CrowdStrike

crowdstrike

name: Source Plugin CrowdStrike Workflow

on:

pull_request:

paths:

- "plugins/source/crowdstrike/**"

- ".github/workflows/source_crowdstrike.yml"

push:

branches:

- main

paths:

- "plugins/source/crowdstrike/**"

- ".github/workflows/source_crowdstrike.yml"

jobs:

resolve-runner:

timeout-minutes: 5

runs-on: ubuntu-latest

outputs:

runner: ${{ steps.resolve.outputs.runner }}

steps:

- name: Check if should use large runner

id: large-runner

# We want to speed runs on the main branch which prime the cache

# We allow large runners only in this case to prevent forks from abusing them (it's enforced via runner groups access rules)

# IF YOU WANT TO USE A LARGE RUNNER YOU NEED TO ADD THE WORKFLOW TO THE `CloudQuery releases` GROUP IN https://github.com/organizations/cloudquery/settings/actions/runner-groups

if: github.event_name == 'push'

run: |

- name: Resolve runner

id: resolve

run: |

plugins-source-crowdstrike:

timeout-minutes: 30

name: "plugins/source/crowdstrike"

needs: [resolve-runner]

runs-on: ${{ needs.resolve-runner.outputs.runner }}

defaults:

run:

working-directory: ./plugins/source/crowdstrike

steps:

- uses: actions/checkout@v3

with:

fetch-depth: 2

- name: Set up Go 1.x

uses: actions/setup-go@v3

with:

go-version-file: plugins/source/crowdstrike/go.mod

cache: true

cache-dependency-path: plugins/source/crowdstrike/go.sum

- name: golangci-lint

uses: golangci/golangci-lint-action@v3

with:

version: v1.50.1

working-directory: plugins/source/crowdstrike

args: "--config ../../.golangci.yml"

- name: Get dependencies

run: go get -t -d ./...

- name: Build

run: go build .

- name: Test

run: make test

- name: gen

if: github.event_name == 'pull_request'

run: make gen

- name: Fail if generation updated files

if: github.event_name == 'pull_request'

run: test "$(git status -s | wc -l)" -eq 0

validate-release:

timeout-minutes: 30

needs: [resolve-runner]

runs-on: ${{ needs.resolve-runner.outputs.runner }}

env:

CGO_ENABLED: 0

steps:

- name: Checkout

if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'

uses: actions/checkout@v3

- uses: actions/cache@v3

if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'

with:

path: |

key: ${{ runner.os }}-go-1.19.3-release-cache-${{ hashFiles('plugins/source/crowdstrike/go.sum') }}

restore-keys: |

- name: Set up Go

if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'

uses: actions/setup-go@v3

with:

go-version-file: plugins/source/crowdstrike/go.mod

- name: Install GoReleaser

if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'

uses: goreleaser/goreleaser-action@v3

with:

distribution: goreleaser-pro

version: latest

install-only: true

- name: Run GoReleaser Dry-Run

if: startsWith(github.head_ref, 'release-please--branches--main--components') || github.event_name == 'push'

run: goreleaser release --snapshot --rm-dist --skip-validate --skip-publish --skip-sign -f ./plugins/source/crowdstrike/.goreleaser.yaml

env:

GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}

variables:

component: source/crowdstrike

binary: crowdstrike

project_name: plugins/source/crowdstrike

monorepo:

tag_prefix: plugins-source-crowdstrike-

dir: plugins/source/crowdstrike

includes:

- from_file:

# Relative to the directory Go Releaser is run from (which is the root of the repository)

path: ./plugins/.goreleaser.yaml

.PHONY: gen-mocks

gen-mocks:

go generate ./client/...

.PHONY: test

test:

go test -timeout 3m ./...

.PHONY: install-tools

install-tools:

@echo Installing tools from tools/tool.go

@cat tools/tool.go | grep _ | awk -F'"' '{print $$2}' | xargs -tI % go install %

.PHONY: install-hooks

install-hooks:

pre-commit install

.PHONY: gen-docs

gen-docs:

rm -rf ./docs/tables/*

go run main.go doc ./docs/tables

sed 's_(\(.*\))_(https://github.com/cloudquery/cloudquery/blob/main/plugins/source/crowdstrike/docs/tables/\1)_' docs/tables/README.md > ../../../website/pages/docs/plugins/sources/crowdstrike/tables.md

.PHONY: lint

lint:

golangci-lint run --config ../../.golangci.yml

.PHONY: gen-code

gen-code:

grep -rl '// Code generated by codegen; DO NOT EDIT.' resources/services/* | xargs rm

go run codegen/main.go

.PHONY: gen

gen: gen-code gen-docs

This plugin pulls information from CrowdStrike and loads it into any supported CloudQuery destination (e.g. PostgreSQL).

- [Tables](./docs/tables/README.md)

In order to fetch information from CrowdStrike, `cloudquery` needs to be authenticated. A client id and secret is required for authentication. Follow [these steps](https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/) to set these up. Note that you will also need to enlist the client to have the appropriate scope for what you want to query.

To configure CloudQuery to extract from CrowdStrike, create a `.yml` file in your CloudQuery configuration directory.

For example, the following configuration will extract information from CrowdStrike, and connect it to a `postgresql` destination plugin

kind: source

spec:

# Source spec section

name: crowdstrike

path: cloudquery/crowdstrike

version: "0.0.1" # latest version of crowdstrike plugin

tables: ["*"]

destinations: ["postgresql"]

spec:

client_id: <CLIENT_ID>

client_secret: <CLIENT_SECRET>

package client

import (

"context"

"errors"

"fmt"

"os"

"github.com/cloudquery/plugin-sdk/schema"

"github.com/cloudquery/plugin-sdk/specs"

"github.com/crowdstrike/gofalcon/falcon"

"github.com/rs/zerolog"

"github.com/rs/zerolog/log"

)

type Client struct {

logger zerolog.Logger

spec specs.Source

Services Services

}

type Services struct {

Incidents Incidents

Alerts Alerts

}

func (*Client) Logger() *zerolog.Logger {

return &log.Logger

}

func (c *Client) ID() string {

return c.spec.Name

}

func New(ctx context.Context, logger zerolog.Logger, s specs.Source) (schema.ClientMeta, error) {

crowdStrikeSpec := &Spec{}

if err := s.UnmarshalSpec(&crowdStrikeSpec); err != nil {

return nil, fmt.Errorf("failed to unmarshal CrowdStrike spec: %w", err)

}

clientId, ok := os.LookupEnv("FALCON_CLIENT_ID")

if !ok {

if crowdStrikeSpec.ClientID == "" {

return nil, errors.New("missing FALCON_CLIENT_ID, either set it as an environment variable or pass it in the configuration")

}

clientId = crowdStrikeSpec.ClientID

}

secret, ok := os.LookupEnv("FALCON_CLIENT_SECRET")

if !ok {

if crowdStrikeSpec.ClientID == "" {

return nil, errors.New("missing FALCON_CLIENT_SECRET, either set it as an environment variable or pass it in the configuration")

}

secret = crowdStrikeSpec.ClientSecret

}

c, err := falcon.NewClient(&falcon.ApiConfig{

ClientId: clientId,

ClientSecret: secret,

Context: ctx,

})

if err != nil {

return nil, err

}

return &Client{

logger: logger,

Services: Services{

Incidents: c.Incidents,

Alerts: c.Alerts,

},

spec: s,

}, nil

}