Merge branch 'alpha' into feature/CG-1063

Author: m-pizarro

CHANGELOG.md

@@ -1,3 +1,24 @@
+# [0.79.0-alpha.22](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.21...0.79.0-alpha.22) (2022-04-14)
+
+
+### Bug Fixes
+
+* **elasticSearchDomain:** add cloudwatchLogs, cognitoIdentityPool, cognitoUserPool, iamRole connections ([694d298](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/694d298af419a8f18f55ccebb5fc21b06574c930))
+
+# [0.79.0-alpha.21](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.20...0.79.0-alpha.21) (2022-04-14)
+
+
+### Bug Fixes
+
+* Created iamRole connection for emrCluster ([80a39e1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/80a39e19046ad46a2897f667171b271b5a1f9cc7))
+
+# [0.79.0-alpha.20](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.19...0.79.0-alpha.20) (2022-04-14)
+
+
+### Features
+
+* **cognitoIdentityPool:** add iamRole/iamOpenIdConnectProvider/iamSamlProvider connections, generate arn ([3ba9610](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/3ba9610af535f9b84f229ce6abcfcf1e43664d45))
+
 # [0.79.0-alpha.19](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.18...0.79.0-alpha.19) (2022-04-13)
 
 

README.md

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-aws",
-  "version": "0.79.0-alpha.19",
+  "version": "0.79.0-alpha.22",
   "description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",

package.json

@@ -14,6 +14,7 @@ type awsCloudwatchLog @key(fields: "arn") {
   cloudwatch: [awsCloudwatch] @hasInverse(field: cloudwatchLog)
   cloudtrail: [awsCloudtrail] @hasInverse(field: cloudwatchLog)
   ecsCluster: [awsEcsCluster] @hasInverse(field: cloudwatchLog)
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cloudwatchLogs)
   rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: cloudwatchLogs)
   managedAirflows: [awsManagedAirflow] @hasInverse(field: cloudwatchLogs)
 }

src/services/cloudwatchLogs/schema.graphql

@@ -1 +1,104 @@
-// TODO Add Optional IAM saml provider
+import { ServiceConnection } from '@cloudgraph/sdk'
+import { isEmpty } from 'lodash'
+import services from '../../enums/services'
+import { RawAwsCognitoIdentityPool } from './data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
+
+/**
+ * Cognito Identity Pool
+ */
+
+export default ({
+  service: identityPool,
+  data,
+  region,
+}: {
+  data: { name: string; data: { [property: string]: any[] } }[]
+  service: RawAwsCognitoIdentityPool
+  region: string
+}): { [key: string]: ServiceConnection[] } => {
+  const connections: ServiceConnection[] = []
+
+  const {
+    IdentityPoolId: id,
+    identityPoolRoles,
+    SamlProviderARNs = [],
+    OpenIdConnectProviderARNs = [],
+  } = identityPool
+
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+
+  const iamRoleArns = Object.values(identityPoolRoles?.Roles || {})
+
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(role =>
+      iamRoleArns.includes(role.Arn)
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: arn }: RawAwsIamRole = instance
+
+        connections.push({
+          id: arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRoles',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamSamlProvider
+   * related to this cognito identity pool
+   */
+  const iamSamlProviders = data.find(({ name }) => name === services.iamSamlProvider)
+  if (iamSamlProviders?.data?.[region]) {
+    const dataInRegion = iamSamlProviders.data[region].filter(provider =>
+      SamlProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamSamlProvider,
+          relation: 'child',
+          field: 'iamSamlProviders',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamOpenIdConnectProvider
+   * related to this cognito identity pool
+   */
+  const iamOpenIdConnectProviders = data.find(({ name }) => name === services.iamOpenIdConnectProvider)
+  if (iamOpenIdConnectProviders?.data?.[region]) {
+    const dataInRegion = iamOpenIdConnectProviders.data[region].filter(provider =>
+      OpenIdConnectProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamOpenIdConnectProvider,
+          relation: 'child',
+          field: 'iamOpenIdConnectProviders',
+        })
+      }
+    }
+  }
+
+  const identityPoolResult = {
+    [id]: connections,
+  }
+  return identityPoolResult
+}

src/services/cognitoIdentityPool/connections.ts

@@ -1,6 +1,7 @@
 import COGID, {
   IdentityPool,
   IdentityPoolShortDescription,
+  GetIdentityPoolRolesResponse,
 } from 'aws-sdk/clients/cognitoidentity'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -25,6 +26,7 @@ const MAX_RESULTS = 60
 
 export interface RawAwsCognitoIdentityPool
   extends Omit<IdentityPool, 'IdentityPoolTags'> {
+  identityPoolRoles: GetIdentityPoolRolesResponse
   region: string
   Tags: TagMap
 }
@@ -91,6 +93,27 @@ const describeIdentityPool = async ({
   return null
 }
 
+const getIdentityPoolRoles = async ({
+  cogId,
+  IdentityPoolId,
+}: {
+  cogId: COGID
+  IdentityPoolId: string
+}): Promise<GetIdentityPoolRolesResponse> => {
+  try {
+    return await cogId
+      .getIdentityPoolRoles({ IdentityPoolId })
+      .promise()
+
+  } catch (err) {
+    errorLog.generateAwsErrorLog({
+      functionName: 'cognitoIdentityPool:getIdentityPoolRoles',
+      err,
+    })
+  }
+  return null
+}
+
 const listIdentityPoolData = async ({
   cogId,
   region,
@@ -106,8 +129,13 @@ const listIdentityPoolData = async ({
       cogId,
       IdentityPoolId: identityPoolId.IdentityPoolId,
     })
+    const identityPoolRoles = await getIdentityPoolRoles({
+      cogId,
+      IdentityPoolId: identityPoolId.IdentityPoolId,
+    })
     identityPoolData.push({
       ...identityPool,
+      identityPoolRoles,
       region,
     })
   }

src/services/cognitoIdentityPool/data.ts

@@ -1,10 +1,12 @@
-import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity';
-import cuid from 'cuid';
+import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity'
+import cuid from 'cuid'
 import t from '../../properties/translations'
-
-import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated';
-import { formatTagsFromMap } from '../../utils/format';
-import { RawAwsCognitoIdentityPool } from './data';
+import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+import { RawAwsCognitoIdentityPool } from './data'
+import {
+  cognitoIdentityPoolArn,
+} from '../../utils/generateArns'
 
 /**
  * Cognito Identity Pool
@@ -53,9 +55,12 @@ export default ({
     serverSideTokenCheck: serverSideTokenCheck? t.yes : t.no,
   })) || []
 
+  const arn = cognitoIdentityPoolArn({ region, account, identityPoolId })
+
   const identityPool  = {
     id: identityPoolId,
     accountId: account,
+    arn,
     identityPoolName,
     allowUnauthenticatedIdentities: allowUnauthenticatedIdentities? t.yes : t.no,
     allowClassicFlow: allowClassicFlow? t.yes : t.no,

src/services/cognitoIdentityPool/format.ts

@@ -2,15 +2,15 @@ import { Service } from '@cloudgraph/sdk';
 import BaseService from '../base';
 import format from './format';
 import getData from './data';
-// import getConnections from './connections'
+import getConnections from './connections'
 import mutation from './mutation';
 
 export default class AwsCognitoIdentityPool extends BaseService implements Service {
   format = format.bind(this);
 
   getData = getData.bind(this);
 
-  // getConnections = getConnections.bind(this)
+  getConnections = getConnections.bind(this)
 
   mutation = mutation;
 }

src/services/cognitoIdentityPool/index.ts

@@ -22,6 +22,7 @@ type awsCognitoIdentityProviders
 
 type awsCognitoIdentityPool @key(fields: "id") {
   id: String! @id @search(by: [hash])
+  arn: String! @search(by: [hash])
   accountId: String! @search(by: [hash])
   region: String @search(by: [hash, regexp])
   identityPoolName: String @search(by: [hash, regexp])
@@ -33,8 +34,8 @@ type awsCognitoIdentityPool @key(fields: "id") {
   cognitoIdentityProviders: [awsCognitoIdentityProviders]
   samlProviderARNs: [String] @search
   tags: [awsRawTag]
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cognitoIdentityPool)
+  iamRoles: [awsIamRole] @hasInverse(field: awsCognitoIdentityPool)
+  iamOpenIdConnectProviders: [awsIamOpenIdConnectProvider] @hasInverse(field: awsCognitoIdentityPool)
+  iamSamlProviders: [awsIamSamlProvider] @hasInverse(field: awsCognitoIdentityPool)
 }
-
-# TODO: add an arn for identity pool see here: https://docs.aws.amazon.com/cognito/latest/developerguide/security_iam_service-with-iam.html
-#TODO: add connections to iamSamlProvider and iamOpenIdConnectProvider
-#TODO: try to add connection to iam role using getIdentityPoolRoles 

src/services/cognitoIdentityPool/schema.graphql

@@ -124,4 +124,5 @@ type awsCognitoUserPool implements awsBaseService @key(fields: "id") {
   kms: [awsKms] @hasInverse(field: cognitoUserPools)
   ses: [awsSes] @hasInverse(field: cognitoUserPools)
   iamRole: [awsIamRole] @hasInverse(field: cognitoUserPools)
-}
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cognitoUserPool)
+}