@cloud-copilot/iam-lens 0.1.0 → 0.1.2

package/dist/esm/resources.js

@@ -0,0 +1,39 @@
+import { splitArnParts } from './util/arn.js';
+/**
+ * Get the account ID for a given resource ARN. Lookup index if necessary to find the account ID.
+ *
+ * @param collectClient the IAM collect client to use for retrieving the account ID
+ * @param resourceArn the ARN of the resource to get the account ID for
+ * @returns the account ID for the specified resource, or undefined if not found
+ */
+export async function getAccountIdForResource(collectClient, resourceArn) {
+    const arnParts = splitArnParts(resourceArn);
+    let accountId = arnParts.accountId;
+    if (accountId) {
+        return accountId;
+    }
+    if (arnParts.service === 's3' && arnParts.resourceType === '') {
+        const bucketName = arnParts.resourcePath;
+        return collectClient.getAccountIdForBucket(bucketName);
+    }
+    else if (arnParts.service === 'apigateway' && arnParts.resourceType === 'restapis') {
+        const apiId = arnParts.resourcePath;
+        return collectClient.getAccountIdForRestApi(apiId);
+    }
+    return undefined;
+}
+/**
+ * Get the resource control policies (RCPs) for a given resource ARN.
+ *
+ * @param collectClient the IAM collect client to use for retrieving RCPs
+ * @param resourceArn the ARN of the resource to get RCPs for
+ * @returns an array of resource control policies for the specified resource
+ */
+export async function getRcpsForResource(collectClient, resourceArn) {
+    const accountId = await getAccountIdForResource(collectClient, resourceArn);
+    if (!accountId) {
+        throw new Error(`Unable to determine account ID for resource ARN: ${resourceArn}`);
+    }
+    return collectClient.getRcpHierarchyForAccount(accountId);
+}
+//# sourceMappingURL=resources.js.map

package/dist/esm/resources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAClC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAa,CAAA;QACzC,OAAO,aAAa,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAA;IACxD,CAAC;SAAM,IAAI,QAAQ,CAAC,OAAO,KAAK,YAAY,IAAI,QAAQ,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;QACrF,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAa,CAAA;QACpC,OAAO,aAAa,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;IACpD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,SAAS,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAA;IAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,OAAO,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;AAC3D,CAAC"}

package/dist/esm/util/arn.d.ts

@@ -0,0 +1,26 @@
+export interface ArnParts {
+    partition: string | undefined;
+    service: string | undefined;
+    region: string | undefined;
+    accountId: string | undefined;
+    resource: string | undefined;
+    resourceType: string | undefined;
+    resourcePath: string | undefined;
+}
+/**
+ * Split an ARN into its parts
+ *
+ * @param arn the arn to split
+ * @returns the parts of the ARN
+ */
+export declare function splitArnParts(arn: string): ArnParts;
+/**
+ * Get the product/id segments of the resource portion of an ARN.
+ * The first segment is the product segment and the second segment is the resource id segment.
+ * This could be split by a colon or a slash, so it checks for both. It also checks for S3 buckets/objects.
+ *
+ * @param resource The resource to get the resource segments. Must be an ARN resource.
+ * @returns a tuple with the first segment being the product segment (without the separator) and the second segment being the resource id.
+ */
+export declare function getResourceSegments(service: string, accountId: string, region: string, resourceString: string): [string, string];
+//# sourceMappingURL=arn.d.ts.map

package/dist/esm/util/arn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"arn.d.ts","sourceRoot":"","sources":["../../../src/util/arn.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAkBnD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,GACrB,CAAC,MAAM,EAAE,MAAM,CAAC,CA+BlB"}

package/dist/esm/util/arn.js

@@ -0,0 +1,64 @@
+// Copied from https://github.com/cloud-copilot/iam-simulate/blob/main/src/util.ts
+/**
+ * Split an ARN into its parts
+ *
+ * @param arn the arn to split
+ * @returns the parts of the ARN
+ */
+export function splitArnParts(arn) {
+    const parts = arn.split(':');
+    const partition = parts.at(1);
+    const service = parts.at(2);
+    const region = parts.at(3);
+    const accountId = parts.at(4);
+    const resource = parts.slice(5).join(':');
+    const [resourceType, resourcePath] = getResourceSegments(service, accountId, region, resource);
+    return {
+        partition,
+        service,
+        region,
+        accountId,
+        resource,
+        resourceType,
+        resourcePath
+    };
+}
+/**
+ * Get the product/id segments of the resource portion of an ARN.
+ * The first segment is the product segment and the second segment is the resource id segment.
+ * This could be split by a colon or a slash, so it checks for both. It also checks for S3 buckets/objects.
+ *
+ * @param resource The resource to get the resource segments. Must be an ARN resource.
+ * @returns a tuple with the first segment being the product segment (without the separator) and the second segment being the resource id.
+ */
+export function getResourceSegments(service, accountId, region, resourceString) {
+    // This is terrible, and I hate it
+    if ((service === 's3' && accountId === '' && region === '') ||
+        service === 'sns' ||
+        service === 'sqs') {
+        return ['', resourceString];
+    }
+    if (resourceString.startsWith('/')) {
+        resourceString = resourceString.slice(1);
+    }
+    const slashIndex = resourceString.indexOf('/');
+    const colonIndex = resourceString.indexOf(':');
+    let splitIndex = slashIndex;
+    if (slashIndex != -1 && colonIndex != -1) {
+        splitIndex = Math.min(slashIndex, colonIndex) + 1;
+    }
+    else if (slashIndex == -1 && colonIndex == -1) {
+        splitIndex = resourceString.length + 1;
+    }
+    else if (colonIndex == -1) {
+        splitIndex = slashIndex + 1;
+    }
+    else if (slashIndex == -1) {
+        splitIndex = colonIndex + 1;
+    }
+    else {
+        throw new Error(`Unable to split resource ${resourceString}`);
+    }
+    return [resourceString.slice(0, splitIndex - 1), resourceString.slice(splitIndex)];
+}
+//# sourceMappingURL=arn.js.map

package/dist/esm/util/arn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"arn.js","sourceRoot":"","sources":["../../../src/util/arn.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAYlF;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,GAAG,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;IAE9F,OAAO;QACL,SAAS;QACT,OAAO;QACP,MAAM;QACN,SAAS;QACT,QAAQ;QACR,YAAY;QACZ,YAAY;KACb,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,cAAsB;IAEtB,kCAAkC;IAClC,IACE,CAAC,OAAO,KAAK,IAAI,IAAI,SAAS,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,CAAC;QACvD,OAAO,KAAK,KAAK;QACjB,OAAO,KAAK,KAAK,EACjB,CAAC;QACD,OAAO,CAAC,EAAE,EAAE,cAAc,CAAC,CAAA;IAC7B,CAAC;IAED,IAAI,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC9C,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAE9C,IAAI,UAAU,GAAG,UAAU,CAAA;IAC3B,IAAI,UAAU,IAAI,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QACzC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAChD,UAAU,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAA;IACxC,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,4BAA4B,cAAc,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAA;AACpF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-lens",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Visibility in IAM in and across AWS accounts",
   "keywords": [
     "aws",
@@ -9,20 +9,16 @@
     "identity"
   ],
   "homepage": "https://github.com/cloud-copilot/iam-lens#readme",
-    "devDependencies": {
-    "@cloud-copilot/prettier-config": "^0.1.0",
-    "@semantic-release/changelog": "^6.0.3",
-    "@semantic-release/commit-analyzer": "^13.0.1",
-    "@semantic-release/git": "^10.0.1",
-    "@semantic-release/github": "^11.0.1",
-    "@semantic-release/npm": "^12.0.1",
-    "@semantic-release/release-notes-generator": "^14.0.3",
-    "@types/node": "^22.5.0",
-    "@vitest/coverage-v8": "^3.0.7",
-    "semantic-release": "^24.2.1",
-    "typescript": "^5.7.2",
-    "vitest": "^3.0.7"
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js"
+    }
   },
+  "files": [
+    "dist/**/*"
+  ],
+  "types": "dist/cjs/index.d.ts",
   "prettier": "@cloud-copilot/prettier-config",
   "bugs": {
     "url": "https://github.com/cloud-copilot/iam-lens/issues"
@@ -32,9 +28,7 @@
     "url": "git+https://github.com/cloud-copilot/iam-lens.git"
   },
   "license": "AGPL-3.0-or-later",
-  "author": "Cloud Copilot",
-  "type": "commonjs",
-  "main": "dist/esm/index.js",
+  "author": "David Kerber <dave@cloudcopilot.io>",
   "scripts": {
     "build": "npx tsc -p tsconfig.cjs.json && npx tsc -p tsconfig.esm.json && ./postbuild.sh",
     "clean": "rm -rf dist",
@@ -42,5 +36,79 @@
     "release": "npm install && npm run clean && npm run build && npm test && npm run format-check && npm publish",
     "format": "npx prettier --write src/",
     "format-check": "npx prettier --check src/"
+  },
+  "devDependencies": {
+    "@cloud-copilot/prettier-config": "^0.1.0",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/commit-analyzer": "^13.0.1",
+    "@semantic-release/git": "^10.0.1",
+    "@semantic-release/github": "^11.0.1",
+    "@semantic-release/npm": "^12.0.1",
+    "@semantic-release/release-notes-generator": "^14.0.3",
+    "@types/node": "^22.5.0",
+    "@vitest/coverage-v8": "^3.0.7",
+    "semantic-release": "^24.2.1",
+    "typescript": "^5.7.2",
+    "vitest": "^3.0.7"
+  },
+  "release": {
+    "branches": [
+      "main"
+    ],
+    "plugins": [
+      [
+        "@semantic-release/commit-analyzer",
+        {
+          "releaseRules": [
+            {
+              "type": "feat",
+              "release": "patch"
+            },
+            {
+              "type": "fix",
+              "release": "patch"
+            },
+            {
+              "breaking": true,
+              "release": "patch"
+            },
+            {
+              "type": "*",
+              "release": "patch"
+            }
+          ]
+        }
+      ],
+      "@semantic-release/release-notes-generator",
+      "@semantic-release/changelog",
+      [
+        "@semantic-release/npm",
+        {
+          "npmPublish": true
+        }
+      ],
+      [
+        "@semantic-release/git",
+        {
+          "assets": [
+            "package.json",
+            "package-lock.json",
+            "CHANGELOG.md"
+          ],
+          "message": "chore(release): ${nextRelease.version} [skip ci]"
+        }
+      ],
+      [
+        "@semantic-release/github",
+        {
+          "assets": []
+        }
+      ]
+    ]
+  },
+  "dependencies": {
+    "@cloud-copilot/iam-collect": "^0.1.63",
+    "@cloud-copilot/iam-policy": "^0.1.24",
+    "@cloud-copilot/iam-simulate": "^0.1.35"
   }
 }

package/.github/workflows/guarddog.yml

@@ -1,31 +0,0 @@
-name: GuardDog
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  guarddog:
-    permissions:
-      contents: read
-    name: Scan Dependencies and Source Code
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.10'
-
-      - name: Install GuardDog
-        run: pip install guarddog
-
-      - run: guarddog npm scan src/ --exit-non-zero-on-finding
-      # - run: guarddog npm verify package.json --exclude-rules empty_information --exit-non-zero-on-finding

package/.github/workflows/pr-checks.yml

@@ -1,101 +0,0 @@
-name: 'Lint PR'
-
-on:
-  pull_request_target:
-    types:
-      - opened
-      - edited
-      - synchronize
-      - reopened
-
-permissions:
-  contents: read
-
-jobs:
-  main:
-    name: Validate PR title
-    runs-on: ubuntu-latest
-    steps:
-      - uses: amannn/action-semantic-pull-request@v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  lint:
-    name: Code Formatting Check
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Check Code Formatting
-        run: npm run format-check
-
-  test:
-    name: Build and Test
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-
-      - name: Set up Node
-        uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Build
-        run: npm run build
-
-      - name: Check Tests
-        run: npm test
-
-  guarddog:
-    permissions:
-      contents: read
-    name: GuardDog Check
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out the repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          fetch-depth: 0
-
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: '3.10'
-
-      - name: Install GuardDog
-        run: pip install guarddog
-
-      - name: Run GuardDog scan on src
-        run: guarddog npm scan src/ --exit-non-zero-on-finding
-
-      # - name: Check if package.json changed
-      #   id: package_check
-      #   run: |
-      #     if git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }} | grep -q '^package\.json$'; then
-      #       echo "changed=true" >> $GITHUB_OUTPUT
-      #     else
-      #       echo "changed=false" >> $GITHUB_OUTPUT
-      #     fi
-
-      # - name: Conditionally run verify on package.json
-      #   if: steps.package_check.outputs.changed == 'true'
-      #   run: guarddog npm verify package.json --exclude-rules empty_information --exit-non-zero-on-finding

package/.github/workflows/update-dependencies.yml

@@ -1,16 +0,0 @@
-name: Update Dependencies
-
-on:
-  schedule:
-    - cron: '0 12 * * 6' # Every Saturday at 12:00 PM UTC
-  workflow_dispatch:
-
-jobs:
-  update-dependencies:
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write # Push branches
-      pull-requests: write # Create PRs
-    steps:
-      - name: Run dependency update
-        uses: cloud-copilot/update-dependencies@main

package/postbuild.sh

@@ -1,12 +0,0 @@
-cat >dist/cjs/package.json <<!EOF
-{
-    "type": "commonjs"
-}
-!EOF
-rm -rf dist/cjs/utils/readPackageFileEsm.*
-
-cat >dist/esm/package.json <<!EOF
-{
-    "type": "module"
-}
-!EOF

package/src/index.ts

@@ -1 +0,0 @@
-console.log('Hello, world!')

package/tsconfig.cjs.json

@@ -1,11 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-
-  "include": ["src/**/*"],
-  "exclude": ["**/*.test.ts"],
-
-  "compilerOptions": {
-    "rootDir": "src",
-    "outDir": "dist/cjs",
-  }
-}

package/tsconfig.esm.json

@@ -1,14 +0,0 @@
-{
-  "extends": "./tsconfig.json",
-
-  "include": ["src/**/*"],
-  "exclude": ["**/*.test.ts"],
-
-  "compilerOptions": {
-    "target": "ES2020",
-    "module": "ES2020",
-    "moduleResolution": "node",
-    "rootDir": "src",
-    "outDir": "dist/esm"
-  }
-}

package/tsconfig.json

@@ -1,22 +0,0 @@
-{
-  "compilerOptions": {
-    "module": "commonjs",
-    "target": "es2022",
-    "outDir": "dist",
-    "rootDir": "src",
-    "sourceMap": true,
-    "strict": true,
-    "declaration": true,
-    "declarationMap": true,
-    "lib": ["es2023", "DOM"],
-    "noUnusedLocals": false,
-    "noUnusedParameters": false,
-    "noImplicitReturns": true,
-    "noFallthroughCasesInSwitch": false,
-    "experimentalDecorators": true,
-    "emitDecoratorMetadata": true,
-    "esModuleInterop": false,
-    "forceConsistentCasingInFileNames": true,
-  },
-  "exclude": ["tests", "test", "dist", "bin", "**/bin", "**/dist", "node_modules", "cdk.out"]
-}