
AWS Config has a set of managed rules, and I am trying to use the Golang AWS SDK's DescribeConfigRules API to retrieve the list of AWS Config managed rule names and other details.

It seems that each request returns a response with 25 rules and a NextToken for the next set of results. What I can't figure out is how to use this NextToken to retrieve the next set of results?

Here is what I have so far.

package main

import (
    "fmt"
    "log"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/credentials"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/configservice"
)

func main() {

    // Create an AWS session from a named shared-credentials profile
    sess, err := session.NewSession(&aws.Config{Region: aws.String("us-west-2"), Credentials: credentials.NewSharedCredentials("", "my-aws-profile")})
    if err != nil {
        log.Fatal(err)
    }

    // Create a ConfigService client from just a session.
    configsvc := configservice.New(sess)

    // A nil input asks for all rules; the generated SDK code substitutes an empty input
    rules := (*configservice.DescribeConfigRulesInput)(nil)

    configrulesoutput, err := configsvc.DescribeConfigRules(rules)
    if err != nil {
        log.Fatal(err)
    }

    for _, rule := range configrulesoutput.ConfigRules {
        fmt.Println("Rule: ", *rule.ConfigRuleName)
    }
}

The above code successfully prints the first 25 rules received in the response. But I am not sure how to use the NextToken received in the response to get the next set of results.

Sample response.

{
  ConfigRules: [
    {
      ConfigRuleArn: "ConfigRuleARN",
      ConfigRuleId: "config-rule-ppwclr",
      ConfigRuleName: "cloudtrail-enabled",
      ConfigRuleState: "ACTIVE",
      Description: "Checks whether AWS CloudTrail is enabled in your AWS account. Optionally, you can specify which S3 bucket, SNS topic, and Amazon CloudWatch Logs ARN to use.",
      InputParameters: "{}",
      MaximumExecutionFrequency: "TwentyFour_Hours",
      Source: {
        Owner: "AWS",
        SourceIdentifier: "CLOUD_TRAIL_ENABLED"
      }
    },
    { Rule 2 }, ....{ Rule 25}
  ],
  NextToken: "nexttoken"
}

The code extracts the rule names from the response and outputs the following.

Rule:  cloudtrail-enabled
Rule:  restricted-ssh
Rule:  securityhub-access-keys-rotated
Rule:  securityhub-autoscaling-group-elb-healthcheck-required
Rule:  securityhub-cloud-trail-cloud-watch-logs-enabled
Rule:  securityhub-cloud-trail-encryption-enabled
Rule:  securityhub-cloud-trail-log-file-validation-enabled
Rule:  securityhub-cloudtrail-enabled
Rule:  securityhub-cmk-backing-key-rotation-enabled
Rule:  securityhub-codebuild-project-envvar-awscred-check
Rule:  securityhub-codebuild-project-source-repo-url-check
Rule:  securityhub-ebs-snapshot-public-restorable-check
Rule:  securityhub-ec2-managedinstance-patch-compliance
Rule:  securityhub-ec2-security-group-attached-to-eni
Rule:  securityhub-eip-attached
Rule:  securityhub-elasticsearch-encrypted-at-rest
Rule:  securityhub-elasticsearch-in-vpc-only
Rule:  securityhub-iam-password-policy-ensure-expires
Rule:  securityhub-iam-password-policy-lowercase-letter-check
Rule:  securityhub-iam-password-policy-minimum-length-check
Rule:  securityhub-iam-password-policy-number-check
Rule:  securityhub-iam-password-policy-prevent-reuse-check
Rule:  securityhub-iam-password-policy-symbol-check
Rule:  securityhub-iam-password-policy-uppercase-letter-check
Rule:  securityhub-iam-policy-no-statements-with-admin-access

End goal: using the golang AWS SDK, extract the AWS Config managed rule details and put them into Excel format using Excelize, to review which AWS Config rules we would like to enable.

Thanks in advance for your help.

--- New, based on @Adrian's comment and documentation reference ---

According to the documentation

type DescribeConfigRulesInput struct {

    // The names of the AWS Config rules for which you want details. If you do not
    // specify any names, AWS Config returns details for all your rules.
    ConfigRuleNames []*string `type:"list"`

    // The nextToken string returned on a previous page that you use to get the
    // next page of results in a paginated response.
    NextToken *string `type:"string"`
    // contains filtered or unexported fields
}

So this is what I am trying. Specifying nil should give me all the rules. nextToken is a blank string for the first call.

configsvc := configservice.New(sess)
rules := (*configservice.DescribeConfigRulesInput)(nil)
nextToken := ""
rules.SetNextToken(nextToken)
getConfigRulesFunc(configsvc, rules)

// getConfigRulesFunc function

func getConfigRulesFunc(cfgsvc *configservice.ConfigService, ruleset *configservice.DescribeConfigRulesInput) {

    configrulesoutput, err := cfgsvc.DescribeConfigRules(ruleset)

    if err != nil {
        log.Fatal(err)
    }

    for i, r := range configrulesoutput.ConfigRules {
        fmt.Println("Rule: ", i, ""+*r.ConfigRuleName)
    }

    if *configrulesoutput.NextToken != "" {
        ruleset := (*configservice.DescribeConfigRulesInput)(nil)
        ruleset.SetNextToken(*configrulesoutput.NextToken)
        getConfigRulesFunc(cfgsvc, ruleset)
    }

}

The code above compiles fine, but here I believe the runtime error is because of the nil.

configsvc type: *configservice.ConfigService
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x13c7ed2]

goroutine 1 [running]:
github.com/aws/aws-sdk-go/service/configservice.(*DescribeConfigRulesInput).SetNextToken(...)
    /Users/user/go/src/github.com/aws/aws-sdk-go/service/configservice/api.go:12230
main.main()
    /Users/user/golang/awsgotest/awsgotest.go:26 +0x232

2 Answers

OK, finally solved this with the help of a very kind Alex Diehl via this ticket on the official aws-sdk-go repository: https://github.com/aws/aws-sdk-go/issues/3293

I would still say the aws sdk for go is definitely missing simple configservice examples, at least as far as recommended usage goes.

Here is the code that works. This will also show how to use a simple recursive function in go to paginate through api results that span multiple pages using NextToken, especially for apis that don't have a built-in paginator.

Also note that the DescribeConfigRules API does not list all AWS Managed Config Rules, only the Config rules that are enabled for your account.

package main

import (
    "fmt"
    "log"

    "github.com/aws/aws-sdk-go/aws"
    "github.com/aws/aws-sdk-go/aws/credentials"
    "github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/configservice"
)

var i int = 0

func main() {
    sess, err := session.NewSession(&aws.Config{Region: aws.String("us-west-2"), Credentials: credentials.NewSharedCredentials("", "my-profile")})
    if err != nil {
        log.Fatal(err)
    }

    //Create a ConfigService client from just a session.
    configsvc := configservice.New(sess)
    fmt.Printf("configsvc type: %T\n", configsvc)
    rules := &configservice.DescribeConfigRulesInput{}
    getConfigRulesFunc(configsvc, rules)
}

func getConfigRulesFunc(cfgsvc *configservice.ConfigService, ruleset *configservice.DescribeConfigRulesInput) {

    configrulesoutput, err := cfgsvc.DescribeConfigRules(ruleset)

    if err != nil {
        log.Fatal(err)
    }

    for _, r := range configrulesoutput.ConfigRules {
        fmt.Println("Rule: ", i, ""+*r.ConfigRuleName)
        i = i + 1
    }

    if configrulesoutput.NextToken != nil {
        fmt.Println("In if nexttoken is not empty")
        fmt.Println("Print NextToken: ", *configrulesoutput.NextToken)
        ruleset := &configservice.DescribeConfigRulesInput{}
        ruleset.SetNextToken(*configrulesoutput.NextToken)
        getConfigRulesFunc(cfgsvc, ruleset)
    }

}

The code in bold is what gave me grief about how to use NextToken, at least based on best practice for the go sdk for aws.

Answered 2020-04-30T01:36:58.347
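Added example, not code from the question, the answer or the aws-sdk-go project: the same NextToken pagination written as an iterative loop over a small interface. The types `ConfigRule`, `DescribeConfigRulesInput`, `DescribeConfigRulesOutput`, the `Describer` interface and the `fakeClient` are local stand-ins that mirror the SDK's field names (assumptions, not the SDK itself), so the block runs offline against constructed pages. It goes beyond the recursive answer on purpose: it tests NextToken for nil before dereferencing it (the source of the panic in the question's second attempt), stops on a nil or empty token, refuses a token it has already used, caps the number of pages, and returns the rules as a slice for later export instead of printing from a global counter. `CountByOwner` splits the inventory by the stand-in `SourceOwner` field (the SDK's `Source.Owner`) so a reviewer can see managed versus custom rules at a glance.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the SDK types (assumption: same field names and pointer
// semantics as aws-sdk-go v1 configservice, but they are not the SDK itself).
type ConfigRule struct {
	ConfigRuleName *string
	SourceOwner    *string // stand-in for Source.Owner: "AWS" or "CUSTOM_LAMBDA"
}
type DescribeConfigRulesInput struct{ NextToken *string }
type DescribeConfigRulesOutput struct {
	ConfigRules []*ConfigRule
	NextToken   *string
}

// Describer is the one method the pager needs; with the real types a *configservice.ConfigService would satisfy it.
type Describer interface {
	DescribeConfigRules(*DescribeConfigRulesInput) (*DescribeConfigRulesOutput, error)
}

const maxPages = 1000 // bound the loop so a misbehaving service cannot spin it forever

// ListAllConfigRules walks every page iteratively (no recursion, no globals) and
// returns the complete inventory of rules enabled in the account.
func ListAllConfigRules(c Describer) ([]*ConfigRule, error) {
	var all []*ConfigRule
	seen := make(map[string]bool)
	in := &DescribeConfigRulesInput{} // first request carries no token
	for page := 1; page <= maxPages; page++ {
		out, err := c.DescribeConfigRules(in)
		if err != nil {
			return nil, fmt.Errorf("page %d: %w", page, err)
		}
		all = append(all, out.ConfigRules...)
		// NextToken is nil on the last page: test it before dereferencing (dereferencing
		// it blindly is what panics in the question's second attempt).
		if out.NextToken == nil || *out.NextToken == "" {
			return all, nil
		}
		if seen[*out.NextToken] {
			return nil, errors.New("service returned a NextToken that was already used")
		}
		seen[*out.NextToken] = true
		in = &DescribeConfigRulesInput{NextToken: out.NextToken}
	}
	return nil, fmt.Errorf("gave up after %d pages", maxPages)
}

// CountByOwner summarises the inventory by rule owner (AWS managed vs custom).
func CountByOwner(rules []*ConfigRule) map[string]int {
	counts := make(map[string]int)
	for _, r := range rules {
		owner := "UNKNOWN"
		if r.SourceOwner != nil {
			owner = *r.SourceOwner
		}
		counts[owner]++
	}
	return counts
}

// fakeClient serves constructed pages keyed by the token that requests them.
type fakeClient struct{ pages map[string]*DescribeConfigRulesOutput }

func (f *fakeClient) DescribeConfigRules(in *DescribeConfigRulesInput) (*DescribeConfigRulesOutput, error) {
	key := ""
	if in != nil && in.NextToken != nil {
		key = *in.NextToken
	}
	if out, ok := f.pages[key]; ok {
		return out, nil
	}
	return nil, errors.New("InvalidNextTokenException (constructed)")
}

func str(s string) *string { return &s }
func rule(name, owner string) *ConfigRule {
	return &ConfigRule{ConfigRuleName: str(name), SourceOwner: str(owner)}
}

// NewSampleClient returns three constructed pages: "" -> "page-2" -> "page-3" -> end.
func NewSampleClient() *fakeClient {
	return &fakeClient{pages: map[string]*DescribeConfigRulesOutput{
		"":       {ConfigRules: []*ConfigRule{rule("cloudtrail-enabled", "AWS"), rule("restricted-ssh", "AWS")}, NextToken: str("page-2")},
		"page-2": {ConfigRules: []*ConfigRule{rule("securityhub-eip-attached", "AWS"), rule("my-custom-check", "CUSTOM_LAMBDA")}, NextToken: str("page-3")},
		"page-3": {ConfigRules: []*ConfigRule{rule("securityhub-iam-password-policy-symbol-check", "AWS")}}, // nil NextToken: last page
	}}
}

// NewLoopingClient returns a constructed client whose second page points back at itself.
func NewLoopingClient() *fakeClient {
	return &fakeClient{pages: map[string]*DescribeConfigRulesOutput{"": {NextToken: str("again")}, "again": {NextToken: str("again")}}}
}

func main() {
	rules, err := ListAllConfigRules(NewSampleClient())
	fmt.Println(len(rules), "rules, err:", err, "by owner:", CountByOwner(rules))
}
```

To use this against the real service, swap the stand-in types for the `configservice` ones and pass `configservice.New(sess)` as the `Describer`; the loop body stays the same. Returning a slice rather than printing inside the pager is what makes the later Excelize export straightforward.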

FYI, you can check the AWS Go guide, as there is a section about pagination: https://docs.aws.amazon.com/sdk-for-go/v1/developer-guide/making-requests.html#using-pagination-methods

Answered 2020-04-30T13:55:20.393