fix(elasticSearchDomain): add cloudwatchLogs, cognitoIdentityPool, cognitoUserPool, iamRole connections

Author: hjaraujof

README.md

@@ -83,10 +83,10 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | cloudfront                  | elb, s3                                                                                                                                                                                                                                                                                                                                                                       |
 | cloudtrail                  | cloudwatch, cloudwatchLog, kms, s3, sns                                                                                                                                                                                                                                                                                                                                       |
 | cloudwatch                  | cloudtrail, cloudwatchLog, sns                                                                                                                                                                                                                                                                                                                                                |
-| cloudwatchLog               | cloudtrail, cloudwatch, ecsCluster, kms, managedAirflow, rdsDbInstance                                                                                                                                                                                                                                                                                                        |
+| cloudwatchLog               | cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance                                                                                                                                                                                                                                                                                   |
 | codebuild                   | iamRole, kms, vpc, securityGroup, subnet                                                                                                                                                                                                                                                                                                                                      |
-| cognitoIdentityPool         | iamRole, iamOpenIdConnectProvider, iamSamlProvider                                                                                                                                                                                                                                                                                                                            |
-| cognitoUserPool             | appSync, lambda                                                                                                                                                                                                                                                                                                                                                               |
+| cognitoIdentityPool         | iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain                                                                                                                                                                                                                                                                                                       |
+| cognitoUserPool             | appSync, elasticSearchDomain, lambda                                                                                                                                                                                                                                                                                                                                          |
 | configurationRecorder       | iamRole                                                                                                                                                                                                                                                                                                                                                                       |
 | customerGateway             | vpnConnection                                                                                                                                                                                                                                                                                                                                                                 |
 | dynamodb                    | appSync, iamRole, kms                                                                                                                                                                                                                                                                                                                                                         |
@@ -108,7 +108,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | elastiCacheReplicationGroup | kms                                                                                                                                                                                                                                                                                                                                                                           |
 | elasticBeanstalkApp         | elasticBeanstalkEnv, iamRole                                                                                                                                                                                                                                                                                                                                                  |
 | elasticBeanstalkEnv         | alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs                                                                                                                                                                                                                                                                                                                         |
-| elasticSearchDomain         | kms, securityGroup, subnet, vpc                                                                                                                                                                                                                                                                                                                                               |
+| elasticSearchDomain         | cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc                                                                                                                                                                                                                                                                                |
 | elb                         | cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc                                                                                                                                                                                                                                                                                                       |
 | emrCluster                  | iamRole, kms, subnet                                                                                                                                                                                                                                                                                                                                                          |
 | emrInstance                 | ebs, ec2                                                                                                                                                                                                                                                                                                                                                                      |
@@ -124,7 +124,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate        |                                                                                                                                                                                                                                                                                                                                                                               |
 | iamUser                     | iamGroup                                                                                                                                                                                                                                                                                                                                                                      |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                                                                                                                                                                                                             |
-| iamRole                     | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv |
+| iamRole                     | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                                                                                                                                                                                                            |
 | igw                         | vpc                                                                                                                                                                                                                                                                                                                                                                           |
 | iot                         |                                                                                                                                                                                                                                                                                                                                                                               |

src/services/cloudwatchLogs/schema.graphql

@@ -14,6 +14,7 @@ type awsCloudwatchLog @key(fields: "arn") {
   cloudwatch: [awsCloudwatch] @hasInverse(field: cloudwatchLog)
   cloudtrail: [awsCloudtrail] @hasInverse(field: cloudwatchLog)
   ecsCluster: [awsEcsCluster] @hasInverse(field: cloudwatchLog)
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cloudwatchLogs)
   rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: cloudwatchLogs)
   managedAirflows: [awsManagedAirflow] @hasInverse(field: cloudwatchLogs)
 }

src/services/cognitoIdentityPool/schema.graphql

@@ -34,6 +34,7 @@ type awsCognitoIdentityPool @key(fields: "id") {
   cognitoIdentityProviders: [awsCognitoIdentityProviders]
   samlProviderARNs: [String] @search
   tags: [awsRawTag]
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cognitoIdentityPool)
   iamRoles: [awsIamRole] @hasInverse(field: awsCognitoIdentityPool)
   iamOpenIdConnectProviders: [awsIamOpenIdConnectProvider] @hasInverse(field: awsCognitoIdentityPool)
   iamSamlProviders: [awsIamSamlProvider] @hasInverse(field: awsCognitoIdentityPool)

src/services/cognitoUserPool/schema.graphql

@@ -124,4 +124,5 @@ type awsCognitoUserPool implements awsBaseService @key(fields: "id") {
   kms: [awsKms] @hasInverse(field: cognitoUserPools)
   ses: [awsSes] @hasInverse(field: cognitoUserPools)
   iamRole: [awsIamRole] @hasInverse(field: cognitoUserPools)
-}
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cognitoUserPool)
+}

src/services/elasticSearchDomain/connections.ts

@@ -1,9 +1,15 @@
 import { ServiceConnection } from '@cloudgraph/sdk'
 
+import isEmpty from 'lodash/isEmpty'
 import services from '../../enums/services'
 import { RawAwsElasticSearchDomain } from './data'
 import { AwsSecurityGroup } from '../securityGroup/data'
 import { AwsKms } from '../kms/data'
+import { RawAwsCognitoIdentityPool } from '../cognitoIdentityPool/data'
+import { RawAwsCognitoUserPool } from '../cognitoUserPool/data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { RawAwsLogGroup } from '../cloudwatchLogs/data'
+import { globalRegionName } from '../../enums/regions'
 
 export default ({
   service: domain,
@@ -20,9 +26,14 @@ export default ({
     DomainId,
     VPCOptions: { SecurityGroupIds = [] } = {},
     EncryptionAtRestOptions: { KmsKeyId } = {},
+    CognitoOptions: { IdentityPoolId, UserPoolId, RoleArn } = {},
+    LogPublishingOptions = {},
   } = domain
   const connections: ServiceConnection[] = []
-
+  const logGroupsArns: string[] = Object.entries(LogPublishingOptions).map(
+    ([, value]) => value.CloudWatchLogsLogGroupArn
+  ) || []
+  
   /**
    * Find any securityGroup related data
    */
@@ -59,6 +70,91 @@ export default ({
     }
   }
 
+  /**
+   * Find any cognito identity pool related data
+   */
+  const identityPools = data.find(
+    ({ name }) => name === services.cognitoIdentityPool
+  )
+  if (identityPools?.data?.[region]) {
+    const dataAtRegion: RawAwsCognitoIdentityPool[] = identityPools.data[
+      region
+    ].filter(
+      ({ IdentityPoolId: poolId }: RawAwsCognitoIdentityPool) =>
+        poolId === IdentityPoolId
+    )
+    for (const identityPool of dataAtRegion) {
+      connections.push({
+        id: identityPool.IdentityPoolId,
+        resourceType: services.cognitoIdentityPool,
+        relation: 'child',
+        field: 'cognitoIdentityPool',
+      })
+    }
+  }
+
+  /**
+   * Find any cognito user pool related data
+   */
+  const userPools = data.find(({ name }) => name === services.cognitoUserPool)
+  if (userPools?.data?.[region]) {
+    const dataAtRegion: RawAwsCognitoUserPool[] = userPools.data[region].filter(
+      ({ Id }: RawAwsCognitoUserPool) => Id === UserPoolId
+    )
+    for (const userPool of dataAtRegion) {
+      connections.push({
+        id: userPool.Id,
+        resourceType: services.cognitoUserPool,
+        relation: 'child',
+        field: 'cognitoUserPool',
+      })
+    }
+  }
+
+  /**
+   * Find any IAM role related data
+   */
+  const roles = data.find(({ name }) => name === services.iamRole)
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+      ({ Arn }: RawAwsIamRole) => Arn === RoleArn
+    )
+    for (const role of dataAtRegion) {
+      connections.push({
+        id: role.Arn,
+        resourceType: services.iamRole,
+        relation: 'child',
+        field: 'iamRole',
+      })
+    }
+  }
+
+  /**
+   * Find any cloudwatch log group related data
+   */
+  const cloudwatchLogGroups = data.find(
+    ({ name }) => name === services.cloudwatchLog
+  )
+  if (cloudwatchLogGroups?.data?.[region]) {
+    const dataAtRegion: RawAwsLogGroup[] = cloudwatchLogGroups.data[
+      region
+    ].filter(
+      ({ arn }: RawAwsLogGroup) =>
+        !isEmpty(logGroupsArns) &&
+        logGroupsArns.filter(
+          str => `${str}:*`.includes(arn) // A small interpolation hack to be able to match the full arn
+        ).length > 0
+    )
+    for (const cloudwatchLogGroup of dataAtRegion) {
+      connections.push({
+        id: cloudwatchLogGroup.logGroupName,
+        resourceType: services.cloudwatchLog,
+        relation: 'child',
+        field: 'cloudwatchLogs',
+      })
+    }
+  }
+
   const natResult = {
     [DomainId]: connections,
   }

src/services/elasticSearchDomain/format.ts

@@ -87,7 +87,6 @@ export default ({
     securityGroupIds: vpcOptions?.SecurityGroupIds
   }
 
-  // TODO: create connections for cognito and role arn
   const formattedCognioOptions = {
     enabled: cognitoOptions?.Enabled,
     userPoolId: cognitoOptions?.UserPoolId,
@@ -110,7 +109,6 @@ export default ({
     value: advancedOptions[key]
   }))
 
-  // TODO: create connections for cloud watch logs groups
   const mappedLogPublishingOptions = Object.keys(logPublishingOptions ?? {}).map(key => ({
     id: cuid(),
     key,

src/services/elasticSearchDomain/schema.graphql

@@ -1,4 +1,3 @@
-#TODO add connection for userPool, identityPool, iamRole, cloudwatchLogs
 type awsElasticSearchDomain implements awsBaseService @key(fields: "arn") {
   domainName: String @search(by: [hash, regexp])
   created: Boolean @search
@@ -28,6 +27,10 @@ type awsElasticSearchDomain implements awsBaseService @key(fields: "arn") {
   subnets: [awsSubnet] @hasInverse(field: elasticSearchDomains)
   securityGroups: [awsSecurityGroup] @hasInverse(field: elasticSearchDomains)
   kms: [awsKms] @hasInverse(field: elasticSearchDomains)
+  cognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: elasticSearchDomains)
+  cognitoUserPool: [awsCognitoUserPool] @hasInverse(field: elasticSearchDomains)
+  iamRole: [awsIamRole] @hasInverse(field: elasticSearchDomains)
+  cloudwatchLogs: [awsCloudwatchLog] @hasInverse(field: elasticSearchDomains)
 }
 
 type awsElasticSearchClusterConfig {

src/services/iamRole/schema.graphql

@@ -37,5 +37,6 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   asg: [awsAsg] @hasInverse(field: iamRole)
   awsCognitoIdentityPool: [awsCognitoIdentityPool] @hasInverse(field: iamRoles)
   rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: iamRoles)
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: iamRole)
   emrCluster: [awsEmrCluster] @hasInverse(field: iamRoles)
 }