@cloud-copilot/iam-collect

Collect IAM information from AWS Accounts

"use strict";
// CommonJS build output (note the `exports` wiring and the sourceMappingURL
// trailer); presumably compiled from a TypeScript source - edit that source,
// not this file. The module serves ECR SDK commands from AWS Config query
// results instead of calling the ECR API.
Object.defineProperty(exports, "__esModule", { value: true });
exports.AwsConfigEcrClient = void 0;
const client_ecr_1 = require("@aws-sdk/client-ecr");
const AbstractClient_js_1 = require("../../customClients/AbstractClient.js");
const json_js_1 = require("../../utils/json.js");
const AwsConfigClientContext_js_1 = require("../AwsConfigClientContext.js");
const awsConfigUtils_js_1 = require("../awsConfigUtils.js");
/**
 * Config-based ECR client implementation.
 *
 * Registers under the same name as the SDK's ECRClient (see `clientName`) and
 * exposes the four command handlers defined below.
 */
class AwsConfigEcrClient extends AbstractClient_js_1.AbstractClient {
    // Name this client is known by; taken from the SDK ECRClient class name.
    static clientName = client_ecr_1.ECRClient.name;
    /**
     * @param options - forwarded unchanged to AbstractClient
     * @param customContext - forwarded unchanged to AbstractClient
     */
    constructor(options, customContext) {
        super(options, customContext);
    }
    /**
     * Register all ECR command implementations.
     *
     * The command constants are `const` bindings declared further down this
     * module, so this method must not run before the module has finished
     * evaluating.
     */
    registerCommands() {
        this.registerCommand(AwsConfigDescribeRepositoriesCommand);
        this.registerCommand(AwsConfigGetRepositoryPolicyCommand);
        this.registerCommand(AwsConfigListTagsForResourceCommand);
        this.registerCommand(AwsConfigGetRegistryPolicyCommand);
    }
}
exports.AwsConfigEcrClient = AwsConfigEcrClient;
/**
 * Config-based implementation of ECR GetRegistryPolicyCommand.
 * Uses the AWS::ECR::RegistryPolicy resource type from Config.
 *
 * Returns `{ policyText }`: the JSON-stringified `configuration.PolicyText` of
 * the first matching row, or `undefined` when the query returns no rows or the
 * row carries no PolicyText. Any rows after the first are ignored.
 */
const AwsConfigGetRegistryPolicyCommand = (0, AwsConfigClientContext_js_1.awsConfigCommand)({
    command: client_ecr_1.GetRegistryPolicyCommand,
    execute: async (input, context) => {
        // NOTE(review): context.accountId and context.region are spliced into the
        // query text inside single quotes with no escaping. These two predicates
        // are what scope the result to one account and region, so a value
        // containing a quote would change the WHERE clause. Confirm both are
        // validated where the context is built (account-ID and region-name shape).
        // The template literal is kept on one line exactly as it appears here.
        const query = ` SELECT configuration.PolicyText WHERE resourceType = 'AWS::ECR::RegistryPolicy' AND accountId = '${context.accountId}' AND awsRegion = '${context.region}' AND ${awsConfigUtils_js_1.resourceStatusWhereClause} `;
        const results = await (0, awsConfigUtils_js_1.executeConfigQuery)(query, context);
        if (results.length === 0) {
            // Return undefined when no registry policy is configured
            return { policyText: undefined };
        }
        const { configuration } = (0, awsConfigUtils_js_1.parseConfigItem)(results[0]);
        // NOTE(review): JSON.stringify is applied directly here, while the
        // repository-policy handler below goes through stringifyIfPresent. If
        // PolicyText can already be a string, this yields a JSON-quoted string
        // rather than the policy document - confirm the shape and align the two.
        return {
            policyText: configuration?.PolicyText
                ? JSON.stringify(configuration.PolicyText)
                : undefined
        };
    }
});
/**
 * Config-based implementation of ECR DescribeRepositoriesCommand.
 *
 * Queries AWS::ECR::Repository items for the context's region and account,
 * caches each item's `configuration` under both its resourceId and its ARN for
 * the handlers below, and returns `{ repositories }` where every entry holds
 * only `repositoryName`.
 *
 * The selected `configuration.RepositoryPolicyText` is what
 * GetRepositoryPolicyCommand later serves from the cache, so that handler only
 * has data for repositories this handler has already listed on the same
 * context.
 */
const AwsConfigDescribeRepositoriesCommand = (0, AwsConfigClientContext_js_1.awsConfigCommand)({
    command: client_ecr_1.DescribeRepositoriesCommand,
    execute: async (input, context) => {
        // NOTE(review): same unescaped interpolation of context.region and
        // context.accountId as in the registry-policy query; validate upstream.
        const sql = ` SELECT resourceId, arn, configuration.RepositoryName, configuration.RepositoryPolicyText, tags WHERE resourceType = 'AWS::ECR::Repository' AND awsRegion = '${context.region}' AND accountId = '${context.accountId}' AND ${awsConfigUtils_js_1.resourceStatusWhereClause} `;
        const results = await (0, awsConfigUtils_js_1.executeConfigQuery)(sql, context);
        const repositories = results.map((resultString) => {
            const { configItem, configuration } = (0, awsConfigUtils_js_1.parseConfigItem)(resultString);
            // Cache data that will be needed by other commands
            context.putCache(configItem.resourceId, 'configuration', configuration);
            // Also cache by ARN for ListTagsForResourceCommand
            // NOTE(review): this stores the 'configuration' entry only. The query
            // selects `tags`, but nothing in this file writes a 'tags' cache entry,
            // which is the key ListTagsForResourceCommand reads.
            context.putCache(configItem.arn, 'configuration', configuration);
            // Unlike the registry handler, `configuration` is dereferenced without
            // `?.`, so an item parsed without a configuration throws here.
            return {
                repositoryName: configuration.RepositoryName
            };
        });
        return { repositories };
    }
});
/**
 * Config-based implementation of ECR GetRepositoryPolicyCommand.
 *
 * Serves the policy from the 'configuration' cache entry keyed by
 * `input.repositoryName`; it issues no query of its own.
 */
const AwsConfigGetRepositoryPolicyCommand = (0, AwsConfigClientContext_js_1.awsConfigCommand)({
    command: client_ecr_1.GetRepositoryPolicyCommand,
    execute: async (input, context) => {
        // The entry was written under configItem.resourceId, so this lookup
        // assumes the Config resourceId equals the repository name - TODO confirm.
        // NOTE(review): on a cache miss `configuration` is undefined and the result
        // is whatever stringifyIfPresent returns for undefined, so "not listed
        // yet" and "repository has no policy" look the same to the caller. For
        // policy analysis that can hide a repository policy; consider surfacing
        // the miss.
        const configuration = context.getCache(input.repositoryName, 'configuration');
        return {
            policyText: (0, json_js_1.stringifyIfPresent)(configuration?.RepositoryPolicyText)
        };
    }
});
/**
 * Config-based implementation of ECR ListTagsForResourceCommand.
 *
 * Returns `{ tags }` from the 'tags' cache entry keyed by `input.resourceArn`.
 */
const AwsConfigListTagsForResourceCommand = (0, AwsConfigClientContext_js_1.awsConfigCommand)({
    command: client_ecr_1.ListTagsForResourceCommand,
    execute: async (input, context) => {
        // NOTE(review): no handler in this file stores a 'tags' entry (only
        // 'configuration' is cached by ARN), so unless another module populates
        // it this appears to always return `tags: undefined`. Tag-conditioned
        // analysis would then see every repository as untagged - verify.
        const tags = context.getCache(input.resourceArn, 'tags');
        return {
            tags: tags
        };
    }
});
//# sourceMappingURL=AwsConfigEcrClient.js.map