From e5890322ec84743ffb9c68885d91505ed0633901 Mon Sep 17 00:00:00 2001 From: Matthias Veit Date: Fri, 5 Jan 2024 09:03:05 +0100 Subject: [PATCH] api_gateway --> apigateway --- .../resoto_plugin_aws/resource/apigateway.py | 38 +++++++++---------- .../aws/resoto_plugin_aws/resource/lambda_.py | 6 +-- plugins/aws/resoto_plugin_aws/resource/waf.py | 2 +- plugins/aws/test/resources/apigateway_test.py | 8 ++-- .../static/report/checks/aws/aws_acm.json | 7 +--- .../report/checks/aws/aws_apigateway.json | 16 ++++---- 6 files changed, 37 insertions(+), 40 deletions(-) diff --git a/plugins/aws/resoto_plugin_aws/resource/apigateway.py b/plugins/aws/resoto_plugin_aws/resource/apigateway.py index 411737d528..ca9a7fc386 100644 --- a/plugins/aws/resoto_plugin_aws/resource/apigateway.py +++ b/plugins/aws/resoto_plugin_aws/resource/apigateway.py @@ -62,7 +62,7 @@ def service_name(cls) -> str: @define(eq=False, slots=False) class AwsApiGatewayMethodResponse: - kind: ClassVar[str] = "aws_api_gateway_method_response" + kind: ClassVar[str] = "aws_apigateway_method_response" kind_display: ClassVar[str] = "AWS API Gateway Method Response" kind_description: ClassVar[str] = ( "API Gateway Method Response allows users to define the response parameters" @@ -81,7 +81,7 @@ class AwsApiGatewayMethodResponse: @define(eq=False, slots=False) class AwsApiGatewayIntegrationResponse: - kind: ClassVar[str] = "aws_api_gateway_integration_response" + kind: ClassVar[str] = "aws_apigateway_integration_response" kind_display: ClassVar[str] = "AWS API Gateway Integration Response" kind_description: ClassVar[str] = ( "API Gateway Integration Response is used to define the response structure" 
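Review bot: The `kind` values changed here (`aws_api_gateway_method_response` → `aws_apigateway_method_response`, and the same pattern in every later hunk of apigateway.py, lambda_.py and waf.py) are runtime identifiers, not code symbols, and nothing in this patch shows an alias or migration for the old names. If previously collected graph data, saved searches or user-authored report checks still reference `aws_api_gateway_*`, they would presumably match nothing after this change, and for a security check an empty result reads as a pass. The commit message should state whether old names are still resolved. A changelog line such as `Breaking: AWS API Gateway kinds renamed from aws_api_gateway_* to aws_apigateway_*; update custom checks and saved searches` would make the impact visible to operators.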
@@ -103,7 +103,7 @@ class AwsApiGatewayIntegrationResponse: @define(eq=False, slots=False) class AwsApiGatewayIntegration: - kind: ClassVar[str] = "aws_api_gateway_integration" + kind: ClassVar[str] = "aws_apigateway_integration" kind_display: ClassVar[str] = "AWS API Gateway Integration" kind_description: ClassVar[str] = ( "API Gateway Integration is a feature provided by AWS API Gateway that allows" @@ -146,7 +146,7 @@ class AwsApiGatewayIntegration: @define(eq=False, slots=False) class AwsApiGatewayMethod: - kind: ClassVar[str] = "aws_api_gateway_method" + kind: ClassVar[str] = "aws_apigateway_method" kind_display: ClassVar[str] = "AWS API Gateway Method" kind_description: ClassVar[str] = ( "AWS API Gateway Method allows users to define the individual methods that" @@ -182,13 +182,13 @@ class AwsApiGatewayMethod: @define(eq=False, slots=False) class AwsApiGatewayResource(AwsResource): # collection of resource resources happens in AwsApiGatewayRestApi.collect() - kind: ClassVar[str] = "aws_api_gateway_resource" + kind: ClassVar[str] = "aws_apigateway_resource" kind_display: ClassVar[str] = "AWS API Gateway Resource" kind_description: ClassVar[str] = ( "API Gateway Resource is a logical unit used in API Gateway to represent a" " part of an API's resource hierarchy." ) - reference_kinds: ClassVar[ModelReference] = {"successors": {"default": ["aws_api_gateway_authorizer"]}} + reference_kinds: ClassVar[ModelReference] = {"successors": {"default": ["aws_apigateway_authorizer"]}} mapping: ClassVar[Dict[str, Bender]] = { "id": S("id"), "resource_parent_id": S("parentId"), 
@@ -234,7 +234,7 @@ def service_name(cls) -> str: @define(eq=False, slots=False) class AwsApiGatewayAuthorizer(AwsResource): # collection of authorizer resources happens in AwsApiGatewayRestApi.collect() - kind: ClassVar[str] = "aws_api_gateway_authorizer" + kind: ClassVar[str] = "aws_apigateway_authorizer" kind_display: ClassVar[str] = "AWS API Gateway Authorizer" kind_description: ClassVar[str] = ( "API Gateway Authorizers are mechanisms that help control access to APIs" @@ -303,7 +303,7 @@ def service_name(cls) -> str: @define(eq=False, slots=False) class AwsApiGatewayCanarySetting: - kind: ClassVar[str] = "aws_api_gateway_canary_setting" + kind: ClassVar[str] = "aws_apigateway_canary_setting" kind_display: ClassVar[str] = "AWS API Gateway Canary Setting" kind_description: ClassVar[str] = ( "API Gateway Canary Setting is a feature in AWS API Gateway that allows you" @@ -325,7 +325,7 @@ class AwsApiGatewayCanarySetting: @define(eq=False, slots=False) class AwsApiGatewayStage(ApiGatewayTaggable, AwsResource): # collection of stage resources happens in AwsApiGatewayRestApi.collect() - kind: ClassVar[str] = "aws_api_gateway_stage" + kind: ClassVar[str] = "aws_apigateway_stage" kind_display: ClassVar[str] = "AWS API Gateway Stage" kind_description: ClassVar[str] = ( "API Gateway Stages are environment configurations for deploying and managing" 
@@ -386,14 +386,14 @@ def called_mutator_apis(cls) -> List[AwsApiSpec]: @define(eq=False, slots=False) class AwsApiGatewayDeployment(AwsResource): # collection of deployment resources happens in AwsApiGatewayRestApi.collect() - kind: ClassVar[str] = "aws_api_gateway_deployment" + kind: ClassVar[str] = "aws_apigateway_deployment" kind_display: ClassVar[str] = "AWS API Gateway Deployment" kind_description: ClassVar[str] = ( "API Gateway Deployments represents a deployment of an API to an API Gateway stage." " This allows the API to be invocable by end-users." ) - # edge to aws_api_gateway_stage is established in AwsApiGatewayRestApi.collect() - reference_kinds: ClassVar[ModelReference] = {"successors": {"default": ["aws_api_gateway_stage"]}} + # edge to aws_apigateway_stage is established in AwsApiGatewayRestApi.collect() + reference_kinds: ClassVar[ModelReference] = {"successors": {"default": ["aws_apigateway_stage"]}} mapping: ClassVar[Dict[str, Bender]] = { "id": S("id"), @@ -428,7 +428,7 @@ def service_name(cls) -> str: @define(eq=False, slots=False) class AwsApiGatewayEndpointConfiguration: - kind: ClassVar[str] = "aws_api_gateway_endpoint_configuration" + kind: ClassVar[str] = "aws_apigateway_endpoint_configuration" kind_display: ClassVar[str] = "AWS API Gateway Endpoint Configuration" kind_description: ClassVar[str] = ( "API Gateway Endpoint Configuration is a configuration that defines the" @@ -445,7 +445,7 @@ class AwsApiGatewayEndpointConfiguration: @define(eq=False, slots=False) class AwsApiGatewayRestApi(ApiGatewayTaggable, AwsResource): - kind: ClassVar[str] = "aws_api_gateway_rest_api" + kind: ClassVar[str] = "aws_apigateway_rest_api" kind_display: ClassVar[str] = "AWS API Gateway REST API" kind_description: ClassVar[str] = ( "API Gateway is a fully managed service that makes it easy for developers to" 
@@ -458,9 +458,9 @@ class AwsApiGatewayRestApi(ApiGatewayTaggable, AwsResource): "successors": { "default": [ "aws_vpc_endpoint", - "aws_api_gateway_deployment", - "aws_api_gateway_authorizer", - "aws_api_gateway_resource", + "aws_apigateway_deployment", + "aws_apigateway_authorizer", + "aws_apigateway_resource", ], "delete": ["aws_vpc_endpoint"], } @@ -581,7 +581,7 @@ def delete_resource(self, client: AwsClient, graph: Graph) -> bool: @define(eq=False, slots=False) class AwsApiGatewayMutualTlsAuthentication: - kind: ClassVar[str] = "aws_api_gateway_mutual_tls_authentication" + kind: ClassVar[str] = "aws_apigateway_mutual_tls_authentication" kind_display: ClassVar[str] = "AWS API Gateway Mutual TLS Authentication" kind_description: ClassVar[str] = ( "API Gateway Mutual TLS Authentication enables mutual TLS authentication for" @@ -600,7 +600,7 @@ class AwsApiGatewayMutualTlsAuthentication: @define(eq=False, slots=False) class AwsApiGatewayDomainName(ApiGatewayTaggable, AwsResource): - kind: ClassVar[str] = "aws_api_gateway_domain_name" + kind: ClassVar[str] = "aws_apigateway_domain_name" kind_display: ClassVar[str] = "AWS API Gateway Domain Name" kind_description: ClassVar[str] = ( "API Gateway Domain Name is a custom domain name that you can associate with" diff --git a/plugins/aws/resoto_plugin_aws/resource/lambda_.py b/plugins/aws/resoto_plugin_aws/resource/lambda_.py index 2d9db332c0..7b9ffb397d 100644 --- a/plugins/aws/resoto_plugin_aws/resource/lambda_.py +++ b/plugins/aws/resoto_plugin_aws/resource/lambda_.py 
@@ -242,12 +242,12 @@ class AwsLambdaFunction(AwsResource, BaseServerlessFunction): "aws_vpc", "aws_ec2_subnet", "aws_ec2_security_group", - "aws_api_gateway_rest_api", - "aws_api_gateway_resource", + "aws_apigateway_rest_api", + "aws_apigateway_resource", ], "delete": ["aws_vpc", "aws_ec2_subnet", "aws_ec2_security_group", "aws_kms_key"], }, - "successors": {"default": ["aws_kms_key"], "delete": ["aws_api_gateway_rest_api", "aws_api_gateway_resource"]}, + "successors": {"default": ["aws_kms_key"], "delete": ["aws_apigateway_rest_api", "aws_apigateway_resource"]}, } mapping: ClassVar[Dict[str, Bender]] = { "id": S("FunctionName"), diff --git a/plugins/aws/resoto_plugin_aws/resource/waf.py b/plugins/aws/resoto_plugin_aws/resource/waf.py index 654dddd4b2..3aefe3344f 100644 --- a/plugins/aws/resoto_plugin_aws/resource/waf.py +++ b/plugins/aws/resoto_plugin_aws/resource/waf.py @@ -801,7 +801,7 @@ class AwsWafWebACL(AwsResource): kind: ClassVar[str] = "aws_waf_web_acl" api_spec: ClassVar[AwsApiSpec] = AwsApiSpec("wafv2", "get-web-acl", "WebACL") reference_kinds: ClassVar[ModelReference] = { - "successors": {"default": ["aws_alb", "aws_api_gateway_rest_api", "aws_cognito_user_pool"]} + "successors": {"default": ["aws_alb", "aws_apigateway_rest_api", "aws_cognito_user_pool"]} } mapping: ClassVar[Dict[str, Bender]] = { "id": S("Id"), diff --git a/plugins/aws/test/resources/apigateway_test.py b/plugins/aws/test/resources/apigateway_test.py index 26b82fa3df..1f16c3c3aa 100644 --- a/plugins/aws/test/resources/apigateway_test.py +++ b/plugins/aws/test/resources/apigateway_test.py 
@@ -15,10 +15,10 @@ def test_rest_apis() -> None: type_count: Dict[str, int] = defaultdict(int) for node in builder.graph.nodes: type_count[node.kind] += 1 - assert type_count["aws_api_gateway_deployment"] == 2 - assert type_count["aws_api_gateway_stage"] == 1 - assert type_count["aws_api_gateway_authorizer"] == 1 - assert type_count["aws_api_gateway_resource"] == 1 + assert type_count["aws_apigateway_deployment"] == 2 + assert type_count["aws_apigateway_stage"] == 1 + assert type_count["aws_apigateway_authorizer"] == 1 + assert type_count["aws_apigateway_resource"] == 1 def test_api_tagging() -> None: diff --git a/resotocore/resotocore/static/report/checks/aws/aws_acm.json b/resotocore/resotocore/static/report/checks/aws/aws_acm.json index f3a2c06fb3..fc0e873148 100644 --- a/resotocore/resotocore/static/report/checks/aws/aws_acm.json +++ b/resotocore/resotocore/static/report/checks/aws/aws_acm.json @@ -5,11 +5,8 @@ { "name": "certificate_transparency_logging_enabled", "title": "Ensure that ACM certificate transparency is enabled to enhance the security of your website by providing visibility into the issuance and lifecycle of SSL/TLS certificates, helping to detect unauthorized certificates.", - "result_kinds": [ ], - "categories": [ - "security", - "compliance" - ], + "result_kinds": [ "aws_acm_certificate" ], + "categories": [ "security", "compliance"], "risk": "without ACM certificate transparency enabled, there's an increased risk of not being aware of potentially malicious or unauthorized SSL/TLS certificates, posing a threat to the security of your website or infrastructure", "severity": "medium", "detect": { diff --git a/resotocore/resotocore/static/report/checks/aws/aws_apigateway.json b/resotocore/resotocore/static/report/checks/aws/aws_apigateway.json index 5d833921f5..eae4dc3147 100644 --- a/resotocore/resotocore/static/report/checks/aws/aws_apigateway.json +++ b/resotocore/resotocore/static/report/checks/aws/aws_apigateway.json 
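Review bot: The `result_kinds` change for `certificate_transparency_logging_enabled` in aws_acm.json (empty list → `[ "aws_acm_certificate" ]`) is a behavioural fix that the subject line "api_gateway --> apigateway" does not mention, so it deserves its own line in the commit message. The `detect` body lies outside the hunk, so it cannot be confirmed here that the query actually selects `aws_acm_certificate`. Kind names in these JSON files are plain strings. A test that loads every check and asserts that `result_kinds` is non-empty and that each listed kind exists in the model would catch both this gap and any missed rename in aws_apigateway.json.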
@@ -5,13 +5,13 @@ { "name": "authorizers_enabled", "title": "Check if API Gateway has configured authorizers.", - "result_kinds": ["aws_api_gateway_rest_api"], + "result_kinds": ["aws_apigateway_rest_api"], "categories": ["security", "compliance"], "risk": "If no authorizer is defined, anyone can use the service.", "severity": "medium", "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html", "detect": { - "resoto": "is(aws_api_gateway_rest_api) with(empty, --> is(aws_api_gateway_authorizer))" + "resoto": "is(aws_apigateway_rest_api) with(empty, --> is(aws_apigateway_authorizer))" }, "remediation": { "text": "Add a Cognito pool or attach a Lambda function to control access to your API.", @@ -23,13 +23,13 @@ { "name": "client_certificate_enabled", "title": "Check if API Gateway has client certificate enabled to access your backend endpoint.", - "result_kinds": ["aws_api_gateway_stage"], + "result_kinds": ["aws_apigateway_stage"], "categories": ["security", "compliance"], "risk": "Man in the middle attacks are possible and other similar risks.", "severity": "medium", "url": "https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-mutual-tls.html", "detect": { - "resoto": "is(aws_api_gateway_stage) and stage_client_certificate_id==null <-[2]- is(aws_api_gateway_rest_api)" + "resoto": "is(aws_apigateway_stage) and stage_client_certificate_id==null <-[2]- is(aws_apigateway_rest_api)" }, "remediation": { "text": "Enable client certificate. Mutual TLS is recommended and commonly used for business-to-business (B2B) applications. It iss used in standards such as Open Banking. API Gateway now provides integrated mutual TLS authentication at no additional cost.", 
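Review bot: In `client_certificate_enabled` the declared `result_kinds` is `["aws_apigateway_stage"]`, but the detect query ends with `<-[2]- is(aws_apigateway_rest_api)`. As I read the search syntax, that walks back from the stage and returns the REST API nodes instead. One of the two should change: either `"result_kinds": ["aws_apigateway_rest_api"]`, or drop the traversal so the stage itself is reported. The mismatch predates this commit (only the kind names changed), but it is worth settling while the line is being edited. The remediation text of the same entry also contains the typo "It iss used".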
@@ -39,12 +39,12 @@ { "name": "logging_enabled", "title": "Check if API Gateway has logging enabled.", - "result_kinds": ["aws_api_gateway_stage"], + "result_kinds": ["aws_apigateway_stage"], "categories": ["compliance"], "risk": "If not enabled, monitoring of service use is not possible. Real-time monitoring of API calls can be achieved by directing CloudTrail Logs to CloudWatch Logs and establishing corresponding metric filters and alarms.", "severity": "medium", "detect": { - "resoto": "is(aws_api_gateway_stage) and stage_method_settings!={}" + "resoto": "is(aws_apigateway_stage) and stage_method_settings!={}" }, "remediation": { "text": "Monitoring is an important part of maintaining the reliability, availability and performance of API Gateway and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution. CloudTrail provides a record of actions taken by a user, role, or an AWS service in API Gateway. Using the information collected by CloudTrail, you can determine the request that was made to API Gateway, the IP address from which the request was made, who made the request, etc.", @@ -54,12 +54,12 @@ { "name": "waf_acl_attached", "title": "Check if API Gateway has a WAF ACL attached.", - "result_kinds": ["aws_api_gateway_stage"], + "result_kinds": ["aws_apigateway_stage"], "categories": ["security"], "risk": "Potential attacks and / or abuse of service for internet reachable services.", "severity": "medium", "detect": { - "resoto": "is(aws_api_gateway_stage) and stage_web_acl_arn==null" + "resoto": "is(aws_apigateway_stage) and stage_web_acl_arn==null" }, "remediation": { "text": "Use AWS WAF to protect your API Gateway API from common web exploits, such as SQL injection and cross-site scripting (XSS) attacks. These could affect API availability and performance, compromise security or consume excessive resources.",
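Review bot: The `logging_enabled` query `is(aws_apigateway_stage) and stage_method_settings!={}` selects stages that have method settings, whereas the sibling checks in this file select the failing resources (`stage_web_acl_arn==null`, `stage_client_certificate_id==null`). If the intent is to flag stages without logging configured, the polarity looks inverted, e.g. `stage_method_settings=={}`. A non-empty settings object also does not by itself show that logging is switched on. This predates the rename, but please confirm it while the line is touched, since an inverted detect query reports compliant stages and misses the non-compliant ones.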