Pull request update/241209

3a33687 OS-8046. Add the GCP service to the Public S3 buckets recommendation c65660c OS-7996. GCP s3_public_buckets support 696f3dc OS-8040. Changed regions for discovering RDS + new region on Alibaba
hystax · Dec 9, 2024 · ea05125 · ea05125
2 parents aab38e0 + 3a33687
commit ea05125
Show file tree

Hide file tree

Showing 6 changed files with 41 additions and 13 deletions.
diff --git a/bumiworker/bumiworker/modules/recommendations/s3_public_buckets.py b/bumiworker/bumiworker/modules/recommendations/s3_public_buckets.py
@@ -5,6 +5,7 @@
 
 SUPPORTED_CLOUD_TYPES = [
     'aws_cnr',
+    'gcp_cnr',
     'nebius'
 ]
 

diff --git a/ngui/ui/src/containers/RecommendationsOverviewContainer/recommendations/PublicS3Buckets.tsx b/ngui/ui/src/containers/RecommendationsOverviewContainer/recommendations/PublicS3Buckets.tsx
@@ -1,9 +1,9 @@
 import { FormattedMessage } from "react-intl";
 import RecommendationListItemResourceLabel from "components/RecommendationListItemResourceLabel";
 import TextWithDataTestId from "components/TextWithDataTestId";
-import { AWS_S3, NEBIUS_SERVICE } from "hooks/useRecommendationServices";
+import { AWS_S3, GCP_CLOUD_STORAGE, NEBIUS_SERVICE } from "hooks/useRecommendationServices";
 import { detectedAt, poolOwner, resource, resourceLocation } from "utils/columns";
-import { AWS_CNR, NEBIUS } from "utils/constants";
+import { AWS_CNR, GCP_CNR, NEBIUS } from "utils/constants";
 import BaseRecommendation, { CATEGORY_SECURITY } from "./BaseRecommendation";
 
 const columns = [
@@ -58,9 +58,9 @@ class PublicS3Buckets extends BaseRecommendation {
 
   emptyMessageId = "noPublicS3Buckets";
 
-  services = [AWS_S3, NEBIUS_SERVICE];
+  services = [AWS_S3, NEBIUS_SERVICE, GCP_CLOUD_STORAGE];
 
-  appliedDataSources = [AWS_CNR, NEBIUS];
+  appliedDataSources = [AWS_CNR, NEBIUS, GCP_CNR];
 
   categories = [CATEGORY_SECURITY];
 

diff --git a/ngui/ui/src/hooks/useRecommendationServices.ts b/ngui/ui/src/hooks/useRecommendationServices.ts
@@ -21,6 +21,7 @@ export const AZURE_NETWORK = "azureNetwork";
 
 export const GCP_COMPUTE_ENGINE = "gcpComputeEngine";
 export const GCP_IAM = "gcpAim";
+export const GCP_CLOUD_STORAGE = "gcpCloudStorage";
 
 export const NEBIUS_SERVICE = "nebius";
 
@@ -93,6 +94,10 @@ const GCP_SERVICES = Object.freeze({
   [GCP_IAM]: {
     type: GCP_CNR,
     name: "services.iam"
+  },
+  [GCP_CLOUD_STORAGE]: {
+    type: GCP_CNR,
+    name: "services.cloudStorage"
   }
 });
 

diff --git a/ngui/ui/src/translations/en-US/app.json b/ngui/ui/src/translations/en-US/app.json
@@ -629,8 +629,6 @@
   "edit{}": "Edit {value}",
   "eitherMinOrMaxMustBeDefined": "Either minimimum or maximum must be defined",
   "email": "Email",
-  "emailVerificationDescription": "To verify your email, please enter the verification code sent to:",
-  "emailVerifiedSuccessfully": "Email has been verified successfully!",
   "emailNotifications": "Email notifications",
   "emailTemplates.accountManagement.invite.description": "Notification of an invitation to join OptScale",
   "emailTemplates.accountManagement.invite.title": "Invitation notification",
@@ -666,6 +664,8 @@
   "emailTemplates.systemNotifications.environment_changes.title": "Environment changed",
   "emailTemplates.systemNotifications.report_imports_passed_for_org.description": "Confirmation that initial expense processing for your organization is complete",
   "emailTemplates.systemNotifications.report_imports_passed_for_org.title": "Expenses initial processing completed",
+  "emailVerificationDescription": "To verify your email, please enter the verification code sent to:",
+  "emailVerifiedSuccessfully": "Email has been verified successfully!",
   "employee": "Employee",
   "enabled": "Enabled",
   "endDate": "End date",
@@ -1983,6 +1983,7 @@
   "serverError": "Server error",
   "service": "Service",
   "serviceAccountId": "Service account ID",
+  "services.cloudStorage": "Cloud Storage",
   "services.compute": "Compute",
   "services.computeEngine": "Compute Engine",
   "services.ebs": "EBS",

diff --git a/tools/cloud_adapter/clouds/alibaba.py b/tools/cloud_adapter/clouds/alibaba.py
@@ -43,6 +43,7 @@
 from aliyunsdkrds.request.v20140815 import (
     DescribeAvailableClassesRequest,
     DescribeDBInstancesRequest,
+    DescribeRegionsRequest as DescribeRdsRegionsRequest,
     DescribeTagsRequest as DescribeRdsTagsRequest,
     DescribeDBInstanceAttributeRequest,
 )
@@ -271,6 +272,11 @@ def _list_region_details(self):
         regions = self._send_request(request)['Regions']['Region']
         return self._exclude_closed_regions(regions)
 
+    def _list_rds_region_details(self):
+        request = DescribeRdsRegionsRequest.DescribeRegionsRequest()
+        regions = self._send_request(request)['Regions']['RDSRegion']
+        return self._exclude_closed_regions(regions)
+
     def _find_region(self, id_or_name):
         if id_or_name not in self._regions_map:
             for region_info in self._list_region_details():
@@ -641,11 +647,8 @@ def snapshot_chain_discovery_calls(self):
                 for r in self._list_region_details()]
 
     def rds_instance_discovery_calls(self):
-        excluded_regions = ['cn-wuhan-lr']
-        # rds instances discover in this regions raises error for some reasons
         return [(self._discover_region_rds_instances, (r,))
-                for r in self._list_region_details()
-                if r['RegionId'] not in excluded_regions]
+                for r in self._list_rds_region_details()]
 
     def ip_address_discovery_calls(self):
         return [(self._discover_ip_addresses, (r,))
@@ -713,6 +716,9 @@ def _get_coordinates_map(self):
             'cn-wulanchabu': {
                 'name': 'China (Ulanqab)',
                 'longitude': 113.0597863, 'latitude': 41.0177905},
+            'cn-wulanchabu-acdr-1': {
+                'name': 'Wulanchabu HDG ACDR',
+                'longitude': 113.132585, 'latitude': 40.994786},
             'cn-hangzhou': {
                 'name': 'China (Hangzhou)',
                 'longitude': 120.0314647, 'latitude': 30.2613156},

diff --git a/tools/cloud_adapter/clouds/gcp.py b/tools/cloud_adapter/clouds/gcp.py
@@ -488,13 +488,28 @@ def post_discover(self):
 
 
 class GcpBucket(tools.cloud_adapter.model.BucketResource, GcpResource):
+
     def __init__(self, cloud_bucket: storage.Bucket, cloud_adapter):
         GcpResource.__init__(self, cloud_bucket, cloud_adapter)
+        is_public_acls = False
+        is_public_policy = False
+        iam_policy = cloud_bucket.get_iam_policy()
+        iam = cloud_bucket.iam_configuration
+        if iam.public_access_prevention != 'enforced':
+            for binding in iam_policy.bindings:
+                if "allUsers" in binding["members"]:
+                    is_public_policy = True
+                    break
+            if not iam.uniform_bucket_level_access_enabled:
+                acls = list(cloud_bucket.acl)
+                for acl in acls:
+                    if acl["entity"] == "allUsers":
+                        is_public_acls = True
+                        break
         super().__init__(
             **self._common_fields,
-            # TODO: how to detect public buckets?
-            is_public_policy=False,
-            is_public_acls=False,
+            is_public_policy=is_public_policy,
+            is_public_acls=is_public_acls,
         )
 
     def _get_console_link(self):