update(plugins/cloudtrail): Make our default interval ""

Make our default interval "" (which fetches all logs) instead of "24h". Signed-off-by: Gerald Combs <[email protected]>
falcosecurity · Jul 14, 2023 · 0da7894 · 0da7894
1 parent 07d11f2
commit 0da7894
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 13 deletions.
diff --git a/plugins/cloudtrail/pkg/cloudtrail/config.go b/plugins/cloudtrail/pkg/cloudtrail/config.go
@@ -19,7 +19,7 @@ package cloudtrail
 // Struct for plugin init config
 type PluginConfig struct {
 	S3DownloadConcurrency int             `json:"s3DownloadConcurrency" jsonschema:"title=S3 download concurrency,description=Controls the number of background goroutines used to download S3 files (Default: 32),default=32"`
-	S3Interval            string          `json:"s3Interval" jsonschema:"title=S3 log interval,description=Download log files over the specified interval (Default: 24h),default=24h"`
+	S3Interval            string          `json:"s3Interval" jsonschema:"title=S3 log interval,description=Download log files over the specified interval (Default: no interval),default="`
 	SQSDelete             bool            `json:"sqsDelete" jsonschema:"title=Delete SQS messages,description=If true then the plugin will delete SQS messages from the queue immediately after receiving them (Default: true),default=true"`
 	UseAsync              bool            `json:"useAsync" jsonschema:"title=Use async extraction,description=If true then async extraction optimization is enabled (Default: true),default=true"`
 	UseS3SNS              bool            `json:"useS3SNS" jsonschema:"title=Use S3 SNS,description=If true then the plugin will expect SNS messages to originate from S3 instead of directly from Cloudtrail (Default: false),default=false"`
@@ -30,7 +30,7 @@ type PluginConfig struct {
 func (p *PluginConfig) Reset() {
 	p.SQSDelete = true
 	p.S3DownloadConcurrency = 32
-	p.S3Interval = "24h"
+	p.S3Interval = ""
 	p.UseAsync = true
 	p.UseS3SNS = false
 	p.AWS.Reset()

diff --git a/plugins/cloudtrail/pkg/cloudtrail/interval.go b/plugins/cloudtrail/pkg/cloudtrail/interval.go
@@ -69,7 +69,7 @@ func ParseInterval(interval string) (time.Time, time.Time, error) {
 		if err == nil {
 			endTime, err = parseEndpoint(matches[2])
 		}
-	} else {
+	} else if interval != "" {
 		startTime, err = parseEndpoint(interval)
 	}
 	return startTime, endTime, err

diff --git a/plugins/cloudtrail/pkg/cloudtrail/source.go b/plugins/cloudtrail/pkg/cloudtrail/source.go
@@ -182,6 +182,7 @@ func (oCtx *PluginInstance) openS3(input string) error {
 	var inputParams []listOrigin
 	ctx := context.Background()
 
+	// XXX Make empty mean no startTime.
 	startTime, endTime, err := ParseInterval(oCtx.config.S3Interval)
 	if err != nil {
 		return fmt.Errorf(PluginName + " invalid interval: \"%s\": %s", oCtx.config.S3Interval, err.Error())
@@ -194,7 +195,6 @@ func (oCtx *PluginInstance) openS3(input string) error {
 	// here, then trim individual filepaths below.
 
 	intervalPrefix := prefix
-	startAfterSuffix := startTime.Format("2006/01/02/")
 
 	// For durations, carve out a special case for "Copy S3 URI" in the AWS console, which gives you
 	// bucket_name/prefix_name/AWSLogs/<Account ID>/
@@ -216,9 +216,13 @@ func (oCtx *PluginInstance) openS3(input string) error {
 		})
 		if err == nil {
 			for _, commonPrefix := range output.CommonPrefixes {
-				// startAfter doesn't have to be a real key.
-				startAfter := *commonPrefix.Prefix + startAfterSuffix
-				params := listOrigin {prefix: commonPrefix.Prefix, startAfter: &startAfter}
+				params := listOrigin {prefix: commonPrefix.Prefix}
+				if !startTime.IsZero() {
+					// startAfter doesn't have to be a real key.
+					startAfterSuffix := startTime.Format("2006/01/02/")
+					startAfter := *commonPrefix.Prefix + startAfterSuffix
+					params.startAfter = &startAfter
+				}
 				inputParams = append(inputParams, params)
 			}
 		}
@@ -229,12 +233,14 @@ func (oCtx *PluginInstance) openS3(input string) error {
 	var endTS string
 
 	if len(inputParams) > 0 {
-		startTS = startTime.Format("20060102T0304")
-		if !endTime.IsZero() {
-			endTS = endTime.Format("20060102T0304")
-			if endTS < startTS {
-			return fmt.Errorf(PluginName + " start time %s must be less than end time %s", startTime.Format(RFC3339Simple), endTime.Format(RFC3339Simple))
-	}
+		if !startTime.IsZero() {
+			startTS = startTime.Format("20060102T0304")
+			if !endTime.IsZero() {
+				endTS = endTime.Format("20060102T0304")
+				if endTS < startTS {
+					return fmt.Errorf(PluginName + " start time %s must be less than end time %s", startTime.Format(RFC3339Simple), endTime.Format(RFC3339Simple))
+				}
+			}
 		}
 	} else {
 		// No region prefixes found, just use what we were given.