def test_scan(self):
account_id = "123456789012"
region_name = "us-east-1"
session = boto3.Session()
ec2_client = session.client("ec2", region_name=region_name)
list_resp = ec2_client.describe_vpcs()
present_vpcs = list_resp["Vpcs"]
self.assertEqual(len(present_vpcs), 1)
present_vpc_id = present_vpcs[0]["VpcId"]
present_vpc_arn = f"arn:aws:ec2:us-east-1:123456789012:vpc/{present_vpc_id}"
create_resp = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
created_vpc_id = create_resp["Vpc"]["VpcId"]
created_vpc_arn = f"arn:aws:ec2:us-east-1:123456789012:vpc/{created_vpc_id}"
scan_accessor = AWSAccessor(session=session, account_id=account_id, region_name=region_name)
resources = VPCResourceSpec.scan(scan_accessor=scan_accessor)
expected_resources = [
Resource(
resource_id=present_vpc_arn,
type="aws:ec2:vpc",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="is_default", obj=True),
SimpleLink(pred="cidr_block", obj="172.31.0.0/16"),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(pred="account", obj="arn:aws::::account/123456789012"),
ResourceLink(pred="region", obj="arn:aws:::123456789012:region/us-east-1"),
),
),
),
Resource(
resource_id=created_vpc_arn,
type="aws:ec2:vpc",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="is_default", obj=False),
SimpleLink(pred="cidr_block", obj="10.0.0.0/16"),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(pred="account", obj="arn:aws::::account/123456789012"),
ResourceLink(pred="region", obj="arn:aws:::123456789012:region/us-east-1"),
),
),
),
]
self.assertEqual(resources, expected_resources)
def setUp(self):
resource_a1 = Resource(
resource_id="123",
type="test:a",
link_collection=LinkCollection(simple_links=[SimpleLink(pred="has-foo", obj="goo")]),
)
resource_a2 = Resource(
resource_id="123",
type="test:a",
link_collection=LinkCollection(simple_links=[SimpleLink(pred="has-goo", obj="foo")]),
)
resource_b1 = Resource(
resource_id="abc",
type="test:b",
link_collection=LinkCollection(resource_links=[ResourceLink(pred="has-a", obj="123")]),
)
resource_b2 = Resource(
resource_id="def",
type="test:b",
link_collection=LinkCollection(simple_links=[SimpleLink(pred="name", obj="sue")]),
)
resources = (resource_a1, resource_a2, resource_b1, resource_b2)
self.validated_graph_set = ValidatedGraphSet(
name="test-name",
version="1",
start_time=1234,
end_time=4567,
resources=resources,
errors=["test err 1", "test err 2"],
)
def parse(self, data: str, context: Dict[str, Any]) -> LinkCollection:
"""Parse this field and return a LinkCollection.
Args:
data: data to parse
context: contains data from higher level parsing code.
Returns:
LinkCollection
"""
if isinstance(self._resource_spec_class, str):
resource_spec_class: Type[
ResourceSpec] = ResourceSpec.get_by_class_name(
self._resource_spec_class)
else:
resource_spec_class = self._resource_spec_class
if not self.alti_key:
self.alti_key = resource_spec_class.type_name
short_resource_id = data
if self.value_is_id:
resource_id = short_resource_id
else:
resource_id = resource_spec_class.generate_id(
short_resource_id, context)
return LinkCollection(
resource_links=[ResourceLink(pred=self.alti_key,
obj=resource_id)], )
def test_scan(self):
account_id = "123456789012"
region_name = "us-east-1"
session = boto3.Session()
client = session.client("iam")
oidc_url = "https://oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"
oidc_client_ids = ["sts.amazonaws.com"]
oidc_thumbprints = ["9999999999999999999999999999999999999999"]
_ = client.create_open_id_connect_provider(
Url=oidc_url,
ClientIDList=oidc_client_ids,
ThumbprintList=oidc_thumbprints,
)
scan_accessor = AWSAccessor(session=session,
account_id=account_id,
region_name=region_name)
resources = IAMOIDCProviderResourceSpec.scan(
scan_accessor=scan_accessor)
expected_resources = [
Resource(
resource_id=
"arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E",
type="aws:iam:oidc-provider",
link_collection=LinkCollection(
simple_links=(
SimpleLink(
pred="url",
obj=
"oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E",
),
SimpleLink(
pred="create_date",
obj=resources[0].link_collection.simple_links[1].
obj,
),
SimpleLink(pred="client_id", obj="sts.amazonaws.com"),
SimpleLink(
pred="thumbprint",
obj="9999999999999999999999999999999999999999"),
),
multi_links=None,
tag_links=None,
resource_links=(ResourceLink(
pred="account",
obj="arn:aws::::account/123456789012"), ),
transient_resource_links=None,
),
)
]
self.assertEqual(resources, expected_resources)
def test_scan(self):
account_id = "123456789012"
region_name = "us-east-1"
session = boto3.Session()
ec2_client = session.client("ec2", region_name=region_name)
resp = ec2_client.create_volume(Size=1, AvailabilityZone="us-east-1a")
create_time = resp["CreateTime"]
created_volume_id = resp["VolumeId"]
created_volume_arn = f"arn:aws:ec2:us-east-1:123456789012:volume/{created_volume_id}"
scan_accessor = AWSAccessor(session=session,
account_id=account_id,
region_name=region_name)
resources = EBSVolumeResourceSpec.scan(scan_accessor=scan_accessor)
expected_resources = [
Resource(
resource_id=created_volume_arn,
type="aws:ec2:volume",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="availability_zone", obj="us-east-1a"),
SimpleLink(pred="create_time", obj=create_time),
SimpleLink(pred="size", obj=True),
SimpleLink(pred="state", obj="available"),
SimpleLink(pred="volume_type", obj="standard"),
SimpleLink(pred="encrypted", obj=False),
),
resource_links=(
ResourceLink(pred="account",
obj="arn:aws::::account/123456789012"),
ResourceLink(
pred="region",
obj="arn:aws:::123456789012:region/us-east-1"),
),
),
)
]
self.assertEqual(resources, expected_resources)
def testToLpg(self):
pred = "test-pred"
obj = "test-obj"
link = ResourceLink(pred=pred, obj=obj)
parent = {"~id": "123"}
vertices = []
edges = []
link.to_lpg(parent, vertices, edges, "")
self.assertEqual(1, len(edges))
self.assertEqual("resource_link", edges[0]["~label"])
self.assertEqual(parent["~id"], edges[0]["~from"])
self.assertEqual("test-obj", edges[0]["~to"])
def _list_from_aws_result_to_resources(
cls: Type["AWSResourceSpec"],
list_from_aws_result: ListFromAWSResult,
context: Dict[str, str],
) -> List[Resource]:
resources: List[Resource] = []
for arn, resource_dict in list_from_aws_result.resources.items():
try:
partial_resource_link_collection = cls.schema.parse(
resource_dict, context)
except Exception as ex:
raise SchemaParseException((
f"Error parsing {cls.__name__} : "
f"{arn}:\n\nData: {resource_dict}\n\nError: {ex}")) from ex
resource_account_id = arn.split(":")[4]
account_region_links = []
if resource_account_id:
if resource_account_id != "aws":
account_link = ResourceLink(
pred="account",
obj=f"arn:aws::::account/{resource_account_id}")
account_region_links.append(account_link)
resource_region_name = arn.split(":")[3]
if resource_region_name:
region_link = ResourceLink(
pred="region",
obj=
f"arn:aws:::{resource_account_id}:region/{resource_region_name}",
)
account_region_links.append(region_link)
link_collection = partial_resource_link_collection + LinkCollection.from_links(
account_region_links)
resource = Resource(
resource_id=arn,
type=cls.get_full_type_name(),
link_collection=link_collection,
)
resources.append(resource)
return resources
def testToRdf(self):
pred = "test-pred"
obj = "test-obj"
link = ResourceLink(pred=pred, obj=obj)
bnode = BNode()
graph = Graph()
namespace = Namespace("test:")
node_cache = NodeCache()
link.to_rdf(subj=bnode,
namespace=namespace,
graph=graph,
node_cache=node_cache)
results = graph.query("select ?s ?p ?o where {?s ?p ?o}")
obj_bnode = node_cache["test-obj"]
self.assertEqual(1, len(results))
for result in results:
s, p, o = result
self.assertEqual(s, bnode)
self.assertEqual(str(p), "test:test-pred")
self.assertEqual(o, obj_bnode)
def test_orphaned_ref(self):
resource_a1 = Resource(
resource_id="123",
type="test:a",
link_collection=LinkCollection(simple_links=[SimpleLink(pred="has-foo", obj="goo")]),
)
resource_b1 = Resource(
resource_id="abc",
type="test:b",
link_collection=LinkCollection(resource_links=[ResourceLink(pred="has-a", obj="456")]),
)
resources = [resource_a1, resource_b1]
graph_set = GraphSet(
name="test-name",
version="1",
start_time=1234,
end_time=4567,
resources=resources,
errors=["test err 1", "test err 2"],
)
with self.assertRaises(GraphSetOrphanedReferencesException):
ValidatedGraphSet.from_graph_set(graph_set)
def parse(self, data: Dict[str, Any],
context: Dict[str, Any]) -> LinkCollection:
"""Parse this field and return a LinkCollection
Args:
data: data to parse
context: contains data from higher level parsing code.
Returns:
LinkCollection
"""
if isinstance(self._resource_spec_class, str):
resource_spec_class: Type[
ResourceSpec] = ResourceSpec.get_by_class_name(
self._resource_spec_class)
else:
resource_spec_class = self._resource_spec_class
if not self.alti_key:
self.alti_key = resource_spec_class.type_name
short_resource_id = data.get(self.source_key)
if not short_resource_id:
if self.optional:
return LinkCollection()
raise ResourceLinkFieldSourceKeyNotFoundException(
f"Expected key '{self.source_key}' with non-empty/zero value in {data}"
)
if not isinstance(short_resource_id, str):
raise ResourceLinkFieldValueNotAStringException((
f"ResourceLinkField for {self.source_key} expected a string but got a "
f"{type(short_resource_id)} : {short_resource_id}"))
if self.value_is_id:
resource_id = short_resource_id
else:
resource_id = resource_spec_class.generate_id(
short_resource_id, context)
return LinkCollection(
resource_links=[ResourceLink(pred=self.alti_key,
obj=resource_id)], )
def test(self):
with tempfile.TemporaryDirectory() as temp_dir:
resource_region_name = "us-east-1"
# get moto"s enabled regions
ec2_client = boto3.client("ec2", region_name=resource_region_name)
all_regions = ec2_client.describe_regions(
Filters=[{
"Name": "opt-in-status",
"Values": ["opt-in-not-required", "opted-in"]
}])["Regions"]
account_id = get_account_id()
all_region_names = tuple(region["RegionName"]
for region in all_regions)
enabled_region_names = tuple(
region["RegionName"] for region in all_regions
if region["OptInStatus"] != "not-opted-in")
delete_vpcs(all_region_names)
# add a diverse set of resources which are supported by moto
## dynamodb
# TODO moto is not returning TableId in list/describe
# dynamodb_table_1_arn = create_dynamodb_table(
# name="test_table_1",
# attr_name="test_hash_key_attr_1",
# attr_type="S",
# key_type="HASH",
# region_name=region_name,
# )
## s3
bucket_1_name = "test_bucket"
bucket_1_arn, bucket_1_creation_date = create_bucket(
name=bucket_1_name,
account_id=account_id,
region_name=resource_region_name)
## ec2
vpc_1_cidr = "10.0.0.0/16"
vpc_1_id = create_vpc(cidr_block=vpc_1_cidr,
region_name=resource_region_name)
vpc_1_arn = VPCResourceSpec.generate_arn(
resource_id=vpc_1_id,
account_id=account_id,
region=resource_region_name)
subnet_1_cidr = "10.0.0.0/24"
subnet_1_cidr_network = ipaddress.IPv4Network(subnet_1_cidr,
strict=False)
subnet_1_first_ip, subnet_1_last_ip = (
int(subnet_1_cidr_network[0]),
int(subnet_1_cidr_network[-1]),
)
subnet_1_id = create_subnet(cidr_block=subnet_1_cidr,
vpc_id=vpc_1_id,
region_name=resource_region_name)
subnet_1_arn = SubnetResourceSpec.generate_arn(
resource_id=subnet_1_id,
account_id=account_id,
region=resource_region_name)
fixed_bucket_1_arn = f"arn:aws:s3:::{bucket_1_name}"
flow_log_1_id, flow_log_1_creation_time = create_flow_log(
vpc_id=vpc_1_id,
dest_bucket_arn=fixed_bucket_1_arn,
region_name=resource_region_name,
)
flow_log_1_arn = FlowLogResourceSpec.generate_arn(
resource_id=flow_log_1_id,
account_id=account_id,
region=resource_region_name)
ebs_volume_1_size = 128
ebs_volume_1_az = f"{resource_region_name}a"
ebs_volume_1_arn, ebs_volume_1_create_time = create_volume(
size=ebs_volume_1_size,
az=ebs_volume_1_az,
region_name=resource_region_name)
## iam
policy_1_name = "test_policy_1"
policy_1_arn, policy_1_id = create_iam_policy(
name=policy_1_name,
policy_doc={
"Version":
"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "logs:CreateLogGroup",
"Resource": "*"
},
],
},
)
role_1_name = "test_role_1"
role_1_assume_role_policy_doc = {
"Version":
"2012-10-17",
"Statement": [{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Sid": "",
}],
}
role_1_description = "Test Role 1"
role_1_max_session_duration = 3600
role_1_arn = create_iam_role(
name=role_1_name,
assume_role_policy_doc=role_1_assume_role_policy_doc,
description=role_1_description,
max_session_duration=role_1_max_session_duration,
)
## lambda
lambda_function_1_name = "test_lambda_function_1"
lambda_function_1_runtime = "python3.7"
lambda_function_1_handler = "lambda_function.lambda_handler"
lambda_function_1_description = "Test Lambda Function 1"
lambda_function_1_timeout = 30
lambda_function_1_memory_size = 256
lambda_function_1_arn = create_lambda_function(
name=lambda_function_1_name,
runtime=lambda_function_1_runtime,
role_name=role_1_arn,
handler=lambda_function_1_handler,
description=lambda_function_1_description,
timeout=lambda_function_1_timeout,
memory_size=lambda_function_1_memory_size,
publish=False,
region_name=resource_region_name,
)
# scan
test_scan_id = "test_scan_id"
aws_config = AWSConfig(
artifact_path=temp_dir,
pruner_max_age_min=4320,
graph_name="alti",
concurrency=ConcurrencyConfig(max_account_scan_threads=1,
max_svc_scan_threads=1,
max_account_scan_tries=2),
scan=ScanConfig(
accounts=(),
regions=(),
scan_sub_accounts=False,
preferred_account_scan_regions=(
"us-west-1",
"us-west-2",
"us-east-1",
"us-east-2",
),
),
accessor=Accessor(
credentials_cache=AWSCredentialsCache(cache={}),
multi_hop_accessors=[],
cache_creds=True,
),
write_master_json=True,
)
resource_spec_classes = (
# DynamoDbTableResourceSpec, TODO moto
EBSVolumeResourceSpec,
FlowLogResourceSpec,
IAMPolicyResourceSpec,
IAMRoleResourceSpec,
LambdaFunctionResourceSpec,
S3BucketResourceSpec,
SubnetResourceSpec,
VPCResourceSpec,
)
muxer = LocalAWSScanMuxer(
scan_id=test_scan_id,
config=aws_config,
resource_spec_classes=resource_spec_classes,
)
with unittest.mock.patch(
"altimeter.aws.scan.account_scanner.get_all_enabled_regions"
) as mock_get_all_enabled_regions:
mock_get_all_enabled_regions.return_value = enabled_region_names
aws2n_result = aws2n(
scan_id=test_scan_id,
config=aws_config,
muxer=muxer,
load_neptune=False,
)
graph_set = GraphSet.from_json_file(
Path(aws2n_result.json_path))
self.assertEqual(len(graph_set.errors), 0)
self.assertEqual(graph_set.name, "alti")
self.assertEqual(graph_set.version, "2")
# now check each resource type
self.maxDiff = None
## Accounts
expected_account_resources = [
Resource(
resource_id=f"arn:aws::::account/{account_id}",
type="aws:account",
link_collection=LinkCollection(
simple_links=(SimpleLink(pred="account_id",
obj=account_id), ), ),
)
]
account_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:account"
]
self.assertCountEqual(account_resources,
expected_account_resources)
## Regions
expected_region_resources = [
Resource(
resource_id=
f"arn:aws:::{account_id}:region/{region['RegionName']}",
type="aws:region",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name",
obj=region["RegionName"]),
SimpleLink(pred="opt_in_status",
obj=region["OptInStatus"]),
),
resource_links=(ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"), ),
),
) for region in all_regions
]
region_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:region"
]
self.assertCountEqual(region_resources,
expected_region_resources)
## IAM Policies
expected_iam_policy_resources = [
Resource(
resource_id=policy_1_arn,
type="aws:iam:policy",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=policy_1_name),
SimpleLink(pred="policy_id", obj=policy_1_id),
SimpleLink(pred="default_version_id",
obj="v1"),
SimpleLink(
pred="default_version_policy_document_text",
obj=
'{"Statement": [{"Action": "logs:CreateLogGroup", "Effect": "Allow", "Resource": "*"}], "Version": "2012-10-17"}',
),
),
resource_links=(ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"), ),
),
)
]
iam_policy_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:iam:policy"
]
self.assertCountEqual(iam_policy_resources,
expected_iam_policy_resources)
## IAM Roles
expected_iam_role_resources = [
Resource(
resource_id=role_1_arn,
type="aws:iam:role",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=role_1_name),
SimpleLink(pred="max_session_duration",
obj=role_1_max_session_duration),
SimpleLink(pred="description",
obj=role_1_description),
SimpleLink(
pred="assume_role_policy_document_text",
obj=policy_doc_dict_to_sorted_str(
role_1_assume_role_policy_doc),
),
),
multi_links=(MultiLink(
pred="assume_role_policy_document",
obj=LinkCollection(
simple_links=(SimpleLink(
pred="version", obj="2012-10-17"), ),
multi_links=(MultiLink(
pred="statement",
obj=LinkCollection(
simple_links=(
SimpleLink(pred="effect",
obj="Allow"),
SimpleLink(
pred="action",
obj="sts:AssumeRole"),
),
multi_links=(MultiLink(
pred="principal",
obj=LinkCollection(
simple_links=(SimpleLink(
pred="service",
obj=
"lambda.amazonaws.com",
), )),
), ),
),
), ),
),
), ),
resource_links=(ResourceLink(
pred="account",
obj="arn:aws::::account/123456789012"), ),
),
)
]
iam_role_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:iam:role"
]
self.assertCountEqual(iam_role_resources,
expected_iam_role_resources)
## Lambda functions
expected_lambda_function_resources = [
Resource(
resource_id=lambda_function_1_arn,
type="aws:lambda:function",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="function_name",
obj=lambda_function_1_name),
SimpleLink(pred="runtime",
obj=lambda_function_1_runtime),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
transient_resource_links=(ResourceLink(
pred="role",
obj="arn:aws:iam::123456789012:role/test_role_1"
), ),
),
),
]
lambda_function_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:lambda:function"
]
self.assertCountEqual(lambda_function_resources,
expected_lambda_function_resources)
## EC2 VPCs
expected_ec2_vpc_resources = [
Resource(
resource_id=vpc_1_arn,
type="aws:ec2:vpc",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="is_default", obj=True),
SimpleLink(pred="cidr_block", obj=vpc_1_cidr),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_vpc_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:vpc"
]
self.assertCountEqual(ec2_vpc_resources,
expected_ec2_vpc_resources)
## EC2 VPC Flow Logs
expected_ec2_vpc_flow_log_resources = [
Resource(
resource_id=flow_log_1_arn,
type="aws:ec2:flow-log",
link_collection=LinkCollection(
simple_links=(
SimpleLink(
pred="creation_time",
obj=flow_log_1_creation_time.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
SimpleLink(pred="deliver_logs_status",
obj="SUCCESS"),
SimpleLink(pred="flow_log_status",
obj="ACTIVE"),
SimpleLink(pred="traffic_type", obj="ALL"),
SimpleLink(pred="log_destination_type",
obj="s3"),
SimpleLink(pred="log_destination",
obj=fixed_bucket_1_arn),
SimpleLink(
pred="log_format",
obj=
"${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}",
),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
transient_resource_links=(TransientResourceLink(
pred="vpc",
obj=vpc_1_arn,
), ),
),
)
]
ec2_vpc_flow_log_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:flow-log"
]
self.assertCountEqual(ec2_vpc_flow_log_resources,
expected_ec2_vpc_flow_log_resources)
## EC2 Subnets
expected_ec2_subnet_resources = [
Resource(
resource_id=subnet_1_arn,
type="aws:ec2:subnet",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="cidr_block",
obj=subnet_1_cidr),
SimpleLink(pred="first_ip",
obj=subnet_1_first_ip),
SimpleLink(pred="last_ip",
obj=subnet_1_last_ip),
SimpleLink(pred="state", obj="available"),
),
resource_links=(
ResourceLink(pred="vpc", obj=vpc_1_arn),
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_subnet_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:subnet"
]
self.assertCountEqual(ec2_subnet_resources,
expected_ec2_subnet_resources)
## EC2 EBS Volumes
expected_ec2_ebs_volume_resources = [
Resource(
resource_id=ebs_volume_1_arn,
type="aws:ec2:volume",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="availability_zone",
obj=ebs_volume_1_az),
SimpleLink(
pred="create_time",
obj=ebs_volume_1_create_time.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
SimpleLink(pred="size", obj=ebs_volume_1_size),
SimpleLink(pred="state", obj="available"),
SimpleLink(pred="volume_type", obj="gp2"),
SimpleLink(pred="encrypted", obj=False),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
ec2_ebs_volume_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:ec2:volume"
]
self.assertCountEqual(ec2_ebs_volume_resources,
expected_ec2_ebs_volume_resources)
## S3 Buckets
expected_s3_bucket_resources = [
Resource(
resource_id=bucket_1_arn,
type="aws:s3:bucket",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="name", obj=bucket_1_name),
SimpleLink(
pred="creation_date",
obj=bucket_1_creation_date.replace(
tzinfo=datetime.timezone.utc).
isoformat(),
),
),
resource_links=(
ResourceLink(
pred="account",
obj=f"arn:aws::::account/{account_id}"),
ResourceLink(
pred="region",
obj=
f"arn:aws:::{account_id}:region/{resource_region_name}",
),
),
),
)
]
s3_bucket_resources = [
resource for resource in graph_set.resources
if resource.type == "aws:s3:bucket"
]
self.assertCountEqual(s3_bucket_resources,
expected_s3_bucket_resources)
expected_num_graph_set_resources = (
0 + len(expected_account_resources) +
len(expected_region_resources) +
len(expected_iam_policy_resources) +
len(expected_iam_role_resources) +
len(expected_lambda_function_resources) +
len(expected_ec2_ebs_volume_resources) +
len(expected_ec2_subnet_resources) +
len(expected_ec2_vpc_resources) +
len(expected_ec2_vpc_flow_log_resources) +
len(expected_s3_bucket_resources))
self.assertEqual(len(graph_set.resources),
expected_num_graph_set_resources)
def test_schema_parse(self):
resource_arn = "arn:aws:ec2:us-east-2:111122223333:route-table/rtb-099c7b032f2bbddda"
aws_resource_dict = {
"Associations": [
{
"Main": False,
"RouteTableAssociationId": "rtbassoc-069d59127bf10a728",
"RouteTableId": "rtb-099c7b032f2bbddda",
"SubnetId": "subnet-00f9fe55b9d7ca4fb",
},
{
"Main": False,
"RouteTableAssociationId": "rtbassoc-07bfd170c4ece33c8",
"RouteTableId": "rtb-099c7b032f2bbddda",
"SubnetId": "subnet-0b98092b454c882cf",
},
],
"PropagatingVgws": [],
"RouteTableId":
"rtb-099c7b032f2bbddda",
"Routes": [
{
"DestinationCidrBlock": "172.31.0.0/16",
"GatewayId": "local",
"Origin": "CreateRouteTable",
"State": "active",
},
{
"DestinationCidrBlock": "0.0.0.0/0",
"GatewayId": "igw-092e5ec1685fd0c0b",
"Origin": "CreateRoute",
"State": "active",
},
{
"DestinationPrefixListId": "pl-68a54001",
"GatewayId": "vpce-0678bce2b63b8ad0f",
"Origin": "CreateRoute",
"State": "active",
},
],
"VpcId":
"vpc-03c33051f57d21ff0",
"OwnerId":
"210554966933",
}
link_collection = EC2RouteTableResourceSpec.schema.parse(
data=aws_resource_dict,
context={
"account_id": "111122223333",
"region": "us-west-2"
})
resource = Resource(
resource_id=resource_arn,
type=EC2RouteTableResourceSpec.type_name,
link_collection=link_collection,
)
expected_alti_resource = Resource(
resource_id=
"arn:aws:ec2:us-east-2:111122223333:route-table/rtb-099c7b032f2bbddda",
type="route-table",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="route_table_id",
obj="rtb-099c7b032f2bbddda"),
SimpleLink(pred="owner_id", obj="210554966933"),
),
multi_links=(
MultiLink(
pred="route",
obj=LinkCollection(simple_links=(
SimpleLink(pred="destination_cidr_block",
obj="172.31.0.0/16"),
SimpleLink(pred="gateway_id", obj="local"),
SimpleLink(pred="origin", obj="CreateRouteTable"),
SimpleLink(pred="state", obj="active"),
), ),
),
MultiLink(
pred="route",
obj=LinkCollection(simple_links=(
SimpleLink(pred="destination_cidr_block",
obj="0.0.0.0/0"),
SimpleLink(pred="gateway_id",
obj="igw-092e5ec1685fd0c0b"),
SimpleLink(pred="origin", obj="CreateRoute"),
SimpleLink(pred="state", obj="active"),
), ),
),
MultiLink(
pred="route",
obj=LinkCollection(simple_links=(
SimpleLink(pred="destination_prefix_list_id",
obj="pl-68a54001"),
SimpleLink(pred="gateway_id",
obj="vpce-0678bce2b63b8ad0f"),
SimpleLink(pred="origin", obj="CreateRoute"),
SimpleLink(pred="state", obj="active"),
), ),
),
MultiLink(
pred="association",
obj=LinkCollection(simple_links=(
SimpleLink(pred="main", obj=False),
SimpleLink(
pred="route_table_association_id",
obj="rtbassoc-069d59127bf10a728",
),
SimpleLink(pred="route_table_id",
obj="rtb-099c7b032f2bbddda"),
SimpleLink(pred="subnet_id",
obj="subnet-00f9fe55b9d7ca4fb"),
), ),
),
MultiLink(
pred="association",
obj=LinkCollection(simple_links=(
SimpleLink(pred="main", obj=False),
SimpleLink(
pred="route_table_association_id",
obj="rtbassoc-07bfd170c4ece33c8",
),
SimpleLink(pred="route_table_id",
obj="rtb-099c7b032f2bbddda"),
SimpleLink(pred="subnet_id",
obj="subnet-0b98092b454c882cf"),
), ),
),
),
resource_links=(ResourceLink(
pred="vpc",
obj=
"arn:aws:ec2:us-west-2:111122223333:vpc/vpc-03c33051f57d21ff0",
), ),
),
)
self.assertEqual(resource, expected_alti_resource)
def testToJson(self):
pred = "test-pred"
obj = "test-obj"
link = ResourceLink(pred=pred, obj=obj)
self.assertDictEqual(link.dict(), {"pred": pred, "obj": obj})
def test_schema_parse(self):
resource_arn = "arn:aws:ec2:us-east-2:111122223333:vpc-endpoint/vpce-01dec98cb17ac542"
aws_resource_dict = {
"VpcEndpointId":
"vpce-01dec98cb17ac542f",
"VpcEndpointType":
"Gateway",
"VpcId":
"vpc-075db863045facc8e",
"ServiceName":
"com.amazonaws.us-west-2.s3",
"State":
"available",
"PolicyDocument":
'{"Version":"2008-10-17","Statement":[{"Effect":"Allow",'
'"Principal":"*","Action":"*","Resource":"*"}]}',
"RouteTableIds": [
"rtb-0c4c535bc5dee4d4d",
"rtb-0d107ed1efb1f72a7",
"rtb-052a8ac1d5ad0ffe6",
],
"SubnetIds": [],
"Groups": [],
"PrivateDnsEnabled":
False,
"RequesterManaged":
False,
"NetworkInterfaceIds": [],
"DnsEntries": [],
"CreationTimestamp":
datetime.datetime(2018, 4, 11, 18, 17, 45, tzinfo=tzutc()),
"Tags": [],
"OwnerId":
"111122223333",
}
link_collection = VpcEndpointResourceSpec.schema.parse(
data=aws_resource_dict,
context={
"account_id": "111122223333",
"region": "us-west-2"
})
resource = Resource(
resource_id=resource_arn,
type=VpcEndpointResourceSpec.type_name,
link_collection=link_collection,
)
expected_resource = Resource(
resource_id=
"arn:aws:ec2:us-east-2:111122223333:vpc-endpoint/vpce-01dec98cb17ac542",
type="vpc-endpoint",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="vpc_endpoint_type", obj="Gateway"),
SimpleLink(pred="service_name",
obj="com.amazonaws.us-west-2.s3"),
SimpleLink(pred="state", obj="available"),
),
resource_links=(ResourceLink(
pred="vpc",
obj=
"arn:aws:ec2:us-west-2:111122223333:vpc/vpc-075db863045facc8e",
), ),
),
)
self.assertEqual(resource, expected_resource)
def test_scan(self):
account_id = "123456789012"
region_name = "us-east-1"
session = boto3.Session()
iam_client = session.client("iam")
test_assume_role_policy_doc = {
"Version":
"2012-10-17",
"Statement": [{
"Sid": "abc",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole",
}],
}
iam_role_resp = iam_client.create_role(
RoleName="testrole",
AssumeRolePolicyDocument=json.dumps(test_assume_role_policy_doc),
)
iam_role_arn = iam_role_resp["Role"]["Arn"]
lambda_client = session.client("lambda", region_name=region_name)
lambda_client.create_function(
FunctionName="func_name",
Runtime="python3.7",
Role=iam_role_arn,
Handler="testhandler",
Description="testdescr",
Timeout=90,
MemorySize=128,
Code={"ZipFile": b"1234"},
Publish=False,
VpcConfig={
"SubnetIds": ["subnet-123"],
"SecurityGroupIds": ["sg-123"]
},
DeadLetterConfig={"TargetArn": "test_dl_config"},
Environment={"Variables": {
"TEST_VAR": "test_val"
}},
KMSKeyArn="test_kms_arn",
TracingConfig={"Mode": "Active"},
Tags={
"tagkey1": "tagval1",
"tagkey2": "tagval2"
},
)
scan_accessor = AWSAccessor(session=session,
account_id=account_id,
region_name=region_name)
resources = LambdaFunctionResourceSpec.scan(
scan_accessor=scan_accessor)
expected_resources = [
Resource(
resource_id=
"arn:aws:lambda:us-east-1:123456789012:function:func_name",
type="aws:lambda:function",
link_collection=LinkCollection(
simple_links=(
SimpleLink(pred="function_name", obj="func_name"),
SimpleLink(pred="runtime", obj="python3.7"),
),
resource_links=(
ResourceLink(pred="account",
obj="arn:aws::::account/123456789012"),
ResourceLink(
pred="region",
obj="arn:aws:::123456789012:region/us-east-1"),
),
transient_resource_links=(
TransientResourceLink(
pred="vpc",
obj=
"arn:aws:ec2:us-east-1:123456789012:vpc/vpc-123abc"
),
TransientResourceLink(
pred="role",
obj="arn:aws:iam::123456789012:role/testrole"),
),
),
)
]
self.maxDiff = None
self.assertEqual(resources, expected_resources)