fix: Included iamRole for AWS Kinesis Firehose

README.md

@@ -124,11 +124,11 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 | iamServerCertificate        |                                                                                                                                                                                                                                                                                                                                  |
 | iamUser                     | iamGroup                                                                                                                                                                                                                                                                                                                         |
 | iamPolicy                   | iamRole, iamGroup                                                                                                                                                                                                                                                                                                                |
-| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda                                                                                                             |
+| iamRole                     | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector, lambda, kinesisFirehose                                                                                            |
 | iamGroup                    | iamUser, iamPolicy                                                                                                                                                                                                                                                                                                               |
 | igw                         | vpc                                                                                                                                                                                                                                                                                                                              |
 | iot                         |                                                                                                                                                                                                                                                                                                                                  |
-| kinesisFirehose             | kinesisStream, s3                                                                                                                                                                                                                                                                                                                |
+| kinesisFirehose             | kinesisStream, s3, iamRole                                                                                                                                                                                                                                                                                                       |
 | kinesisStream               | kinesisFirehose                                                                                                                                                                                                                                                                                                                  |
 | kms                         | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, lambda, rdsClusterSnapshot, sns, sageMakerNotebookInstance, dmsReplicationInstance, redshiftCluster                                                                                             |
 | lambda                      | appSync, cognitoUserPool, kms, securityGroup, subnet, vpc, iamRole                                                                                                                                                                                                                                                               |

src/services/iamRole/connections.ts

@@ -170,15 +170,12 @@ export default ({
   /**
    * Find any guardDutyDetector related data
    */
-  const detectors = data.find(
-    ({ name }) => name === services.guardDutyDetector
-  )
+  const detectors = data.find(({ name }) => name === services.guardDutyDetector)
   if (detectors?.data?.[region]) {
     const dataAtRegion: RawAwsGuardDutyDetector[] = detectors.data[
       region
     ].filter(
-      ({ ServiceRole }: RawAwsGuardDutyDetector) =>
-      ServiceRole === role.Arn
+      ({ ServiceRole }: RawAwsGuardDutyDetector) => ServiceRole === role.Arn
     )
     for (const detector of dataAtRegion) {
       connections.push({
@@ -189,19 +186,17 @@ export default ({
       })
     }
   }
- /**
+  /**
    * Find any systemsManagerInstance related data
    */
-   const systemsManagerInstances = data.find(
+  const systemsManagerInstances = data.find(
     ({ name }) => name === services.systemsManagerInstance
   )
   if (systemsManagerInstances?.data?.[region]) {
-    const dataAtRegion: RawAwsSystemsManagerInstance[] = systemsManagerInstances.data[
-      region
-    ].filter(
-      ({ IamRole }: RawAwsSystemsManagerInstance) =>
-        IamRole === role.Arn
-    )
+    const dataAtRegion: RawAwsSystemsManagerInstance[] =
+      systemsManagerInstances.data[region].filter(
+        ({ IamRole }: RawAwsSystemsManagerInstance) => IamRole === role.Arn
+      )
     for (const instance of dataAtRegion) {
       connections.push({
         id: instance.InstanceId,
@@ -215,15 +210,14 @@ export default ({
   /**
    * Find any sageMakerNotebookInstance related data
    */
-   const notebooks = data.find(
+  const notebooks = data.find(
     ({ name }) => name === services.sageMakerNotebookInstance
   )
   if (notebooks?.data?.[region]) {
     const dataAtRegion: RawAwsSageMakerNotebookInstance[] = notebooks.data[
       region
     ].filter(
-      ({ RoleArn }: RawAwsSageMakerNotebookInstance) =>
-      RoleArn === role.Arn
+      ({ RoleArn }: RawAwsSageMakerNotebookInstance) => RoleArn === role.Arn
     )
     for (const notebook of dataAtRegion) {
       connections.push({

src/services/iamRole/schema.graphql

@@ -27,4 +27,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
   cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: iamRole)
   appSync: [awsAppSync] @hasInverse(field: iamRoles)
   lambda: [awsLambda] @hasInverse(field: iamRole)
+  kinesisFirehose: [awsKinesisFirehose] @hasInverse(field: iamRole)
 }

src/services/kinesisFirehose/connections.ts

@@ -8,6 +8,8 @@ import { TagMap } from '../../types'
 import services from '../../enums/services'
 import { RawAwsS3 } from '../s3/data'
 import { s3BucketArn } from '../../utils/generateArns'
+import { globalRegionName } from '../../enums/regions'
+import { RawAwsIamRole } from '../iamRole/data'
 
 /**
  * Kinesis Firehose
@@ -26,7 +28,11 @@ export default ({
   region: string
 }): { [key: string]: ServiceConnection[] } => {
   const connections: ServiceConnection[] = []
-  const { DeliveryStreamARN: id, Destinations: destinations = [] } = firehose
+  const {
+    DeliveryStreamARN: id,
+    Destinations: destinations = [],
+    Source = {},
+  } = firehose
 
   const kinesisStreamSourceARN =
     firehose.Source?.KinesisStreamSourceDescription?.KinesisStreamARN
@@ -63,10 +69,8 @@ export default ({
 
   if (!isEmpty(destinations)) {
     destinations.map((destination: DestinationDescription) => {
-      const {
-        ExtendedS3DestinationDescription,
-        S3DestinationDescription,
-      } = destination
+      const { ExtendedS3DestinationDescription, S3DestinationDescription } =
+        destination
       const s3DestinationDescription =
         ExtendedS3DestinationDescription || S3DestinationDescription
       if (s3DestinationDescription) {
@@ -94,6 +98,32 @@ export default ({
     })
   }
 
+  /**
+   * Find related IAM Roles
+   */
+  const roles: { name: string; data: { [property: string]: any[] } } =
+    data.find(({ name }) => name === services.iamRole)
+  if (
+    roles?.data?.[globalRegionName] &&
+    Source?.KinesisStreamSourceDescription?.RoleARN
+  ) {
+    const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
+      role => role.Arn === Source.KinesisStreamSourceDescription.RoleARN
+    )
+    if (!isEmpty(dataAtRegion)) {
+      for (const instance of dataAtRegion) {
+        const { Arn: roleId } = instance
+
+        connections.push({
+          id: roleId,
+          resourceType: services.iamRole,
+          relation: 'child',
+          field: 'iamRole',
+        })
+      }
+    }
+  }
+
   const kinesisFirehoseResult = {
     [id]: connections,
   }

src/services/kinesisFirehose/schema.graphql

@@ -1,4 +1,3 @@
-#TODO: add iam role connection
 type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
   name: String @search(by: [hash, regexp])
   deliveryStreamStatus: String @search(by: [hash, regexp])
@@ -12,6 +11,7 @@ type awsKinesisFirehose implements awsBaseService @key(fields: "arn") {
   source: awsKinesisFirehoseSource
   kinesisStream: [awsKinesisStream] @hasInverse(field: kinesisFirehose)
   s3: [awsS3] @hasInverse(field: kinesisFirehose)
+  iamRole: [awsIamRole] @hasInverse(field: kinesisFirehose)
   tags: [awsRawTag]
 }
 

src/types/generated.ts

@@ -3064,6 +3064,7 @@ export type AwsIamRole = AwsBaseService & {
   iamAttachedPolicies?: Maybe<Array<Maybe<AwsIamPolicy>>>;
   iamInstanceProfiles?: Maybe<Array<Maybe<AwsIamInstanceProfile>>>;
   inlinePolicies?: Maybe<Array<Maybe<Scalars['String']>>>;
+  kinesisFirehose?: Maybe<Array<Maybe<AwsKinesisFirehose>>>;
   lambda?: Maybe<Array<Maybe<AwsLambda>>>;
   managedAirflows?: Maybe<Array<Maybe<AwsManagedAirflow>>>;
   maxSessionDuration?: Maybe<Scalars['Int']>;
@@ -3139,6 +3140,7 @@ export type AwsKinesisFirehose = AwsBaseService & {
   encryptionConfig?: Maybe<AwsKinesisFirehoseEncryptionConfig>;
   failureDescriptionDetails?: Maybe<Scalars['String']>;
   failureDescriptionType?: Maybe<Scalars['String']>;
+  iamRole?: Maybe<Array<Maybe<AwsIamRole>>>;
   kinesisStream?: Maybe<Array<Maybe<AwsKinesisStream>>>;
   lastUpdateTimestamp?: Maybe<Scalars['String']>;
   name?: Maybe<Scalars['String']>;