Merge branch 'alpha' into feature/CG-1072

m-pizarro · m-pizarro · commit 745f16892e89 · 2022-04-11T15:12:26.000-03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,17 @@
+# [0.79.0-alpha.8](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.7...0.79.0-alpha.8) (2022-04-11)
+
+
+### Bug Fixes
+
+* Added iamRole connection to kinesisFirehose service ([dc17214](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/dc1721403a6d86aa1d7a00542dff237011514654))
+
+# [0.79.0-alpha.7](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.6...0.79.0-alpha.7) (2022-04-11)
+
+
+### Bug Fixes
+
+* Added iamRole to lambda service ([ae6177d](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/ae6177de995975ab5194c5d2fcc8aaf98ec8d06d))
+
 # [0.79.0-alpha.6](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.5...0.79.0-alpha.6) (2022-04-11)
 
 
diff --git a/README.md b/README.md
@@ -3,6 +3,7 @@
 Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the [AWS SDK](https://github.com/aws/aws-sdk-js)
 
 <!-- toc -->
+
 - [Docs](#install)
 - [Install](#install)
 - [Authentication](#authentication)
@@ -13,9 +14,10 @@ Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using
 
 # Docs
 
-⭐ [CloudGraph Readme](https://github.com/cloudgraphdev/cli)  
+⭐ [CloudGraph Readme](https://github.com/cloudgraphdev/cli)
 
 💻 [Full CloudGraph Documentation Including AWS Examples](https://docs.cloudgraph.dev)
+
 # Install
 
 Install the aws provider in CloudGraph
@@ -122,14 +124,14 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate        |                                                                                                                                                                                            |
 | iamUser                     | iamGroup                                                                                                                                                                                   |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                          |
-| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector                                                                                                                                                 |
+| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, kinesisFirehose, lambda, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector                                                                                                                                                 |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                         |
 | igw                         | vpc                                                                                                                                                                                        |
 | iot                         |                                                                                                                                                                                            |
-| kinesisFirehose             | kinesisStream, s3                                                                                                                                                                          |
+| kinesisFirehose             | iamRole, kinesisStream, s3                                                                                                                                                                          |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                            |
 | kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, dmsReplicationInstance, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, redshiftCluster, rdsClusterSnapshot, sageMakerNotebookInstance, secretsManager, sns                                                             |
-| lambda                      | appSync, cognitoUserPool, kms, secretsManager, securityGroup, subnet, vpc                                                                                                                                           |
+| lambda                      | appSync, cognitoUserPool, iamRole, kms, secretsManager, securityGroup, subnet, vpc                                                                                                                                           |
 | managedAirflow                      | iamRole, securityGroups, subnet, s3                                                                                                                                          |
 | nacl                        | vpc                                                                                                                                                                                        |
 | natGateway                  | networkInterface, subnet, vpc                                                                                                                                                              |
@@ -157,7 +159,6 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | transitGateway              | routeTable, transitGatewayAttachment, vpnConnection                                                                                                                                                                                           |
 | transitGatewayAttachment    | routeTable, transitGateway, vpc, vpnConnection                                                                                                                                                                            |
 | vpc                         | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment |
-| vpnConnection               | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway                                                                                                                                                                              |
-| vpnGateway                  | vpc, vpnConnection                                                                                                                                                                                        |
-| wafV2WebAcl                  | appSync                                                                                                                                                                                        |
-
+| vpnConnection               | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway                                                                                                                                                                                                                                                            |
+| vpnGateway                  | vpc, vpnConnection                                                                                                                                                                                                                                                                                                               |
+| wafV2WebAcl                 | appSync                                                                                                                                                                                                                                                                                                                          |
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-aws",
-  "version": "0.79.0-alpha.6",
+  "version": "0.79.0-alpha.8",
   "description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",
diff --git a/src/services/iamRole/connections.ts b/src/services/iamRole/connections.ts
@@ -170,15 +170,12 @@ export default ({
   /**
    * Find any guardDutyDetector related data
    */
-  const detectors = data.find(
-    ({ name }) => name === services.guardDutyDetector
-  )
+  const detectors = data.find(({ name }) => name === services.guardDutyDetector)
   if (detectors?.data?.[region]) {
     const dataAtRegion: RawAwsGuardDutyDetector[] = detectors.data[
       region
     ].filter(
-      ({ ServiceRole }: RawAwsGuardDutyDetector) =>
-      ServiceRole === role.Arn
+      ({ ServiceRole }: RawAwsGuardDutyDetector) => ServiceRole === role.Arn
     )
     for (const detector of dataAtRegion) {
       connections.push({
@@ -189,19 +186,17 @@ export default ({
       })
     }
   }
- /**
+  /**
    * Find any systemsManagerInstance related data
    */
-   const systemsManagerInstances = data.find(
+  const systemsManagerInstances = data.find(
     ({ name }) => name === services.systemsManagerInstance
   )
   if (systemsManagerInstances?.data?.[region]) {
-    const dataAtRegion: RawAwsSystemsManagerInstance[] = systemsManagerInstances.data[
-      region
-    ].filter(
-      ({ IamRole }: RawAwsSystemsManagerInstance) =>
-        IamRole === role.Arn
-    )
+    const dataAtRegion: RawAwsSystemsManagerInstance[] =
+      systemsManagerInstances.data[region].filter(
+        ({ IamRole }: RawAwsSystemsManagerInstance) => IamRole === role.Arn
+      )
     for (const instance of dataAtRegion) {
       connections.push({
         id: instance.InstanceId,
@@ -215,15 +210,14 @@ export default ({
   /**
    * Find any sageMakerNotebookInstance related data
    */
-   const notebooks = data.find(
+  const notebooks = data.find(
     ({ name }) => name === services.sageMakerNotebookInstance
   )
   if (notebooks?.data?.[region]) {
     const dataAtRegion: RawAwsSageMakerNotebookInstance[] = notebooks.data[
       region
     ].filter(
-      ({ RoleArn }: RawAwsSageMakerNotebookInstance) =>
-      RoleArn === role.Arn
+      ({ RoleArn }: RawAwsSageMakerNotebookInstance) => RoleArn === role.Arn
     )
     for (const notebook of dataAtRegion) {
       connections.push({
diff --git a/src/services/iamRole/schema.graphql b/src/services/iamRole/schema.graphql
@@ -26,4 +26,6 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   ec2Instances: [awsEc2] @hasInverse(field: iamRole)
   cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: iamRole)
   appSync: [awsAppSync] @hasInverse(field: iamRoles)
+  lambda: [awsLambda] @hasInverse(field: iamRole)
+  kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)
 }
diff --git a/src/services/kinesisFirehose/connections.ts b/src/services/kinesisFirehose/connections.ts
@@ -8,6 +8,8 @@ import { TagMap } from '../../types'
 import services from '../../enums/services'
 import { RawAwsS3 } from '../s3/data'
 import { s3BucketArn } from '../../utils/generateArns'
+import { globalRegionName } from '../../enums/regions'
+import { RawAwsIamRole } from '../iamRole/data'
 
 /**
  * Kinesis Firehose
@@ -26,7 +28,11 @@ export default ({
   region: string
 }): { [key: string]: ServiceConnection[] } => {
   const connections: ServiceConnection[] = []
-  const { DeliveryStreamARN: id, Destinations: destinations = [] } = firehose
+  const {
+    DeliveryStreamARN: id,
+    Destinations: destinations = [],
+    Source = {},
+  } = firehose
 
   const kinesisStreamSourceARN =
     firehose.Source?.KinesisStreamSourceDescription?.KinesisStreamARN
@@ -63,10 +69,8 @@ export default ({
 
   if (!isEmpty(destinations)) {
     destinations.map((destination: DestinationDescription) => {
-      const {
-        ExtendedS3DestinationDescription,
-        S3DestinationDescription,
-      } = destination
+      const { ExtendedS3DestinationDescription, S3DestinationDescription } =
+        destination
       const s3DestinationDescription =
         ExtendedS3DestinationDescription || S3DestinationDescription
       if (s3DestinationDescription) {
@@ -94,6 +98,32 @@ export default ({
     })
   }
 
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+  if (
+    roles?.data?.[globalRegionName] &&
+    Source?.KinesisStreamSourceDescription?.RoleARN
+  ) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+      role => role.Arn === Source.KinesisStreamSourceDescription.RoleARN
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: roleId } = instance
+
+        connections.push({
+          id: roleId,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRole',
+        })
+      }
+    }
+  }
+
   const kinesisFirehoseResult = {
     [id]: connections,
   }
diff --git a/src/services/kinesisFirehose/schema.graphql b/src/services/kinesisFirehose/schema.graphql
@@ -1,4 +1,3 @@
-#TODO: add iam role connection
 type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
   name: String @search(by: [hash, regexp])
   deliveryStreamStatus: String @search(by: [hash, regexp])
@@ -12,6 +11,7 @@ type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
   source: awsKinesisFirehoseSource
   kinesisStream: [awsKinesisStream] @hasInverse(field: kinesisFirehose)
   s3: [awsS3] @hasInverse(field: kinesisFirehose)
+  iamRole: [awsIamRole] @hasInverse(field: kinesisFirehose)
   tags: [awsRawTag]
 }
 
diff --git a/src/services/lambda/connections.ts b/src/services/lambda/connections.ts
@@ -7,6 +7,8 @@ import { SecurityGroup } from 'aws-sdk/clients/ec2'
 
 import services from '../../enums/services'
 import { RawAwsSubnet } from '../subnet/data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
 
 export default ({
   service: lambda,
@@ -22,6 +24,7 @@ export default ({
   const {
     KMSKeyArn,
     FunctionArn: id,
+    Role,
     VpcConfig: { SecurityGroupIds: sgIds = [], SubnetIds: subnetIds = [] } = {},
   } = lambda
   const connections: ServiceConnection[] = []
@@ -83,7 +86,7 @@ export default ({
     if (!isEmpty(subnetsInRegion)) {
       for (const subnet of subnetsInRegion) {
         connections.push({
-          id:subnet.SubnetId,
+          id: subnet.SubnetId,
           resourceType: services.subnet,
           relation: 'child',
           field: 'subnet',
@@ -92,6 +95,30 @@ export default ({
     }
   }
 
+  /**
+   * Find IAM Role
+   * related to this lambda function
+   */
+  const iamRoles: {
+    name: string
+    data: { [property: string]: RawAwsIamRole[] }
+  } = data.find(({ name }) => name === services.iamRole)
+  if (iamRoles?.data?.[globalRegionName]) {
+    const iamRolesInRegion: RawAwsIamRole[] = iamRoles.data[
+      globalRegionName
+    ].filter(({ Arn }: RawAwsIamRole) => Arn === Role)
+    if (!isEmpty(iamRolesInRegion)) {
+      for (const role of iamRolesInRegion) {
+        connections.push({
+          id: role.Arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRole',
+        })
+      }
+    }
+  }
+
   const lambdaResult = {
     [id]: connections,
   }
diff --git a/src/services/lambda/format.ts b/src/services/lambda/format.ts
@@ -1,17 +1,16 @@
 import isEmpty from 'lodash/isEmpty'
 import t from '../../properties/translations'
 import { AwsLambda } from '../../types/generated'
-import { formatTagsFromMap } from '../../utils/format'
+import { formatTagsFromMap, formatIamJsonPolicy } from '../../utils/format'
 import { RawAwsLambdaFunction } from './data'
-import { formatIamJsonPolicy } from '../../utils/format'
 
 /**
  * Lambda
  */
 export default ({
   service: rawData,
   account,
-  region
+  region,
 }: {
   service: RawAwsLambdaFunction
   account: string
@@ -33,10 +32,7 @@ export default ({
     Version: version,
     reservedConcurrentExecutions: rawReservedConcurrentExecutions,
     VpcConfig: vpcConfig,
-    PolicyData: {
-      Policy: policy = '',
-      RevisionId: policyRevisionId = ''
-    }
+    PolicyData: { Policy: policy = '', RevisionId: policyRevisionId = '' },
   } = rawData
   const environmentVariables = []
   const secretNames = [t.pass, t.secret, t.private, t.cert]
@@ -53,7 +49,11 @@ export default ({
           }
         })
 
-        environmentVariables.push({ id: `${key}:${desiredValue}`, key, value: desiredValue })
+        environmentVariables.push({
+          id: `${key}:${desiredValue}`,
+          key,
+          value: desiredValue,
+        })
       })
     }
   }
@@ -65,7 +65,7 @@ export default ({
   const formattedVpcConfig = {
     vpcId: vpcConfig?.VpcId,
     subnetIds: vpcConfig?.SubnetIds,
-    securityGroupIds: vpcConfig?.SecurityGroupIds
+    securityGroupIds: vpcConfig?.SecurityGroupIds,
   }
 
   return {
@@ -79,7 +79,6 @@ export default ({
     lastModified,
     memorySize,
     reservedConcurrentExecutions,
-    role: handler,
     runtime,
     sourceCodeSize: `${codeSize * 0.001} Kb`,
     timeout,
diff --git a/src/services/lambda/schema.graphql b/src/services/lambda/schema.graphql
@@ -5,7 +5,6 @@ type awsLambda implements awsBaseService @key(fields: "arn") {
   lastModified: String @search(by: [hash, regexp])
   memorySize: Int @search
   reservedConcurrentExecutions: Int @search
-  role: String @search(by: [hash, regexp]) # TODO: add iamRole connection here
   runtime: String @search(by: [hash, regexp])
   sourceCodeSize: String @search(by: [hash, regexp])
   timeout: Int @search
@@ -23,6 +22,7 @@ type awsLambda implements awsBaseService @key(fields: "arn") {
   cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: lambdas)
   appSync: [awsAppSync] @hasInverse(field: lambda)
   secretsManager: [awsSecretsManager] @hasInverse(field: lambda)
+  iamRole: [awsIamRole] @hasInverse(field: lambda)
 }
 
 type awsLambdaEnvironmentVariable
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -3064,6 +3064,8 @@ export type AwsIamRole = AwsBaseService & {
   iamAttachedPolicies?: Maybe<Array<Maybe<AwsIamPolicy>>>;
   iamInstanceProfiles?: Maybe<Array<Maybe<AwsIamInstanceProfile>>>;
   inlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
+  kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
+  lambda?: Maybe<Array<Maybe<AwsLambda>>>;
   managedAirflows?: Maybe<Array<Maybe<AwsManagedAirflow>>>;
   maxSessionDuration?: Maybe<Scalars['Int']>;
   name?: Maybe<Scalars['String']>;
@@ -3138,6 +3140,7 @@ export type AwsKinesisFirehose = AwsBaseService & {
   encryptionConfig?: Maybe<AwsKinesisFirehoseEncryptionConfig>;
   failureDescriptionDetails?: Maybe<Scalars['String']>;
   failureDescriptionType?: Maybe<Scalars['String']>;
+  iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   kinesisStream?: Maybe<Array<Maybe<AwsKinesisStream>>>;
   lastUpdateTimestamp?: Maybe<Scalars['String']>;
   name?: Maybe<Scalars['String']>;
@@ -3222,14 +3225,14 @@ export type AwsLambda = AwsBaseService & {
   description?: Maybe<Scalars['String']>;
   environmentVariables?: Maybe<Array<Maybe<AwsLambdaEnvironmentVariable>>>;
   handler?: Maybe<Scalars['String']>;
+  iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   kms?: Maybe<Array<Maybe<AwsKms>>>;
   kmsKeyArn?: Maybe<Scalars['String']>;
   lastModified?: Maybe<Scalars['String']>;
   memorySize?: Maybe<Scalars['Int']>;
   policy?: Maybe<AwsIamJsonPolicy>;
   policyRevisionId?: Maybe<Scalars['String']>;
   reservedConcurrentExecutions?: Maybe<Scalars['Int']>;
-  role?: Maybe<Scalars['String']>;
   runtime?: Maybe<Scalars['String']>;
   secretsManager?: Maybe<Array<Maybe<AwsSecretsManager>>>;
   securityGroups?: Maybe<Array<Maybe<AwsSecurityGroup>>>;

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@cloudgraph/cg-provider-aws",`
`3`		`- "version": "0.79.0-alpha.6",`
	`3`	`+ "version": "0.79.0-alpha.8",`
`4`	`4`	`"description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",`
`5`	`5`	`"publishConfig": {`
`6`	`6`	`"registry": "https://registry.npmjs.org/",`
Original file line number	Diff line number	Diff line change
`@@ -26,4 +26,6 @@ type awsIamRole implements awsBaseService @key(fields: "id") {`
`26`	`26`	`ec2Instances: [awsEc2] @hasInverse(field: iamRole)`
`27`	`27`	`cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: iamRole)`
`28`	`28`	`appSync: [awsAppSync] @hasInverse(field: iamRoles)`
	`29`	`+ lambda: [awsLambda] @hasInverse(field: iamRole)`
	`30`	`+ kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)`
`29`	`31`	`}`