Merge pull request #22 from cloudgraphdev/fix/CG-1069

fix: Added kms and iam roles connections to rds cluster

Author: tyler-dunkel

README.md

@@ -124,20 +124,20 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate        |                                                                                                                                                                                                                                                                                                                                  |
 | iamUser                     | iamGroup                                                                                                                                                                                                                                                                                                                         |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                                                                                                                                                                |
-| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose                                                                                            |
+| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose, rdsCluster                                                                                |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                                                                                                                                                               |
 | igw                         | vpc                                                                                                                                                                                                                                                                                                                              |
 | iot                         |                                                                                                                                                                                                                                                                                                                                  |
 | kinesisFirehose             | kinesisStream, s3, iamRole                                                                                                                                                                                                                                                                                                       |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                                                                                                                                                                  |
-| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsClusterSnapshot, sns, sageMakerNotebookInstance, dmsReplicationInstance, redshiftCluster                                                                                             |
+| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsClusterSnapshot, sns, sageMakerNotebookInstance, dmsReplicationInstance, redshiftCluster, rdsCluster                                                                                 |
 | lambda                      | appSync, cognitoUserPool, kms, securityGroup, subnet, vpc, iamRole                                                                                                                                                                                                                                                               |
 | managedAirflow              | iamRole, securityGroups, subnet, s3                                                                                                                                                                                                                                                                                              |
 | nacl                        | vpc                                                                                                                                                                                                                                                                                                                              |
 | natGateway                  | networkInterface, subnet, vpc                                                                                                                                                                                                                                                                                                    |
 | networkInterface            | ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, flowLog                                                                                                                                                                                                                                            |
 | organization                |
-| rdsCluster                  | appSync, rdsClusterSnapshot, rdsDbInstance, securityGroup                                                                                                                                                                                                                                                                        |
+| rdsCluster                  | appSync, rdsClusterSnapshot, rdsDbInstance, securityGroup, iamRole, kms                                                                                                                                                                                                                                                          |
 | rdsClusterSnapshot          | kms, rdsCluster, vpc                                                                                                                                                                                                                                                                                                             |
 | rdsDbInstance               | rdsCluster, securityGroup, vpc, subnet                                                                                                                                                                                                                                                                                           |
 | redshiftCluster             | kms, vpc                                                                                                                                                                                                                                                                                                                         |

src/services/iamRole/schema.graphql

@@ -28,4 +28,7 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   appSync: [awsAppSync] @hasInverse(field: iamRoles)
   lambda: [awsLambda] @hasInverse(field: iamRole)
   kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)
+  rdsClusterMonitoringRole: [awsRdsCluster]
+    @hasInverse(field: monitoringIamRole)
+  rdsClusterIamRoles: [awsRdsCluster] @hasInverse(field: iamRoles)
 }

src/services/kms/schema.graphql

@@ -31,4 +31,10 @@ type awsKms implements awsBaseService @key(fields: "id") {
   ecsCluster: [awsEcsCluster] @hasInverse(field: kms)
   dynamodb: [awsDynamoDbTable] @hasInverse(field: kms)
   cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: kms)
+  rdsClusterStorageEncryption: [awsRdsCluster]
+    @hasInverse(field: storageEncryptedKms)
+  rdsClusterActivityStream: [awsRdsCluster]
+    @hasInverse(field: activityStreamKms)
+  rdsClusterPerformanceInsights: [awsRdsCluster]
+    @hasInverse(field: performanceInsightsKms)
 }

src/services/rdsCluster/connections.ts

@@ -5,6 +5,9 @@ import { DBInstance, DBCluster } from 'aws-sdk/clients/rds'
 
 import services from '../../enums/services'
 import { RawAwsRdsClusterSnapshot } from '../rdsClusterSnapshot/data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { AwsKms } from '../kms/data'
+import { globalRegionName } from '../../enums/regions'
 
 export default ({
   service,
@@ -21,6 +24,11 @@ export default ({
   const {
     DBClusterArn: id,
     DBClusterIdentifier: clusterId,
+    MonitoringRoleArn: monitoringRoleArn,
+    AssociatedRoles: associatedRoles = [],
+    KmsKeyId,
+    ActivityStreamKmsKeyId,
+    PerformanceInsightsKMSKeyId,
     VpcSecurityGroups,
   } = service
   const sgIds = VpcSecurityGroups.map(
@@ -55,14 +63,17 @@ export default ({
   /**
    * Find cluster snapshots
    */
-   const snapshots: {
+  const snapshots: {
     name: string
     data: { [property: string]: RawAwsRdsClusterSnapshot[] }
   } = data.find(({ name }) => name === services.rdsClusterSnapshot)
 
   if (snapshots?.data?.[region]) {
-    const dataInRegion: RawAwsRdsClusterSnapshot[] = snapshots.data[region].filter(
-      ({ DBClusterIdentifier }: RawAwsRdsClusterSnapshot) => DBClusterIdentifier === clusterId
+    const dataInRegion: RawAwsRdsClusterSnapshot[] = snapshots.data[
+      region
+    ].filter(
+      ({ DBClusterIdentifier }: RawAwsRdsClusterSnapshot) =>
+        DBClusterIdentifier === clusterId
     )
     if (!isEmpty(dataInRegion)) {
       for (const snapshot of dataInRegion) {
@@ -101,6 +112,102 @@ export default ({
     }
   }
 
+  /**
+   * Find KMS
+   * related to this RDS Cluster
+   */
+  const kms: {
+    name: string
+    data: { [property: string]: AwsKms[] }
+  } = data.find(({ name }) => name === services.kms)
+
+  if (kms?.data?.[region]) {
+    // set storage encryption kms key
+    let kmsInRegion: AwsKms[] = kms.data[region].filter(
+      ({ Arn }: AwsKms) => Arn === KmsKeyId
+    )
+    if (!isEmpty(kmsInRegion)) {
+      for (const instance of kmsInRegion) {
+        connections.push({
+          id: instance.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'storageEncryptedKms',
+        })
+      }
+    }
+
+    // set activity stream kms key
+    kmsInRegion = kms.data[region].filter(
+      ({ Arn }: AwsKms) => Arn === ActivityStreamKmsKeyId
+    )
+    if (!isEmpty(kmsInRegion)) {
+      for (const instance of kmsInRegion) {
+        connections.push({
+          id: instance.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'activityStreamKms',
+        })
+      }
+    }
+
+    // set performance insights kms key
+    kmsInRegion = kms.data[region].filter(
+      ({ Arn }: AwsKms) => Arn === PerformanceInsightsKMSKeyId
+    )
+    if (!isEmpty(kmsInRegion)) {
+      for (const instance of kmsInRegion) {
+        connections.push({
+          id: instance.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'performanceInsightsKms',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find IAM Role
+   * related to this RDS Cluster
+   */
+  const iamRoles: {
+    name: string
+    data: { [property: string]: RawAwsIamRole[] }
+  } = data.find(({ name }) => name === services.iamRole)
+
+  if (iamRoles?.data?.[globalRegionName]) {
+    let iamRolesInRegion: RawAwsIamRole[] = iamRoles.data[
+      globalRegionName
+    ].filter(({ Arn }: RawAwsIamRole) =>
+      associatedRoles.find(r => r.RoleArn === Arn)
+    )
+    if (!isEmpty(iamRolesInRegion)) {
+      for (const instance of iamRolesInRegion) {
+        connections.push({
+          id: instance.Arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRoles',
+        })
+      }
+    }
+    iamRolesInRegion = iamRoles.data[globalRegionName].filter(
+      ({ Arn }: RawAwsIamRole) => Arn === monitoringRoleArn
+    )
+    if (!isEmpty(iamRolesInRegion)) {
+      for (const instance of iamRolesInRegion) {
+        connections.push({
+          id: instance.Arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'monitoringIamRole',
+        })
+      }
+    }
+  }
+
   const rdsClusterResult = {
     [id]: connections,
   }

src/services/rdsCluster/format.ts

@@ -1,15 +1,12 @@
 import { RawAwsRdsCluster } from './data'
-import { 
-  AwsRdsCluster, 
-} from '../../types/generated'
+import { AwsRdsCluster } from '../../types/generated'
 import { formatTagsFromMap } from '../../utils/format'
 
 export default ({
   service,
   account,
-  region
-}: 
-{
+  region,
+}: {
   service: RawAwsRdsCluster
   account: string
   region: string

src/services/rdsCluster/schema.graphql

@@ -33,7 +33,10 @@ type awsRdsCluster implements awsBaseService @key(fields: "arn") {
   snapshots: [awsRdsClusterSnapshot] @hasInverse(field: cluster)
   securityGroups: [awsSecurityGroup] @hasInverse(field: rdsCluster)
   appSync: [awsAppSync] @hasInverse(field: rdsCluster)
+  monitoringIamRole: [awsIamRole] @hasInverse(field: rdsClusterMonitoringRole)
+  iamRoles: [awsIamRole] @hasInverse(field: rdsClusterIamRoles)
+  storageEncryptedKms: [awsKms] @hasInverse(field: rdsClusterStorageEncryption)
+  activityStreamKms: [awsKms] @hasInverse(field: rdsClusterActivityStream)
+  performanceInsightsKms: [awsKms]
+    @hasInverse(field: rdsClusterPerformanceInsights)
 }
-
-# TODO: create connection to iam roles using AssociatedRoles property AND DomainMemberships AND MonitoringRole
-# TODO: create connection to kms using all kms related fields

src/types/generated.ts

@@ -3070,6 +3070,8 @@ export type AwsIamRole = AwsBaseService & {
   maxSessionDuration?: Maybe<Scalars['Int']>;
   name?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
+  rdsClusterIamRoles?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsClusterMonitoringRole?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
   systemsManagerInstances?: Maybe<Array<Maybe<AwsSystemsManagerInstance>>>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
@@ -3199,7 +3201,10 @@ export type AwsKms = AwsBaseService & {
   lambda?: Maybe<Array<Maybe<AwsLambda>>>;
   origin?: Maybe<Scalars['String']>;
   policy?: Maybe<AwsIamJsonPolicy>;
+  rdsClusterActivityStream?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsClusterPerformanceInsights?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsClusterSnapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
+  rdsClusterStorageEncryption?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   redshiftCluster?: Maybe<Array<Maybe<AwsRedshiftCluster>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
   sns?: Maybe<Array<Maybe<AwsSns>>>;
@@ -3473,6 +3478,7 @@ export type AwsRawTag = {
 };
 
 export type AwsRdsCluster = AwsBaseService & {
+  activityStreamKms?: Maybe<Array<Maybe<AwsKms>>>;
   allocatedStorage?: Maybe<Scalars['Int']>;
   appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
   backupRetentionPeriod?: Maybe<Scalars['Int']>;
@@ -3493,17 +3499,21 @@ export type AwsRdsCluster = AwsBaseService & {
   hostedZoneId?: Maybe<Scalars['String']>;
   httpEndpointEnabled?: Maybe<Scalars['Boolean']>;
   iamDbAuthenticationEnabled?: Maybe<Scalars['Boolean']>;
+  iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
   instances?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   kmsKey?: Maybe<Scalars['String']>;
+  monitoringIamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   multiAZ?: Maybe<Scalars['Boolean']>;
   percentProgress?: Maybe<Scalars['String']>;
+  performanceInsightsKms?: Maybe<Array<Maybe<AwsKms>>>;
   port?: Maybe<Scalars['Int']>;
   readerEndpoint?: Maybe<Scalars['String']>;
   replicationSourceIdentifier?: Maybe<Scalars['String']>;
   resourceId?: Maybe<Scalars['String']>;
   securityGroups?: Maybe<Array<Maybe<AwsSecurityGroup>>>;
   snapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
   status?: Maybe<Scalars['String']>;
+  storageEncryptedKms?: Maybe<Array<Maybe<AwsKms>>>;
   subnets?: Maybe<Scalars['String']>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
   username?: Maybe<Scalars['String']>;