Cloudquery is silently missing resources

[dancrumb]

Describe the bug

When I run cloudquery fetch, I expect it to fetch all resources it can.

For instance, I see in the logs

{"level":"info","instance_id":"37cccfe8-c7d4-4e99-b6bf-67af116f01d9","@module":"aws","Region":"us-east-1","account_id":"2265xxxxxxxx","client_id":"aws_ec2_security_groups:2265xxxxxxxx:us-east-1","count":0,"table":"aws_ec2_security_groups","timestamp":"2022-05-26T09:54:02.352-0500","time":"2022-05-26T09:54:02-05:00","message":"fetched successfully"}

However, this account has 92 security groups in that region.

The DB, accordingly, does not contain these groups.

I see this across multiple accounts and regions. I imagine that it also exists for different resources

Expected Behavior

Cloudquery should fetch all resources or show errors if it cannot

Steps to Reproduce

// Configuration AutoGenerated by CloudQuery CLI
cloudquery {
  plugin_directory = "./cq/providers"
  policy_directory = "./cq/policies"

  provider "aws" {
    version = "latest"
  }

  connection {
    username = "postgres"
    password = "pass"
    host     = "localhost"
    port     = 5432
    database = "postgres"
    sslmode  = "disable"
  }
}

// All Provider Configurations

provider "aws" {
  configuration {
    org {
      member_role_name = "CloudQueryFetchRole"
      admin_account "admin" {
        local_profile = "org"
      }
    }
  }

  // list of resources to fetch
  resources = [
    // just the default resources, but I'm showing that we definitely have security groups
    "ec2.security_groups",
    // ...
  ]
}

// Module Configurations
modules {
  // drift configuration block
  drift "drift-example" {
    // state block defines from where to access the state
    terraform {
      // backend: "local" or "s3"
      backend = "local"

      // local backend options
      // files: list of tfstate files
      files = ["/path/to.tfstate"]
    }
  }
}

Then (once the DB is up and running), just run cloudquery fetch

Possible Solution

No response

Provider and CloudQuery version

CQ: 0.24.0, AWS: 0.12.0

Additional Context

No response

[bbernays]

@dancrumb Can you run cloudquery fetch -v this will enable verbose mode. When I run CloudQuery on my AWS account with a role that has no access to the following permissions:

- ec2:DescribeSecurityGroups
- ec2:DescribeSecurityGroupRules
- ec2:DescribeTags

I get a log output of this:

{"level":"info","instance_id":"e1dd1453-f8ca-45b2-b351-3656abfb074a","@module":"aws","Region":"us-east-2","account_id":"6157xxxxxxxx","client_id":"aws_ec2_security_groups:6157xxxxxxxx:us-east-2","count":0,"table":"aws_ec2_security_groups","timestamp":"2022-05-26T17:20:28.580-0400","time":"2022-05-26T17:20:28-04:00","message":"fetched successfully"}

While when I have the -v argument I get the following errors:

{"level":"debug","instance_id":"f657d4da-241f-43c9-8d67-0c91ef28be72","@module":"aws","Region":"us-east-1","account_id":"6157xxxxxxxx","client_id":"aws_ec2_security_groups:6157xxxxxxxx:us-east-1","err":"error at github.com/cloudquery/cq-provider-aws/resources/services/ec2.fetchEc2SecurityGroups[security_groups.go:238] operation error EC2: DescribeSecurityGroups, https response error StatusCode: 403, RequestID: d98d8ea1-d820-468a-9778-dfedb4aabe18, api error UnauthorizedOperation: You are not authorized to perform this operation.","table":"aws_ec2_security_groups","timestamp":"2022-05-26T17:25:04.298-0400","time":"2022-05-26T17:25:04-04:00","message":"ignored an error"}

[dancrumb]

Thanks! Running that now.

While I am, is there a recommended IAM policy that you use? I am currently using ReadOnlyAccess that comes from AWS, but I think it might be missing some important permission. I certainly see some warnings about XRay permissions.

[bbernays]

ReadOnlyAccess is definitely the correct policy to use. I see that you are using the AWS Orgs feature. Is the ReadOnlyAccess policy attached to each of the roles in each account?

[dancrumb]

OK - so it turns out there was a Service Control Policy that I had forgotten about which was preventing a bunch of actions.

I'm curious if the logging can be tweaked to find a middle ground whereby permissions errors could be better highlighted without need to do verbose logging?

Just a thought... otherwise you can close this if you wish.

Thanks for your help!

[bbernays]

Thank you very much for following up on this issue and I am glad we found the source of the missing resources in your DB.

Yes we will definitely look into how we can surface more of those issues without requiring the -v argument. I am going to open a new issue around improving logging/ communication of permission errors.