✨ Update to cnspec v9

Signed-off-by: Christian Zunker <[email protected]>

.github/workflows/pr-test-lint.yaml

@@ -9,7 +9,7 @@ on:
       - 'go.sum'
 
 env:
-  GO_VERSION: '1.20'
+  GO_VERSION: '1.21'
 
 jobs:
   goreleaser:

.github/workflows/release.yaml

@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.21'
           cache: false
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v4

Makefile

@@ -5,14 +5,40 @@ COUNT?=1
 TEST?=$(shell go list ./...)
 HASHICORP_PACKER_PLUGIN_SDK_VERSION?=$(shell go list -m github.com/hashicorp/packer-plugin-sdk | cut -d " " -f2)
 
+ifndef LATEST_VERSION_TAG
+# echo "read LATEST_VERSION_TAG from git"
+LATEST_VERSION_TAG=$(shell git describe --abbrev=0 --tags)
+endif
+
+ifndef MANIFEST_VERSION
+# echo "read MANIFEST_VERSION from git"
+MANIFEST_VERSION=$(shell git describe --abbrev=0 --tags)
+endif
+
+ifndef TAG
+# echo "read TAG from git"
+TAG=$(shell git log --pretty=format:'%h' -n 1)
+endif
+
+ifndef VERSION
+# echo "read VERSION from git"
+VERSION=${LATEST_VERSION_TAG}+$(shell git rev-list --count HEAD)
+endif
+
 .PHONY: dev
 
 build:
-	CGO_ENABLED=0 go build -o ${BINARY} -ldflags="-X go.mondoo.com/packer-plugin-cnspec/version.Version=0.0.0 -X go.mondoo.com/packer-plugin-cnspec/version.Build=dev"
+	CGO_ENABLED=0 go build -o ${BINARY} -ldflags="-X go.mondoo.com/packer-plugin-cnspec/version.Version=${VERSION} -X go.mondoo.com/packer-plugin-cnspec/version.Build=${TAG}"
 
 dev: build
 	@mkdir -p ~/.packer.d/plugins/
 	@mv ${BINARY} ~/.packer.d/plugins/${BINARY}
+
+.PHONY: dev/linux
+dev/linux: build
+	@mkdir -p ~/.packer.d/plugins/github.com/mondoohq/cnspec/
+	@mv ${BINARY} ~/.packer.d/plugins/github.com/mondoohq/cnspec/${BINARY}_v${VERSION}_x5.0_linux_amd64
+	@cat ~/.packer.d/plugins/github.com/mondoohq/cnspec/packer-plugin-cnspec_v${VERSION}_x5.0_linux_amd64 | sha256sum -z --tag | cut -d"=" -f2 | tr -d " " > ~/.packer.d/plugins/github.com/mondoohq/cnspec/packer-plugin-cnspec_v${VERSION}_x5.0_linux_amd64_SHA256SUM
 
 test:
 	@go test -race -count $(COUNT) $(TEST) -timeout=3m

README.md

@@ -17,7 +17,7 @@ Packer plugin cnspec is designed to work in one of two modes:
 
 Check out the Packer tutorials on the Mondoo documentation site:
 
-- [Building secure AMIs with Mondoo and Packer]([https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/)
+- [Building secure AMIs with Mondoo and Packer](https://mondoo.com/docs/cnspec/cnspec-aws/cnspec-aws-packer/)
 - [Building secure VM images in Google Cloud with cnspec and HashiCorp Packer](https://mondoo.com/docs/cnspec/cnspec-gcp/cnspec-gcp-packer/) 
 
 # Installation

examples/packer-docker/docker-ubuntu.pkr.hcl

@@ -0,0 +1,49 @@
+# Copyright (c) Mondoo, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+packer {
+  required_plugins {
+    docker = {
+      version = ">= 0.0.7"
+      source = "github.com/hashicorp/docker"
+    }
+    cnspec = {
+      version = ">= 9.0.0"
+      source  = "github.com/mondoohq/cnspec"
+    }
+  }
+}
+
+variable "image_prefix" {
+  type        = string
+  description = "Prefix to be applied to image name"
+  default     = "mondoo-gcp-ubuntu-2004-secure-base"
+}
+
+locals { timestamp = regex_replace(timestamp(), "[- TZ:]", "") }
+
+source "docker" "ubuntu" {
+  image  = "ubuntu:jammy"
+  commit = true
+}
+
+build {
+  name    = "mondoo-docker-ubuntu-2204-secure-base"
+  sources = [
+    "source.docker.ubuntu"
+  ]
+
+  provisioner "shell" {
+    inline = [
+      "echo \"${var.image_prefix}-${local.timestamp}\" > /etc/hostname",
+    ]
+  }
+
+  provisioner "cnspec" {
+    on_failure = "continue"
+    asset_name = "${var.image_prefix}-${local.timestamp}"
+    annotations = {
+      Name          = "${var.image_prefix}-${local.timestamp}"
+    }
+  }
+}

provisioner/provisioner.go

@@ -26,21 +26,18 @@ import (
 	"github.com/hashicorp/packer-plugin-sdk/template/config"
 	"github.com/hashicorp/packer-plugin-sdk/template/interpolate"
 	"github.com/mitchellh/mapstructure"
-	"github.com/spf13/afero"
 	"github.com/spf13/viper"
-	config_loader "go.mondoo.com/cnquery/cli/config"
-	"go.mondoo.com/cnquery/logger"
-	"go.mondoo.com/cnquery/motor/asset"
-	inventory "go.mondoo.com/cnquery/motor/inventory/v1"
-	"go.mondoo.com/cnquery/motor/providers"
-	"go.mondoo.com/cnquery/motor/vault"
-	"go.mondoo.com/cnquery/upstream"
-	cnspec_config "go.mondoo.com/cnspec/apps/cnspec/cmd/config"
-	"go.mondoo.com/cnspec/cli/reporter"
-	"go.mondoo.com/cnspec/policy"
-	"go.mondoo.com/cnspec/policy/scan"
+	config_loader "go.mondoo.com/cnquery/v9/cli/config"
+	"go.mondoo.com/cnquery/v9/logger"
+	"go.mondoo.com/cnquery/v9/providers"
+	"go.mondoo.com/cnquery/v9/providers-sdk/v1/inventory"
+	"go.mondoo.com/cnquery/v9/providers-sdk/v1/upstream"
+	"go.mondoo.com/cnquery/v9/providers-sdk/v1/vault"
+	cnspec_config "go.mondoo.com/cnspec/v9/apps/cnspec/cmd/config"
+	"go.mondoo.com/cnspec/v9/cli/reporter"
+	"go.mondoo.com/cnspec/v9/policy"
+	"go.mondoo.com/cnspec/v9/policy/scan"
 	"go.mondoo.com/packer-plugin-cnspec/version"
-	"go.mondoo.com/ranger-rpc"
 	"golang.org/x/crypto/ssh"
 )
 
@@ -330,21 +327,21 @@ func (p *Provisioner) ConfigSpec() hcldec.ObjectSpec {
 
 func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) error {
 
-	assetConfig := &providers.Config{
-		Backend: providers.ProviderType_UNKNOWN,
+	assetConfig := &inventory.Config{
+		Type:    "unkown",
 		Options: map[string]string{},
 	}
 
 	if p.config.Sudo != nil && p.config.Sudo.Active {
 		ui.Message("activated sudo")
-		assetConfig.Sudo = &providers.Sudo{
+		assetConfig.Sudo = &inventory.Sudo{
 			Active: p.config.Sudo.Active,
 		}
 	}
 
 	if p.buildInfo.ConnType == "" || p.buildInfo.ConnType == "ssh" {
 		ui.Message("detected packer build via ssh")
-		assetConfig.Backend = providers.ProviderType_SSH
+		assetConfig.Type = "ssh"
 		assetConfig.Host = p.buildInfo.Host
 		assetConfig.Port = int32(p.buildInfo.Port)
 		assetConfig.Insecure = true // we do not check the hostkey for the packer build
@@ -377,15 +374,15 @@ func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) erro
 		}
 	} else if p.buildInfo.ConnType == "winrm" {
 		ui.Message("detected packer build via winrm")
-		assetConfig.Backend = providers.ProviderType_WINRM
+		assetConfig.Type = "winrm"
 		assetConfig.Host = p.buildInfo.Host
 		assetConfig.Port = int32(p.buildInfo.Port)
 		assetConfig.Insecure = true // we do not check the hostkey for the packer build
 		cred := vault.NewPasswordCredential(p.buildInfo.User, p.buildInfo.Password)
 		assetConfig.Credentials = append(assetConfig.Credentials, cred)
 	} else if p.buildInfo.ConnType == "docker" {
 		ui.Message("detected packer container image build")
-		assetConfig.Backend = providers.ProviderType_DOCKER
+		assetConfig.Type = "docker-container"
 		// buildInfo.ID containers the docker container image id
 		assetConfig.Host = fmt.Sprintf("%s", p.buildInfo.ID)
 	} else {
@@ -417,9 +414,9 @@ func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) erro
 	}
 
 	// build configuration
-	conf := inventory.New(inventory.WithAssets(&asset.Asset{
+	conf := inventory.New(inventory.WithAssets(&inventory.Asset{
 		Name:        p.config.AssetName,
-		Connections: []*providers.Config{assetConfig},
+		Connections: []*inventory.Config{assetConfig},
 		Annotations: p.config.Annotations,
 		Labels: map[string]string{
 			"packer.io/buildname": p.config.PackerBuildName,
@@ -477,13 +474,12 @@ func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) erro
 		if p.config.MondooConfigPath != "" {
 			paths = append(paths, p.config.MondooConfigPath)
 		} else {
-			config_loader.AppFs = afero.NewOsFs() // TODO fix in config_loader package, this should not be here
-			homeConfig, exists, err := config_loader.HomePath()
-			if err == nil && exists {
+			homeConfig, err := config_loader.HomePath(config_loader.DefaultConfigFile)
+			if err == nil && homeConfig != "" {
 				paths = append(paths, homeConfig)
 			}
 
-			if path, ok := config_loader.SystemPath(); ok {
+			if path := config_loader.SystemConfigPath(config_loader.DefaultConfigFile); path != "" {
 				paths = append(paths, path)
 			}
 		}
@@ -528,7 +524,7 @@ func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) erro
 	var err error
 	if p.config.Incognito {
 		ui.Message("scan packer build in incognito mode")
-		scanService := scan.NewLocalScanner()
+		scanService := scan.NewLocalScanner(scan.WithRecording(providers.NullRecording{}))
 		result, err = scanService.RunIncognito(context.Background(), scanJob)
 		if err != nil {
 			return err
@@ -545,15 +541,14 @@ func (p *Provisioner) executeCnspec(ui packer.Ui, comm packer.Communicator) erro
 		serviceAccount := cfg.GetServiceCredential()
 		if serviceAccount != nil {
 			ui.Message("using service account credentials")
-			scannerOpts = append(scannerOpts, scan.WithUpstream(cfg.UpstreamApiEndpoint(), cfg.GetParentMrn(), ranger.DefaultHttpClient()))
-			certAuth, err := upstream.NewServiceAccountRangerPlugin(serviceAccount)
-			if err != nil {
-				ui.Error("could not create service account plugin: " + err.Error())
-				return err
+			upstreamConfig := &upstream.UpstreamConfig{
+				SpaceMrn:    cfg.GetParentMrn(),
+				ApiEndpoint: cfg.UpstreamApiEndpoint(),
+				Creds:       serviceAccount,
 			}
-			plugins := []ranger.ClientPlugin{certAuth}
-			scannerOpts = append(scannerOpts, scan.WithPlugins(plugins))
+			scannerOpts = append(scannerOpts, scan.WithUpstream(upstreamConfig))
 		}
+		scannerOpts = append(scannerOpts, scan.WithRecording(providers.NullRecording{}))
 
 		ui.Message("scan packer build")
 		scanService := scan.NewLocalScanner(scannerOpts...)