paloaltonetworks / pcs-sizing-scripts
Prisma Cloud sizing scripts
License: ISC License
Please can we have resource counts for ELBs and EKS clusters?
I see code for listing the EKS clusters in the resource-count-aws.sh script but no flag for it. Same for the ELBs as well.
Thank you.
When run using org mode, the first member account will be scanned. All of the other accounts will fail.
It should scan all of the member accounts
Warning: Failed to assume role into Member Account …, skipping ...
If you remove the 2>/dev/null which discards the error output from the aws sts assume-role command, you'll see this additional detail:
Unable to locate credentials. You can configure credentials by running "aws configure".
Reviewing the code from #2, I believe the problem is related to the way assume_role() overwrites its current credentials with the assumed role credentials, which allows that account to be scanned but then causes all subsequent accounts to fail, since you'd need to call sts:AssumeRole using the original credentials.
pcs-sizing-scripts/aws/resource-count-aws.sh
Lines 266 to 279 in 73fbe9a
resource-count-aws.sh org
with credentials in the Organization master account for an IAM user which has permission to assume the OrganizationAccountAccessRole in each member account.
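The credential-overwrite problem described in this issue can be avoided by running each member-account scan in a subshell, so the exported assumed-role credentials disappear when the subshell exits and the caller still holds its original credentials for the next sts:AssumeRole call. The script below is an added example, not code from pcs-sizing-scripts; stub_assume_role and stub_count_resources are constructed stand-ins for the aws CLI calls so it runs offline, and the account IDs and placeholder key are made up.

```shell
#!/bin/sh
# Added example, not code from pcs-sizing-scripts: isolate each member-account scan
# in a subshell so the assumed-role credentials never replace the caller's own
# credentials, which are still needed for the next sts:AssumeRole call.

# The caller's long-lived credentials. The value is a constructed placeholder;
# a real run would already have AWS_ACCESS_KEY_ID exported or a profile configured.
export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-AKIAORIGINALPLACEHOLDER}"

# Constructed stand-in for
#   aws sts assume-role --role-arn ... --role-session-name ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text
# so the example runs offline. It prints three whitespace-separated values.
stub_assume_role() {
  echo "ASIA${1}KEY SECRET${1} TOKEN${1}"
}

# Constructed stand-in for the per-account resource counting; it reports which
# access key the aws CLI would be using, which is what we want to observe.
stub_count_resources() {
  echo "${AWS_ACCESS_KEY_ID}"
}

# The pattern behind the reported bug: exporting the assumed-role credentials in
# the current shell. The first account scans fine, but the original credentials
# are gone, so every later assume-role call reports "Unable to locate credentials".
overwrite_credentials_in_place() {
  set -- $(stub_assume_role "$1")
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  stub_count_resources
}

# The fix: do the same work inside ( ... ). Exports made in a subshell vanish when
# it exits, so the caller keeps its original credentials for the next account.
scan_member_account() {
  (
    set -- $(stub_assume_role "$1")
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
    stub_count_resources
  )
}

# Scan a constructed list of member accounts, then report the credential the
# caller still holds; with the subshell pattern this is the original key.
scan_all_accounts() {
  for account_id in 111111111111 222222222222 333333333333; do
    scan_member_account "$account_id" >/dev/null
  done
  echo "${AWS_ACCESS_KEY_ID}"
}

scan_all_accounts
```

In the real script the same effect can be had by wrapping the body of the per-account loop in ( ... ), or by passing the assumed credentials to the aws CLI through a dedicated profile instead of the process environment; either way the master-account credentials are never replaced.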
resource-count-aws.sh
If there is an AMI launch index, the EC2 count is different.
About the AMI Launch Index:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMI-launch-index-examples.html
Multiple EC2 instances in the AMI Launch Index are counted.
Multiple EC2 instances in the AMI Launch Index are not counted.
I am not good at jq.
For example, I think it is possible to implement the following using grep and wc.
resource-count-aws.sh, line 293:
RESOURCE_COUNT=$(aws_ec2_describe_instances "${i}" | grep InstanceId | wc -l 2>/dev/null)
It seems we are only checking for elb, and not including elbv2 as part of our API queries. I would like us to include support for aws elbv2 describe-load-balancers.
Asking the client for how many ELBs they are using.
This issue was identified by a client during a PoC. They ran the script, and it returned zero for the ELB service. However, the client knows that they have several ELBs.
In cwp mode, ECS Task is not counted correctly.
The number of ECS Fargate Tasks cannot be obtained correctly in aws-resource-count.sh with the cwp option.
Expected: obtain the correct ECS cluster names and count the number of individual Fargate tasks.
Fargate tasks per cluster are not fetched correctly.
Modify the script function "get_ecs_fargate_task_count()".
For example, how about modifying the following?
https://github.com/PaloAltoNetworks/pcs-sizing-scripts/blob/main/aws/resource-count-aws.sh#L241-L253
ECS_FARGATE_CLUSTERS=($(aws_ecs_list_clusters "${REGION}" | jq -r '.clusterArns[]' 2>/dev/null))
XIFS=$IFS
# shellcheck disable=SC2206
IFS=$'\n' ECS_FARGATE_CLUSTERS_LIST=(${ECS_FARGATE_CLUSTERS[@]})
IFS=$XIFS
ECS_FARGATE_TASK_LIST_COUNT=0
RESULT=0
for CLUSTER in "${ECS_FARGATE_CLUSTERS_LIST[@]}"
do
  # number of tasks in this cluster; the ARN list is taken from the cluster's own list-tasks output
  ECS_FARGATE_TASK_LIST_COUNT=$(aws_ecs_list_tasks "${REGION}" "${CLUSTER}" | jq -r '[.taskArns[]] | length' 2>/dev/null)
  # accumulate across clusters so the region total is returned
  RESULT=$((RESULT + ECS_FARGATE_TASK_LIST_COUNT))
done
echo "${RESULT}"
./resource-count-aws.sh cwp
If an AWS account ID within an organization begins with a zero, it reports an error at line 190 in aws/resource-count-aws.sh as follows:
./resource-count-aws.sh: line 190: [[: 012345678983: value too great for base (error token is "012345678983")
Values in the test should be compared as their string equivalents.
Remove the double bracket test and use single brackets. See https://stackoverflow.com/questions/24777597/value-too-great-for-base-error-token-is-08
At line 189, insert something like: ACCOUNT_ID=012345678983
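The failure above comes from treating a 12-digit account ID as an integer: bash reads a leading-zero operand of a numeric [[ ... -eq ... ]] test as octal, so an ID containing 8 or 9 aborts with "value too great for base", and an ID with only digits 0 to 7 would silently compare as the wrong number. The script below is an added example, not code from pcs-sizing-scripts; the function names are my own and the account IDs are constructed. It handles IDs purely as strings, validates their shape, re-pads zeros that an earlier numeric step may have stripped, and counts matches in a constructed list.

```shell
#!/bin/sh
# Added example, not code from pcs-sizing-scripts: handle AWS account IDs as
# 12-character strings, never as integers. The failing line in the report was a
# numeric [[ "$a" -eq "$b" ]] test; with a leading zero bash parses the operand as
# octal, so 012345678983 (which contains 8 and 9) aborts with "value too great for
# base", and an ID like 011111111111 would silently compare as the wrong number.
# Function names below are my own, not the script's.

# String equality works with single brackets in any POSIX shell and keeps zeros.
same_account() {
  [ "$1" = "$2" ]
}

# An account ID is exactly twelve decimal digits; a glob pattern checks that
# without any arithmetic.
is_valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Restore leading zeros to an ID that some earlier numeric step stripped, using
# string prefixing rather than printf '%012d', which would hit the same octal trap
# on input that still has a leading zero.
pad_account_id() {
  id="$1"
  while [ "${#id}" -lt 12 ]; do
    id="0${id}"
  done
  echo "${id}"
}

# Constructed sample of member account IDs, as `aws organizations list-accounts`
# might return them; the first and last start with a zero.
SAMPLE_ACCOUNT_IDS="012345678983
123456789012
012345678983"

# Count how many sample accounts equal the target, comparing as strings.
count_matching_accounts() {
  target="$1"
  n=0
  for id in $SAMPLE_ACCOUNT_IDS; do
    if same_account "$id" "$target"; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

count_matching_accounts 012345678983
```

The same rule applies anywhere the script compares, sorts or formats account IDs: keep them quoted strings end to end, and validate with the twelve-digit pattern before using them in a role ARN.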
Ease of use
The AWS sizing script should have a "--compute" flag rather than be 2 separate scripts
There are currently 2 scripts as a workaround
On testing, I found there is a bug in the Aliyun CLI which affects the sizing tool. With the bug, the sizing script just returns all zeros in the counts.
The Aliyun sizing script reads the "TotalCount" attribute from the JSON obtained by "aliyun ecs DescribeInstances". "TotalCount" should report the total number of ECS (VM) instances.
But, perhaps due to an API bug on the Alicloud side, "TotalCount" is always 0 even when there are VMs listed.
Amend the script function "get_instance_count()" to stop relying on the "TotalCount" attribute, and instead add new lines that count the listed instances.
get_instance_count() {
  COUNT=0
  RESULT=$(abc_compute_instances_list "${1}")
  # COUNT=$(echo "${RESULT}" | jq -r '.TotalCount' 2>/dev/null)   # original line, commented out
  # add new line 1: collect the instance IDs from the DescribeInstances response
  # (assumes the .Instances.Instance[] shape of the aliyun ecs DescribeInstances output)
  INSTANCES=($(echo "${RESULT}" | jq -r '.Instances.Instance[].InstanceId' 2>/dev/null))
  # add new line 2: count the listed instances instead of trusting TotalCount
  COUNT=$((COUNT + ${#INSTANCES[@]}))
  echo "${COUNT}"
}