🐛 fix fetching of service accounts on gke cluster nodepool config #5149

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion providers/gcp/resources/gke.go
@@ -589,7 +589,7 @@ func (g *mqlGcpProjectGkeServiceClusterNodepoolConfig) serviceAccount() (*mqlGcp
}
email := g.ServiceAccountEmail.Data

res, err := CreateResource(g.MqlRuntime, "gcp.project.iamService.serviceAccount", map[string]*llx.RawData{
res, err := NewResource(g.MqlRuntime, "gcp.project.iamService.serviceAccount", map[string]*llx.RawData{
"projectId": llx.StringData(projectId),
"email": llx.StringData(email),
})
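Review bot: the swap from CreateResource to NewResource on the `res, err := ...` line is not explained anywhere on this page, and the hunk passes exactly the same resource name and arguments, so a reader cannot tell what behaviour the change is meant to alter; add a sentence to the commit message stating why NewResource is required here (for example, if CreateResource returned a previously cached entry for this projectId/email pair and NewResource builds a fresh one). Note also that `err` is still returned unchanged, so whether this call now succeeds for an unknown email depends entirely on what initGcpProjectIamServiceServiceAccount returns in the not-found case.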
18 changes: 17 additions & 1 deletion providers/gcp/resources/iam.go
@@ -8,6 +8,7 @@ import (
"errors"
"fmt"

"github.com/rs/zerolog/log"
"go.mondoo.com/cnquery/v11/llx"
"go.mondoo.com/cnquery/v11/providers-sdk/v1/plugin"
"go.mondoo.com/cnquery/v11/providers/gcp/connection"
@@ -74,7 +75,15 @@ func initGcpProjectIamServiceServiceAccount(runtime *plugin.Runtime, args map[st
return args, sa, nil
}
}
return nil, nil, errors.New("service account not found")

args["name"] = llx.NilData
Member (review comment on the line above):
Why is this change needed? I think the error should be there... If we reach this point in the code, then we tried to find something that doesn't exist. Setting everything to nil will act as if there is an actual service account with all nil fields.

Contributor Author:
Hmm, ya, you're right, let me see if there's another way to do this. Basically you can have references to external service accounts, which means they won't be found, and that's ok, but we still need to be able to reference it.

Contributor Author:
So I've tried playing around with this, but if we return the error then we block loading the rest of the information, but it's expected to have references to external service accounts.

```
go run apps/cnquery/cnquery.go shell gcp project (prod-account) --discover gke-clusters
```

With the error returned, we block the rest of the output:

```
cnquery> gcloud.project.gke.clusters { nodePools { config {*} }}
1 error occurred:
	* 1 error occurred:
	* 1 error occurred:
	* service account not found
gcloud.project.gke.clusters: [
  0: {
    nodePools: 1 error occurred:
	* 1 error occurred:
	* service account not found
```

vs.

```
cnquery> gcloud.project.gke.clusters { nodePools { config {*} }}
gcloud.project.gke.clusters: [
  0: {
    nodePools: [
      0: {
        config: {
          gcfsConfig: null
          machineType: "e2-standard-4"
          diskSizeGb: 50
          sandboxConfig: null
          ....
```

args["uniqueId"] = llx.NilData
args["displayName"] = llx.NilData
args["description"] = llx.NilData
args["oauth2ClientId"] = llx.NilData
args["disabled"] = llx.NilData
log.Error().Interface("email", args["email"].Value).Err(errors.New("service account not found")).Send()
return args, nil, nil
}

func (g *mqlGcpProjectIamService) serviceAccounts() ([]interface{}, error) {
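Review bot: `log.Error()` at the end of the not-found branch emits an error-level line for a condition the thread above describes as expected (node pools referencing service accounts from other projects), so it will fire once per such node pool on every scan; downgrade it to Warn or Debug and make the message say what is happening, e.g. `log.Warn().Interface("email", args["email"].Value).Msg("service account not found in project, recording unresolved reference")`. Two further points on the same branch: `args["email"].Value` reads the map entry without checking it is present, so a caller that omits "email" will nil-dereference here instead of getting an error, and since every other field is set to llx.NilData, a policy that asserts on `disabled` or `oauth2ClientId` for a node pool's service account will now evaluate against null instead of failing, which silently changes the result of such checks and should be called out in the field documentation and the commit message.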
@@ -137,6 +146,13 @@ func (g *mqlGcpProjectIamServiceServiceAccount) keys() ([]interface{}, error) {
}
email := g.Email.Data

// if the unique id is null, we were not able to find a record of this service account
// so skip the keys discovery
if g.UniqueId.IsNull() {
g.Keys.State = plugin.StateIsNull | plugin.StateIsSet
return nil, nil
}

conn := g.MqlRuntime.Connection.(*connection.GcpConnection)

creds, err := conn.Credentials(admin.DefaultAuthScopes()...)
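Review bot: the early return sets `keys` to null rather than an empty list for an unresolved account, but nothing tells a policy author about the difference; document in the serviceAccount resource's field description that `keys` is null when the account is an unresolved (external) reference and a list, possibly empty, otherwise, since a check such as `keys.length == 0` behaves differently on null than on an empty list. Also, because the branch keys off `g.UniqueId.IsNull()` alone, a failure to resolve `uniqueId` for a real account would be treated the same as an external reference; if the field value carries a resolution error, check it before `IsNull()` so those two cases stay distinct.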
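The distinction the review thread lands on (an email that resolves to an account in the scanned project, versus a reference to an account that lives in another project and is expected not to be found) can be made from the email itself before deciding whether "not found" is an error. The block below is an added example written for this page, not code from cnquery or from this PR; the `ServiceAccount` type, the `saProject` and `resolve` functions, the in-memory `listing` and the project ID/number values are all assumptions constructed for illustration. It treats an account owned by the scanned project that is missing from the listing as a hard error (a node pool pointing at a deleted account cannot obtain tokens), and anything owned elsewhere as an unresolved external reference carrying only the email and the owning project parsed from it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServiceAccount is a minimal stand-in (an assumption for this example) for
// the fields the PR discussion cares about: a resolved account carries
// UniqueID, an unresolved external reference carries only Email, ProjectID
// and External.
type ServiceAccount struct {
	Email     string
	ProjectID string // owning project parsed from the email (ID or number)
	UniqueID  string // empty when the account was not resolved
	External  bool   // true when the email belongs to another project
}

// ErrNotFound is returned only for accounts that should have been in the
// scanned project's listing but were not.
var ErrNotFound = errors.New("service account not found")

// saProject returns the project an SA email belongs to, using the two email
// shapes GCP uses:
//   NAME@PROJECT_ID.iam.gserviceaccount.com              (user-managed; Google
//   service agents use the same shape under Google-owned projects)
//   PROJECT_NUMBER-compute@developer.gserviceaccount.com (default compute SA)
// Any other domain yields "" (unknown owner); a malformed email is an error.
func saProject(email string) (string, error) {
	at := strings.LastIndex(email, "@")
	if at <= 0 || at == len(email)-1 {
		return "", fmt.Errorf("malformed service account email %q", email)
	}
	local, domain := email[:at], email[at+1:]
	const userManaged = ".iam.gserviceaccount.com"
	switch {
	case strings.HasSuffix(domain, userManaged):
		return strings.TrimSuffix(domain, userManaged), nil
	case domain == "developer.gserviceaccount.com" && strings.HasSuffix(local, "-compute"):
		return strings.TrimSuffix(local, "-compute"), nil
	default:
		return "", nil
	}
}

// resolve looks email up in listing (email -> uniqueId, standing in for the
// IAM API's per-project listing). In-project accounts must be present;
// anything owned elsewhere comes back as an External placeholder with a nil
// error so the caller can keep loading the rest of the node pool config.
func resolve(scanProjectID, scanProjectNumber string, listing map[string]string, email string) (*ServiceAccount, error) {
	if uid, ok := listing[email]; ok {
		return &ServiceAccount{Email: email, ProjectID: scanProjectID, UniqueID: uid}, nil
	}
	owner, err := saProject(email)
	if err != nil {
		return nil, err
	}
	if owner == scanProjectID || owner == scanProjectNumber {
		// Same project, not listed: the account was deleted or the listing is
		// incomplete. Either way the node pool cannot get tokens for it, so
		// this stays a hard error rather than a silent all-null record.
		return nil, fmt.Errorf("%w: %s is owned by %s but is not listed", ErrNotFound, email, scanProjectID)
	}
	return &ServiceAccount{Email: email, ProjectID: owner, External: true}, nil
}

func main() {
	// Constructed listing for the scanned project "scan-proj" (number 123456).
	listing := map[string]string{
		"gke-nodes@scan-proj.iam.gserviceaccount.com": "100000000000000000001",
	}
	for _, email := range []string{
		"gke-nodes@scan-proj.iam.gserviceaccount.com",     // resolved
		"shared-nodes@other-proj.iam.gserviceaccount.com", // external reference
		"999999-compute@developer.gserviceaccount.com",    // another project's default SA
		"deleted@scan-proj.iam.gserviceaccount.com",       // in-project but gone
	} {
		sa, err := resolve("scan-proj", "123456", listing, email)
		if err != nil {
			fmt.Printf("%-50s error: %v\n", email, err)
			continue
		}
		fmt.Printf("%-50s project=%s external=%t uniqueId=%q\n", email, sa.ProjectID, sa.External, sa.UniqueID)
	}
}
```

A provider built this way can still populate the node pool config for cross-project accounts, while a reference to a deleted in-project account surfaces as a real finding instead of a record whose every field is null.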