Skip to content

Commit e25bffb

Browse files
author
Christopher Brandt
committed
feat(cloudFormationStackSet): add iam role connection
1 parent a4d4ed0 commit e25bffb

7 files changed

Lines changed: 107 additions & 41 deletions

File tree

README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -79,7 +79,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
7979
| clientVpnEndpoint | securityGroup |
8080
| cloud9 | |
8181
| cloudformationStack | cloudformationStack, iamRole, sns |
82-
| cloudformationStackSet | |
82+
| cloudformationStackSet | iamRole |
8383
| cloudfront | elb, s3 |
8484
| cloudtrail | cloudwatch, cloudwatchLog, kms, s3, sns |
8585
| cloudwatch | cloudtrail, cloudwatchLog, sns |
@@ -124,7 +124,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
124124
| iamServerCertificate | |
125125
| iamUser | iamGroup |
126126
| iamPolicy | iamRole, iamGroup |
127-
| iamRole | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose, rdsCluster |
127+
| iamRole | appSync, cloudformationStackSet, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose, rdsCluster |
128128
| iamGroup | iamUser, iamPolicy |
129129
| igw | vpc |
130130
| iot | |

src/services/cloudFormationStackSet/connections.ts

Lines changed: 56 additions & 30 deletions
Original file line numberDiff line numberDiff line change
@@ -1,34 +1,60 @@
1-
// TODO: Enable when IAM is added
2-
// import { ServiceConnection } from '@cloudgraph/sdk';
3-
// import { Stack } from 'aws-sdk/clients/cloudformation';
4-
// import { TagMap } from '../../types'
1+
import isEmpty from 'lodash/isEmpty'
2+
import { ServiceConnection } from '@cloudgraph/sdk';
3+
import { StackSet } from 'aws-sdk/clients/cloudformation';
4+
import { TagMap } from '../../types'
5+
import services from '../../enums/services'
6+
import { RawAwsIamRole } from '../iamRole/data'
7+
import { globalRegionName } from '../../enums/regions'
58

6-
// /**
7-
// * Cloud Formation StackSet
8-
// */
9+
/**
10+
* Cloud Formation StackSet
11+
*/
912

10-
// export default ({
11-
// service: cfStackSet,
12-
// data,
13-
// region,
14-
// }: {
15-
// data: { name: string; data: { [property: string]: any[] } }[]
16-
// service: Stack & {
17-
// region: string
18-
// Tags: TagMap,
19-
// },
20-
// region: string
21-
// }): { [key: string]: ServiceConnection[] } => {
22-
// const connections: ServiceConnection[] = []
13+
export default ({
14+
service: cfStackSet,
15+
data,
16+
region,
17+
}: {
18+
data: { name: string; data: { [property: string]: any[] } }[]
19+
service: StackSet & {
20+
region: string
21+
Tags: TagMap,
22+
},
23+
region: string
24+
}): { [key: string]: ServiceConnection[] } => {
25+
const connections: ServiceConnection[] = []
2326

24-
// const {
25-
// StackId: id,
26-
// // TODO add connection role
27-
// // AdministrationRoleARN: administrationRoleARN
28-
// } = cfStackSet
27+
const {
28+
StackSetId: id,
29+
AdministrationRoleARN: administrationRoleARN,
30+
ExecutionRoleName: executionRoleName,
31+
} = cfStackSet
2932

30-
// const cfStackSetResult = {
31-
// [id]: connections,
32-
// }
33-
// return cfStackSetResult
34-
// }
33+
/**
34+
* Find related IAM Roles
35+
*/
36+
const roles: { name: string; data: { [property: string]: any[] } } =
37+
data.find(({ name }) => name === services.iamRole)
38+
if (roles?.data?.[globalRegionName]) {
39+
const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
40+
role => role.Arn === administrationRoleARN || role.RoleName === executionRoleName
41+
)
42+
if (!isEmpty(dataAtRegion)) {
43+
for (const instance of dataAtRegion) {
44+
const { Arn: arn }: RawAwsIamRole = instance
45+
46+
connections.push({
47+
id: arn,
48+
resourceType: services.iamRole,
49+
relation: 'child',
50+
field: 'iamRoles',
51+
})
52+
}
53+
}
54+
}
55+
56+
const cfStackSetResult = {
57+
[id]: connections,
58+
}
59+
return cfStackSetResult
60+
}

src/services/cloudFormationStackSet/index.ts

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -2,16 +2,15 @@ import { Service } from '@cloudgraph/sdk';
22
import BaseService from '../base';
33
import format from './format';
44
import getData from './data';
5-
// import getConnections from './connections'
5+
import getConnections from './connections'
66
import mutation from './mutation';
77

88
export default class AwsCloudFormation extends BaseService implements Service {
99
format = format.bind(this);
1010

1111
getData = getData.bind(this);
1212

13-
// TODO: Enable when IAM is added
14-
// getConnections = getConnections.bind(this)
13+
getConnections = getConnections.bind(this)
1514

1615
mutation = mutation;
1716
}

src/services/cloudFormationStackSet/schema.graphql

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -40,7 +40,7 @@ type awsCloudFormationStackAutoDeploymentConfig {
4040
enabled: String @search(by: [hash, regexp])
4141
retainStacksOnAccountRemoval: String @search(by: [hash, regexp])
4242
}
43-
# TODO: add accountId to cloudFormationStackSet
43+
4444
type awsCloudFormationStackSet implements awsBaseService @key(fields: "arn") {
4545
name: String @search(by: [hash, regexp])
4646
description: String @search(by: [hash, regexp])
@@ -55,6 +55,5 @@ type awsCloudFormationStackSet implements awsBaseService @key(fields: "arn") {
5555
autoDeploymentConfig: awsCloudFormationStackAutoDeploymentConfig
5656
permissionModel: String @search(by: [hash, regexp])
5757
organizationalUnitIds: [String] @search
58+
iamRoles: [awsIamRole] @hasInverse(field: cloudFormationStackSet)
5859
}
59-
60-
# TODO: add iam role connection using AdministrationRoleARN (also see if a connection can be made using ExecutionRoleName)

src/services/iamRole/schema.graphql

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -31,4 +31,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
3131
rdsClusterMonitoringRole: [awsRdsCluster]
3232
@hasInverse(field: monitoringIamRole)
3333
rdsClusterIamRoles: [awsRdsCluster] @hasInverse(field: iamRoles)
34+
cloudFormationStackSet: [awsCloudFormationStackSet] @hasInverse(field: iamRoles)
3435
}

src/types/generated.ts

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -701,6 +701,7 @@ export type AwsCloudFormationStackSet = AwsBaseService & {
701701
description?: Maybe<Scalars['String']>;
702702
driftDetectionDetail?: Maybe<AwsCloudFormationStackSetDriftDetectionDetail>;
703703
executionRoleName?: Maybe<Scalars['String']>;
704+
iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
704705
name?: Maybe<Scalars['String']>;
705706
organizationalUnitIds?: Maybe<Array<Maybe<Scalars['String']>>>;
706707
parameters?: Maybe<Array<Maybe<AwsCloudFormationStackSetParameter>>>;
@@ -3049,6 +3050,7 @@ export type AwsIamRole = AwsBaseService & {
30493050
appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
30503051
assumeRolePolicy?: Maybe<AwsIamJsonPolicy>;
30513052
cloudFormationStack?: Maybe<Array<Maybe<AwsCloudFormationStack>>>;
3053+
cloudFormationStackSet?: Maybe<Array<Maybe<AwsCloudFormationStackSet>>>;
30523054
codebuilds?: Maybe<Array<Maybe<AwsCodebuild>>>;
30533055
cognitoUserPools?: Maybe<Array<Maybe<AwsCognitoUserPool>>>;
30543056
configurationRecorder?: Maybe<Array<Maybe<AwsConfigurationRecorder>>>;

tests/aws_cloudFormationStackSet.test.ts

Lines changed: 42 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,24 @@
11
import CloudGraph from '@cloudgraph/sdk'
2-
32
import CloudFormationClass from '../src/services/cloudFormationStackSet'
4-
5-
import { credentials, region } from '../src/properties/test'
3+
import IamRoleService from '../src/services/iamRole'
4+
import { account, credentials, region } from '../src/properties/test'
65
import { initTestConfig } from '../src/utils'
76
import { RawAwsCloudFormationStackSet } from '../src/services/cloudFormationStackSet/data'
7+
import services from '../src/enums/services'
88

99
describe('Cloud formation Service Test: ', () => {
1010
let getDataResult
1111
let formatResult
12+
let cfConnections
13+
let cfStackSetId
1214

1315
initTestConfig()
1416

1517
beforeAll(
1618
async () =>
1719
new Promise<void>(async resolve => {
1820
try {
21+
const iamRoleService = new IamRoleService({ logger: CloudGraph.logger })
1922
const cfClass = new CloudFormationClass({ logger: CloudGraph.logger })
2023

2124
getDataResult = await cfClass.getData({
@@ -27,6 +30,29 @@ describe('Cloud formation Service Test: ', () => {
2730
(item: RawAwsCloudFormationStackSet) =>
2831
cfClass.format({ service: item, region })
2932
)
33+
34+
// Get IAM Role data
35+
const securityGroupData = await iamRoleService.getData({
36+
credentials,
37+
regions: region,
38+
})
39+
40+
const [cfStackSet] = getDataResult[region]
41+
cfStackSetId = cfStackSet.StackSetId
42+
43+
cfConnections = cfClass.getConnections({
44+
service: cfStackSet,
45+
data: [
46+
{
47+
name: services.iamRole,
48+
data: securityGroupData,
49+
account,
50+
region,
51+
},
52+
],
53+
region,
54+
account,
55+
})
3056
} catch (error) {
3157
console.error(error) // eslint-disable-line no-console
3258
}
@@ -67,4 +93,17 @@ describe('Cloud formation Service Test: ', () => {
6793
)
6894
})
6995
})
96+
97+
describe('connections', () => {
98+
test('should verify the connection to iam roles', () => {
99+
const iamRoleConnections = cfConnections[
100+
cfStackSetId
101+
]?.filter(
102+
connection => connection.resourceType === services.iamRole
103+
)
104+
105+
expect(iamRoleConnections).toBeDefined()
106+
expect(iamRoleConnections.length).toBe(1)
107+
})
108+
})
70109
})

0 commit comments

Comments
 (0)