#!/bin/bash
# written by Kyle Butler
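# Helper functions live here (pce-var-check is called further down). The
# path is relative, so this script must be run from the repository root.
# shellcheck source=./func/func.sh
source ./func/func.sh
# The secrets file is created later in this script on first run, so it is
# optional here: only load it when it exists instead of printing a
# "No such file" error on a fresh checkout. Sourcing executes the file,
# which is why the script later restricts it to the invoking user.
# shellcheck source=/dev/null
if [ -f ./secrets/secrets ]; then
  source ./secrets/secrets
fi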
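# Explain what is about to happen and let the operator bail out before
# anything is touched. Only an answer starting with y/Y continues; an empty
# answer (or EOF on stdin) exits without changes.
printf '\n%s\n%s\n%s\n' "This script will set up your secrets file in the ./secrets directory and modify the permissions so the user running it will be the only one who can modify the file." \
"It will also verify you have the proper dependencies and ensure an api token can be retrieved." \
"It will override any existing file you have in the ./secrets/secrets directory"
printf '\n%s\n' "Would you like to continue?"
read -r ANSWER
case "$ANSWER" in
  [Yy]*) printf '\n%s\n\n' "checking dependencies..." ;;
  *) exit ;;
esac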
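# Dependency checks: every later step shells out to one of these tools, so
# fail early with an actionable message instead of an obscure error mid-run.
# Diagnostics go to stderr so they are not mixed into captured output.
if ! command -v jq > /dev/null 2>&1; then
  printf '\n%s\n%s\n' "ERROR: Jq is not available." \
  "These scripts require jq, please install and try again." >&2
  exit 1
fi
# `command -v` takes command names only; the `-V` that used to follow `curl`
# here was looked up as a second name, not passed to curl.
if ! command -v curl > /dev/null 2>&1; then
  printf '\n%s\n%s\n' "ERROR: curl is not available." \
  "These scripts require curl, please install and try again." >&2
  exit 1
fi
# `docker info` fails both when the CLI is missing and when the daemon is
# unreachable, which is why it is preferred over `command -v docker`.
if ! docker info > /dev/null 2>&1; then
  printf '%s\n%s\n' "ERROR: docker is not available or not runnning." \
  "This script requires docker, please install and try again." >&2
  exit 1
fi
if ! docker compose version > /dev/null 2>&1; then
  printf '%s\n%s\n' "ERROR: docker compose is not available or not runnning." \
  "This script requires docker compose, please install and try again." >&2
  exit 1
fi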
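printf '\n%s\n\n' "dependency check passed...checking secret file"
PATH_TO_SECRETS_FILE="./secrets/secrets"
# Create the file (when missing) under umask 077 so it is never readable by
# other users, not even during the window before the credentials are written
# and the final chmod runs. A plain `touch` would honour the caller's umask
# (commonly 022, i.e. a world-readable file). The umask change is confined
# to the subshell.
if [ ! -f "$PATH_TO_SECRETS_FILE" ]; then
  printf '\n%s\n' "creating secrets file"
  ( umask 077 && touch -- "$PATH_TO_SECRETS_FILE" )
fi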
# Prompt for credentials only when the sourced secrets file did not already
# provide all three values. The secret key is read with -s so it is not
# echoed to the terminal. pce-var-check comes from ./func/func.sh; what it
# validates is not visible from this file.
if [ -z "$PC_SECRETKEY" ] || [ -z "$PC_ACCESSKEY" ] || [ -z "$PC_APIURL" ]; then
  printf '\n%s\n' "Is it okay to reconfigure the ./secrets/secrets file?"
  read -r VERIFY
  case "$VERIFY" in
    [Yy]*) printf '\n%s\n\n' "checking variable assignement..." ;;
    *) exit ;;
  esac
  printf '\n%s\n' "enter your prisma cloud access key id:"
  read -r PC_ACCESSKEY
  printf '\n%s\n' "enter your prisma cloud secret key id:"
  read -r -s PC_SECRETKEY
  printf '\n%s\n' "enter your prisma cloud api url (found here https://prisma.pan.dev/api/cloud/api-urls):"
  read -r PC_APIURL
  pce-var-check
fi
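# Build the login body with jq instead of string interpolation so a key
# containing a double quote or backslash cannot break (or inject into) the
# JSON. The values reach jq through its environment rather than --arg so the
# secret key never appears in any process's argv, which `ps` exposes to
# every local user.
AUTH_PAYLOAD=$(PC_ACCESSKEY="$PC_ACCESSKEY" PC_SECRETKEY="$PC_SECRETKEY" \
  jq -cn '{username: env.PC_ACCESSKEY, password: env.PC_SECRETKEY}')
# Same concern for curl: the body is fed on stdin (--data @-) rather than
# passed as a command-line argument.
PC_JWT_RESPONSE=$(printf '%s' "$AUTH_PAYLOAD" | curl -s --request POST \
  --url "$PC_APIURL/login" \
  --header 'Accept: application/json; charset=UTF-8' \
  --header 'Content-Type: application/json; charset=UTF-8' \
  --data @-)
# `.token // empty` prints nothing when the field is absent or null. A plain
# `.token` printed the literal string "null" for a failed login, which is
# non-empty and so slipped past the check below as a success. jq's stderr is
# silenced on purpose: a non-JSON response (e.g. an HTML error page) is
# reported by the same error branch.
PC_JWT=$(printf '%s' "$PC_JWT_RESPONSE" | jq -r '.token // empty' 2>/dev/null)
if [ -z "$PC_JWT" ]; then
  printf '\n%s\n' "Prisma Cloud Enterprise CSPM api token not retrieved, have you verified the expiration date of the access key and secret key? Have you verified connectivity to the url provided? Troubleshoot and then you'll need to run this script again" >&2
  exit 1
else
  printf '\n%s\n' "Token retrieved, access key, secret key, and prisma cloud enterprise edition api url are valid"
fi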
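# Persist the validated credentials. Each value is written with printf %q,
# which yields a token bash parses back to exactly the original string; the
# previous VAR="$value" form produced a broken file — or ran arbitrary code
# the next time it was sourced — if a value contained a double quote,
# backslash, `$` or backtick. Permissions are tightened *before* the write
# so the credentials never sit in a file readable by other users, and 600
# (no exec bit) is enough because the file is only ever sourced.
chmod 600 -- "$PATH_TO_SECRETS_FILE"
{
  printf '%s\n' "#!/usr/bin/env bash"
  printf 'PC_APIURL=%q\n' "$PC_APIURL"
  printf 'PC_ACCESSKEY=%q\n' "$PC_ACCESSKEY"
  printf 'PC_SECRETKEY=%q\n' "$PC_SECRETKEY"
} > "$PATH_TO_SECRETS_FILE"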
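printf '%s\n\n\n' "beginning dgraph deployment"
# Stop here if the stack does not come up; otherwise etl.sh would run
# against a database that is not there while the message below claims
# everything is up.
if ! docker compose up -d; then
  printf '%s\n' "ERROR: docker compose up failed, see the output above." >&2
  exit 1
fi
printf '%s\n\n\n%s\n\n\n%s\n\n' 'dgraph, ratel, and alpha are up!' 'Starting etl...' 'This could take a while to retrieve the data from Prisma Cloud'
# Fixed grace period for the containers to start listening. The compose file
# is not in view, so it is unknown whether a healthcheck exists to wait on.
sleep 5
bash ./etl.sh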
# Starter query the operator pastes into Ratel: VMs (first 100) with their
# network, block-storage, IAM and vulnerability edges. The delimiter is
# quoted because nothing in the query is meant to be expanded by the shell.
GRAPHQL_QUERY=$(cat <<'EOF'
{
vm(func: has(name), first: 100){
rrn
name
imageId
vpc_id: networkInterfaces {
vpcId
security_group: groups {
groupId
}
network_association: privateIpAddresses {
publicIp: association {
publicIp
}
}
}
blockDeviceMappings {
ebs_volume: ebs {
volumeId
}
}
iam_permissions: iam {
sourceCloudResourceRrn
sourceResourceName
destCloudServiceName
}
vulnerability {
normalizedName
}
}
}
EOF
)
# NOTE(review): Ratel is reached on localhost:8001 here, but the compose file
# is not in view — confirm the ratel/alpha ports are bound to 127.0.0.1 only,
# since the loaded data includes IAM relationships and vulnerability findings.
printf '\n\n\n%s\n\n%s\n\n\n%s\n\n\n%s\n\n' 'Ready! Open a browser and navigate to: http://localhost:8001/?local' \
  'Copy and paste the query below in the query section and then hit run:' \
  "$GRAPHQL_QUERY" \
  'Make sure to hit the expand all nodes and to look at the legend in the bottom. You can now start applying filters'
exit