regscale-cli 6.21.2.0__py3-none-any.whl → 6.28.2.1__py3-none-any.whl

regscale/integrations/commercial/aws/inventory/resources/developer_tools.py

@@ -0,0 +1,253 @@
+"""AWS developer tools resource collectors."""
+
+import logging
+from typing import Dict, List, Any, Optional
+
+from ..base import BaseCollector
+
+logger = logging.getLogger("regscale")
+
+
+class DeveloperToolsCollector(BaseCollector):
+    """Collector for AWS developer tools resources with filtering support."""
+
+    def __init__(
+        self,
+        session: Any,
+        region: str,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        enabled_services: Optional[Dict[str, bool]] = None,
+    ):
+        """
+        Initialize developer tools collector with filtering support.
+
+        :param session: AWS session to use for API calls
+        :param str region: AWS region to collect from
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional tag filters (AND logic)
+        :param dict enabled_services: Optional dict of service names to boolean flags for enabling/disabling collection
+        """
+        super().__init__(session, region, account_id, tags)
+        self.enabled_services = enabled_services or {}
+
+    def get_codepipeline_pipelines(self) -> List[Dict[str, Any]]:
+        """
+        Get information about CodePipeline pipelines.
+
+        :return: List of CodePipeline pipeline information
+        :rtype: List[Dict[str, Any]]
+        """
+        pipelines = []
+        try:
+            codepipeline_client = self._get_client("codepipeline")
+            paginator = codepipeline_client.get_paginator("list_pipelines")
+
+            for page in paginator.paginate():
+                for pipeline_summary in page.get("pipelines", []):
+                    pipeline_name = pipeline_summary.get("name")
+
+                    try:
+                        pipeline_detail = codepipeline_client.get_pipeline(name=pipeline_name)
+                        pipeline = pipeline_detail.get("pipeline", {})
+                        pipeline_arn = pipeline.get("pipelineArn", "")
+
+                        if not self._matches_account(pipeline_arn):
+                            continue
+
+                        tags_response = codepipeline_client.list_tags_for_resource(resourceArn=pipeline_arn)
+                        pipeline_tags = tags_response.get("tags", [])
+
+                        if not self._matches_tags(pipeline_tags):
+                            continue
+
+                        pipelines.append(
+                            {
+                                "Region": self.region,
+                                "PipelineName": pipeline_name,
+                                "PipelineArn": pipeline_arn,
+                                "RoleArn": pipeline.get("roleArn"),
+                                "Version": pipeline.get("version"),
+                                "Created": pipeline_summary.get("created"),
+                                "Updated": pipeline_summary.get("updated"),
+                                "Tags": pipeline_tags,
+                            }
+                        )
+                    except Exception as pipeline_error:
+                        logger.debug("Error getting CodePipeline details for %s: %s", pipeline_name, pipeline_error)
+                        continue
+
+        except Exception as e:
+            self._handle_error(e, "CodePipeline pipelines")
+        return pipelines
+
+    def get_codebuild_projects(self) -> List[Dict[str, Any]]:
+        """
+        Get information about CodeBuild projects.
+
+        :return: List of CodeBuild project information
+        :rtype: List[Dict[str, Any]]
+        """
+        projects = []
+        try:
+            codebuild_client = self._get_client("codebuild")
+            paginator = codebuild_client.get_paginator("list_projects")
+
+            for page in paginator.paginate():
+                project_names = page.get("projects", [])
+
+                if not project_names:
+                    continue
+
+                batch_response = codebuild_client.batch_get_projects(names=project_names)
+                for project in batch_response.get("projects", []):
+                    project_arn = project.get("arn", "")
+
+                    if not self._matches_account(project_arn):
+                        continue
+
+                    if not self._matches_tags(project.get("tags", [])):
+                        continue
+
+                    projects.append(
+                        {
+                            "Region": self.region,
+                            "ProjectName": project.get("name"),
+                            "ProjectArn": project_arn,
+                            "Description": project.get("description"),
+                            "ServiceRole": project.get("serviceRole"),
+                            "Created": project.get("created"),
+                            "LastModified": project.get("lastModified"),
+                            "Environment": project.get("environment"),
+                            "Tags": project.get("tags", []),
+                        }
+                    )
+
+        except Exception as e:
+            self._handle_error(e, "CodeBuild projects")
+        return projects
+
+    def get_codedeploy_applications(self) -> List[Dict[str, Any]]:
+        """
+        Get information about CodeDeploy applications.
+
+        :return: List of CodeDeploy application information
+        :rtype: List[Dict[str, Any]]
+        """
+        applications = []
+        try:
+            codedeploy_client = self._get_client("codedeploy")
+            paginator = codedeploy_client.get_paginator("list_applications")
+
+            for page in paginator.paginate():
+                for app_name in page.get("applications", []):
+                    try:
+                        app_detail = codedeploy_client.get_application(applicationName=app_name)
+                        application = app_detail.get("application", {})
+                        app_arn = f"arn:aws:codedeploy:{self.region}:{self.account_id or '*'}:application:{app_name}"
+
+                        if not self._matches_account(app_arn):
+                            continue
+
+                        tags_response = codedeploy_client.list_tags_for_resource(ResourceArn=app_arn)
+                        app_tags = tags_response.get("Tags", [])
+
+                        if not self._matches_tags(app_tags):
+                            continue
+
+                        applications.append(
+                            {
+                                "Region": self.region,
+                                "ApplicationName": app_name,
+                                "ApplicationId": application.get("applicationId"),
+                                "CreateTime": application.get("createTime"),
+                                "ComputePlatform": application.get("computePlatform"),
+                                "Tags": app_tags,
+                            }
+                        )
+                    except Exception as app_error:
+                        logger.debug("Error getting CodeDeploy application details for %s: %s", app_name, app_error)
+                        continue
+
+        except Exception as e:
+            self._handle_error(e, "CodeDeploy applications")
+        return applications
+
+    def get_codecommit_repositories(self) -> List[Dict[str, Any]]:
+        """
+        Get information about CodeCommit repositories.
+
+        :return: List of CodeCommit repository information
+        :rtype: List[Dict[str, Any]]
+        """
+        repositories = []
+        try:
+            codecommit_client = self._get_client("codecommit")
+            paginator = codecommit_client.get_paginator("list_repositories")
+
+            for page in paginator.paginate():
+                for repo_metadata in page.get("repositories", []):
+                    repo_name = repo_metadata.get("repositoryName")
+
+                    try:
+                        repo_detail = codecommit_client.get_repository(repositoryName=repo_name)
+                        repository = repo_detail.get("repositoryMetadata", {})
+                        repo_arn = repository.get("Arn", "")
+
+                        if not self._matches_account(repo_arn):
+                            continue
+
+                        tags_response = codecommit_client.list_tags_for_resource(resourceArn=repo_arn)
+                        repo_tags = tags_response.get("tags", {})
+
+                        if not self._matches_tags(repo_tags):
+                            continue
+
+                        repositories.append(
+                            {
+                                "Region": self.region,
+                                "RepositoryName": repo_name,
+                                "RepositoryId": repository.get("repositoryId"),
+                                "RepositoryArn": repo_arn,
+                                "DefaultBranch": repository.get("defaultBranch"),
+                                "CloneUrlHttp": repository.get("cloneUrlHttp"),
+                                "CloneUrlSsh": repository.get("cloneUrlSsh"),
+                                "CreationDate": repository.get("creationDate"),
+                                "LastModifiedDate": repository.get("lastModifiedDate"),
+                                "Tags": repo_tags,
+                            }
+                        )
+                    except Exception as repo_error:
+                        logger.debug("Error getting CodeCommit repository details for %s: %s", repo_name, repo_error)
+                        continue
+
+        except Exception as e:
+            self._handle_error(e, "CodeCommit repositories")
+        return repositories
+
+    def collect(self) -> Dict[str, Any]:
+        """
+        Collect developer tools resources based on enabled_services configuration.
+
+        :return: Dictionary containing enabled developer tools resource information
+        :rtype: Dict[str, Any]
+        """
+        result = {}
+
+        # CodePipeline
+        if self.enabled_services.get("codepipeline", True):
+            result["CodePipelinePipelines"] = self.get_codepipeline_pipelines()
+
+        # CodeBuild
+        if self.enabled_services.get("codebuild", True):
+            result["CodeBuildProjects"] = self.get_codebuild_projects()
+
+        # CodeDeploy
+        if self.enabled_services.get("codedeploy", True):
+            result["CodeDeployApplications"] = self.get_codedeploy_applications()
+
+        # CodeCommit
+        if self.enabled_services.get("codecommit", True):
+            result["CodeCommitRepositories"] = self.get_codecommit_repositories()
+
+        return result

regscale/integrations/commercial/aws/inventory/resources/guardduty.py

@@ -0,0 +1,286 @@
+"""AWS GuardDuty resource collection."""
+
+import logging
+from typing import Any, Dict, List, Optional
+
+from botocore.exceptions import ClientError
+
+from regscale.integrations.commercial.aws.inventory.base import BaseCollector
+
+logger = logging.getLogger("regscale")
+
+
+class GuardDutyCollector(BaseCollector):
+    """Collector for AWS GuardDuty resources."""
+
+    def __init__(
+        self,
+        session: Any,
+        region: str,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        collect_findings: bool = True,
+    ):
+        """
+        Initialize GuardDuty collector.
+
+        :param session: AWS session to use for API calls
+        :param str region: AWS region to collect from
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional tags to filter resources (key-value pairs)
+        :param bool collect_findings: Whether to collect GuardDuty findings. Default True.
+        """
+        super().__init__(session, region)
+        self.account_id = account_id
+        self.tags = tags or {}
+        self.collect_findings = collect_findings
+
+    def collect(self) -> Dict[str, Any]:
+        """
+        Collect GuardDuty resources.
+
+        :return: Dictionary containing GuardDuty detectors, findings, and members
+        :rtype: Dict[str, Any]
+        """
+        result = {"Detectors": [], "Findings": [], "Members": []}
+
+        try:
+            client = self._get_client("guardduty")
+            detector_ids = self._list_detectors(client)
+
+            for detector_id in detector_ids:
+                self._process_detector(client, detector_id, result)
+
+            if self.collect_findings:
+                logger.info(
+                    f"Collected {len(result['Detectors'])} GuardDuty detector(s), "
+                    f"{len(result['Findings'])} finding(s) from {self.region}"
+                )
+            else:
+                logger.info(f"Collected {len(result['Detectors'])} GuardDuty detector(s) from {self.region}")
+
+        except ClientError as e:
+            self._handle_error(e, "GuardDuty resources")
+        except Exception as e:
+            logger.error(f"Unexpected error collecting GuardDuty resources: {e}", exc_info=True)
+
+        return result
+
+    def _process_detector(self, client: Any, detector_id: str, result: Dict[str, Any]) -> None:
+        """
+        Process a single detector and add its details to result.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID to process
+        :param dict result: Result dictionary to populate
+        """
+        detector_info = self._get_detector(client, detector_id)
+        if not detector_info:
+            return
+
+        if not self._should_include_detector(detector_info, detector_id):
+            return
+
+        detector_info = self._enrich_detector_info(client, detector_id, detector_info)
+        result["Detectors"].append(detector_info)
+
+        if self.collect_findings:
+            findings = self._list_and_get_findings(client, detector_id)
+            result["Findings"].extend(findings)
+        else:
+            logger.debug(f"Skipping GuardDuty findings collection for detector {detector_id} (collect_findings=False)")
+
+        members = self._list_members(client, detector_id)
+        result["Members"].extend(members)
+
+    def _should_include_detector(self, detector_info: Dict[str, Any], detector_id: str) -> bool:
+        """
+        Check if detector should be included based on filters.
+
+        :param dict detector_info: Detector information
+        :param str detector_id: Detector ID
+        :return: True if detector should be included
+        :rtype: bool
+        """
+        if self.account_id and not self._matches_account_id(detector_info.get("AccountId", "")):
+            logger.debug(f"Skipping detector {detector_id} - does not match account ID {self.account_id}")
+            return False
+
+        if self.tags:
+            detector_tags = self._get_detector_tags(
+                self._get_client("guardduty"), detector_id, detector_info.get("AccountId", "")
+            )
+            if not self._matches_tags(detector_tags):
+                logger.debug(f"Skipping detector {detector_id} - does not match tag filters")
+                return False
+
+        return True
+
+    def _enrich_detector_info(self, client: Any, detector_id: str, detector_info: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Enrich detector info with additional metadata.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param dict detector_info: Detector information to enrich
+        :return: Enriched detector information
+        :rtype: Dict[str, Any]
+        """
+        if self.tags:
+            detector_tags = self._get_detector_tags(client, detector_id, detector_info.get("AccountId", ""))
+            detector_info["Tags"] = detector_tags
+
+        detector_info["DetectorId"] = detector_id
+        detector_info["Region"] = self.region
+        return detector_info
+
+    def _list_detectors(self, client: Any) -> List[str]:
+        """
+        List GuardDuty detectors.
+
+        :param client: GuardDuty client
+        :return: List of detector IDs
+        :rtype: List[str]
+        """
+        try:
+            response = client.list_detectors()
+            return response.get("DetectorIds", [])
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.warning(f"Access denied to list GuardDuty detectors in {self.region}")
+                return []
+            raise
+
+    def _get_detector(self, client: Any, detector_id: str) -> Optional[Dict[str, Any]]:
+        """
+        Get details about a specific GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :return: Detector details or None
+        :rtype: Optional[Dict[str, Any]]
+        """
+        try:
+            response = client.get_detector(DetectorId=detector_id)
+            # Remove ResponseMetadata
+            response.pop("ResponseMetadata", None)
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting detector {detector_id}: {e}")
+            return None
+
+    def _list_and_get_findings(self, client: Any, detector_id: str, max_findings: int = 50) -> List[Dict[str, Any]]:
+        """
+        List and get detailed information about GuardDuty findings.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param int max_findings: Maximum number of findings to retrieve
+        :return: List of findings with details
+        :rtype: List[Dict[str, Any]]
+        """
+        findings = []
+
+        try:
+            # List finding IDs
+            list_response = client.list_findings(DetectorId=detector_id, MaxResults=max_findings)
+            finding_ids = list_response.get("FindingIds", [])
+
+            if not finding_ids:
+                return findings
+
+            # Get detailed information for findings
+            get_response = client.get_findings(DetectorId=detector_id, FindingIds=finding_ids)
+            findings = get_response.get("Findings", [])
+
+            # Add region information
+            for finding in findings:
+                finding["Region"] = self.region
+                finding["DetectorId"] = detector_id
+
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.warning(f"Access denied to list findings for detector {detector_id}")
+            else:
+                logger.error(f"Error listing findings for detector {detector_id}: {e}")
+
+        return findings
+
+    def _list_members(self, client: Any, detector_id: str) -> List[Dict[str, Any]]:
+        """
+        List member accounts for a GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :return: List of member accounts
+        :rtype: List[Dict[str, Any]]
+        """
+        members = []
+
+        try:
+            response = client.list_members(DetectorId=detector_id)
+            members = response.get("Members", [])
+
+            # Add region and detector information
+            for member in members:
+                member["Region"] = self.region
+                member["DetectorId"] = detector_id
+
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.debug(f"Access denied to list members for detector {detector_id}")
+            else:
+                logger.error(f"Error listing members for detector {detector_id}: {e}")
+
+        return members
+
+    def _matches_account_id(self, detector_account_id: str) -> bool:
+        """
+        Check if detector account ID matches the specified account ID.
+
+        :param str detector_account_id: Account ID from detector
+        :return: True if matches or no account_id filter specified
+        :rtype: bool
+        """
+        if not self.account_id:
+            return True
+
+        return detector_account_id == self.account_id
+
+    def _get_detector_tags(self, client: Any, detector_id: str, account_id: str) -> Dict[str, str]:
+        """
+        Get tags for a GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param str account_id: AWS account ID
+        :return: Dictionary of tags (TagKey -> TagValue)
+        :rtype: Dict[str, str]
+        """
+        try:
+            # Construct the detector ARN
+            detector_arn = f"arn:aws:guardduty:{self.region}:{account_id}:detector/{detector_id}"
+            response = client.list_tags_for_resource(ResourceArn=detector_arn)
+            tags = response.get("Tags", {})
+            return tags
+        except ClientError as e:
+            logger.debug(f"Error getting tags for detector {detector_id}: {e}")
+            return {}
+
+    def _matches_tags(self, resource_tags: Dict[str, str]) -> bool:
+        """
+        Check if resource tags match the specified filter tags.
+
+        :param dict resource_tags: Tags on the resource
+        :return: True if all filter tags match
+        :rtype: bool
+        """
+        if not self.tags:
+            return True
+
+        # All filter tags must match
+        for key, value in self.tags.items():
+            if resource_tags.get(key) != value:
+                return False
+
+        return True