feat(services): add new services systemsManager instance and document

Author: tyler-dunkel

src/enums/schemasMap.ts

@@ -89,6 +89,8 @@ export default {
   [services.secretsManager]: 'awsSecretsManager',
   [services.ses]: 'awsSes',
   [services.sns]: 'awsSns',
+  [services.systemsManagerInstance]: 'awsSystemsManagerInstance',
+  [services.systemsManagerDocument]: 'awsSystemsManagerDocument',
   [services.transitGateway]: 'awsTransitGateway',
   [services.transitGatewayAttachment]: 'awsTransitGatewayAttachment',
   [services.vpnConnection]: 'awsVpnConnection',

src/enums/serviceMap.ts

@@ -90,6 +90,8 @@ import GuardDutyDetector from '../services/guardDutyDetector'
 import ElasticSearchDomain from '../services/elasticSearchDomain'
 import DmsReplicationInstance from '../services/dmsReplicationInstance'
 import SageMakerNotebookInstance from '../services/sageMakerNotebookInstance'
+import SystemsManagerInstance from '../services/systemsManagerInstance'
+import SystemsManagerDocument from '../services/systemsManagerDocument'
 
 /**
  * serviceMap is an object that contains all currently supported services for AWS
@@ -186,5 +188,7 @@ export default {
   [services.vpnConnection]: VpnConnection,
   [services.organization]: Organization,
   [services.wafV2WebAcl]: WafV2WebAcl,
+  [services.systemsManagerInstance]: SystemsManagerInstance,
+  [services.systemsManagerDocument]: SystemsManagerDocument,
   tag: AwsTag,
 }

src/enums/services.ts

@@ -83,6 +83,8 @@ export default {
   sns: 'sns',
   sqs: 'sqs',
   subnet: 'subnet',
+  systemsManagerInstance: 'systemsManagerInstance',
+  systemsManagerDocument: 'systemsManagerDocument',
   transitGateway: 'transitGateway',
   transitGatewayAttachment: 'transitGatewayAttachment',
   vpc: 'vpc',

src/services/iamRole/connections.ts

@@ -14,6 +14,7 @@ import { glueJobArn } from '../../utils/generateArns'
 import { RawAwsManagedAirflow } from '../managedAirflow/data'
 import { RawAwsGuardDutyDetector } from '../guardDutyDetector/data'
 import { RawAwsSageMakerNotebookInstance } from '../sageMakerNotebookInstance/data'
+import { RawAwsSystemsManagerInstance } from '../systemsManagerInstance/data'
 
 /**
  * IAM Role
@@ -188,6 +189,28 @@ export default ({
       })
     }
   }
+ /**
+   * Find any systemsManagerInstance related data
+   */
+   const systemsManagerInstances = data.find(
+    ({ name }) => name === services.systemsManagerInstance
+  )
+  if (systemsManagerInstances?.data?.[region]) {
+    const dataAtRegion: RawAwsSystemsManagerInstance[] = systemsManagerInstances.data[
+      region
+    ].filter(
+      ({ IamRole }: RawAwsSystemsManagerInstance) =>
+        IamRole === role.Arn
+    )
+    for (const instance of dataAtRegion) {
+      connections.push({
+        id: instance.InstanceId,
+        resourceType: services.systemsManagerInstance,
+        relation: 'child',
+        field: 'systemManagerInstances',
+      })
+    }
+  }
 
   /**
    * Find any sageMakerNotebookInstance related data

src/services/iamRole/schema.graphql

@@ -21,4 +21,5 @@ type awsIamRole @key(fields: "id") {
   managedAirflows: [awsManagedAirflow] @hasInverse(field: iamRoles)
   guardDutyDetectors: [awsGuardDutyDetector] @hasInverse(field: iamRole)
   sageMakerNotebookInstances: [awsSageMakerNotebookInstance] @hasInverse(field: iamRole)
+  systemManagerInstances: [awsSystemsManagerInstance] @hasInverse(field: iamRole)
 }

src/services/systemsManagerDocument/data.ts

@@ -0,0 +1,105 @@
+import { Config } from 'aws-sdk/lib/config'
+import SSM, { DescribeDocumentPermissionResponse } from 'aws-sdk/clients/ssm'
+import STS, { GetCallerIdentityResponse } from 'aws-sdk/clients/sts'
+import { PromiseResult } from 'aws-sdk/lib/request'
+import { AWSError } from 'aws-sdk/lib/error'
+import isEmpty from 'lodash/isEmpty'
+import groupBy from 'lodash/groupBy'
+import { convertAwsTagsToTagMap } from '../../utils/format'
+import { TagMap } from '../../types'
+import { initTestEndpoint } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+
+const serviceName = 'systemsManagerDocument'
+const endpoint = initTestEndpoint(serviceName)
+const errorLog = new AwsErrorLog(serviceName)
+export interface RawAwsSystemsManagerDocument
+  extends Omit<SSM.DocumentIdentifier, 'Tags'> {
+  region: string
+  accountId: string
+  permissions: {
+    accountIds: string[]
+    accountSharingInfoList: {
+      AccountId?: string
+      SharedDocumentVersion?: string
+    }[]
+  }
+  Tags: TagMap
+}
+
+/**
+ * SystemsManagerDocument
+ */
+
+export default async ({
+  regions,
+  config,
+}: {
+  regions: string
+  config: Config
+}): Promise<{ [region: string]: RawAwsSystemsManagerDocument[] }> => {
+  const result: RawAwsSystemsManagerDocument[] = []
+
+  const activeRegions = regions.split(',')
+  // We need the account in the raw data so we can connect to trags
+  let account: PromiseResult<GetCallerIdentityResponse, AWSError>
+  try {
+    account = await new STS(config).getCallerIdentity().promise()
+  } catch (err) {
+    errorLog.generateAwsErrorLog({ functionName: 'getCallerIdentity', err })
+  }
+  const accountId = account?.Account
+  for (const region of activeRegions) {
+    const client = new SSM({ ...config, region, endpoint })
+    const systemsManagerDocumentData: SSM.DocumentIdentifier[] = []
+    try {
+      const filterParam = { Filters: [{ Key: 'Owner', Values: ['Self'] }] }
+      const data = await client.listDocuments(filterParam).promise()
+      systemsManagerDocumentData.push(...data.DocumentIdentifiers)
+      let marker = data.NextToken
+      while (marker) {
+        const nextPage = await client
+          .listDocuments({ ...filterParam, NextToken: marker })
+          .promise()
+        if (!isEmpty(data.DocumentIdentifiers)) {
+          systemsManagerDocumentData.push(...nextPage.DocumentIdentifiers)
+          marker = nextPage.NextToken
+        }
+      }
+    } catch (err) {
+      errorLog.generateAwsErrorLog({ functionName: 'listDocuments', err })
+    }
+    for (const doc of systemsManagerDocumentData) {
+      let documentPermissions: PromiseResult<
+        DescribeDocumentPermissionResponse,
+        AWSError
+      >
+      try {
+        documentPermissions = await client
+          .describeDocumentPermission({
+            Name: doc.Name,
+            PermissionType: 'Share',
+          })
+          .promise()
+      } catch (err) {
+        errorLog.generateAwsErrorLog({
+          functionName: 'describeDocumentPermission',
+          err,
+        })
+      }
+      result.push({
+        ...doc,
+        accountId,
+        permissions: {
+          accountIds: documentPermissions?.AccountIds,
+          accountSharingInfoList: documentPermissions?.AccountSharingInfoList,
+        },
+        Tags: convertAwsTagsToTagMap(doc.Tags ?? []),
+        region,
+      })
+    }
+  }
+
+  errorLog.reset()
+  return groupBy(result, 'region')
+}

src/services/systemsManagerDocument/format.ts

@@ -0,0 +1,60 @@
+import cuid from 'cuid'
+import { AwsSystemsManagerDocument } from '../../types/generated'
+import { RawAwsSystemsManagerDocument } from './data'
+import { formatTagsFromMap } from '../../utils/format'
+import { ssmDocumentArn } from '../../utils/generateArns'
+
+/**
+ * SystemsManagerDocument
+ */
+
+export default ({
+  account,
+  service: rawData,
+  region,
+}: {
+  account: string
+  service: RawAwsSystemsManagerDocument
+  region: string
+}): AwsSystemsManagerDocument => {
+  const {
+    Name: name,
+    CreatedDate: createdDate,
+    Owner: owner,
+    PlatformTypes: platformTypes,
+    DocumentVersion: documentVersion,
+    DocumentType: documentType,
+    SchemaVersion: schemaVersion,
+    DocumentFormat: documentFormat,
+    TargetType: targetType,
+    Tags: tags,
+    permissions
+  } = rawData
+
+  const formattedPermissions = {
+    accountIds: permissions?.accountIds,
+    accountSharingInfoList: permissions?.accountSharingInfoList?.map(({ AccountId, SharedDocumentVersion }) => ({
+      id: cuid(),
+      accountId: AccountId,
+      sharedDocumentVersion: SharedDocumentVersion
+    }))
+  }
+  const arn = ssmDocumentArn({ region, account, name })
+  return {
+    id: arn,
+    arn,
+    region,
+    accountId: account,
+    name,
+    createdDate: createdDate?.toISOString(),
+    owner,
+    platformTypes,
+    documentVersion,
+    documentType,
+    schemaVersion,
+    documentFormat,
+    targetType,
+    tags: formatTagsFromMap(tags ?? {}),
+    permissions: formattedPermissions
+  }
+}

src/services/systemsManagerDocument/index.ts

@@ -0,0 +1,14 @@
+import { Service } from '@cloudgraph/sdk'
+  import BaseService from '../base'
+  import format from './format'
+  import getData from './data'
+  import mutation from './mutation'
+      
+  export default class SystemsManagerDocument extends BaseService implements Service {
+    format = format.bind(this)
+      
+    getData = getData.bind(this)
+      
+    mutation = mutation
+  }
+  

src/services/systemsManagerDocument/mutation.ts

@@ -0,0 +1,5 @@
+export default `mutation($input: [AddawsSystemsManagerDocumentInput!]!) {
+  addawsSystemsManagerDocument(input: $input, upsert: true) {
+    numUids
+  }
+}`;

src/services/systemsManagerDocument/schema.graphql

@@ -0,0 +1,28 @@
+type awsSystemsManagerDocument @key(fields: "arn") {
+  id: String! @id @search(by: [hash])
+  arn: String! @id @search(by: [hash, regexp])
+  accountId: String! @search(by: [hash])
+  region: String @search(by: [hash])
+  name: String @search(by: [hash, regexp])
+  createdDate: DateTime @search(by: [day])
+  owner: String @search(by: [hash, regexp])
+  platformTypes: [String]
+  documentVersion: String @search(by: [hash, regexp])
+  documentType: String @search(by: [hash, regexp])
+  schemaVersion: String @search(by: [hash, regexp])
+  documentFormat: String @search(by: [hash, regexp])
+  targetType: String @search(by: [hash, regexp])
+  tags: [awsRawTag]
+  permissions: awsSystemsManagerDocumentPermissions
+}
+
+type awsSystemsManagerDocumentPermissions {
+  accountIds: [String] @search(by: [hash, regexp])
+  accountSharingInfoList: [awsSystemsManagerDocumentPermissionsSharingList]
+}
+
+type awsSystemsManagerDocumentPermissionsSharingList {
+  id: String! @id @search(by: [hash])
+  accountId: String @search(by: [hash, regexp])
+  sharedDocumentVersion: String @search(by: [hash, regexp])
+}