Merge pull request #125 from cloudgraphdev/feature/CG-1340-support-aws-acm-service

feat(CG-1340): support aws ACM service

Author: tyler-dunkel

README.md

@@ -70,6 +70,7 @@ CloudGraph AWS Provider will ask you what regions you would like to crawl and wi
 
 | Service                     | Relations                                                                                                                                                                                                                                                                                                                                                                     |
 | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| acm                         |                                                                                                                                                                                                                                                                                                                                                                               |
 | alb                         | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl                                                                                                                                                                                                                                                                                              |
 | apiGatewayDomainName        | apiGatewayHttpApi, apiGatewayRestApi                                                                                                                                                                                                                                                                                        |
 | apiGatewayHttpApi           | apiGatewayDomainName                                                                                                                                                                                                                                                                                     |

src/enums/resources.ts

@@ -1,4 +1,5 @@
 export default {
+  acm: 'aws_acm',
   alb: 'aws_lb',
   elb: 'aws_elb',
   vpc: 'aws_vpc',

src/enums/schemasMap.ts

@@ -5,6 +5,7 @@ import services from './services'
  */
 export default {
   account: 'awsAccount',
+  [services.acm]: 'awsAcm',
   [services.alb]: 'awsAlb',
   [services.apiGatewayDomainName]: 'awsApiGatewayDomainName',
   [services.apiGatewayHttpApi]: 'awsApiGatewayHttpApi',

src/enums/serviceAliases.ts

@@ -1,6 +1,7 @@
 import services from './services'
 
 export default {
+  [services.acm]: 'acms',
   [services.alb]: 'albs',
   [services.apiGatewayDomainName]: 'apiGatewayDomainNames',
   [services.apiGatewayHttpApi]: 'apiGatewayHttpApis',

src/enums/serviceMap.ts

@@ -1,4 +1,5 @@
 import Account from '../services/account'
+import ACM from '../services/acm'
 import ALB from '../services/alb'
 import APIGatewayResource from '../services/apiGatewayResource'
 import APIGatewayRestApi from '../services/apiGatewayRestApi'
@@ -113,6 +114,7 @@ import VpcPeeringConnection from '../services/vpcPeeringConnection'
 export default {
   account: Account,
   [services.appSync]: AppSync,
+  [services.acm]: ACM,
   [services.alb]: ALB,
   [services.apiGatewayDomainName]: APIGatewayDomainName,
   [services.apiGatewayHttpApi]: APIGatewayHttpApi,

src/enums/services.ts

@@ -1,4 +1,5 @@
 export default {
+  acm: 'acm',
   alb: 'alb',
   apiGatewayDomainName: 'apiGatewayDomainName',
   apiGatewayHttpApi: 'apiGatewayHttpApi',

src/properties/logger.ts

@@ -10,6 +10,11 @@ export default {
   regionNotFound: (name: string): string =>
     `❌ The region ${name} was not found in the list of supported AWS regions ❌`,
   globalAwsRegion: 'Found Global AWS region, adding global resources',
+  /**
+   * ACM
+   */
+  fetchedAcmCertificates: (num: number): string =>
+    `Fetched ${num} ACM certificates`,
   /**
    * IAM
    */

src/services/acm/data.ts

@@ -0,0 +1,173 @@
+import CloudGraph from '@cloudgraph/sdk'
+import ACM, { CertificateSummary, ListCertificatesRequest, ListCertificatesResponse, ListTagsForCertificateRequest, ListTagsForCertificateResponse, Tag } from 'aws-sdk/clients/acm'
+import { AWSError } from 'aws-sdk/lib/error'
+import { Config } from 'aws-sdk/lib/config'
+import isEmpty from 'lodash/isEmpty'
+import groupBy from 'lodash/groupBy'
+import awsLoggerText from '../../properties/logger'
+import { initTestEndpoint, setAwsRetryOptions } from '../../utils'
+import AwsErrorLog from '../../utils/errorLog'
+import { API_GATEWAY_CUSTOM_DELAY } from '../../config/constants'
+import { TagMap } from '../../types'
+
+const lt = { ...awsLoggerText }
+const { logger } = CloudGraph
+const MAX_CERTIFICATES = 500
+const serviceName = 'ACM'
+const errorLog = new AwsErrorLog(serviceName)
+const endpoint = initTestEndpoint(serviceName)
+const customRetrySettings = setAwsRetryOptions({
+  baseDelay: API_GATEWAY_CUSTOM_DELAY,
+})
+
+export const getCertificatesForRegion = async (
+  acm: ACM
+): Promise<CertificateSummary[]> =>
+  new Promise(async resolve => {
+    const certificateSummaryList: CertificateSummary[] = []
+    const listCertificatesOpts: ListCertificatesRequest = {}
+    const listAllCertificates = (token?: string): void => {
+      listCertificatesOpts.MaxItems = MAX_CERTIFICATES
+      if (token) {
+        listCertificatesOpts.NextToken = token
+      }
+      try {
+        acm.listCertificates(
+          listCertificatesOpts,
+          (err: AWSError, data: ListCertificatesResponse) => {
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'acm:listCertificates',
+                err,
+              })
+            }
+
+            if (isEmpty(data)) {
+              return resolve([])
+            }
+
+            const { NextToken: nextToken, CertificateSummaryList: items = [] } = data || {}
+
+            if (isEmpty(items)) {
+              return resolve([])
+            }
+
+            logger.debug(lt.fetchedAcmCertificates(items.length))
+
+            certificateSummaryList.push(...items)
+
+            if (nextToken) {
+              listAllCertificates(nextToken)
+            } else {
+              resolve(certificateSummaryList)
+            }
+          }
+        )
+      } catch (error) {
+        resolve([])
+      }
+    }
+    listAllCertificates()
+  })
+
+const getTagsForCertificate = (
+  acm: ACM,
+  certificateArn: string
+): Promise<{ certificateArn: string; tags: Tag[] }> =>
+  new Promise<{ certificateArn: string; tags: Tag[] }>(resolve => {
+    const args: ListTagsForCertificateRequest = { CertificateArn: certificateArn }
+    const listTags = (): void => {
+      try {
+        acm.listTagsForCertificate(
+          args,
+          (err: AWSError, data: ListTagsForCertificateResponse) => {
+            if (err) {
+              errorLog.generateAwsErrorLog({
+                functionName: 'acm:listTagsForCertificate',
+                err,
+              })
+            }
+            if (isEmpty(data)) {
+              return resolve({
+                certificateArn,
+                tags: [],
+              })
+            }
+            const { Tags: tags = [] } = data || {}
+
+            resolve({ certificateArn, tags })
+          }
+        );
+  
+      } catch (error) {
+        resolve({
+          certificateArn,
+          tags: [],
+        })
+      }
+    }
+    listTags();
+  })
+
+export interface RawAwsAcm extends CertificateSummary {
+  region: string
+  Tags: TagMap
+  account
+}
+
+export default async ({
+  regions,
+  config,
+  account,
+}: {
+  account: string
+  regions: string
+  config: Config
+}): Promise<{
+  [region: string]: RawAwsAcm[]
+}> =>
+  new Promise(async resolve => {
+    const acmResult: RawAwsAcm[] = []
+
+    const regionPromises = regions.split(',').map(region => {
+      const acm = new ACM({
+        ...config,
+        region,
+        endpoint,
+        ...customRetrySettings,
+      })
+
+      return new Promise<void>(async resolveAcmData => {
+        // Get ACM certificate summaries
+        const certificates = await getCertificatesForRegion(acm)
+
+        const tagsPromises = certificates.map(
+          ({ CertificateArn: certificateArn }) => getTagsForCertificate(acm, certificateArn)
+        )
+
+        const tagsData = await Promise.all(tagsPromises)
+
+        if (!isEmpty(certificates)) {
+          for (const certificate of certificates) {
+            acmResult.push({
+              ...certificate,
+              Tags: tagsData?.find(t => t.certificateArn === certificate.CertificateArn)
+                ?.tags.reduce((tagMap, {Key, Value}) => {
+                  tagMap[Key] = Value;
+                  return tagMap;
+                }, {}),
+              region,
+              account,
+            })
+          }
+        }
+
+        resolveAcmData()
+      })
+    })
+
+    await Promise.all(regionPromises)
+    errorLog.reset()
+
+    resolve(groupBy(acmResult, 'region'))
+  })

src/services/acm/format.ts

@@ -0,0 +1,60 @@
+import { RawAwsAcm } from './data'
+import { AwsAcm } from '../../types/generated'
+import { formatTagsFromMap } from '../../utils/format'
+
+export default ({
+  service,
+  account: accountId,
+  region,
+}: {
+  service: RawAwsAcm
+  account: string
+  region: string
+}): AwsAcm => {
+  const {
+    CertificateArn: arn,
+    DomainName: domainName,
+    SubjectAlternativeNameSummaries: subjectAlternativeNameSummaries,
+    HasAdditionalSubjectAlternativeNames: hasAdditionalSubjectAlternativeNames,
+    Status: status,
+    Type: type,
+    KeyAlgorithm: keyAlgorithm,
+    KeyUsages: keyUsages,
+    ExtendedKeyUsages: extendedKeyUsages,
+    InUse: inUse,
+    Exported: exported,
+    RenewalEligibility: renewalEligibility,
+    NotBefore: notBefore,
+    NotAfter: notAfter,
+    CreatedAt: createdAt,
+    IssuedAt: issuedAt,
+    ImportedAt: importedAt,
+    RevokedAt: revokedAt,
+    Tags: tags,
+  } = service
+
+  return {
+    id: arn,
+    accountId,
+    arn,
+    region,
+    domainName,
+    subjectAlternativeNameSummaries,
+    hasAdditionalSubjectAlternativeNames,
+    status,
+    type,
+    keyAlgorithm,
+    keyUsages,
+    extendedKeyUsages,
+    inUse,
+    exported,
+    renewalEligibility,
+    notBefore: notBefore?.toISOString(),
+    notAfter: notAfter?.toISOString(),
+    createdAt: createdAt?.toISOString(),
+    issuedAt: issuedAt?.toISOString(),
+    importedAt: importedAt?.toISOString(),
+    revokedAt: revokedAt?.toISOString(),
+    tags: formatTagsFromMap(tags),
+  }
+}

src/services/acm/index.ts

@@ -0,0 +1,13 @@
+import { Service } from '@cloudgraph/sdk'
+import BaseService from '../base'
+import format from './format'
+import getData from './data'
+import mutation from './mutation'
+
+export default class Acm extends BaseService implements Service {
+  format = format.bind(this)
+
+  getData = getData.bind(this)
+
+  mutation = mutation
+}