From e52824dc4fb226c822ee2174a7dec8fed7add30c Mon Sep 17 00:00:00 2001
From: Kostas Stamatakis
Date: Thu, 30 Jan 2025 13:04:22 +0200
Subject: [PATCH] add cloud connectors config

---
 internal/config/config.go      |  34 ++++++++-
 internal/config/config_test.go | 124 ++++++++++++++++++++++++++++++---
 2 files changed, 146 insertions(+), 12 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index 7eebf6d622..bddddec5c9 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -67,9 +67,10 @@ type CloudConfig struct {
 }
 
 type AwsConfig struct {
-	Cred            aws.ConfigAWS `config:"credentials"`
-	AccountType     string        `config:"account_type"`
-	CloudConnectors bool          `config:"supports_cloud_connectors"`
+	Cred                  aws.ConfigAWS `config:"credentials"`
+	AccountType           string        `config:"account_type"`
+	CloudConnectors       bool          `config:"supports_cloud_connectors"`
+	CloudConnectorsConfig CloudConnectorsConfig
 }
 
 type GcpConfig struct {
@@ -170,6 +171,10 @@ func New(cfg *config.C) (*Config, error) {
 		))
 	}
 
+	if c.CloudConfig.Aws.CloudConnectors {
+		c.CloudConfig.Aws.CloudConnectorsConfig = newCloudConnectorsConfig()
+	}
+
 	return c, nil
 }
 
@@ -204,3 +209,26 @@ func isSupportedBenchmark(benchmark string) bool {
 	}
 	return false
 }
+
+// Cloud Connectors roles and resource id must be provided by the system (controller)
+// and not user input (package policy) for security reasons.
+
+const (
+	CloudConnectorsLocalRoleEnvVar  = "CLOUD_CONNECTORS_LOCAL_ROLE"
+	CloudConnectorsGlobalRoleEnvVar = "CLOUD_CONNECTORS_GLOBAL_ROLE"
+	ResourceIDEnvVar                = "RESOURCE_ID"
+)
+
+type CloudConnectorsConfig struct {
+	LocalRoleARN  string
+	GlobalRoleARN string
+	ResourceID    string
+}
+
+func newCloudConnectorsConfig() CloudConnectorsConfig {
+	return CloudConnectorsConfig{
+		LocalRoleARN:  os.Getenv(CloudConnectorsLocalRoleEnvVar),
+		GlobalRoleARN: os.Getenv(CloudConnectorsGlobalRoleEnvVar),
+		ResourceID:    os.Getenv(ResourceIDEnvVar),
+	}
+}
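Review bot: The new `CloudConnectorsConfig CloudConnectorsConfig` field in AwsConfig has no `config` tag, so whether a package policy can populate it depends on how the unpacker treats untagged exported fields, and the only thing standing in the way is the overwrite in New (second hunk), which runs only when `supports_cloud_connectors` is true; with the flag off, any ARNs a policy supplies would stay in the struct. Since the comment in the third hunk states these values must never come from user input, exclude the field from unpacking explicitly rather than relying on the overwrite, e.g. a `config:"-"` tag or the `ignore` tag option if the config library honours one of them, or otherwise unexport the field and expose it through a method. Either way, document the contract on the field, e.g. `// CloudConnectorsConfig is populated from the environment by New, never from the policy.`. The same concern applies to the `if c.CloudConfig.Aws.CloudConnectors` block in the second hunk.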
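Review bot: After `c.CloudConfig.Aws.CloudConnectorsConfig = newCloudConnectorsConfig()` nothing checks that the three variables were actually set, so an enabled feature with a missing controller environment yields empty ARNs and New still returns nil; the first case in the new test even pins that empty result as a passing outcome. Reporting the missing variables here, where the operator can see which one is absent, seems preferable to a later failure wherever the role ARNs are consumed; the test case would then need to set the variables or expect an error. The sketch below uses `fmt.Errorf` and assumes `fmt` is already imported in config.go, which the diff does not show. New's body starts and ends outside this hunk.
```go
	if c.CloudConfig.Aws.CloudConnectors {
		c.CloudConfig.Aws.CloudConnectorsConfig = newCloudConnectorsConfig()
		// Once the feature is on the controller must have provisioned all three
		// values; an empty one is a deployment fault, so surface it at load time.
		var missing []string
		for _, v := range []struct{ name, value string }{
			{CloudConnectorsLocalRoleEnvVar, c.CloudConfig.Aws.CloudConnectorsConfig.LocalRoleARN},
			{CloudConnectorsGlobalRoleEnvVar, c.CloudConfig.Aws.CloudConnectorsConfig.GlobalRoleARN},
			{ResourceIDEnvVar, c.CloudConfig.Aws.CloudConnectorsConfig.ResourceID},
		} {
			if v.value == "" {
				missing = append(missing, v.name)
			}
		}
		if len(missing) > 0 {
			return nil, fmt.Errorf("cloud connectors enabled but environment variables not set: %v", missing)
		}
	}
	// … unchanged: return c, nil …
```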
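Review bot: The two-line comment explaining why the roles and resource id come from the controller is followed by a blank line before `const (`, so it is attached to no declaration and is invisible to godoc and to anyone reading the type in isolation. Attach it directly to the const block and give the exported type its own doc comment, e.g. `// CloudConnectorsConfig holds the role ARNs and resource id that New reads from the controller-provided environment; they are intentionally not unpacked from the policy.`. A one-line comment on `newCloudConnectorsConfig` stating that it returns empty strings for unset variables would also make the caller's responsibility to validate explicit.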
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index b72accba9e..f6333efed0 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -47,25 +47,25 @@ func (s *ConfigTestSuite) TestNew() {
 		expectedCloudConfig CloudConfig
 	}{
 		{
-			`
+			config: `
 config:
   v1:
     benchmark: cis_k8s
 `,
-			"cis_k8s",
-			CloudConfig{},
+			expectedType:        "cis_k8s",
+			expectedCloudConfig: CloudConfig{},
 		},
 		{
-			`
+			config: `
 config:
   v1:
     benchmark: cis_azure
 `,
-			"cis_azure",
-			CloudConfig{},
+			expectedType:        "cis_azure",
+			expectedCloudConfig: CloudConfig{},
 		},
 		{
-			`
+			config: `
 config:
   v1:
     benchmark: cis_eks
@@ -79,8 +79,8 @@ config:
       credential_profile_name: credential_profile_name
       role_arn: role_arn
 `,
-			"cis_eks",
-			CloudConfig{
+			expectedType: "cis_eks",
+			expectedCloudConfig: CloudConfig{
 				Aws: AwsConfig{
 					Cred: aws.ConfigAWS{
 						AccessKeyID: "key",
@@ -229,3 +229,109 @@ revision: 1`,
 		})
 	}
 }
+
+func (s *ConfigTestSuite) TestCloudConnectorsConfig() {
+	tests := map[string]struct {
+		config              string
+		overwriteEnv        func(t *testing.T)
+		expectedType        string
+		expectedCloudConfig CloudConfig
+	}{
+		"happy path cloud connectors enabled": {
+			config: `
+config:
+  v1:
+    benchmark: cis_aws
+    aws:
+      supports_cloud_connectors: true
+      credentials:
+        external_id: abc123
+`,
+			expectedType: "cis_aws",
+			expectedCloudConfig: CloudConfig{
+				Aws: AwsConfig{
+					CloudConnectors: true,
+					Cred: aws.ConfigAWS{
+						ExternalID: "abc123",
+					},
+					CloudConnectorsConfig: CloudConnectorsConfig{},
+				},
+			},
+		},
+		"happy path cloud connectors enabled - attempt overwrite roles": {
+			config: `
+config:
+  v1:
+    benchmark: cis_aws
+    aws:
+      account_type: single-account
+      supports_cloud_connectors: true
+      credentials:
+        external_id: abc123
+      CloudConnectorsConfig:
+        LocalRoleARN: "abc123"
+        LocalRoleARN: "abc123"
+`,
+			expectedType: "cis_aws",
+			expectedCloudConfig: CloudConfig{
+				Aws: AwsConfig{
+					AccountType:     SingleAccount,
+					CloudConnectors: true,
+					Cred: aws.ConfigAWS{
+						ExternalID: "abc123",
+					},
+					CloudConnectorsConfig: CloudConnectorsConfig{},
+				},
+			},
+		},
+		"happy path cloud connectors enabled - env vars set": {
+			config: `
+config:
+  v1:
+    benchmark: cis_aws
+    aws:
+      account_type: single-account
+      supports_cloud_connectors: true
+      credentials:
+        external_id: abc123
+`,
+			overwriteEnv: func(t *testing.T) {
+				t.Helper()
+				t.Setenv(CloudConnectorsLocalRoleEnvVar, "abc123")
+				t.Setenv(CloudConnectorsGlobalRoleEnvVar, "abc456")
+				t.Setenv(ResourceIDEnvVar, "abc789")
+			},
+			expectedType: "cis_aws",
+			expectedCloudConfig: CloudConfig{
+				Aws: AwsConfig{
+					AccountType:     SingleAccount,
+					CloudConnectors: true,
+					Cred: aws.ConfigAWS{
+						ExternalID: "abc123",
+					},
+					CloudConnectorsConfig: CloudConnectorsConfig{
+						LocalRoleARN:  "abc123",
+						GlobalRoleARN: "abc456",
+						ResourceID:    "abc789",
+					},
+				},
+			},
+		},
+	}
+
+	for i, test := range tests {
+		s.Run(fmt.Sprint(i), func() {
+			if test.overwriteEnv != nil {
+				test.overwriteEnv(s.T())
+			}
+			cfg, err := config.NewConfigFrom(test.config)
+			s.Require().NoError(err)
+
+			c, err := New(cfg)
+			s.Require().NoError(err)
+
+			s.Equal(test.expectedType, c.Benchmark)
+			s.Equal(test.expectedCloudConfig, c.CloudConfig)
+		})
+	}
+}
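Review bot: The "attempt overwrite roles" case lists `LocalRoleARN: "abc123"` twice and never sets `GlobalRoleARN`, which looks like a typo and, depending on the YAML parser, may be rejected as a duplicate key instead of exercising the overwrite; and because `supports_cloud_connectors: true` makes New replace the struct regardless, the case cannot tell whether the policy value was ever unpacked. Add a sibling case with `supports_cloud_connectors: false` and the same keys, expecting an empty CloudConnectorsConfig, so the test actually proves the field is not user-settable. The two cases that expect empty ARNs rely on the three variables being absent from the process environment; pinning them with `t.Setenv(CloudConnectorsLocalRoleEnvVar, "")` (and the other two) keeps them stable on a host where the variables happen to be set. Since `i` is already the map's string key, `s.Run(i, func() {` reads more plainly than `s.Run(fmt.Sprint(i), func() {`.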