Merge branch 'fix/CG-910' into 'master'

fix: CG-910 Add virtualMFADevices to iamPolicies needed for aws cis 1.14

Closes CG-910

See merge request auto-cloud/cloudgraph/provider/cloudgraph-provider-aws!220

Author: tyler-dunkel

src/services/iamUser/data.ts

@@ -17,8 +17,11 @@ import IAM, {
   ListUserPoliciesResponse,
   ListUsersResponse,
   ListUserTagsResponse,
+  ListVirtualMFADevicesRequest,
+  ListVirtualMFADevicesResponse,
   MFADevice,
   User,
+  VirtualMFADevice,
 } from 'aws-sdk/clients/iam'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -75,6 +78,7 @@ export interface RawAwsIamUserReport {
 export interface RawAwsIamUser extends Omit<User, 'Tags'> {
   AccessKeyLastUsedData: RawAwsAccessKey[]
   MFADevices: MFADevice[]
+  VirtualMFADevices?: VirtualMFADevice[]
   Groups: string[]
   Policies: string[]
   ManagedPolicies: AttachedPolicy[]
@@ -286,6 +290,45 @@ export const listMFADevicesByUsername = async (
     )
   })
 
+export const listVirtualMFADevices = async (
+  iam: IAM
+): Promise<VirtualMFADevice[]> =>
+  new Promise(resolve => {
+    const virtualMFADeviceList: VirtualMFADevice[] = []
+    let args: ListVirtualMFADevicesRequest = {}
+    const listAllVirtualMFADevices = (marker?: string) => {
+      if (marker) {
+        args = { ...args, Marker: marker }
+      }
+      try {
+        iam.listVirtualMFADevices(
+          args,
+          async (err: AWSError, data: ListVirtualMFADevicesResponse) => {
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'iam:listVirtualMFADevices',
+                err,
+              })
+            }
+
+            const { VirtualMFADevices = [], IsTruncated, Marker } = data
+
+            virtualMFADeviceList.push(...VirtualMFADevices)
+
+            if (IsTruncated) {
+              listAllVirtualMFADevices(Marker)
+            }
+
+            resolve(virtualMFADeviceList)
+          }
+        )
+      } catch (error) {
+        resolve([])
+      }
+    }
+    listAllVirtualMFADevices()
+  })
+
 export const listIamUsers = async (
   iam: IAM,
   marker?: string
@@ -446,6 +489,9 @@ export default async ({
     // Fetch IAM Report Credential
     const credentialReport = await getCredentialReportData(client)
 
+    // Fetch all virtual MFA Devices
+    const virtualMFADevices = await listVirtualMFADevices(client)
+
     usersData = credentialReport
       .map(userReport => {
         const user = iamUsers.find(u => u.Arn === userReport.Arn)
@@ -459,6 +505,9 @@ export default async ({
             CreateDate: new Date(),
             AccessKeyLastUsedData: [],
             MFADevices: [],
+            VirtualMFADevices:
+              virtualMFADevices?.filter(d => d.User?.Arn === userReport.Arn) ||
+              [],
             Groups: [],
             Policies: [],
             ManagedPolicies: [],
@@ -471,8 +520,13 @@ export default async ({
           return undefined
         }
 
+        const { Arn, ...rest } = user
+
         return {
-          ...user,
+          Arn,
+          VirtualMFADevices:
+            virtualMFADevices?.filter(d => d.User?.Arn === Arn) || [],
+          ...rest,
           ReportData: userReport,
         }
       })

src/services/iamUser/format.ts

@@ -24,6 +24,7 @@ export default ({
     PasswordLastUsed: passwordLastUsed,
     AccessKeyLastUsedData: accessKeys = [],
     MFADevices: mfaDevices = [],
+    VirtualMFADevices: virtualMfaDevices = [],
     Groups: groups = [],
     Policies: inlinePolicies = [],
     ReportData: {
@@ -79,6 +80,17 @@ export default ({
     })
   }
 
+  // Virtual MFA Devices
+  const virtualMfaData = []
+  if (!isEmpty(virtualMfaDevices)) {
+    virtualMfaDevices.map(({ SerialNumber, EnableDate }) => {
+      virtualMfaData.push({
+        serialNumber: SerialNumber,
+        enableDate: EnableDate?.toISOString(),
+      })
+    })
+  }
+
   // Format User Tags
   const userTags = formatTagsFromMap(tags)
 
@@ -108,6 +120,7 @@ export default ({
     creationTime: creationTime?.toISOString() || '',
     accessKeyData,
     mfaDevices: mfaData,
+    virtualMfaDevices: virtualMfaData,
     accessKeysActive:
       accessKey1Active === 'true' || accessKey2Active === 'true',
     passwordLastUsed: passwordLastUsed?.toISOString() || '',

src/services/iamUser/schema.graphql

@@ -13,6 +13,7 @@ type awsIamUser @key(fields: "id") {
   accessKeysActive: Boolean @search
   accessKeyData: [awsIamAccessKey]
   mfaDevices: [awsIamMfaDevice]
+  virtualMfaDevices: [awsIamMfaDevice]
   groups: [String]
   tags: [awsRawTag]
   inlinePolicies: [String]

src/types/generated.ts

@@ -3213,6 +3213,7 @@ export type AwsIamUser = {
   passwordNextRotation?: Maybe<Scalars['String']>;
   path?: Maybe<Scalars['String']>;
   tags?: Maybe<Array<Maybe<AwsRawTag>>>;
+  virtualMfaDevices?: Maybe<Array<Maybe<AwsIamMfaDevice>>>;
 };
 
 export type AwsIgw = {