feat: Shield protections added

client/client.go

@@ -60,6 +60,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/aws/aws-sdk-go-v2/service/sagemaker"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/shield"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
@@ -72,9 +73,8 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/xray"
 	"github.com/aws/smithy-go/logging"
 	"github.com/cloudquery/cq-provider-sdk/provider/diag"
-	"github.com/hashicorp/go-hclog"
-
 	"github.com/cloudquery/cq-provider-sdk/provider/schema"
+	"github.com/hashicorp/go-hclog"
 )
 
 var envVarsToCheck = []string{
@@ -147,6 +147,7 @@ type Services struct {
 	S3                     S3Client
 	S3Control              S3ControlClient
 	S3Manager              S3ManagerClient
+	Shield                 ShieldClient
 	SNS                    SnsClient
 	SQS                    SQSClient
 	SSM                    SSMClient
@@ -575,6 +576,7 @@ func initServices(region string, c aws.Config) Services {
 		S3Manager:              newS3ManagerFromConfig(awsCfg),
 		SageMaker:              sagemaker.NewFromConfig(awsCfg),
 		SecretsManager:         secretsmanager.NewFromConfig(awsCfg),
+		Shield:                 shield.NewFromConfig(awsCfg),
 		SNS:                    sns.NewFromConfig(awsCfg),
 		SSM:                    ssm.NewFromConfig(awsCfg),
 		SQS:                    sqs.NewFromConfig(awsCfg),

client/services.go

@@ -51,6 +51,7 @@ import (
 	"github.com/aws/aws-sdk-go-v2/service/s3control"
 	"github.com/aws/aws-sdk-go-v2/service/sagemaker"
 	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/shield"
 	"github.com/aws/aws-sdk-go-v2/service/sns"
 	"github.com/aws/aws-sdk-go-v2/service/sqs"
 	"github.com/aws/aws-sdk-go-v2/service/ssm"
@@ -671,3 +672,13 @@ type WafRegionalClient interface {
 type XrayClient interface {
 	GetEncryptionConfig(ctx context.Context, params *xray.GetEncryptionConfigInput, optFns ...func(*xray.Options)) (*xray.GetEncryptionConfigOutput, error)
 }
+
+//go:generate mockgen -package=mocks -destination=./mocks/shield.go . ShieldClient
+type ShieldClient interface {
+	ListProtections(ctx context.Context, params *shield.ListProtectionsInput, optFns ...func(*shield.Options)) (*shield.ListProtectionsOutput, error)
+	ListTagsForResource(ctx context.Context, params *shield.ListTagsForResourceInput, optFns ...func(*shield.Options)) (*shield.ListTagsForResourceOutput, error)
+	DescribeSubscription(ctx context.Context, params *shield.DescribeSubscriptionInput, optFns ...func(*shield.Options)) (*shield.DescribeSubscriptionOutput, error)
+	ListAttacks(ctx context.Context, params *shield.ListAttacksInput, optFns ...func(*shield.Options)) (*shield.ListAttacksOutput, error)
+	DescribeAttack(ctx context.Context, params *shield.DescribeAttackInput, optFns ...func(*shield.Options)) (*shield.DescribeAttackOutput, error)
+	ListProtectionGroups(ctx context.Context, params *shield.ListProtectionGroupsInput, optFns ...func(*shield.Options)) (*shield.ListProtectionGroupsOutput, error)
+}

docs/tables/aws_shield_attack_properties.md

@@ -0,0 +1,12 @@
+
+# Table: aws_shield_attack_properties
+Details of a Shield event
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|attack_cq_id|uuid|Unique CloudQuery ID of aws_shield_attacks table (FK)|
+|attack_layer|text|The type of Shield event that was observed|
+|attack_property_identifier|text|Defines the Shield event property information that is provided|
+|top_contributors|jsonb|Contributor objects for the top five contributors to a Shield event|
+|total|bigint|The total contributions made to this Shield event by all contributors|
+|unit|text|The unit used for the ContributorValue property|

docs/tables/aws_shield_attack_sub_resources.md

@@ -0,0 +1,11 @@
+
+# Table: aws_shield_attack_sub_resources
+The attack information for the specified SubResource
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|attack_cq_id|uuid|Unique CloudQuery ID of aws_shield_attacks table (FK)|
+|attack_vectors|jsonb|The list of attack types and associated counters|
+|counters|jsonb|The counters that describe the details of the attack|
+|id|text|The unique identifier (ID) of the SubResource|
+|type|text|The SubResource type|

docs/tables/aws_shield_attacks.md

@@ -0,0 +1,13 @@
+
+# Table: aws_shield_attacks
+The details of a DDoS attack
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|account_id|text|The AWS Account ID of the resource.|
+|attack_counters|jsonb|List of counters that describe the attack for the specified time period|
+|id|text|The unique identifier (ID) of the attack|
+|end_time|timestamp without time zone|The time the attack ended, in Unix time in seconds|
+|mitigations|text[]|List of mitigation actions taken for the attack|
+|resource_arn|text|The ARN (Amazon Resource Name) of the resource that was attacked|
+|start_time|timestamp without time zone|The time the attack started, in Unix time in seconds|

docs/tables/aws_shield_protection_groups.md

@@ -0,0 +1,14 @@
+
+# Table: aws_shield_protection_groups
+A grouping of protected resources that you and Shield Advanced can monitor as a collective
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|account_id|text|The AWS Account ID of the resource.|
+|tags|jsonb||
+|aggregation|text|Defines how Shield combines resource data for the group in order to detect, mitigate, and report events  * Sum - Use the total traffic across the group This is a good choice for most cases|
+|members|text[]|The Amazon Resource Names (ARNs) of the resources to include in the protection group|
+|pattern|text|The criteria to use to choose the protected resources for inclusion in the group|
+|id|text|The name of the protection group|
+|arn|text|The ARN (Amazon Resource Name) of the protection group|
+|resource_type|text|The resource type to include in the protection group|

docs/tables/aws_shield_protections.md

@@ -0,0 +1,15 @@
+
+# Table: aws_shield_protections
+An object that represents a resource that is under DDoS protection.
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|account_id|text|The AWS Account ID of the resource.|
+|region|text|The AWS Region of the resource.|
+|tags|jsonb|The AWS tags of the resource.|
+|application_automatic_response_configuration_status|text|Indicates whether automatic application layer DDoS mitigation is enabled for the protection|
+|health_check_ids|text[]|The unique identifier (ID) for the Route 53 health check that's associated with the protection|
+|id|text|The unique identifier (ID) of the protection|
+|name|text|The name of the protection|
+|arn|text|The ARN (Amazon Resource Name) of the protection|
+|resource_arn|text|The ARN (Amazon Resource Name) of the Amazon Web Services resource that is protected|

docs/tables/aws_shield_subscriptions.md

@@ -0,0 +1,17 @@
+
+# Table: aws_shield_subscriptions
+Information about the Shield Advanced subscription for an account
+## Columns
+| Name        | Type           | Description  |
+| ------------- | ------------- | -----  |
+|account_id|text|The AWS Account ID of the resource.|
+|protection_group_limits_max_protection_groups|integer|The maximum number of protection groups that you can have at one time|
+|protection_group_limits_arbitrary_pattern_limits_max_members|integer|The maximum number of resources you can specify for a single arbitrary pattern in a protection group|
+|protected_resource_type_limits|jsonb|The maximum number of resource types that you can specify in a protection|
+|auto_renew|text|If ENABLED, the subscription will be automatically renewed at the end of the existing subscription period|
+|end_time|timestamp without time zone|The date and time your subscription will end|
+|limits|jsonb|Specifies how many protections of a given type you can create|
+|proactive_engagement_status|text|If ENABLED, the Shield Response Team (SRT) will use email and phone to notify contacts about escalations to the SRT and to initiate proactive customer support|
+|start_time|timestamp without time zone|The start time of the subscription, in Unix time in seconds|
+|arn|text|The ARN (Amazon Resource Name) of the subscription|
+|time_commitment_in_seconds|integer|The length, in seconds, of the Shield Advanced subscription for the account|

go.mod

@@ -3,7 +3,7 @@ module github.com/cloudquery/cq-provider-aws
 go 1.17
 
 require (
-	github.com/aws/aws-sdk-go-v2 v1.16.2
+	github.com/aws/aws-sdk-go-v2 v1.16.3
 	github.com/aws/aws-sdk-go-v2/config v1.3.0
 	github.com/aws/aws-sdk-go-v2/credentials v1.2.1
 	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.2.1
@@ -84,14 +84,15 @@ require (
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.1.1 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.0.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/backup v1.15.4
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.5.0 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.3.3 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.9.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/shield v1.16.4
 	github.com/aws/aws-sdk-go-v2/service/sso v1.2.1 // indirect
 	github.com/aws/aws-sdk-go-v2/service/wafregional v1.12.3
 	github.com/creasty/defaults v1.5.2 // indirect