Merge pull request #86 from lacework-dev/via-scripts-update

Bug fixes, error handling, improved output and a readme.

Author: Bjorn Boe

bash/README.md

@@ -0,0 +1,166 @@
+# Handy BASH scrips for working with Lacework
+
+## lw_aws_inventory.sh
+Script for estimating license vCPUs in an AWS environment. It leverages the AWS CLI and leverages by default the default profile that’s either configured using environment variables or configuration files in the ~/.aws folder. The script provides output in a CSV format to be imported into a spreadsheet, as well as an easy-to-read summary.
+
+Note the following about the script:
+* It requires AWS CLI v2 to run
+* It does not work on Windows
+* It has only been verified to work on Mac and Linux based systems
+* It works great in a cloud shell
+
+The output from running the script can look as follows:
+```
+./lw_aws_inventory.sh -p admin-account -o -r us-east-1
+Profile, Account ID, Regions, EC2 Instances, EC2 vCPUs, ECS Fargate Clusters, ECS Fargate Running Containers/Tasks, ECS Fargate CPU Units, ECS Fargate License vCPUs, Lambda Functions, MB Lambda Memory, Lambda License vCPUs, Total vCPUSs
+sandbox-1, 123456789012, us-east-1, 2, 2, 0, 0, 0, 0, 0, 0, 0, 2
+sandbox-2, 234567890123, us-east-1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+logging, 345678901234, us-east-1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+######################################################################
+Lacework inventory collection complete.
+
+Organizations Analyzed: 1
+Accounts Analyzed:      3
+
+EC2 Information
+====================
+EC2 Instances:     2
+EC2 vCPUs:         2
+
+Fargate Information
+====================
+ECS Clusters:                    0
+ECS Fargate Running Tasks:       0
+ECS Fargate Container CPU Units: 0
+ECS Fargate vCPUs:               0
+
+Lambda Information
+====================
+Lambda Functions:     0
+MB Lambda Memory:     0
+Lambda License vCPUs: 0
+
+License Summary
+====================
+  EC2 vCPUs:            2
++ ECS Fargate vCPUs:    0
++ Lambda License vCPUs: 0
+----------------------------
+= Total vCPUs:          2
+```
+The following options can be used to modify how the script is run:
+### Specify one or more account profiles to scan using -p parameter
+```
+./lw_aws_inventory.sh -p default,lw-customerdemo
+```
+### Specify what regions to scan, to speed up scanning or avoid restricted regions
+```
+./lw_aws_inventory.sh -r us-east-1,us-east-2
+```
+### Scan all accounts in an AWS Organization
+```
+./lw_aws_inventory.sh -o
+```
+This will leverage the OrganizationAccountAccessRole to scan all accounts in an organization.
+
+## lw_gcp_inventory.sh
+Script for estimating license vCPUs in a GCP environment, based on folder, project or organization level. 
+
+Note the following about the script:
+* It does not work on Windows
+* It has only been verified to work on Mac and Linux based systems
+* It works great in a cloud shell
+
+```
+$ ./lw_gcp_inventory.sh -help
+Usage: ./lw_gcp_inventory.sh [-f folder] [-o organization] [-p project]
+Any single scope can have multiple values comma delimited, but multiple scopes cannot be defined.
+```
+
+By default, the script will scan any project that the user has access to:
+```
+$ ./lw_gcp_inventory.sh
+"Project", "VM Count", "vCPUs"
+"projects/project-one", 2, 8
+"projects/project-two", 3, 12
+##########################################
+Lacework inventory collection complete.
+
+License Summary:
+================================================
+Number of VMs, including standard GKE: 5
+vCPUs:                                 20
+```
+
+The scope of the scan can be further refined using the -f, -o or -p parameters:
+```
+$ ./lw_gcp_inventory.sh -p project-one,project-two
+"Project", "VM Count", "vCPUs"
+"projects/project-one", 2, 8
+"projects/project-two", 3, 12
+##########################################
+Lacework inventory collection complete.
+
+License Summary:
+================================================
+Number of VMs, including standard GKE: 5
+vCPUs:                                 20
+```
+
+## lw_azure_inventory.sh
+Script for estimating license vCPUs in an Azure environment, based on folder, project or organization level. 
+
+Note the following about the script:
+* It does not work on Windows
+* It has only been verified to work on Mac and Linux based systems
+* It works great in a cloud shell
+
+```
+./lw_azure_inventory.sh -help
+Usage: ./lw_azure_inventory.sh [-m management_group] [-s subscription]
+Any single scope can have multiple values comma delimited, but multiple scopes cannot be defined.
+```
+
+By default, the script will scan any subscriptions the user has configured access to:
+```
+$ ./lw_azure_inventory.sh -m b448f327-c977-4cb8-9c27-09cfaa781bb9
+resource-graph extension already present...
+Building Azure VM SKU to vCPU map...
+Map built successfully.
+Load subscriptions
+Load VMs
+Load VMSS
+"Subscription ID", "Subscription Name", "VM Instances", "VM vCPUs", "VM Scale Sets", "VM Scale Set Instances", "VM Scale Set vCPUs", "Total Subscription vCPUs"
+"1215ba55...", "Subscription Number One", 2, 4, 0, 0, 0, 4
+"72165fcf...", "Subscription Number Two", 1, 2, 0, 0, 0, 2
+##########################################
+Lacework inventory collection complete.
+
+VM Summary:
+===============================
+VM Instances:     3
+VM vCPUS:         6
+
+VM Scale Set Summary:
+===============================
+VM Scale Sets:          0
+VM Scale Set Instances: 0
+VM Scale Set vCPUs:     0
+
+License Summary
+===============================
+  VM vCPUS:             6
++ VM Scale Set vCPUs:   0
+-------------------------------
+Total vCPUs:            6
+```
+
+The scope can further be refined by specifying management groups or subscriptions.
+### Specify subscriptions to scan
+```
+$ ./lw_azure_inventory.sh -s 1215ba55,72165fcf
+```
+### Specify management group to scan
+```
+$ ./lw_azure_inventory.sh -m mymanagementgroup,myothermanagementgroup
+```

bash/lw_aws_inventory.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 # Script to fetch AWS inventory for Lacework sizing.
-# Requirements: awscli, jq
+# Requirements: awscli v2, jq
 
 # You can specify a profile with the -p flag and to scan an AWS organization using the -o flag
 # Note:
@@ -46,6 +46,15 @@ while getopts ":p:or:" opt; do
 done
 shift $((OPTIND -1))
 
+#Check AWS CLI pre-requisites
+AWS_CLI_VERSION=$(aws --version 2>&1 | cut -d " " -f1 | cut -d "/" -f2)
+if [[ $AWS_CLI_VERSION = 1* ]]
+then
+  echo The script requires AWS CLI v2 to run. The current version installed is version $AWS_CLI_VERSION.
+  echo See https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html for instructions on how to upgrade.
+  exit
+fi
+
 # Set the initial counts to zero.
 ACCOUNTS=0
 ORGANIZATIONS=0
@@ -87,10 +96,12 @@ function getECSFargateRunningTasks {
   RUNNING_FARGATE_TASKS=0
   for c in $ecsfargateclusters; do
     allclustertasks=$(aws $profile_string ecs list-tasks --region $r --output json --cluster $c --no-cli-pager | jq -r '.taskArns | join(" ")')
-    if [ -n "${allclustertasks}" ]; then
-      fargaterunningtasks=$(aws $profile_string ecs describe-tasks --region $r --output json --tasks $allclustertasks --cluster $c --no-cli-pager | jq '[.tasks[] | select(.launchType=="FARGATE") | select(.lastStatus=="RUNNING")] | length')
-      RUNNING_FARGATE_TASKS=$(($RUNNING_FARGATE_TASKS + $fargaterunningtasks))
-    fi
+    while read -r batch; do
+      if [ -n "${batch}" ]; then
+        fargaterunningtasks=$(aws $profile_string ecs describe-tasks --region $r --output json --tasks $batch --cluster $c --no-cli-pager | jq '[.tasks[] | select(.launchType=="FARGATE") | select(.lastStatus=="RUNNING")] | length')
+        RUNNING_FARGATE_TASKS=$(($RUNNING_FARGATE_TASKS + $fargaterunningtasks))
+      fi
+    done < <(echo $allclustertasks | xargs -n 90)
   done
 
   echo "${RUNNING_FARGATE_TASKS}"
@@ -100,13 +111,15 @@ function getECSFargateRunningCPUs {
   RUNNING_FARGATE_CPUS=0
   for c in $ecsfargateclusters; do
     allclustertasks=$(aws $profile_string ecs list-tasks --region $r --output json --cluster $c --no-cli-pager | jq -r '.taskArns | join(" ")')
-    if [ -n "${allclustertasks}" ]; then
-      cpucounts=$(aws $profile_string ecs describe-tasks --region $r --output json --tasks $allclustertasks --cluster $c --no-cli-pager | jq '[.tasks[] | select(.launchType=="FARGATE") | select(.lastStatus=="RUNNING")] | .[].cpu | tonumber')
-
-      for cpucount in $cpucounts; do
-        RUNNING_FARGATE_CPUS=$(($RUNNING_FARGATE_CPUS + $cpucount))
-      done
-    fi
+    while read -r batch; do
+      if [ -n "${batch}" ]; then
+        cpucounts=$(aws $profile_string ecs describe-tasks --region $r --output json --tasks $batch --cluster $c --no-cli-pager | jq '[.tasks[] | select(.launchType=="FARGATE") | select(.lastStatus=="RUNNING")] | .[].cpu | tonumber')
+
+        for cpucount in $cpucounts; do
+          RUNNING_FARGATE_CPUS=$(($RUNNING_FARGATE_CPUS + $cpucount))
+        done
+      fi
+    done < <(echo $allclustertasks | xargs -n 90)
   done
 
   echo "${RUNNING_FARGATE_CPUS}"
@@ -230,7 +243,7 @@ function doAnalyzeOrganization {
     for account in $(echo $accounts | jq -r '.Id')
     do
         ACCOUNTS=$(($ACCOUNTS + 1))
-        local account_name=$(echo $accounts | jq -c | grep $account | jq -r '.Name')
+        local account_name=$(echo $accounts | jq -r --arg account "$account" 'select(.Id==$account) | .Name')
         local account_credentials=$(aws $org_profile_string sts assume-role --role-session-name LW-INVENTORY --role-arn arn:aws:iam::$account:role/OrganizationAccountAccessRole)
 
         export AWS_ACCESS_KEY_ID=$(echo $account_credentials | jq -r '.Credentials.AccessKeyId')

bash/lw_azure_inventory.sh

@@ -17,11 +17,11 @@ while getopts ":m:s:" opt; do
       MANAGEMENT_GROUP=$OPTARG
       ;;
     \? )
-      echo "Usage: ./lw_azure_inventory.sh [-m management_group] [-s subscription] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined." 1>&2
+      printf "Usage: ./lw_azure_inventory.sh [-m management_group] [-s subscription] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined.\n" 1>&2
       exit 1
       ;;
     : )
-      echo "Usage: ./lw_azure_inventory.sh [-m management_group] [-s subscription] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined." 1>&2
+      printf "Usage: ./lw_azure_inventory.sh [-m management_group] [-s subscription] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined.\n" 1>&2
       exit 1
       ;;
   esac

bash/lw_gcp_inventory.sh

@@ -20,11 +20,11 @@ while getopts ":f:o:p:" opt; do
       PROJECTS=$OPTARG
       ;;
     \? )
-      echo "Usage: ./lw_gcp_inventory.sh [-f folder] [-o organization] [-p project] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined." 1>&2
+      printf "Usage: ./lw_gcp_inventory.sh [-f folder] [-o organization] [-p project] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined.\n" 1>&2
       exit 1
       ;;
     : )
-      echo "Usage: ./lw_gcp_inventory.sh [-f folder] [-o organization] [-p project] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined." 1>&2
+      printf "Usage: ./lw_gcp_inventory.sh [-f folder] [-o organization] [-p project] \nAny single scope can have multiple values comma delimited, but multiple scopes cannot be defined.\n" 1>&2
       exit 1
       ;;
   esac