UNPKG

@cloud-copilot/iam-collect

Version:

Collect IAM information from AWS Accounts

github.com/cloud-copilot/iam-collect

cloud-copilot/iam-collect

143 lines 6.17 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
import { GetAccessPointPolicyCommand, GetBucketPolicyCommand, GetBucketTaggingCommand, ListAccessPointsCommand, ListRegionalBucketsCommand, S3ControlClient } from '@aws-sdk/client-s3-control'; import { ListOutpostsWithS3Command, S3OutpostsClient } from '@aws-sdk/client-s3outposts'; import { AwsClientPool } from '../../aws/ClientPool.js'; import { runAndCatch404 } from '../../utils/client-tools.js'; import { parseIfPresent } from '../../utils/json.js'; import { log } from '../../utils/log.js'; import { convertTagsToRecord } from '../../utils/tags.js'; import { syncData } from '../sync.js'; import { paginateResource } from '../typedSync.js'; export const S3OutpostsBucketsSync = { awsService: 's3outposts', name: 'buckets', execute: async (accountId, region, credentials, storage, endpoint, syncOptions) => { const outpostsClient = AwsClientPool.defaultInstance.client(S3OutpostsClient, credentials, region, endpoint); const outposts = await listS3Outposts(outpostsClient); const regionalBuckets = []; for (const outpost of outposts) { const controlClient = controlClientForOutpost(credentials, region, outpost.OutpostId); const buckets = await paginateResource(outpostsClient, ListRegionalBucketsCommand, 'RegionalBucketList', { inputKey: 'NextToken', outputKey: 'NextToken' }, { OutpostId: outpost.OutpostId }); for (const bucket of buckets) { regionalBuckets.push({ arn: bucket.BucketArn, metadata: { arn: bucket.BucketArn, name: bucket.Bucket, outpostId: bucket.OutpostId, publicAccessBlockEnabled: bucket.PublicAccessBlockEnabled, bucket: 'true' }, policy: await runAndCatch404(async () => { const result = await controlClient.send(new GetBucketPolicyCommand({ Bucket: bucket.Bucket })); return parseIfPresent(result.Policy); }), tags: await runAndCatch404(async () => { const tags = await controlClient.send(new GetBucketTaggingCommand({ Bucket: bucket.Bucket })); return convertTagsToRecord(tags.TagSet); }) }); } } await syncData(regionalBuckets, storage, accountId, { service: 's3outposts', resourceType: 'outpost', account: accountId, region: region, metadata: { bucket: 'true' } }); } }; export const S3OutpostsAccessPointsSync = { awsService: 's3outposts', name: 'accessPoints', execute: async (accountId, region, credentials, storage, endpoint, syncOptions) => { const outpostsClient = AwsClientPool.defaultInstance.client(S3OutpostsClient, credentials, region, endpoint); const outposts = await listS3Outposts(outpostsClient); const accessPoints = []; for (const outpost of outposts) { const controlClient = controlClientForOutpost(credentials, region, outpost.OutpostId); const points = await paginateResource(controlClient, ListAccessPointsCommand, 'AccessPointList', { inputKey: 'NextToken', outputKey: 'NextToken' }, { AccountId: accountId }); for (const point of points) { accessPoints.push({ arn: point.AccessPointArn, metadata: { arn: point.AccessPointArn, name: point.Name, outpostId: outpost.OutpostId, networkOrigin: point.NetworkOrigin, vpc: point.VpcConfiguration?.VpcId, bucket: point.Bucket, bucketAccount: point.BucketAccountId, accesspoint: 'true' }, policy: await runAndCatch404(async () => { const result = await controlClient.send(new GetAccessPointPolicyCommand({ Name: point.Name, AccountId: accountId })); return parseIfPresent(result.Policy); }) }); } } await syncData(accessPoints, storage, accountId, { service: 's3outposts', resourceType: 'outpost', account: accountId, region: region, metadata: { accesspoint: 'true' } }); } }; /** * List the Outposts in the account that have S3 * * @param outpostsClient the S3OutpostsClient to use * @returns and array of Outpost objects */ async function listS3Outposts(outpostsClient) { return paginateResource(outpostsClient, ListOutpostsWithS3Command, 'Outposts', { inputKey: 'NextToken', outputKey: 'NextToken' }); } /** * Create a new S3ControlClient with the Outpost ID set in the headers * * @param credentials the credentials to use for the client * @param region the region to use for the client * @param outpostId the Outpost ID to set in the headers * @returns a new S3ControlClient with the Outpost ID set in the headers */ function controlClientForOutpost(credentials, region, outpostId) { const controlClient = new S3ControlClient({ credentials, region }); controlClient.middlewareStack.add((next, context) => (args) => { if (args.request) { log.trace('Adding outpost ID to request headers'); args.request.headers['x-amz-outpost-id'] = outpostId; } return next(args); }, { step: 'build' }); return controlClient; } //# sourceMappingURL=s3OutpostsSyncs.js.map