Merge pull request #29 from cloudgraphdev/fix/CG-1070

fix: Added missing connections to RDS DB Instance

Author: tyler-dunkel

README.md

@@ -14,6 +14,7 @@ type awsCloudwatchLog @key(fields: "arn") {
   cloudwatch: [awsCloudwatch] @hasInverse(field: cloudwatchLog)
   cloudtrail: [awsCloudtrail] @hasInverse(field: cloudwatchLog)
   ecsCluster: [awsEcsCluster] @hasInverse(field: cloudwatchLog)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: cloudwatchLogs)
 }
 
 type awsMetricFilter

src/services/cloudwatchLogs/schema.graphql

@@ -29,9 +29,9 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   appSync: [awsAppSync] @hasInverse(field: iamRoles)
   lambda: [awsLambda] @hasInverse(field: iamRole)
   kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)
-  rdsClusterMonitoringRole: [awsRdsCluster]
-    @hasInverse(field: monitoringIamRole)
-  rdsClusterIamRoles: [awsRdsCluster] @hasInverse(field: iamRoles)
-  cloudFormationStackSet: [awsCloudFormationStackSet] @hasInverse(field: iamRoles)
+  rdsCluster: [awsRdsCluster] @hasInverse(field: iamRoles)
+  cloudFormationStackSet: [awsCloudFormationStackSet]
+    @hasInverse(field: iamRoles)
   asg: [awsAsg] @hasInverse(field: iamRole)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: iamRoles)
 }

src/services/iamRole/schema.graphql

@@ -47,10 +47,6 @@ type awsKms implements awsBaseService @key(fields: "id") {
   ecsCluster: [awsEcsCluster] @hasInverse(field: kms)
   dynamodb: [awsDynamoDbTable] @hasInverse(field: kms)
   cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: kms)
-  rdsClusterStorageEncryption: [awsRdsCluster]
-    @hasInverse(field: storageEncryptedKms)
-  rdsClusterActivityStream: [awsRdsCluster]
-    @hasInverse(field: activityStreamKms)
-  rdsClusterPerformanceInsights: [awsRdsCluster]
-    @hasInverse(field: performanceInsightsKms)
+  rdsCluster: [awsRdsCluster] @hasInverse(field: kms)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: kms)
 }

src/services/kms/schema.graphql

@@ -1,11 +1,14 @@
 import { ServiceConnection } from '@cloudgraph/sdk'
 import { isEmpty } from 'lodash'
 import { SecurityGroup } from 'aws-sdk/clients/ec2'
-import { DBInstance, DBCluster } from 'aws-sdk/clients/rds'
+import { DBInstance } from 'aws-sdk/clients/rds'
 
 import services from '../../enums/services'
+import { RawAwsRdsCluster } from './data'
+import { RawAwsRoute53HostedZone } from '../route53HostedZone/data'
 import { RawAwsRdsClusterSnapshot } from '../rdsClusterSnapshot/data'
 import { RawAwsIamRole } from '../iamRole/data'
+import { RawAwsSubnet } from '../subnet/data'
 import { AwsKms } from '../kms/data'
 import { globalRegionName } from '../../enums/regions'
 
@@ -14,7 +17,7 @@ export default ({
   data,
   region,
 }: {
-  service: DBCluster
+  service: RawAwsRdsCluster
   data: Array<{ name: string; data: { [property: string]: any[] } }>
   region: string
 }): {
@@ -24,12 +27,14 @@ export default ({
   const {
     DBClusterArn: id,
     DBClusterIdentifier: clusterId,
+    dbSubnetGroups,
     MonitoringRoleArn: monitoringRoleArn,
     AssociatedRoles: associatedRoles = [],
     KmsKeyId,
     ActivityStreamKmsKeyId,
     PerformanceInsightsKMSKeyId,
     VpcSecurityGroups,
+    HostedZoneId: hostedZoneId,
   } = service
   const sgIds = VpcSecurityGroups.map(
     ({ VpcSecurityGroupId }) => VpcSecurityGroupId
@@ -122,47 +127,19 @@ export default ({
   } = data.find(({ name }) => name === services.kms)
 
   if (kms?.data?.[region]) {
-    // set storage encryption kms key
-    let kmsInRegion: AwsKms[] = kms.data[region].filter(
-      ({ Arn }: AwsKms) => Arn === KmsKeyId
+    const kmsInRegion: AwsKms[] = kms.data[region].filter(
+      ({ Arn }: AwsKms) =>
+        Arn === KmsKeyId ||
+        Arn === ActivityStreamKmsKeyId ||
+        Arn === PerformanceInsightsKMSKeyId
     )
     if (!isEmpty(kmsInRegion)) {
       for (const instance of kmsInRegion) {
         connections.push({
           id: instance.KeyId,
           resourceType: services.kms,
           relation: 'child',
-          field: 'storageEncryptedKms',
-        })
-      }
-    }
-
-    // set activity stream kms key
-    kmsInRegion = kms.data[region].filter(
-      ({ Arn }: AwsKms) => Arn === ActivityStreamKmsKeyId
-    )
-    if (!isEmpty(kmsInRegion)) {
-      for (const instance of kmsInRegion) {
-        connections.push({
-          id: instance.KeyId,
-          resourceType: services.kms,
-          relation: 'child',
-          field: 'activityStreamKms',
-        })
-      }
-    }
-
-    // set performance insights kms key
-    kmsInRegion = kms.data[region].filter(
-      ({ Arn }: AwsKms) => Arn === PerformanceInsightsKMSKeyId
-    )
-    if (!isEmpty(kmsInRegion)) {
-      for (const instance of kmsInRegion) {
-        connections.push({
-          id: instance.KeyId,
-          resourceType: services.kms,
-          relation: 'child',
-          field: 'performanceInsightsKms',
+          field: 'kms',
         })
       }
     }
@@ -178,10 +155,12 @@ export default ({
   } = data.find(({ name }) => name === services.iamRole)
 
   if (iamRoles?.data?.[globalRegionName]) {
-    let iamRolesInRegion: RawAwsIamRole[] = iamRoles.data[
+    const iamRolesInRegion: RawAwsIamRole[] = iamRoles.data[
       globalRegionName
-    ].filter(({ Arn }: RawAwsIamRole) =>
-      associatedRoles.find(r => r.RoleArn === Arn)
+    ].filter(
+      ({ Arn }: RawAwsIamRole) =>
+        Arn === monitoringRoleArn ||
+        associatedRoles.find(r => r.RoleArn === Arn)
     )
     if (!isEmpty(iamRolesInRegion)) {
       for (const instance of iamRolesInRegion) {
@@ -193,16 +172,56 @@ export default ({
         })
       }
     }
-    iamRolesInRegion = iamRoles.data[globalRegionName].filter(
-      ({ Arn }: RawAwsIamRole) => Arn === monitoringRoleArn
+  }
+
+  /**
+   * Find Route53 hosted zones
+   */
+  const route53HostedZones: {
+    name: string
+    data: { [property: string]: RawAwsRoute53HostedZone[] }
+  } = data.find(({ name }) => name === services.route53HostedZone)
+
+  if (route53HostedZones?.data?.[region]) {
+    const instancesInRegion: RawAwsRoute53HostedZone[] =
+      route53HostedZones.data[region].filter(
+        ({ Id }: RawAwsRoute53HostedZone) => Id === hostedZoneId
+      )
+    if (!isEmpty(instancesInRegion)) {
+      for (const instance of instancesInRegion) {
+        const { Id: id } = instance
+        connections.push({
+          id,
+          resourceType: services.route53HostedZone,
+          relation: 'child',
+          field: 'route53HostedZone',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find Subnets
+   * related to this RDS Cluster
+   */
+  const subnets = data.find(({ name }) => name === services.subnet)
+  const subnetIds = dbSubnetGroups?.map(({ Subnets }) =>
+    Subnets?.map(subnet => subnet.SubnetIdentifier)
+  )
+  if (subnets?.data?.[region]) {
+    const subnetsInRegion = subnets.data[region].filter(
+      (subnet: RawAwsSubnet) =>
+        subnetIds.some(ids => ids.includes(subnet.SubnetId))
     )
-    if (!isEmpty(iamRolesInRegion)) {
-      for (const instance of iamRolesInRegion) {
+    if (!isEmpty(subnetsInRegion)) {
+      for (const subnet of subnetsInRegion) {
+        const { SubnetId } = subnet
+
         connections.push({
-          id: instance.Arn,
-          resourceType: services.iamRole,
+          id: SubnetId,
+          resourceType: services.subnet,
           relation: 'child',
-          field: 'monitoringIamRole',
+          field: 'subnets',
         })
       }
     }

src/services/rdsCluster/connections.ts

@@ -4,6 +4,8 @@ import RDS, {
   TagListMessage,
   DescribeDBClustersMessage,
   DBClusterMessage,
+  DBSubnetGroup,
+  DBSubnetGroupMessage,
 } from 'aws-sdk/clients/rds'
 import { AWSError } from 'aws-sdk/lib/error'
 import groupBy from 'lodash/groupBy'
@@ -57,6 +59,29 @@ const listClustersForRegion = async rds =>
     listAllClusters()
   })
 
+const describeDBSubnetGroups = async (rds: RDS, DBSubnetGroupName: string): Promise<DBSubnetGroup[]> =>
+  new Promise(resolve => {
+    try {
+      rds.describeDBSubnetGroups(
+        { DBSubnetGroupName },
+        (err: AWSError, data: DBSubnetGroupMessage) => {
+          if (err) {
+            errorLog.generateAwsErrorLog({
+              functionName: 'rds:describeDBSubnetGroups',
+              err,
+            })
+            return resolve([])
+          }
+          if (!isEmpty(data)) {
+            resolve(data.DBSubnetGroups)
+          }
+        }
+      )
+    } catch (error) {
+      resolve([])
+    }
+  })
+
 const getResourceTags = async (rds: RDS, arn: string): Promise<TagMap> =>
   new Promise(resolve => {
     try {
@@ -80,6 +105,7 @@ const getResourceTags = async (rds: RDS, arn: string): Promise<TagMap> =>
   })
 
 export interface RawAwsRdsCluster extends DBCluster {
+  dbSubnetGroups: DBSubnetGroup[]
   Tags?: TagMap
   region: string
 }
@@ -104,10 +130,11 @@ export default async ({
 
         if (!isEmpty(clusters)) {
           rdsData.push(
-            ...clusters.map(cluster => ({
+            ...await Promise.all(clusters.map(async (cluster) => ({
               ...cluster,
+              dbSubnetGroups: await describeDBSubnetGroups(rds, cluster.DBSubnetGroup),
               region,
-            }))
+            })))
           )
         }
         resolveRegion()

src/services/rdsCluster/data.ts

@@ -14,7 +14,8 @@ export default ({
   const {
     DBClusterArn: arn,
     DBClusterIdentifier: dbClusterIdentifier,
-    DBSubnetGroup: subnets,
+    DBClusterParameterGroup: dbClusterParameterGroup,
+    DBSubnetGroup: dbSubnetGroup,
     Status: status,
     Engine: engine,
     EngineVersion: engineVersion,
@@ -55,7 +56,8 @@ export default ({
     characterSetName,
     databaseName,
     dbClusterIdentifier,
-    subnets,
+    dbClusterParameterGroup,
+    dbSubnetGroup,
     status,
     percentProgress,
     readerEndpoint,

src/services/rdsCluster/format.ts

@@ -4,7 +4,8 @@ type awsRdsCluster implements awsBaseService @key(fields: "arn") {
   characterSetName: String @search(by: [hash, regexp])
   databaseName: String @search(by: [hash, regexp])
   dbClusterIdentifier: String @search(by: [hash])
-  subnets: String @search(by: [hash])
+  dbClusterParameterGroup: String @search(by: [hash])
+  dbSubnetGroup: String @search(by: [hash])
   status: String @search(by: [hash, regexp])
   percentProgress: String @search(by: [hash, regexp])
   readerEndpoint: String @search(by: [hash, regexp])
@@ -32,11 +33,9 @@ type awsRdsCluster implements awsBaseService @key(fields: "arn") {
   instances: [awsRdsDbInstance] @hasInverse(field: cluster)
   snapshots: [awsRdsClusterSnapshot] @hasInverse(field: cluster)
   securityGroups: [awsSecurityGroup] @hasInverse(field: rdsCluster)
+  subnets: [awsSubnet] @hasInverse(field: rdsCluster)
   appSync: [awsAppSync] @hasInverse(field: rdsCluster)
-  monitoringIamRole: [awsIamRole] @hasInverse(field: rdsClusterMonitoringRole)
-  iamRoles: [awsIamRole] @hasInverse(field: rdsClusterIamRoles)
-  storageEncryptedKms: [awsKms] @hasInverse(field: rdsClusterStorageEncryption)
-  activityStreamKms: [awsKms] @hasInverse(field: rdsClusterActivityStream)
-  performanceInsightsKms: [awsKms]
-    @hasInverse(field: rdsClusterPerformanceInsights)
+  kms: [awsKms] @hasInverse(field: rdsCluster)
+  route53HostedZone: [awsRoute53HostedZone] @hasInverse(field: rdsCluster)
+  iamRoles: [awsIamRole] @hasInverse(field: rdsCluster)
 }