New attack technique: Invoke Bedrock Model (#581)

* New attack technique: Invoke Bedrock Model

* Generate docs

* Use context.Background() instead of context.TODO()

* Simplify error handling logic

* Rename wrapper to be a package-visible struct only

* added detection recommendations

* fixed detection

* fixed detection

* fixed detection

* autogenerate docs

* Added call to GetFoundationModelAvailability

* Updated docs, including the Permiso article

* Add Permiso ref

* Error handling and avoid using context.TODO()

* Autogen docs

* Added calls to ListFoundationModelAgreementOffers, CreateFoundationModelAgreement, PutFoundationModelEntitlement

* changed idempotent to false

* Autogen docs

* Rework Bedrock attack

* autogenerate docs

* only create use-case and model agreement once per account

* Update docs

* Update docs and refactor signature functions

* Better error descriptions and remove incorrect status code check

* Refactor methods inside a struct

* Add detonation logs

* Revert unnecessary Go version changes

* Use go 1.21 in CI

* Fix CI

* Fix base Docker image

* Make final Stratus binary smaller by removing debug symbols

* Upgrade staticcheck

* Attempt using staticcheck 2023.1.4

* Install the appropriate Go version for staticcheck

* allow raw.githubusercontent.com network call in staticcheck CI

* Fix SAST findings

---------

Co-authored-by: Christophe Tafani-Dereeper <[email protected]>

Author: Brucedh

.github/workflows/docker.yml

@@ -32,6 +32,7 @@ jobs:
             pkg-containers.githubusercontent.com:443
             production.cloudflare.docker.com:443
             proxy.golang.org:443
+            sum.golang.org:443            
             registry-1.docker.io:443
             storage.googleapis.com:443
             *.actions.githubusercontent.com:443

.github/workflows/release.yml

@@ -41,7 +41,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: 1.19
+          go-version: 1.21
       - name: Run GoReleaser
         timeout-minutes: 60
         uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0

.github/workflows/static-analysis.yml

@@ -27,18 +27,15 @@ jobs:
             storage.googleapis.com:443
             sum.golang.org:443
             golang.org:443
+            sum.golang.org:443
             *.actions.githubusercontent.com:443
             objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
             go.dev:443
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
         with:
           fetch-depth: 1
-      - name: Set up Go
-        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
-        with:
-          go-version: 1.19
       - uses: dominikh/staticcheck-action@fe1dd0c3658873b46f8c9bb3291096a617310ca6
         with:
-          version: "2022.1"
-          install-go: false
+          install-go: true
           working-directory: "./v2"

.github/workflows/test.yml

@@ -26,6 +26,7 @@ jobs:
             objects.githubusercontent.com:443
             go.dev:443
             golang.org:443
+            sum.golang.org:443
             api.github.com:443
             *.actions.githubusercontent.com:443
       - name: Checkout repository
@@ -34,7 +35,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version: 1.19
+          go-version: 1.21
 
       - name: Run unit tests
         run: make test

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.20.4-alpine3.16@sha256:6469405d7297f82d56195c90a3270b0806ef4bd897aa0628477d9959ab97a577 AS builder
+FROM golang:1.21.13-alpine3.20@sha256:2414035b086e3c42b99654c8b26e6f5b1b1598080d65fd03c7f499552ff4dc94 AS builder
 ARG VERSION=dev-snapshot
 RUN mkdir /build
 RUN apk add --update make

Makefile

@@ -10,7 +10,7 @@ export GO111MODULE=on
 BIN_DIR := $(ROOT_DIR)/bin
 
 # Define go flags
-GOFLAGS := -ldflags="-X main.BuildVersion=$(BUILD_VERSION)"
+GOFLAGS := -ldflags="-X main.BuildVersion=$(BUILD_VERSION) -w"
 
 .PHONY: build docs test thirdparty-licenses mocks
 
@@ -44,4 +44,4 @@ mocks:
 	@cd v2 && mockery --name=StateManager --dir internal/state --output internal/state/mocks
 	@cd v2 && mockery --name=TerraformManager --dir pkg/stratus/runner --output pkg/stratus/runner/mocks
 	@cd v2 && mockery --name=FileSystem --structname FileSystemMock --dir internal/state --output internal/state/mocks
-	@echo "Mocks generated successfully."
+	@echo "Mocks generated successfully."

README.md

@@ -33,7 +33,7 @@ See the documentation at **[stratus-red-team.cloud](https://stratus-red-team.clo
 
 ### Direct install
 
-Requires Go 1.19+
+Requires Go 1.21+
 
 ```
 go install -v github.com/datadog/stratus-red-team/v2/cmd/stratus@latest