
    3. it also adds support for the -b option to be a single folder or path e.g. -b bucketname/folder/ which speeds up dev/testing, especially with the --include-resource
    4. It fixes a bug in the alias - where before we had a bug that the --include-resource option did not apply to the scanning in state files, that fix introduced a new one where it excluded aliased. This fix now means that it will be included if the 'root' is in the list.

    In terms of testing, it now contains 2 state files, so when testing the core you can now do

    $ pip install -e tests/test_resource_pack
    $ riffdog -i test_resource_pack tests/test_state_files/
    

    The tox tests install the resource pack & then check that a scan finds the right items etc.

    opened by jmons 0
  • Bucket to Scan Hard Coded

    Bucket to Scan Hard Coded

    Looks like last merge we accidentally left in some code that was there to help with local devving. Flipping that back out (commenting it) and uncommenting the actual, release ready code that scans buckets dynamically.

    opened by Jamian 0
  • Revisit `--exclude` and create an `--only` option

    Revisit `--exclude` and create an `--only` option

    Using --exclude is more difficult now there are lots of resources - instead we should consider using an --only element to specify.

    I don't like the word --only though so feedback and ideas here appreciated.

    enhancement hot 
    opened by jmons 0
  • Proposal: Drop State file V3 support

    Proposal: Drop State file V3 support

    Whilst I added explicit support for V3 state files in 0.1.0, it seems that the structure of the individual states in the file are not compatible with V4- I had assumed they were because v4 states have schema_versions set to 0, which I assumed meant the state structure hadn't changed.

    But they have.

    In an upcoming PR, I have removed support for v3- explicitly with a warning.

    I think we need to set an overall output flag and change the table to indicate that there were states which look like tf states but we could not understand - but I think this ties into a statistics output so that a user knows what 'coverage' they are getting of their environment.

    documentation enhancement hot 
    opened by jmons 2
  • Dirty Reasons (not just a flag)

    Dirty Reasons (not just a flag)

    Implement a framework on the FoundItem (and then outputs) to store a Dirty Reason list, so that you know why a thing is dirty, not just given a flag.

    Consider output, and also perhaps guidance how to use it so outputs are concise.

    enhancement hot 
    opened by jmons 0
  • Investigate potential conflict of `depends_on` and `--exclude-resource`

    Investigate potential conflict of `depends_on` and `--exclude-resource`

    Consider the edge case:

    class Foo:
         ...
    
    class Bar:
        depends_on = [Foo]
        ...
    

    and then $ riffdog --exclude-resource Foo

    I think without checking that this means foo's real gets executed even though its states got ignored (?) (or it will error because Foo wasn't registered, not sure where the --exclude kicks in).

    question 
    opened by jmons 0
  • Config File Support

    Config File Support

    At the moment we're heading rapidly towards using just command line arguments, but I think we need to support a config file especially as we head towards more complex arguments such as AWS credentials etc.

    What do we want for this? YAML? (and then problems with yaml library imports - the pyyaml parser seems to have a lot of security patches which are mostly irrelevant in our case, but looks bad if we don't roll updates).

    enhancement 
    opened by jmons 1
  • Output to HTML

    Output to HTML

    It would be nice for this to have the option to generate a pretty output in HTML form. Useful if running this in an automated environment and you want to be able to link to a page/report. Something that is a bit more human friendly.

    One suggestion was to use Jinja and have it as optional?

    enhancement hot 
    opened by Jamian 2
Releases(0.1.0)
  • 0.1.0(Mar 2, 2020)

    Welcome to the beta release of Riffdog.

    To install this, please follow the guide - you will need at least one 'resource pack', and at the time of writing only the riffdog_aws resource pack exists.

    pip install riffdog[aws]

    Then to run:

    riffdog -b bucket_name_containing_states --show-matched

    Major changes:

    • The return data structure is radically different to before, which makes resource pack developers life easier.
    • Streamlined tabulated data outputs.
    • Introduced 'dirty' flag to indicate where resources exist, but do not match in some form of sub-data element.
    Source code(tar.gz)
    Source code(zip)
Owner
Riffdog
Community to support the riffdog app, riffdog plugins and associated repositories.
Riffdog
Terraform Cloud CLI for Managing Workspace Terraform Versions

Terraform Cloud Version Manager This tiny script makes it easy to update the Terraform Version on all of the Workspaces inside Terraform Cloud. It wil

Robert Hafner 1 Jan 7, 2022
Aws-cidr-finder - A Python CLI tool for finding unused CIDR blocks in AWS VPCs

aws-cidr-finder Overview An Example Installation Configuration Contributing Over

Cooper Walbrun 18 Jul 31, 2022
Automated AWS account hardening with AWS Control Tower and AWS Step Functions

Automate activities in Control Tower provisioned AWS accounts Table of contents Introduction Architecture Prerequisites Tools and services Usage Clean

AWS Samples 20 Dec 7, 2022
Implement backup and recovery with AWS Backup across your AWS Organizations using a CI/CD pipeline (AWS CodePipeline).

Backup and Recovery with AWS Backup This repository provides you with a management and deployment solution for implementing Backup and Recovery with A

AWS Samples 8 Nov 22, 2022
This repository contains free labs for setting up an entire workflow and DevOps environment from a real-world perspective in AWS

DevOps-The-Hard-Way-AWS This tutorial contains a full, real-world solution for setting up an environment that is using DevOps technologies and practic

Mike Levan 1.6k Jan 5, 2023
Terraform module to ship CloudTrail logs stored in a S3 bucket into a Kinesis stream for further processing and real-time analysis.

AWS infrastructure to ship CloudTrail logs from S3 to Kinesis This repository contains a Terraform module to ship CloudTrail logs stored in a S3 bucke

Nexthink 8 Sep 20, 2022
Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.

aws-allowlister Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance fr

Salesforce 189 Dec 8, 2022
SSH-Restricted deploys an SSH compliance rule (AWS Config) with auto-remediation via AWS Lambda if SSH access is public.

SSH-Restricted SSH-Restricted deploys an SSH compliance rule with auto-remediation via AWS Lambda if SSH access is public. SSH-Auto-Restricted checks

Adrian Hornsby 30 Nov 8, 2022
AWS Auto Inventory allows you to quickly and easily generate inventory reports of your AWS resources.

Photo by Denny Müller on Unsplash AWS Automated Inventory ( aws-auto-inventory ) Automates creation of detailed inventories from AWS resources. Table

AWS Samples 123 Dec 26, 2022
A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

A suite of utilities for AWS Lambda Functions that makes tracing with AWS X-Ray, structured logging and creating custom metrics asynchronously easier

Amazon Web Services - Labs 1.9k Jan 7, 2023
aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in a future time.

aws-lambda-scheduler aws-lambda-scheduler lets you call any existing AWS Lambda Function you have in the future. This functionality is achieved by dyn

Oğuzhan Yılmaz 57 Dec 17, 2022
Project template for using aws-cdk, Chalice and React in concert, including RDS Postgresql and AWS Cognito

What is This? This repository is an opinonated project template for using aws-cdk, Chalice and React in concert. Where aws-cdk and Chalice are in Pyth

Rasmus Jones 4 Nov 7, 2022
POC de uma AWS lambda que executa a consulta de preços de criptomoedas, e é implantada na AWS usando Github actions.

Cryptocurrency Prices Overview Instalação Repositório Configuração CI/CD Roadmap Testes Overview A ideia deste projeto é aplicar o conteúdo estudado s

Gustavo Santos 3 Aug 31, 2022
Python + AWS Lambda Hands OnPython + AWS Lambda Hands On

Python + AWS Lambda Hands On Python Criada em 1990, por Guido Van Rossum. "Bala de prata" (quase). Muito utilizado em: Automatizações - Selenium, Beau

Marcelo Ortiz de Santana 8 Sep 9, 2022
Unauthenticated enumeration of services, roles, and users in an AWS account or in every AWS account in existence.

Quiet Riot ?? C'mon, Feel The Noise ?? An enumeration tool for scalable, unauthenticated validation of AWS principals; including AWS Acccount IDs, roo

Wes Ladd 89 Jan 5, 2023
AWS Blog post code for running feature-extraction on images using AWS Batch and Cloud Development Kit (CDK).

Batch processing with AWS Batch and CDK Welcome This repository demostrates provisioning the necessary infrastructure for running a job on AWS Batch u

AWS Samples 7 Oct 18, 2022
Aws-lambda-requests-wrapper - Request/Response wrapper for AWS Lambda with API Gateway

AWS Lambda Requests Wrapper Request/Response wrapper for AWS Lambda with API Gat

null 1 May 20, 2022
AWS-serverless-starter - AWS Lambda serverless stack via Serverless framework

Serverless app via AWS Lambda, ApiGateway and Serverless framework Configuration

 Bəxtiyar 3 Feb 2, 2022
AWS CloudSaga - Simulate security events in AWS

AWS CloudSaga - Simulate security events in AWS AWS CloudSaga is for customers to test security controls and alerts within their Amazon Web Services (

Amazon Web Services - Labs 325 Dec 1, 2022