snyk · bgdanix · Dec 13, 2021 · Dec 14, 2021 · Dec 15, 2021 · Dec 20, 2021
@@ -62,6 +62,22 @@ func NewScanCmd(opts *pkg.ScanOptions) *cobra.Command {
  )
  }
 
+ GCPScope, _ := cmd.Flags().GetStringSlice("gcp-scope")
+ limitScope := make([]string, 0)
+
+ if to == common.RemoteGoogleTerraform && len(GCPScope) > 0 {
+ limitScope, err = parseScopeFlag(GCPScope)
+ if err != nil {
+ return err
+ }
+ } else if to != common.RemoteGoogleTerraform && len(GCPScope) > 0 {
+ return errors.New("gcp-scope can only be utilized when using " + common.RemoteGoogleTerraform + " flag")
+ } else if to == common.RemoteGoogleTerraform && len(GCPScope) == 0 {
+ return errors.New("gcp-scope must be specified when using " + common.RemoteGoogleTerraform + " flag")
+ }
+
+ opts.GCPScope = limitScope
+
  outputFlag, _ := cmd.Flags().GetStringSlice("output")
 
  out, err := parseOutputFlags(outputFlag)
@@ -124,6 +140,11 @@ func NewScanCmd(opts *pkg.ScanOptions) *cobra.Command {
  false,
  "Do not display anything but scan results",
  )
+ fl.StringSlice(
+ "gcp-scope",
+ []string{},
+ "Set the GCP scope for search",
+ )
  fl.StringArray(
  "filter",
  []string{},
@@ -239,7 +260,7 @@ func scanRun(opts *pkg.ScanOptions) error {
 
  resFactory := terraform.NewTerraformResourceFactory(resourceSchemaRepository)
 
- err := remote.Activate(opts.To, opts.ProviderVersion, alerter, providerLibrary, remoteLibrary, scanProgress, resourceSchemaRepository, resFactory, opts.ConfigDir)
+ err := remote.Activate(opts.To, opts.ProviderVersion, opts.GCPScope, alerter, providerLibrary, remoteLibrary, scanProgress, resourceSchemaRepository, resFactory, opts.ConfigDir)
  if err != nil {
  return err
  }
@@ -323,6 +344,26 @@ func scanRun(opts *pkg.ScanOptions) error {
  return nil
 }
 
+func parseScopeFlag(scope []string) ([]string, error) {
+
+ scopeRegex := `projects/\S*$|folders/\d*$|organizations/\d*$`
+ r := regexp.MustCompile(scopeRegex)
+
+ for _, v := range scope {
+ if !r.MatchString(v) {
+ return nil, errors.Wrapf(
+ cmderrors.NewUsageError(
+ "\nAccepted formats are: projects/<project-id>, folders/<folder-number>, organizations/<org-id>",
+ ),
+ "Unable to parse GCP scope '%s'",
+ v,
+ )
+ }
+ }
+
+ return scope, nil
+}
+
 func parseFromFlag(from []string) ([]config.SupplierConfig, error) {
 
  configs := make([]config.SupplierConfig, 0, len(from))

@@ -356,14 +356,14 @@ func Test_Options(t *testing.T) {
  },
  {
  name: "should not find provider version in lockfile",
- args: []string{"scan", "--to", "gcp+tf", "--tf-lockfile", "testdata/terraform_valid.lock.hcl"},
+ args: []string{"scan", "--to", "gcp+tf", "--gcp-scope", "organizations/123", "--tf-lockfile", "testdata/terraform_valid.lock.hcl"},
  assertOptions: func(t *testing.T, opts *pkg.ScanOptions) {
  assert.Equal(t, "", opts.ProviderVersion)
  },
  },
  {
  name: "should fail to read lockfile with silent error",
- args: []string{"scan", "--to", "gcp+tf", "--tf-lockfile", "testdata/terraform_invalid.lock.hcl"},
+ args: []string{"scan", "--to", "gcp+tf", "--gcp-scope", "organizations/123", "--tf-lockfile", "testdata/terraform_invalid.lock.hcl"},
  assertOptions: func(t *testing.T, opts *pkg.ScanOptions) {
  assert.Equal(t, "", opts.ProviderVersion)
  },

@@ -24,6 +24,7 @@ type ScanOptions struct {
  Detect bool
  From []config.SupplierConfig
  To string
+ GCPScope []string
  Output []output.OutputConfig
  Filter *jmespath.JMESPath
  Quiet bool

@@ -1,7 +1,5 @@
 package config
 
 type GCPTerraformConfig struct {
- Project string `cty:"project"`
- Region string `cty:"region"`
- Zone string `cty:"zone"`
+ Scopes []string `cty:"scopes"`
 }
@@ -16,7 +16,7 @@ import (
  "google.golang.org/api/cloudresourcemanager/v1"
 )
 
-func Init(version string, alerter *alerter.Alerter,
+func Init(version string, gcpScope []string, alerter *alerter.Alerter,
  providerLibrary *terraform.ProviderLibrary,
  remoteLibrary *common.RemoteLibrary,
  progress output.Progress,
@@ -51,9 +51,9 @@ func Init(version string, alerter *alerter.Alerter,
  return err
  }
 
- assetRepository := repository.NewAssetRepository(assetClient, provider.GetConfig(), repositoryCache)
+ assetRepository := repository.NewAssetRepository(assetClient, provider.SetConfig(gcpScope), repositoryCache)
  storageRepository := repository.NewStorageRepository(storageClient, repositoryCache)
- iamRepository := repository.NewCloudResourceManagerRepository(crmService, provider.GetConfig(), repositoryCache)
+ iamRepository := repository.NewCloudResourceManagerRepository(crmService, provider.SetConfig(gcpScope), repositoryCache)
 
  providerLibrary.AddProvider(terraform.GOOGLE, provider)
  deserializer := resource.NewDeserializer(factory)

@@ -1,8 +1,6 @@
 package google
 
 import (
- "os"
-
  "github.com/snyk/driftctl/pkg/output"
  "github.com/snyk/driftctl/pkg/remote/google/config"
  "github.com/snyk/driftctl/pkg/remote/terraform"
@@ -34,7 +32,7 @@ func NewGCPTerraformProvider(version string, progress output.Progress, configDir
  tfProvider, err := terraform.NewTerraformProvider(installer, terraform.TerraformProviderConfig{
  Name: p.name,
  GetProviderConfig: func(alias string) interface{} {
- return p.GetConfig()
+ return p.SetConfig(nil)
  },
  }, progress)
 
@@ -55,10 +53,8 @@ func (p *GCPTerraformProvider) Version() string {
  return p.version
 }
 
-func (p *GCPTerraformProvider) GetConfig() config.GCPTerraformConfig {
+func (p *GCPTerraformProvider) SetConfig(scopes []string) config.GCPTerraformConfig {
  return config.GCPTerraformConfig{
- Project: os.Getenv("CLOUDSDK_CORE_PROJECT"),
- Region: os.Getenv("CLOUDSDK_COMPUTE_REGION"),
- Zone: os.Getenv("CLOUDSDK_COMPUTE_ZONE"),
+ Scopes: scopes,
  }
 }
@@ -2,13 +2,16 @@ package repository
 
 import (
  "context"
+ "errors"
  "fmt"
 
  asset "cloud.google.com/go/asset/apiv1"
  "github.com/snyk/driftctl/pkg/remote/cache"
  "github.com/snyk/driftctl/pkg/remote/google/config"
  "google.golang.org/api/iterator"
  assetpb "google.golang.org/genproto/googleapis/cloud/asset/v1"
+ "google.golang.org/grpc/codes"
+ "google.golang.org/grpc/status"
 )
 
 // https://cloud.google.com/asset-inventory/docs/supported-asset-types#supported_resource_types
@@ -75,102 +78,145 @@ func NewAssetRepository(client *asset.Client, config config.GCPTerraformConfig,
 }
 
 func (s assetRepository) listAllResources(ty string) ([]*assetpb.Asset, error) {
- req := &assetpb.ListAssetsRequest{
- Parent: fmt.Sprintf("projects/%s", s.config.Project),
- ContentType: assetpb.ContentType_RESOURCE,
- AssetTypes: []string{
- cloudFunctionsFunction,
- bigtableInstanceAssetType,
- bigtableTableAssetType,
- sqlDatabaseInstanceAssetType,
- computeGlobalAddressAssetType,
- nodeGroupAssetType,
- },
- }
- var results []*assetpb.Asset
 
- cacheKey := "listAllResources"
- cachedResults := s.cache.GetAndLock(cacheKey)
- defer s.cache.Unlock(cacheKey)
- if cachedResults != nil {
- results = cachedResults.([]*assetpb.Asset)
- }
+ filteredResults := []*assetpb.Asset{}
+ var errorString string
+ var errCode codes.Code
+
+ for _, scope := range s.config.Scopes {
+ cacheKey := fmt.Sprintf("listAllResources_%s", scope)
+ cachedResults := s.cache.GetAndLock(cacheKey)
+ defer s.cache.Unlock(cacheKey)
+
+ req := &assetpb.ListAssetsRequest{
+ Parent: scope,
+ ContentType: assetpb.ContentType_RESOURCE,
+ AssetTypes: []string{
+ cloudFunctionsFunction,
+ bigtableInstanceAssetType,
+ bigtableTableAssetType,
+ sqlDatabaseInstanceAssetType,
+ computeGlobalAddressAssetType,
+ nodeGroupAssetType,
+ },
+ }
+
+ var results []*assetpb.Asset
+
+ if cachedResults != nil {
+ results = cachedResults.([]*assetpb.Asset)
+ }
 
- if results == nil {
- it := s.client.ListAssets(context.Background(), req)
- for {
- resource, err := it.Next()
- if err == iterator.Done {
- break
+ if results == nil {
+ it := s.client.ListAssets(context.Background(), req)
+ for {
+ resource, err := it.Next()
+ if err == iterator.Done {
+ break
+ }
+ if err != nil && resource != nil {
+ errorString = errorString + fmt.Sprintf("For scope %s on resource %s got error: %s; ", scope, resource.AssetType, err.Error())
+ continue
+ }
+ if err != nil && resource == nil {
+ errorString = errorString + fmt.Sprintf("For scope %s got error: %s; ", scope, err.Error())
+ errCode = status.Code(err)
+ break
+ }
+ results = append(results, resource)
  }
- if err != nil {
- return nil, err
+ s.cache.Put(cacheKey, results)
+ }
+
+ for _, result := range results {
+ if result.AssetType == ty {
+ filteredResults = append(filteredResults, result)
  }
- results = append(results, resource)
  }
- s.cache.Put(cacheKey, results)
  }
 
- filteredResults := []*assetpb.Asset{}
- for _, result := range results {
- if result.AssetType == ty {
- filteredResults = append(filteredResults, result)
- }
+ if len(errorString) > 0 && len(filteredResults) > 0 {
+ return filteredResults, errors.New(errorString)
+ }
+
+ if len(errorString) > 0 && len(filteredResults) == 0 {
+ return nil, status.Error(errCode, errorString)
  }
 
  return filteredResults, nil
 }
 
 func (s assetRepository) searchAllResources(ty string) ([]*assetpb.ResourceSearchResult, error) {
- req := &assetpb.SearchAllResourcesRequest{
- Scope: fmt.Sprintf("projects/%s", s.config.Project),
- AssetTypes: []string{
- storageBucketAssetType,
- computeFirewallAssetType,
- computeRouterAssetType,
- computeInstanceAssetType,
- computeNetworkAssetType,
- computeSubnetworkAssetType,
- dnsManagedZoneAssetType,
- computeInstanceGroupAssetType,
- bigqueryDatasetAssetType,
- bigqueryTableAssetType,
- computeAddressAssetType,
- computeDiskAssetType,
- computeImageAssetType,
- healthCheckAssetType,
- cloudRunServiceAssetType,
- },
- }
- var results []*assetpb.ResourceSearchResult
 
- cacheKey := "SearchAllResources"
- cachedResults := s.cache.GetAndLock(cacheKey)
- defer s.cache.Unlock(cacheKey)
- if cachedResults != nil {
- results = cachedResults.([]*assetpb.ResourceSearchResult)
- }
+ filteredResults := []*assetpb.ResourceSearchResult{}
+ var errorString string
+ var errCode codes.Code
+
+ for _, scope := range s.config.Scopes {
+ cacheKey := fmt.Sprintf("SearchAllResources_%s", scope)
+ cachedResults := s.cache.GetAndLock(cacheKey)
+ defer s.cache.Unlock(cacheKey)
+
+ req := &assetpb.SearchAllResourcesRequest{
+ Scope: scope,
+ AssetTypes: []string{
+ storageBucketAssetType,
+ computeFirewallAssetType,
+ computeRouterAssetType,
+ computeInstanceAssetType,
+ computeNetworkAssetType,
+ computeSubnetworkAssetType,
+ dnsManagedZoneAssetType,
+ computeInstanceGroupAssetType,
+ bigqueryDatasetAssetType,
+ bigqueryTableAssetType,
+ computeAddressAssetType,
+ computeDiskAssetType,
+ computeImageAssetType,
+ healthCheckAssetType,
+ cloudRunServiceAssetType,
+ },
+ }
+ var results []*assetpb.ResourceSearchResult
+
+ if cachedResults != nil {
+ results = cachedResults.([]*assetpb.ResourceSearchResult)
+ }
 
- if results == nil {
- it := s.client.SearchAllResources(context.Background(), req)
- for {
- resource, err := it.Next()
- if err == iterator.Done {
- break
+ if results == nil {
+ it := s.client.SearchAllResources(context.Background(), req)
+ for {
+ resource, err := it.Next()
+ if err == iterator.Done {
+ break
+ }
+ if err != nil && resource != nil {
+ errorString = errorString + fmt.Sprintf("For scope %s on resource %s got error: %s; ", scope, resource.AssetType, err.Error())
+ continue
+ }
+ if err != nil && resource == nil {
+ errorString = errorString + fmt.Sprintf("For scope %s got error: %s; ", scope, err.Error())
+ errCode = status.Code(err)
+ break
+ }
+ results = append(results, resource)
  }
- if err != nil {
- return nil, err
+ s.cache.Put(cacheKey, results)
+ }
+
+ for _, result := range results {
+ if result.AssetType == ty {
+ filteredResults = append(filteredResults, result)
  }
- results = append(results, resource)
  }
- s.cache.Put(cacheKey, results)
  }
 
- filteredResults := []*assetpb.ResourceSearchResult{}
- for _, result := range results {
- if result.AssetType == ty {
- filteredResults = append(filteredResults, result)
- }
+ if len(errorString) > 0 && len(filteredResults) > 0 {
+ return filteredResults, errors.New(errorString)
+ }
+
+ if len(errorString) > 0 && len(filteredResults) == 0 {
+ return nil, status.Error(errCode, errorString)
  }
 
  return filteredResults, nil