Implement SSM instances and compliance items

client/client.go

@@ -52,6 +52,7 @@ import (
 	s3control "github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	"github.com/aws/aws-sdk-go-v2/service/sts"
 	"github.com/aws/aws-sdk-go-v2/service/waf"
 	"github.com/aws/aws-sdk-go-v2/service/wafv2"
@@ -126,6 +127,7 @@ type Services struct {
 	S3                   S3Client
 	S3Control            S3ControlClient
 	S3Manager            S3ManagerClient
+	SSM                  SSMClient
 	SQS                  SQSClient
 	Apigateway           ApigatewayClient
 	Apigatewayv2         Apigatewayv2Client
@@ -388,6 +390,7 @@ func initServices(region string, c aws.Config) Services {
 		S3Control:            s3control.NewFromConfig(awsCfg),
 		S3Manager:            newS3ManagerFromConfig(awsCfg),
 		SNS:                  sns.NewFromConfig(awsCfg),
+		SSM:                  ssm.NewFromConfig(awsCfg),
 		SQS:                  sqs.NewFromConfig(awsCfg),
 		Waf:                  waf.NewFromConfig(awsCfg),
 		WafV2:                wafv2.NewFromConfig(awsCfg),

client/services.go

@@ -42,6 +42,7 @@ import (
 	s3control "github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
 	"github.com/aws/aws-sdk-go-v2/service/waf"
 	"github.com/aws/aws-sdk-go-v2/service/wafv2"
 )
@@ -446,3 +447,9 @@ type GuardDutyClient interface {
 	guardduty.ListMembersAPIClient
 	GetDetector(ctx context.Context, params *guardduty.GetDetectorInput, optFns ...func(*guardduty.Options)) (*guardduty.GetDetectorOutput, error)
 }
+
+//go:generate mockgen -package=mocks -destination=./mocks/mock_ssm.go . SSMClient
+type SSMClient interface {
+	DescribeInstanceInformation(ctx context.Context, params *ssm.DescribeInstanceInformationInput, optFns ...func(*ssm.Options)) (*ssm.DescribeInstanceInformationOutput, error)
+	ListComplianceItems(ctx context.Context, params *ssm.ListComplianceItemsInput, optFns ...func(*ssm.Options)) (*ssm.ListComplianceItemsOutput, error)
+}

docs/tables/aws_ssm_instance_compliance_items.md

@@ -0,0 +1,18 @@
+
+# Table: aws_ssm_instance_compliance_items
+Information about the compliance as defined by the resource type
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|instance_cq_id|uuid|Unique CloudQuery ID of aws_ssm_instances table (FK)|
+|compliance_type|text|The compliance type|
+|details|jsonb|A "Key": "Value" tag combination for the compliance item.|
+|execution_summary_execution_time|timestamp without time zone|The time the execution ran as a datetime object that is saved in the following format: yyyy-MM-dd'T'HH:mm:ss'Z'.|
+|execution_summary_execution_id|text|An ID created by the system when PutComplianceItems was called|
+|execution_summary_execution_type|text|The type of execution|
+|id|text|An ID for the compliance item|
+|resource_id|text|An ID for the resource|
+|resource_type|text|The type of resource|
+|severity|text|The severity of the compliance status|
+|status|text|The status of the compliance item|
+|title|text|A title for the compliance item|

docs/tables/aws_ssm_instances.md

@@ -0,0 +1,29 @@
+
+# Table: aws_ssm_instances
+Describes a filter for a specific list of instances.
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|account_id|text|The AWS Account ID of the resource.|
+|region|text|The AWS Region of the resource.|
+|arn|text|The Amazon Resource Name (ARN) of the managed instance.|
+|activation_id|text|The activation ID created by Amazon Web Services Systems Manager when the server or virtual machine (VM) was registered.|
+|agent_version|text|The version of SSM Agent running on your Linux instance.|
+|association_overview_detailed_status|text|Detailed status information about the aggregated associations.|
+|association_overview_instance_association_status_aggregated_count|jsonb|The number of associations for the instance(s).|
+|association_status|text|The status of the association.|
+|computer_name|text|The fully qualified host name of the managed instance.|
+|ip_address|text|The IP address of the managed instance.|
+|iam_role|text|The Identity and Access Management (IAM) role assigned to the on-premises Systems Manager managed instance|
+|instance_id|text|The instance ID.|
+|is_latest_version|boolean|Indicates whether the latest version of SSM Agent is running on your Linux Managed Instance|
+|last_association_execution_date|timestamp without time zone|The date the association was last run.|
+|last_ping_date_time|timestamp without time zone|The date and time when the agent last pinged the Systems Manager service.|
+|last_successful_association_execution_date|timestamp without time zone|The last date the association was successfully run.|
+|name|text|The name assigned to an on-premises server or virtual machine (VM) when it is activated as a Systems Manager managed instance|
+|ping_status|text|Connection status of SSM Agent|
+|platform_name|text|The name of the operating system platform running on your instance.|
+|platform_type|text|The operating system platform type.|
+|platform_version|text|The version of the OS platform running on your instance.|
+|registration_date|timestamp without time zone|The date the server or VM was registered with Amazon Web Services as a managed instance.|
+|resource_type|text|The type of instance|

go.mod

@@ -134,6 +134,11 @@ require (
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
 
+require (
+	github.com/aws/aws-sdk-go-v2/service/s3control v1.14.1
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.16.0
+)
+
 require (
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.1 // indirect

go.sum

@@ -253,6 +253,8 @@ github.com/aws/aws-sdk-go-v2/service/sns v1.1.2 h1:1U/FujyBEkNwrvANUcZFuVnAQqy0E
 github.com/aws/aws-sdk-go-v2/service/sns v1.1.2/go.mod h1:/vvAGyo3/TG5CSrJQarIlwzjE6O/DjBIvJTRkpYkvwA=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.9.1 h1:8m+6iuSldxMrVQbjHRcWPnUxdpD3RCPtacmFFNkR4Vw=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.9.1/go.mod h1:nbjBtoH25NLQ7Pv/QqmB94JLDdy3kSGvys2iH2OBspk=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.16.0 h1:LP8DuA8sYKOf37HAEIyBFbcdeyD/ceqlARJD2LnVNvI=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.16.0/go.mod h1:0CzdxtFRsppljClOL0+1hXEz4C+i+nKfzMRh7LP3pNY=
 github.com/aws/aws-sdk-go-v2/service/sso v1.1.5/go.mod h1:bpGz0tidC4y39sZkQSkpO/J0tzWCMXHbw6FZ0j1GkWM=
 github.com/aws/aws-sdk-go-v2/service/sso v1.2.1 h1:alpXc5UG7al7QnttHe/9hfvUfitV8r3w0onPpPkGzi0=
 github.com/aws/aws-sdk-go-v2/service/sso v1.2.1/go.mod h1:VimPFPltQ/920i1X0Sb0VJBROLIHkDg2MNP10D46OGs=

resources/provider.go

@@ -114,6 +114,7 @@ func Provider() *provider.Provider {
 			"sns.subscriptions":                     SnsSubscriptions(),
 			"sns.topics":                            SnsTopics(),
 			"sqs.queues":                            SQSQueues(),
+			"ssm.instances":                         SsmInstances(),
 			"waf.rule_groups":                       WafRuleGroups(),
 			"waf.rules":                             WafRules(),
 			"waf.subscribed_rule_groups":            WafSubscribedRuleGroups(),