Skip to content

feat: Enhance cloud inventory scripts with serverless and container counts#52

Open
bmeyer99 wants to merge 14 commits intoPaloAltoNetworks:mainfrom
bmeyer99:main
Open

feat: Enhance cloud inventory scripts with serverless and container counts#52
bmeyer99 wants to merge 14 commits intoPaloAltoNetworks:mainfrom
bmeyer99:main

Conversation

@bmeyer99
Copy link

@bmeyer99 bmeyer99 commented Apr 1, 2025

This PR enhances the cloud resource inventory scripts for AWS, Azure, GCP, OCI, and Alibaba Cloud. Key updates include:

  • Added counting for serverless functions across all providers (Lambda, Azure Functions, Cloud Functions, OCI Functions, Function Compute).
  • Enhanced AWS script to count EKS clusters, ECS clusters, running ECS tasks, and tagged EC2 Docker hosts.
  • Optimized OCI script using the oci search resource structured-search command.
  • Enhanced Alibaba script to count RDS and SLB instances.
  • Updated corresponding shellspec test files with new mocks and assertions to reflect script changes.
  • Updated code-security/README.md to recommend a newer Checkov version (3.0.0+).
  • Updated the main README.md to summarize recent script enhancements.

Motivation and Context

The primary motivation was to provide more comprehensive and accurate resource counts for Prisma Cloud sizing, particularly by including serverless functions which are increasingly common. Additionally, the changes aimed to:

  • Improve the accuracy and efficiency of scripts by using newer cloud provider APIs where applicable (OCI Search, Azure Resource Graph, GCP Cloud Asset Inventory).
  • Enhance container infrastructure visibility in AWS (EKS/ECS clusters, Docker hosts).
  • Ensure the scripts and documentation reflect current best practices and tool versions (Checkov).
  • Align the counted resources more consistently across different cloud providers.

How Has This Been Tested?

  • Documentation Verification: CLI commands, parameters, pagination methods, and output parsing for all added/modified functionality were verified against the latest official documentation for AWS CLI, Azure CLI, gcloud CLI, OCI CLI, Alibaba Cloud CLI, and Checkov.
  • Unit Testing (Mocks): The shellspec test files (spec/*.spec) for AWS, GCP, OCI, and Alibaba Cloud were updated. Mocks were created/modified for the relevant CLI commands (e.g., oci search, gcloud asset search, aws ecs list/describe, aws lambda list, aliyun fc-open, etc.). Test cases were updated to assert the expected counts based on these mocks, verifying the script's parsing and aggregation logic.
  • Note: Live testing against actual cloud environments was not performed as part of this development cycle. Testing relies on documentation verification and mocked CLI interactions.

Screenshots (if appropriate)

N/A

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have updated the documentation accordingly. (Main README, Code Security README)
  • I have read the CONTRIBUTING document. (Assuming this would be done by the PR author)
  • I have added tests to cover my changes if appropriate. (Spec files updated)
  • All new and existing tests passed. (Based on updated mocks)

bmeyer99 added 14 commits April 1, 2025 17:08
@bmeyer99
Update README files and add Azure, GCP, AWS resource counting script …
fe35181 
…with improved error handling
@bmeyer99
Refactor OCI resource counting script to use structured search for im…
2cfaab8 
…proved accuracy and efficiency
@bmeyer99
feat: Enhance and optimize cloud inventory scripts
9cec4a4 
This commit updates and optimizes the resource counting scripts for OCI, Alibaba Cloud, and AWS, and verifies existing Azure and GCP scripts against documentation.

Key changes include:

OCI:
- Refactored script to use efficient `oci search resource structured-search` command.
- Counts Compute Instances, DB Systems, and Load Balancers via a single query.

Alibaba Cloud:
- Added counting for RDS instances (`DescribeDBInstances`).
- Added counting for SLB instances (`DescribeLoadBalancers`).
- Retained per-region iteration due to lack of cross-service search API.

AWS:
- Added counting for EKS clusters (`list-clusters`).
- Added counting for ECS clusters (`list-clusters`).
- Added counting for running ECS tasks (`list-services`, `describe-services`).
- Added counting for EC2 instances tagged as Docker hosts (`describe-instances` with tag filter, default tag: DockerHost).
- Improved region iteration and error handling.

All Scripts:
- Verified CLI command usage, parameters, pagination, and output parsing against official documentation for OCI, Alibaba, AWS, Azure, and GCP scripts.
@bmeyer99
feat(aws): Add Lambda function counting to inventory script
8c90e4d 
Adds logic to count AWS Lambda functions within the specified region or across all active regions.

- Initializes `total_lambda_functions` counter.
- In `count_resources` (non-DSPM mode), iterates through regions and uses `aws lambda list-functions --no-paginate --query "Functions" --output json | jq 'length'` to get the count per region.
- Adds the Lambda function count to the final summary output.
@bmeyer99
feat(azure): Add Azure Function App counting
6a69bac
@bmeyer99
feat(gcp): Add Cloud Function counting
a5fbb9f
@bmeyer99
feat(oci): Add OCI Function counting
f7de186
@bmeyer99
feat(alibaba): Add Function Compute counting
8b3225a
@bmeyer99
refactor(gcp): Update spec file for Cloud Asset Inventory and Functions
50d935b
@bmeyer99
refactor(oci): Update spec file for search command and Functions
6d321f4
@bmeyer99
feat(alibaba): Update spec file for RDS, SLB, and Function Compute
956ff02
@bmeyer99
feat(aws): Enhance container and serverless counting in inventory script
f79ebf4
@bmeyer99
docs(checkov): Update recommended Checkov version in README
bc841a8
@bmeyer99
docs: Update main README with recent script enhancements
e6d5ca3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bmeyer99