Internal use only

Adding a Component to the EPM Component Discovery Process

This document outlines the steps required to add a new component to the EPM Component Discovery process. Follow the instructions carefully to ensure successful integration.

Prerequisites

Before proceeding with the steps below, ensure the following prerequisites are met:

Component Definition: The component must be defined via the content management workflow.
Published State: The component must be in a published state.
Matching Slug Attribute: The bean definition for the component must include a slug attribute that matches the slug of the component defined in the content management workflow.

Step 1: Identify the Source

Use Socrates: Identify the source of data for the new component using Socrates.
- Socrates is used to extract data and gather the necessary information for the component.

Step 2: Define a SQL Query

Create a SQL Query File: Write a SQL query that adheres to the required structure for EPM compliance. Save the query as a .sql file in the resources/compliance.assets.sql/ directory.
Mandatory Output Fields: Ensure your query includes the following mandatory fields, each serving a critical role in the component discovery process:
- utilizingService (String): This field identifies the service that the component instance belongs to. This association is crucial because it determines which service the component instance rolls up to. Ensure this field is extracted accurately, as incorrect associations can lead to misalignment in compliance reporting.
- resourceName (String): This represents the component's name and is used to determine uniqueness. Be cautious with how this name is generated:
  - Consistency is Key: If the resourceName changes between runs (e.g., due to dynamic name generation), it can result in loss of previous evaluations of any Component Instance Responsibilities (CIRs). Consistent naming ensures continuity in evaluations and historical data.
- arn (String): The Amazon Resource Name (ARN) uniquely identifies the component and is critical for integration with assessment processes. Any changes or inaccuracies in ARN formatting can disrupt assessment integration, so ensure this field is correctly extracted.

Example Query Structure: Use the following example as a guide for your query structure, ensuring all mandatory fields are included:

1
2
WITH unique_assets_S3 AS (
    SELECT
        arn,
        awsAccountId,
        awsRegion,
        resourceType,
        resourcename as resourceName,
        CASE WHEN get_json_object(tags, '$.environment_type')= 'prod' OR get_json_object(tags, '$.environment') ILIKE '%Prod%' THEN 'prod' ELSE 'unknown' END AS environment,
        COALESCE(get_json_object(supplementaryconfiguration, '$.ServerSideEncryptionConfiguration')) AS config,
        COALESCE(get_json_object(tags, '$.micros_service_id'), get_json_object(tags, '$.service_name'), get_json_object(tags, '$.name')) AS utilizingService,
        resourceId,
        hour,
        ROW_NUMBER() OVER (PARTITION BY ARN ORDER BY hour DESC) AS row_number
    FROM zone_ceng.case_data_spark
    WHERE
        YEAR >= date_format(CURRENT_TIMESTAMP - interval '3' HOUR, "yyyy")
      AND YEAR <= date_format(CURRENT_TIMESTAMP - interval '1' HOUR, "yyyy")
      AND MONTH >= date_format(CURRENT_TIMESTAMP - interval '3' HOUR, "yyyy-MM")
      AND MONTH <= date_format(CURRENT_TIMESTAMP - interval '1' HOUR, "yyyy-MM")
      AND DAY >= date_format(CURRENT_TIMESTAMP - interval '3' HOUR, "yyyy-MM-dd")
      AND DAY <= date_format(CURRENT_TIMESTAMP - interval '1' HOUR, "yyyy-MM-dd")
      AND HOUR BETWEEN date_format(CURRENT_TIMESTAMP - interval '3' HOUR, "yyyy-MM-dd'T'HH")
      AND date_format(CURRENT_TIMESTAMP - interval '1' HOUR, "yyyy-MM-dd'T'HH")
      AND service = 'S3'
      AND resource = 'Bucket'
      AND awsaccountid not in (select id from zone_ceng.aws_accounts where platform = 'PaaS')
)
SELECT arn, awsAccountId, awsRegion, resourceType, resourceName, environment, utilizingService, resourceId, hour, config,
    get_json_object(config, '$.rules[0].applyServerSideEncryptionByDefault.sseAlgorithm') IN ('aws:kms', 'AES256') as status
FROM unique_assets_S3
WHERE row_number = 1
AND arn NOT LIKE 'arn:aws:s3:::atl-vault-backup--%'

Common Gotchas:
- Utilizing Service: Ensure that the service association is correct to avoid compliance discrepancies.
- Component Name: Maintain a stable naming convention to preserve historical data integrity.
- ARN Field: Verify the ARN format to ensure seamless assessment integration.

Step 3: Define a Bean for the Component

Update the ComponentDiscoveryConfig: Define a bean for the new component in the ComponentDiscoveryConfig class.
- This involves creating a ComponentConfiguration object for the new component.

Example Bean Definition:

1
2
@Bean
fun newComponent(): ComponentConfiguration {
    return ComponentConfiguration(
        ComplianceAsset.NEW_COMPONENT, // Replace with actual ComplianceAsset
        NewComponentProcessor(), // Replace with actual processor class
        "New Component Type" // Replace with actual component type
    )
}

Map the Component in the Asset to Query Name Map:
- Add an entry for the new component in the assetToQueryNameMap.

Step 4: Implement the Component Processor

Create a Processor Class: Implement a new processor class for the component.
- This class should handle the logic for processing and managing the component.

Example Processor Implementation:

1
2
class NewComponentProcessor : ComponentProcessor {
    // Implement processor logic here
}

Final Steps

Test the Integration: Ensure that the component is correctly integrated and tested within the EPM Component Discovery process.
Review Documentation: Update any relevant documentation to reflect the addition of the new component.

By following these steps, you can successfully add a new component to the EPM Component Discovery process.