⭐ Azure auto discovery should include all resources #6479
LittleSalkin1806 wants to merge 1 commit into mondoohq:main from
Conversation
```go
var Auto = []string{
	DiscoverySubscriptions,
	DiscoveryInstances,
	//DiscoveryInstancesApi,
```
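Review bot: commenting out `DiscoveryInstancesApi` inside the `Auto` list leaves dead code without recording why it is excluded; either drop the line or replace it with a comment stating that `DiscoveryInstances` already yields those VMs as connectable assets and that enabling both targets produces duplicate assets, so the next person extending `Auto` does not simply uncomment it.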
@preslavgerchev can you chime in here on the difference between these two and which things we should default to?
instances will discover the OS, like something you can connect to; the instancesAPI one is about instance configuration. We don't want both on right now for any cloud discovery, it will create double assets.
@vjeffrey or @preslavgerchev can we merge?
@LittleSalkin1806, this PR looks good from my perspective. I would like to pause it for a hot second until we figure out if there's a way for us to do a 'fast' discovery for shell sessions, compared to scan sessions. This is a general issue and not just Azure-specific.
Sure, our main problem is that the scans on Mondoo integrations are not working with any input parameters, therefore we can only use the default behaviour.

Can you provide more context, @LittleSalkin1806? Maybe we're able to fix this elsewhere in that case.
Current State: We are currently writing custom policies and leveraging existing CIS policies. These policies will be enforced centrally through integrations across all major cloud providers:
Azure – Organization-wide

Previous Behavior (before my changes): For Azure (I've already updated this for GCP, and you guys did the handling for AWS), Mondoo only scanned at the Account / Subscription / Project level by default via scheduled scans. I kept the structure you first introduced in the AWS PR. This happens because:
--discover defaults to "auto" when no parameters are specified

We need the ability to pass custom inputs (--filters, --discover) to the Mondoo platform scans for these integrations.

Current Blocker: I received feedback (from someone who contacted you directly on Slack) that this capability is currently not available. This means the only way to see scan results for all assets on the Mondoo platform is through local scanning or changing the discovered resources for "auto". I don't yet have visibility into what's being tracked on the T-Sec / Mondoo feature board, but I should have access soon.
@LittleSalkin1806 we rolled out an improvement that should fix this internally for running scans, could you please verify if it works as expected? This PR still makes sense to me but I would like to park it until we can figure out how to do a fast shell connection.
Hey @preslavgerchev, yeah, the Azure integration now discovers assets automatically. How can we ensure that this list of discovered resources is updated when a resource of the respective provider is added? For example, OpenSearch on AWS was added.

Normally this is the place to fix it, just like your PR. I would just like to first make it possible that when opening a cnspec shell we don't run through the full discovery and only apply this for scanning. This is something we need to fix and then we can merge this.
As done for AWS and GCP, now also for Azure, as I am now using the Azure integration as well.

I have one question:

For AWS and GCP I stuck to the AWS changes you did, and therefore did not add certain resources to auto.

From my understanding it is crucial to make auto == all, as on the integrations used on the Mondoo platform we can't define any options as input for the scans, right?

When I look at `gcp` and `aws` there are some things excluded. I had this problem just today: I wanted to check EC2 instances, but `ec2-instance-api` was not included in the auto behaviour and also not included in `all`, yet it worked perfectly fine in the shell on my laptop. I also don't understand the difference between `instances` and `ec2-instance-api`. Could we align on why this is the case and, if there is no reason for it, also include it in the scans?
AWS PR
GCP PR
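The thread turns on three things: what `auto` and `all` expand to, why `instances` and the `*-instance-api` target must not both be on (double assets), and the wish for a fast shell session versus a full scan. The following Go snippet is an added illustration of one way to resolve `--discover` values under those constraints; it is not cnspec's code. The string values, the `storage-accounts` entry, the `Mode` type and the `Resolve`/`AutoFor` functions are all assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Discovery target names. The constant names follow the style visible in the
// PR snippet (DiscoverySubscriptions, DiscoveryInstances, DiscoveryInstancesApi);
// the string values and the StorageAccounts entry are assumed for this example.
const (
	DiscoveryAuto            = "auto"
	DiscoveryAll             = "all"
	DiscoverySubscriptions   = "subscriptions"
	DiscoveryInstances       = "instances"
	DiscoveryInstancesApi    = "instances-api"
	DiscoveryStorageAccounts = "storage-accounts"
)

// Mode tells the resolver whether discovery runs for a scheduled/platform scan
// or for an interactive cnspec shell (hypothetical type, not cnspec's).
type Mode int

const (
	ModeScan Mode = iota
	ModeShell
)

// Known lists every target the provider understands.
var Known = []string{
	DiscoverySubscriptions,
	DiscoveryInstances,
	DiscoveryInstancesApi,
	DiscoveryStorageAccounts,
}

// All is what "all" expands to. DiscoveryInstancesApi is deliberately left out:
// it describes the same VMs that DiscoveryInstances already yields as
// connectable OS assets, and enabling both produces duplicate assets.
var All = []string{
	DiscoverySubscriptions,
	DiscoveryInstances,
	DiscoveryStorageAccounts,
}

// AutoFor returns what "auto" expands to. Scans get the full inventory, so an
// integration that cannot pass --discover still sees every resource; a shell
// only lists subscriptions, keeping session start-up fast.
func AutoFor(mode Mode) []string {
	if mode == ModeShell {
		return []string{DiscoverySubscriptions}
	}
	return All
}

// Resolve turns raw --discover values into a concrete, de-duplicated target
// list. Keywords are expanded, unknown names are rejected, and a request that
// ends up with both the OS-level and the API-level instance target is refused
// rather than silently producing double assets.
func Resolve(requested []string, mode Mode) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	add := func(t string) {
		if !seen[t] {
			seen[t] = true
			out = append(out, t)
		}
	}
	for _, raw := range requested {
		name := strings.ToLower(strings.TrimSpace(raw))
		switch name {
		case DiscoveryAll:
			for _, t := range All {
				add(t)
			}
		case DiscoveryAuto:
			for _, t := range AutoFor(mode) {
				add(t)
			}
		default:
			if !contains(Known, name) {
				return nil, fmt.Errorf("unknown discovery target %q", raw)
			}
			add(name)
		}
	}
	if seen[DiscoveryInstances] && seen[DiscoveryInstancesApi] {
		return nil, fmt.Errorf("%s and %s enumerate the same VMs; pick one",
			DiscoveryInstances, DiscoveryInstancesApi)
	}
	return out, nil
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct {
		in   []string
		mode Mode
	}{
		{[]string{"auto"}, ModeScan},
		{[]string{"auto"}, ModeShell},
		{[]string{"all", "instances"}, ModeScan},
		{[]string{"instances", "instances-api"}, ModeScan},
	}
	for _, c := range cases {
		got, err := Resolve(c.in, c.mode)
		fmt.Printf("%v (mode %d) -> %v, err=%v\n", c.in, c.mode, got, err)
	}
}
```

Keeping the "which targets conflict" rule inside `Resolve` rather than in a comment next to the `Auto` slice means a future addition (say, an OpenSearch-style target with both an OS and an API flavour) only needs a new constant plus a conflict check, and both the platform scan and the local shell go through the same path instead of drifting apart.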