Add support for security group references

gsoltis · gsoltis · commit 665c062f633e · 2021-08-02T14:32:33.000-07:00
diff --git a/introspector/aws/ec2.py b/introspector/aws/ec2.py
@@ -22,6 +22,17 @@ def _synthesize_defaults(proxy: ServiceProxy,
   yield 'Defaults', defaults
 
 
+def _add_security_group_references(proxy: ServiceProxy, response: Dict):
+  security_groups = response.get('SecurityGroups', [])
+  for security_group in security_groups:
+    group_id = security_group['GroupId']
+    result = proxy.list('describe_security_group_references', GroupId=group_id)
+    if result is not None:
+      # everything is mutable, sigh...
+      security_group['references'] = result[1].get('SecurityGroupReferenceSet',
+                                                   [])
+
+
 def _add_user_data(proxy: ServiceProxy, response: Dict):
   reservations = response.get('Reservations', [])
   for reservation in reservations:
@@ -86,6 +97,8 @@ def _import_ec2_region(
             _add_launch_permissions(proxy, result[1])
           elif resource == 'describe_images':
             _add_image_attributes(proxy, result[1])
+          elif resource == 'describe_security_groups':
+            _add_security_group_references(proxy, result[1])
           yield result[0], result[1]
         _log.info(f'done with {resource}')
   if resource_gate(spec, 'Defaults'):
diff --git a/introspector/aws/transforms/ec2/SecurityGroups.yml b/introspector/aws/transforms/ec2/SecurityGroups.yml
@@ -29,3 +29,10 @@ resources:
         value: vpc
       id:
         path: ''
+  - relation: referenced-by
+    path: references
+    uri:
+      resource_name:
+        value: vpc-peering-connection
+      id:
+        path: VpcPeeringConnectionId
diff --git a/introspector/queries/0028-aws_ec2_securitygroup.sql b/introspector/queries/0028-aws_ec2_securitygroup.sql
@@ -101,3 +101,27 @@ SET
     _account_id = EXCLUDED._account_id
   ;
 
+
+
+INSERT INTO aws_ec2_securitygroup_vpcpeeringconnection
+SELECT
+  aws_ec2_securitygroup.id AS securitygroup_id,
+  aws_ec2_vpcpeeringconnection.id AS vpcpeeringconnection_id,
+  aws_ec2_securitygroup.provider_account_id AS provider_account_id
+FROM
+  resource AS aws_ec2_securitygroup
+  INNER JOIN resource_relation AS RR
+    ON RR.resource_id = aws_ec2_securitygroup.id
+    AND RR.relation = 'referenced-by'
+  INNER JOIN resource AS aws_ec2_vpcpeeringconnection
+    ON aws_ec2_vpcpeeringconnection.id = RR.target_id
+    AND aws_ec2_vpcpeeringconnection.provider_type = 'VpcPeeringConnection'
+    AND aws_ec2_vpcpeeringconnection.service = 'ec2'
+    AND aws_ec2_vpcpeeringconnection.provider_account_id = :provider_account_id
+  WHERE
+    aws_ec2_securitygroup.provider_account_id = :provider_account_id
+    AND aws_ec2_securitygroup.provider_type = 'SecurityGroup'
+    AND aws_ec2_securitygroup.service = 'ec2'
+ON CONFLICT (securitygroup_id, vpcpeeringconnection_id)
+DO NOTHING
+;
diff --git a/migrations/provider/aws/0093-add_security_group_references.sql b/migrations/provider/aws/0093-add_security_group_references.sql
@@ -0,0 +1,18 @@
+-- migrate:up
+
+CREATE TABLE IF NOT EXISTS aws_ec2_securitygroup_vpcpeeringconnection (
+  securitygroup_id INTEGER NOT NULL REFERENCES aws_ec2_securitygroup (_id) ON DELETE CASCADE,
+  vpcpeeringconnection_id INTEGER NOT NULL REFERENCES aws_ec2_vpcpeeringconnection (_id) ON DELETE CASCADE,
+  provider_account_id INTEGER NOT NULL REFERENCES provider_account (id) ON DELETE CASCADE,PRIMARY KEY (securitygroup_id, vpcpeeringconnection_id)
+);
+
+ALTER TABLE aws_ec2_securitygroup_vpcpeeringconnection ENABLE ROW LEVEL SECURITY;
+CREATE POLICY read_aws_ec2_securitygroup_vpcpeeringconnection ON aws_ec2_securitygroup_vpcpeeringconnection
+USING (
+  current_user = 'introspector_ro'
+  OR
+  provider_account_id = current_setting('introspector.provider_account_id', true)::int
+);
+
+-- migrate:down
+DROP TABLE aws_ec2_securitygroup_vpcpeeringconnection;
