GCP Assets Inventory integration fetcher (#2460)

Author: orouz

internal/flavors/assetinventory/strategy.go

@@ -30,9 +30,12 @@ import (
 	"github.com/elastic/cloudbeat/internal/inventory"
 	"github.com/elastic/cloudbeat/internal/inventory/awsfetcher"
 	"github.com/elastic/cloudbeat/internal/inventory/azurefetcher"
+	"github.com/elastic/cloudbeat/internal/inventory/gcpfetcher"
 	"github.com/elastic/cloudbeat/internal/resources/providers/awslib"
 	"github.com/elastic/cloudbeat/internal/resources/providers/azurelib"
 	azure_auth "github.com/elastic/cloudbeat/internal/resources/providers/azurelib/auth"
+	gcp_auth "github.com/elastic/cloudbeat/internal/resources/providers/gcplib/auth"
+	gcp_inventory "github.com/elastic/cloudbeat/internal/resources/providers/gcplib/inventory"
 )
 
 type Strategy interface {
@@ -54,7 +57,7 @@ func (s *strategy) NewAssetInventory(ctx context.Context, client beat.Client) (i
 	case config.ProviderAzure:
 		fetchers, err = s.initAzureFetchers(ctx)
 	case config.ProviderGCP:
-		err = fmt.Errorf("GCP branch not implemented")
+		fetchers, err = s.initGcpFetchers(ctx)
 	case "":
 		err = fmt.Errorf("missing config.v1.asset_inventory_provider setting")
 	default:
@@ -99,6 +102,20 @@ func (s *strategy) initAzureFetchers(_ context.Context) ([]inventory.AssetFetche
 	return azurefetcher.New(s.logger, provider, azureConfig), nil
 }
 
+func (s *strategy) initGcpFetchers(ctx context.Context) ([]inventory.AssetFetcher, error) {
+	cfgProvider := &gcp_auth.ConfigProvider{AuthProvider: &gcp_auth.GoogleAuthProvider{}}
+	gcpConfig, err := cfgProvider.GetGcpClientConfig(ctx, s.cfg.CloudConfig.Gcp, s.logger)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize gcp config: %w", err)
+	}
+	inventoryInitializer := &gcp_inventory.ProviderInitializer{}
+	provider, err := inventoryInitializer.Init(ctx, s.logger, *gcpConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize gcp asset inventory: %v", err)
+	}
+	return gcpfetcher.New(s.logger, provider), nil
+}
+
 func GetStrategy(logger *logp.Logger, cfg *config.Config) Strategy {
 	return &strategy{
 		logger: logger,

internal/inventory/ASSETS.md

@@ -162,9 +162,9 @@ Infrastructure: 27% (12/43)
 
 ## GCP Resources
 
-**Progress: 0% (0/25)**
-Identity: 0% (0/4)
-Infrastructure: 0% (0/20)
+**Progress: 36% (9/25)**
+Identity: 50% (2/4)
+Infrastructure: 35% (7/20)
 Management: 0% (0/1)
 
 <details> <summary>Full table</summary>
@@ -173,28 +173,28 @@ Management: 0% (0/1)
 |---|---|---|---|---|
 | Identity | Access Management | IAM Policy | GCP IAM Policy | No ❌ |
 | Identity | Access Management | IAM Role | GCP IAM Role | No ❌ |
-| Identity | Service Identity | Service Account Key | GCP Service Account Key | No ❌ |
-| Identity | Service Identity | Service Account | GCP Service Account | No ❌ |
-| Infrastructure | Compute | Virtual Machine | GCP Instance | No ❌ |
+| Identity | Service Identity | Service Account Key | GCP Service Account Key | Yes ✅ |
+| Identity | Service Identity | Service Account | GCP Service Account | Yes ✅ |
+| Infrastructure | Compute | Virtual Machine | GCP Instance | Yes ✅ |
 | Infrastructure | Container | Orchestration | GKE Cluster | No ❌ |
 | Infrastructure | Container | Serverless | GCP Cloud Run Service | No ❌ |
-| Infrastructure | Management | Cloud Account | GCP Organization | No ❌ |
-| Infrastructure | Management | Cloud Account | GCP Project | No ❌ |
-| Infrastructure | Management | Resource Hierarchy | GCP Folder | No ❌ |
+| Infrastructure | Management | Cloud Account | GCP Organization | Yes ✅ |
+| Infrastructure | Management | Cloud Account | GCP Project | Yes ✅ |
+| Infrastructure | Management | Resource Hierarchy | GCP Folder | Yes ✅ |
 | Infrastructure | Network | DNS | GCP DNS Record Set | No ❌ |
 | Infrastructure | Network | DNS | GCP DNS Zone | No ❌ |
 | Infrastructure | Network | Firewall Rule | GCP IP Rule | No ❌ |
-| Infrastructure | Network | Firewall | GCP Firewall | No ❌ |
+| Infrastructure | Network | Firewall | GCP Firewall | Yes ✅ |
 | Infrastructure | Network | Firewall | GCP Network Tag | No ❌ |
 | Infrastructure | Network | IP Address Range | IP Range | No ❌ |
 | Infrastructure | Network | Load Balancing | GCP Compute Target Pool | No ❌ |
 | Infrastructure | Network | Load Balancing | GCP Forwarding Rule | No ❌ |
 | Infrastructure | Network | Network Interface | GCP Network Interface | No ❌ |
 | Infrastructure | Network | Network Interface | GCP Network Interface Access Config | No ❌ |
-| Infrastructure | Network | Subnet | GCP Subnet | No ❌ |
+| Infrastructure | Network | Subnet | GCP Subnet | Yes ✅ |
 | Infrastructure | Network | Virtual Network | GCP VPC | No ❌ |
 | Infrastructure | Serverless | Function | GCP Cloud Function | No ❌ |
-| Infrastructure | Storage | Object Storage | GCP Bucket | No ❌ |
+| Infrastructure | Storage | Object Storage | GCP Bucket | Yes ✅ |
 | Management | Resource Management | Label | GCP Bucket Label | No ❌ |
 
 </details>

internal/inventory/asset.go

@@ -40,6 +40,7 @@ const (
 	SubCategoryMessaging       AssetSubCategory = "messaging"
 	SubCategoryNetwork         AssetSubCategory = "network"
 	SubCategoryStorage         AssetSubCategory = "storage"
+	SubCategoryServiceIdentity AssetSubCategory = "service-identity"
 )
 
 // AssetType is used to build the document index. Use only numbers, letters and dashes (-)
@@ -72,6 +73,9 @@ const (
 	TypeVirtualMachine      AssetType = "virtual-machine"
 	TypeVirtualNetwork      AssetType = "virtual-network"
 	TypeWebApplication      AssetType = "web-application"
+	TypeServiceAccount      AssetType = "service-account"
+	TypeServiceAccountKey   AssetType = "service-account-key"
+	TypeResourceHierarchy   AssetType = "resource-hierarchy"
 )
 
 // AssetSubType is used to build the document index. Use only numbers, letters and dashes (-)
@@ -115,11 +119,21 @@ const (
 	SubTypeVpc                      AssetSubType = "vpc"
 	SubTypeVpcAcl                   AssetSubType = "s3-access-control-list"
 	SubTypeVpcPeeringConnection     AssetSubType = "vpc-peering-connection"
+	SubTypeGcpProject               AssetSubType = "gcp-project"
+	SubTypeGcpInstance              AssetSubType = "gcp-instance"
+	SubTypeGcpSubnet                AssetSubType = "gcp-subnet"
+	SubTypeGcpFirewall              AssetSubType = "gcp-firewall"
+	SubTypeGcpBucket                AssetSubType = "gcp-bucket"
+	SubTypeGcpOrganization          AssetSubType = "gcp-organization"
+	SubTypeGcpFolder                AssetSubType = "gcp-folder"
+	SubTypeGcpServiceAccount        AssetSubType = "gcp-service-account"
+	SubTypeGcpServiceAccountKey     AssetSubType = "gcp-service-account-key"
 )
 
 const (
 	AwsCloudProvider   = "aws"
 	AzureCloudProvider = "azure"
+	GcpCloudProvider   = "gcp"
 )
 
 // AssetClassification holds the taxonomy of an asset
@@ -171,6 +185,17 @@ var (
 	AssetClassificationAzureSubscription        = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryManagement, Type: TypeCloudAccount, SubType: SubTypeAzureSubscription}
 	AssetClassificationAzureTenant              = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryManagement, Type: TypeCloudAccount, SubType: SubTypeAzureTenant}
 	AssetClassificationAzureVirtualMachine      = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryCompute, Type: TypeVirtualMachine, SubType: SubTypeAzureVirtualMachine}
+
+	// GCP
+	AssetClassificationGcpProject           = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryManagement, Type: TypeCloudAccount, SubType: SubTypeGcpProject}
+	AssetClassificationGcpOrganization      = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryManagement, Type: TypeCloudAccount, SubType: SubTypeGcpOrganization}
+	AssetClassificationGcpFolder            = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryManagement, Type: TypeResourceHierarchy, SubType: SubTypeGcpFolder}
+	AssetClassificationGcpInstance          = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryCompute, Type: TypeVirtualMachine, SubType: SubTypeGcpInstance}
+	AssetClassificationGcpBucket            = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryStorage, Type: TypeObjectStorage, SubType: SubTypeGcpBucket}
+	AssetClassificationGcpFirewall          = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryNetwork, Type: TypeFirewall, SubType: SubTypeGcpFirewall}
+	AssetClassificationGcpSubnet            = AssetClassification{Category: CategoryInfrastructure, SubCategory: SubCategoryNetwork, Type: TypeSubnet, SubType: SubTypeGcpSubnet}
+	AssetClassificationGcpServiceAccount    = AssetClassification{Category: CategoryIdentity, SubCategory: SubCategoryServiceIdentity, Type: TypeServiceAccount, SubType: SubTypeGcpServiceAccount}
+	AssetClassificationGcpServiceAccountKey = AssetClassification{Category: CategoryIdentity, SubCategory: SubCategoryServiceIdentity, Type: TypeServiceAccountKey, SubType: SubTypeGcpServiceAccountKey}
 )
 
 // AssetEvent holds the whole asset
@@ -210,21 +235,27 @@ type AssetNetwork struct {
 
 // AssetCloud contains information about the cloud provider
 type AssetCloud struct {
-	AvailabilityZone *string             `json:"availability_zone,omitempty"`
-	Provider         string              `json:"provider,omitempty"`
-	Region           string              `json:"region,omitempty"`
-	Account          AssetCloudAccount   `json:"account"`
-	Instance         *AssetCloudInstance `json:"instance,omitempty"`
-	Machine          *AssetCloudMachine  `json:"machine,omitempty"`
-	Project          *AssetCloudProject  `json:"project,omitempty"`
-	Service          *AssetCloudService  `json:"service,omitempty"`
+	AvailabilityZone *string                `json:"availability_zone,omitempty"`
+	Provider         string                 `json:"provider,omitempty"`
+	Region           string                 `json:"region,omitempty"`
+	Account          AssetCloudAccount      `json:"account"`
+	Organization     AssetCloudOrganization `json:"organization,omitempty"`
+	Instance         *AssetCloudInstance    `json:"instance,omitempty"`
+	Machine          *AssetCloudMachine     `json:"machine,omitempty"`
+	Project          *AssetCloudProject     `json:"project,omitempty"`
+	Service          *AssetCloudService     `json:"service,omitempty"`
 }
 
 type AssetCloudAccount struct {
 	Id   string `json:"id,omitempty"`
 	Name string `json:"name,omitempty"`
 }
 
+type AssetCloudOrganization struct {
+	Id   string `json:"id,omitempty"`
+	Name string `json:"name,omitempty"`
+}
+
 type AssetCloudInstance struct {
 	Id   string `json:"id,omitempty"`
 	Name string `json:"name,omitempty"`

internal/inventory/gcpfetcher/fetcher_assets.go

@@ -0,0 +1,100 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package gcpfetcher
+
+import (
+	"context"
+
+	"github.com/elastic/elastic-agent-libs/logp"
+
+	"github.com/elastic/cloudbeat/internal/inventory"
+	gcpinventory "github.com/elastic/cloudbeat/internal/resources/providers/gcplib/inventory"
+)
+
+type (
+	assetsInventory struct {
+		logger   *logp.Logger
+		provider inventoryProvider
+	}
+	inventoryProvider interface {
+		ListAllAssetTypesByName(ctx context.Context, assets []string) ([]*gcpinventory.ExtendedGcpAsset, error)
+	}
+	ResourcesClassification struct {
+		assetType      string
+		classification inventory.AssetClassification
+	}
+)
+
+var ResourcesToFetch = []ResourcesClassification{
+	{gcpinventory.CrmOrgAssetType, inventory.AssetClassificationGcpOrganization},
+	{gcpinventory.CrmFolderAssetType, inventory.AssetClassificationGcpFolder},
+	{gcpinventory.CrmProjectAssetType, inventory.AssetClassificationGcpProject},
+	{gcpinventory.ComputeInstanceAssetType, inventory.AssetClassificationGcpInstance},
+	{gcpinventory.ComputeFirewallAssetType, inventory.AssetClassificationGcpFirewall},
+	{gcpinventory.StorageBucketAssetType, inventory.AssetClassificationGcpBucket},
+	{gcpinventory.ComputeSubnetworkAssetType, inventory.AssetClassificationGcpSubnet},
+	{gcpinventory.IamServiceAccountAssetType, inventory.AssetClassificationGcpServiceAccount},
+	{gcpinventory.IamServiceAccountKeyAssetType, inventory.AssetClassificationGcpServiceAccountKey},
+}
+
+func newAssetsInventoryFetcher(logger *logp.Logger, provider inventoryProvider) inventory.AssetFetcher {
+	return &assetsInventory{
+		logger:   logger,
+		provider: provider,
+	}
+}
+
+func (f *assetsInventory) Fetch(ctx context.Context, assetChan chan<- inventory.AssetEvent) {
+	for _, r := range ResourcesToFetch {
+		f.fetch(ctx, assetChan, r.assetType, r.classification)
+	}
+}
+
+func (f *assetsInventory) fetch(ctx context.Context, assetChan chan<- inventory.AssetEvent, assetType string, classification inventory.AssetClassification) {
+	f.logger.Infof("Fetching %s", assetType)
+	defer f.logger.Infof("Fetching %s - Finished", assetType)
+
+	gcpAssets, err := f.provider.ListAllAssetTypesByName(ctx, []string{assetType})
+	if err != nil {
+		f.logger.Errorf("Could not fetch %s: %v", assetType, err)
+		return
+	}
+
+	for _, item := range gcpAssets {
+		assetChan <- inventory.NewAssetEvent(
+			classification,
+			[]string{item.Name},
+			item.Name,
+			inventory.WithRawAsset(item),
+			inventory.WithCloud(inventory.AssetCloud{
+				Provider: inventory.GcpCloudProvider,
+				Account: inventory.AssetCloudAccount{
+					Id:   item.CloudAccount.AccountId,
+					Name: item.CloudAccount.AccountName,
+				},
+				Organization: inventory.AssetCloudOrganization{
+					Id:   item.CloudAccount.OrganisationId,
+					Name: item.CloudAccount.OrganizationName,
+				},
+				Service: &inventory.AssetCloudService{
+					Name: assetType,
+				},
+			}),
+		)
+	}
+}

internal/inventory/gcpfetcher/fetcher_assets_test.go

@@ -0,0 +1,77 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package gcpfetcher
+
+import (
+	"testing"
+
+	"cloud.google.com/go/asset/apiv1/assetpb"
+	"github.com/elastic/elastic-agent-libs/logp"
+	"github.com/samber/lo"
+	"github.com/stretchr/testify/mock"
+
+	"github.com/elastic/cloudbeat/internal/inventory"
+	"github.com/elastic/cloudbeat/internal/inventory/testutil"
+	"github.com/elastic/cloudbeat/internal/resources/fetching"
+	gcpinventory "github.com/elastic/cloudbeat/internal/resources/providers/gcplib/inventory"
+)
+
+func TestAccountFetcher_Fetch_Assets(t *testing.T) {
+	logger := logp.NewLogger("gcpfetcher_test")
+	assets := []*gcpinventory.ExtendedGcpAsset{
+		{
+			Asset: &assetpb.Asset{
+				Name: "/projects/<project UUID>/some_resource", // name is the ID
+			},
+			CloudAccount: &fetching.CloudAccountMetadata{
+				AccountId:        "<project UUID>",
+				AccountName:      "<project name>",
+				OrganisationId:   "<org UUID>",
+				OrganizationName: "<org name>",
+			},
+		},
+	}
+
+	expected := lo.Map(ResourcesToFetch, func(r ResourcesClassification, _ int) inventory.AssetEvent {
+		return inventory.NewAssetEvent(
+			r.classification,
+			[]string{"/projects/<project UUID>/some_resource"},
+			"/projects/<project UUID>/some_resource",
+			inventory.WithRawAsset(assets[0]),
+			inventory.WithCloud(inventory.AssetCloud{
+				Provider: inventory.GcpCloudProvider,
+				Account: inventory.AssetCloudAccount{
+					Id:   "<project UUID>",
+					Name: "<project name>",
+				},
+				Organization: inventory.AssetCloudOrganization{
+					Id:   "<org UUID>",
+					Name: "<org name>",
+				},
+				Service: &inventory.AssetCloudService{
+					Name: r.assetType,
+				},
+			}),
+		)
+	})
+
+	provider := newMockInventoryProvider(t)
+	provider.EXPECT().ListAllAssetTypesByName(mock.Anything, mock.AnythingOfType("[]string")).Return(assets, nil)
+	fetcher := newAssetsInventoryFetcher(logger, provider)
+	testutil.CollectResourcesAndMatch(t, fetcher, expected)
+}

internal/inventory/gcpfetcher/gcpfetchers.go

@@ -0,0 +1,31 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package gcpfetcher
+
+import (
+	"github.com/elastic/elastic-agent-libs/logp"
+
+	"github.com/elastic/cloudbeat/internal/inventory"
+	gcpinventory "github.com/elastic/cloudbeat/internal/resources/providers/gcplib/inventory"
+)
+
+func New(logger *logp.Logger, provider gcpinventory.ServiceAPI) []inventory.AssetFetcher {
+	return []inventory.AssetFetcher{
+		newAssetsInventoryFetcher(logger, provider),
+	}
+}