def test_two_tags_filter_resource(self):
resources = filter_resources(
[
Resource(
digest=ResourceDigest(id="1", type="type"),
name="name",
tags=[ResourceTag(key="key", value="value1")],
),
Resource(
digest=ResourceDigest(id="2", type="type"),
name="name",
tags=[ResourceTag(key="key", value="value2")],
),
Resource(
digest=ResourceDigest(id="3", type="type"),
name="name",
tags=[ResourceTag(key="key", value="wrong")],
),
],
[
ResourceTag(key="key", value="value1"),
ResourceTag(key="key", value="value2"),
],
)
assert_that(resources).is_length(2).extracting(0).contains(
ResourceDigest(id="1", type="type"),
ResourceDigest(id="2", type="type"))
def analyze_assume_statement(
self, resource_digest: ResourceDigest, statement
) -> List[Resource]:
resources_found = []
if "Principal" in statement and "Service" in statement["Principal"]:
assuming_services = statement["Principal"]["Service"]
if not isinstance(assuming_services, list):
assuming_services = [assuming_services]
for assuming_service in assuming_services:
if assuming_service in Principals.principals:
principal = Principals.principals[assuming_service]
principal_found = Resource(
digest=ResourceDigest(
id=assuming_service, type=principal["type"],
),
name=principal["name"],
details="principal",
group=principal["group"],
)
else:
principal_found = Resource(
digest=ResourceDigest(id=assuming_service, type="aws_general"),
name=assuming_service,
details="principal",
group="general",
)
if principal_found is not None:
resources_found.append(principal_found)
self.create_principal_relation(
resource_digest, principal_found.digest
)
return resources_found
def test_role_aggregation(self):
sut = PolicyDiagram()
principal_digest = ResourceDigest(id="ecs.amazonaws.com",
type="aws_ecs_cluster")
role_1_digest = ResourceDigest(id="AWSServiceRoleForECS1",
type="aws_iam_role")
role_2_digest = ResourceDigest(id="AWSServiceRoleForECS2",
type="aws_iam_role")
role_3_digest = ResourceDigest(id="AWSServiceRoleForECS3",
type="aws_iam_role")
policy_digest = ResourceDigest(
id=
"arn:aws:iam::policy/service-role/AmazonEC2ContainerServiceforEC2Role",
type="aws_iam_policy",
)
relations = [
ResourceEdge(from_node=role_1_digest,
to_node=principal_digest,
label="assumed by"),
ResourceEdge(from_node=role_2_digest,
to_node=principal_digest,
label="assumed by"),
ResourceEdge(from_node=role_3_digest,
to_node=principal_digest,
label="assumed by"),
ResourceEdge(from_node=role_3_digest, to_node=policy_digest),
]
result = sut.group_by_group(
[
Resource(digest=principal_digest, name="principal"),
Resource(digest=role_1_digest, name=""),
Resource(digest=role_2_digest, name=""),
Resource(digest=role_3_digest, name=""),
Resource(digest=policy_digest, name=""),
],
relations,
)
assert_that(result).contains_key("")
assert_that(result[""]).is_length(4)
for resource in result[""]:
assert_that(resource.digest).is_not_equal_to(role_1_digest)
assert_that(resource.digest).is_not_equal_to(role_2_digest)
relationships = sut.process_relationships(result, relations)
assert_that(relationships).is_length(3)
assert_that(relationships).contains(
ResourceEdge(
from_node=ResourceDigest(id=ROLE_AGGREGATE_PREFIX +
principal_digest.id,
type="aws_iam_role"),
to_node=principal_digest,
label="assumed by",
))
def restricted_ssh(self, restricted_ssh):
client = self.options.client("ec2")
security_groups = client.describe_security_groups()
resources_found = []
# pylint: disable=too-many-nested-blocks
for security_group in security_groups["SecurityGroups"]:
for ip_permission in security_group["IpPermissions"]:
if "FromPort" in ip_permission and "ToPort" in ip_permission:
# Port 22 possible opened using port range
if ip_permission["FromPort"] <= 22 >= ip_permission["ToPort"]:
# IPv4
for cidr in ip_permission["IpRanges"]:
if cidr["CidrIp"] == "0.0.0.0/0":
resources_found.append(
Resource(
digest=ResourceDigest(
id=security_group["GroupId"],
type="restricted_ssh",
),
details="The SSH port of this security group is opened to the world.",
name=security_group["GroupName"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="restricted_ssh",
value="False",
),
)
)
# IPv6
for cidr in ip_permission["Ipv6Ranges"]:
if cidr["CidrIpv6"] == "::/0":
resources_found.append(
Resource(
digest=ResourceDigest(
id=security_group["GroupId"],
type="restricted_ssh",
),
details="The SSH port of this security group is opened to the world.",
name=security_group["GroupName"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="restricted_ssh",
value="False",
),
)
)
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
resources_found = []
filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}]
response = client.describe_vpc_endpoints(Filters=filters)
if self.vpc_options.verbose:
message_handler("Collecting data from VPC Endpoints...", "HEADER")
for data in response["VpcEndpoints"]:
if data["VpcId"] == self.vpc_options.vpc_id:
endpoint_digest = ResourceDigest(
id=data["VpcEndpointId"], type="aws_vpc_endpoint_gateway")
if data["VpcEndpointType"] == "Gateway":
resources_found.append(
Resource(
digest=endpoint_digest,
name=data["VpcEndpointId"],
details="Vpc Endpoint Gateway RouteTable {}".
format(", ".join(data["RouteTableIds"])),
group="network",
tags=resource_tags(data),
))
self.relations_found.append(
ResourceEdge(
from_node=endpoint_digest,
to_node=self.vpc_options.vpc_digest(),
))
else:
resources_found.append(
Resource(
digest=endpoint_digest,
name=data["VpcEndpointId"],
details="Vpc Endpoint Service Subnet {}".format(
", ".join(data["SubnetIds"])),
group="network",
tags=resource_tags(data),
))
for subnet_id in data["SubnetIds"]:
self.relations_found.append(
ResourceEdge(
from_node=endpoint_digest,
to_node=ResourceDigest(id=subnet_id,
type="aws_subnet"),
))
return resources_found
def build_policy(data):
return Resource(
digest=ResourceDigest(id=data["Arn"], type="aws_iam_policy"),
name=data["PolicyName"],
details="IAM Policy version {}".format(data["DefaultVersionId"]),
group="",
)
def get_resources(self) -> List[Resource]:
if self.vpc_options.verbose:
message_handler("Collecting data from Instance Profiles...", "HEADER")
paginator = self.vpc_options.client("iam").get_paginator(
"list_instance_profiles"
)
pages = paginator.paginate()
resources_found = []
relations_found = []
for groups in pages:
for data in groups["InstanceProfiles"]:
profile_digest = ResourceDigest(
id=data["InstanceProfileName"], type="aws_iam_instance_profile"
)
resources_found.append(
Resource(
digest=profile_digest,
name=data["InstanceProfileName"],
details="",
group="",
)
)
if len(data["Roles"]) == 1:
relations_found.append(
ResourceEdge(
from_node=profile_digest,
to_node=ResourceDigest(
id=data["Roles"][0]["RoleName"], type="aws_iam_role"
),
)
)
self.relations_found = relations_found
return resources_found
def access_keys_rotated(self, max_age):
client = self.options.client("iam")
users = client.list_users()
resources_found = []
for user in users["Users"]:
paginator = client.get_paginator("list_access_keys")
for keys in paginator.paginate(UserName=user["UserName"]):
for key in keys["AccessKeyMetadata"]:
date_compare = datetime.utcnow() - timedelta(
days=int(max_age))
date_compare = date_compare.replace(tzinfo=pytz.utc)
last_rotate = key["CreateDate"]
if last_rotate < date_compare:
resources_found.append(
Resource(
digest=ResourceDigest(
id=key["AccessKeyId"],
type="access_keys_rotated"),
details="You must rotate your keys",
name=key["UserName"],
group="iam_security",
security=SecurityValues(
status="CRITICAL",
parameter="max_age",
value=str(max_age),
),
))
return resources_found
def pitr_enabled(self, pitr_enabled):
client = self.options.client("dynamodb")
tables = client.list_tables()["TableNames"]
resources_found = []
for table in tables:
if (client.describe_continuous_backups(
TableName=table)["ContinuousBackupsDescription"]
["PointInTimeRecoveryDescription"]["PointInTimeRecoveryStatus"]
== "DISABLED"):
resources_found.append(
Resource(
digest=ResourceDigest(id=table, type="pitr_enabled"),
details="PITR disabled",
name=table,
group="ddb_security",
security=SecurityValues(
status="CRITICAL",
parameter="pitr_enabled",
value="False",
),
))
return resources_found
def ebs_encryption(self, ebs_encryption):
client = self.options.client("ec2")
volumes = client.describe_volumes()["Volumes"]
resources_found = []
for volume in volumes:
if volume["Encrypted"] is False:
resources_found.append(
Resource(
digest=ResourceDigest(
id=volume["VolumeId"], type="ebs_encryption"
),
details="This volume is not encypted.",
name=volume["VolumeId"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="ebs_encryption",
value="False",
),
)
)
return resources_found
def imdsv2_check(self, imdsv2_check):
client = self.options.client("ec2")
instances = client.describe_instances()["Reservations"]
resources_found = []
for instance in instances:
for instance_detail in instance["Instances"]:
if (
instance_detail["MetadataOptions"]["HttpEndpoint"] == "enabled"
and instance_detail["MetadataOptions"]["HttpTokens"] == "optional"
):
resources_found.append(
Resource(
digest=ResourceDigest(
id=instance_detail["InstanceId"], type="imdsv2_check"
),
details="IMDSv2 tokens not enforced",
name=instance_detail["InstanceId"],
group="ec2_security",
security=SecurityValues(
status="CRITICAL",
parameter="imdsv2_check",
value="False",
),
)
)
return resources_found
def analyze_bucket(self, client, data):
try:
documentpolicy = client.get_bucket_policy(Bucket=data["Name"])
except ClientError:
return False, None
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(document=document,
vpc_options=self.vpc_options)
if ipvpc_found is True:
tags_response = client.get_bucket_tagging(Bucket=data["Name"])
digest = ResourceDigest(id=data["Name"],
type="aws_s3_bucket_policy")
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return (
True,
Resource(
digest=digest,
name=data["Name"],
details="",
group="storage",
tags=resource_tags(tags_response),
),
)
return False, None
def get_resources(self) -> List[Resource]:
if self.options.verbose:
message_handler("Collecting data from IAM Roles...", "HEADER")
paginator = self.client.get_paginator("list_roles")
pages = paginator.paginate()
resources_found = []
for roles in pages:
for data in roles["Roles"]:
resource_digest = ResourceDigest(
id=data["RoleName"], type="aws_iam_role"
)
tag_response = self.client.list_role_tags(RoleName=data["RoleName"],)
resources_found.append(
Resource(
digest=resource_digest,
name=data["RoleName"],
details="",
group="",
tags=resource_tags(tag_response),
)
)
if (
"AssumeRolePolicyDocument" in data
and "Statement" in data["AssumeRolePolicyDocument"]
):
for statement in data["AssumeRolePolicyDocument"]["Statement"]:
resources_found.extend(
self.analyze_assume_statement(resource_digest, statement)
)
self.resources_found = resources_found
return resources_found
def analyze_restapi(self, data):
if "policy" in data:
documentpolicy = data["policy"]
else:
return False, None
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(document=document,
vpc_options=self.vpc_options)
if ipvpc_found is not False:
digest = ResourceDigest(id=data["id"],
type="aws_api_gateway_rest_api")
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return (
True,
Resource(
digest=digest,
name=data["name"],
details="",
group="network",
tags=resource_tags(data),
),
)
return False, None
def analyze_policy(self, client, data):
documentpolicy = client.get_policy_version(
PolicyArn=data["Arn"], VersionId=data["DefaultVersionId"]
)
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potential subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(
document=document, vpc_options=self.vpc_options
)
if ipvpc_found is True:
digest = ResourceDigest(id=data["Arn"], type="aws_iam_policy")
self.relations_found.append(
ResourceEdge(from_node=digest, to_node=self.vpc_options.vpc_digest())
)
return (
True,
Resource(
digest=digest,
name=data["PolicyName"],
details="IAM Policy version {}".format(data["DefaultVersionId"]),
group="security",
),
)
return False, None
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
resources_found = []
filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}]
response = client.describe_security_groups(Filters=filters)
if self.vpc_options.verbose:
message_handler("Collecting data from Security Groups...",
"HEADER")
for data in response["SecurityGroups"]:
group_digest = ResourceDigest(id=data["GroupId"],
type="aws_security_group")
resources_found.append(
Resource(
digest=group_digest,
name=data["GroupName"],
details="",
group="network",
tags=resource_tags(data),
))
self.relations_found.append(
ResourceEdge(from_node=group_digest,
to_node=self.vpc_options.vpc_digest()))
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
resources_found = []
filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}]
response = client.describe_subnets(Filters=filters)
if self.vpc_options.verbose:
message_handler("Collecting data from Subnets...", "HEADER")
for data in response["Subnets"]:
nametag = get_name_tag(data)
name = data["SubnetId"] if nametag is None else nametag
subnet_digest = ResourceDigest(id=data["SubnetId"],
type="aws_subnet")
resources_found.append(
Resource(
digest=subnet_digest,
name=name,
details="Subnet using CidrBlock {} and AZ {}".format(
data["CidrBlock"], data["AvailabilityZone"]),
group="network",
tags=resource_tags(data),
))
self.relations_found.append(
ResourceEdge(from_node=subnet_digest,
to_node=self.vpc_options.vpc_digest()))
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
resources_found = []
filters = [{"Name": "vpc-id", "Values": [self.vpc_options.vpc_id]}]
response = client.describe_route_tables(Filters=filters)
if self.vpc_options.verbose:
message_handler("Collecting data from Route Tables...", "HEADER")
# Iterate to get all route table filtered
for route_table in response["RouteTables"]:
nametag = get_name_tag(route_table)
name = route_table["RouteTableId"] if nametag is None else nametag
table_digest = ResourceDigest(id=route_table["RouteTableId"],
type="aws_route_table")
is_main = False
for association in route_table["Associations"]:
if association["Main"] is True:
is_main = True
if is_main:
self.relations_found.append(
ResourceEdge(
from_node=table_digest,
to_node=self.vpc_options.vpc_digest(),
))
else:
for association in route_table["Associations"]:
if "SubnetId" in association:
self.relations_found.append(
ResourceEdge(
from_node=table_digest,
to_node=ResourceDigest(
id=association["SubnetId"],
type="aws_subnet"),
))
is_public = False
for route in route_table["Routes"]:
if ("DestinationCidrBlock" in route
and route["DestinationCidrBlock"] == "0.0.0.0/0"
and "GatewayId" in route
and route["GatewayId"].startswith("igw-")):
is_public = True
resources_found.append(
Resource(
digest=table_digest,
name=name,
details="default: {}, public: {}".format(
is_main, is_public),
group="network",
tags=resource_tags(route_table),
))
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
client_vpn_endpoints = client.describe_client_vpn_endpoints()
resources: List[Resource] = []
for client_vpn_endpoint in client_vpn_endpoints["ClientVpnEndpoints"]:
if client_vpn_endpoint["VpcId"] == self.vpc_options.vpc_id:
digest = ResourceDigest(
id=client_vpn_endpoint["ClientVpnEndpointId"],
type="aws_vpn_client_endpoint",
)
nametag = get_name_tag(client_vpn_endpoint)
name = (client_vpn_endpoint["ClientVpnEndpointId"]
if nametag is None else nametag)
resources.append(
Resource(
digest=digest,
name=name,
group="network",
tags=resource_tags(client_vpn_endpoint),
))
self.relations_found.append(
ResourceEdge(from_node=digest,
to_node=self.vpc_options.vpc_digest()))
return resources
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("es")
resources_found = []
response = client.list_domain_names()
if self.vpc_options.verbose:
message_handler("Collecting data from Elasticsearch Domains...", "HEADER")
for data in response["DomainNames"]:
elasticsearch_domain = client.describe_elasticsearch_domain(
DomainName=data["DomainName"]
)
documentpolicy = elasticsearch_domain["DomainStatus"]["AccessPolicies"]
document = json.dumps(documentpolicy, default=datetime_to_string)
# check either vpc_id or potencial subnet ip are found
ipvpc_found = check_ipvpc_inpolicy(
document=document, vpc_options=self.vpc_options
)
# elasticsearch uses accesspolicies too, so check both situation
if (
elasticsearch_domain["DomainStatus"]["VPCOptions"]["VPCId"]
== self.vpc_options.vpc_id
or ipvpc_found is True
):
list_tags_response = client.list_tags(
ARN=elasticsearch_domain["DomainStatus"]["ARN"]
)
digest = ResourceDigest(
id=elasticsearch_domain["DomainStatus"]["DomainId"],
type="aws_elasticsearch_domain",
)
resources_found.append(
Resource(
digest=digest,
name=elasticsearch_domain["DomainStatus"]["DomainName"],
details="",
group="analytics",
tags=resource_tags(list_tags_response),
)
)
for subnet_id in elasticsearch_domain["DomainStatus"]["VPCOptions"][
"SubnetIds"
]:
self.relations_found.append(
ResourceEdge(
from_node=digest,
to_node=ResourceDigest(id=subnet_id, type="aws_subnet"),
)
)
return resources_found
def test_public_subnet(self):
sut = VpcDiagram("4")
subnet_1_digest = ResourceDigest(id="1", type="aws_subnet")
subnet_2_digest = ResourceDigest(id="2", type="aws_subnet")
route_digest = ResourceDigest(id="3", type="aws_route_table")
vpc_digest = ResourceDigest(id="4", type="aws_vpc")
ec2_1_digest = ResourceDigest(id="5", type="aws_instance")
ec2_2_digest = ResourceDigest(id="6", type="aws_instance")
lambda_digest = ResourceDigest(id="6", type="aws_lambda_function")
relations = [
ResourceEdge(from_node=subnet_1_digest, to_node=vpc_digest),
ResourceEdge(from_node=subnet_2_digest, to_node=vpc_digest),
ResourceEdge(from_node=route_digest, to_node=vpc_digest),
ResourceEdge(from_node=ec2_1_digest, to_node=subnet_1_digest),
ResourceEdge(from_node=ec2_2_digest, to_node=subnet_2_digest),
ResourceEdge(from_node=lambda_digest, to_node=subnet_1_digest),
ResourceEdge(from_node=lambda_digest, to_node=subnet_2_digest),
]
result = sut.group_by_group(
[
Resource(digest=subnet_1_digest, name=""),
Resource(digest=subnet_2_digest, name=""),
Resource(digest=route_digest,
name="",
details="default: True, public: True"),
Resource(digest=vpc_digest, name=""),
Resource(digest=ec2_1_digest, name=""),
Resource(digest=ec2_2_digest, name=""),
Resource(digest=lambda_digest, name=""),
],
relations,
)
assert_that(result).contains_key("")
assert_that(result[""]).is_length(6)
for resource in result[""]:
assert_that(resource.digest).is_not_equal_to(subnet_1_digest)
assert_that(resource.digest).is_not_equal_to(subnet_2_digest)
relationships = sut.process_relationships(result, relations)
assert_that(relationships).is_length(8)
assert_that(relationships).contains(
ResourceEdge(
from_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"),
to_node=vpc_digest,
))
assert_that(relationships).contains(
ResourceEdge(from_node=route_digest, to_node=vpc_digest))
assert_that(relationships).contains(
ResourceEdge(
from_node=ec2_1_digest,
to_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"),
))
assert_that(relationships).contains(
ResourceEdge(
from_node=ec2_2_digest,
to_node=ResourceDigest(id=PUBLIC_SUBNET, type="aws_subnet"),
))
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
vpc_response = client.describe_vpcs(VpcIds=[self.vpc_options.vpc_id])
return [
Resource(
digest=self.vpc_options.vpc_digest(),
name=self.vpc_options.vpc_id,
tags=resource_tags(vpc_response["Vpcs"][0]),
)
]
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("autoscaling")
resources_found = []
response = client.describe_auto_scaling_groups()
if self.vpc_options.verbose:
message_handler("Collecting data from Autoscaling Groups...", "HEADER")
for data in response["AutoScalingGroups"]:
asg_subnets = data["VPCZoneIdentifier"].split(",")
# Using subnet to check VPC
subnets = describe_subnet(
vpc_options=self.vpc_options, subnet_ids=asg_subnets
)
if subnets is not None:
# Iterate subnet to get VPC
for data_subnet in subnets["Subnets"]:
if data_subnet["VpcId"] == self.vpc_options.vpc_id:
asg_name = data["AutoScalingGroupName"]
digest = ResourceDigest(
id=asg_name, type="aws_autoscaling_group"
)
if "LaunchConfigurationName" in data:
details = "Using LaunchConfigurationName {0}".format(
data["LaunchConfigurationName"]
)
else:
details = "Using Launch Template"
resources_found.append(
Resource(
digest=digest,
name=asg_name,
details=details,
group="compute",
tags=resource_tags(data),
)
)
self.relations_found.append(
ResourceEdge(
from_node=digest,
to_node=ResourceDigest(
id=data_subnet["SubnetId"], type="aws_subnet"
),
)
)
return resources_found
def test_one_type_filter_resource(self):
resources = filter_resources(
[
Resource(
digest=ResourceDigest(id="1", type="type1"),
name="name",
tags=[ResourceTag(key="key", value="value")],
),
Resource(
digest=ResourceDigest(id="2", type="type2"),
name="name",
tags=[ResourceTag(key="key", value="wrong")],
),
],
[ResourceType(type="type1")],
)
assert_that(resources).is_length(1)
assert_that(resources[0].digest).is_equal_to(
ResourceDigest(id="1", type="type1"))
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("ec2")
resources_found = []
response = client.describe_instances()
if self.vpc_options.verbose:
message_handler("Collecting data from EC2 Instances...", "HEADER")
for data in response["Reservations"]:
for instances in data["Instances"]:
if "VpcId" in instances:
if instances["VpcId"] == self.vpc_options.vpc_id:
nametag = get_name_tag(instances)
asg_name = get_tag(instances, "aws:autoscaling:groupName")
instance_name = (
instances["InstanceId"] if nametag is None else nametag
)
ec2_digest = ResourceDigest(
id=instances["InstanceId"], type="aws_instance"
)
resources_found.append(
Resource(
digest=ec2_digest,
name=instance_name,
details="",
group="compute",
tags=resource_tags(instances),
)
)
self.relations_found.append(
ResourceEdge(
from_node=ec2_digest,
to_node=ResourceDigest(
id=instances["SubnetId"], type="aws_subnet"
),
)
)
if asg_name is not None:
self.relations_found.append(
ResourceEdge(
from_node=ec2_digest,
to_node=ResourceDigest(
id=asg_name, type="aws_autoscaling_group"
),
)
)
return resources_found
def aggregate_subnets(groups, group_type, group_name):
if group_type in groups:
subnet_ids = []
for subnet in groups[group_type]:
subnet_ids.append(subnet.digest.id)
groups[""].append(
Resource(
digest=ResourceDigest(id=group_type, type="aws_subnet"),
name=group_name + ", ".join(subnet_ids),
details=", ".join(subnet_ids),
))
def test_file_generation(self):
general_resources = [
Resource(
digest=ResourceDigest(id="123", type="aws_vpc"),
name="name",
details="details",
)
]
grouped_resources = {"": general_resources}
relations = []
result = self.sut.build_diagram(grouped_resources, relations)
assert_that(result).starts_with(MX_FILE[:200])
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("mediaconnect")
resources_found = []
response = client.list_flows()
if self.vpc_options.verbose:
message_handler("Collecting data from Media Connect...", "HEADER")
for data in response["Flows"]:
tags_response = client.list_tags_for_resource(
ResourceArn=data["FlowArn"])
data_flow = client.describe_flow(FlowArn=data["FlowArn"])
if "VpcInterfaces" in data_flow["Flow"]:
for data_interfaces in data_flow["Flow"]["VpcInterfaces"]:
# Using subnet to check VPC
subnets = describe_subnet(
vpc_options=self.vpc_options,
subnet_ids=data_interfaces["SubnetId"],
)
if subnets is not None:
if subnets["Subnets"][0][
"VpcId"] == self.vpc_options.vpc_id:
digest = ResourceDigest(id=data["FlowArn"],
type="aws_media_connect")
resources_found.append(
Resource(
digest=digest,
name=data["Name"],
details=
"Flow using VPC {} in VPC Interface {}".
format(self.vpc_options.vpc_id,
data_interfaces["Name"]),
group="mediaservices",
tags=resource_tags(tags_response),
))
self.relations_found.append(
ResourceEdge(
from_node=digest,
to_node=ResourceDigest(
id=data_interfaces["SubnetId"],
type="aws_subnet",
),
))
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("efs")
resources_found = []
# get filesystems available
response = client.describe_file_systems()
if self.vpc_options.verbose:
message_handler("Collecting data from EFS Mount Targets...",
"HEADER")
for data in response["FileSystems"]:
filesystem = client.describe_mount_targets(
FileSystemId=data["FileSystemId"])
nametag = get_name_tag(data)
filesystem_name = data[
"FileSystemId"] if nametag is None else nametag
# iterate filesystems to get mount targets
for datafilesystem in filesystem["MountTargets"]:
# Using subnet to check VPC
subnets = describe_subnet(
vpc_options=self.vpc_options,
subnet_ids=datafilesystem["SubnetId"])
if subnets is not None:
if subnets["Subnets"][0][
"VpcId"] == self.vpc_options.vpc_id:
digest = ResourceDigest(id=data["FileSystemId"],
type="aws_efs_file_system")
resources_found.append(
Resource(
digest=digest,
name=filesystem_name,
details="",
group="storage",
tags=resource_tags(data),
))
self.relations_found.append(
ResourceEdge(
from_node=digest,
to_node=ResourceDigest(
id=datafilesystem["SubnetId"],
type="aws_subnet"),
))
return resources_found
def get_resources(self) -> List[Resource]:
client = self.vpc_options.client("sagemaker")
resources_found = []
response = client.list_training_jobs()
if self.vpc_options.verbose:
message_handler("Collecting data from Sagemaker Training Job...",
"HEADER")
for data in response["TrainingJobSummaries"]:
tags_response = client.list_tags(
ResourceArn=data["TrainingJobArn"], )
training_job = client.describe_training_job(
TrainingJobName=data["TrainingJobName"])
if "VpcConfig" in training_job:
for subnets in training_job["VpcConfig"]["Subnets"]:
# Using subnet to check VPC
subnet = describe_subnet(vpc_options=self.vpc_options,
subnet_ids=subnets)
if subnet is not None:
if subnet["Subnets"][0][
"VpcId"] == self.vpc_options.vpc_id:
sagemaker_trainingjob_digest = ResourceDigest(
id=data["TrainingJobArn"],
type="aws_sagemaker_training_job",
)
resources_found.append(
Resource(
digest=sagemaker_trainingjob_digest,
name=data["TrainingJobName"],
details="",
group="ml",
tags=resource_tags(tags_response),
))
self.relations_found.append(
ResourceEdge(
from_node=sagemaker_trainingjob_digest,
to_node=ResourceDigest(id=subnets,
type="aws_subnet"),
))
return resources_found
