Merge pull request #119 from cloudgraphdev/alpha

Beta release
cloudgraphdev · Mar 8, 2023 · 13858b8 · 13858b8
2 parents 2caf4c3 + 83ea1d4
commit 13858b8
Show file tree

Hide file tree

Showing 29 changed files with 615 additions and 3 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,33 @@
+# [0.86.0-alpha.1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.85.2-alpha.1...0.86.0-alpha.1) (2023-03-08)
+
+
+### Bug Fixes
+
+* **services:** expose scope on wafv2 ([82f044a](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/82f044a715795171414c87753ab5d81ffc15cbc5))
+* **services:** update format file for new schema ([2a3333f](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/2a3333fb4d3384564f24206384d3b0e8ae1f131b))
+* **services:** update route53 to have setIdentifier and name in the schema ([904ba79](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/904ba7969be00078ee33bc7890bf35dc6fb7ce1c))
+
+
+### Features
+
+* **CG-1339:** add aws ebs snapshot ([376551a](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/376551ad7bdd0de51833351c24c13c99a974df93))
+* **CG-1339:** add kms connection to ebs snapshot ([beac5fd](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/beac5fd6bf78e29dac14cbbd4ae58f70dfe19cb0))
+* **CG-1339:** update README ([38a9d5e](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/38a9d5e43c75734c73505bcc074fe2c61517617a))
+
+## [0.85.2-alpha.1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.85.1...0.85.2-alpha.1) (2023-03-05)
+
+
+### Bug Fixes
+
+* **CG-1328:** add account level s3 public access block for the rule check ([0ab5f21](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/0ab5f21c2d6dfd8d4697e731bd659c8b26101114))
+
+## [0.85.1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.85.0...0.85.1) (2023-02-11)
+
+
+### Bug Fixes
+
+* **auth:** add debug log for mfa ([d698c68](https://github.com/cloudgraphdev/cloudgraph-provider-aws/commit/d698c683375b7b890f4e86305307d5cb03180775))
+
 ## [0.85.1-beta.1](https://github.com/cloudgraphdev/cloudgraph-provider-aws/compare/0.85.0...0.85.1-beta.1) (2023-02-11)
 
 

diff --git a/README.md b/README.md
@@ -94,7 +94,8 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | customerGateway             | vpnConnection                                                                                                                                                                                                                                                                                                                                                                 |
 | dynamodb                    | appSync, iamRole, kms                                                                                                                                                                                                                                                                                                                                                         |
 | dmsReplicationInstance      | securityGroup, subnet, vpc, kms                                                                                                                                                                                                                                                                                                                                               |
-| ebs                         | asg, ec2, emrInstance                                                                                                                                                                                                                                                                                                                                                         |
+| ebs                         | asg, ec2, emrInstance, ebsSnapshot                                                                                                                                                                                                                                                                                                                                            |
+| ebsSnapshot                 | ebs, kms                                                                                                                                                                                                                                                                                                                                                                       |
 | ec2                         | alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer                                                                                                                                                                                             |
 | ecr                         |                                                                                                                                                                                                                                                                                                                                                                               |
 | ecsCluster                  | cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3                                                                                                                                                                                                                                                                                                                       |
@@ -134,7 +135,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iot                         |                                                                                                                                                                                                                                                                                                                                                                               |
 | kinesisFirehose             | kinesisStream, s3, iamRole                                                                                                                                                                                                                                                                                                                                                    |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                                                                                                                                                                                                               |
-| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3                                                                               |
+| kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3, ebsSnapshot                                                                  |
 | lambda                      | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole                                                                                                                                                                                                                                                                                        |
 | managedAirflow              | cloudwatchLog, iamRole, kms, securityGroups, subnet, s3                                                                                                                                                                                                                                                                                                                       |
 | managedPrefixList           |                                                                                                                                                                                                                                                                                                                        |

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@cloudgraph/cg-provider-aws",
-  "version": "0.85.1-beta.1",
+  "version": "0.86.0-alpha.1",
   "description": "cloud-graph provider plugin for AWS used to fetch AWS cloud data.",
   "publishConfig": {
     "registry": "https://registry.npmjs.org/",

diff --git a/src/enums/resources.ts b/src/enums/resources.ts
@@ -23,6 +23,7 @@ export default {
   sqsQueue: 'aws_sqs_queue',
   iamGroup: 'aws_iam_group',
   snsTopic: 'aws_sns_topic',
+  ebsSnapshot: 'aws_ebs_snapshot',
   ebsVolume: 'aws_ebs_volume',
   iamPolicy: 'aws_iam_policy',
   vpnGateway: 'aws_vpn_gateway',

diff --git a/src/enums/schemasMap.ts b/src/enums/schemasMap.ts
@@ -31,6 +31,7 @@ export default {
   [services.dmsReplicationInstance]: 'awsDmsReplicationInstance',
   [services.dynamodb]: 'awsDynamoDbTable',
   [services.ebs]: 'awsEbs',
+  [services.ebsSnapshot]: 'awsEbsSnapshot',
   [services.ec2Instance]: 'awsEc2',
   [services.ecr]: 'awsEcr',
   [services.ecsCluster]: 'awsEcsCluster',

diff --git a/src/enums/serviceAliases.ts b/src/enums/serviceAliases.ts
@@ -17,6 +17,7 @@ export default {
   [services.codebuild]: 'codebuilds',
   [services.configurationRecorder]: 'configurationRecorders',
   [services.dmsReplicationInstance]: 'dmsReplicationInstances',
+  [services.ebsSnapshot]: 'ebsSnapshots',
   [services.ec2Instance]: 'ec2Instances',
   [services.ecsCluster]: 'ecsClusters',
   [services.ecsContainer]: 'ecsContainers',

diff --git a/src/enums/serviceMap.ts b/src/enums/serviceMap.ts
@@ -23,6 +23,7 @@ import CognitoIdentityPool from '../services/cognitoIdentityPool'
 import CognitoUserPool from '../services/cognitoUserPool'
 import DynamoDB from '../services/dynamodb'
 import EBS from '../services/ebs'
+import EBSSnapshot from '../services/ebsSnapshot'
 import EC2 from '../services/ec2'
 import EcsCluster from '../services/ecsCluster'
 import EcsContainer from '../services/ecsContainer'
@@ -133,6 +134,7 @@ export default {
   [services.cognitoUserPool]: CognitoUserPool,
   [services.configurationRecorder]: ConfigurationRecorder,
   [services.ebs]: EBS,
+  [services.ebsSnapshot]: EBSSnapshot,
   [services.ec2Instance]: EC2,
   [services.ecr]: ECR,
   [services.efs]: EFS,

diff --git a/src/enums/services.ts b/src/enums/services.ts
@@ -25,6 +25,7 @@ export default {
   dmsReplicationInstance: 'dmsReplicationInstance',
   dynamodb: 'dynamodb',
   ebs: 'ebs',
+  ebsSnapshot: 'ebsSnapshot',
   ec2Instance: 'ec2Instance',
   ecr: 'ecr',
   ecsCluster: 'ecsCluster',

diff --git a/src/properties/logger.ts b/src/properties/logger.ts
@@ -249,6 +249,13 @@ export default {
   doneFetchingEbsData: '✅ Done fetching EBS Data ✅',
   fetchedEbsVolumes: (num: number): string => `Fetched ${num} EBS Volumes`,
   lookingForEbs: 'Looking for EBS volumes for EC2 instances...',
+  /**
+   * EBS Snapshot
+   */
+    fetchingEbsSnapshotData: 'Fetching EBS Snapshot data for this AWS account via the AWS SDK...',
+    doneFetchingEbsSnapshotData: '✅ Done fetching EBS Snapshot Data ✅',
+    fetchedEbsSnapshots: (num: number): string => `Fetched ${num} EBS Snapshots`,
+    lookingForEbsSnapshot: 'Looking for EBS Snapshots...',
   /**
    * EC2
    */

diff --git a/src/services/ebs/connections.ts b/src/services/ebs/connections.ts
@@ -0,0 +1,68 @@
+import isEmpty from 'lodash/isEmpty'
+
+import {
+  Volume,
+  Snapshot,
+  TagList,
+} from 'aws-sdk/clients/ec2'
+
+import { ServiceConnection } from '@cloudgraph/sdk'
+
+import services from '../../enums/services'
+
+/**
+ * EBS
+ */
+
+export default ({
+    service: volume,
+    data,
+    region,
+    account,
+  }: {
+    account: string
+    data: { name: string; data: { [property: string]: any[] } }[]
+    service: Volume & {
+      region: string
+      Tags?: TagList
+    }
+    region: string
+}): { [key: string]: ServiceConnection[] } => {
+    const connections: ServiceConnection[] = []
+
+    const {
+      VolumeId: id,
+      SnapshotId: snapshotId,
+    } = volume
+
+    /**
+     * Find EBS Snapshot
+     * related to this EBS Volume
+     */
+    const ebsSnapshots: {
+      name: string
+      data: { [property: string]: Snapshot[] }
+    } = data.find(({ name }) => name === services.ebsSnapshot)
+
+    if (ebsSnapshots?.data?.[region]) {
+      const snapshotInRegion: Snapshot[] = ebsSnapshots.data[region].filter(
+        ({ SnapshotId }: Snapshot) => SnapshotId === snapshotId
+      )
+
+      if (!isEmpty(snapshotInRegion)) {
+        for (const sh of snapshotInRegion) {
+          connections.push({
+            id: sh.SnapshotId,
+            resourceType: services.ebsSnapshot,
+            relation: 'child',
+            field: 'ebsSnapshots',
+          })
+        }
+      }
+    }
+
+    const ebsResult = {
+      [id]: connections,
+    }
+    return ebsResult
+}
diff --git a/src/services/ebs/index.ts b/src/services/ebs/index.ts
@@ -2,12 +2,15 @@ import { Service } from '@cloudgraph/sdk'
 import BaseService from '../base'
 import format from './format'
 import getData from './data'
+import getConnections from './connections'
 import mutation from './mutation'
 
 export default class EBS extends BaseService implements Service {
   format = format.bind(this)
 
   getData = getData.bind(this)
 
+  getConnections = getConnections.bind(this)
+
   mutation = mutation
 }
diff --git a/src/services/ebs/schema.graphql b/src/services/ebs/schema.graphql
@@ -15,6 +15,7 @@ type awsEbs implements awsBaseService @key(fields: "arn") {
   ec2Instance: [awsEc2] @hasInverse(field: ebs)
   asg: [awsAsg] @hasInverse(field: ebs)
   emrInstance: [awsEmrInstance] @hasInverse(field: ebs)
+  ebsSnapshots: [awsEbsSnapshot] @hasInverse(field: ebs)
 }
 
 type awsEbsAttachment

diff --git a/src/services/ebsSnapshot/connections.ts b/src/services/ebsSnapshot/connections.ts
@@ -0,0 +1,64 @@
+import isEmpty from 'lodash/isEmpty'
+
+import {
+  Snapshot,
+  TagList,
+} from 'aws-sdk/clients/ec2'
+
+import { ServiceConnection } from '@cloudgraph/sdk'
+
+import services from '../../enums/services'
+
+
+/**
+ * EBS Snapshot
+ */
+
+export default ({
+    service: snapshot,
+    data,
+    region,
+    account,
+  }: {
+    account: string
+    data: { name: string; data: { [property: string]: any[] } }[]
+    service: Snapshot & {
+      region: string
+      Tags?: TagList
+    }
+    region: string
+}): { [key: string]: ServiceConnection[] } => {
+    const connections: ServiceConnection[] = []
+
+    const {
+      SnapshotId: id,
+      KmsKeyId: kmsKeyId,
+    } = snapshot
+
+    /**
+     * Find KMS
+     * related to the cloudTrail
+     */
+    const kmsKeys = data.find(({ name }) => name === services.kms)
+    if (kmsKeys?.data?.[region]) {
+      const kmsKeyInRegion = kmsKeys.data[region].filter(
+        kmsKey => kmsKey.Arn === kmsKeyId
+      )
+
+      if (!isEmpty(kmsKeyInRegion)) {
+        for (const kms of kmsKeyInRegion) {
+          connections.push({
+            id: kms.KeyId,
+            resourceType: services.kms,
+            relation: 'child',
+            field: 'kms',
+          })
+        }
+      }
+    }
+
+    const snapshotResult = {
+      [id]: connections,
+    }
+    return snapshotResult
+}