Merge pull request #5 from DataDog/example-terratest-custom-aws-deton…

…ator

Add an example using Terratest and the AWS detonator

examples/README.md

@@ -69,4 +69,8 @@ Connection succeeded
     --- PASS: TestCWSAlertsV2/java_spawns_shell (20.12s)
     --- PASS: TestCWSAlertsV2/curl_to_metadata_service (20.24s)
 PASS
-```
+```
+
+## Using the custom AWS detonator and Terratest to prepare infrastructure
+
+See [custom-aws-detonator-terratest](./custom-aws-detonator-terratest).

examples/custom-aws-detonator-terratest/README.md

@@ -0,0 +1,18 @@
+This examples shows how to use Threatest with pre-requisite infrastructure spun up by 
+[Terratest](https://terratest.gruntwork.io/).
+
+Note that when the attack technique you want to simulate is supported by Stratus Red Team, 
+it is simpler to use the Stratus Red Team detonator. 
+However, the AWS Detonator allows you to detonate arbitrary code using the AWS SDK, for reproducing custom or more advanced attack techniques.
+
+The AWS detonator injects the detonation UUID inside of the AWS SDK user-agent, allowing to 
+correlate the alert with the detonation.
+
+In this test, we attempt to change the S3 bucket of a running CloudTrail trail, simulating
+an attacker who attempts to disrupt CloudTrail logging.
+
+You need Terraform installed to run this test.
+
+```
+go test -v ./custom_aws_detonator_with_terratest_test.go
+```

examples/custom-aws-detonator-terratest/custom_aws_detonator_with_terratest_test.go

@@ -0,0 +1,45 @@
+package examples
+
+import (
+	"context"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/service/cloudtrail"
+	. "github.com/datadog/threatest/pkg/threatest"
+	. "github.com/datadog/threatest/pkg/threatest/detonators"
+	. "github.com/datadog/threatest/pkg/threatest/matchers/datadog"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"time"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"testing"
+)
+
+func TestCustomAWSDetonatorWithTerratest(t *testing.T) {
+	// Step 1: Use terratest to spin up our pre-requisite infrastructure
+	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+		TerraformDir: "./terraform",
+	})
+	defer terraform.Destroy(t, terraformOptions)
+	terraform.InitAndApply(t, terraformOptions)
+	trailName := terraform.Output(t, terraformOptions, "cloudtrail_trail_name")
+
+	// Step 2: Test scenario
+	threatest := Threatest()
+
+	threatest.Scenario("stopping cloudtrail trail").
+		WhenDetonating(NewAWSDetonator(func(config aws.Config, _ uuid.UUID) error {
+			// Threatest automatically injects the detonation UUID inside the AWS SDK user-agent
+			// allowing to correlate the alert with the detonation
+			cloudtrailClient := cloudtrail.NewFromConfig(config)
+			cloudtrailClient.UpdateTrail(context.Background(), &cloudtrail.UpdateTrailInput{
+				Name:         aws.String(trailName),
+				S3BucketName: aws.String("nope"),
+			})
+			return nil
+		})).
+		Expect(DatadogSecuritySignal("AWS CloudTrail configuration modified")).
+		WithTimeout(15 * time.Minute)
+
+	assert.NoError(t, threatest.Run())
+}

examples/custom-aws-detonator-terratest/go.mod

@@ -0,0 +1,122 @@
+module github.com/datadog/threatest/examples/custom-aws-detonator-terratest
+
+require (
+	github.com/aws/aws-sdk-go-v2 v1.16.7
+	github.com/aws/aws-sdk-go-v2/service/cloudtrail v1.13.0
+	github.com/datadog/threatest v0.0.0-20220727103622-b9af76ea2391
+	github.com/google/uuid v1.3.0
+	github.com/gruntwork-io/terratest v0.40.18
+	github.com/stretchr/testify v1.7.0
+)
+
+require (
+	cloud.google.com/go v0.99.0 // indirect
+	cloud.google.com/go/storage v1.14.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute v1.0.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v0.4.0 // indirect
+	github.com/DataDog/datadog-api-client-go v1.14.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.40.56 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.1.0 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.10.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.14 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ec2 v1.26.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/iam v1.14.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.6.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.7.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.10.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/lambda v1.17.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/organizations v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rds v1.16.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/rolesanywhere v1.0.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.23.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.13.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.20.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.14.0 // indirect
+	github.com/aws/smithy-go v1.12.0 // indirect
+	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
+	github.com/datadog/stratus-red-team/v2 v2.2.3 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/go-logr/logr v1.2.0 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.1.1 // indirect
+	github.com/googleapis/gnostic v0.5.5 // indirect
+	github.com/hashicorp/errwrap v1.0.0 // indirect
+	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
+	github.com/hashicorp/go-getter v1.6.1 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-safetemp v1.0.0 // indirect
+	github.com/hashicorp/go-uuid v1.0.0 // indirect
+	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/hashicorp/hc-install v0.3.2 // indirect
+	github.com/hashicorp/hcl/v2 v2.9.1 // indirect
+	github.com/hashicorp/terraform-exec v0.15.0 // indirect
+	github.com/hashicorp/terraform-json v0.13.0 // indirect
+	github.com/imdario/mergo v0.3.12 // indirect
+	github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v0.0.0-20201106050909-4977a11b4351 // indirect
+	github.com/klauspost/compress v1.13.0 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/mitchellh/go-testing-interface v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/tmccombs/hcl2json v0.3.3 // indirect
+	github.com/ulikunitz/xz v0.5.8 // indirect
+	github.com/zclconf/go-cty v1.9.1 // indirect
+	go.opencensus.io v0.23.0 // indirect
+	golang.org/x/crypto v0.0.0-20220511200225-c6db032c6c88 // indirect
+	golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4 // indirect
+	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
+	golang.org/x/sys v0.0.0-20220517195934-5e4e11fc645e // indirect
+	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac // indirect
+	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
+	google.golang.org/api v0.63.0 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
+	google.golang.org/grpc v1.43.0 // indirect
+	google.golang.org/protobuf v1.27.1 // indirect
+	gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	k8s.io/api v0.23.3 // indirect
+	k8s.io/apimachinery v0.23.3 // indirect
+	k8s.io/client-go v0.23.3 // indirect
+	k8s.io/klog/v2 v2.30.0 // indirect
+	k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect
+	k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect
+	sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
+	sigs.k8s.io/yaml v1.2.0 // indirect
+)
+
+replace github.com/datadog/threatest v0.0.0-20220727103622-b9af76ea2391 => ../../
+
+go 1.18