Merge branch 'alpha' into feature/CG-1192

Author: m-pizarro

CHANGELOG.md

@@ -1,3 +1,10 @@
+# [0.81.0-alpha.1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.80.0...0.81.0-alpha.1) (2022-05-04)
+
+
+### Features
+
+* Add AWS IAM Access analyzer service ([cc3ae64](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/cc3ae64366e60f915ec1f4194ebc7cccf9969576))
+
 # [0.80.0](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0...0.80.0) (2022-05-02)
 
 

README.md

@@ -119,6 +119,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | glueJob                     | iamRole                                                                                                                                                                                                                                                                                                                                                                       |
 | glueRegistry                |                                                                                                                                                                                                                                                                                                                                                                               |
 | guardDutyDetector           | iamRole                                                                                                                                                                                                                                                                                                                                                                       |
+| iamAccessAnalyzer |                                                                                                                                                                                                                                                                                                                                                                  |
 | iamInstanceProfile          | ec2, iamRole                                                                                                                                                                                                                                                                                                                                                                  |
 | iamPasswordPolicy           |                                                                                                                                                                                                                                                                                                                                                                               |
 | iamSamlProvider             | cognitoIdentityPool                                                                                                                                                                                                                                                                                                                                                           |

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-aws",
-  "version": "0.80.0",
+  "version": "0.81.0-alpha.1",
   "description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",

src/enums/schemasMap.ts

@@ -56,6 +56,7 @@ export default {
   [services.emrCluster]: 'awsEmrCluster',
   [services.emrInstance]: 'awsEmrInstance',
   [services.emrStep]: 'awsEmrStep',
+  [services.iamAccessAnalyzer]: 'awsIamAccessAnalyzer',
   [services.iamGroup]: 'awsIamGroup',
   [services.iamOpenIdConnectProvider]: 'awsIamOpenIdConnectProvider',
   [services.iamPasswordPolicy]: 'awsIamPasswordPolicy',

src/enums/serviceAliases.ts

@@ -38,6 +38,7 @@ export default {
   [services.glueJob]: 'glueJobs',
   [services.glueRegistry]: 'glueRegistries',
   [services.guardDutyDetector]: 'guardDutyDetectors',
+  [services.iamAccessAnalyzer]: 'iamAccessAnalyzers',
   [services.iamGroup]: 'iamGroups',
   [services.iamOpenIdConnectProvider]: 'iamOpenIdConnectProviders',
   [services.iamPasswordPolicy]: 'iamPasswordPolicies',

src/enums/serviceMap.ts

@@ -58,6 +58,7 @@ import SES from '../services/ses'
 import SQS from '../services/sqs'
 import VPC from '../services/vpc'
 import ECR from '../services/ecr'
+import IamAccessAnalyzer from '../services/iamAccessAnalyzer'
 import IamGroup from '../services/iamGroup'
 import IamUser from '../services/iamUser'
 import IamRole from '../services/iamRole'
@@ -175,6 +176,7 @@ export default {
   [services.s3]: S3,
   [services.secretsManager]: SecretsManager,
   [services.ses]: SES,
+  [services.iamAccessAnalyzer]: IamAccessAnalyzer,
   [services.iamUser]: IamUser,
   [services.iamGroup]: IamGroup,
   [services.iamRole]: IamRole,

src/enums/services.ts

@@ -50,6 +50,7 @@ export default {
   emrCluster: 'emrCluster',
   emrInstance: 'emrInstance',
   emrStep: 'emrStep',
+  iamAccessAnalyzer: 'iamAccessAnalyzer',
   iamUser: 'iamUser',
   iamGroup: 'iamGroup',
   iamRole: 'iamRole',

src/properties/logger.ts

@@ -668,4 +668,8 @@ export default {
    * Configuration Recorder Status
    */
    fetchedConfigurationRecorderStatus: (num: number): string => `Fetched ${num} Configuration Recorder Status`,
+  /**
+   * Access Analyzers
+   */
+  fetchedaccessAnalyzers: (num: number): string => `Found ${num} Access Analyzers`,
 }

src/services/account/schema.graphql

@@ -51,6 +51,7 @@ type awsAccount implements awsOptionalService @key(fields: "id") {
   glueJobs: [awsGlueJob]
   glueRegistries: [awsGlueRegistry]
   guardDutyDetectors: [awsGuardDutyDetector]
+  iamAccessAnalyzers: [awsIamAccessAnalyzer]
   iamGroups: [awsIamGroup]
   iamOpenIdConnectProviders: [awsIamOpenIdConnectProvider]
   iamPasswordPolicies: [awsIamPasswordPolicy]

src/services/iamAccessAnalyzer/data.ts

@@ -0,0 +1,125 @@
+import CloudGraph from '@cloudgraph/sdk'
+import groupBy from 'lodash/groupBy'
+import isEmpty from 'lodash/isEmpty'
+import AccessAnalyzer, {
+  ListAnalyzersRequest,
+  ListAnalyzersResponse,
+  AnalyzerSummary,
+  AnalyzersList,
+} from 'aws-sdk/clients/accessanalyzer'
+
+import { Config } from 'aws-sdk/lib/config'
+import { AWSError } from 'aws-sdk/lib/error'
+import awsLoggerText from '../../properties/logger'
+import { initTestEndpoint } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import { TagMap } from '../../types'
+
+const lt = { ...awsLoggerText }
+const { logger } = CloudGraph
+const serviceName = 'IAM Access Analyzer'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+
+const listAnalyzersData = async ({
+  accessAnalyzer,
+  region,
+  nextToken: NextToken = '',
+}: {
+  accessAnalyzer: AccessAnalyzer
+  region: string
+  nextToken?: string
+}): Promise<(AnalyzerSummary & { region: string })[]> =>
+  new Promise<(AnalyzerSummary & { region: string })[]>(resolve => {
+    let analyzerSummarytData: (AnalyzerSummary & {
+      region: string
+    })[] = []
+
+    const analyzersList: AnalyzersList = []
+    let args: ListAnalyzersRequest = {}
+
+    if (NextToken) {
+      args = { ...args, nextToken: NextToken }
+    }
+
+    accessAnalyzer.listAnalyzers(
+      args,
+      (err: AWSError, data: ListAnalyzersResponse) => {
+        if (err) {
+          errorLog.generateAwsErrorLog({
+            functionName: 'accessAnalyzer:listAnalyzers',
+            err,
+          })
+        }
+
+        if (!isEmpty(data)) {
+          const { nextToken, analyzers: analyzersData = [] } = data
+
+          analyzersList.push(...analyzersData)
+
+          logger.debug(lt.fetchedaccessAnalyzers(analyzersList.length))
+
+          if (nextToken) {
+            listAnalyzersData({ accessAnalyzer, region, nextToken })
+          }
+
+          analyzerSummarytData = analyzersList.map(analyzer => ({
+            ...analyzer,
+            region,
+          }))
+        }
+
+        resolve(analyzerSummarytData)
+      }
+    )
+  })
+
+/**
+ * IAM Access Analyzer
+ */
+
+export interface RawAwsAnalyzerSummary extends Omit<AnalyzerSummary, 'Tags'> {
+  region: string
+  Tags?: TagMap
+}
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{
+  [region: string]: RawAwsAnalyzerSummary[]
+}> =>
+  new Promise(async resolve => {
+    const analyzerSummaryResult: RawAwsAnalyzerSummary[] = []
+
+    const regionPromises = regions.split(',').map(region => {
+      const accessAnalyzer = new AccessAnalyzer({ ...config, region, endpoint })
+
+      return new Promise<void>(async resolveAnalyzerSummaryData => {
+        const analyzerSummaryData = await listAnalyzersData({
+          accessAnalyzer,
+          region,
+        })
+
+        if (!isEmpty(analyzerSummaryData)) {
+          for (const analyzer of analyzerSummaryData) {
+            analyzerSummaryResult.push({
+              ...analyzer,
+              region,
+              Tags: analyzer.tags || {}
+            })
+          }
+        }
+
+        resolveAnalyzerSummaryData()
+      })
+    })
+
+    await Promise.all(regionPromises)
+    errorLog.reset()
+
+    resolve(groupBy(analyzerSummaryResult, 'region'))
+  })