cartography 0.100.0rc4__py3-none-any.whl → 0.101.0rc2__py3-none-any.whl

cartography/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.100.0rc4'
-__version_tuple__ = version_tuple = (0, 100, 0)
+__version__ = version = '0.101.0rc2'
+__version_tuple__ = version_tuple = (0, 101, 0)

cartography/data/jobs/scoped_analysis/aws_ec2_iaminstanceprofile.json

@@ -0,0 +1,15 @@
+{
+    "name": "EC2 Instances assume IAM roles",
+    "statements": [
+        {
+            "__comment": "Create STS_ASSUMEROLE_ALLOW relationships from EC2 instances to the IAM roles they can assume via their iaminstanceprofiles",
+            "query":"MATCH (aa:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(i:EC2Instance)-[:INSTANCE_PROFILE]->(p:AWSInstanceProfile)-[:ASSOCIATED_WITH]->(r:AWSRole)\nMERGE (i)-[s:STS_ASSUMEROLE_ALLOW]->(r)\nON CREATE SET s.firstseen = timestamp(), s.lastupdated = $UPDATE_TAG",
+            "iterative": true
+        },
+        {
+            "__comment": "Cleanup",
+            "query":"MATCH (aa:AWSAccount{id: $AWS_ID})-[:RESOURCE]->(:EC2Instance)-[s:STS_ASSUMEROLE_ALLOW]->(:AWSRole)\nWHERE s.lastupdated <> $UPDATE_TAG\nDELETE s",
+            "iterative": true
+        }
+    ]
+}

cartography/graph/querybuilder.py

@@ -109,7 +109,10 @@ def _build_match_clause(matcher: TargetNodeMatcher) -> str:
     return ', '.join(match.safe_substitute(Key=key, PropRef=prop_ref) for key, prop_ref in matcher_asdict.items())
 
 
-def _build_where_clause_for_rel_match(node_var: str, matcher: TargetNodeMatcher) -> str:
+def _build_where_clause_for_rel_match(
+        node_var: str,
+        matcher: TargetNodeMatcher,
+) -> str:
     """
     Same as _build_match_clause, but puts the matching logic in a WHERE clause.
     This is intended specifically to use for joining with relationships where we need a case-insensitive match.
@@ -119,6 +122,8 @@ def _build_where_clause_for_rel_match(node_var: str, matcher: TargetNodeMatcher)
     match = Template("$node_var.$key = $prop_ref")
     case_insensitive_match = Template("toLower($node_var.$key) = toLower($prop_ref)")
     fuzzy_and_ignorecase_match = Template("toLower($node_var.$key) CONTAINS toLower($prop_ref)")
+    # This assumes that item.$prop_ref points to a list available on the data object
+    one_to_many_match = Template("$node_var.$key IN $prop_ref")
 
     matcher_asdict = asdict(matcher)
 
@@ -128,6 +133,9 @@ def _build_where_clause_for_rel_match(node_var: str, matcher: TargetNodeMatcher)
             prop_line = case_insensitive_match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)
         elif prop_ref.fuzzy_and_ignore_case:
             prop_line = fuzzy_and_ignorecase_match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)
+        elif prop_ref.one_to_many:
+            # Allow a single node to be attached to multiple others at once using a list of IDs provided in kwargs
+            prop_line = one_to_many_match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)
         else:
             # Exact match (default; most efficient)
             prop_line = match.safe_substitute(node_var=node_var, key=key, prop_ref=prop_ref)

cartography/graph/statement.py

@@ -73,7 +73,8 @@ class GraphStatement:
         if self.iterative:
             self._run_iterative(session)
         else:
-            session.write_transaction(self._run_noniterative).consume()
+            session.write_transaction(self._run_noniterative)
+
         logger.info(f"Completed {self.parent_job_name} statement #{self.parent_job_sequence_num}")
 
     def as_dict(self) -> Dict[str, Any]:
@@ -87,14 +88,17 @@ class GraphStatement:
             "iterationsize": self.iterationsize,
         }
 
-    def _run_noniterative(self, tx: neo4j.Transaction) -> neo4j.Result:
+    def _run_noniterative(self, tx: neo4j.Transaction) -> neo4j.ResultSummary:
         """
         Non-iterative statement execution.
+        Returns a ResultSummary instead of Result to avoid ResultConsumedError.
         """
         result: neo4j.Result = tx.run(self.query, self.parameters)
 
-        # Handle stats
+        # Ensure we consume the result inside the transaction
         summary: neo4j.ResultSummary = result.consume()
+
+        # Handle stats
         stat_handler.incr('constraints_added', summary.counters.constraints_added)
         stat_handler.incr('constraints_removed', summary.counters.constraints_removed)
         stat_handler.incr('indexes_added', summary.counters.indexes_added)
@@ -107,7 +111,7 @@ class GraphStatement:
         stat_handler.incr('relationships_created', summary.counters.relationships_created)
         stat_handler.incr('relationships_deleted', summary.counters.relationships_deleted)
 
-        return result
+        return summary
 
     def _run_iterative(self, session: neo4j.Session) -> None:
         """
@@ -118,14 +122,10 @@ class GraphStatement:
         self.parameters["LIMIT_SIZE"] = self.iterationsize
 
         while True:
-            result: neo4j.Result = session.write_transaction(self._run_noniterative)
+            summary: neo4j.ResultSummary = session.write_transaction(self._run_noniterative)
 
-            # Exit if we have finished processing all items
-            if not result.consume().counters.contains_updates:
-                # Ensure network buffers are cleared
-                result.consume()
+            if not summary.counters.contains_updates:
                 break
-            result.consume()
 
     @classmethod
     def create_from_json(

cartography/intel/aws/__init__.py

@@ -20,6 +20,7 @@ from cartography.util import merge_module_sync_metadata
 from cartography.util import run_analysis_and_ensure_deps
 from cartography.util import run_analysis_job
 from cartography.util import run_cleanup_job
+from cartography.util import run_scoped_analysis_job
 from cartography.util import timeit
 
 
@@ -75,7 +76,7 @@ def _sync_one_account(
     if 'resourcegroupstaggingapi' in aws_requested_syncs:
         RESOURCE_FUNCTIONS['resourcegroupstaggingapi'](**sync_args)
 
-    run_analysis_job(
+    run_scoped_analysis_job(
         'aws_ec2_iaminstanceprofile.json',
         neo4j_session,
         common_job_parameters,
@@ -211,6 +212,9 @@ def _perform_aws_analysis(
         neo4j_session: neo4j.Session,
         common_job_parameters: Dict[str, Any],
 ) -> None:
+    """
+    Performs AWS analysis jobs that span multiple accounts.
+    """
     requested_syncs_as_set = set(requested_syncs)
 
     ec2_asset_exposure_requirements = {

cartography/intel/aws/ec2/launch_templates.py

@@ -35,13 +35,29 @@ def get_launch_templates(
 def get_launch_template_versions(
     boto3_session: boto3.session.Session,
     region: str,
+    launch_templates: list[dict[str, Any]],
 ) -> list[dict[str, Any]]:
-    client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
-    paginator = client.get_paginator('describe_launch_template_versions')
     template_versions: list[dict[str, Any]] = []
-    for page in paginator.paginate():
-        paginated_versions = page['LaunchTemplateVersions']
-        template_versions.extend(paginated_versions)
+    for template in launch_templates:
+        launch_template_id = template['LaunchTemplateId']
+        versions = get_launch_template_versions_by_template(boto3_session, launch_template_id, region)
+        template_versions.extend(versions)
+
+    return template_versions
+
+
+@timeit
+@aws_handle_regions
+def get_launch_template_versions_by_template(
+        boto3_session: boto3.session.Session,
+        launch_template_id: str,
+        region: str,
+) -> list[dict[str, Any]]:
+    client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
+    v_paginator = client.get_paginator('describe_launch_template_versions')
+    template_versions = []
+    for versions in v_paginator.paginate(LaunchTemplateId=launch_template_id):
+        template_versions.extend(versions['LaunchTemplateVersions'])
     return template_versions
 
 
@@ -140,7 +156,7 @@ def sync_ec2_launch_templates(
     for region in regions:
         logger.info(f"Syncing launch templates for region '{region}' in account '{current_aws_account_id}'.")
         templates = get_launch_templates(boto3_session, region)
-        versions = get_launch_template_versions(boto3_session, region)
+        versions = get_launch_template_versions(boto3_session, region, templates)
         templates = transform_launch_templates(templates)
         load_launch_templates(neo4j_session, templates, region, current_aws_account_id, update_tag)
         versions = transform_launch_template_versions(versions)

cartography/intel/aws/iam_instance_profiles.py

@@ -0,0 +1,73 @@
+from typing import Any
+
+import boto3
+import neo4j
+
+from cartography.client.core.tx import load
+from cartography.intel.aws.ec2.util import get_botocore_config
+from cartography.models.aws.iam.instanceprofile import InstanceProfileSchema
+from cartography.util import aws_handle_regions
+from cartography.util import timeit
+
+
+@timeit
+@aws_handle_regions
+def get_iam_instance_profiles(boto3_session: boto3.Session) -> list[dict[str, Any]]:
+    client = boto3_session.client('iam', config=get_botocore_config())
+    paginator = client.get_paginator('list_instance_profiles')
+    instance_profiles = []
+    for page in paginator.paginate():
+        instance_profiles.extend(page['InstanceProfiles'])
+    return instance_profiles
+
+
+def transform_instance_profiles(data: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    transformed = []
+    for profile in data:
+        transformed_profile = {
+            'Arn': profile['Arn'],
+            'CreateDate': profile['CreateDate'],
+            'InstanceProfileId': profile['InstanceProfileId'],
+            'InstanceProfileName': profile['InstanceProfileName'],
+            'Path': profile['Path'],
+            'Roles': [role['Arn'] for role in profile.get('Roles', [])],
+        }
+        transformed.append(transformed_profile)
+    return transformed
+
+
+@timeit
+def load_iam_instance_profiles(
+        neo4j_session: neo4j.Session,
+        data: list[dict[str, Any]],
+        current_aws_account_id: str,
+        update_tag: int,
+        common_job_parameters: dict[str, Any],
+) -> None:
+    load(
+        neo4j_session,
+        InstanceProfileSchema(),
+        data,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
+    )
+
+
+@timeit
+def sync_iam_instance_profiles(
+        boto3_session: boto3.Session,
+        neo4j_session: neo4j.Session,
+        current_aws_account_id: str,
+        update_tag: int,
+        regions: list[str],
+        common_job_parameters: dict[str, Any],
+) -> None:
+    profiles = get_iam_instance_profiles(boto3_session)
+    profiles = transform_instance_profiles(profiles)
+    load_iam_instance_profiles(
+        neo4j_session,
+        profiles,
+        common_job_parameters['AWS_ID'],
+        common_job_parameters['UPDATE_TAG'],
+        common_job_parameters,
+    )

cartography/intel/aws/resources.py

@@ -1,3 +1,4 @@
+from typing import Callable
 from typing import Dict
 
 from . import apigateway
@@ -43,9 +44,11 @@ from .ec2.tgw import sync_transit_gateways
 from .ec2.volumes import sync_ebs_volumes
 from .ec2.vpc import sync_vpc
 from .ec2.vpc_peerings import sync_vpc_peerings
+from .iam_instance_profiles import sync_iam_instance_profiles
 
-RESOURCE_FUNCTIONS: Dict = {
+RESOURCE_FUNCTIONS: Dict[str, Callable[..., None]] = {
     'iam': iam.sync,
+    'iaminstanceprofiles': sync_iam_instance_profiles,
     's3': s3.sync,
     'dynamodb': dynamodb.sync,
     'ec2:launch_templates': sync_ec2_launch_templates,

cartography/intel/gcp/__init__.py

@@ -254,6 +254,30 @@ def _sync_single_project_dns(
         dns.sync(neo4j_session, dns_cred, project_id, gcp_update_tag, common_job_parameters)
 
 
+def _sync_single_project_iam(
+    neo4j_session: neo4j.Session,
+    resources: Resource,
+    project_id: str,
+    gcp_update_tag: int,
+    common_job_parameters: Dict,
+) -> None:
+    """
+    Handles graph sync for a single GCP project's IAM resources.
+    :param neo4j_session: The Neo4j session
+    :param resources: namedtuple of the GCP resource objects
+    :param project_id: The project ID number to sync.  See  the `projectId` field in
+    https://cloud.google.com/resource-manager/reference/rest/v1/projects
+    :param gcp_update_tag: The timestamp value to set our new Neo4j nodes with
+    :param common_job_parameters: Other parameters sent to Neo4j
+    :return: Nothing
+    """
+    # Determine if IAM service is enabled
+    enabled_services = _services_enabled_on_project(resources.serviceusage, project_id)
+    iam_cred = _get_iam_resource(get_gcp_credentials())
+    if service_names.iam in enabled_services:
+        iam.sync(neo4j_session, iam_cred, project_id, gcp_update_tag, common_job_parameters)
+
+
 def _sync_multiple_projects(
     neo4j_session: neo4j.Session, resources: Resource, projects: List[Dict],
     gcp_update_tag: int, common_job_parameters: Dict,
@@ -300,13 +324,7 @@ def _sync_multiple_projects(
     for project in projects:
         project_id = project['projectId']
         logger.info("Syncing GCP project %s for IAM", project_id)
-        iam.sync(
-            neo4j_session,
-            resources.iam,
-            project_id,
-            gcp_update_tag,
-            common_job_parameters,
-        )
+        _sync_single_project_iam(neo4j_session, resources, project_id, gcp_update_tag, common_job_parameters)
 
 
 @timeit

cartography/intel/gsuite/__init__.py

@@ -23,7 +23,6 @@ OAUTH_SCOPES = [
     'https://www.googleapis.com/auth/admin.directory.user.readonly',
     'https://www.googleapis.com/auth/admin.directory.group.readonly',
     'https://www.googleapis.com/auth/admin.directory.group.member',
-    'https://www.googleapis.com/auth/cloud-platform',
 ]
 
 logger = logging.getLogger(__name__)

cartography/models/aws/ec2/instances.py

@@ -71,6 +71,22 @@ class EC2InstanceToEC2Reservation(CartographyRelSchema):
     properties: EC2InstanceToEC2ReservationRelProperties = EC2InstanceToEC2ReservationRelProperties()
 
 
+@dataclass(frozen=True)
+class EC2InstanceToInstanceProfileRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class EC2InstanceToInstanceProfile(CartographyRelSchema):
+    target_node_label: str = 'AWSInstanceProfile'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'arn': PropertyRef('IamInstanceProfile')},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "INSTANCE_PROFILE"
+    properties: EC2InstanceToInstanceProfileRelProperties = EC2InstanceToInstanceProfileRelProperties()
+
+
 @dataclass(frozen=True)
 class EC2InstanceSchema(CartographyNodeSchema):
     label: str = 'EC2Instance'
@@ -79,5 +95,6 @@ class EC2InstanceSchema(CartographyNodeSchema):
     other_relationships: OtherRelationships = OtherRelationships(
         [
             EC2InstanceToEC2Reservation(),
+            EC2InstanceToInstanceProfile(),  # Add the new relationship
         ],
     )

cartography/models/aws/iam/instanceprofile.py

@@ -0,0 +1,67 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class InstanceProfileNodeProperties(CartographyNodeProperties):
+    """
+    Schema describing a InstanceProfile.
+    """
+    arn: PropertyRef = PropertyRef('Arn')
+    createdate: PropertyRef = PropertyRef('CreateDate')
+    id: PropertyRef = PropertyRef('Arn')
+    instance_profile_id: PropertyRef = PropertyRef('InstanceProfileId')
+    instance_profile_name: PropertyRef = PropertyRef('InstanceProfileName')
+    path: PropertyRef = PropertyRef('Path')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class InstanceProfileToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class InstanceProfileToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: InstanceProfileToAwsAccountRelProperties = InstanceProfileToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class InstanceProfileToAWSRoleRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class InstanceProfileToAWSRole(CartographyRelSchema):
+    target_node_label: str = 'AWSRole'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'arn': PropertyRef('Roles', one_to_many=True)},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "ASSOCIATED_WITH"
+    properties: InstanceProfileToAWSRoleRelProperties = InstanceProfileToAWSRoleRelProperties()
+
+
+@dataclass(frozen=True)
+class InstanceProfileSchema(CartographyNodeSchema):
+    label: str = 'AWSInstanceProfile'
+    properties: InstanceProfileNodeProperties = InstanceProfileNodeProperties()
+    sub_resource_relationship: InstanceProfileToAWSAccount = InstanceProfileToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships([
+        InstanceProfileToAWSRole(),
+    ])

cartography/models/core/common.py

@@ -9,12 +9,13 @@ class PropertyRef:
     """
 
     def __init__(
-        self,
-        name: str,
-        set_in_kwargs=False,
-        extra_index=False,
-        ignore_case=False,
-        fuzzy_and_ignore_case=False,
+            self,
+            name: str,
+            set_in_kwargs=False,
+            extra_index=False,
+            ignore_case=False,
+            fuzzy_and_ignore_case=False,
+            one_to_many=False,
     ):
         """
         :param name: The name of the property
@@ -44,19 +45,49 @@ class PropertyRef:
         this property using the `CONTAINS` operator.
         query. Defaults to False. This only has effect as part of a TargetNodeMatcher and is not supported for the
         sub resource relationship.
+        :param one_to_many: Indicates that this property is meant to create one-to-many associations. If set to True,
+        this property ref points to a list stored on the data dict where each item is an ID. Only has effect as
+        part of a TargetNodeMatcher and is not supported for the sub resource relationship. Defaults to False.
+            Example on why you would set this to True:
+            AWS IAM instance profiles can be associated with one or more roles. This is reflected in their API object:
+            when we call describe-iam-instance-profiles, the `Roles` field contains a list of all the roles that the
+            profile is associated with. So, to create AWSInstanceProfile nodes while attaching them to multiple roles,
+            we can create a CartographyRelSchema with
+            ```
+            class InstanceProfileSchema(Schema):
+                target_node_label: str = 'AWSRole'
+                target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+                    'arn': PropertyRef('Roles', one_to_many=True),
+                )
+                ...
+            ```
+            This means that as we create AWSInstanceProfile nodes, we will search for AWSRoles to attach to, and we do
+            this by checking if each role's `arn` field is in the `Roles` list of the data dict.
         """
         self.name = name
         self.set_in_kwargs = set_in_kwargs
         self.extra_index = extra_index
         self.ignore_case = ignore_case
         self.fuzzy_and_ignore_case = fuzzy_and_ignore_case
+        self.one_to_many = one_to_many
+
         if self.fuzzy_and_ignore_case and self.ignore_case:
             raise ValueError(
                 f'Error setting PropertyRef "{self.name}": ignore_case cannot be used together with'
                 'fuzzy_and_ignore_case. Pick one or the other.',
             )
 
+        if self.one_to_many and (self.ignore_case or self.fuzzy_and_ignore_case):
+            raise ValueError(
+                f'Error setting PropertyRef "{self.name}": one_to_many cannot be used together with '
+                '`ignore_case` or `fuzzy_and_ignore_case`.',
+            )
+
     def _parameterize_name(self) -> str:
+        """
+        Prefixes the name of the property ref with a '$' so that we can receive keyword args. See docs on __repr__ for
+        PropertyRef.
+        """
         return f"${self.name}"
 
     def __repr__(self) -> str:

{cartography-0.100.0rc4.dist-info → cartography-0.101.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: cartography
-Version: 0.100.0rc4
+Version: 0.101.0rc2
 Summary: Explore assets and their relationships across your technical infrastructure.
 Maintainer: Cartography Contributors
 License: apache2
@@ -26,7 +26,7 @@ Requires-Dist: backoff>=2.1.2
 Requires-Dist: boto3>=1.15.1
 Requires-Dist: botocore>=1.18.1
 Requires-Dist: dnspython>=1.15.0
-Requires-Dist: neo4j<5.0.0,>=4.4.4
+Requires-Dist: neo4j>=4.4.4
 Requires-Dist: policyuniverse>=1.1.0.0
 Requires-Dist: google-api-python-client>=1.7.8
 Requires-Dist: google-auth>=2.37.0
@@ -62,7 +62,8 @@ Requires-Dist: pytest-mock; extra == "dev"
 Requires-Dist: pytest-cov==6.0.0; extra == "dev"
 Requires-Dist: pytest-rerunfailures; extra == "dev"
 Requires-Dist: types-PyYAML; extra == "dev"
-Requires-Dist: types-requests<2.32.0.20250302; extra == "dev"
+Requires-Dist: types-requests<2.32.0.20250307; extra == "dev"
+Dynamic: license-file
 
 ![Cartography](docs/root/images/logo-horizontal.png)
 

{cartography-0.100.0rc4.dist-info → cartography-0.101.0rc2.dist-info}/RECORD

@@ -1,6 +1,6 @@
 cartography/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/__main__.py,sha256=JftXT_nUPkqcEh8uxCCT4n-OyHYqbldEgrDS-4ygy0U,101
-cartography/_version.py,sha256=XNabPAacgLtT7W1DDFP4RS2MjLNRDWXmvHKjCNXBM9A,518
+cartography/_version.py,sha256=IBK6fMF_VPqJpOaJyK9R7AWPwDA7KRC-K8f8sNJSVFk,518
 cartography/cli.py,sha256=-77DOKUQn3N-TDIi55V4RHLb3k36ZGZ64o1XgiT0qmE,33370
 cartography/config.py,sha256=ZcadsKmooAkti9Kv0eDl8Ec1PcZDu3lWobtNaCnwY3k,11872
 cartography/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -18,8 +18,6 @@ cartography/data/permission_relationships.yaml,sha256=RuKGGc_3ZUQ7ag0MssB8k_zaon
 cartography/data/jobs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/data/jobs/analysis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/data/jobs/analysis/aws_ec2_asset_exposure.json,sha256=wSR_-0TbieAMSFOWpNZohgbDHooa-F6jHm8DxdntLOY,3397
-cartography/data/jobs/analysis/aws_ec2_iaminstance.json,sha256=98wfe8pjwS-iQIjUpM1rxuASdxk7BGl9ooigrwfpmvU,500
-cartography/data/jobs/analysis/aws_ec2_iaminstanceprofile.json,sha256=7M8k0p0SvSYVzCk358FnUQ865IX25TyumtHTXqZS-t8,526
 cartography/data/jobs/analysis/aws_ec2_keypair_analysis.json,sha256=_ZBczunZbx5NHAbfVc4v6vJsbyl1xaePLzj4cyxW-4A,1741
 cartography/data/jobs/analysis/aws_eks_asset_exposure.json,sha256=Z6z4YTNJJqUJl2JqONeAYAvfH_2A9qEBxkFn-aou8D8,561
 cartography/data/jobs/analysis/aws_foreign_accounts.json,sha256=b8Li_KQLwIvNXxWt0F1bVTV1Vg9dxsbr7ZE8LH2-woc,686
@@ -116,6 +114,7 @@ cartography/data/jobs/cleanup/okta_groups_cleanup.json,sha256=cBI3f_okl4pnVH48L1
 cartography/data/jobs/cleanup/okta_import_cleanup.json,sha256=4XQwYpY9vITLhnLpijMVa5PxO0Tm38CcMydnbPdQPm0,3798
 cartography/data/jobs/cleanup/pagerduty_import_cleanup.json,sha256=RJqG_Uw_QEGTer_-s2IuZ3a2kykhUcCdDNZu0S7SEB4,4457
 cartography/data/jobs/scoped_analysis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cartography/data/jobs/scoped_analysis/aws_ec2_iaminstanceprofile.json,sha256=hzFlYNozrAiTh96qGlQSwTt3yzlDEUXF3OfxMMZTGgU,808
 cartography/data/jobs/scoped_analysis/semgrep_sca_risk_analysis.json,sha256=eIYxbl5TdgVzN8En2JozWoyKAiIh3Dp8wUMkTDPGZY0,6485
 cartography/driftdetect/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/driftdetect/__main__.py,sha256=Sz24Kxy5x6RC3GQEkuUDXzjOV3SvlHVkZdvPl1GLl5E,125
@@ -134,13 +133,13 @@ cartography/graph/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU
 cartography/graph/cleanupbuilder.py,sha256=zZc7SvRz23sU_VN-RrHoyhug7dRZlqbbLwHbrlPdVik,9411
 cartography/graph/context.py,sha256=RGxGb8EnxowcqjR0nFF86baNhgRHeUF9wjIoFUoG8LU,1230
 cartography/graph/job.py,sha256=RZWsbNhHuJlcSpw4C73ZuovRTp7kGrcm3X9yUH8vT1Q,7488
-cartography/graph/querybuilder.py,sha256=7DtIGPlfeKcIWKw_ReCAX1OeUkhSnIRV_reeVaKL6I4,20416
-cartography/graph/statement.py,sha256=VsqG46ty_Mm87fr8YdIwfr6a82OUXU7yZe6S-Py9hZg,5345
+cartography/graph/querybuilder.py,sha256=m-BQ70yB8auP3qsa5nlsj6bwela_5A6f0vuFI0YoAXk,20839
+cartography/graph/statement.py,sha256=Dr6wrlmodUwwh8jnMVaHZAuxrkYyTASokQcmn9AnA9E,5311
 cartography/intel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/intel/analysis.py,sha256=gHtN42NqqLL1G5MOm2Q6rMyg-V5lU_wqbnKp5hbOOao,1499
 cartography/intel/create_indexes.py,sha256=HM2jB2v3NZvGqgVDtNoBQRVpkei_JXcYXqM14w8Rjss,741
 cartography/intel/dns.py,sha256=M-WSiGQoxWZsl0sg-2SDR8OD8e1Rexkt2Tbb2OpeioA,5596
-cartography/intel/aws/__init__.py,sha256=siRhVNypfGxMPNIXHSjfYbLX9qlB6RYyN6aWX64N-t8,11076
+cartography/intel/aws/__init__.py,sha256=g9NPDlIlvOi2oDCq0VY09kxv0TaD1wihFQLdOcJyk18,11212
 cartography/intel/aws/apigateway.py,sha256=w4QdxlwnVegKKsZFfoI36i-FGlIUjzxzaayZyz9oQvM,11654
 cartography/intel/aws/config.py,sha256=wrZbz7bc8vImLmRvTLkPcWnjjPzk3tOG4bB_BFS2lq8,7329
 cartography/intel/aws/dynamodb.py,sha256=LZ6LGNThLi0zC3eLMq2JN3mwiSwZeaH58YQQHvsXMGE,5013
@@ -151,6 +150,7 @@ cartography/intel/aws/elasticache.py,sha256=fCI47aDFmIDyE26GiReKYb6XIZUwrzcvsXBQ
 cartography/intel/aws/elasticsearch.py,sha256=ZL7MkXF_bXRSoXuDSI1dwGckRLG2zDB8LuAD07vSLnE,8374
 cartography/intel/aws/emr.py,sha256=xhWBVZngxJRFjMEDxwq3G6SgytRGLq0v2a_CeDvByR0,3372
 cartography/intel/aws/iam.py,sha256=zRlF9cKcYm44iL63G6bd-_flNOFHVrjsEfW0jZHpUNg,32387
+cartography/intel/aws/iam_instance_profiles.py,sha256=-bjBqhqni6n3SN2eFwy8bUufNAoshjRuxFB5dxD31ow,2255
 cartography/intel/aws/identitycenter.py,sha256=OnyvsSfn6AszB2e9dPAsGmzgne0zq0_7Ta0A6k_l_TE,8956
 cartography/intel/aws/inspector.py,sha256=S22ZgRKEnmnBTJ-u0rodqRPB7_LkSIek47NeBxN4XJw,9336
 cartography/intel/aws/kms.py,sha256=bZUzMxAH_DsAcGTJBs08gg2tLKYu-QWjvMvV9C-6v50,11731
@@ -160,7 +160,7 @@ cartography/intel/aws/permission_relationships.py,sha256=IarV9gt5BaplZ5TPo_mfypt
 cartography/intel/aws/rds.py,sha256=vnlNYmrO2Cc0PNn31CeG2QwYhwjVosbQFE9Ol1vQyLE,25252
 cartography/intel/aws/redshift.py,sha256=KOqiXIllHmtPTeaNGl-cX4srY5pFE6o12j8MQ5-zWpc,6694
 cartography/intel/aws/resourcegroupstaggingapi.py,sha256=I2VrL-oplGj2Jyhbo312V6vnER_FXpJRrc6OBJ-_VmI,10375
-cartography/intel/aws/resources.py,sha256=A8Dc3PtCfDyk5a1ZgAoHthhDPS6aWN_kR0PLwnHdC0Q,3370
+cartography/intel/aws/resources.py,sha256=lg5j0z6Iwj16Gv25yuAb3gHG6x4vOfRNm43FoOVRfqg,3541
 cartography/intel/aws/route53.py,sha256=IYqeQud1HuHnf11A7T-Jeif5DWgjpaaU-Jfr2cLUc_o,14099
 cartography/intel/aws/s3.py,sha256=SVxUMtMSkbdjZv5qOSYIbYb8BQa-QTojbHG85-EFWLA,27034
 cartography/intel/aws/secretsmanager.py,sha256=YogwRPT6qZPVg5HrND71zI-nNn60oxoWaW7eUlhuTS0,3304
@@ -174,7 +174,7 @@ cartography/intel/aws/ec2/images.py,sha256=SLoxcy_PQgNomVMDMdutm0zXJCOLosiHJlN63
 cartography/intel/aws/ec2/instances.py,sha256=uI8eVJmeEybS8y_T8CVKAkwxJyVDCH7sbuEJYeWGSWY,12468
 cartography/intel/aws/ec2/internet_gateways.py,sha256=dI-4-85_3DGGZZBcY_DN6XqESx9P26S6jKok314lcnQ,2883
 cartography/intel/aws/ec2/key_pairs.py,sha256=g4imIo_5jk8upq9J4--erg-OZXG2i3cJMe6SnNCYj9s,2635
-cartography/intel/aws/ec2/launch_templates.py,sha256=9s7opSzdpErDzxknAsPOXb63Cr0BJM4S-wcxFuInFXs,5346
+cartography/intel/aws/ec2/launch_templates.py,sha256=uw0_knQW0DGFgD4BUyaxYW0RpWyA_oXcDe-oT6MEaps,5902
 cartography/intel/aws/ec2/load_balancer_v2s.py,sha256=95FfQQn740gexINIHDJizOM4OKzRtQT_y2XQMipQ5Dg,8661
 cartography/intel/aws/ec2/load_balancers.py,sha256=1GwErzGqi3BKCARqfGJcD_r_D84rFKVy5kNMas9jAok,6756
 cartography/intel/aws/ec2/network_acls.py,sha256=_UiOx79OxcqH0ecRjcVMglAzz5XJ4aVYLlv6dl_ism4,6809
@@ -220,7 +220,7 @@ cartography/intel/duo/phones.py,sha256=ueJheqSLD2xYcMus5eOiixPYS3_xVjgQzeomjV2a6
 cartography/intel/duo/tokens.py,sha256=bEEnjfc4waQnkRHVSnZLAeGE8wHOOZL7FA9m80GGQdQ,2396
 cartography/intel/duo/users.py,sha256=lc7ly_XKeUjJ50szw31WT_GiCrZfGKJv1zVUpmTchh4,4097
 cartography/intel/duo/web_authn_credentials.py,sha256=IbDf3CWqfEyI7f9zJugUvoDd6vZOECfb_7ANZaRYzuk,2636
-cartography/intel/gcp/__init__.py,sha256=csFnE0_lznp3UfJZZSCCWF0gzdf_qz7sXuMzzZs_NvY,16516
+cartography/intel/gcp/__init__.py,sha256=iJPcmkXjMITBf2h9CFJ5-vpLMNRzReoKIazNihRPrNA,17472
 cartography/intel/gcp/compute.py,sha256=CH2cBdOwbLZCAbkfRJkkI-sFybXVKRWEUGDJANQmvyA,48333
 cartography/intel/gcp/crm.py,sha256=Uw5PILhVFhpM8gq7uu2v7F_YikDW3gsTZ3d7-e8Z1_k,12324
 cartography/intel/gcp/dns.py,sha256=y2pvbmV04cnrMyuu_nbW3oc7uwHX6yEzn1n7veCsjmk,7748
@@ -232,7 +232,7 @@ cartography/intel/github/repos.py,sha256=MmpxZASDJFQxDeSMxX3pZcpxCHFPos4_uYC_cX9
 cartography/intel/github/teams.py,sha256=AltQSmBHHmyzBtnRkez9Bo5yChEKBSt3wwzhGcfqmX4,14180
 cartography/intel/github/users.py,sha256=MCLE0V0UCzQm3k3KmrNe6PYkI6usRQZYy2rCN3mT8o0,8948
 cartography/intel/github/util.py,sha256=K0cXOPuhnGvN-aqcSUBO3vTuKQLjufVal9kn2HwOpbo,8110
-cartography/intel/gsuite/__init__.py,sha256=FZS4WVCjOCvGqrq2E-yhZ_dtViQSy1srs_YEohibpWU,5466
+cartography/intel/gsuite/__init__.py,sha256=R3hMZkaRQKHIPcvNpupwJuj7w1RuBrT4skGQASqxyOk,5412
 cartography/intel/gsuite/api.py,sha256=bx0mPn6x6fgssxgm343NHdwjbtFkO6SZTucOsoW0Hgk,11143
 cartography/intel/jamf/__init__.py,sha256=Nof-LrUeevoieo6oP2GyfTwx8k5TUIgreW6hSj53YjQ,419
 cartography/intel/jamf/computers.py,sha256=EfjlupQ-9HYTjOrmuwrGuJDy9ApAnJvk8WrYcp6_Jkk,1673
@@ -290,7 +290,7 @@ cartography/models/aws/dynamodb/tables.py,sha256=iNTnI0FLdqHs0-EYGqWLGHWEy4mkSED
 cartography/models/aws/ec2/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/ec2/auto_scaling_groups.py,sha256=ImIu-i5iU_CJQ25oa2MDnOhOjL4jcpBagPiB95JUvSE,8660
 cartography/models/aws/ec2/images.py,sha256=uGhXS7Xb6sKUdwwkS0O0dWP4sIREjusUaV_unODv9gE,3012
-cartography/models/aws/ec2/instances.py,sha256=cNMHngdGNRhxoyID6AmG2F7CQGC1fYani8DV8lSKvsI,3902
+cartography/models/aws/ec2/instances.py,sha256=H2z-0pMVOmpsYORB9WfS8hHz3n-eY8qoKg5FMeXkpbg,4613
 cartography/models/aws/ec2/keypair.py,sha256=UzKj1-Oyd-xMAJeuELzkGlDNAih1H9KpBwEgCCp54T8,2235
 cartography/models/aws/ec2/keypair_instance.py,sha256=M1Ru8Z_2izW0cADAnQVVHaKsT_4FucNZnjr2DIGncJY,2943
 cartography/models/aws/ec2/launch_configurations.py,sha256=zdfWJEx93HXDXd_IzSEkhvcztkJI7_v_TCE_d8ZNAyI,2764
@@ -310,6 +310,8 @@ cartography/models/aws/ec2/subnet_networkinterface.py,sha256=JHlxfBojBw7LfJS4a5L
 cartography/models/aws/ec2/volumes.py,sha256=WSP7YNZeJE3s4wnY9QrIAbcJN3OathqNgEBX0cVahDg,4470
 cartography/models/aws/eks/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/eks/clusters.py,sha256=WeuC1wcjB_twsvgS0EMvU2wENhD-pm4t6N3HZ19x3vk,2293
+cartography/models/aws/iam/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cartography/models/aws/iam/instanceprofile.py,sha256=tZL3vuWdimrrg4Fbx8JlVfaFWZEnHVMpdoBJrduBiKM,2838
 cartography/models/aws/identitycenter/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/identitycenter/awsidentitycenter.py,sha256=lmpo-qqmMN6BMGEkBQyxmb0Nfal0qI1HetqmRmOWkSU,1988
 cartography/models/aws/identitycenter/awspermissionset.py,sha256=30BBY-XG3-rJMihKKTdUVobkdqQYWWGsFD83uTVJqkI,3539
@@ -324,7 +326,7 @@ cartography/models/bigfix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 cartography/models/bigfix/bigfix_computer.py,sha256=HQQsQPUphfkBsW8jIP0b9InNAb3vtOSWVD_GqSikkm4,3520
 cartography/models/bigfix/bigfix_root.py,sha256=GkyI0Gmnat8Q-3aQWJdCaNzKB89fY0ee4-lRvvPRLns,598
 cartography/models/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/models/core/common.py,sha256=uAMmUAY7_ENDsq-CvEZ0bQNAwdWOFRCzIQEFz7NOtmI,4316
+cartography/models/core/common.py,sha256=Bk0dCBkO9Udj9v4e8WE9mgBGaZTI170m9QpoiiYoz48,6206
 cartography/models/core/nodes.py,sha256=h5dwBOk_a2uCHZWeQz3pidr7gkqMKf7buIZgl6M1Ox4,3699
 cartography/models/core/relationships.py,sha256=6AwXvk0dq48BxqyxBpHyBXZ3dJNm65t1y4vNg4n25uA,5103
 cartography/models/cve/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -358,9 +360,9 @@ cartography/models/snipeit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJ
 cartography/models/snipeit/asset.py,sha256=FyRAaeXuZjMy0eUQcSDFcgEAF5lbLMlvqp1Tv9d3Lv4,3238
 cartography/models/snipeit/tenant.py,sha256=p4rFnpNNuF1W5ilGBbexDaETWTwavfb38RcQGoImkQI,679
 cartography/models/snipeit/user.py,sha256=MsB4MiCVNTH6JpESime7cOkB89autZOXQpL6Z0l7L6o,2113
-cartography-0.100.0rc4.dist-info/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
-cartography-0.100.0rc4.dist-info/METADATA,sha256=Ybi85b9tT6kYixO3WY-Y5TDc1El7FmVRTG_7oWyH95g,11859
-cartography-0.100.0rc4.dist-info/WHEEL,sha256=52BFRY2Up02UkjOa29eZOS2VxUrpPORXg1pkohGGUS8,91
-cartography-0.100.0rc4.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
-cartography-0.100.0rc4.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
-cartography-0.100.0rc4.dist-info/RECORD,,
+cartography-0.101.0rc2.dist-info/licenses/LICENSE,sha256=kvLEBRYaQ1RvUni6y7Ti9uHeooqnjPoo6n_-0JO1ETc,11351
+cartography-0.101.0rc2.dist-info/METADATA,sha256=Hw5knSxZNezo5gXVd5_2dMrhDDP0Vki78Nb48XgQHW0,11874
+cartography-0.101.0rc2.dist-info/WHEEL,sha256=CmyFI0kx5cdEMTLiONQRbGQwjIoR1aIYB7eCAQ4KPJ0,91
+cartography-0.101.0rc2.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
+cartography-0.101.0rc2.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
+cartography-0.101.0rc2.dist-info/RECORD,,

{cartography-0.100.0rc4.dist-info → cartography-0.101.0rc2.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (76.0.0)
+Generator: setuptools (78.1.0)
 Root-Is-Purelib: true
 Tag: py3-none-any
 

cartography/data/jobs/analysis/aws_ec2_iaminstance.json

@@ -1,10 +0,0 @@
-{
-    "name": "EC2 Instances assume IAM roles",
-    "statements": [
-        {
-            "__comment": "Create STS_ASSUMEROLE_ALLOW realtionship from ec2 instance to the associated iaminstance iam role",
-            "query":"MATCH (aa:AWSAccount)-[:RESOURCE]->(i:EC2Instance)\nWITH SPLIT(i.iaminstanceprofile, '/')[-1] AS role_name, aa, i\nMATCH (aa)-[:RESOURCE]->(r:AWSRole)\nWHERE r.arn ENDS WITH role_name\nMERGE (i)-[:STS_ASSUMEROLE_ALLOW]->(r)",
-            "iterative": false
-        }
-    ]
-}

cartography/data/jobs/analysis/aws_ec2_iaminstanceprofile.json

@@ -1,10 +0,0 @@
-{
-    "name": "EC2 Instances assume IAM roles",
-    "statements": [
-        {
-            "__comment": "Create STS_ASSUMEROLE_ALLOW realtionships from EC2 instances to the IAM roles they can assume via their iaminstanceprofiles",
-            "query":"MATCH (aa:AWSAccount)-[:RESOURCE]->(i:EC2Instance)\nWITH SPLIT(i.iaminstanceprofile, '/')[-1] AS role_name, aa, i\nMATCH (aa)-[:RESOURCE]->(r:AWSRole)\nWHERE r.arn ENDS WITH role_name\nMERGE (i)-[:STS_ASSUMEROLE_ALLOW]->(r)",
-            "iterative": false
-        }
-    ]
-}