🧹 aws fixes; make aws ec2 instance-connect and aws ec2 ssm work

[vjeffrey]

DEBUG=1 go run apps/cnquery/cnquery.go shell aws ec2 instance-connect ec2-user@i-01cbf9d3b50b96946 --profile home --region us-east-1

DEBUG=1 go run apps/cnquery/cnquery.go shell aws ec2 ssm ec2-user@i-01cbf9d3b50b96946 --profile home --region us-east-1

i transferred the ebs stuff over but it's not all hooked up yet, that's coming in the next pr

[vjeffrey]

the ebs connection is hooked up in here and technically functional but in my testing the setup is being called too many times. i'll work on that today

[vjeffrey]

DEBUG=1 go run apps/cnquery/cnquery.go run aws ec2 instance-connect ec2-user@INSTANCEID --profile home --region us-east-1 -c 'asset.name'

DEBUG=1 go run apps/cnquery/cnquery.go run aws ec2 ssm ec2-user@INSTANCEID --profile home --region us-east-1 -c 'asset.name'

scp the built cnquery to a machine in ec2,
[root@ip-172-31-38-240 ec2-user]# DEBUG=1 ./cnquery shell aws ec2 ebs i-01cbf9d3b50b96946 --log-level debug

[czunker]

instance-connect is working, but the name is missing:

cnquery run aws ec2 instance-connect ec2-user@i-0ce9fbb81409b89a5 --region eu-central-1 -c 'asset{ name title ids platform }' --verbose
! CLI pre-processing encountered an issue error="unknown flag: --region"
DBG using provider aws with connector aws
DBG no need to update provider last-refresh=27.940711354s provider=aws
DBG running provider plugin path=/home/christian/.config/mondoo/providers/aws/aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
DBG running provider plugin path=/home/christian/.config/mondoo/providers/os/os
! your platform is not supported for hostname detection
DBG starting query execution qrid=TeZjrXq1BCc=
DBG finished query execution qrid=TeZjrXq1BCc=
DBG zUgch8DMejOrxRGPjbYldKd/Un7AzdxhRcUBhfakytdaBNEb+B4qS65wszSYcauK7tCOYM6rLbRCtClxW6q50w== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Web Services"
  platform: "aws"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/ssh/hostkey/SHA256-tMJYn/RJDDE/UEfribgU81UzO2ALX22cWdy2z0YrJKw"
  ]
  name: ""
}

Perhaps, because of:

! your platform is not supported for hostname detection

My EC2 instance is running an AL2023 image.

[vjeffrey]

hmm, that looks like the wrong platform info..

[czunker]

I get the same for ssm connect:

cnquery run aws ec2 ssm ec2-user@i-0ce9fbb81409b89a5 --profile AdministratorAccess-735798807192 --region eu-central-1 -c 'asset{ name title ids platform }' --verbose     ✔ │ 7s │ 16:36:29 
! CLI pre-processing encountered an issue error="unknown flag: --profile"
DBG using provider aws with connector aws
DBG no need to update provider last-refresh=30m29.384587524s provider=aws
DBG running provider plugin path=/home/christian/.config/mondoo/providers/aws/aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
DBG running provider plugin path=/home/christian/.config/mondoo/providers/os/os
! your platform is not supported for hostname detection
DBG starting query execution qrid=TeZjrXq1BCc=
DBG finished query execution qrid=TeZjrXq1BCc=
DBG zUgch8DMejOrxRGPjbYldKd/Un7AzdxhRcUBhfakytdaBNEb+B4qS65wszSYcauK7tCOYM6rLbRCtClxW6q50w== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Web Services"
  platform: "aws"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/ssh/hostkey/SHA256-tMJYn/RJDDE/UEfribgU81UzO2ALX22cWdy2z0YrJKw"
  ]
  name: ""
}

Something for a follow-up: #1812

[vjeffrey]

ah, i think im missing some logic in the detect, looking now

[vjeffrey]

asset: {
  version: "2023"
  platform: "amazonlinux"
  name: "ip-172-31-39-53.ec2.internal"
}

ill push up the change in a sec

[czunker]

Got EBS scanning working:

sudo ./cnquery run aws ec2 ebs i-0ce9fbb81409b89a5 --verbose --region eu-central-1 -c "asset{ name title ids }"
! can't find any paths for providers, none are configured system-path=/opt/mondoo/providers
! CLI pre-processing encountered an issue error="unknown flag: --verbose"
DBG using provider aws with connector aws
! using builtin provider for aws
→ no Mondoo configuration file provided, using defaults
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
DBG setup for target instance instance id=i-0ce9fbb81409b89a5
→ find volume id instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ found instance block devices device=/dev/xvda
→ find recent snapshot
→ found snapshot snapshot={"Account":"","Id":"snap-027d442676d1ecb08","Region":"eu-central-1"}
→ checking snapshot region scanner instance=eu-central-1 snapshot=eu-central-1
→ create volume
→ waiting for volume creation completion; sleeping 10 seconds state=creating
→ attach volume volume id=vol-01c86240855687d3a
DBG attached volume location=/dev/sdw
DBG target volume location=/dev/sdw
→ waiting for volume attachment completion state=in-use
DBG created tmp scan dir dir=/tmp/cnspec-scan246994269
DBG search for target volume
DBG get matching block entry name=/dev/sdw
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvda1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvda127"},{"fstype":"vfat","name":"xvda128","uuid":"BF44-0AE6"}] mountpoint= name=xvda
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdf1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdf127"},{"fstype":"vfat","name":"xvdf128","uuid":"BF44-0AE6"}] mountpoint= name=xvdf
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdr1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdr127"},{"fstype":"vfat","name":"xvdr128","uuid":"BF44-0AE6"}] mountpoint= name=xvdr
DBG found block device children=[{"fstype":"xfs","label":"/","name":"xvdw1","uuid":"425e98fd-a883-4fcd-b198-f7f1be92d02f"},{"name":"xvdw127"},{"fstype":"vfat","name":"xvdw128","uuid":"BF44-0AE6"}] mountpoint= name=xvdw
DBG found match
DBG found target volume device name=/dev/xvdw1
DBG mount volume to scan dir device=/dev/xvdw1 fstype=xfs opts=nouuid scandir=/tmp/cnspec-scan246994269
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
DBG resolved 1 assets
! using builtin provider for aws
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ skipping setup step
→ skipping mount step
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
! using builtin provider for aws
DBG new aws ebs connection
DBG target info={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"} type=instance
→ validate state instance={"AccountId":"","Id":"i-0ce9fbb81409b89a5","PlatformId":"","Region":"eu-central-1"}
→ skipping setup step
→ skipping mount step
DBG load filesystem path=/tmp/cnspec-scan246994269
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> cannot parse lsb config on this linux system error="open /tmp/cnspec-scan246994269/etc/lsb-release: no such file or directory"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["linux","unix","os"] platform=amazonlinux
DBG starting query execution qrid=yUp43Eqx7A0=
DBG finished query execution qrid=yUp43Eqx7A0=
DBG RxtxMUtWQdxr7ZJqN+Koz/D2xwlkNuB0UizzDadCyS0TgRkabiO360s5+XhGkqoxVlp0Y+XIq1CbElkcBhVYeA== finished
DBG graph has received all datapoints
asset: {
  title: "Amazon Linux 2023"
  ids: []
  name: "i-0ce9fbb81409b89a5"
}

ids is empty.

And the scan isn't cleaning up afterwards:

/dev/xvdr1 on /tmp/cnspec-scan2653270300 type xfs (rw,relatime,seclabel,nouuid,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=1024,noquota)
/dev/xvdw1 on /tmp/cnspec-scan246994269 type xfs (rw,relatime,seclabel,nouuid,attr2,inode64,logbufs=8,logbsize=32k,sunit=1024,swidth=1024,noquota)

I had the same problem with the GCP snapshot scanning. I had to call the cleanup explicitly in the Shutdown func.

[vjeffrey]

instance connect and ssm are now working well:

asset: {
  version: "2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-39-53.ec2.internal"
  ]
  name: "ip-172-31-39-53.ec2.internal"
}

[vjeffrey]

ebs scan is working, but the cleanup isn't working well yet

DBG load filesystem path=/tmp/cnspec-scan1529096487
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["debian","linux","unix","os"] platform=ubuntu
→ connected to Ubuntu 22.04.2 LTS
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> asset { platform ids version }
DBG starting query execution qrid=nqKXIz+kR5o=
DBG finished query execution qrid=nqKXIz+kR5o=
DBG EXyajUbhaeKlC5ESbsD0IQax8PdK0iWwkedbNXUYCO3F/jP4EUTvfmm0F5nFS9hAnHIV0l7PNMchq/QyeojLtQ== finished
DBG graph has received all datapoints
asset: {
  version: "22.04"
  platform: "ubuntu"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/aws/ec2/v1/accounts/367400545713/regions/us-east-1/instances/i-09739098c40b6df84"
  ]
}
cnquery> exit

ill work on the cleanup in a followup pr

[czunker]

instance-connect is working:

cnquery run aws ec2 instance-connect ec2-user@i-08db02ceb047ea7fb --profile AdministratorAccess-1234567890 --region eu-central-1 -c 'asset{ name title ids platform }'
! CLI pre-processing encountered an issue error="unknown flag: --profile"
! using builtin provider for aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ no AWS region found, using us-east-1
! using builtin provider for os
asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-21-20.eu-central-1.compute.internal"
  ]
  name: "ip-172-31-21-20.eu-central-1.compute.internal"
}

But I had problems with the profile. I created a follow-up for this: #1846

[czunker]

ssm connect is working:

cnquery run aws ec2 ssm ec2-user@i-055ab2729fd61ea8b --profile AdministratorAccess-1234567890 --region eu-central-1 -c 'asset{ name title ids platform }'
! CLI pre-processing encountered an issue error="unknown flag: --profile"
! using builtin provider for aws
→ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
→ no AWS region found, using us-east-1
! using builtin provider for os
asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/hostname/ip-172-31-31-57.eu-central-1.compute.internal"
  ]
  name: "ip-172-31-31-57.eu-central-1.compute.internal"
}

But also affected by #1846

[czunker]

ebs scan is working:

asset: {
  title: "Amazon Linux 2023"
  platform: "amazonlinux"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/aws/ec2/v1/accounts/735798807192/regions/eu-central-1/instances/i-0ce9fbb81409b89a5"
  ]
  name: "i-0ce9fbb81409b89a5"
}

[czunker]

ebs scan is working, but the cleanup isn't working well yet

DBG load filesystem path=/tmp/cnspec-scan1529096487
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG could not execute os release detection command error="provider does not implement RunCommand"
DBG platform> detected os family=["debian","linux","unix","os"] platform=ubuntu
→ connected to Ubuntu 22.04.2 LTS
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> asset { platform ids version }
DBG starting query execution qrid=nqKXIz+kR5o=
DBG finished query execution qrid=nqKXIz+kR5o=
DBG EXyajUbhaeKlC5ESbsD0IQax8PdK0iWwkedbNXUYCO3F/jP4EUTvfmm0F5nFS9hAnHIV0l7PNMchq/QyeojLtQ== finished
DBG graph has received all datapoints
asset: {
  version: "22.04"
  platform: "ubuntu"
  ids: [
    0: "//platformid.api.mondoo.app/runtime/aws/ec2/v1/accounts/367400545713/regions/us-east-1/instances/i-09739098c40b6df84"
  ]
}
cnquery> exit

ill work on the cleanup in a followup pr

I added an issue for that, so we can track it: #1847

[czunker]

nit: This can be removed.

[czunker]

Should we throw an error when there is something unexpected in args[1]?

[czunker]

Ok, just gave it a try:

FTL failed to run query error="cannot connect to asset, no connection info provided"

LGTM.