Riffdog Terraform scanner - finding 'things' in the Real World (aka AWS) which Terraform didn't put there.

Overview

riffdog

Riffdog Terraform / Reality scanner - finding 'things' in the Real World which Terraform didn't put there.

This project works by firstly loading your terraform state files - not your terraform files, and building a memory object that represents what terraform thinks it has deployed. The second step is then to access your environment and actually look what is there, and it builds another memory object.

Then it compares the two, and looks for:

  • Things that TF put there, but arn't there
  • Things that are there, that TF doesn't know about

For this to work, you must install a resouce pack, for instance riffdog_aws

Command line vs Library

Riffdog is both a command line tool and a python library. The command line tool basically creates a config object and calls the scan method.

To install (for example with the AWS resources)

$ pip install riffdog[aws]

To run:

$ riffdog -b bucketname_containing_states

For full command line reference, please see the docs #FIXME - link to docs!

Light vs Full Scan mode

AWS and Terraform are very complex: for instance, a EC2 instance is a computer, a collection of network cards, volumes, etc. In 'light' mode, we do a high level scan to see if all the main components are there - in 'full' mode, it inspects all elements (as far as RiffDog is aware of, see below) - i.e. checks that all network cards, volumes, etc are mounted as intended.

Ignores

Its important to realise that not all infrastructure is deployed via TF - for instance auto scaling, or service discovery systems may be interacting with your infrastructure, and this is OK, but you don't want RiffDog raising alerts on those.

Caveats:

This is pretty much always a work under development, as AWS adds more features modules etc. The system is designed to be modular, but we're only able to keep up with modules that we use - so if you use a feature of AWS that we don't scan please feel free to add a module. If you need help, please contact us or file a ticket.

Testing

Automated testing of this system is quite difficult. Ultimatly these are here to make sure that changes to internal data structures do not break other functions (e.g. some data objects such as network interfaces are used by multiple features: both EC2 instances and Lambdas). The real test is whether it works against the current Terraform and AWS API's, not a snapshot from previous years.

  • Tests go into the tests folder,
  • Tox is used to make sure compatibility with various versions of python & libraries
Comments
  • Run tests on GitHub actions

    Run tests on GitHub actions

    Since I added a couple of tests, would be nice to actually run them presumably on GH actions if we can.

    Also, I used pytest because it's much nicer than nose (is nose even still used nowadays)?

    opened by dreynolds 2
  • Change the to_scan module process

    Change the to_scan module process

    This is an issue where new modules need to be added - but does it make sense to actually require this setting, i.e. shouldn't it be based on what modules there are in the discovery mode? And then allow (in future) config to --exclude particular modules (or white list), but by default use all available modules?

    enhancement question 
    opened by jmons 2
  • Dynamic Module Loading & Registration

    Dynamic Module Loading & Registration

    This comes with some notes, and items which might want to be changed:

    1. New 'resource' (was called modules) go into the resources folder. EAch file should contain One (or more) classes
    2. Should implement the Resource class - I've steered clear of "aws" terminology here so that in future resources can be for anything - I've used 'terraform' for the terraform and 'real' for things that actually exist (or don't)... (debate naming strategy)
    3. must decorate the class with the register decorator so that it links the state file to the class.

    Nothing else is needed - the class instance management is handled by the scanner, and it will find all classes in that folder.

    What I think is very much up for debate is this particular class interface - I don't think you can get away from the 'process state' (which is process an element in the state, not process the entire state file) being called multiple times, but perhaps the fetch_real_resources shouldn't take 'region' but a config, and in that config if its AWS it looks for aws_regions or something?

    from ..resource import Resource, register
    
    @register("aws-name-in-state-file")
    class MyResource(Resource):
        _local_real_things = {}
        _local_terraform_things = {} 
    
        def fetch_real_resources(self, region):
            # This may be called multiple times for each region in the scan list
            # i.e. append
            raise NotImplementedError()
    
        def process_state_resource(state_resource):
            # This function is called potentilly multiple times as each resource
            # is discovered by the state scanner i.e. append results to local store
            raise NotImplementedError()
    
        def compare(self, depth):
            # this function should be called once, take the local data and return
            # an array of result elements.
            raise NotImplementedError()
    

    More code cleanup is probably possible, I think I got all the debug entries into debug (don't try running with -vvv unless you're very brave (boto debug output becomes manic - fixing that requires a full logging config i.e. waiting for the configure file ticket).

    enhancement 
    opened by jmons 2
  • Fix `--exclude-resource` support and add `--include-resource` support

    Fix `--exclude-resource` support and add `--include-resource` support

    Fixes #45 If anything is in include-resource it completely overrides exclude-resource so it's like starting from a blank list.

    I went for --include-resource instead of --only so that the arguments are logically matched with --exclude-resource

    Happy to change if others disagree

    opened by dreynolds 1
  • Logging initialisation (First & Second Arg Parse)

    Logging initialisation (First & Second Arg Parse)

    Logging is not initialised until the Second argparse, which means logging in the initial import scan is impossible. This means exceptions in the import are completely silent and ignored.

    Some arguments need to be in both first and second - first to be parsed and second so the help works. Perhaps all core arguments?

    bug 
    opened by jmons 1
  • Framework to handle modules arguments

    Framework to handle modules arguments

    --region is really an aws argument - i.e. --aws_region but how does argparser (which hasn't had the module scanner run) know what the extra arguments are? Does it need to run twice, once before and one after loading?

    enhancement 
    opened by jmons 1
  • Adding basics for RDS Clusters (cluster, instances and param groups)

    Adding basics for RDS Clusters (cluster, instances and param groups)

    Implements https://github.com/jmons/riffdog/issues/17

    Added

    • RDS Cluster basics (cluster, instances, parameter groups.

    Fixed

    • Minor bug where the ResourceDirectory didnt have self in its str.
    • In order to support foldered module structure, the dynamic importing has changed a little.
    opened by Jamian 1
  • Documentation & Homepage revamp

    Documentation & Homepage revamp

    Giant homepage and docs revamp

    • making the home page more welcoming / project home page
    • added youtube video link (video needs review as well, see dm's)
    • added mailchimp (this may need a patch) for signup to news etc
    • added core team

    Then

    • fixed some of the help docs with some examples - because --help is quite good but brief, perhaps the command line reference morphs to being some tips and tricks type help? Don't want to really duplicate the wording of --help?
    • updated release notes to include the 0.1.0 release.
    opened by jmons 0
  • Initial command line tests using resource pack and module loader.

    Initial command line tests using resource pack and module loader.

    This is a relatively larger refactor

    1. It removes support for v3 state file (see #55 )
    2. It adds support for a file based state (and folder based state) - these don't have a named arguments but just go on the end of the command.
    3. it also adds support for the -b option to be a single folder or path e.g. -b bucketname/folder/ which speeds up dev/testing, especially with the --include-resource
    4. It fixes a bug in the alias - where before we had a bug that the --include-resource option did not apply to the scanning in state files, that fix introduced a new one where it excluded aliased. This fix now means that it will be included if the 'root' is in the list.

    In terms of testing, it now contains 2 state files, so when testing the core you can now do

    $ pip install -e tests/test_resource_pack
    $ riffdog -i test_resource_pack tests/test_state_files/
    

    The tox tests install the resource pack & then check that a scan finds the right items etc.

    opened by jmons 0
  • Bucket to Scan Hard Coded

    Bucket to Scan Hard Coded

    Looks like last merge we accidentally left in some code that was there to help with local devving. Flipping that back out (commenting it) and uncommenting the actual, release ready code that scans buckets dynamically.

    opened by Jamian 0
  • Revisit `--exclude` and create an `--only` option

    Revisit `--exclude` and create an `--only` option

    Using --exclude is more difficult now there are lots of resources - instead we should consider using an --only element to specify.

    I don't like the word --only though so feedback and ideas here appreciated.

    enhancement hot 
    opened by jmons 0
  • Proposal: Drop State file V3 support

    Proposal: Drop State file V3 support

    Whilst I added explicit support for V3 state files in 0.1.0, it seems that the structure of the individual states in the file are not compatible with V4- I had assumed they were because v4 states have schema_versions set to 0, which I assumed meant the state structure hadn't changed.

    But they have.

    In an upcoming PR, I have removed support for v3- explicitly with a warning.

    I think we need to set an overall output flag and change the table to indicate that there were states which look like tf states but we could not understand - but I think this ties into a statistics output so that a user knows what 'coverage' they are getting of their environment.

    documentation enhancement hot 
    opened by jmons 2
  • Dirty Reasons (not just a flag)

    Dirty Reasons (not just a flag)

    Implement a framework on the FoundItem (and then outputs) to store a Dirty Reason list, so that you know why a thing is dirty, not just given a flag.

    Consider output, and also perhaps guidance how to use it so outputs are concise.

    enhancement hot 
    opened by jmons 0
  • Investigate potential conflict of `depends_on` and `--exclude-resource`

    Investigate potential conflict of `depends_on` and `--exclude-resource`

    Consider the edge case:

    class Foo:
         ...
    
    class Bar:
        depends_on = [Foo]
        ...
    

    and then $ riffdog --exclude-resource Foo

    I think without checking that this means foo's real gets executed even though its states got ignored (?) (or it will error because Foo wasn't registered, not sure where the --exclude kicks in).

    question 
    opened by jmons 0
  • Config File Support

    Config File Support

    At the moment we're heading rapidly towards using just command line arguments, but I think we need to support a config file especially as we head towards more complex arguments such as AWS credentials etc.

    What do we want for this? YAML? (and then problems with yaml library imports - the pyyaml parser seems to have a lot of security patches which are mostly irrelevant in our case, but looks bad if we don't roll updates).

    enhancement 
    opened by jmons 1
  • Output to HTML

    Output to HTML

    It would be nice for this to have the option to generate a pretty output in HTML form. Useful if running this in an automated environment and you want to be able to link to a page/report. Something that is a bit more human friendly.

    One suggestion was to use Jinja and have it as optional?

    enhancement hot 
    opened by Jamian 2
Releases(0.1.0)
  • 0.1.0(Mar 2, 2020)

    Welcome to the beta release of Riffdog.

    To install this, please follow the guide - you will need at least one 'resource pack', and at the time of writing only the riffdog_aws resource pack exists.

    pip install riffdog[aws]

    Then to run:

    riffdog -b bucket_name_containing_states --show-matched

    Major changes:

    • The return data structure is radically different to before, which makes resource pack developers life easier.
    • Streamlined tabulated data outputs.
    • Introduced 'dirty' flag to indicate where resources exist, but do not match in some form of sub-data element.
    Source code(tar.gz)
    Source code(zip)
Owner
Riffdog
Community to support the riffdog app, riffdog plugins and associated repositories.
Riffdog
A program that automates the boring parts of completing the Daily accounting spreadsheet at Taos Ski Valley

TSV_Daily_App A program that automates the boring parts of completing the Daily accounting spreadsheet at my old job. To see how it works you will nee

Devin Beck 2 Jan 01, 2022
Trading bot - A Trading bot With Python

Trading_bot Trading bot intended for 1) Tracking current prices of tokens 2) Set

Tymur Kotkov 29 Dec 01, 2022
Bot Maker For Discord - Python Edition

BMFD-PE Bot Maker For Discord - Python Edition BMFD-PE is a new version of BMFD write in Python The Version of BMFD-PE is : alpha0.1 Longer support :

Téo 2 Dec 22, 2021
A tool written in Python used to instalock agents in VALORANT using the local API.

Valorant Instalock Tool v2.1.0 by Mr. SOSA A tool written in Python used to instalock agents in VALORANT using the local API. This is NOT a hotkey pro

Mr. SOSA 3 Nov 18, 2021
Python CMR is an easy to use wrapper to the NASA EOSDIS Common Metadata Repository API.

This repository is a copy of jddeal/python_cmr which is no longer maintained. It has been copied here with the permission of the original author for t

NASA 9 Nov 16, 2022
ShoukoKomiRobot - An anime themed telegram bot that can convert telegram media

ShoukoKomiRobot • 𝕎𝕣𝕚𝕥𝕥𝕖𝕟 𝕀𝕟 Python3 • 𝕃𝕚𝕓𝕣𝕒𝕣𝕪 𝕌𝕤𝕖𝕕 Pyrogram

25 Aug 14, 2022
List of twitch bots n bigots

This is a collection of bot account names NamelistMASTER contains all the names we reccomend you ban in your channel Sometimes people get on that list

62 Sep 05, 2021
A Python library for rendering ASS subtitle file format using libass.

ass_renderer A Python library for rendering ASS subtitle file format using libass. Installation pip install --user ass-renderer Contributing # Clone

1 Nov 02, 2022
A simple python oriented telegram bot to give out creative font style's

Font-Bot A simple python oriented telegram bot to give out creative font style's REQUIREMENTS tgcrypto pyrogram==1.2.9 Installation Fork this reposito

BL4CK H47 4 Jan 30, 2022
Python app to notify via slack channel the status_code change from an URL

Python app to notify, via slack channel you choose to be notified, for the status_code change from the URL list you setup to be checked every yy seconds

Pedro Nunes 1 Oct 25, 2021
Python Library for Secp256k1 Bitcoin curve to do fast ECC calculation

secp256k1 Python Library for Secp256k1 Bitcoin curve to do fast ECC calculation Example Usage import secp256k1 as ice print('[C]',privatekey_to_addres

iceland 49 Jan 01, 2023
Rapid Sms Bomber For Indian Number.

Bombzilla Rapid Sms Bomber For Indian Number. Installation git clone https://github.com/sarv99/Bombzilla cd Bombzilla chmod +x setup.sh ./setup.sh Af

Saurav Jangid 1 Jan 12, 2022
Weather telegram bot with aiogram, on Russian language

weather_bot Weather telegram bot with aiogram, on Russian language #RU Бот по определению погоды в Telegram, написана на библиотеке aiogram, весь инте

LinkxWan 0 Jan 06, 2022
May or may not be work🚶

AnyDLBot There are multiple things I can do: 👉 All Supported Video Formats of https://rg3.github.io/youtube-dl/supportedsites.html 👉 Upload as file

Arun 2 Nov 16, 2021
⚔️ Fastest tibia bot API

📝 Description tibia bot api using python ⌨ Development ⚙ Running the app python bot.py ✅ ROADMAP Add confidence to floor level to have more accuracy

Lucas Santos 133 Dec 28, 2022
Auto Join: A GitHub action script to automatically invite everyone to the organization who comment at the issue page.

Auto Invite To Org By Issue Comment A GitHub action script to automatically invite everyone to the organization who comment at the issue page. What is

Max Base 6 Jun 08, 2022
Python client library for Google Maps API Web Services

Python Client for Google Maps Services Description Use Python? Want to geocode something? Looking for directions? Maybe matrices of directions? This l

Google Maps 3.8k Jan 01, 2023
Demo of using Telegram to send alert message

MIAI_Telegram Demo of using Telegram to send alert message Video link: https://youtu.be/oZ9CsIrlMgg #MìAI Fanpage: http://facebook.com/miaiblog Group

4 Jun 20, 2021
SongLink Discord Bot - Discord bot to share music links easily

SongLink_Discord_Bot Discord bot to share music links easily. Take a link from y

Edgar Lefevre 4 Feb 18, 2022
Yet another discord-BOT

Note I have not added comments to the initial code as it is for my educational purpose. Use This is the code for a discord-BOT API py-cord-2.0.0a4178+

IRONMELTS 1 Dec 18, 2021