@cloud-copilot/iam-lens 0.1.1 → 0.1.3

package/dist/esm/resources.js

@@ -0,0 +1,39 @@
+import { splitArnParts } from './util/arn.js';
+/**
+ * Get the account ID for a given resource ARN. Lookup index if necessary to find the account ID.
+ *
+ * @param collectClient the IAM collect client to use for retrieving the account ID
+ * @param resourceArn the ARN of the resource to get the account ID for
+ * @returns the account ID for the specified resource, or undefined if not found
+ */
+export async function getAccountIdForResource(collectClient, resourceArn) {
+    const arnParts = splitArnParts(resourceArn);
+    let accountId = arnParts.accountId;
+    if (accountId) {
+        return accountId;
+    }
+    if (arnParts.service === 's3' && arnParts.resourceType === '') {
+        const bucketName = arnParts.resourcePath;
+        return collectClient.getAccountIdForBucket(bucketName);
+    }
+    else if (arnParts.service === 'apigateway' && arnParts.resourceType === 'restapis') {
+        const apiId = arnParts.resourcePath;
+        return collectClient.getAccountIdForRestApi(apiId);
+    }
+    return undefined;
+}
+/**
+ * Get the resource control policies (RCPs) for a given resource ARN.
+ *
+ * @param collectClient the IAM collect client to use for retrieving RCPs
+ * @param resourceArn the ARN of the resource to get RCPs for
+ * @returns an array of resource control policies for the specified resource
+ */
+export async function getRcpsForResource(collectClient, resourceArn) {
+    const accountId = await getAccountIdForResource(collectClient, resourceArn);
+    if (!accountId) {
+        throw new Error(`Unable to determine account ID for resource ARN: ${resourceArn}`);
+    }
+    return collectClient.getRcpHierarchyForAccount(accountId);
+}
+//# sourceMappingURL=resources.js.map

package/dist/esm/resources.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resources.js","sourceRoot":"","sources":["../../src/resources.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAE7C;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,QAAQ,GAAG,aAAa,CAAC,WAAW,CAAC,CAAA;IAC3C,IAAI,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAA;IAClC,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,SAAS,CAAA;IAClB,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,CAAC,YAAY,KAAK,EAAE,EAAE,CAAC;QAC9D,MAAM,UAAU,GAAG,QAAQ,CAAC,YAAa,CAAA;QACzC,OAAO,aAAa,CAAC,qBAAqB,CAAC,UAAU,CAAC,CAAA;IACxD,CAAC;SAAM,IAAI,QAAQ,CAAC,OAAO,KAAK,YAAY,IAAI,QAAQ,CAAC,YAAY,KAAK,UAAU,EAAE,CAAC;QACrF,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAa,CAAA;QACpC,OAAO,aAAa,CAAC,sBAAsB,CAAC,KAAK,CAAC,CAAA;IACpD,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,aAA+B,EAC/B,WAAmB;IAEnB,MAAM,SAAS,GAAG,MAAM,uBAAuB,CAAC,aAAa,EAAE,WAAW,CAAC,CAAA;IAC3E,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,WAAW,EAAE,CAAC,CAAA;IACpF,CAAC;IACD,OAAO,aAAa,CAAC,yBAAyB,CAAC,SAAS,CAAC,CAAA;AAC3D,CAAC"}

package/dist/esm/util/arn.d.ts

@@ -0,0 +1,26 @@
+export interface ArnParts {
+    partition: string | undefined;
+    service: string | undefined;
+    region: string | undefined;
+    accountId: string | undefined;
+    resource: string | undefined;
+    resourceType: string | undefined;
+    resourcePath: string | undefined;
+}
+/**
+ * Split an ARN into its parts
+ *
+ * @param arn the arn to split
+ * @returns the parts of the ARN
+ */
+export declare function splitArnParts(arn: string): ArnParts;
+/**
+ * Get the product/id segments of the resource portion of an ARN.
+ * The first segment is the product segment and the second segment is the resource id segment.
+ * This could be split by a colon or a slash, so it checks for both. It also checks for S3 buckets/objects.
+ *
+ * @param resource The resource to get the resource segments. Must be an ARN resource.
+ * @returns a tuple with the first segment being the product segment (without the separator) and the second segment being the resource id.
+ */
+export declare function getResourceSegments(service: string, accountId: string, region: string, resourceString: string): [string, string];
+//# sourceMappingURL=arn.d.ts.map

package/dist/esm/util/arn.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"arn.d.ts","sourceRoot":"","sources":["../../../src/util/arn.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,QAAQ;IACvB,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,OAAO,EAAE,MAAM,GAAG,SAAS,CAAA;IAC3B,MAAM,EAAE,MAAM,GAAG,SAAS,CAAA;IAC1B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAA;IAC7B,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAA;IAC5B,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;IAChC,YAAY,EAAE,MAAM,GAAG,SAAS,CAAA;CACjC;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,CAkBnD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CACjC,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,MAAM,GACrB,CAAC,MAAM,EAAE,MAAM,CAAC,CA+BlB"}

package/dist/esm/util/arn.js

@@ -0,0 +1,64 @@
+// Copied from https://github.com/cloud-copilot/iam-simulate/blob/main/src/util.ts
+/**
+ * Split an ARN into its parts
+ *
+ * @param arn the arn to split
+ * @returns the parts of the ARN
+ */
+export function splitArnParts(arn) {
+    const parts = arn.split(':');
+    const partition = parts.at(1);
+    const service = parts.at(2);
+    const region = parts.at(3);
+    const accountId = parts.at(4);
+    const resource = parts.slice(5).join(':');
+    const [resourceType, resourcePath] = getResourceSegments(service, accountId, region, resource);
+    return {
+        partition,
+        service,
+        region,
+        accountId,
+        resource,
+        resourceType,
+        resourcePath
+    };
+}
+/**
+ * Get the product/id segments of the resource portion of an ARN.
+ * The first segment is the product segment and the second segment is the resource id segment.
+ * This could be split by a colon or a slash, so it checks for both. It also checks for S3 buckets/objects.
+ *
+ * @param resource The resource to get the resource segments. Must be an ARN resource.
+ * @returns a tuple with the first segment being the product segment (without the separator) and the second segment being the resource id.
+ */
+export function getResourceSegments(service, accountId, region, resourceString) {
+    // This is terrible, and I hate it
+    if ((service === 's3' && accountId === '' && region === '') ||
+        service === 'sns' ||
+        service === 'sqs') {
+        return ['', resourceString];
+    }
+    if (resourceString.startsWith('/')) {
+        resourceString = resourceString.slice(1);
+    }
+    const slashIndex = resourceString.indexOf('/');
+    const colonIndex = resourceString.indexOf(':');
+    let splitIndex = slashIndex;
+    if (slashIndex != -1 && colonIndex != -1) {
+        splitIndex = Math.min(slashIndex, colonIndex) + 1;
+    }
+    else if (slashIndex == -1 && colonIndex == -1) {
+        splitIndex = resourceString.length + 1;
+    }
+    else if (colonIndex == -1) {
+        splitIndex = slashIndex + 1;
+    }
+    else if (slashIndex == -1) {
+        splitIndex = colonIndex + 1;
+    }
+    else {
+        throw new Error(`Unable to split resource ${resourceString}`);
+    }
+    return [resourceString.slice(0, splitIndex - 1), resourceString.slice(splitIndex)];
+}
+//# sourceMappingURL=arn.js.map

package/dist/esm/util/arn.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"arn.js","sourceRoot":"","sources":["../../../src/util/arn.ts"],"names":[],"mappings":"AAAA,kFAAkF;AAYlF;;;;;GAKG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC5B,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAC7B,MAAM,OAAO,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC5B,MAAM,MAAM,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC3B,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,CAAC,CAAE,CAAA;IAC9B,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACzC,MAAM,CAAC,YAAY,EAAE,YAAY,CAAC,GAAG,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAA;IAE9F,OAAO;QACL,SAAS;QACT,OAAO;QACP,MAAM;QACN,SAAS;QACT,QAAQ;QACR,YAAY;QACZ,YAAY;KACb,CAAA;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,OAAe,EACf,SAAiB,EACjB,MAAc,EACd,cAAsB;IAEtB,kCAAkC;IAClC,IACE,CAAC,OAAO,KAAK,IAAI,IAAI,SAAS,KAAK,EAAE,IAAI,MAAM,KAAK,EAAE,CAAC;QACvD,OAAO,KAAK,KAAK;QACjB,OAAO,KAAK,KAAK,EACjB,CAAC;QACD,OAAO,CAAC,EAAE,EAAE,cAAc,CAAC,CAAA;IAC7B,CAAC;IAED,IAAI,cAAc,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,cAAc,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAC1C,CAAC;IAED,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAC9C,MAAM,UAAU,GAAG,cAAc,CAAC,OAAO,CAAC,GAAG,CAAC,CAAA;IAE9C,IAAI,UAAU,GAAG,UAAU,CAAA;IAC3B,IAAI,UAAU,IAAI,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QACzC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,UAAU,CAAC,GAAG,CAAC,CAAA;IACnD,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAChD,UAAU,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAA;IACxC,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,IAAI,UAAU,IAAI,CAAC,CAAC,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,GAAG,CAAC,CAAA;IAC7B,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,4BAA4B,cAAc,EAAE,CAAC,CAAA;IAC/D,CAAC;IAED,OAAO,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,GAAG,CAAC,CAAC,EAAE,cAAc,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAA;AACpF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cloud-copilot/iam-lens",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Visibility in IAM in and across AWS accounts",
   "keywords": [
     "aws",
@@ -105,5 +105,10 @@
         }
       ]
     ]
+  },
+  "dependencies": {
+    "@cloud-copilot/iam-collect": "^0.1.63",
+    "@cloud-copilot/iam-policy": "^0.1.24",
+    "@cloud-copilot/iam-simulate": "^0.1.35"
   }
 }