Merge pull request #30 from cloudgraphdev/feature/CG-1058

Christopher Brandt · web-flow · commit 25b03d1d4782 · 2022-04-14T08:09:08.000-07:00
feat(cognitoIdentityPool): add iamRole/iamOpenIdConnectProvider/iamSa…
diff --git a/README.md b/README.md
@@ -85,7 +85,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | cloudwatch                  | cloudtrail, cloudwatchLog, sns                                                                                                                                                                                                                                                                                                               |
 | cloudwatchLog               | cloudtrail, cloudwatch, ecsCluster, kms, managedAirflow, rdsDbInstance                                                                                                                                                                                                                                                                       |
 | codebuild                   | iamRole, kms, vpc, securityGroup, subnet                                                                                                                                                                                                                                                                                                     |
-| cognitoIdentityPool         |                                                                                                                                                                                                                                                                                                                                              |
+| cognitoIdentityPool         | iamRole, iamOpenIdConnectProvider, iamSamlProvider                                                                                                                                                                                                                                                                                                                                |
 | cognitoUserPool             | appSync, lambda                                                                                                                                                                                                                                                                                                                              |
 | configurationRecorder       | iamRole                                                                                                                                                                                                                                                                                                                                      |
 | customerGateway             | vpnConnection                                                                                                                                                                                                                                                                                                                                |
@@ -119,12 +119,12 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | guardDutyDetector           | iamRole                                                                                                                                                                                                                                                                                                                                      |
 | iamInstanceProfile          | ec2, iamRole                                                                                                                                                                                                                                                                                                                                 |
 | iamPasswordPolicy           |                                                                                                                                                                                                                                                                                                                                              |
-| iamSamlProvider             |                                                                                                                                                                                                                                                                                                                                              |
-| iamOpenIdConnectProvider    |                                                                                                                                                                                                                                                                                                                                              |
+| iamSamlProvider             | cognitoIdentityPool                                                                                                                                                                                                                                                                                                                                             |
+| iamOpenIdConnectProvider    | cognitoIdentityPool                                                                                                                                                                                                                                                                                                                                             |
 | iamServerCertificate        |                                                                                                                                                                                                                                                                                                                                              |
 | iamUser                     | iamGroup                                                                                                                                                                                                                                                                                                                                     |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                                                                                                                                                                            |
-| iamRole                     | appSync, asg, cloudformationStackSet, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv |
+| iamRole                     | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                                                                                                                                                                           |
 | igw                         | vpc                                                                                                                                                                                                                                                                                                                                          |
 | iot                         |                                                                                                                                                                                                                                                                                                                                              |
diff --git a/src/services/cognitoIdentityPool/connections.ts b/src/services/cognitoIdentityPool/connections.ts
@@ -1 +1,104 @@
-// TODO Add Optional IAM saml provider
+import { ServiceConnection } from '@cloudgraph/sdk'
+import { isEmpty } from 'lodash'
+import services from '../../enums/services'
+import { RawAwsCognitoIdentityPool } from './data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
+
+/**
+ * Cognito Identity Pool
+ */
+
+export default ({
+  service: identityPool,
+  data,
+  region,
+}: {
+  data: { name: string; data: { [property: string]: any[] } }[]
+  service: RawAwsCognitoIdentityPool
+  region: string
+}): { [key: string]: ServiceConnection[] } => {
+  const connections: ServiceConnection[] = []
+
+  const {
+    IdentityPoolId: id,
+    identityPoolRoles,
+    SamlProviderARNs = [],
+    OpenIdConnectProviderARNs = [],
+  } = identityPool
+
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+
+  const iamRoleArns = Object.values(identityPoolRoles?.Roles || {})
+
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(role =>
+      iamRoleArns.includes(role.Arn)
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: arn }: RawAwsIamRole = instance
+
+        connections.push({
+          id: arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRoles',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamSamlProvider
+   * related to this cognito identity pool
+   */
+  const iamSamlProviders = data.find(({ name }) => name === services.iamSamlProvider)
+  if (iamSamlProviders?.data?.[region]) {
+    const dataInRegion = iamSamlProviders.data[region].filter(provider =>
+      SamlProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamSamlProvider,
+          relation: 'child',
+          field: 'iamSamlProviders',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamOpenIdConnectProvider
+   * related to this cognito identity pool
+   */
+  const iamOpenIdConnectProviders = data.find(({ name }) => name === services.iamOpenIdConnectProvider)
+  if (iamOpenIdConnectProviders?.data?.[region]) {
+    const dataInRegion = iamOpenIdConnectProviders.data[region].filter(provider =>
+      OpenIdConnectProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamOpenIdConnectProvider,
+          relation: 'child',
+          field: 'iamOpenIdConnectProviders',
+        })
+      }
+    }
+  }
+
+  const identityPoolResult = {
+    [id]: connections,
+  }
+  return identityPoolResult
+}
diff --git a/src/services/cognitoIdentityPool/data.ts b/src/services/cognitoIdentityPool/data.ts
@@ -1,6 +1,7 @@
 import COGID, {
   IdentityPool,
   IdentityPoolShortDescription,
+  GetIdentityPoolRolesResponse,
 } from 'aws-sdk/clients/cognitoidentity'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -25,6 +26,7 @@ const MAX_RESULTS = 60
 
 export interface RawAwsCognitoIdentityPool
   extends Omit<IdentityPool, 'IdentityPoolTags'> {
+  identityPoolRoles: GetIdentityPoolRolesResponse
   region: string
   Tags: TagMap
 }
@@ -91,6 +93,27 @@ const describeIdentityPool = async ({
   return null
 }
 
+const getIdentityPoolRoles = async ({
+  cogId,
+  IdentityPoolId,
+}: {
+  cogId: COGID
+  IdentityPoolId: string
+}): Promise<GetIdentityPoolRolesResponse> => {
+  try {
+    return await cogId
+      .getIdentityPoolRoles({ IdentityPoolId })
+      .promise()
+
+  } catch (err) {
+    errorLog.generateAwsErrorLog({
+      functionName: 'cognitoIdentityPool:getIdentityPoolRoles',
+      err,
+    })
+  }
+  return null
+}
+
 const listIdentityPoolData = async ({
   cogId,
   region,
@@ -106,8 +129,13 @@ const listIdentityPoolData = async ({
       cogId,
       IdentityPoolId: identityPoolId.IdentityPoolId,
     })
+    const identityPoolRoles = await getIdentityPoolRoles({
+      cogId,
+      IdentityPoolId: identityPoolId.IdentityPoolId,
+    })
     identityPoolData.push({
       ...identityPool,
+      identityPoolRoles,
       region,
     })
   }
diff --git a/src/services/cognitoIdentityPool/format.ts b/src/services/cognitoIdentityPool/format.ts
@@ -1,10 +1,12 @@
-import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity';
-import cuid from 'cuid';
+import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity'
+import cuid from 'cuid'
 import t from '../../properties/translations'
-
-import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated';
-import { formatTagsFromMap } from '../../utils/format';
-import { RawAwsCognitoIdentityPool } from './data';
+import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+import { RawAwsCognitoIdentityPool } from './data'
+import {
+  cognitoIdentityPoolArn,
+} from '../../utils/generateArns'
 
 /**
  * Cognito Identity Pool
@@ -53,9 +55,12 @@ export default ({
     serverSideTokenCheck: serverSideTokenCheck? t.yes : t.no,
   })) || []
 
+  const arn = cognitoIdentityPoolArn({ region, account, identityPoolId })
+
   const identityPool  = {
     id: identityPoolId,
     accountId: account,
+    arn,
     identityPoolName,
     allowUnauthenticatedIdentities: allowUnauthenticatedIdentities? t.yes : t.no,
     allowClassicFlow: allowClassicFlow? t.yes : t.no,
diff --git a/src/services/cognitoIdentityPool/index.ts b/src/services/cognitoIdentityPool/index.ts
@@ -2,15 +2,15 @@ import { Service } from '@cloudgraph/sdk';
 import BaseService from '../base';
 import format from './format';
 import getData from './data';
-// import getConnections from './connections'
+import getConnections from './connections'
 import mutation from './mutation';
 
 export default class AwsCognitoIdentityPool extends BaseService implements Service {
   format = format.bind(this);
 
   getData = getData.bind(this);
 
-  // getConnections = getConnections.bind(this)
+  getConnections = getConnections.bind(this)
 
   mutation = mutation;
 }
diff --git a/src/services/cognitoIdentityPool/schema.graphql b/src/services/cognitoIdentityPool/schema.graphql
@@ -22,6 +22,7 @@ type awsCognitoIdentityProviders
 
 type awsCognitoIdentityPool @key(fields: "id") {
   id: String! @id @search(by: [hash])
+  arn: String! @search(by: [hash])
   accountId: String! @search(by: [hash])
   region: String @search(by: [hash, regexp])
   identityPoolName: String @search(by: [hash, regexp])
@@ -33,8 +34,7 @@ type awsCognitoIdentityPool @key(fields: "id") {
   cognitoIdentityProviders: [awsCognitoIdentityProviders]
   samlProviderARNs: [String] @search
   tags: [awsRawTag]
+  iamRoles: [awsIamRole] @hasInverse(field: awsCognitoIdentityPool)
+  iamOpenIdConnectProviders: [awsIamOpenIdConnectProvider] @hasInverse(field: awsCognitoIdentityPool)
+  iamSamlProviders: [awsIamSamlProvider] @hasInverse(field: awsCognitoIdentityPool)
 }
-
-# TODO: add an arn for identity pool see here: https://docs.aws.amazon.com/cognito/latest/developerguide/security_iam_service-with-iam.html
-#TODO: add connections to iamSamlProvider and iamOpenIdConnectProvider
-#TODO: try to add connection to iam role using getIdentityPoolRoles 
diff --git a/src/services/iamOpenIdConnectProvider/schema.graphql b/src/services/iamOpenIdConnectProvider/schema.graphql
@@ -4,4 +4,5 @@ type awsIamOpenIdConnectProvider @key(fields: "id") {
   accountId: String! @search(by: [hash, regexp])
   region: String @search(by: [hash, regexp])
   cgId: String @search(by: [hash, regexp])
+  awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamOpenIdConnectProviders)
 }
diff --git a/src/services/iamRole/schema.graphql b/src/services/iamRole/schema.graphql
@@ -35,5 +35,6 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   cloudFormationStackSet: [awsCloudFormationStackSet]
     @hasInverse(field: iamRoles)
   asg: [awsAsg] @hasInverse(field: iamRole)
+  awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamRoles)
   rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: iamRoles)
 }
diff --git a/src/services/iamSamlProvider/schema.graphql b/src/services/iamSamlProvider/schema.graphql
@@ -1,4 +1,5 @@
 type awsIamSamlProvider implements awsOptionalService @key(fields: "id") {
   validUntil: String @search(by: [hash, regexp])
   createdDate: String @search(by: [hash, regexp])
+  awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamSamlProviders)
 }
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -1119,8 +1119,12 @@ export type AwsCognitoIdentityPool = {
   accountId: Scalars['String'];
   allowClassicFlow?: Maybe<Scalars['String']>;
   allowUnauthenticatedIdentities?: Maybe<Scalars['String']>;
+  arn: Scalars['String'];
   cognitoIdentityProviders?: Maybe<Array<Maybe<AwsCognitoIdentityProviders>>>;
   developerProviderName?: Maybe<Scalars['String']>;
+  iamOpenIdConnectProviders?: Maybe<Array<Maybe<AwsIamOpenIdConnectProvider>>>;
+  iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
+  iamSamlProviders?: Maybe<Array<Maybe<AwsIamSamlProvider>>>;
   id: Scalars['String'];
   identityPoolName?: Maybe<Scalars['String']>;
   openIdConnectProviderARNs?: Maybe<Array<Maybe<Scalars['String']>>>;
@@ -3028,6 +3032,7 @@ export type AwsIamMfaDevice = {
 export type AwsIamOpenIdConnectProvider = {
   accountId: Scalars['String'];
   arn: Scalars['String'];
+  awsCognitoIdentityPool?: Maybe<Array<Maybe<AwsCognitoIdentityPool>>>;
   cgId?: Maybe<Scalars['String']>;
   id: Scalars['String'];
   region?: Maybe<Scalars['String']>;
@@ -3063,6 +3068,7 @@ export type AwsIamRole = AwsBaseService & {
   appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
   asg?: Maybe<Array<Maybe<AwsAsg>>>;
   assumeRolePolicy?: Maybe<AwsIamJsonPolicy>;
+  awsCognitoIdentityPool?: Maybe<Array<Maybe<AwsCognitoIdentityPool>>>;
   cloudFormationStack?: Maybe<Array<Maybe<AwsCloudFormationStack>>>;
   cloudFormationStackSet?: Maybe<Array<Maybe<AwsCloudFormationStackSet>>>;
   codebuilds?: Maybe<Array<Maybe<AwsCodebuild>>>;
@@ -3097,6 +3103,7 @@ export type AwsIamRole = AwsBaseService & {
 };
 
 export type AwsIamSamlProvider = AwsOptionalService & {
+  awsCognitoIdentityPool?: Maybe<Array<Maybe<AwsCognitoIdentityPool>>>;
   createdDate?: Maybe<Scalars['String']>;
   validUntil?: Maybe<Scalars['String']>;
 };
diff --git a/src/utils/generateArns.ts b/src/utils/generateArns.ts
@@ -260,3 +260,13 @@ export const ssmDocumentArn = ({
   account: string
   name: string
 }): string => `arn:aws:ssm:${region}:${account}:document/${name}`
+
+export const cognitoIdentityPoolArn = ({
+  region,
+  account,
+  identityPoolId,
+}: {
+  region: string
+  account: string
+  identityPoolId: string
+}): string => `arn:aws:cognito-identity:${region}:${account}:identitypool/${identityPoolId}`
diff --git a/tests/aws_cognitoIdentityPool.test.ts b/tests/aws_cognitoIdentityPool.test.ts

Original file line number	Diff line number	Diff line change
`@@ -4,4 +4,5 @@ type awsIamOpenIdConnectProvider @key(fields: "id") {`
`4`	`4`	`accountId: String! @search(by: [hash, regexp])`
`5`	`5`	`region: String @search(by: [hash, regexp])`
`6`	`6`	`cgId: String @search(by: [hash, regexp])`
	`7`	`+ awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamOpenIdConnectProviders)`
`7`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,5 +35,6 @@ type awsIamRole implements awsBaseService @key(fields: "id") {`
`35`	`35`	`cloudFormationStackSet: [awsCloudFormationStackSet]`
`36`	`36`	`@hasInverse(field: iamRoles)`
`37`	`37`	`asg: [awsAsg] @hasInverse(field: iamRole)`
	`38`	`+ awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamRoles)`
`38`	`39`	`rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: iamRoles)`
`39`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`type awsIamSamlProvider implements awsOptionalService @key(fields: "id") {`
`2`	`2`	`validUntil: String @search(by: [hash, regexp])`
`3`	`3`	`createdDate: String @search(by: [hash, regexp])`
	`4`	`+ awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamSamlProviders)`
`4`	`5`	`}`