feat(service): Add AWS service iamInstanceProfile

Author: m-pizarro

README.md

@@ -115,13 +115,14 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | glueJob                     | iamRole                                                                                                                                                   |
 | glueRegistry                     |                                                                                                                                                  |
 | guardDutyDetector                     | iamRole                                                                                                                                                  |
+| iamInstanceProfile          | iamRole                                                                                                                                                      |
 | iamPasswordPolicy           |                                                                                                                                                                                            |
 | iamSamlProvider             |                                                                                                                                                                                            |
 | iamOpenIdConnectProvider    |                                                                                                                                                                                            |
 | iamServerCertificate        |                                                                                                                                                                                            |
 | iamUser                     | iamGroup                                                                                                                                                                                   |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                          |
-| iamRole                     | codebuild, configurationRecorder, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector                                                                                                                                                 |
+| iamRole                     | codebuild, configurationRecorder, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector                                                                                                                                                 |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                         |
 | igw                         | vpc                                                                                                                                                                                        |
 | iot                         |                                                                                                                                                                                            |

src/enums/schemasMap.ts

@@ -62,6 +62,7 @@ export default {
   [services.iamPolicy]: 'awsIamPolicy',
   [services.iamSamlProvider]: 'awsIamSamlProvider',
   [services.iamServerCertificate]: 'awsIamServerCertificate',
+  [services.iamInstanceProfile]: 'awsIamInstanceProfile',
   [services.igw]: 'awsIgw',
   [services.iot]: 'awsIotThingAttribute',
   [services.kinesisFirehose]: 'awsKinesisFirehose',

src/enums/serviceAliases.ts

@@ -43,6 +43,7 @@ export default {
   [services.iamRole]: 'iamRoles',
   [services.iamSamlProvider]: 'iamSamlProviders',
   [services.iamServerCertificate]: 'iamServerCertificates',
+  [services.iamInstanceProfile]: 'iamInstanceProfiles',
   [services.iamUser]: 'iamUsers',
   [services.kinesisStream]: 'kinesisStreams',
   [services.lambda]: 'lambdaFunctions',

src/enums/serviceMap.ts

@@ -66,6 +66,7 @@ import IamPasswordPolicy from '../services/iamPasswordPolicy'
 import IamSamlProvider from '../services/iamSamlProvider'
 import IamOpenIdConnectProvider from '../services/iamOpenIdConnectProvider'
 import IamServerCertificate from '../services/iamServerCertificate'
+import IamInstanceProfile from '../services/iamInstanceProfile'
 import SNS from '../services/sns'
 import EKSCluster from '../services/eksCluster'
 import Cloud9Environment from '../services/cloud9'
@@ -178,6 +179,7 @@ export default {
   [services.iamSamlProvider]: IamSamlProvider,
   [services.iamOpenIdConnectProvider]: IamOpenIdConnectProvider,
   [services.iamServerCertificate]: IamServerCertificate,
+  [services.iamInstanceProfile]: IamInstanceProfile,
   [services.sns]: SNS,
   [services.ecsCluster]: EcsCluster,
   [services.ecsContainer]: EcsContainer,

src/enums/services.ts

@@ -56,6 +56,7 @@ export default {
   iamSamlProvider: 'iamSamlProvider',
   iamOpenIdConnectProvider: 'iamOpenIdConnectProvider',
   iamServerCertificate: 'iamServerCertificate',
+  iamInstanceProfile: 'iamInstanceProfile',
   igw: 'igw',
   iot: 'iot',
   kinesisFirehose: 'kinesisFirehose',

src/properties/logger.ts

@@ -37,6 +37,8 @@ export default {
   lookingForIamServerCertificates: 'Looking for IAM Server Certificates to add',
   foundServerCertificates: (num: number): string =>
     `Found ${num} Server Certificates to add`,
+  foundInstanceProfiles: (num: number): string =>
+    `Found ${num} Instance Profiles to add`,
   /**
    * CloudFormation
    */

src/services/account/schema.graphql

@@ -58,6 +58,7 @@ type awsAccount @key(fields: "id") {
   iamSamlProviders: [awsIamSamlProvider]
   iamServerCertificates: [awsIamServerCertificate]
   iamUsers: [awsIamUser]
+  iamInstanceProfiles: [awsIamInstanceProfile]
   igw: [awsIgw]
   iot: [awsIotThingAttribute]
   kinesisFirehose: [awsKinesisFirehose]

src/services/iamInstanceProfile/connections.ts

@@ -0,0 +1,57 @@
+import { ServiceConnection } from '@cloudgraph/sdk'
+import isEmpty from 'lodash/isEmpty'
+import services from '../../enums/services'
+import { RawAwsInstanceProfile } from './data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
+
+/**
+ * IAM Instance Profiles
+ */
+
+export default ({
+  service: instanceProfile,
+  data,
+}: {
+  data: { name: string; data: { [property: string]: any[] } }[]
+  service: RawAwsInstanceProfile
+  account: string
+  region: string
+}): { [key: string]: ServiceConnection[] } => {
+  const connections: ServiceConnection[] = []
+
+  const { InstanceProfileId: id, Roles: instanceProfileRoles } = instanceProfile
+
+  /**
+   * Find related IAM Roles
+   */
+
+  const rolesArn = instanceProfileRoles?.map(({ Arn }) => Arn)
+
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+      ({ Arn }: RawAwsIamRole) => rolesArn.includes(Arn)
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: arn  } = instance
+
+        connections.push({
+          id: arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRole',
+        })
+      }
+    }
+  }
+
+  const result = {
+    [id]: connections,
+  }
+
+  return result
+}

src/services/iamInstanceProfile/data.ts

@@ -0,0 +1,159 @@
+import CloudGraph from '@cloudgraph/sdk'
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import IAM, {
+  InstanceProfile,
+  ListInstanceProfilesRequest,
+  ListInstanceProfilesResponse,
+  ListInstanceProfileTagsResponse,
+} from 'aws-sdk/clients/iam'
+
+import { Config } from 'aws-sdk/lib/config'
+import { AWSError } from 'aws-sdk/lib/error'
+import { convertAwsTagsToTagMap } from '../../utils/format'
+import { AwsTag, TagMap } from '../../types'
+
+import awsLoggerText from '../../properties/logger'
+import { initTestEndpoint, setAwsRetryOptions } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import { globalRegionName } from '../../enums/regions'
+
+import {
+  IAM_CUSTOM_DELAY,
+  MAX_FAILED_AWS_REQUEST_RETRIES,
+} from '../../config/constants'
+
+const lt = { ...awsLoggerText }
+const { logger } = CloudGraph
+const serviceName = 'IAM Instace Profile'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+const customRetrySettings = setAwsRetryOptions({
+  maxRetries: MAX_FAILED_AWS_REQUEST_RETRIES,
+  baseDelay: IAM_CUSTOM_DELAY,
+})
+
+export const listInstancesProfiles = async (
+  iam: IAM
+): Promise<InstanceProfile[]> =>
+  new Promise(resolve => {
+    const instanceProfileList: InstanceProfile[] = []
+    let args: ListInstanceProfilesRequest = {}
+    const listAllInstanceProfiles = (marker?: string) => {
+      if (marker) {
+        args = { ...args, Marker: marker }
+      }
+      try {
+        iam.listInstanceProfiles(
+          args,
+          async (err: AWSError, data: ListInstanceProfilesResponse) => {
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'iam:listInstanceProfiles',
+                err,
+              })
+            }
+
+            const { InstanceProfiles = [], IsTruncated, Marker } = data
+
+            instanceProfileList.push(...InstanceProfiles)
+
+            if (IsTruncated) {
+              listAllInstanceProfiles(Marker)
+            }
+
+            resolve(instanceProfileList)
+          }
+        )
+      } catch (error) {
+        resolve([])
+      }
+    }
+    listAllInstanceProfiles()
+  })
+
+export const getTags = async ({
+  iam,
+  name,
+}: {
+  iam: IAM
+  name: string
+}): Promise<TagMap> =>
+  new Promise(resolve => {
+    try {
+      iam.listInstanceProfileTags(
+        { InstanceProfileName: name },
+        (err: AWSError, data: ListInstanceProfileTagsResponse) => {
+          if (err) {
+            errorLog.generateAwsErrorLog({
+              functionName: 'iam:listInstanceProfileTags',
+              err,
+            })
+            resolve({})
+          }
+          const { Tags = [] } = data || {}
+          resolve(convertAwsTagsToTagMap(Tags as AwsTag[]))
+        }
+      )
+    } catch (error) {
+      resolve({})
+    }
+  })
+
+/**
+ * IAM Instance Profile
+ */
+
+export interface RawAwsInstanceProfile extends Omit<InstanceProfile, 'Tags'> {
+  region: string
+  Tags?: TagMap
+}
+
+export default async ({
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{
+  [region: string]: RawAwsInstanceProfile[]
+}> =>
+  new Promise(async resolve => {
+    const instancesProfilesResult: RawAwsInstanceProfile[] = []
+    const tagsPromises = []
+
+    const client = new IAM({
+      ...config,
+      region: globalRegionName,
+      endpoint,
+      ...customRetrySettings,
+    })
+
+    const instancesProfiles = await listInstancesProfiles(client)
+
+    if (!isEmpty(instancesProfiles)) {
+      instancesProfiles.map(
+        ({ Tags, InstanceProfileName, ...instancesProfile }, idx) => {
+          instancesProfilesResult.push({
+            InstanceProfileName,
+            ...instancesProfile,
+            region: globalRegionName,
+          })
+
+          const tagsPromise = new Promise<void>(async resolveTags => {
+            instancesProfilesResult[idx].Tags = await getTags({
+              iam: client,
+              name: InstanceProfileName,
+            })
+            resolveTags()
+          })
+          tagsPromises.push(tagsPromise)
+        }
+      )
+    }
+
+    logger.debug(lt.foundInstanceProfiles(instancesProfiles.length))
+    await Promise.all(tagsPromises)
+    errorLog.reset()
+
+    resolve(groupBy(instancesProfilesResult, 'region'))
+  })

src/services/iamInstanceProfile/format.ts

@@ -0,0 +1,37 @@
+import { AwsIamRole } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+
+import { RawAwsInstanceProfile } from './data'
+
+/**
+ * IAM Instance Profile
+ */
+
+export default ({
+  service: rawData,
+  account,
+}: {
+  service: RawAwsInstanceProfile
+  account: string
+  region: string
+}): AwsIamRole => {
+  const {
+    InstanceProfileId: instanceProfileId,
+    InstanceProfileName: instanceProfileName = '',
+    Arn: arn = '',
+    Path: path = '',
+    CreateDate: createDate,
+    Tags: tags = {},
+  } = rawData
+
+  const role = {
+    id: instanceProfileId,
+    arn,
+    accountId: account,
+    path,
+    name: instanceProfileName,
+    createDate: createDate?.toISOString(),
+    tags: formatTagsFromMap(tags),
+  }
+  return role
+}