When syncing multiple accounts, Cartography can incorrectly represent a single AWSRole as 2 nodes
achantavy opened this issue
Description:
When syncing multiple accounts starting with a fresh graph, depending on the order in which the accounts are synced, Cartography may incorrectly represent a single AWS role as an AWSPrincipal node and a separate AWSRole node, both with the same arn. The expected behavior is for a single node to be created with labels AWSPrincipal and AWSRole.
To Reproduce:
Suppose we have AWS accounts with ids 123 and 456 such that

- 123 has role 'datateam' and 456 has role 'terraform'.
- 'arn:aws:iam::456:role/terraform' allows 'arn:aws:iam::123:role/datateam' to assume it.

That is, 'arn:aws:iam::456:role/terraform' has the trust relationship document
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123:role/datateam"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Start with a blank graph. Configure the cartography sync to sync account 456 first, and account 123 after.
Expected behavior
At the end of this, we will have the following paths:
```cypher
(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::456:role/terraform"})-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::123:role/datateam"})
```
Actual behavior
The following paths are created:
```cypher
(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::456:role/terraform"})-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal{arn:"arn:aws:iam::123:role/datateam"})
(:AWSRole{arn:"arn:aws:iam::123:role/datateam"}) // <-- this node is disconnected and has the same arn as above!
```
Please complete the following information:
- Cartography release version or commit hash: 0.75.1
The offending line of code is here:
cartography/cartography/intel/aws/iam.py
Line 325 in d94ef53
We should also fix this similar pattern:
cartography/cartography/intel/aws/redshift.py
Line 117 in d94ef53
We should add an integration test to reproduce the error above and validate a fix.
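The ordering dependence comes from how Cypher `MERGE` matches on labels: `MERGE (n:AWSRole {arn: $arn})` only matches a node that already carries the `AWSRole` label, so a placeholder created earlier by a trust-policy query as `:AWSPrincipal` only is not reused. The following is an added illustration, not Cartography's code and not a Neo4j driver: an in-memory stand-in that mimics MERGE label matching and replays both sync orders from the issue. It assumes (an assumption, not read from the linked lines) that the role query merges on `:AWSRole` and adds `:AWSPrincipal` on create, while the trust query merges on `:AWSPrincipal`; the "fixed" variant merges on the shared `:AWSPrincipal` label and then sets `:AWSRole`.

```python
# Added illustration: an in-memory stand-in for Neo4j MERGE label semantics.
# Not Cartography code and not a Neo4j driver; the Graph class, the account
# data and the "buggy"/"fixed" query shapes below are constructed assumptions.
from dataclasses import dataclass


@dataclass
class Node:
    labels: set
    props: dict


class Graph:
    """Tiny graph that mimics how Cypher MERGE matches on labels."""

    def __init__(self):
        self.nodes = []
        self.edges = []  # (source Node, relationship type, target Node)

    def merge(self, labels, props):
        # MERGE (n:A:B {k: v}) matches only a node carrying EVERY label in the
        # pattern plus the given properties; otherwise it creates a new node
        # with exactly those labels. A node created earlier as :AWSPrincipal
        # only is therefore invisible to MERGE (n:AWSRole {arn: ...}).
        labels = set(labels)
        for n in self.nodes:
            if labels <= n.labels and all(n.props.get(k) == v for k, v in props.items()):
                return n
        n = Node(labels, dict(props))
        self.nodes.append(n)
        return n

    def nodes_by_arn(self, arn):
        return [n for n in self.nodes if n.props.get("arn") == arn]


DATATEAM = "arn:aws:iam::123:role/datateam"
TERRAFORM = "arn:aws:iam::456:role/terraform"

# Constructed sample data matching the issue: account 456's terraform role
# trusts account 123's datateam role. Maps account id -> {role arn: trusted arns}.
ACCOUNTS = {
    "123": {DATATEAM: []},
    "456": {TERRAFORM: [DATATEAM]},
}


def load_role(graph, arn, fixed):
    """Ingest one role; 'fixed' selects which assumed query shape is used."""
    if fixed:
        # MERGE on the shared :AWSPrincipal label, then SET n:AWSRole, so a
        # placeholder created by a trust policy is reused and upgraded.
        node = graph.merge({"AWSPrincipal"}, {"arn": arn})
        node.labels.add("AWSRole")
    else:
        # MERGE (n:AWSRole {arn}) ON CREATE SET n:AWSPrincipal: an existing
        # :AWSPrincipal-only node does not match, so a duplicate is created.
        node = graph.merge({"AWSRole"}, {"arn": arn})
        node.labels.add("AWSPrincipal")
    return node


def load_trusts(graph, role_node, principal_arns):
    # Trusted principals are merged as :AWSPrincipal because the trusted
    # account may not have been synced yet, so only a placeholder is known.
    for parn in principal_arns:
        principal = graph.merge({"AWSPrincipal"}, {"arn": parn})
        graph.edges.append((role_node, "TRUSTS_AWS_PRINCIPAL", principal))


def sync(order, fixed):
    """Sync the accounts in the given order on a blank graph and return it."""
    graph = Graph()
    for account in order:
        for arn, trusted in ACCOUNTS[account].items():
            role = load_role(graph, arn, fixed)
            load_trusts(graph, role, trusted)
    return graph


def datateam_nodes(order, fixed):
    """Sorted label sets of every node carrying the datateam arn after the sync."""
    graph = sync(order, fixed)
    return sorted(sorted(n.labels) for n in graph.nodes_by_arn(DATATEAM))


if __name__ == "__main__":
    print(datateam_nodes(["456", "123"], fixed=False))  # two nodes: the bug
    print(datateam_nodes(["123", "456"], fixed=False))  # one node: order hides it
    print(datateam_nodes(["456", "123"], fixed=True))   # one node in either order
```

The same check can be run against a real graph after a multi-account sync with `MATCH (n) WHERE n.arn IS NOT NULL WITH n.arn AS arn, count(n) AS c WHERE c > 1 RETURN arn, c`, which lists any arn represented by more than one node; an integration test for the fix can sync the two accounts in the problematic order and assert that query returns nothing.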