Merge branch 'alpha' into feature/CG-1073

Author: m-pizarro

CHANGELOG.md

@@ -1,3 +1,73 @@
+# [0.79.0-alpha.22](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.21...0.79.0-alpha.22) (2022-04-14)
+
+
+### Bug Fixes
+
+* **elasticSearchDomain:** add cloudwatchLogs, cognitoIdentityPool, cognitoUserPool, iamRole connections ([694d298](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/694d298af419a8f18f55ccebb5fc21b06574c930))
+
+# [0.79.0-alpha.21](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.20...0.79.0-alpha.21) (2022-04-14)
+
+
+### Bug Fixes
+
+* Created iamRole connection for emrCluster ([80a39e1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/80a39e19046ad46a2897f667171b271b5a1f9cc7))
+
+# [0.79.0-alpha.20](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.19...0.79.0-alpha.20) (2022-04-14)
+
+
+### Features
+
+* **cognitoIdentityPool:** add iamRole/iamOpenIdConnectProvider/iamSamlProvider connections, generate arn ([3ba9610](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/3ba9610af535f9b84f229ce6abcfcf1e43664d45))
+
+# [0.79.0-alpha.19](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.18...0.79.0-alpha.19) (2022-04-13)
+
+
+### Bug Fixes
+
+* Added missing connections to managedAirflow ([dbb9405](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/dbb94058dd22c0b538b4f9491e6874031747480f))
+
+# [0.79.0-alpha.18](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.17...0.79.0-alpha.18) (2022-04-13)
+
+
+### Bug Fixes
+
+* **elasticBeanstalkEnv:** add connections with alb, elb, ec2 and sqs services ([fe21ecd](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/fe21ecd924695395dde77a8704bf0e7edcb26c36))
+
+# [0.79.0-alpha.17](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.16...0.79.0-alpha.17) (2022-04-13)
+
+
+### Bug Fixes
+
+* Added missing connections to RDS DB Instance ([206bd29](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/206bd29fd9189d10ab628c07f206e5e6a4725bf6))
+
+
+### Features
+
+* **rds:** add kms connection cluster/dbInstance ([f501a4e](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/f501a4e079503d10841f1af32d3a12f13d277aa2))
+* **rdsCluster:** add route53HostedZone connection ([6480e7f](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/6480e7f16c404ebb2c7f2f458aa95ae2db93f0dc))
+* **rdsCluster:** add subnet connection, add missing properties ([7706a02](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/7706a0243384d949f1c4adaf7ec0fa6dd1d4cd57))
+
+# [0.79.0-alpha.16](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.15...0.79.0-alpha.16) (2022-04-13)
+
+
+### Bug Fixes
+
+* iamInstanceProfile never returning when there's a permission's error ([63e6d4a](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/63e6d4a3b8622c5d14a082cc3d9f2eef338c670c))
+
+# [0.79.0-alpha.15](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.14...0.79.0-alpha.15) (2022-04-13)
+
+
+### Bug Fixes
+
+* add connection between networkInterface and securityGroup services ([8efe2aa](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/8efe2aa8e15536df124a666b05d5e08eec8e2f87))
+
+# [0.79.0-alpha.14](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.13...0.79.0-alpha.14) (2022-04-13)
+
+
+### Bug Fixes
+
+* **elasticBeanstalkApp:** add connection to iamRole, fixes to iamRole ([d5af1af](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/d5af1af67656058e42874dd0260b7d1bf63310f5))
+
 # [0.79.0-alpha.13](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.79.0-alpha.12...0.79.0-alpha.13) (2022-04-12)
 
 

README.md

@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-aws",
-  "version": "0.79.0-alpha.13",
+  "version": "0.79.0-alpha.22",
   "description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",

package.json

@@ -47,6 +47,7 @@ export default {
   [services.iamUser]: 'iamUsers',
   [services.kinesisStream]: 'kinesisStreams',
   [services.lambda]: 'lambdaFunctions',
+  [services.managedAirflow]: 'managedAirflows',
   [services.nat]: 'natGateway',
   [services.networkInterface]: 'networkInterfaces',
   [services.organization]: 'organizations',

src/enums/serviceAliases.ts

@@ -21,6 +21,7 @@ type awsAlb implements awsBaseService @key(fields: "arn") {
   route53Record: [awsRoute53Record] @hasInverse(field: alb) #change to plural
   listeners: [awsAlbListener]
   subnet: [awsSubnet] @hasInverse(field: alb) #change to plural
+  elasticBeanstalkEnvs: [awsElasticBeanstalkEnv] @hasInverse(field: albs)
 }
 
 type awsAlbListener

src/services/alb/schema.graphql

@@ -131,6 +131,7 @@ type awsAsg implements awsBaseService @key(fields: "arn") {
   tags: [awsRawTag]
   launchConfiguration: awsLaunchConfiguration
   ec2Instance: [awsEc2] @hasInverse(field: asg) #change to plural
+  elasticBeanstalkEnvs: [awsElasticBeanstalkEnv] @hasInverse(field: asgs)
   securityGroups: [awsSecurityGroup] @hasInverse(field: asg)
   ebs: [awsEbs] @hasInverse(field: asg)
   subnet: [awsSubnet] @hasInverse(field: asg) #change to plural

src/services/asg/schema.graphql

@@ -14,6 +14,9 @@ type awsCloudwatchLog @key(fields: "arn") {
   cloudwatch: [awsCloudwatch] @hasInverse(field: cloudwatchLog)
   cloudtrail: [awsCloudtrail] @hasInverse(field: cloudwatchLog)
   ecsCluster: [awsEcsCluster] @hasInverse(field: cloudwatchLog)
+  elasticSearchDomains: [awsElasticSearchDomain] @hasInverse(field: cloudwatchLogs)
+  rdsDbInstance: [awsRdsDbInstance] @hasInverse(field: cloudwatchLogs)
+  managedAirflows: [awsManagedAirflow] @hasInverse(field: cloudwatchLogs)
 }
 
 type awsMetricFilter

src/services/cloudwatchLogs/schema.graphql

@@ -1 +1,104 @@
-// TODO Add Optional IAM saml provider
+import { ServiceConnection } from '@cloudgraph/sdk'
+import { isEmpty } from 'lodash'
+import services from '../../enums/services'
+import { RawAwsCognitoIdentityPool } from './data'
+import { RawAwsIamRole } from '../iamRole/data'
+import { globalRegionName } from '../../enums/regions'
+
+/**
+ * Cognito Identity Pool
+ */
+
+export default ({
+  service: identityPool,
+  data,
+  region,
+}: {
+  data: { name: string; data: { [property: string]: any[] } }[]
+  service: RawAwsCognitoIdentityPool
+  region: string
+}): { [key: string]: ServiceConnection[] } => {
+  const connections: ServiceConnection[] = []
+
+  const {
+    IdentityPoolId: id,
+    identityPoolRoles,
+    SamlProviderARNs = [],
+    OpenIdConnectProviderARNs = [],
+  } = identityPool
+
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+
+  const iamRoleArns = Object.values(identityPoolRoles?.Roles || {})
+
+  if (roles?.data?.[globalRegionName]) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(role =>
+      iamRoleArns.includes(role.Arn)
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: arn }: RawAwsIamRole = instance
+
+        connections.push({
+          id: arn,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRoles',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamSamlProvider
+   * related to this cognito identity pool
+   */
+  const iamSamlProviders = data.find(({ name }) => name === services.iamSamlProvider)
+  if (iamSamlProviders?.data?.[region]) {
+    const dataInRegion = iamSamlProviders.data[region].filter(provider =>
+      SamlProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamSamlProvider,
+          relation: 'child',
+          field: 'iamSamlProviders',
+        })
+      }
+    }
+  }
+
+  /**
+   * Find iamOpenIdConnectProvider
+   * related to this cognito identity pool
+   */
+  const iamOpenIdConnectProviders = data.find(({ name }) => name === services.iamOpenIdConnectProvider)
+  if (iamOpenIdConnectProviders?.data?.[region]) {
+    const dataInRegion = iamOpenIdConnectProviders.data[region].filter(provider =>
+      OpenIdConnectProviderARNs.includes(provider.arn)
+    )
+
+    if (!isEmpty(dataInRegion)) {
+      for (const provider of dataInRegion) {
+        connections.push({
+          id: provider.KeyId,
+          resourceType: services.iamOpenIdConnectProvider,
+          relation: 'child',
+          field: 'iamOpenIdConnectProviders',
+        })
+      }
+    }
+  }
+
+  const identityPoolResult = {
+    [id]: connections,
+  }
+  return identityPoolResult
+}

src/services/cognitoIdentityPool/connections.ts

@@ -1,6 +1,7 @@
 import COGID, {
   IdentityPool,
   IdentityPoolShortDescription,
+  GetIdentityPoolRolesResponse,
 } from 'aws-sdk/clients/cognitoidentity'
 import { Config } from 'aws-sdk/lib/config'
 
@@ -25,6 +26,7 @@ const MAX_RESULTS = 60
 
 export interface RawAwsCognitoIdentityPool
   extends Omit<IdentityPool, 'IdentityPoolTags'> {
+  identityPoolRoles: GetIdentityPoolRolesResponse
   region: string
   Tags: TagMap
 }
@@ -91,6 +93,27 @@ const describeIdentityPool = async ({
   return null
 }
 
+const getIdentityPoolRoles = async ({
+  cogId,
+  IdentityPoolId,
+}: {
+  cogId: COGID
+  IdentityPoolId: string
+}): Promise<GetIdentityPoolRolesResponse> => {
+  try {
+    return await cogId
+      .getIdentityPoolRoles({ IdentityPoolId })
+      .promise()
+
+  } catch (err) {
+    errorLog.generateAwsErrorLog({
+      functionName: 'cognitoIdentityPool:getIdentityPoolRoles',
+      err,
+    })
+  }
+  return null
+}
+
 const listIdentityPoolData = async ({
   cogId,
   region,
@@ -106,8 +129,13 @@ const listIdentityPoolData = async ({
       cogId,
       IdentityPoolId: identityPoolId.IdentityPoolId,
     })
+    const identityPoolRoles = await getIdentityPoolRoles({
+      cogId,
+      IdentityPoolId: identityPoolId.IdentityPoolId,
+    })
     identityPoolData.push({
       ...identityPool,
+      identityPoolRoles,
       region,
     })
   }

src/services/cognitoIdentityPool/data.ts

@@ -1,10 +1,12 @@
-import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity';
-import cuid from 'cuid';
+import { IdentityProviders } from 'aws-sdk/clients/cognitoidentity'
+import cuid from 'cuid'
 import t from '../../properties/translations'
-
-import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated';
-import { formatTagsFromMap } from '../../utils/format';
-import { RawAwsCognitoIdentityPool } from './data';
+import { AwsCognitoIdentityPool, AwsSupportedLoginProvider } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+import { RawAwsCognitoIdentityPool } from './data'
+import {
+  cognitoIdentityPoolArn,
+} from '../../utils/generateArns'
 
 /**
  * Cognito Identity Pool
@@ -53,9 +55,12 @@ export default ({
     serverSideTokenCheck: serverSideTokenCheck? t.yes : t.no,
   })) || []
 
+  const arn = cognitoIdentityPoolArn({ region, account, identityPoolId })
+
   const identityPool  = {
     id: identityPoolId,
     accountId: account,
+    arn,
     identityPoolName,
     allowUnauthenticatedIdentities: allowUnauthenticatedIdentities? t.yes : t.no,
     allowClassicFlow: allowClassicFlow? t.yes : t.no,