fix: Added missing connections to RDS DB Instance

Author: Marco Franceschi

README.md

@@ -14,6 +14,7 @@ type awsCloudwatchLog @key(fields: "arn") {
   cloudwatch: [awsCloudwatch] @hasInverse(field: cloudwatchLog)
   cloudtrail: [awsCloudtrail] @hasInverse(field: cloudwatchLog)
   ecsCluster: [awsEcsCluster] @hasInverse(field: cloudwatchLog)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: cloudwatchLogs)
 }
 
 type awsMetricFilter

src/services/cloudwatchLogs/schema.graphql

@@ -33,4 +33,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   cloudFormationStackSet: [awsCloudFormationStackSet]
     @hasInverse(field: iamRoles)
   asg: [awsAsg] @hasInverse(field: iamRole)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: iamRoles)
 }

src/services/iamRole/schema.graphql

@@ -4,6 +4,12 @@ import { SecurityGroup } from 'aws-sdk/clients/ec2'
 import { DBInstance } from 'aws-sdk/clients/rds'
 import { RawAwsSubnet } from '../subnet/data'
 import services from '../../enums/services'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
+import { AwsKms } from '../kms/data'
+import { RawAwsLogGroup } from '../cloudwatchLogs/data'
+import { RawAwsRoute53HostedZone } from '../route53HostedZone/data'
+import { getHostedZoneId } from '../../utils/ids'
 
 export default ({
   service,
@@ -17,7 +23,19 @@ export default ({
   [property: string]: ServiceConnection[]
 } => {
   const connections: ServiceConnection[] = []
-  const { DBInstanceArn: id, VpcSecurityGroups, DBSubnetGroup, KmsKeyId } = service
+  const {
+    DBInstanceArn: id,
+    VpcSecurityGroups,
+    DBSubnetGroup,
+    MonitoringRoleArn: monitoringRoleArn,
+    AssociatedRoles: associatedRoles = [],
+    PerformanceInsightsKMSKeyId,
+    KmsKeyId,
+    ActivityStreamKmsKeyId,
+    DomainMemberships,
+    EnhancedMonitoringResourceArn,
+    Endpoint,
+  } = service
 
   const sgIds = VpcSecurityGroups.map(
     ({ VpcSecurityGroupId }) => VpcSecurityGroupId
@@ -73,13 +91,70 @@ export default ({
     }
   }
 
+  /**
+   * Find Cloudwatch Logs
+   */
+  const cloudwatchLogs = data.find(
+    ({ name }) => name === services.cloudwatchLog
+  )
+  if (cloudwatchLogs?.data?.[region]) {
+    // Search the correspondent cloudwatch log group name for the rds logs
+    // e.g. enhancedMonitoringArn arn:aws:logs:us-east-1::log-group:RDSOSMetrics:log-stream:db-databaseid
+    // belongs to cloudwatchLogs group arn arn:aws:logs:us-east-1::log-group:RDSOSMetrics:*
+    const cloudwatchLogsInRegion = cloudwatchLogs.data[region].filter(
+      ({ arn }: RawAwsLogGroup) =>
+        arn &&
+        EnhancedMonitoringResourceArn?.includes(
+          arn.substring(0, arn.length - 1)
+        )
+    )
+    if (!isEmpty(cloudwatchLogsInRegion)) {
+      for (const cloudwatchLog of cloudwatchLogsInRegion) {
+        connections.push({
+          id: cloudwatchLog.logGroupName,
+          resourceType: services.cloudwatchLog,
+          relation: 'child',
+          field: 'cloudwatchLogs',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find Route53 Hosted Zone
+   */
+  const route53HostedZones = data.find(
+    ({ name }) => name === services.route53HostedZone
+  )
+  if (route53HostedZones?.data?.[globalRegionName]) {
+    const route53HostedZonesInRegion = route53HostedZones.data[
+      globalRegionName
+    ].filter(
+      ({ Id }: RawAwsRoute53HostedZone) =>
+        Endpoint?.HostedZoneId && Id.includes(Endpoint.HostedZoneId)
+    )
+    if (!isEmpty(route53HostedZonesInRegion)) {
+      for (const route53HostedZone of route53HostedZonesInRegion) {
+        connections.push({
+          id: getHostedZoneId(route53HostedZone.Id),
+          resourceType: services.route53HostedZone,
+          relation: 'child',
+          field: 'route53HostedZone',
+        })
+      }
+    }
+  }
+
   /**
    * Find KMS
    */
   const kmsKeys = data.find(({ name }) => name === services.kms)
   if (kmsKeys?.data?.[region]) {
     const kmsKeyInRegion = kmsKeys.data[region].filter(
-      kmsKey => kmsKey.Arn === KmsKeyId
+      ({ Arn }) =>
+        Arn === KmsKeyId ||
+        Arn === ActivityStreamKmsKeyId ||
+        Arn === PerformanceInsightsKMSKeyId
     )
     if (!isEmpty(kmsKeyInRegion)) {
       for (const kms of kmsKeyInRegion) {
@@ -93,8 +168,38 @@ export default ({
     }
   }
 
+  /**
+   * Find IAM Role
+   * related to this RDS Cluster
+   */
+  const iamRoles: {
+    name: string
+    data: { [property: string]: RawAwsIamRole[] }
+  } = data.find(({ name }) => name === services.iamRole)
+
+  if (iamRoles?.data?.[globalRegionName]) {
+    const iamRolesInRegion: RawAwsIamRole[] = iamRoles.data[
+      globalRegionName
+    ].filter(
+      ({ Arn, RoleName }: RawAwsIamRole) =>
+        Arn === monitoringRoleArn ||
+        associatedRoles.find(r => r.RoleArn === Arn) ||
+        DomainMemberships.find(d => d.IAMRoleName === RoleName)
+    )
+    if (!isEmpty(iamRolesInRegion)) {
+      for (const instance of iamRolesInRegion) {
+        connections.push({
+          id: instance.Arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRoles',
+        })
+      }
+    }
+  }
+
   const rdsDbInstanceResult = {
     [id]: connections,
   }
   return rdsDbInstanceResult
-}
+}

src/services/rdsDbInstance/connections.ts

@@ -35,9 +35,7 @@ type awsRdsDbInstance implements awsBaseService @key(fields: "arn") {
   securityGroups: [awsSecurityGroup] @hasInverse(field: rdsDbInstance)
   subnet: [awsSubnet] @hasInverse(field: rdsDbInstance)
   vpc: [awsVpc] @hasInverse(field: rdsDbInstance)
+  cloudwatchLogs: [awsCloudwatchLog] @hasInverse(field: rdsDbInstance)
+  route53HostedZone: [awsRoute53HostedZone] @hasInverse(field: rdsDbInstance)
+  iamRoles: [awsIamRole] @hasInverse(field: rdsDbInstance)
 }
-
-#TODO: add connection to route53HostedZone using hostedZoneId in Endpoint
-# TODO: add connection to kms using kmsKeyId AND PerformanceInsightsKMSKeyId AND ActivityStreamKmsKeyId
-# TODO: add connection to IAM role using DomainMembership AND MonitoringRoleArn AND AssociatedRoles
-# TODO: add connection to cloudwatchLog using EnhancedMonitoringResourceArn

src/services/rdsDbInstance/schema.graphql

@@ -17,6 +17,7 @@ import awsLoggerText from '../../properties/logger'
 import { initTestEndpoint, setAwsRetryOptions } from '../../utils'
 import AwsErrorLog from '../../utils/errorLog'
 import { ROUTE_53_CUSTOM_DELAY } from '../../config/constants'
+import { globalRegionName } from '../../enums/regions'
 
 const lt = { ...awsLoggerText }
 const { logger } = CloudGraph
@@ -128,7 +129,7 @@ export const getHostedZoneData = async (
               ...data.HostedZone,
               DelegationSet: data.DelegationSet,
               VPCs: data.VPCs,
-              region: 'global',
+              region: globalRegionName,
             })
 
             return resolveZone()

src/services/route53HostedZone/data.ts

@@ -6,4 +6,5 @@ type awsRoute53HostedZone implements awsBaseService @key(fields: "arn") {
   rdsCluster: [awsRdsCluster] @hasInverse(field: route53HostedZone)
   route53Record: [awsRoute53Record] @hasInverse(field: route53HostedZone) #change to plural
   vpc: [awsVpc] @hasInverse(field: route53HostedZone)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: route53HostedZone)
 }

src/services/route53HostedZone/schema.graphql

@@ -21,6 +21,7 @@ import {
 } from '../route53HostedZone/data'
 import { ROUTE_53_CUSTOM_DELAY } from '../../config/constants'
 import services from '../../enums/services'
+import { globalRegionName } from '../../enums/regions'
 
 const lt = { ...awsLoggerText }
 const { logger } = CloudGraph
@@ -115,7 +116,7 @@ const listRecordsForHostedZone = async ({
        * If there are not, then add the records to the zone's records
        */
       for (const record of records) {
-        recordData.push({ ...record, HostedZoneId, region: 'global' })
+        recordData.push({ ...record, HostedZoneId, region: globalRegionName })
       }
 
       /**

src/services/route53Record/data.ts

@@ -922,6 +922,7 @@ export type AwsCloudwatchLog = {
   kmsKeyId?: Maybe<Scalars['String']>;
   metricFilterCount?: Maybe<Scalars['Int']>;
   metricFilters?: Maybe<Array<Maybe<AwsMetricFilter>>>;
+  rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   region?: Maybe<Scalars['String']>;
   retentionInDays?: Maybe<Scalars['Int']>;
   storedBytes?: Maybe<Scalars['String']>;
@@ -3079,8 +3080,8 @@ export type AwsIamRole = AwsBaseService & {
   maxSessionDuration?: Maybe<Scalars['Int']>;
   name?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
-  rdsClusterIamRoles?: Maybe<Array<Maybe<AwsRdsCluster>>>;
-  rdsClusterMonitoringRole?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsCluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   s3?: Maybe<Array<Maybe<AwsS3>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
   systemsManagerInstances?: Maybe<Array<Maybe<AwsSystemsManagerInstance>>>;
@@ -3213,10 +3214,7 @@ export type AwsKms = AwsBaseService & {
   origin?: Maybe<Scalars['String']>;
   policy?: Maybe<AwsIamJsonPolicy>;
   rdsCluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
-  rdsClusterActivityStream?: Maybe<Array<Maybe<AwsRdsCluster>>>;
-  rdsClusterPerformanceInsights?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsClusterSnapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
-  rdsClusterStorageEncryption?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   redshiftCluster?: Maybe<Array<Maybe<AwsRedshiftCluster>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
@@ -3505,7 +3503,6 @@ export type AwsRawTag = {
 };
 
 export type AwsRdsCluster = AwsBaseService & {
-  activityStreamKms?: Maybe<Array<Maybe<AwsKms>>>;
   allocatedStorage?: Maybe<Scalars['Int']>;
   appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
   backupRetentionPeriod?: Maybe<Scalars['Int']>;
@@ -3532,10 +3529,8 @@ export type AwsRdsCluster = AwsBaseService & {
   instances?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   kms?: Maybe<Array<Maybe<AwsKms>>>;
   kmsKey?: Maybe<Scalars['String']>;
-  monitoringIamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   multiAZ?: Maybe<Scalars['Boolean']>;
   percentProgress?: Maybe<Scalars['String']>;
-  performanceInsightsKms?: Maybe<Array<Maybe<AwsKms>>>;
   port?: Maybe<Scalars['Int']>;
   readerEndpoint?: Maybe<Scalars['String']>;
   replicationSourceIdentifier?: Maybe<Scalars['String']>;
@@ -3544,7 +3539,6 @@ export type AwsRdsCluster = AwsBaseService & {
   securityGroups?: Maybe<Array<Maybe<AwsSecurityGroup>>>;
   snapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
   status?: Maybe<Scalars['String']>;
-  storageEncryptedKms?: Maybe<Array<Maybe<AwsKms>>>;
   subnets?: Maybe<Array<Maybe<AwsSubnet>>>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
   username?: Maybe<Scalars['String']>;
@@ -3591,6 +3585,7 @@ export type AwsRdsDbInstance = AwsBaseService & {
   autoMinorVersionUpgrade?: Maybe<Scalars['Boolean']>;
   availabilityZone?: Maybe<Scalars['String']>;
   certificateAuthority?: Maybe<Scalars['String']>;
+  cloudwatchLogs?: Maybe<Array<Maybe<AwsCloudwatchLog>>>;
   cluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   copyTagsToSnapshot?: Maybe<Scalars['Boolean']>;
   createdTime?: Maybe<Scalars['String']>;
@@ -3602,6 +3597,7 @@ export type AwsRdsDbInstance = AwsBaseService & {
   failoverPriority?: Maybe<Scalars['Int']>;
   hostedZoneId?: Maybe<Scalars['String']>;
   iamDbAuthenticationEnabled?: Maybe<Scalars['Boolean']>;
+  iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
   instanceClass?: Maybe<Scalars['String']>;
   kms?: Maybe<Array<Maybe<AwsKms>>>;
   kmsKey?: Maybe<Scalars['String']>;
@@ -3614,6 +3610,7 @@ export type AwsRdsDbInstance = AwsBaseService & {
   port?: Maybe<Scalars['Int']>;
   publiclyAccessible?: Maybe<Scalars['Boolean']>;
   resourceId?: Maybe<Scalars['String']>;
+  route53HostedZone?: Maybe<Array<Maybe<AwsRoute53HostedZone>>>;
   securityGroups?: Maybe<Array<Maybe<AwsSecurityGroup>>>;
   status?: Maybe<Scalars['String']>;
   storageType?: Maybe<Scalars['String']>;
@@ -3688,6 +3685,7 @@ export type AwsRoute53HostedZone = AwsBaseService & {
   name?: Maybe<Scalars['String']>;
   nameServers?: Maybe<Array<Maybe<Scalars['String']>>>;
   rdsCluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   route53Record?: Maybe<Array<Maybe<AwsRoute53Record>>>;
   vpc?: Maybe<Array<Maybe<AwsVpc>>>;
 };