guardian / bucket-blocker

MIT License

Refine exclusions. Cloudformed buckets should not be operated on. #4

Closed NovemberTang closed 2 weeks ago

NovemberTang commented 3 weeks ago

What does this change?

Introduces a new function called Complement. It calculates the complement of two lists, as demonstrated by the unit tests. It replaces RemoveIndexFromSlice, which contained a bug highlighted by @tjsilver caused by subsequent elements in a slice all moving up one after the preceding element was removed.

Previously, we were excluding buckets if they contained a gu:cdk:version tag. This allowed us to skip buckets provisioned using guardian/cdk. A limitation of this was that we were unable to find buckets provisioned using Infrastructure as Code via other methods, such as JSON or YAML templates. listBucketsInStacks is now able to identify buckets that exist in stacks, which the tool will avoid, so as not to introduce stack drift. A potential issue here is how many results are returned per page, or if pagination happens at all (I suspect this will end up being a non-issue that the Go SDK handles for us). So far, it has not been an issue, as the number of stacks returned by the function matches the number returned by cloudquery, and we are extremely unlikely to return a number so large that pagination is required. Nonetheless, I've added a note to the ticket to explore this.

How to test

Run following the instructions in the README

How can we measure success?

We do not introduce unnecessary stack drift while addressing important security issues

Have we considered potential risks?

Here we are balancing the desire not to interfere with existing IaC, with the desire to keep our bucket config secure. One risk is that we are slower to hit our KRs, leaving things slightly more insecure, as we are deliberately choosing to skip particular buckets. Typically, however, we only end up skipping one or two buckets per account, so I don't think this represents a particularly large risk, or a huge amount of additional work for teams.

Images

[Image: Diagram showing the concept of a complement. Diagram from mathonline.wikidot.com]
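Added example, not code from the bucket-blocker repository: a Go sketch of the index-shift defect the PR describes (removing elements from a slice while walking it by index) beside a set-based Complement that avoids it, run over constructed bucket names. The function names and sample values are assumptions.

```go
package main

import "fmt"

// removeIndexFromSlice deletes element i in place. The defect is not in this
// helper itself but in calling it while iterating the same slice by index.
func removeIndexFromSlice(s []string, i int) []string {
	return append(s[:i], s[i+1:]...)
}

// excludeByIndexShift reproduces the bug: after removing element i, the element
// that shifts into position i is never inspected because the loop moves to i+1.
func excludeByIndexShift(buckets []string, skip map[string]bool) []string {
	out := append([]string(nil), buckets...) // copy so the input is untouched
	for i := 0; i < len(out); i++ {
		if skip[out[i]] {
			out = removeIndexFromSlice(out, i)
		}
	}
	return out
}

// Complement returns every element of all that is not in exclude, preserving
// the order of all. Membership is checked via a set, so no index arithmetic.
func Complement(all, exclude []string) []string {
	excluded := make(map[string]struct{}, len(exclude))
	for _, e := range exclude {
		excluded[e] = struct{}{}
	}
	result := make([]string, 0, len(all))
	for _, a := range all {
		if _, found := excluded[a]; !found {
			result = append(result, a)
		}
	}
	return result
}

func main() {
	// Constructed sample: two adjacent stack-managed buckets trigger the bug.
	all := []string{"logs", "cdk-assets", "cfn-artifacts", "uploads"}
	inStacks := []string{"cdk-assets", "cfn-artifacts"}
	skip := map[string]bool{"cdk-assets": true, "cfn-artifacts": true}
	fmt.Println(excludeByIndexShift(all, skip)) // [logs cfn-artifacts uploads]: a stack bucket slipped through
	fmt.Println(Complement(all, inStacks))      // [logs uploads]
}
```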