6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -71,7 +71,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
| apiGatewayRestApi | apiGatewayResource, apiGatewayStage, route53Record |
| apiGatewayStage | apiGatewayRestApi |
| apiGatewayResource | apiGatewayRestApi |
| appSync | cognitoUserPool, dynamodb, lambda, rdsCluster |
| appSync | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl |
| asg | ebs, ec2, securityGroup, subnet |
| athenaDataCatalog | |
| clientVpnEndpoint | securityGroup |
Expand Down Expand Up @@ -122,7 +122,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
| iamServerCertificate | |
| iamUser | iamGroup |
| iamPolicy | iamRole, iamGroup |
| iamRole | codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector |
| iamRole | appSync, codebuild, configurationRecorder, ec2, iamInstanceProfile, iamPolicy, eksCluster, ecsService, flowLog, glueJob, managedAirflow, sageMakerNotebookInstance, systemsManagerInstance guardDutyDetector |
| iamGroup | iamUser, iamPolicy |
| igw | vpc |
| iot | |
Expand Down Expand Up @@ -159,5 +159,5 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
| vpc | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment |
| vpnConnection | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway |
| vpnGateway | vpc, vpnConnection |
| wafV2WebAcl | |
| wafV2WebAcl | appSync |

59 changes: 58 additions & 1 deletion src/services/appSync/connections.ts
Expand Up @@ -10,6 +10,9 @@ import { RawAwsDynamoDbTable } from '../dynamodb/data'
import { RawAwsLambdaFunction } from '../lambda/data'
import { RawAwsCognitoUserPool } from '../cognitoUserPool/data'
import { RawAwsRdsCluster } from '../rdsCluster/data'
import { RawAwsIamRole } from '../iamRole/data'
import { globalRegionName } from '../../enums/regions'
import { RawAwsWafV2WebAcl } from '../wafV2WebAcl/data'

/**
* AppSync
Expand All @@ -27,7 +30,7 @@ export default ({
region: string
}): { [key: string]: ServiceConnection[] } => {
const connections: ServiceConnection[] = []
const { apiId: id, awsDataSources, userPoolConfig } = appSync
const { apiId: id, awsDataSources, userPoolConfig, wafWebAclArn } = appSync

/**
* Find cognito user pools
Expand Down Expand Up @@ -153,6 +156,60 @@ export default ({
}
}

/**
* Find related IAM Roles
*/
const roles: { name: string; data: { [property: string]: any[] } } =
data.find(({ name }) => name === services.iamRole)

const roleArns = awsDataSources?.map(
({ serviceRoleArn }) => serviceRoleArn
)

if (roles?.data?.[globalRegionName]) {
const dataAtRegion: RawAwsIamRole[] = roles.data[globalRegionName].filter(
role => roleArns.includes(role.Arn)
)
if (!isEmpty(dataAtRegion)) {
for (const instance of dataAtRegion) {
const { Arn: arn }: RawAwsIamRole = instance

connections.push({
id: arn,
resourceType: services.iamRole,
relation: 'child',
field: 'iamRoles',
})
}
}
}

/**
* Find wafV2WebAcls
*/
const acls: {
name: string
data: { [property: string]: RawAwsWafV2WebAcl[] }
} = data.find(({ name }) => name === services.wafV2WebAcl)

if (acls?.data) {
const allAcls = Object.values(acls.data).flat()
const dataInRegion: RawAwsWafV2WebAcl[] = allAcls.filter(
({ ARN }: RawAwsWafV2WebAcl) => ARN === wafWebAclArn
)

if (!isEmpty(dataInRegion)) {
for (const acl of dataInRegion) {
connections.push({
id: acl.Id,
resourceType: services.wafV2WebAcl,
relation: 'child',
field: 'webAcl',
})
}
}
}

const appSyncResult = {
[id]: connections,
}
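Review bot: `roleArns.includes(role.Arn)` in the new IAM-role filter will throw when the API has no data sources, because `roleArns` is built from `awsDataSources?.map(...)` and is `undefined` in that case, while the surrounding `if (roles?.data?.[globalRegionName])` only guards the role data, not the ARN list. Default the list so the lookup degrades to "no connections" instead of crashing the whole crawl: `const roleArns = awsDataSources?.map(({ serviceRoleArn }) => serviceRoleArn) ?? []`. Data sources that presumably need no role will contribute `undefined` entries, which is harmless for `includes` but deserves a comment such as `// serviceRoleArn is absent on data sources that run without a role`. The WAF lookup compares `ARN === wafWebAclArn` without first checking that `wafWebAclArn` is set, so `if (wafWebAclArn && acls?.data)` would skip the scan over every ACL for APIs with no web ACL attached. The enclosing default export starts at the `export default ({` header above the second hunk and its body continues past the last hunk.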
6 changes: 3 additions & 3 deletions src/services/appSync/schema.graphql
Expand Up @@ -124,9 +124,7 @@ type awsAdditionalAuthenticationProvider
userPoolAwsRegion: String @search(by: [hash, regexp])
userPoolAppIdClientRegex: String @search(by: [hash, regexp])
}
# TODO: add iam role connection
# TODO: waf web acl connection
# TODO: add cloudwatchLog connection

type awsAppSync implements awsBaseService @key(fields: "arn") {
name: String @search(by: [hash, regexp])
authenticationType: String @search(by: [hash, regexp])
Expand Down Expand Up @@ -158,4 +156,6 @@ type awsAppSync implements awsBaseService @key(fields: "arn") {
dynamodb: [awsDynamoDbTable] @hasInverse(field: appSync)
lambda: [awsLambda] @hasInverse(field: appSync)
rdsCluster: [awsRdsCluster] @hasInverse(field: appSync)
iamRoles: [awsIamRole] @hasInverse(field: appSync)
webAcl: [awsWafV2WebAcl] @hasInverse(field: appSync)
}
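Review bot: The `# TODO: add cloudwatchLog connection` comment removed on the old side is not addressed by this change, which only wires the IAM role and WAF web ACL edges, so that reminder is silently lost; keep `# TODO: add cloudwatchLog connection` above `type awsAppSync` unless a CloudWatch connection already exists elsewhere. The new `webAcl: [awsWafV2WebAcl]` field is a list even though `wafWebAclArn` is a single `String` in the generated type, which matches the existing `cloudfront` inverse on `awsWafV2WebAcl` but is worth stating, e.g. `# at most one ACL can be attached; list type kept for parity with awsCloudfront.webAcl`.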
1 change: 1 addition & 0 deletions src/services/iamRole/schema.graphql
Expand Up @@ -24,4 +24,5 @@ type awsIamRole implements awsBaseService @key(fields: "id") {
iamInstanceProfiles: [awsIamInstanceProfile] @hasInverse(field: iamRole)
ec2Instances: [awsEc2] @hasInverse(field: iamRole)
cognitoUserPools: [awsCognitoUserPool] @hasInverse(field: iamRole)
appSync: [awsAppSync] @hasInverse(field: iamRoles)
}
1 change: 1 addition & 0 deletions src/services/wafV2WebAcl/schema.graphql
Expand Up @@ -12,6 +12,7 @@ type awsWafV2WebAcl implements awsBaseService @key(fields: "arn") {
customResponseBodies: [awsWafV2CustomResponseBody]
loggingConfiguration: awsWafV2LoggingConfig
cloudfront: [awsCloudfront] @hasInverse(field: webAcl)
appSync: [awsAppSync] @hasInverse(field: webAcl)
}

type awsWafV2Rule {
4 changes: 4 additions & 0 deletions src/types/generated.ts
Expand Up @@ -354,6 +354,7 @@ export type AwsAppSync = AwsBaseService & {
dataSources?: Maybe<Array<Maybe<AwsAppSyncDataSource>>>;
dynamodb?: Maybe<Array<Maybe<AwsDynamoDbTable>>>;
functions?: Maybe<Array<Maybe<AwsAppSyncFunction>>>;
iamRoles?: Maybe<Array<Maybe<AwsIamRole>>>;
lambda?: Maybe<Array<Maybe<AwsLambda>>>;
lambdaAuthorizerIdentityValidationExpression?: Maybe<Scalars['String']>;
lambdaAuthorizerResultTtlInSeconds?: Maybe<Scalars['Int']>;
Expand All @@ -375,6 +376,7 @@ export type AwsAppSync = AwsBaseService & {
userPoolDefaultAction?: Maybe<Scalars['String']>;
userPoolId?: Maybe<Scalars['String']>;
wafWebAclArn?: Maybe<Scalars['String']>;
webAcl?: Maybe<Array<Maybe<AwsWafV2WebAcl>>>;
xrayEnabled?: Maybe<Scalars['String']>;
};

Expand Down Expand Up @@ -3017,6 +3019,7 @@ export type AwsIamPolicy = AwsBaseService & {
};

export type AwsIamRole = AwsBaseService & {
appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
assumeRolePolicy?: Maybe<AwsIamJsonPolicy>;
cloudFormationStack?: Maybe<Array<Maybe<AwsCloudFormationStack>>>;
codebuilds?: Maybe<Array<Maybe<AwsCodebuild>>>;
Expand Down Expand Up @@ -4418,6 +4421,7 @@ export type AwsWafV2VisibilityConfig = {

export type AwsWafV2WebAcl = AwsBaseService & {
ManagedByFirewallManager?: Maybe<Scalars['Boolean']>;
appSync?: Maybe<Array<Maybe<AwsAppSync>>>;
capacity?: Maybe<Scalars['Int']>;
cloudfront?: Maybe<Array<Maybe<AwsCloudfront>>>;
customResponseBodies?: Maybe<Array<Maybe<AwsWafV2CustomResponseBody>>>;