feat: Enhance cloud inventory scripts with serverless and container counts #52
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…with improved error handling
…proved accuracy and efficiency
This commit updates and optimizes the resource counting scripts for OCI, Alibaba Cloud, and AWS, and verifies existing Azure and GCP scripts against documentation. Key changes include: OCI: - Refactored script to use efficient `oci search resource structured-search` command. - Counts Compute Instances, DB Systems, and Load Balancers via a single query. Alibaba Cloud: - Added counting for RDS instances (`DescribeDBInstances`). - Added counting for SLB instances (`DescribeLoadBalancers`). - Retained per-region iteration due to lack of cross-service search API. AWS: - Added counting for EKS clusters (`list-clusters`). - Added counting for ECS clusters (`list-clusters`). - Added counting for running ECS tasks (`list-services`, `describe-services`). - Added counting for EC2 instances tagged as Docker hosts (`describe-instances` with tag filter, default tag: DockerHost). - Improved region iteration and error handling. All Scripts: - Verified CLI command usage, parameters, pagination, and output parsing against official documentation for OCI, Alibaba, AWS, Azure, and GCP scripts.
Adds logic to count AWS Lambda functions within the specified region or across all active regions. - Initializes `total_lambda_functions` counter. - In `count_resources` (non-DSPM mode), iterates through regions and uses `aws lambda list-functions --no-paginate --query "Functions" --output json | jq 'length'` to get the count per region. - Adds the Lambda function count to the final summary output.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR enhances the cloud resource inventory scripts for AWS, Azure, GCP, OCI, and Alibaba Cloud. Key updates include:
oci search resource structured-searchcommand.shellspectest files with new mocks and assertions to reflect script changes.code-security/README.mdto recommend a newer Checkov version (3.0.0+).README.mdto summarize recent script enhancements.Motivation and Context
The primary motivation was to provide more comprehensive and accurate resource counts for Prisma Cloud sizing, particularly by including serverless functions which are increasingly common. Additionally, the changes aimed to:
How Has This Been Tested?
shellspectest files (spec/*.spec) for AWS, GCP, OCI, and Alibaba Cloud were updated. Mocks were created/modified for the relevant CLI commands (e.g.,oci search,gcloud asset search,aws ecs list/describe,aws lambda list,aliyun fc-open, etc.). Test cases were updated to assert the expected counts based on these mocks, verifying the script's parsing and aggregation logic.Screenshots (if appropriate)
N/A
Types of changes
Checklist