diff --git a/terraform-provisioner-mondoo/Makefile b/terraform-provisioner-mondoo/Makefile
index 9f32ff50..1813e9b5 100644
--- a/terraform-provisioner-mondoo/Makefile
+++ b/terraform-provisioner-mondoo/Makefile
@@ -24,6 +24,6 @@ HOST=52.31.244.47
 test/noop:
 	pushd ./test/noop && \
 	terraform init && \
-	rm terraform.tfstat* && \
-	terraform apply -auto-approve -var conn=${CONN} -var user=${USER} -var host=${HOST} && \
+	rm terraform.tfstat* || true && \
+	TF_LOG=ERROR terraform apply -auto-approve -var conn=${CONN} -var user=${USER} -var host=${HOST} && \
 	popd
\ No newline at end of file
diff --git a/terraform-provisioner-mondoo/mondoo/connection.go b/terraform-provisioner-mondoo/mondoo/connection.go
new file mode 100644
index 00000000..342dbb21
--- /dev/null
+++ b/terraform-provisioner-mondoo/mondoo/connection.go
@@ -0,0 +1,50 @@
+package mondoo
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/hashicorp/terraform/communicator/shared"
+	"github.com/hashicorp/terraform/terraform"
+	"github.com/mitchellh/mapstructure"
+)
+
+// see https://www.terraform.io/docs/provisioners/connection.html
+type ProvisionerConnection struct {
+	Type       string `mapstructure:"type"`
+	User       string `mapstructure:"user"`
+	Password   string `mapstructure:"password"`
+	PrivateKey string `mapstructure:"private_key"`
+	Host       string `mapstructure:"host"`
+	Port       int    `mapstructure:"port"`
+}
+
+func (p *ProvisionerConnection) ToMondooConnection() (string, error) {
+	switch p.Type {
+	case "ssh":
+		return fmt.Sprintf("ssh://%s@%s", p.User, p.Host), nil
+	case "local":
+		return "local://", nil
+	}
+
+	return "", errors.New(fmt.Sprintf("the requested %s connection type is not supported by mondoo terraform provisioner", p.Type))
+}
+
+func tfConnection(s *terraform.InstanceState) (*ProvisionerConnection, error) {
+	connInfo := &ProvisionerConnection{}
+	decConf := &mapstructure.DecoderConfig{
+		WeaklyTypedInput: true,
+		Result:           connInfo,
+	}
+	dec, err := mapstructure.NewDecoder(decConf)
+	if err != nil {
+		return nil, err
+	}
+	if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {
+		return nil, err
+	}
+
+	// format the host if needed, needed for IPv6
+	connInfo.Host = shared.IpFormat(connInfo.Host)
+	return connInfo, nil
+}
diff --git a/terraform-provisioner-mondoo/mondoo/mondoo.go b/terraform-provisioner-mondoo/mondoo/mondoo.go
index 8b2b7ad4..93806607 100644
--- a/terraform-provisioner-mondoo/mondoo/mondoo.go
+++ b/terraform-provisioner-mondoo/mondoo/mondoo.go
@@ -2,7 +2,6 @@ package mondoo
 
 import (
 	"context"
-	"fmt"
 
 	"github.com/hashicorp/terraform/helper/schema"
 	"github.com/hashicorp/terraform/terraform"
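Review bot: ToMondooConnection ignores Port, Password and PrivateKey even though tfConnection decodes all of them from the connection block, so an ssh connection on a non-default port, or one that relies on the password the test fixture now passes, is reduced to a bare `ssh://user@host` and the extra settings are silently lost. Building the URL through net/url also escapes a user name containing `@` or `/`, which the current `fmt.Sprintf` does not; if mondoo's connection-string format cannot carry a password or key, the struct comment should say that those two fields are accepted but ignored rather than leaving users to guess. The fallthrough error is better written `fmt.Errorf(...)` than `errors.New(fmt.Sprintf(...))` (staticcheck S1028), after which the `errors` import can go. The excerpt below needs `net`, `net/url`, `strconv` and `strings` added to the import block.
```go
	case "ssh":
		u := url.URL{Scheme: "ssh", User: url.User(p.User), Host: p.Host}
		if p.Port != 0 {
			// shared.IpFormat appears to bracket IPv6 hosts already; strip so JoinHostPort does not double-wrap
			u.Host = net.JoinHostPort(strings.Trim(p.Host, "[]"), strconv.Itoa(p.Port))
		}
		return u.String(), nil
	// … unchanged: local case …
	return "", fmt.Errorf("the requested %s connection type is not supported by mondoo terraform provisioner", p.Type)
```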
@@ -17,8 +16,16 @@ func applyFn(ctx context.Context) error {
 	data := ctx.Value(schema.ProvConfigDataKey).(*schema.ResourceData)
 	o := ctx.Value(schema.ProvOutputKey).(terraform.UIOutput)
 
+	o.Output("start mondoo provisioner")
+
 	// read ssh connection information
-	sshConfig, err := tfConnInfo(s)
+	connInfo, err := tfConnection(s)
+	if err != nil {
+		return err
+	}
+
+	// convert tf connection to mondoo connection string
+	mondooConn, err := connInfo.ToMondooConnection()
 	if err != nil {
 		return err
 	}
@@ -26,9 +33,10 @@ func applyFn(ctx context.Context) error {
 	// build mondoo config
 	conf := &VulnOpts{
 		Asset: &VulnOptsAsset{
-			Connection: fmt.Sprintf("ssh://%s@%s", sshConfig.User, sshConfig.Host),
+			Connection: mondooConn,
 		},
-		Report: tfReportConfig(data),
+		Report:    tfReportConfig(data),
+		Collector: tfCollector(data),
 	}
 
 	// run mondoo vuln command
@@ -38,7 +46,11 @@ func applyFn(ctx context.Context) error {
 func Provisioner() terraform.ResourceProvisioner {
 	return &schema.Provisioner{
 		Schema: map[string]*schema.Schema{
-			"reporter": &schema.Schema{
+			"collector": &schema.Schema{
+				Type:     schema.TypeString,
+				Optional: true,
+			},
+			"report": &schema.Schema{
 				Type:     schema.TypeMap,
 				Optional: true,
 				Elem: &schema.Resource{
diff --git a/terraform-provisioner-mondoo/mondoo/options.go b/terraform-provisioner-mondoo/mondoo/options.go
index fa3f8514..c49073c0 100644
--- a/terraform-provisioner-mondoo/mondoo/options.go
+++ b/terraform-provisioner-mondoo/mondoo/options.go
@@ -35,6 +35,14 @@ func tfReportConfig(data *schema.ResourceData) *VulnOptsReport {
 	return conf
 }
 
+func tfCollector(data *schema.ResourceData) string {
+	collector, ok := data.Get("collector").(string)
+	if !ok {
+		return ""
+	}
+	return collector
+}
+
 func StringValue(keymap map[string]interface{}, key string) string {
 	v, ok := keymap[key]
 	if ok {
diff --git a/terraform-provisioner-mondoo/mondoo/ssh.go b/terraform-provisioner-mondoo/mondoo/ssh.go
deleted file mode 100644
index 8155e06d..00000000
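Review bot: In the Provisioner hunk the `reporter` schema key is replaced by `report` with no transition, so any existing configuration that still sets `reporter` now fails validation with a generic unknown-argument error instead of a hint toward the new name. helper/schema lets the old key stay for a release, e.g. `"reporter": &schema.Schema{Type: schema.TypeMap, Optional: true, Removed: "use the report block instead"}`, or `Deprecated` with tfReportConfig reading both keys, so the rename is surfaced rather than discovered by a failed apply. The Provisioner body and its Schema map continue past the end of the hunk.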
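Review bot: tfCollector has no doc comment and its `ok` guard is redundant, because `data.Get` on an Optional TypeString schema entry yields `""` rather than nil when the attribute is unset; the body can be `collector, _ := data.Get("collector").(string)` followed by `return collector`, with a one-line comment such as `// tfCollector returns the optional "collector" setting, or "" when it is not configured.`. Keeping the style in line with tfReportConfig directly above would also help, as that function is the one readers will compare it with.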
--- a/terraform-provisioner-mondoo/mondoo/ssh.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package mondoo
-
-import (
-	"github.com/hashicorp/terraform/communicator/shared"
-	"github.com/hashicorp/terraform/terraform"
-	"github.com/mitchellh/mapstructure"
-)
-
-type sshConnInfo struct {
-	User       string
-	Password   string
-	PrivateKey string `mapstructure:"private_key"`
-	Host       string
-	Port       int
-}
-
-func tfConnInfo(s *terraform.InstanceState) (*sshConnInfo, error) {
-	connInfo := &sshConnInfo{}
-	decConf := &mapstructure.DecoderConfig{
-		WeaklyTypedInput: true,
-		Result:           connInfo,
-	}
-	dec, err := mapstructure.NewDecoder(decConf)
-	if err != nil {
-		return nil, err
-	}
-	if err := dec.Decode(s.Ephemeral.ConnInfo); err != nil {
-		return nil, err
-	}
-
-	// format the host if needed, needed for IPv6
-	connInfo.Host = shared.IpFormat(connInfo.Host)
-	return connInfo, nil
-}
diff --git a/terraform-provisioner-mondoo/test/noop/main.tf b/terraform-provisioner-mondoo/test/noop/main.tf
index ca066d36..2449b719 100644
--- a/terraform-provisioner-mondoo/test/noop/main.tf
+++ b/terraform-provisioner-mondoo/test/noop/main.tf
@@ -2,16 +2,16 @@ provider "null" {}
 
 resource "null_resource" "mondoo" {
   provisioner "mondoo" {
-    reporter = {
-      format = "yaml"
+    report = {
+      format = "cli"
     }
 
+    # this is for testing here, normallly this does not need to be overridden
     connection {
       type = "${var.conn}"
       host = "${var.host}"
       user = "${var.user}"
+      password = "${var.password}"
     }
-
-    on_failure = "continue"
   }
 }
\ No newline at end of file
diff --git a/terraform-provisioner-mondoo/test/noop/vars.tf b/terraform-provisioner-mondoo/test/noop/vars.tf
index d1bbed35..a1df42c8 100644
--- a/terraform-provisioner-mondoo/test/noop/vars.tf
+++ b/terraform-provisioner-mondoo/test/noop/vars.tf
@@ -10,6 +10,11 @@ variable "user" {
   default = "ec2-user"
 }
 
+variable "password" {
+  type    = "string"
+  default = ""
+}
+
 variable "host" {
   type    = "string"
   default = "52.31.244.47"
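Review bot: The comment added above the connection block in main.tf misspells "normally"; it should read `# this is for testing here, normally this does not need to be overridden`. The new `password = "${var.password}"` line only ever receives the empty default from vars.tf when the fixture is driven by the Makefile's test/noop target, which passes conn, user and host but no `-var password=...`, so the password path this commit wires up is not exercised by the test as committed; either the target should forward a password variable or the comment should say the field is a placeholder.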