Merge pull request #24 from cloudgraphdev/feature/CG-1056

Christopher Brandt · web-flow · commit 97616df80596 · 2022-04-12T11:17:47.000-07:00
feat(asg): add iam role connection
diff --git a/README.md b/README.md
@@ -74,7 +74,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | apiGatewayStage             | apiGatewayRestApi                                                                                                                                                                                                                                                                                                                |
 | apiGatewayResource          | apiGatewayRestApi                                                                                                                                                                                                                                                                                                                |
 | appSync                     | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl                                                                                                                                                                                                                                                              |
-| asg                         | ebs, ec2, securityGroup, subnet                                                                                                                                                                                                                                                                                                  |
+| asg                         | ebs, ec2, iamRole, securityGroup, subnet                                                                                                                                                                                                                                                                                                  |
 | athenaDataCatalog           |                                                                                                                                                                                                                                                                                                                                  |
 | clientVpnEndpoint           | securityGroup                                                                                                                                                                                                                                                                                                                    |
 | cloud9                      |                                                                                                                                                                                                                                                                                                                                  |
@@ -124,7 +124,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate        |                                                                                                                                                                                                                                                                                                                                  |
 | iamUser                     | iamGroup                                                                                                                                                                                                                                                                                                                         |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                                                                                                                                                                |
-| iamRole                     | appSync, cloudformationStackSet, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose, rdsCluster                                                                                |
+| iamRole                     | appSync, asg, cloudformationStackSet, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose, rdsCluster                                                                                |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                                                                                                                                                               |
 | igw                         | vpc                                                                                                                                                                                                                                                                                                                              |
 | iot                         |                                                                                                                                                                                                                                                                                                                                  |
diff --git a/src/services/asg/connections.ts b/src/services/asg/connections.ts
@@ -10,6 +10,8 @@ import { SecurityGroup, Volume } from 'aws-sdk/clients/ec2'
 import { isEmpty } from 'lodash'
 import services from '../../enums/services'
 import { RawAwsSubnet } from '../subnet/data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
 
 /**
  * ASG
@@ -34,6 +36,7 @@ export default ({
     AutoScalingGroupARN: id,
     Instances: instances = [],
     VPCZoneIdentifier: commaSeparatedSubnetIds = '',
+    ServiceLinkedRoleARN: roleArn,
   } = asg
 
   const { SecurityGroups: sgIds = [] } = asg.LaunchConfiguration
@@ -142,6 +145,29 @@ export default ({
     }
   }
 
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+      role => role.Arn === roleArn
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: arn }: RawAwsIamRole = instance
+
+        connections.push({
+          id: arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRole',
+        })
+      }
+    }
+  }
+
   const asgResult = {
     [id]: connections,
   }
diff --git a/src/services/asg/schema.graphql b/src/services/asg/schema.graphql
@@ -134,4 +134,5 @@ type awsAsg implements awsBaseService @key(fields: "arn") {
   securityGroups: [awsSecurityGroup] @hasInverse(field: asg)
   ebs: [awsEbs] @hasInverse(field: asg)
   subnet: [awsSubnet] @hasInverse(field: asg) #change to plural
+  iamRole: [awsIamRole] @hasInverse(field: asg)
 }
diff --git a/src/services/iamRole/schema.graphql b/src/services/iamRole/schema.graphql
@@ -33,4 +33,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
     @hasInverse(field: monitoringIamRole)
   rdsClusterIamRoles: [awsRdsCluster] @hasInverse(field: iamRoles)
   cloudFormationStackSet: [awsCloudFormationStackSet] @hasInverse(field: iamRoles)
+  asg: [awsAsg] @hasInverse(field: iamRole)
 }
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -472,6 +472,7 @@ export type AwsAsg = AwsBaseService & {
   enabledMetrics?: Maybe<Array<Maybe<AwsEnabledMetrics>>>;
   healthCheckGracePeriod?: Maybe<Scalars['Int']>;
   healthCheckType?: Maybe<Scalars['String']>;
+  iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   launchConfiguration?: Maybe<AwsLaunchConfiguration>;
   launchConfigurationName?: Maybe<Scalars['String']>;
   launchTemplateId?: Maybe<Scalars['String']>;
@@ -3048,6 +3049,7 @@ export type AwsIamPolicy = AwsBaseService & {
 
 export type AwsIamRole = AwsBaseService & {
   appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
+  asg?: Maybe<Array<Maybe<AwsAsg>>>;
   assumeRolePolicy?: Maybe<AwsIamJsonPolicy>;
   cloudFormationStack?: Maybe<Array<Maybe<AwsCloudFormationStack>>>;
   cloudFormationStackSet?: Maybe<Array<Maybe<AwsCloudFormationStackSet>>>;
diff --git a/tests/aws_asg.test.ts b/tests/aws_asg.test.ts
@@ -3,6 +3,7 @@ import CloudGraph, { ServiceConnection } from '@cloudgraph/sdk'
 import EC2Service from '../src/services/ec2'
 import SGService from '../src/services/securityGroup'
 import EBSService from '../src/services/ebs'
+import IAMRoleService from '../src/services/iamRole'
 import AsgClass from '../src/services/asg'
 import { RawAwsAsg } from '../src/services/asg/data'
 import { initTestConfig } from '../src/utils'
@@ -26,6 +27,7 @@ describe.skip('ASG Service Test: ', () => {
           const ec2Class = new EC2Service({ logger: CloudGraph.logger })
           const sgService = new SGService({ logger: CloudGraph.logger })
           const ebsService = new EBSService({ logger: CloudGraph.logger })
+          const iamRoleService = new IAMRoleService({ logger: CloudGraph.logger })
 
           getDataResult = await asgClass.getData({
             credentials,
@@ -52,6 +54,12 @@ describe.skip('ASG Service Test: ', () => {
             regions: region,
           })
 
+          // Get IAM Role data
+          const iamRoleData = await iamRoleService.getData({
+            credentials,
+            regions: region,
+          })
+
           const [asg] = getDataResult[region]
           asgId = asg.AutoScalingGroupARN
 
@@ -76,6 +84,12 @@ describe.skip('ASG Service Test: ', () => {
                 account,
                 region,
               },
+              {
+                name: services.iamRole,
+                data: iamRoleData,
+                account,
+                region,
+              }
             ],
             region,
           })
@@ -150,5 +164,14 @@ describe.skip('ASG Service Test: ', () => {
       expect(ebsConnections).toBeDefined()
       expect(ebsConnections.length).toBe(1)
     })
+
+    test('should verify the connection to iam', async () => {
+      const iamConnections = asgConnections[asgId].filter(
+        connection => connection.resourceType === services.iamRole
+      )
+
+      expect(iamConnections).toBeDefined()
+      expect(iamConnections.length).toBe(1)
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -134,4 +134,5 @@ type awsAsg implements awsBaseService @key(fields: "arn") {`
`134`	`134`	`securityGroups: [awsSecurityGroup] @hasInverse(field: asg)`
`135`	`135`	`ebs: [awsEbs] @hasInverse(field: asg)`
`136`	`136`	`subnet: [awsSubnet] @hasInverse(field: asg) #change to plural`
	`137`	`+ iamRole: [awsIamRole] @hasInverse(field: asg)`
`137`	`138`	`}`
Original file line number	Diff line number	Diff line change
`@@ -33,4 +33,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {`
`33`	`33`	`@hasInverse(field: monitoringIamRole)`
`34`	`34`	`rdsClusterIamRoles: [awsRdsCluster] @hasInverse(field: iamRoles)`
`35`	`35`	`cloudFormationStackSet: [awsCloudFormationStackSet] @hasInverse(field: iamRoles)`
	`36`	`+ asg: [awsAsg] @hasInverse(field: iamRole)`
`36`	`37`	`}`