Merge pull request #39 from cloudgraphdev/fix/CG-990

fix(waf): Added missing connections for webAcl

Author: hjaraujof

README.md

@@ -69,9 +69,9 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 
 | Service                     | Relations                                                                                                                                                                                                                                                                                                                                                                     |
 | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| alb                         | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc                                                                                                                                                                                                                                                                                                           |
+| alb                         | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl                                                                                                                                                                                                                                                                                              |
 | apiGatewayRestApi           | apiGatewayResource, apiGatewayStage, route53Record                                                                                                                                                                                                                                                                                                                            |
-| apiGatewayStage             | apiGatewayRestApi                                                                                                                                                                                                                                                                                                                                                             |
+| apiGatewayStage             | apiGatewayRestApi, wafV2WebAcl                                                                                                                                                                                                                                                                                                                                                |
 | apiGatewayResource          | apiGatewayRestApi                                                                                                                                                                                                                                                                                                                                                             |
 | appSync                     | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl                                                                                                                                                                                                                                                                                                           |
 | asg                         | ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet                                                                                                                                                                                                                                                                                                                 |
@@ -161,4 +161,4 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | vpc                         | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment                                              |
 | vpnConnection               | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway                                                                                                                                                                                                                                                                                                         |
 | vpnGateway                  | vpc, vpnConnection                                                                                                                                                                                                                                                                                                                                                            |
-| wafV2WebAcl                 | appSync                                                                                                                                                                                                                                                                                                                                                                       |
+| wafV2WebAcl                 | appSync, apiGatewayStage, alb                                                                                                                                                                                                                                                                                                                                                 |

src/services/alb/schema.graphql

@@ -22,6 +22,7 @@ type awsAlb implements awsBaseService @key(fields: "arn") {
   listeners: [awsAlbListener]
   subnet: [awsSubnet] @hasInverse(field: alb) #change to plural
   elasticBeanstalkEnvs: [awsElasticBeanstalkEnv] @hasInverse(field: albs)
+  webAcl: [awsWafV2WebAcl] @hasInverse(field: albs)
 }
 
 type awsAlbListener

src/services/apiGatewayStage/data.ts

@@ -39,6 +39,7 @@ export interface RawAwsApiGatewayStage extends Omit<Stage, 'Tags'> {
   restApiId: string
   Tags?: TagMap
   region: string
+  arn: string
 }
 
 const getStages = async ({ apiGw, restApiId }): Promise<ListOfStage> =>
@@ -133,11 +134,19 @@ export default async ({
       })
       const additionalPromise = new Promise<void>(async resolveAdditional => {
         const stages = await getStages({ apiGw, restApiId })
+        const arn = apiGatewayRestApiArn({
+          restApiArn: apiGatewayArn({ region }),
+          id: restApiId,
+        })
         apiGatewayStages.push(
           ...stages.map(stage => ({
             ...stage,
             restApiId,
             region,
+            arn: apiGatewayStageArn({
+              restApiArn: arn,
+              name: stage.stageName,
+            }),
           }))
         )
 
@@ -152,24 +161,17 @@ export default async ({
 
     // get all tags for each stage
     apiGatewayStages.map(stage => {
-      const { stageName, restApiId, region } = stage
+      const { arn, region } = stage
       const apiGw = new APIGW({
         ...config,
         region,
         endpoint,
         ...customRetrySettings,
       })
       const tagsPromise = new Promise<void>(async resolveTags => {
-        const arn = apiGatewayRestApiArn({
-          restApiArn: apiGatewayArn({ region }),
-          id: restApiId,
-        })
         stage.Tags = await getTags({
           apiGw,
-          arn: apiGatewayStageArn({
-            restApiArn: arn,
-            name: stageName,
-          }),
+          arn,
         })
         resolveTags()
       })

src/services/apiGatewayStage/format.ts

@@ -2,11 +2,6 @@ import cuid from 'cuid'
 
 import { RawAwsApiGatewayStage } from './data'
 import { AwsApiGatewayStage as AwsAGStageType } from '../../types/generated'
-import {
-  apiGatewayArn,
-  apiGatewayRestApiArn,
-  apiGatewayStageArn,
-} from '../../utils/generateArns'
 import { formatTagsFromMap } from '../../utils/format'
 
 export default ({
@@ -17,6 +12,7 @@ export default ({
   account: string
 }): AwsAGStageType => {
   const {
+    arn,
     stageName: name,
     description,
     cacheClusterEnabled,
@@ -26,19 +22,10 @@ export default ({
     clientCertificateId,
     tracingEnabled,
     variables: vars = {},
-    restApiId,
     tags = {},
     region,
   } = service
 
-  const arn = apiGatewayStageArn({
-    restApiArn: apiGatewayRestApiArn({
-      restApiArn: apiGatewayArn({ region }),
-      id: restApiId,
-    }),
-    name,
-  })
-
   const variables = Object.entries(vars).map(([k, v]) => ({
     id: cuid(),
     key: k,

src/services/apiGatewayStage/schema.graphql

@@ -32,4 +32,5 @@ type awsApiGatewayStage implements awsBaseService @key(fields: "arn") {
   variables: [awsApiGatewayStageVariable]
   tags: [awsRawTag]
   restApi: [awsApiGatewayRestApi] @hasInverse(field: stages)
+  webAcl: [awsWafV2WebAcl] @hasInverse(field: apiGatewayStages)
 }

src/services/appSync/connections.ts

@@ -12,7 +12,6 @@ import { RawAwsCognitoUserPool } from '../cognitoUserPool/data'
 import { RawAwsRdsCluster } from '../rdsCluster/data'
 import { RawAwsIamRole } from '../iamRole/data'
 import { globalRegionName } from '../../enums/regions'
-import { RawAwsWafV2WebAcl } from '../wafV2WebAcl/data'
 
 /**
  * AppSync
@@ -30,7 +29,7 @@ export default ({
   region: string
 }): { [key: string]: ServiceConnection[] } => {
   const connections: ServiceConnection[] = []
-  const { apiId: id, awsDataSources, userPoolConfig, wafWebAclArn } = appSync
+  const { apiId: id, awsDataSources, userPoolConfig } = appSync
 
   /**
    * Find cognito user pools
@@ -162,9 +161,7 @@ export default ({
   const roles: { name: string; data: { [property: string]: any[] } } =
     data.find(({ name }) => name === services.iamRole)
 
-  const roleArns = awsDataSources?.map(
-    ({ serviceRoleArn }) => serviceRoleArn
-  )
+  const roleArns = awsDataSources?.map(({ serviceRoleArn }) => serviceRoleArn)
 
   if (roles?.data?.[globalRegionName]) {
     const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
@@ -184,32 +181,6 @@ export default ({
     }
   }
 
-  /**
-   * Find wafV2WebAcls
-   */
-  const acls: {
-    name: string
-    data: { [property: string]: RawAwsWafV2WebAcl[] }
-  } = data.find(({ name }) => name === services.wafV2WebAcl)
-
-  if (acls?.data) {
-    const allAcls = Object.values(acls.data).flat()
-    const dataInRegion: RawAwsWafV2WebAcl[] = allAcls.filter(
-      ({ ARN }: RawAwsWafV2WebAcl) => ARN === wafWebAclArn
-    )
-
-    if (!isEmpty(dataInRegion)) {
-      for (const acl of dataInRegion) {
-        connections.push({
-          id: acl.Id,
-          resourceType: services.wafV2WebAcl,
-          relation: 'child',
-          field: 'webAcl',
-        })
-      }
-    }
-  }
-  
   const appSyncResult = {
     [id]: connections,
   }

src/services/wafV2WebAcl/connections.ts

@@ -0,0 +1,112 @@
+import isEmpty from 'lodash/isEmpty'
+
+import { ServiceConnection } from '@cloudgraph/sdk'
+
+import services from '../../enums/services'
+import { RawAwsAlb } from '../alb/data'
+import { RawAwsApiGatewayStage } from '../apiGatewayStage/data'
+import { RawAwsAppSync } from '../appSync/data'
+import { RawAwsWafV2WebAcl } from './data'
+
+/**
+ * WAF
+ */
+
+export default ({
+  service: waf,
+  data,
+  region,
+}: {
+  account: string
+  data: { name: string; data: { [property: string]: any[] } }[]
+  service: RawAwsWafV2WebAcl
+  region: string
+}): { [key: string]: ServiceConnection[] } => {
+  const connections: ServiceConnection[] = []
+  const { Id: id, wafResources } = waf
+
+  /**
+   * Find ALBs
+   * related to this WAF
+   */
+  const albs: {
+    name: string
+    data: { [property: string]: any[] }
+  } = data.find(({ name }) => name === services.alb)
+
+  if (albs?.data?.[region] && wafResources?.elasticloadbalancing?.length > 0) {
+    const associatedALBs: RawAwsAlb[] = albs.data[region].filter(
+      ({ LoadBalancerArn }: RawAwsAlb) =>
+        wafResources?.elasticloadbalancing?.find(arn => arn === LoadBalancerArn)
+    )
+
+    if (!isEmpty(associatedALBs)) {
+      for (const { LoadBalancerArn } of associatedALBs) {
+        connections.push({
+          id: LoadBalancerArn,
+          resourceType: services.alb,
+          relation: 'child',
+          field: 'albs',
+        })
+      }
+    }
+  }
+  /**
+   * Find Rest API Stages
+   * related to this WAF
+   */
+  const stages: {
+    name: string
+    data: { [property: string]: any[] }
+  } = data.find(({ name }) => name === services.apiGatewayStage)
+
+  if (stages?.data?.[region] && wafResources?.apigateway?.length > 0) {
+    const associatedStages: RawAwsApiGatewayStage[] = stages.data[
+      region
+    ].filter(({ arn: stageArn }: RawAwsApiGatewayStage) =>
+      wafResources?.apigateway?.find(arn => arn === stageArn)
+    )
+
+    if (!isEmpty(associatedStages)) {
+      for (const { arn } of associatedStages) {
+        connections.push({
+          id: arn,
+          resourceType: services.apiGatewayStage,
+          relation: 'child',
+          field: 'apiGatewayStages',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find Apps Sync
+   * related to this WAF
+   */
+  const apps: {
+    name: string
+    data: { [property: string]: any[] }
+  } = data.find(({ name }) => name === services.appSync)
+
+  if (apps?.data?.[region] && wafResources?.appsync?.length > 0) {
+    const associatedApps: RawAwsAppSync[] = apps.data[region].filter(
+      ({ arn: apiArn }: RawAwsAppSync) =>
+        wafResources?.appsync?.find(arn => arn === apiArn)
+    )
+
+    if (!isEmpty(associatedApps)) {
+      for (const { apiId } of associatedApps) {
+        connections.push({
+          id: apiId,
+          resourceType: services.appSync,
+          relation: 'child',
+          field: 'appSync',
+        })
+      }
+    }
+  }
+
+  return {
+    [id]: connections,
+  }
+}

src/services/wafV2WebAcl/data.ts

@@ -14,9 +14,34 @@ const scopes = {
   regional: 'REGIONAL',
 }
 
+const resources = [
+  { name: 'elasticloadbalancing', type: 'APPLICATION_LOAD_BALANCER' },
+  { name: 'apigateway', type: 'API_GATEWAY' },
+  { name: 'appsync', type: 'APPSYNC' },
+]
+
 export interface RawAwsWafV2WebAcl extends WAFV2.WebACL {
   region: string
   loggingConfiguration: WAFV2.LoggingConfiguration
+  wafResources: { [resource: string]: string[] }
+}
+
+const listResources = async (
+  client: WAFV2,
+  wafArn: string
+): Promise<{ [resource: string]: string[] }> => {
+  const wafResources = {}
+  for (const { name, type } of resources) {
+    const { ResourceArns } = (await client
+      .listResourcesForWebACL({
+        WebACLArn: wafArn,
+        ResourceType: type,
+      })
+      .promise()) ?? { ResourceArns: [] }
+
+    wafResources[name] = ResourceArns
+  }
+  return wafResources
 }
 
 /**
@@ -72,12 +97,15 @@ export default async ({
             .promise()
           wafData.loggingConfiguration =
             loggingConfiguration.LoggingConfiguration
+
+          wafData.wafResources = await listResources(client, arn)
         } catch (err) {
           errorLog.generateAwsErrorLog({ functionName: 'getWebACL', err })
         }
         result.push({
           ...wafData?.WebACL,
           loggingConfiguration: wafData?.loggingConfiguration,
+          wafResources: wafData?.wafResources,
           region,
         })
       }

src/services/wafV2WebAcl/index.ts

@@ -1,14 +1,16 @@
 import { Service } from '@cloudgraph/sdk'
-  import BaseService from '../base'
-  import format from './format'
-  import getData from './data'
-  import mutation from './mutation'
-      
-  export default class WafV2WebAcl extends BaseService implements Service {
-    format = format.bind(this)
-      
-    getData = getData.bind(this)
-      
-    mutation = mutation
-  }
-  
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import getConnections from './connections'
+import mutation from './mutation'
+
+export default class WafV2WebAcl extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  getConnections = getConnections.bind(this)
+
+  mutation = mutation
+}

src/services/wafV2WebAcl/schema.graphql

@@ -13,6 +13,8 @@ type awsWafV2WebAcl implements awsBaseService @key(fields: "arn") {
   loggingConfiguration: awsWafV2LoggingConfig
   cloudfront: [awsCloudfront] @hasInverse(field: webAcl)
   appSync: [awsAppSync] @hasInverse(field: webAcl)
+  apiGatewayStages: [awsApiGatewayStage] @hasInverse(field: webAcl)
+  albs: [awsAlb] @hasInverse(field: webAcl)
 }
 
 type awsWafV2Rule {