✨ Add AWS VPC subnet resource (#1827)

Signed-off-by: Marius Kimmina <[email protected]>

providers/aws/resources/aws.lr

@@ -50,6 +50,8 @@ private aws.vpc @defaults("arn isDefault") {
   flowLogs() []aws.vpc.flowlog
   // List of route tables for the VPC
   routeTables() []aws.vpc.routetable
+  // List of subnets for the VPC
+  subnets() []aws.vpc.subnet
   // Tags on the VPC
   tags map[string]string
 }
@@ -62,6 +64,18 @@ private aws.vpc.routetable @defaults("id") {
   routes []dict
 }
 
+// Amazon Virtual Private Cloud (VPC) Subnet
+private aws.vpc.subnet @defaults("arn") {
+  // ARN of the subnet
+  arn string
+  // Unique ID of the subnet
+  id string
+  // A list of CIDR descriptions
+  cidrs string
+  // Indicates whether instances launched in this subnet receive a public IPv4 address
+  mapPublicIpOnLaunch bool
+}
+
 // Amazon Virtual Private Cloud (VPC) Flow Log
 private aws.vpc.flowlog @defaults("id region status") {
   // Unique ID of the flow log

providers/aws/resources/aws.lr.manifest.yaml

@@ -2169,6 +2169,8 @@ resources:
       region: {}
       routeTables: {}
       state: {}
+      subnets:
+        min_mondoo_version: 9.0.0
       tags: {}
     is_private: true
     min_mondoo_version: 5.15.0
@@ -2196,3 +2198,14 @@ resources:
     platform:
       name:
       - aws
+  aws.vpc.subnet:
+    fields:
+      arn: {}
+      cidrs: {}
+      id: {}
+      mapPublicIpOnLaunch: {}
+    is_private: true
+    min_mondoo_version: 9.0.0
+    platform:
+      name:
+      - aws

providers/aws/resources/aws_vpc.go

@@ -180,6 +180,48 @@ func (a *mqlAwsVpc) routeTables() ([]interface{}, error) {
 	return res, nil
 }
 
+func (a *mqlAwsVpcSubnet) id() (string, error) {
+	return a.Arn.Data, nil
+}
+
+func (a *mqlAwsVpc) subnets() ([]interface{}, error) {
+	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
+	vpcVal := a.Id.Data
+
+	svc := conn.Ec2(a.Region.Data)
+	ctx := context.Background()
+	res := []interface{}{}
+
+	nextToken := aws.String("no_token_to_start_with")
+	filterName := "vpc-id"
+	params := &ec2.DescribeSubnetsInput{Filters: []vpctypes.Filter{{Name: &filterName, Values: []string{vpcVal}}}}
+	for nextToken != nil {
+		subnets, err := svc.DescribeSubnets(ctx, params)
+		if err != nil {
+			return nil, err
+		}
+		nextToken = subnets.NextToken
+		if subnets.NextToken != nil {
+			params.NextToken = nextToken
+		}
+
+		for _, subnet := range subnets.Subnets {
+			subnetResource, err := CreateResource(a.MqlRuntime, "aws.vpc.subnet",
+				map[string]*llx.RawData{
+					"arn":                 llx.StringData(fmt.Sprintf(subnetArnPattern, a.Region.Data, conn.AccountId(), convert.ToString(subnet.SubnetId))),
+					"id":                  llx.StringData(convert.ToString(subnet.SubnetId)),
+					"cidrs":               llx.StringData(*subnet.CidrBlock),
+					"mapPublicIpOnLaunch": llx.BoolData(*subnet.MapPublicIpOnLaunch),
+				})
+			if err != nil {
+				return nil, err
+			}
+			res = append(res, subnetResource)
+		}
+	}
+	return res, nil
+}
+
 func initAwsVpc(runtime *plugin.Runtime, args map[string]*llx.RawData) (map[string]*llx.RawData, plugin.Resource, error) {
 	if len(args) > 2 {
 		return args, nil, nil

providers/aws/resources/shared.go

@@ -36,6 +36,7 @@ const (
 	networkAclArnPattern        = "arn:aws:ec2:%s:%s:network-acl/%s"
 	imageArnPattern             = "arn:aws:ec2:%s:%s:image/%s"
 	keypairArnPattern           = "arn:aws:ec2:%s:%s:keypair/%s"
+	subnetArnPattern            = "arn:aws:ec2:%s:%s:subnet/%s"
 	s3ArnPattern                = "arn:aws:s3:::%s"
 	dynamoTableArnPattern       = "arn:aws:dynamodb:%s:%s:table/%s"
 	limitsArn                   = "arn:aws:dynamodb:%s:%s"