regscale-cli 6.27.3.0__py3-none-any.whl → 6.28.1.0__py3-none-any.whl

regscale/integrations/commercial/aws/inventory/resources/containers.py

@@ -1,12 +1,32 @@
 """AWS container resource collectors."""
 
-from typing import Dict, List, Any
+from typing import Dict, List, Any, Optional
 
 from ..base import BaseCollector
 
 
 class ContainerCollector(BaseCollector):
-    """Collector for AWS container resources."""
+    """Collector for AWS container resources with filtering support."""
+
+    def __init__(
+        self,
+        session: Any,
+        region: str,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        enabled_services: Optional[Dict[str, bool]] = None,
+    ):
+        """
+        Initialize container collector with filtering support.
+
+        :param session: AWS session to use for API calls
+        :param str region: AWS region to collect from
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional tag filters (AND logic)
+        :param dict enabled_services: Optional dict of service names to boolean flags for enabling/disabling collection
+        """
+        super().__init__(session, region, account_id, tags)
+        self.enabled_services = enabled_services or {}
 
     @staticmethod
     def _get_repository_policy(ecr, repository_name: str) -> Dict[str, Any]:
@@ -78,9 +98,45 @@ class ContainerCollector(BaseCollector):
             "Images": images,
         }
 
+    def _should_include_repository(self, ecr, repo_arn: str) -> bool:
+        """
+        Check if repository should be included based on account and tag filters.
+
+        :param ecr: ECR client
+        :param str repo_arn: Repository ARN
+        :return: True if repository should be included, False otherwise
+        :rtype: bool
+        """
+        if not self._matches_account(repo_arn):
+            return False
+
+        if self.tags:
+            try:
+                tags_response = ecr.list_tags_for_resource(resourceArn=repo_arn)
+                repo_tags = tags_response.get("tags", [])
+                return self._matches_tags(repo_tags)
+            except Exception:
+                return False
+
+        return True
+
+    def _process_single_repository(self, ecr, repo: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Process a single repository, retrieving policy, images, and building data.
+
+        :param ecr: ECR client
+        :param repo: Repository data
+        :return: Processed repository data
+        :rtype: Dict[str, Any]
+        """
+        repo_name = repo["repositoryName"]
+        policy = self._get_repository_policy(ecr, repo_name)
+        images = self._get_repository_images(ecr, repo_name)
+        return self._build_repository_data(repo, policy, images)
+
     def get_ecr_repositories(self) -> List[Dict[str, Any]]:
         """
-        Get information about ECR repositories.
+        Get information about ECR repositories with filtering.
 
         :return: List of ECR repository information
         :rtype: List[Dict[str, Any]]
@@ -93,9 +149,12 @@ class ContainerCollector(BaseCollector):
             for page in paginator.paginate():
                 for repo in page.get("repositories", []):
                     try:
-                        policy = self._get_repository_policy(ecr, repo["repositoryName"])
-                        images = self._get_repository_images(ecr, repo["repositoryName"])
-                        repo_data = self._build_repository_data(repo, policy, images)
+                        repo_arn = repo.get("repositoryArn", "")
+
+                        if not self._should_include_repository(ecr, repo_arn):
+                            continue
+
+                        repo_data = self._process_single_repository(ecr, repo)
                         repositories.append(repo_data)
                     except Exception as e:
                         self._handle_error(e, f"ECR repository {repo['repositoryName']}")
@@ -105,9 +164,15 @@ class ContainerCollector(BaseCollector):
 
     def collect(self) -> Dict[str, Any]:
         """
-        Collect all container resources.
+        Collect container resources based on enabled_services configuration.
 
-        :return: Dictionary containing all container resource information
+        :return: Dictionary containing enabled container resource information
         :rtype: Dict[str, Any]
         """
-        return {"ECRRepositories": self.get_ecr_repositories()}
+        result = {}
+
+        # ECR Repositories
+        if self.enabled_services.get("ecr", True):
+            result["ECRRepositories"] = self.get_ecr_repositories()
+
+        return result

regscale/integrations/commercial/aws/inventory/resources/database.py

@@ -1,16 +1,36 @@
 """AWS database resource collectors."""
 
-from typing import Dict, List, Any
+from typing import Dict, List, Any, Optional
 
 from ..base import BaseCollector
 
 
 class DatabaseCollector(BaseCollector):
-    """Collector for AWS database resources."""
+    """Collector for AWS database resources with filtering support."""
+
+    def __init__(
+        self,
+        session: Any,
+        region: str,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        enabled_services: Optional[Dict[str, bool]] = None,
+    ):
+        """
+        Initialize database collector with filtering support.
+
+        :param session: AWS session to use for API calls
+        :param str region: AWS region to collect from
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional tag filters (AND logic)
+        :param dict enabled_services: Optional dict of service names to boolean flags for enabling/disabling collection
+        """
+        super().__init__(session, region, account_id, tags)
+        self.enabled_services = enabled_services or {}
 
     def get_rds_instances(self) -> List[Dict[str, Any]]:
         """
-        Get information about RDS instances.
+        Get information about RDS instances with filtering.
 
         :return: List of RDS instance information
         :rtype: List[Dict[str, Any]]
@@ -22,10 +42,20 @@ class DatabaseCollector(BaseCollector):
 
             for page in paginator.paginate():
                 for instance in page.get("DBInstances", []):
+                    # Apply tag filtering
+                    if self.tags and not self._matches_tags(instance.get("TagList", [])):
+                        continue
+
+                    # Apply account filtering using DBInstanceArn
+                    instance_arn = instance.get("DBInstanceArn", "")
+                    if not self._matches_account(instance_arn):
+                        continue
+
                     instances.append(
                         {
                             "Region": self.region,
                             "DBInstanceIdentifier": instance.get("DBInstanceIdentifier"),
+                            "DBInstanceArn": instance.get("DBInstanceArn"),
                             "DBInstanceClass": instance.get("DBInstanceClass"),
                             "Engine": instance.get("Engine"),
                             "EngineVersion": instance.get("EngineVersion"),
@@ -34,6 +64,7 @@ class DatabaseCollector(BaseCollector):
                             "AllocatedStorage": instance.get("AllocatedStorage"),
                             "InstanceCreateTime": str(instance.get("InstanceCreateTime")),
                             "VpcId": instance.get("DBSubnetGroup", {}).get("VpcId"),
+                            "AvailabilityZone": instance.get("AvailabilityZone"),
                             "MultiAZ": instance.get("MultiAZ"),
                             "PubliclyAccessible": instance.get("PubliclyAccessible"),
                             "StorageEncrypted": instance.get("StorageEncrypted"),
@@ -45,9 +76,60 @@ class DatabaseCollector(BaseCollector):
             self._handle_error(e, "RDS instances")
         return instances
 
+    def _should_include_table(self, dynamodb, table_arn: str, table_name: str) -> bool:
+        """
+        Check if table should be included based on account and tag filters.
+
+        :param dynamodb: DynamoDB client
+        :param str table_arn: Table ARN
+        :param str table_name: Table name
+        :return: True if table should be included, False otherwise
+        :rtype: bool
+        """
+        if not self._matches_account(table_arn):
+            return False
+
+        if self.tags:
+            try:
+                tags_response = dynamodb.list_tags_of_resource(ResourceArn=table_arn)
+                table_tags = tags_response.get("Tags", [])
+                return self._matches_tags(table_tags)
+            except Exception as e:
+                self._handle_error(e, f"DynamoDB table tags for {table_name}")
+                return False
+
+        return True
+
+    def _build_table_data(self, table: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Build table data dictionary.
+
+        :param table: Raw table data
+        :return: Processed table data
+        :rtype: Dict[str, Any]
+        """
+        return {
+            "Region": self.region,
+            "TableName": table.get("TableName"),
+            "TableStatus": table.get("TableStatus"),
+            "CreationDateTime": str(table.get("CreationDateTime")),
+            "TableSizeBytes": table.get("TableSizeBytes"),
+            "ItemCount": table.get("ItemCount"),
+            "TableArn": table.get("TableArn"),
+            "ProvisionedThroughput": {
+                "ReadCapacityUnits": table.get("ProvisionedThroughput", {}).get("ReadCapacityUnits"),
+                "WriteCapacityUnits": table.get("ProvisionedThroughput", {}).get("WriteCapacityUnits"),
+            },
+            "BillingModeSummary": table.get("BillingModeSummary", {}),
+            "GlobalSecondaryIndexes": table.get("GlobalSecondaryIndexes", []),
+            "LocalSecondaryIndexes": table.get("LocalSecondaryIndexes", []),
+            "StreamSpecification": table.get("StreamSpecification", {}),
+            "SSEDescription": table.get("SSEDescription", {}),
+        }
+
     def get_dynamodb_tables(self) -> List[Dict[str, Any]]:
         """
-        Get information about DynamoDB tables.
+        Get information about DynamoDB tables with filtering.
 
         :return: List of DynamoDB table information
         :rtype: List[Dict[str, Any]]
@@ -61,30 +143,13 @@ class DatabaseCollector(BaseCollector):
                 for table_name in page.get("TableNames", []):
                     try:
                         table = dynamodb.describe_table(TableName=table_name)["Table"]
-                        tables.append(
-                            {
-                                "Region": self.region,
-                                "TableName": table.get("TableName"),
-                                "TableStatus": table.get("TableStatus"),
-                                "CreationDateTime": str(table.get("CreationDateTime")),
-                                "TableSizeBytes": table.get("TableSizeBytes"),
-                                "ItemCount": table.get("ItemCount"),
-                                "TableArn": table.get("TableArn"),
-                                "ProvisionedThroughput": {
-                                    "ReadCapacityUnits": table.get("ProvisionedThroughput", {}).get(
-                                        "ReadCapacityUnits"
-                                    ),
-                                    "WriteCapacityUnits": table.get("ProvisionedThroughput", {}).get(
-                                        "WriteCapacityUnits"
-                                    ),
-                                },
-                                "BillingModeSummary": table.get("BillingModeSummary", {}),
-                                "GlobalSecondaryIndexes": table.get("GlobalSecondaryIndexes", []),
-                                "LocalSecondaryIndexes": table.get("LocalSecondaryIndexes", []),
-                                "StreamSpecification": table.get("StreamSpecification", {}),
-                                "SSEDescription": table.get("SSEDescription", {}),
-                            }
-                        )
+                        table_arn = table.get("TableArn", "")
+
+                        if not self._should_include_table(dynamodb, table_arn, table_name):
+                            continue
+
+                        table_data = self._build_table_data(table)
+                        tables.append(table_data)
                     except Exception as e:
                         self._handle_error(e, f"DynamoDB table {table_name}")
         except Exception as e:
@@ -93,9 +158,19 @@ class DatabaseCollector(BaseCollector):
 
     def collect(self) -> Dict[str, Any]:
         """
-        Collect all database resources.
+        Collect database resources based on enabled_services configuration.
 
-        :return: Dictionary containing all database resource information
+        :return: Dictionary containing enabled database resource information
         :rtype: Dict[str, Any]
         """
-        return {"RDSInstances": self.get_rds_instances(), "DynamoDBTables": self.get_dynamodb_tables()}
+        result = {}
+
+        # RDS Instances
+        if self.enabled_services.get("rds", True):
+            result["RDSInstances"] = self.get_rds_instances()
+
+        # DynamoDB Tables
+        if self.enabled_services.get("dynamodb", True):
+            result["DynamoDBTables"] = self.get_dynamodb_tables()
+
+        return result

regscale/integrations/commercial/aws/inventory/resources/guardduty.py

@@ -0,0 +1,286 @@
+"""AWS GuardDuty resource collection."""
+
+import logging
+from typing import Any, Dict, List, Optional
+
+from botocore.exceptions import ClientError
+
+from regscale.integrations.commercial.aws.inventory.base import BaseCollector
+
+logger = logging.getLogger("regscale")
+
+
+class GuardDutyCollector(BaseCollector):
+    """Collector for AWS GuardDuty resources."""
+
+    def __init__(
+        self,
+        session: Any,
+        region: str,
+        account_id: Optional[str] = None,
+        tags: Optional[Dict[str, str]] = None,
+        collect_findings: bool = True,
+    ):
+        """
+        Initialize GuardDuty collector.
+
+        :param session: AWS session to use for API calls
+        :param str region: AWS region to collect from
+        :param str account_id: Optional AWS account ID to filter resources
+        :param dict tags: Optional tags to filter resources (key-value pairs)
+        :param bool collect_findings: Whether to collect GuardDuty findings. Default True.
+        """
+        super().__init__(session, region)
+        self.account_id = account_id
+        self.tags = tags or {}
+        self.collect_findings = collect_findings
+
+    def collect(self) -> Dict[str, Any]:
+        """
+        Collect GuardDuty resources.
+
+        :return: Dictionary containing GuardDuty detectors, findings, and members
+        :rtype: Dict[str, Any]
+        """
+        result = {"Detectors": [], "Findings": [], "Members": []}
+
+        try:
+            client = self._get_client("guardduty")
+            detector_ids = self._list_detectors(client)
+
+            for detector_id in detector_ids:
+                self._process_detector(client, detector_id, result)
+
+            if self.collect_findings:
+                logger.info(
+                    f"Collected {len(result['Detectors'])} GuardDuty detector(s), "
+                    f"{len(result['Findings'])} finding(s) from {self.region}"
+                )
+            else:
+                logger.info(f"Collected {len(result['Detectors'])} GuardDuty detector(s) from {self.region}")
+
+        except ClientError as e:
+            self._handle_error(e, "GuardDuty resources")
+        except Exception as e:
+            logger.error(f"Unexpected error collecting GuardDuty resources: {e}", exc_info=True)
+
+        return result
+
+    def _process_detector(self, client: Any, detector_id: str, result: Dict[str, Any]) -> None:
+        """
+        Process a single detector and add its details to result.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID to process
+        :param dict result: Result dictionary to populate
+        """
+        detector_info = self._get_detector(client, detector_id)
+        if not detector_info:
+            return
+
+        if not self._should_include_detector(detector_info, detector_id):
+            return
+
+        detector_info = self._enrich_detector_info(client, detector_id, detector_info)
+        result["Detectors"].append(detector_info)
+
+        if self.collect_findings:
+            findings = self._list_and_get_findings(client, detector_id)
+            result["Findings"].extend(findings)
+        else:
+            logger.debug(f"Skipping GuardDuty findings collection for detector {detector_id} (collect_findings=False)")
+
+        members = self._list_members(client, detector_id)
+        result["Members"].extend(members)
+
+    def _should_include_detector(self, detector_info: Dict[str, Any], detector_id: str) -> bool:
+        """
+        Check if detector should be included based on filters.
+
+        :param dict detector_info: Detector information
+        :param str detector_id: Detector ID
+        :return: True if detector should be included
+        :rtype: bool
+        """
+        if self.account_id and not self._matches_account_id(detector_info.get("AccountId", "")):
+            logger.debug(f"Skipping detector {detector_id} - does not match account ID {self.account_id}")
+            return False
+
+        if self.tags:
+            detector_tags = self._get_detector_tags(
+                self._get_client("guardduty"), detector_id, detector_info.get("AccountId", "")
+            )
+            if not self._matches_tags(detector_tags):
+                logger.debug(f"Skipping detector {detector_id} - does not match tag filters")
+                return False
+
+        return True
+
+    def _enrich_detector_info(self, client: Any, detector_id: str, detector_info: Dict[str, Any]) -> Dict[str, Any]:
+        """
+        Enrich detector info with additional metadata.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param dict detector_info: Detector information to enrich
+        :return: Enriched detector information
+        :rtype: Dict[str, Any]
+        """
+        if self.tags:
+            detector_tags = self._get_detector_tags(client, detector_id, detector_info.get("AccountId", ""))
+            detector_info["Tags"] = detector_tags
+
+        detector_info["DetectorId"] = detector_id
+        detector_info["Region"] = self.region
+        return detector_info
+
+    def _list_detectors(self, client: Any) -> List[str]:
+        """
+        List GuardDuty detectors.
+
+        :param client: GuardDuty client
+        :return: List of detector IDs
+        :rtype: List[str]
+        """
+        try:
+            response = client.list_detectors()
+            return response.get("DetectorIds", [])
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.warning(f"Access denied to list GuardDuty detectors in {self.region}")
+                return []
+            raise
+
+    def _get_detector(self, client: Any, detector_id: str) -> Optional[Dict[str, Any]]:
+        """
+        Get details about a specific GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :return: Detector details or None
+        :rtype: Optional[Dict[str, Any]]
+        """
+        try:
+            response = client.get_detector(DetectorId=detector_id)
+            # Remove ResponseMetadata
+            response.pop("ResponseMetadata", None)
+            return response
+        except ClientError as e:
+            logger.error(f"Error getting detector {detector_id}: {e}")
+            return None
+
+    def _list_and_get_findings(self, client: Any, detector_id: str, max_findings: int = 50) -> List[Dict[str, Any]]:
+        """
+        List and get detailed information about GuardDuty findings.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param int max_findings: Maximum number of findings to retrieve
+        :return: List of findings with details
+        :rtype: List[Dict[str, Any]]
+        """
+        findings = []
+
+        try:
+            # List finding IDs
+            list_response = client.list_findings(DetectorId=detector_id, MaxResults=max_findings)
+            finding_ids = list_response.get("FindingIds", [])
+
+            if not finding_ids:
+                return findings
+
+            # Get detailed information for findings
+            get_response = client.get_findings(DetectorId=detector_id, FindingIds=finding_ids)
+            findings = get_response.get("Findings", [])
+
+            # Add region information
+            for finding in findings:
+                finding["Region"] = self.region
+                finding["DetectorId"] = detector_id
+
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.warning(f"Access denied to list findings for detector {detector_id}")
+            else:
+                logger.error(f"Error listing findings for detector {detector_id}: {e}")
+
+        return findings
+
+    def _list_members(self, client: Any, detector_id: str) -> List[Dict[str, Any]]:
+        """
+        List member accounts for a GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :return: List of member accounts
+        :rtype: List[Dict[str, Any]]
+        """
+        members = []
+
+        try:
+            response = client.list_members(DetectorId=detector_id)
+            members = response.get("Members", [])
+
+            # Add region and detector information
+            for member in members:
+                member["Region"] = self.region
+                member["DetectorId"] = detector_id
+
+        except ClientError as e:
+            if e.response["Error"]["Code"] == "AccessDeniedException":
+                logger.debug(f"Access denied to list members for detector {detector_id}")
+            else:
+                logger.error(f"Error listing members for detector {detector_id}: {e}")
+
+        return members
+
+    def _matches_account_id(self, detector_account_id: str) -> bool:
+        """
+        Check if detector account ID matches the specified account ID.
+
+        :param str detector_account_id: Account ID from detector
+        :return: True if matches or no account_id filter specified
+        :rtype: bool
+        """
+        if not self.account_id:
+            return True
+
+        return detector_account_id == self.account_id
+
+    def _get_detector_tags(self, client: Any, detector_id: str, account_id: str) -> Dict[str, str]:
+        """
+        Get tags for a GuardDuty detector.
+
+        :param client: GuardDuty client
+        :param str detector_id: Detector ID
+        :param str account_id: AWS account ID
+        :return: Dictionary of tags (TagKey -> TagValue)
+        :rtype: Dict[str, str]
+        """
+        try:
+            # Construct the detector ARN
+            detector_arn = f"arn:aws:guardduty:{self.region}:{account_id}:detector/{detector_id}"
+            response = client.list_tags_for_resource(ResourceArn=detector_arn)
+            tags = response.get("Tags", {})
+            return tags
+        except ClientError as e:
+            logger.debug(f"Error getting tags for detector {detector_id}: {e}")
+            return {}
+
+    def _matches_tags(self, resource_tags: Dict[str, str]) -> bool:
+        """
+        Check if resource tags match the specified filter tags.
+
+        :param dict resource_tags: Tags on the resource
+        :return: True if all filter tags match
+        :rtype: bool
+        """
+        if not self.tags:
+            return True
+
+        # All filter tags must match
+        for key, value in self.tags.items():
+            if resource_tags.get(key) != value:
+                return False
+
+        return True