Commit 7aa1948

Merge pull request #13 from cloudgraphdev/fix/CG-1068
fix: Included iamRole for AWS Kinesis Firehose
2 parents 2eb967a + f13c9fa commit 7aa1948

6 files changed

+51
-24
lines changed

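--- a/README.md
+++ b/README.md
@@ -124,11 +124,11 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate | |
 | iamUser | iamGroup |
 | iamPolicy | iamRole, iamGroup |
-| iamRole | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda |
+| iamRole | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose |
 | iamGroup | iamUser, iamPolicy |
 | igw | vpc |
 | iot | |
-| kinesisFirehose | kinesisStream, s3 |
+| kinesisFirehose | kinesisStream, s3, iamRole |
 | kinesisStream | kinesisFirehose |
 | kms | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsClusterSnapshot, sns, sageMakerNotebookInstance, dmsReplicationInstance, redshiftCluster |
 | lambda | appSync, cognitoUserPool, kms, securityGroup, subnet, vpc, iamRole |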

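--- a/src/services/iamRole/connections.ts
+++ b/src/services/iamRole/connections.ts
@@ -170,15 +170,12 @@ export default ({
 /**
 * Find any guardDutyDetector related data
 */
-const detectors = data.find(
-({ name }) => name === services.guardDutyDetector
-)
+const detectors = data.find(({ name }) => name === services.guardDutyDetector)
 if (detectors?.data?.[region]) {
 const dataAtRegion: RawAwsGuardDutyDetector[] = detectors.data[
 region
 ].filter(
-({ ServiceRole }: RawAwsGuardDutyDetector) =>
-ServiceRole === role.Arn
+({ ServiceRole }: RawAwsGuardDutyDetector) => ServiceRole === role.Arn
 )
 for (const detector of dataAtRegion) {
 connections.push({
@@ -189,19 +186,17 @@ export default ({
 })
 }
 }
-/**
+/**
 * Find any systemsManagerInstance related data
 */
-const systemsManagerInstances = data.find(
+const systemsManagerInstances = data.find(
 ({ name }) => name === services.systemsManagerInstance
 )
 if (systemsManagerInstances?.data?.[region]) {
-const dataAtRegion: RawAwsSystemsManagerInstance[] = systemsManagerInstances.data[
-region
-].filter(
-({ IamRole }: RawAwsSystemsManagerInstance) =>
-IamRole === role.Arn
-)
+const dataAtRegion: RawAwsSystemsManagerInstance[] =
+systemsManagerInstances.data[region].filter(
+({ IamRole }: RawAwsSystemsManagerInstance) => IamRole === role.Arn
+)
 for (const instance of dataAtRegion) {
 connections.push({
 id: instance.InstanceId,
@@ -215,15 +210,14 @@ export default ({
 /**
 * Find any sageMakerNotebookInstance related data
 */
-const notebooks = data.find(
+const notebooks = data.find(
 ({ name }) => name === services.sageMakerNotebookInstance
 )
 if (notebooks?.data?.[region]) {
 const dataAtRegion: RawAwsSageMakerNotebookInstance[] = notebooks.data[
 region
 ].filter(
-({ RoleArn }: RawAwsSageMakerNotebookInstance) =>
-RoleArn === role.Arn
+({ RoleArn }: RawAwsSageMakerNotebookInstance) => RoleArn === role.Arn
 )
 for (const notebook of dataAtRegion) {
 connections.push({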

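--- a/src/services/iamRole/schema.graphql
+++ b/src/services/iamRole/schema.graphql
@@ -27,4 +27,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
 cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: iamRole)
 appSync: [awsAppSync] @hasInverse(field: iamRoles)
 lambda: [awsLambda] @hasInverse(field: iamRole)
+kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)
 }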

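--- a/src/services/kinesisFirehose/connections.ts
+++ b/src/services/kinesisFirehose/connections.ts
@@ -8,6 +8,8 @@ import { TagMap } from '../../types'
 import services from '../../enums/services'
 import { RawAwsS3 } from '../s3/data'
 import { s3BucketArn } from '../../utils/generateArns'
+import { globalRegionName } from '../../enums/regions'
+import { RawAwsIamRole } from '../iamRole/data'
 
 /**
 * Kinesis Firehose
@@ -26,7 +28,11 @@ export default ({
 region: string
 }): { [key: string]: ServiceConnection[] } => {
 const connections: ServiceConnection[] = []
-const { DeliveryStreamARN: id, Destinations: destinations = [] } = firehose
+const {
+DeliveryStreamARN: id,
+Destinations: destinations = [],
+Source = {},
+} = firehose
 
 const kinesisStreamSourceARN =
 firehose.Source?.KinesisStreamSourceDescription?.KinesisStreamARN
@@ -63,10 +69,8 @@ export default ({
 
 if (!isEmpty(destinations)) {
 destinations.map((destination: DestinationDescription) => {
-const {
-ExtendedS3DestinationDescription,
-S3DestinationDescription,
-} = destination
+const { ExtendedS3DestinationDescription, S3DestinationDescription } =
+destination
 const s3DestinationDescription =
 ExtendedS3DestinationDescription || S3DestinationDescription
 if (s3DestinationDescription) {
@@ -94,6 +98,32 @@ export default ({
 })
 }
 
+/**
+* Find related IAM Roles
+*/
+const roles: { name: string; data: { [property: string]: any[] } } =
+data.find(({ name }) => name === services.iamRole)
+if (
+roles?.data?.[globalRegionName] &&
+Source?.KinesisStreamSourceDescription?.RoleARN
+) {
+const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+role => role.Arn === Source.KinesisStreamSourceDescription.RoleARN
+)
+if (!isEmpty(dataAtRegion)) {
+for (const instance of dataAtRegion) {
+const { Arn: roleId } = instance
+
+connections.push({
+id: roleId,
+resourceType: services.iamRole,
+relation: 'child',
+field: 'iamRole',
+})
+}
+}
+}
+
 const kinesisFirehoseResult = {
 [id]: connections,
 }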
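Review bot: The new IAM-role lookup (new lines 101-125) only follows `Source.KinesisStreamSourceDescription.RoleARN`, so a delivery stream with a DirectPut source (no Kinesis source at all) or one whose delivery role differs from its source role ends up with no `iamRole` edge even though it clearly assumes a role. In the Firehose API the destination descriptions this function already destructures (`ExtendedS3DestinationDescription`, `S3DestinationDescription`) also expose the delivery role's `RoleARN`, and that role is the one actually holding write access to the bucket, so it should be collected as well; collecting all ARNs into a `Set` first also avoids pushing the same role twice when source and destination share one role. Declaring `roles.data` as `RawAwsIamRole[]` instead of `any[]` lets the compiler check the `.Arn` access, and the `instance`/`roleId` naming copied from the systemsManager code reads better as `role`. The enclosing function starts before these hunks, and the exact shape of `RawAwsIamRole` is not visible here, so the typing is assumed from the `Arn` field used above.
```typescript
// … unchanged: kinesisStream and s3 connections …
/**
 * Find related IAM Roles: the role assumed to read the Kinesis source (if any)
 * and the delivery role assumed to write each destination.
 */
const roleArns = new Set<string>()
if (Source?.KinesisStreamSourceDescription?.RoleARN) {
  roleArns.add(Source.KinesisStreamSourceDescription.RoleARN)
}
destinations.forEach((destination: DestinationDescription) => {
  const deliveryRoleArn =
    destination.ExtendedS3DestinationDescription?.RoleARN ||
    destination.S3DestinationDescription?.RoleARN
  if (deliveryRoleArn) roleArns.add(deliveryRoleArn)
})
const roles: { name: string; data: { [property: string]: RawAwsIamRole[] } } =
  data.find(({ name }) => name === services.iamRole)
if (roles?.data?.[globalRegionName] && roleArns.size > 0) {
  for (const role of roles.data[globalRegionName]) {
    if (!roleArns.has(role.Arn)) continue
    connections.push({
      id: role.Arn,
      resourceType: services.iamRole,
      relation: 'child',
      field: 'iamRole',
    })
  }
}
// … unchanged: kinesisFirehoseResult …
```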

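--- a/src/services/kinesisFirehose/schema.graphql
+++ b/src/services/kinesisFirehose/schema.graphql
@@ -1,4 +1,3 @@
-#TODO: add iam role connection
 type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
 name: String @search(by: [hash, regexp])
 deliveryStreamStatus: String @search(by: [hash, regexp])
@@ -12,6 +11,7 @@ type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
 source: awsKinesisFirehoseSource
 kinesisStream: [awsKinesisStream] @hasInverse(field: kinesisFirehose)
 s3: [awsS3] @hasInverse(field: kinesisFirehose)
+iamRole: [awsIamRole] @hasInverse(field: kinesisFirehose)
 tags: [awsRawTag]
 }
 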

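--- a/src/types/generated.ts
+++ b/src/types/generated.ts
@@ -3064,6 +3064,7 @@ export type AwsIamRole = AwsBaseService & {
 iamAttachedPolicies?: Maybe<Array<Maybe<AwsIamPolicy>>>;
 iamInstanceProfiles?: Maybe<Array<Maybe<AwsIamInstanceProfile>>>;
 inlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
+kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
 lambda?: Maybe<Array<Maybe<AwsLambda>>>;
 managedAirflows?: Maybe<Array<Maybe<AwsManagedAirflow>>>;
 maxSessionDuration?: Maybe<Scalars['Int']>;
@@ -3139,6 +3140,7 @@ export type AwsKinesisFirehose = AwsBaseService & {
 encryptionConfig?: Maybe<AwsKinesisFirehoseEncryptionConfig>;
 failureDescriptionDetails?: Maybe<Scalars['String']>;
 failureDescriptionType?: Maybe<Scalars['String']>;
+iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
 kinesisStream?: Maybe<Array<Maybe<AwsKinesisStream>>>;
 lastUpdateTimestamp?: Maybe<Scalars['String']>;
 name?: Maybe<Scalars['String']>;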
