feat: Fetched extra grant information for kms service

Author: Marco Franceschi

src/services/kms/data.ts

@@ -11,6 +11,7 @@ import KMS, {
   KeyMetadata,
   ListKeysRequest,
   ListKeysResponse,
+  GrantListEntry
 } from 'aws-sdk/clients/kms'
 
 import { TagMap } from '../../types'
@@ -35,6 +36,7 @@ export type AwsKms = KeyListEntry &
     Tags: TagMap
     keyRotationEnabled: boolean
     Aliases?: AliasListEntry[]
+    Grants?: GrantListEntry[]
   }
 
 export default async ({
@@ -53,6 +55,7 @@ export default async ({
     const policyPromises = []
     const tagPromises = []
     const aliasesPromises = []
+    const grantsPromises = []
 
     /**
      * Step 1) for all regions, list the kms keys
@@ -373,11 +376,43 @@ export default async ({
           resolveAliases()
         })
       )
-
       aliasesPromises.push(aliasesPromise)
+
+      const grantsPromise = new Promise<void>(resolveGrants =>
+        kms.listGrants({ KeyId }, (err, data) => {
+          if (err) {
+            errorLog.generateAwsErrorLog({
+              functionName: 'kms:listGrants',
+              err,
+            })
+            resolveGrants()
+          }
+
+          /**
+           * No grants data
+           */
+
+          if (isEmpty(data)) {
+            return resolveGrants()
+          }
+
+          /**
+           * Add the grants to the key
+           */
+
+          const { Grants: grants } = data || {}
+
+          kmsData[idx].Grants = grants
+
+          resolveGrants()
+        })
+      )
+
+      grantsPromises.push(grantsPromise)
     })
 
     await Promise.all(aliasesPromises)
+    await Promise.all(grantsPromises)
     errorLog.reset()
 
     resolve(groupBy(kmsData, 'region'))

src/services/kms/format.ts

@@ -1,10 +1,11 @@
 import { generateUniqueId } from '@cloudgraph/sdk'
-import { AliasListEntry } from 'aws-sdk/clients/kms'
+import { AliasListEntry, GrantListEntry } from 'aws-sdk/clients/kms'
 
 import { AwsKms } from './data'
 import {
   AwsKms as AwsKmsType,
   AwsKmsAliasListEntry,
+  AwsKmsGrantListEntry,
 } from '../../types/generated'
 import { formatTagsFromMap, formatIamJsonPolicy } from '../../utils/format'
 
@@ -38,6 +39,7 @@ export default ({
     DeletionDate: deletionDate,
     ValidTo: validTo,
     Aliases: aliases = [],
+    Grants: grants = []
   } = key
 
   const formatAliases = (
@@ -58,6 +60,27 @@ export default ({
     )
   }
 
+  const formatGrants = (
+    grants?: GrantListEntry[]
+  ): AwsKmsGrantListEntry[] => {
+    return (
+      grants?.map(a => ({
+        id: generateUniqueId({
+          arn,
+          ...a,
+        }),
+        grantId: a.GrantId,
+        name: a.Name,
+        creationDate: a.CreationDate?.toISOString(),
+        granteePrincipal: a.GranteePrincipal,
+        retiringPrincipal: a.RetiringPrincipal,
+        issuingAccount: a.IssuingAccount,
+        keyId: a.KeyId,
+        operations: a.Operations
+      })) || []
+    )
+  }
+
   return {
     accountId: account,
     arn,
@@ -78,5 +101,6 @@ export default ({
     deletionDate: deletionDate?.toISOString(),
     validTo: validTo?.toISOString(),
     aliases: formatAliases(aliases),
+    grants: formatGrants(grants),
   }
 }

src/services/kms/schema.graphql

@@ -1,3 +1,20 @@
+type awsKmsGrantListEntry
+  @generate(
+    query: { get: false, query: true, aggregate: false }
+    mutation: { add: false, delete: false }
+    subscription: false
+  ) {
+  id: String! @id
+  grantId: String @search(by: [hash, regexp])
+  keyId: String @search(by: [hash, regexp])
+  name: String @search(by: [hash, regexp])
+  creationDate: DateTime @search(by: [day])
+  granteePrincipal: String @search(by: [hash, regexp])
+  retiringPrincipal: String @search(by: [hash, regexp])
+  issuingAccount: String @search(by: [hash, regexp])
+  operations: [String] @search(by: [hash, regexp])
+}
+
 type awsKmsAliasListEntry
   @generate(
     query: { get: false, query: true, aggregate: false }
@@ -28,6 +45,7 @@ type awsKms implements awsBaseService @key(fields: "id") {
   deletionDate: DateTime @search(by: [day])
   validTo: DateTime @search(by: [day])
   aliases: [awsKmsAliasListEntry]
+  grants: [awsKmsGrantListEntry]
   lambda: [awsLambda] @hasInverse(field: kms) #change to plural
   cloudtrail: [awsCloudtrail] @hasInverse(field: kms) #change to plural
   redshiftCluster: [awsRedshiftCluster] @hasInverse(field: kms) #change to plural

src/types/generated.ts

@@ -3326,6 +3326,7 @@ export type AwsKms = AwsBaseService & {
   elasticSearchDomains?: Maybe<Array<Maybe<AwsElasticSearchDomain>>>;
   emrCluster?: Maybe<Array<Maybe<AwsEmrCluster>>>;
   enabled?: Maybe<Scalars['Boolean']>;
+  grants?: Maybe<Array<Maybe<AwsKmsGrantListEntry>>>;
   keyManager?: Maybe<Scalars['String']>;
   keyRotationEnabled?: Maybe<Scalars['Boolean']>;
   keyState?: Maybe<Scalars['String']>;
@@ -3356,6 +3357,18 @@ export type AwsKmsAliasListEntry = {
   targetKeyId?: Maybe<Scalars['String']>;
 };
 
+export type AwsKmsGrantListEntry = {
+  creationDate?: Maybe<Scalars['DateTime']>;
+  grantId?: Maybe<Scalars['String']>;
+  granteePrincipal?: Maybe<Scalars['String']>;
+  id: Scalars['String'];
+  issuingAccount?: Maybe<Scalars['String']>;
+  keyId?: Maybe<Scalars['String']>;
+  name?: Maybe<Scalars['String']>;
+  operations?: Maybe<Array<Maybe<Scalars['String']>>>;
+  retiringPrincipal?: Maybe<Scalars['String']>;
+};
+
 export type AwsLambda = AwsBaseService & {
   appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
   cognitoUserPools?: Maybe<Array<Maybe<AwsCognitoUserPool>>>;