✨ Add AWS VPC Endpoints

Signed-off-by: Marius Kimmina <[email protected]>

providers/aws/resources/aws.lr

@@ -46,6 +46,8 @@ private aws.vpc @defaults("arn isDefault") {
   isDefault bool
   // Region the VPC exists in
   region string
+  // A list of endpoints for the VPC
+  endpoints() []aws.vpc.endpoint
   // A list of flowlogs for the VPC
   flowLogs() []aws.vpc.flowlog
   // List of route tables for the VPC
@@ -62,6 +64,22 @@ private aws.vpc.routetable @defaults("id") {
   routes []dict
 }
 
+// Amazon Virtual Private Cloud (VPC) Endpoint
+private aws.vpc.endpoint @defaults("id") {
+  // Unique ID of the endpoint
+  id string
+  // type of the endpoint
+  type string
+  // VPC the endpoint exists in
+  vpc string
+  // The name of the endpoint service
+  serviceName string
+  // The policy document associated with the endpoint, if applicable.
+  policyDocument string
+  // the subnets for the (interface) endpoint
+  subnets []string
+}
+
 // Amazon Virtual Private Cloud (VPC) Flow Log
 private aws.vpc.flowlog @defaults("id region status") {
   // Unique ID of the flow log

providers/aws/resources/aws.lr.manifest.yaml

@@ -1421,6 +1421,8 @@ resources:
   aws.vpc:
     fields:
       arn: {}
+      endpoints:
+        min_mondoo_version: 9.0.0
       flowLogs: {}
       id: {}
       isDefault: {}
@@ -1433,6 +1435,19 @@ resources:
     platform:
       name:
       - aws
+  aws.vpc.endpoint:
+    fields:
+      id: {}
+      policyDocument: {}
+      serviceName: {}
+      subnets: {}
+      type: {}
+      vpc: {}
+    is_private: true
+    min_mondoo_version: 9.0.0
+    platform:
+      name:
+      - aws
   aws.vpc.flowlog:
     fields:
       id: {}

providers/aws/resources/aws_vpc.go

@@ -101,6 +101,50 @@ func (a *mqlAws) getVpcs(conn *connection.AwsConnection) []*jobpool.Job {
 	return tasks
 }
 
+func (a *mqlAwsVpc) endpoints() ([]interface{}, error) {
+	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
+	vpc := a.Id.Data
+
+	svc := conn.Ec2(a.Region.Data)
+	ctx := context.Background()
+	endpoints := []interface{}{}
+	filterKeyVal := "vpc-id"
+	nextToken := aws.String("no_token_to_start_with")
+	params := &ec2.DescribeVpcEndpointsInput{Filters: []vpctypes.Filter{{Name: &filterKeyVal, Values: []string{vpc}}}}
+	for nextToken != nil {
+		endpointsRes, err := svc.DescribeVpcEndpoints(ctx, params)
+		if err != nil {
+			return nil, err
+		}
+		nextToken = endpointsRes.NextToken
+		if endpointsRes.NextToken != nil {
+			params.NextToken = nextToken
+		}
+
+		for _, endpoint := range endpointsRes.VpcEndpoints {
+			var subnetIds []interface{}
+			for _, subnet := range endpoint.SubnetIds {
+				subnetIds = append(subnetIds, subnet)
+			}
+			mqlEndpoint, err := CreateResource(a.MqlRuntime, "aws.vpc.endpoint",
+				map[string]*llx.RawData{
+					"id":             llx.StringData(*endpoint.VpcEndpointId),
+					"type":           llx.StringData(string(endpoint.VpcEndpointType)),
+					"vpc":            llx.StringData(*endpoint.VpcId),
+					"serviceName":    llx.StringData(*endpoint.ServiceName),
+					"policyDocument": llx.StringData(*endpoint.PolicyDocument),
+					"subnets":        llx.ArrayData(subnetIds, types.String),
+				},
+			)
+			if err != nil {
+				return nil, err
+			}
+			endpoints = append(endpoints, mqlEndpoint)
+		}
+	}
+	return endpoints, nil
+}
+
 func (a *mqlAwsVpc) flowLogs() ([]interface{}, error) {
 	conn := a.MqlRuntime.Connection.(*connection.AwsConnection)
 	vpc := a.Id.Data