feat(rds): add kms connection cluster/dbInstance

Christopher Brandt · Marco Franceschi · commit f501a4e07950 · 2022-04-13T12:27:53.000-04:00
diff --git a/README.md b/README.md
@@ -130,7 +130,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iot                         |                                                                                                                                                                                                                                                                                                                                  |
 | kinesisFirehose             | kinesisStream, s3, iamRole                                                                                                                                                                                                                                                                                                       |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                                                                                                                                                                  |
-| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsClusterSnapshot, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, rdsCluster                                                                                 |
+| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster                                                                                 |
 | lambda                      | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole                                                                                                                                                                                                                                                               |
 | managedAirflow              | iamRole, securityGroups, subnet, s3                                                                                                                                                                                                                                                                                              |
 | nacl                        | vpc                                                                                                                                                                                                                                                                                                                              |
@@ -139,7 +139,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | organization                |
 | rdsCluster                  | appSync, rdsClusterSnapshot, rdsDbInstance, securityGroup, subnet, iamRole, kms                                                                                                                                                                                                                                                          |
 | rdsClusterSnapshot          | kms, rdsCluster, vpc                                                                                                                                                                                                                                                                                                             |
-| rdsDbInstance               | rdsCluster, securityGroup, vpc, subnet                                                                                                                                                                                                                                                                                           |
+| rdsDbInstance               | kms, rdsCluster, securityGroup, vpc, subnet                                                                                                                                                                                                                                                                                           |
 | redshiftCluster             | kms, vpc                                                                                                                                                                                                                                                                                                                         |
 | route53Record               | alb, apiGatewayRestApi, elb, route53HostedZone                                                                                                                                                                                                                                                                                   |
 | route53HostedZone           | route53Record, vpc                                                                                                                                                                                                                                                                                                               |
diff --git a/src/services/kms/schema.graphql b/src/services/kms/schema.graphql
@@ -53,4 +53,6 @@ type awsKms implements awsBaseService @key(fields: "id") {
     @hasInverse(field: activityStreamKms)
   rdsClusterPerformanceInsights: [awsRdsCluster]
     @hasInverse(field: performanceInsightsKms)
+  rdsCluster: [awsRdsCluster] @hasInverse(field: kms)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: kms)
 }
diff --git a/src/services/rdsCluster/connections.ts b/src/services/rdsCluster/connections.ts
@@ -211,13 +211,33 @@ export default ({
     }
   }
 
+  /**
+   * Find KMS
+   */
+  const kmsKeys = data.find(({ name }) => name === services.kms)
+  if (kmsKeys?.data?.[region]) {
+    const kmsKeyInRegion = kmsKeys.data[region].filter(
+      kmsKey => kmsKey.Arn === KmsKeyId
+    )
+    if (!isEmpty(kmsKeyInRegion)) {
+      for (const kms of kmsKeyInRegion) {
+        connections.push({
+          id: kms.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'kms',
+        })
+      }
+    }
+  }
+
   /**
    * Find Subnets
    * related to this RDS Cluster
    */
   const subnets = data.find(({ name }) => name === services.subnet)
-  const subnetIds = dbSubnetGroups?.map(
-    ({ Subnets }) => Subnets?.map(subnet => subnet.SubnetIdentifier)
+  const subnetIds = dbSubnetGroups?.map(({ Subnets }) =>
+    Subnets?.map(subnet => subnet.SubnetIdentifier)
   )
   if (subnets?.data?.[region]) {
     const subnetsInRegion = subnets.data[region].filter(
diff --git a/src/services/rdsCluster/schema.graphql b/src/services/rdsCluster/schema.graphql
@@ -35,6 +35,7 @@ type awsRdsCluster implements awsBaseService @key(fields: "arn") {
   securityGroups: [awsSecurityGroup] @hasInverse(field: rdsCluster)
   subnets: [awsSubnet] @hasInverse(field: rdsCluster)
   appSync: [awsAppSync] @hasInverse(field: rdsCluster)
+  kms: [awsKms] @hasInverse(field: rdsCluster)
   monitoringIamRole: [awsIamRole] @hasInverse(field: rdsClusterMonitoringRole)
   iamRoles: [awsIamRole] @hasInverse(field: rdsClusterIamRoles)
   storageEncryptedKms: [awsKms] @hasInverse(field: rdsClusterStorageEncryption)
diff --git a/src/services/rdsDbInstance/connections.ts b/src/services/rdsDbInstance/connections.ts
@@ -17,7 +17,7 @@ export default ({
   [property: string]: ServiceConnection[]
 } => {
   const connections: ServiceConnection[] = []
-  const { DBInstanceArn: id, VpcSecurityGroups, DBSubnetGroup } = service
+  const { DBInstanceArn: id, VpcSecurityGroups, DBSubnetGroup, KmsKeyId } = service
 
   const sgIds = VpcSecurityGroups.map(
     ({ VpcSecurityGroupId }) => VpcSecurityGroupId
@@ -73,6 +73,26 @@ export default ({
     }
   }
 
+  /**
+   * Find KMS
+   */
+  const kmsKeys = data.find(({ name }) => name === services.kms)
+  if (kmsKeys?.data?.[region]) {
+    const kmsKeyInRegion = kmsKeys.data[region].filter(
+      kmsKey => kmsKey.Arn === KmsKeyId
+    )
+    if (!isEmpty(kmsKeyInRegion)) {
+      for (const kms of kmsKeyInRegion) {
+        connections.push({
+          id: kms.KeyId,
+          resourceType: services.kms,
+          relation: 'child',
+          field: 'kms',
+        })
+      }
+    }
+  }
+
   const rdsDbInstanceResult = {
     [id]: connections,
   }
diff --git a/src/services/rdsDbInstance/schema.graphql b/src/services/rdsDbInstance/schema.graphql
@@ -31,6 +31,7 @@ type awsRdsDbInstance implements awsBaseService @key(fields: "arn") {
   licenseModel: String @search(by: [hash, regexp])
   tags: [awsRawTag]
   cluster: [awsRdsCluster] @hasInverse(field: instances)
+  kms: [awsKms] @hasInverse(field: rdsDbInstance)
   securityGroups: [awsSecurityGroup] @hasInverse(field: rdsDbInstance)
   subnet: [awsSubnet] @hasInverse(field: rdsDbInstance)
   vpc: [awsVpc] @hasInverse(field: rdsDbInstance)
diff --git a/src/types/generated.ts b/src/types/generated.ts
@@ -3212,10 +3212,12 @@ export type AwsKms = AwsBaseService & {
   lambda?: Maybe<Array<Maybe<AwsLambda>>>;
   origin?: Maybe<Scalars['String']>;
   policy?: Maybe<AwsIamJsonPolicy>;
+  rdsCluster?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsClusterActivityStream?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsClusterPerformanceInsights?: Maybe<Array<Maybe<AwsRdsCluster>>>;
   rdsClusterSnapshots?: Maybe<Array<Maybe<AwsRdsClusterSnapshot>>>;
   rdsClusterStorageEncryption?: Maybe<Array<Maybe<AwsRdsCluster>>>;
+  rdsDbInstance?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
   redshiftCluster?: Maybe<Array<Maybe<AwsRedshiftCluster>>>;
   sageMakerNotebookInstances?: Maybe<Array<Maybe<AwsSageMakerNotebookInstance>>>;
   secretsManager?: Maybe<Array<Maybe<AwsSecretsManager>>>;
@@ -3528,6 +3530,7 @@ export type AwsRdsCluster = AwsBaseService & {
   iamDbAuthenticationEnabled?: Maybe<Scalars['Boolean']>;
   iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
   instances?: Maybe<Array<Maybe<AwsRdsDbInstance>>>;
+  kms?: Maybe<Array<Maybe<AwsKms>>>;
   kmsKey?: Maybe<Scalars['String']>;
   monitoringIamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   multiAZ?: Maybe<Scalars['Boolean']>;
@@ -3599,6 +3602,7 @@ export type AwsRdsDbInstance = AwsBaseService & {
   hostedZoneId?: Maybe<Scalars['String']>;
   iamDbAuthenticationEnabled?: Maybe<Scalars['Boolean']>;
   instanceClass?: Maybe<Scalars['String']>;
+  kms?: Maybe<Array<Maybe<AwsKms>>>;
   kmsKey?: Maybe<Scalars['String']>;
   licenseModel?: Maybe<Scalars['String']>;
   multiAZ?: Maybe<Scalars['Boolean']>;
diff --git a/tests/aws_rdsDBInstance.test.ts b/tests/aws_rdsDBInstance.test.ts
@@ -5,6 +5,7 @@ import { account, credentials, region } from '../src/properties/test'
 import services from '../src/enums/services'
 import Subnet from '../src/services/subnet'
 import SecurityGroup from '../src/services/securityGroup'
+import KMS from '../src/services/kms'
 
 // TODO: Localstack Pro Tier
 describe.skip('RDS DB Instance Service Test: ', () => {
@@ -19,6 +20,7 @@ describe.skip('RDS DB Instance Service Test: ', () => {
     try {
       const subnetService = new Subnet({ logger: CloudGraph.logger })
       const sgService = new SecurityGroup({ logger: CloudGraph.logger })
+      const kmsService = new KMS({ logger: CloudGraph.logger })
       const classInstance = new RDSDbInstance({
         logger: CloudGraph.logger,
       })
@@ -43,6 +45,12 @@ describe.skip('RDS DB Instance Service Test: ', () => {
         regions: region,
       })
 
+      // Get kms data
+      const kmsData = await kmsService.getData({
+        credentials,
+        regions: region,
+      })
+
       const [cluster] = getDataResult[region]
       rdsDbInstanceId = cluster.DBInstanceArn
 
@@ -61,6 +69,12 @@ describe.skip('RDS DB Instance Service Test: ', () => {
             account,
             region,
           },
+          {
+            name: services.kms,
+            data: kmsData,
+            account,
+            region,
+          },
         ],
         region,
         account,
@@ -189,5 +203,14 @@ describe.skip('RDS DB Instance Service Test: ', () => {
       expect(sgConnections).toBeDefined()
       expect(sgConnections.length).toBe(1)
     })
+
+    test('should verify the connection to kms', () => {
+      const kmsConnections = rdsDbInstanceConnections[rdsDbInstanceId]?.filter(
+        connection => connection.resourceType === services.kms
+      )
+
+      expect(kmsConnections).toBeDefined()
+      expect(kmsConnections.length).toBe(1)
+    })
   })
 })

Original file line number	Diff line number	Diff line change
`@@ -53,4 +53,6 @@ type awsKms implements awsBaseService @key(fields: "id") {`
`53`	`53`	`@hasInverse(field: activityStreamKms)`
`54`	`54`	`rdsClusterPerformanceInsights: [awsRdsCluster]`
`55`	`55`	`@hasInverse(field: performanceInsightsKms)`
	`56`	`+ rdsCluster: [awsRdsCluster] @hasInverse(field: kms)`
	`57`	`+ rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: kms)`
`56`	`58`	`}`