Merge branch 'feature/CG-820' into 'master'

Resolve CG-820 WAFV2

Closes CG-820

See merge request auto-cloud/cloudgraph/provider/cloudgraph-provider-aws!209

Author: tyler-dunkel

README.md

@@ -151,4 +151,5 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | vpc                         | alb, codebuild, ec2, eip, elb, ecsService, efsMountTarget, eksCluster igw, elastiCacheCluster, lambda, nacl, natGateway, networkInterface, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment |
 | vpnConnection               | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway                                                                                                                                                                              |
 | vpnGateway                  | vpc, vpnConnection                                                                                                                                                                                        |
+| wafV2WebAcl                  |                                                                                                                                                                                        |
 

src/enums/schemasMap.ts

@@ -89,5 +89,6 @@ export default {
   [services.transitGatewayAttachment]: 'awsTransitGatewayAttachment',
   [services.vpnConnection]: 'awsVpnConnection',
   [services.organization]: 'awsOrganization',
+  [services.wafV2WebAcl]: 'awsWafV2WebAcl',
   tag: 'awsTag',
 }

src/enums/serviceMap.ts

@@ -85,6 +85,7 @@ import GlueRegistry from '../services/glueRegistry'
 import SageMakerProject from '../services/sageMakerProject'
 import SageMakerExperiment from '../services/sageMakerExperiment'
 import ManagedAirflow from '../services/managedAirflow'
+import WafV2WebAcl from '../services/wafV2WebAcl'
 
 /**
  * serviceMap is an object that contains all currently supported services for AWS
@@ -176,5 +177,6 @@ export default {
   [services.vpnGateway]: VpnGateway,
   [services.vpnConnection]: VpnConnection,
   [services.organization]: Organization,
+  [services.wafV2WebAcl]: WafV2WebAcl,
   tag: AwsTag,
 }

src/enums/services.ts

@@ -84,4 +84,5 @@ export default {
   vpc: 'vpc',
   vpnConnection: 'vpnConnection',
   vpnGateway: 'vpnGateway',
+  wafV2WebAcl: 'wafV2WebAcl'
 }

src/services/managedAirflow/format.ts

@@ -23,10 +23,15 @@ export default ({
     Arn: arn,
     CreatedAt: createdAt,
     DagS3Path: dagS3Path,
+    KmsKey,
     EnvironmentClass: environmentClass,
     ExecutionRoleArn: executionRoleArn,
     LastUpdate: {
       CreatedAt: lastUpdateCreatedAt,
+      Error: {
+        ErrorCode: errorCode,
+        ErrorMessage: errorMessage
+      } = {},
       Status: lastUpdateStatus,
     } = {},
     LoggingConfiguration: {
@@ -90,13 +95,18 @@ export default ({
     accountId: account,
     airflowConfigurationOptions: mappedAirflowConfigurationOptions,
     airflowVersion,
+    kmsKey: KmsKey,
     createdAt: createdAt?.toISOString(),
     dagS3Path,
     environmentClass,
     executionRoleArn,
     lastUpdate: {
       createdAt: lastUpdateCreatedAt?.toISOString(),
       status: lastUpdateStatus,
+      error: {
+        errorCode,
+        errorMessage
+      }
     },
     loggingConfiguration: {
       dagProcessingLogs: {

src/services/managedAirflow/schema.graphql

@@ -5,6 +5,7 @@ type awsManagedAirflow @key(fields: "arn") {
     region: String @search(by: [hash, regexp])
     airflowConfigurationOptions: [awsRawTag]
     airflowVersion: String @search(by: [hash, regexp])
+    kmsKey: String @search(by: [hash, regexp])
     createdAt: DateTime
     dagS3Path: String @search(by: [hash, regexp])
     environmentClass: String @search(by: [hash, regexp])
@@ -38,9 +39,15 @@ type awsManagedAirflow @key(fields: "arn") {
 
   type awsManagedAirflowLastUpdate {
     createdAt: DateTime
+    error: awsManagedAirflowLastUpdateError
     status: String @search(by: [hash, regexp])
   }
 
+  type awsManagedAirflowLastUpdateError {
+    errorCode: String @search(by: [hash, regexp])
+    errorMessage: String @search(by: [hash, regexp])
+  }
+
   type awsManagedAirflowLoggingConfig {
     dagProcessingLogs: awsManagedAirflowLogging
     schedulerLogs: awsManagedAirflowLogging

src/services/wafV2WebAcl/data.ts

@@ -0,0 +1,88 @@
+import { Config } from 'aws-sdk/lib/config'
+import WAFV2, { WebACLSummaries } from 'aws-sdk/clients/wafv2'
+import isEmpty from 'lodash/isEmpty'
+import groupBy from 'lodash/groupBy'
+import { initTestEndpoint } from '../../utils'
+import ErrorLog from '../../utils/errorLog'
+
+const serviceName = 'wafV2WebAcl'
+const errorLog = new ErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+
+const scopes = {
+  cloudfront: 'CLOUDFRONT',
+  regional: 'REGIONAL',
+}
+
+export interface RawAwsWafV2WebAcl extends WAFV2.WebACL {
+  region: string
+  loggingConfiguration: WAFV2.LoggingConfiguration
+}
+
+/**
+ * WafV2WebAcl
+ */
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{ [region: string]: RawAwsWafV2WebAcl[] }> => {
+  const result: RawAwsWafV2WebAcl[] = []
+
+  const activeRegions = regions.split(',')
+  activeRegions.push('global')
+  for (const region of activeRegions) {
+    const client = new WAFV2({
+      ...config,
+      region: region === 'global' ? 'us-east-1' : region,
+      endpoint,
+    })
+    const scope = region === 'global' ? scopes.cloudfront : scopes.regional
+    const WafV2WebAclData: WebACLSummaries = []
+    try {
+      const { WebACLs, NextMarker } = await client
+        .listWebACLs({ Scope: scope, Limit: 10 })
+        .promise()
+      WafV2WebAclData.push(...WebACLs)
+      let marker = NextMarker
+      while (marker) {
+        const { WebACLs, NextMarker } = await client
+          .listWebACLs({ Scope: scope, Limit: 10, NextMarker: marker })
+          .promise()
+        marker = NextMarker
+        WafV2WebAclData.push(...WebACLs)
+      }
+    } catch (err) {
+      errorLog.generateAwsErrorLog({ functionName: 'listWebAcls', err })
+    }
+    if (!isEmpty(WafV2WebAclData)) {
+      for (const waf of WafV2WebAclData) {
+        let wafData
+        try {
+          wafData = await client
+            .getWebACL({ Name: waf.Name, Id: waf.Id, Scope: scope })
+            .promise()
+
+          const arn = wafData?.WebACL?.ARN
+          const loggingConfiguration = await client
+            .getLoggingConfiguration({ ResourceArn: arn })
+            .promise()
+          wafData.loggingConfiguration =
+            loggingConfiguration.LoggingConfiguration
+        } catch (err) {
+          errorLog.generateAwsErrorLog({ functionName: 'getWebACL', err })
+        }
+        result.push({
+          ...wafData?.WebACL,
+          loggingConfiguration: wafData?.loggingConfiguration,
+          region,
+        })
+      }
+    }
+  }
+  errorLog.reset()
+  return groupBy(result, 'region')
+}

src/services/wafV2WebAcl/format.ts

@@ -0,0 +1,111 @@
+import cuid from 'cuid'
+import {
+  formatFieldToMatch,
+  formatRuleLabels,
+  formatRuleStatement,
+  formatRuleAction,
+  formatRuleOverrideAction,
+  formatDefaultAction,
+  formatFirewallManagerRuleGroups,
+  formatVisibilityConfig
+} from './utils'
+import { AwsWafV2WebAcl } from '../../types/generated'
+import { RawAwsWafV2WebAcl } from './data'
+
+/**
+ * WafV2WebAcl
+ */
+
+export default ({
+  account,
+  service: rawData,
+  region,
+}: {
+  account: string
+  service: RawAwsWafV2WebAcl
+  region: string
+}): AwsWafV2WebAcl => {
+  const {
+    Id: id,
+    ARN: arn,
+    Name: name,
+    Description: description,
+    Rules,
+    DefaultAction,
+    Capacity: capacity,
+    VisibilityConfig,
+    PreProcessFirewallManagerRuleGroups,
+    PostProcessFirewallManagerRuleGroups,
+    ManagedByFirewallManager,
+    LabelNamespace: labelNamespace,
+    CustomResponseBodies,
+    loggingConfiguration,
+  } = rawData
+
+  const mappedRules = Rules?.map(rule => ({
+    id: cuid(),
+    name: rule.Name,
+    priority: rule.Priority,
+    statement: formatRuleStatement(rule.Statement),
+    action: formatRuleAction(rule.Action),
+    overrideAction: formatRuleOverrideAction(rule.OverrideAction),
+    ruleLabels: formatRuleLabels(rule.RuleLabels),
+    visibilityConfig: formatVisibilityConfig(rule.VisibilityConfig),
+  }))
+
+  const mappedCustomResponseBodies = Object.keys(
+    CustomResponseBodies ?? {}
+  ).map(key => ({
+    id: cuid(),
+    key,
+    contentType: CustomResponseBodies[key]?.ContentType,
+    content: CustomResponseBodies[key]?.Content,
+  }))
+
+  const formattedLoggingConfig = {
+    resourceArn: loggingConfiguration?.ResourceArn,
+    logDestinationConfigs: loggingConfiguration?.LogDestinationConfigs,
+    redactedFields: loggingConfiguration?.RedactedFields?.map(formatFieldToMatch),
+    managedByFirewallManager: loggingConfiguration?.ManagedByFirewallManager,
+    loggingFilter: {
+      filters: loggingConfiguration?.LoggingFilter?.Filters?.map(filter => ({
+        id: cuid(),
+        behavior: filter.Behavior,
+        requirement: filter.Requirement,
+        conditions: filter.Conditions?.map(condition => ({
+          id: cuid(),
+          actionCondtion: {
+            action: condition?.ActionCondition?.Action,
+          },
+          labelNameCondition: {
+            labelName: condition?.LabelNameCondition?.LabelName,
+          },
+        })),
+      })),
+      defaultBehavior: loggingConfiguration?.LoggingFilter?.DefaultBehavior
+    },
+  }
+
+  return {
+    id,
+    region,
+    accountId: account,
+    arn,
+    name,
+    description,
+    ManagedByFirewallManager,
+    capacity,
+    labelNamespace,
+    rules: mappedRules,
+    defaultAction: formatDefaultAction(DefaultAction),
+    visibilityConfig: formatVisibilityConfig(VisibilityConfig),
+    preProcessFirewallManagerRuleGroups: formatFirewallManagerRuleGroups(
+      PreProcessFirewallManagerRuleGroups
+    ),
+    postProcessFirewallManagerRuleGroups: formatFirewallManagerRuleGroups(
+      PostProcessFirewallManagerRuleGroups
+    ),
+    customResponseBodies: mappedCustomResponseBodies,
+    loggingConfiguration: formattedLoggingConfig,
+  }
+}

src/services/wafV2WebAcl/index.ts

@@ -0,0 +1,14 @@
+import { Service } from '@cloudgraph/sdk'
+  import BaseService from '../base'
+  import format from './format'
+  import getData from './data'
+  import mutation from './mutation'
+      
+  export default class WafV2WebAcl extends BaseService implements Service {
+    format = format.bind(this)
+      
+    getData = getData.bind(this)
+      
+    mutation = mutation
+  }
+  

src/services/wafV2WebAcl/mutation.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [AddawsWafV2WebAclInput!]!) {
+  addawsWafV2WebAcl(input: $input, upsert: true) {
+    numUids
+  }
+}`;