lyft / cartography

Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

Home Page:https://lyft.github.io/cartography/


When syncing multiple accounts, Cartography can incorrectly represent a single AWSRole as 2 nodes

achantavy opened this issue · comments

Description:

What issue is being seen? Describe what should be happening instead of the bug, for example: Cartography should not crash, the expected value isn't returned, the data schema is wrong, etc.

When syncing multiple accounts starting with a fresh graph, depending on the order in which the accounts are synced, Cartography may incorrectly represent a single AWS role as an AWSPrincipal node and a separate AWSRole node, both with the same arn. The expected behavior is for a single node to be created with the labels AWSPrincipal and AWSRole.

To Reproduce:

Steps to reproduce the behavior. Provide all data and inputs required to reproduce the issue.

Suppose we have AWS accounts with ids 123 and 456 such that

  1. 123 has role 'datateam' and 456 has role 'terraform'.

  2. 'arn:aws:iam::456:role/terraform' allows 'arn:aws:iam::123:role/datateam' to assume it.

That is, 'arn:aws:iam::456:role/terraform' has trust relationship document

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123:role/datateam"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Start with a blank graph. Configure the cartography sync to sync account 456 first, and account 123 after.

Expected behavior

At the end of this, we will have the following paths:

(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::456:role/terraform"})-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::123:role/datateam"})

Actual behavior

The following paths are created:

(:AWSPrincipal:AWSRole{arn:"arn:aws:iam::456:role/terraform"})-[:TRUSTS_AWS_PRINCIPAL]->(:AWSPrincipal{arn:"arn:aws:iam::123:role/datateam"})

(:AWSRole{arn:"arn:aws:iam::123:role/datateam"}) // <-- this node is disconnected and has the same arn as above!

Please complete the following information:

  • Cartography release version or commit hash [e.g. 0.12.0 or 95e8e11]
    0.75.1

The offending line of code is here:

MERGE (spnnode:AWSPrincipal{arn: $SpnArn})

We should also fix this similar pattern too:

MERGE (p:AWSPrincipal{arn:$RoleArn})

We should add an integration test to reproduce the error above and validate a fix.
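The following Cypher is an added example, not cartography's own code: it replays the two-account sync order from the report with the page's ARNs to produce the split node, includes a query that detects the symptom, and shows a MERGE pattern that keeps one node. The role-sync statement `MERGE (r:AWSRole {arn: ...})` is an assumption about what the second sync runs, and the AWSAccount relationships of the real sync are omitted.

```cypher
// Added example (not from cartography). Account 456 is synced first.
// Step 1: trust-policy sync for terraform creates the datateam principal
// with only the AWSPrincipal label, since account 123 has not been synced.
MERGE (role:AWSPrincipal:AWSRole {arn: "arn:aws:iam::456:role/terraform"})
MERGE (spnnode:AWSPrincipal {arn: "arn:aws:iam::123:role/datateam"})
MERGE (role)-[:TRUSTS_AWS_PRINCIPAL]->(spnnode);

// Step 2 (assumed role-sync statement for account 123): MERGE matches on
// every label in the pattern, and the existing node carries only
// AWSPrincipal, so Neo4j creates a second, disconnected AWSRole node.
MERGE (r:AWSRole {arn: "arn:aws:iam::123:role/datateam"});

// Detection: any arn shared by two distinct nodes is the bug described above.
MATCH (a:AWSPrincipal), (b:AWSRole)
WHERE a.arn = b.arn AND a <> b
RETURN a.arn AS duplicated_arn, labels(a) AS labels_a, labels(b) AS labels_b;

// Fix pattern: merge on the label common to every principal type, then add
// the specific label with SET. Run in either account order this reuses the
// node created by the trust-policy sync instead of creating a new one.
MERGE (p:AWSPrincipal {arn: "arn:aws:iam::123:role/datateam"})
SET p:AWSRole;

// After the fix the detection query returns no rows and the datateam node
// carries both labels while remaining the target of TRUSTS_AWS_PRINCIPAL.
MATCH (:AWSRole {arn: "arn:aws:iam::456:role/terraform"})
      -[:TRUSTS_AWS_PRINCIPAL]->(t)
RETURN t.arn, labels(t);
```

The detection query doubles as the assertion for the integration test proposed above: a correct fix leaves it returning zero rows after both accounts are synced in either order.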