@cloud-copilot/iam-collect

Collect IAM information from AWS Accounts

import { type AwsService } from '../services.js';

/**
 * How resource data is collected from AWS.
 * - 'aws-sdk': direct AWS SDK calls (default)
 * - 'aws-config': queries against the AWS Config service
 */
export type DataSourceType = 'aws-sdk' | 'aws-config';

export interface DataSourceConfig {
  /**
   * Which data source to use for collecting AWS resource data
   * (see {@link DataSourceType}).
   */
  name: DataSourceType;
  /**
   * Data-source specific settings.
   *
   * Declared as `any` by the published typings, so nothing in here is
   * checked at compile time; consumers should validate/narrow it before
   * use. Left as `any` to keep existing callers compiling.
   */
  config: any;
}

/** Identify a role by its full ARN. */
interface RoleByArn {
  /**
   * Specify the ARN OR the path and name of the role to assume.
   *
   * Use arn if you want to always assume a role in a specific account.
   */
  arn: string;
}

/** Identify a role by path and name, resolved relative to the caller's account. */
interface RoleByPathAndName {
  /**
   * Specify the path and name OR the ARN of the role to assume.
   *
   * Use pathAndName if you want to assume a role in the same account as your default credentials.
   */
  pathAndName: string;
}

/** Settings that apply to every role-assumption step. */
interface AssumeRoleOptions {
  /**
   * Optional, the external id to use when assuming the role.
   *
   * NOTE(review): presumably forwarded as the STS ExternalId (the
   * confused-deputy mitigation). It is a shared identifier rather than a
   * secret, but a config file carrying it should still be access-controlled —
   * confirm against the assume-role call site.
   */
  externalId?: string;
  /**
   * Optional, the session name to use when assuming the role.
   *
   * NOTE(review): if forwarded as RoleSessionName this is what appears in the
   * target account's CloudTrail, so a recognizable value helps attribution —
   * confirm against the assume-role call site.
   */
  sessionName?: string;
}

/** A role in a target account, named by path and name. */
interface TargetRoleConfig extends AssumeRoleOptions {
  /**
   * The path and name of the role to assume. Required if using a role.
   */
  pathAndName: string;
}

export interface AuthConfig {
  /**
   * The profile to use when authenticating with AWS. If not present, the
   * default AWS SDK credential resolution chain will be used.
   *
   * NOTE(review): that chain presumably also considers environment variables
   * and instance/container metadata; pin a profile where ambient credentials
   * could otherwise be picked up unintentionally — confirm against the
   * credential provider actually used.
   */
  profile?: string;
  /**
   * An optional initial Role to assume in the first phase of the
   * authentication process before assuming any roles in the target accounts.
   * Identified either by `arn` or by `pathAndName`; `null` disables it.
   */
  initialRole?: ((RoleByArn | RoleByPathAndName) & AssumeRoleOptions) | null;
  /** The role to assume in each target account. */
  role?: TargetRoleConfig;
}

/**
 * An AuthConfig that is completely optional for all fields.
 * This is used to allow for partial auth configs in the account/service/region configs.
 */
export interface OptionalAuthConfig extends Omit<AuthConfig, 'role'> {
  role?: Partial<AuthConfig['role']>;
}

export interface FileSystemStorageConfig {
  type: 'file';
  /**
   * Directory/file path for collected output.
   *
   * NOTE(review): the collected output describes IAM principals, policies and
   * trust relationships; restrict filesystem permissions on this path.
   */
  path: string;
}

export interface S3StorageConfig {
  type: 's3';
  bucket: string;
  prefix?: string;
  region: string;
  /**
   * Optional custom S3 endpoint.
   *
   * NOTE(review): overriding the endpoint redirects the upload (and the
   * credentials signing it); only point this at a trusted, TLS-terminated
   * endpoint. How it is applied is not visible from this declaration.
   */
  endpoint?: string;
  /** Credentials used for the storage bucket, independent of the collection credentials. */
  auth?: AuthConfig;
}

export interface SqliteStorageConfig {
  type: 'sqlite';
  /** Database file path; the same sensitivity caveat as the file backend applies. */
  path: string;
}

/** Discriminated on `type`. */
export type StorageConfig = FileSystemStorageConfig | S3StorageConfig | SqliteStorageConfig;

/** Allow-list and/or deny-list of names (regions, services). */
interface NameFilter {
  included?: string[];
  excluded?: string[];
}

interface BaseConfig {
  regions?: NameFilter;
  services?: NameFilter;
  auth?: AuthConfig;
}

interface SyncConfig {
  /**
   * Free-form per-sync settings. Untyped in the published declaration;
   * consumers should validate before use.
   */
  custom?: Record<string, any>;
  regions?: NameFilter;
  auth?: AuthConfig;
}

interface ServiceConfig extends Omit<BaseConfig, 'auth'> {
  /**
   * Optional custom endpoint for this service.
   *
   * NOTE(review): same caveat as the S3 storage endpoint — API traffic and
   * the signing credentials go wherever this points; trusted, TLS-terminated
   * endpoints only.
   */
  endpoint?: string;
  /** Per-region overrides; a region override cannot itself nest further region overrides. */
  regionConfigs?: Record<string, Omit<ServiceConfig, 'regionConfigs'>>;
  syncConfigs?: Record<string, SyncConfig>;
  auth?: OptionalAuthConfig;
}

interface AccountConfig extends Omit<BaseConfig, 'auth'> {
  serviceConfigs?: Record<string, ServiceConfig>;
  auth?: OptionalAuthConfig;
}

export interface TopLevelConfig extends BaseConfig {
  name?: string;
  iamCollectVersion: string;
  dataSource?: DataSourceConfig;
  storage?: StorageConfig;
  auth?: AuthConfig;
  accounts?: {
    included?: string[];
  };
  accountConfigs?: Record<string, AccountConfig>;
  serviceConfigs?: Record<string, ServiceConfig>;
}

type ServicesForAccount = AwsService[];
type RegionsForAccountService = string[];
type AccountRegionList = string[];

/** The auth/endpoint settings that apply to one (account, service, region) triple. */
export interface ResolvedAccountServiceRegionConfig {
  accountId: string;
  service: string;
  region: string;
  auth?: AuthConfig;
  endpoint?: string;
}

/**
 * Get the default auth config from the provided configs.
 *
 * @param configs the configs to search for the default auth config
 * @returns the default auth config, or an empty object if none found
 */
export declare function getDefaultAuthConfig(configs: TopLevelConfig[]): AuthConfig;

/**
 * Resolve the list of services to collect for an account.
 *
 * @param account the account id
 * @param configs the configs to search
 * @param allServices the full service list to filter from
 */
export declare function servicesForAccount(account: string, configs: TopLevelConfig[], allServices: string[]): ServicesForAccount;

/**
 * Look up the custom config for a specific sync for a service in an account and region.
 *
 * @param service the service to look up the sync for
 * @param syncName the name of the sync to look up
 * @param account the account to look up the sync for
 * @param region the region to look up the sync for
 * @param configs the configs to search
 * @returns the custom config for the sync, or undefined if not found
 */
export declare function customConfigForSync(service: string, syncName: string, account: string, region: string, configs: TopLevelConfig[]): Record<string, any> | undefined;

/**
 * Look up the region list from the provided configs, if any.
 *
 * @param configs the configs to search
 * @param accountId the account id to look up the region list for
 * @returns the configured region list for the account, or undefined if none found
 */
export declare function configuredRegionListForAccount(configs: TopLevelConfig[], accountId: string): AccountRegionList | undefined;

/**
 * Get the regions for a specific service and account.
 *
 * @param service the service to get the regions for
 * @param account the account to get the regions for
 * @param configs the configs to search
 * @param allRegions the list of all regions to filter from
 * @returns the regions for the service and account
 */
export declare function regionsForService(service: string, account: string, configs: TopLevelConfig[], allRegions: string[]): RegionsForAccountService;

/**
 * Resolve the effective auth and endpoint for one account/service/region.
 *
 * @param service the service
 * @param accountId the account id
 * @param region the region
 * @param configs the configs to search
 */
export declare function accountServiceRegionConfig(service: string, accountId: string, region: string, configs: TopLevelConfig[]): ResolvedAccountServiceRegionConfig;

/**
 * Get the auth config for a specific account
 *
 * @param accountId the account id to get the auth config for
 * @param configs the configs to search
 * @returns the auth config for the account, or undefined if not found
 */
export declare function getAccountAuthConfig(accountId: string, configs: TopLevelConfig[]): AuthConfig | undefined;

/**
 * Get the storage config from the provided configs.
 *
 * @param configs the configs to search
 * @returns the storage config, or undefined if none found
 */
export declare function getStorageConfig(configs: TopLevelConfig[]): StorageConfig | undefined;

/**
 * Check if a specific sync is enabled for given region. This checks the specific sync config within the service.
 *
 * This should only be used after the sync has been validated to be enabled for the account and service.
 *
 * @param accountId the account id to check
 * @param service the service to check
 * @param syncName the specific name of the sync to check
 * @param configs the configs to check
 * @param region the region being tested
 * @returns true if the sync is enabled for the region, false otherwise
 */
export declare function syncEnabledForRegion(accountId: string, service: string, syncName: string, configs: TopLevelConfig[], region: string): boolean;

/**
 * Get the default accounts from the provided configs.
 *
 * @param configs the configs to search for the default accounts
 * @returns the default accounts, or an empty array if none found
 */
export declare function getConfiguredAccounts(configs: TopLevelConfig[]): string[];

/**
 * Get the data source configuration from the provided configs.
 *
 * @param configs the configs to search for the data source configuration
 * @returns the data source configuration, or undefined if none found
 */
export declare function getConfiguredDataSource(configs: TopLevelConfig[]): DataSourceConfig | undefined;

export {};
//# sourceMappingURL=config.d.ts.map