cartography 0.101.1rc2__py3-none-any.whl → 0.102.0rc2__py3-none-any.whl

cartography/_version.py

@@ -17,5 +17,5 @@ __version__: str
 __version_tuple__: VERSION_TUPLE
 version_tuple: VERSION_TUPLE
 
-__version__ = version = '0.101.1rc2'
-__version_tuple__ = version_tuple = (0, 101, 1)
+__version__ = version = '0.102.0rc2'
+__version_tuple__ = version_tuple = (0, 102, 0)

cartography/cli.py

@@ -211,6 +211,30 @@ class CLI:
                 'The name of environment variable containing Azure Client Secret for Service Principal Authentication.'
             ),
         )
+        parser.add_argument(
+            '--entra-tenant-id',
+            type=str,
+            default=None,
+            help=(
+                'Entra Tenant Id for Service Principal Authentication.'
+            ),
+        )
+        parser.add_argument(
+            '--entra-client-id',
+            type=str,
+            default=None,
+            help=(
+                'Entra Client Id for Service Principal Authentication.'
+            ),
+        )
+        parser.add_argument(
+            '--entra-client-secret-env-var',
+            type=str,
+            default=None,
+            help=(
+                'The name of environment variable containing Entra Client Secret for Service Principal Authentication.'
+            ),
+        )
         parser.add_argument(
             '--aws-requested-syncs',
             type=str,
@@ -615,6 +639,16 @@ class CLI:
         else:
             config.azure_client_secret = None
 
+        # Entra config
+        if config.entra_tenant_id and config.entra_client_id and config.entra_client_secret_env_var:
+            logger.debug(
+                "Reading Client Secret for Entra Authentication from environment variable %s",
+                config.entra_client_secret_env_var,
+            )
+            config.entra_client_secret = os.environ.get(config.entra_client_secret_env_var)
+        else:
+            config.entra_client_secret = None
+
         # Okta config
         if config.okta_org_id and config.okta_api_key_env_var:
             logger.debug(f"Reading API key for Okta from environment variable {config.okta_api_key_env_var}")
@@ -798,5 +832,9 @@ def main(argv=None):
     logging.getLogger('botocore').setLevel(logging.WARNING)
     logging.getLogger('googleapiclient').setLevel(logging.WARNING)
     logging.getLogger('neo4j').setLevel(logging.WARNING)
+    logging.getLogger('azure.identity').setLevel(logging.WARNING)
+    logging.getLogger('httpx').setLevel(logging.WARNING)
+    logging.getLogger('azure.core.pipeline.policies.http_logging_policy').setLevel(logging.WARNING)
+
     argv = argv if argv is not None else sys.argv[1:]
     sys.exit(CLI(prog='cartography').main(argv))

cartography/config.py

@@ -41,6 +41,12 @@ class Config:
     :param azure_client_id: Client Id for connecting in a Service Principal Authentication approach. Optional.
     :type azure_client_secret: str
     :param azure_client_secret: Client Secret for connecting in a Service Principal Authentication approach. Optional.
+    :type entra_tenant_id: str
+    :param entra_tenant_id: Tenant Id for connecting in a Service Principal Authentication approach. Optional.
+    :type entra_client_id: str
+    :param entra_client_id: Client Id for connecting in a Service Principal Authentication approach. Optional.
+    :type entra_client_secret: str
+    :param entra_client_secret: Client Secret for connecting in a Service Principal Authentication approach. Optional.
     :type aws_requested_syncs: str
     :param aws_requested_syncs: Comma-separated list of AWS resources to sync. Optional.
     :type analysis_job_directory: str
@@ -133,6 +139,9 @@ class Config:
         azure_tenant_id=None,
         azure_client_id=None,
         azure_client_secret=None,
+        entra_tenant_id=None,
+        entra_client_id=None,
+        entra_client_secret=None,
         aws_requested_syncs=None,
         analysis_job_directory=None,
         oci_sync_all_profiles=None,
@@ -191,6 +200,9 @@ class Config:
         self.azure_tenant_id = azure_tenant_id
         self.azure_client_id = azure_client_id
         self.azure_client_secret = azure_client_secret
+        self.entra_tenant_id = entra_tenant_id
+        self.entra_client_id = entra_client_id
+        self.entra_client_secret = entra_client_secret
         self.aws_requested_syncs = aws_requested_syncs
         self.analysis_job_directory = analysis_job_directory
         self.oci_sync_all_profiles = oci_sync_all_profiles

cartography/data/indexes.cypher

@@ -191,9 +191,6 @@ CREATE INDEX IF NOT EXISTS FOR (n:KMSGrant) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.name);
 CREATE INDEX IF NOT EXISTS FOR (n:LaunchConfiguration) ON (n.lastupdated);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.dnsname);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.id);
-CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancer) ON (n.lastupdated);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.dnsname);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.id);
 CREATE INDEX IF NOT EXISTS FOR (n:LoadBalancerV2) ON (n.lastupdated);

cartography/intel/aws/ec2/launch_templates.py

@@ -37,37 +37,18 @@ def get_launch_template_versions(
     boto3_session: boto3.session.Session,
     region: str,
     launch_templates: list[dict[str, Any]],
-) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
-    found_versions: list[dict[str, Any]] = []
-    found_templates: list[dict[str, Any]] = []
+) -> list[dict[str, Any]]:
+    template_versions: list[dict[str, Any]] = []
     for template in launch_templates:
         launch_template_id = template['LaunchTemplateId']
-        try:
-            versions = get_launch_template_versions_by_template(
-                boto3_session,
-                launch_template_id,
-                region,
-            )
-            # If the call succeeded, the template still exists.
-            # Add it and its versions (list might be empty if no versions exist).
-            found_templates.append(template)
-            found_versions.extend(versions)
-        except botocore.exceptions.ClientError as e:
-            if e.response['Error']['Code'] == 'InvalidLaunchTemplateId.NotFound':
-                logger.warning(
-                    "Launch template %s no longer exists in region %s, skipping.",
-                    launch_template_id, region,
-                )
-                # Skip this template, don't add it or its versions
-                continue
-            else:
-                # Re-raise any other client error
-                raise
-
-    return found_versions, found_templates
+        versions = get_launch_template_versions_by_template(boto3_session, launch_template_id, region)
+        template_versions.extend(versions)
+
+    return template_versions
 
 
 @timeit
+@aws_handle_regions
 def get_launch_template_versions_by_template(
         boto3_session: boto3.session.Session,
         launch_template_id: str,
@@ -76,15 +57,27 @@ def get_launch_template_versions_by_template(
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     v_paginator = client.get_paginator('describe_launch_template_versions')
     template_versions = []
-    for versions_page in v_paginator.paginate(LaunchTemplateId=launch_template_id):
-        template_versions.extend(versions_page['LaunchTemplateVersions'])
+    try:
+        for versions in v_paginator.paginate(LaunchTemplateId=launch_template_id):
+            template_versions.extend(versions['LaunchTemplateVersions'])
+    except botocore.exceptions.ClientError as e:
+        error_code = e.response['Error']['Code']
+        if error_code == 'InvalidLaunchTemplateId.NotFound':
+            logger.warning("Launch template %s no longer exists in region %s", launch_template_id, region)
+        else:
+            raise
     return template_versions
 
 
-def transform_launch_templates(templates: list[dict[str, Any]]) -> list[dict[str, Any]]:
+def transform_launch_templates(templates: list[dict[str, Any]], versions: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    valid_template_ids = {v['LaunchTemplateId'] for v in versions}
     result: list[dict[str, Any]] = []
     for template in templates:
+        if template['LaunchTemplateId'] not in valid_template_ids:
+            continue
+
         current = template.copy()
+        # Convert CreateTime to timestamp string
         current['CreateTime'] = str(int(current['CreateTime'].timestamp()))
         result.append(current)
     return result
@@ -176,11 +169,13 @@ def sync_ec2_launch_templates(
     for region in regions:
         logger.info(f"Syncing launch templates for region '{region}' in account '{current_aws_account_id}'.")
         templates = get_launch_templates(boto3_session, region)
-        versions, found_templates = get_launch_template_versions(boto3_session, region, templates)
+        versions = get_launch_template_versions(boto3_session, region, templates)
 
-        # Transform and load only the templates that were found to exist
-        transformed_templates = transform_launch_templates(found_templates)
+        # Transform and load the templates that have versions
+        transformed_templates = transform_launch_templates(templates, versions)
         load_launch_templates(neo4j_session, transformed_templates, region, current_aws_account_id, update_tag)
+
+        # Transform and load the versions
         transformed_versions = transform_launch_template_versions(versions)
         load_launch_template_versions(neo4j_session, transformed_versions, region, current_aws_account_id, update_tag)
 

cartography/intel/aws/ec2/load_balancers.py

@@ -1,190 +1,168 @@
 import logging
-from typing import Dict
-from typing import List
 
 import boto3
 import neo4j
 
 from .util import get_botocore_config
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ec2.load_balancer_listeners import ELBListenerSchema
+from cartography.models.aws.ec2.load_balancers import LoadBalancerSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
 
+def _get_listener_id(load_balancer_id: str, port: int, protocol: str) -> str:
+    """
+    Generate a unique ID for a load balancer listener.
+
+    Args:
+        load_balancer_id: The ID of the load balancer
+        port: The listener port
+        protocol: The listener protocol
+
+    Returns:
+        A unique ID string for the listener
+    """
+    return f"{load_balancer_id}{port}{protocol}"
+
+
+def transform_load_balancer_listener_data(load_balancer_id: str, listener_data: list[dict]) -> list[dict]:
+    """
+    Transform load balancer listener data into a format suitable for cartography ingestion.
+
+    Args:
+        load_balancer_id: The ID of the load balancer
+        listener_data: List of listener data from AWS API
+
+    Returns:
+        List of transformed listener data
+    """
+    transformed = []
+    for listener in listener_data:
+        listener_info = listener['Listener']
+        transformed_listener = {
+            'id': _get_listener_id(load_balancer_id, listener_info['LoadBalancerPort'], listener_info['Protocol']),
+            'port': listener_info.get('LoadBalancerPort'),
+            'protocol': listener_info.get('Protocol'),
+            'instance_port': listener_info.get('InstancePort'),
+            'instance_protocol': listener_info.get('InstanceProtocol'),
+            'policy_names': listener.get('PolicyNames', []),
+            'LoadBalancerId': load_balancer_id,
+        }
+        transformed.append(transformed_listener)
+    return transformed
+
+
+def transform_load_balancer_data(load_balancers: list[dict]) -> tuple[list[dict], list[dict]]:
+    """
+    Transform load balancer data into a format suitable for cartography ingestion.
+
+    Args:
+        load_balancers: List of load balancer data from AWS API
+
+    Returns:
+        Tuple of (transformed load balancer data, transformed listener data)
+    """
+    transformed = []
+    listener_data = []
+
+    for lb in load_balancers:
+        load_balancer_id = lb['DNSName']
+        transformed_lb = {
+            'id': load_balancer_id,
+            'name': lb['LoadBalancerName'],
+            'dnsname': lb['DNSName'],
+            'canonicalhostedzonename': lb.get('CanonicalHostedZoneName'),
+            'canonicalhostedzonenameid': lb.get('CanonicalHostedZoneNameID'),
+            'scheme': lb.get('Scheme'),
+            'createdtime': str(lb['CreatedTime']),
+            'GROUP_NAME': lb.get('SourceSecurityGroup', {}).get('GroupName'),
+            'GROUP_IDS': [str(group) for group in lb.get('SecurityGroups', [])],
+            'INSTANCE_IDS': [instance['InstanceId'] for instance in lb.get('Instances', [])],
+            'LISTENER_IDS': [
+                _get_listener_id(
+                    load_balancer_id,
+                    listener['Listener']['LoadBalancerPort'],
+                    listener['Listener']['Protocol'],
+                ) for listener in lb.get('ListenerDescriptions', [])
+            ],
+        }
+        transformed.append(transformed_lb)
+
+        # Classic ELB listeners are not returned anywhere else in AWS, so we must parse them out
+        # of the describe_load_balancers response.
+        if lb.get('ListenerDescriptions'):
+            listener_data.extend(
+                transform_load_balancer_listener_data(
+                    load_balancer_id,
+                    lb.get('ListenerDescriptions', []),
+                ),
+            )
+
+    return transformed, listener_data
+
+
 @timeit
 @aws_handle_regions
-def get_loadbalancer_data(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_loadbalancer_data(boto3_session: boto3.session.Session, region: str) -> list[dict]:
     client = boto3_session.client('elb', region_name=region, config=get_botocore_config())
     paginator = client.get_paginator('describe_load_balancers')
-    elbs: List[Dict] = []
+    elbs: list[dict] = []
     for page in paginator.paginate():
         elbs.extend(page['LoadBalancerDescriptions'])
     return elbs
 
 
 @timeit
-def load_load_balancer_listeners(
-    neo4j_session: neo4j.Session, load_balancer_id: str, listener_data: List[Dict],
+def load_load_balancers(
+    neo4j_session: neo4j.Session, data: list[dict], region: str, current_aws_account_id: str,
     update_tag: int,
 ) -> None:
-    ingest_listener = """
-    MATCH (elb:LoadBalancer{id: $LoadBalancerId})
-    WITH elb
-    UNWIND $Listeners as data
-        MERGE (l:Endpoint:ELBListener{id: elb.id + toString(data.Listener.LoadBalancerPort) +
-                toString(data.Listener.Protocol)})
-        ON CREATE SET l.port = data.Listener.LoadBalancerPort, l.protocol = data.Listener.Protocol,
-        l.firstseen = timestamp()
-        SET l.instance_port = data.Listener.InstancePort, l.instance_protocol = data.Listener.InstanceProtocol,
-        l.policy_names = data.PolicyNames,
-        l.lastupdated = $update_tag
-        WITH l, elb
-        MERGE (elb)-[r:ELB_LISTENER]->(l)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $update_tag
-    """
-
-    neo4j_session.run(
-        ingest_listener,
-        LoadBalancerId=load_balancer_id,
-        Listeners=listener_data,
-        update_tag=update_tag,
+    load(
+        neo4j_session,
+        LoadBalancerSchema(),
+        data,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
     )
 
 
 @timeit
-def load_load_balancer_subnets(
-    neo4j_session: neo4j.Session, load_balancer_id: str, subnets_data: List[Dict],
-    update_tag: int,
-) -> None:
-    ingest_load_balancer_subnet = """
-    MATCH (elb:LoadBalancer{id: $ID}), (subnet:EC2Subnet{subnetid: $SUBNET_ID})
-    MERGE (elb)-[r:SUBNET]->(subnet)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    for subnet_id in subnets_data:
-        neo4j_session.run(
-            ingest_load_balancer_subnet,
-            ID=load_balancer_id,
-            SUBNET_ID=subnet_id,
-            update_tag=update_tag,
-        )
-
-
-@timeit
-def load_load_balancers(
-    neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str,
+def load_load_balancer_listeners(
+    neo4j_session: neo4j.Session, data: list[dict], region: str, current_aws_account_id: str,
     update_tag: int,
 ) -> None:
-    ingest_load_balancer = """
-    MERGE (elb:LoadBalancer{id: $ID})
-    ON CREATE SET elb.firstseen = timestamp(), elb.createdtime = $CREATED_TIME
-    SET elb.lastupdated = $update_tag, elb.name = $NAME, elb.dnsname = $DNS_NAME,
-    elb.canonicalhostedzonename = $HOSTED_ZONE_NAME, elb.canonicalhostedzonenameid = $HOSTED_ZONE_NAME_ID,
-    elb.scheme = $SCHEME, elb.region = $Region
-    WITH elb
-    MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-    MERGE (aa)-[r:RESOURCE]->(elb)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    ingest_load_balancersource_security_group = """
-    MATCH (elb:LoadBalancer{id: $ID}),
-    (group:EC2SecurityGroup{name: $GROUP_NAME})
-    MERGE (elb)-[r:SOURCE_SECURITY_GROUP]->(group)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    ingest_load_balancer_security_group = """
-    MATCH (elb:LoadBalancer{id: $ID}),
-    (group:EC2SecurityGroup{groupid: $GROUP_ID})
-    MERGE (elb)-[r:MEMBER_OF_EC2_SECURITY_GROUP]->(group)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    ingest_instances = """
-    MATCH (elb:LoadBalancer{id: $ID}), (instance:EC2Instance{instanceid: $INSTANCE_ID})
-    MERGE (elb)-[r:EXPOSE]->(instance)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    WITH instance
-    MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-    MERGE (aa)-[r:RESOURCE]->(instance)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    for lb in data:
-        load_balancer_id = lb["DNSName"]
-
-        neo4j_session.run(
-            ingest_load_balancer,
-            ID=load_balancer_id,
-            CREATED_TIME=str(lb["CreatedTime"]),
-            NAME=lb["LoadBalancerName"],
-            DNS_NAME=load_balancer_id,
-            HOSTED_ZONE_NAME=lb.get("CanonicalHostedZoneName"),
-            HOSTED_ZONE_NAME_ID=lb.get("CanonicalHostedZoneNameID"),
-            SCHEME=lb.get("Scheme", ""),
-            AWS_ACCOUNT_ID=current_aws_account_id,
-            Region=region,
-            update_tag=update_tag,
-        )
-
-        if lb["Subnets"]:
-            load_load_balancer_subnets(neo4j_session, load_balancer_id, lb["Subnets"], update_tag)
-
-        if lb["SecurityGroups"]:
-            for group in lb["SecurityGroups"]:
-                neo4j_session.run(
-                    ingest_load_balancer_security_group,
-                    ID=load_balancer_id,
-                    GROUP_ID=str(group),
-                    update_tag=update_tag,
-                )
-
-        if lb["SourceSecurityGroup"]:
-            source_group = lb["SourceSecurityGroup"]
-            neo4j_session.run(
-                ingest_load_balancersource_security_group,
-                ID=load_balancer_id,
-                GROUP_NAME=source_group["GroupName"],
-                update_tag=update_tag,
-            )
-
-        if lb["Instances"]:
-            for instance in lb["Instances"]:
-                neo4j_session.run(
-                    ingest_instances,
-                    ID=load_balancer_id,
-                    INSTANCE_ID=instance["InstanceId"],
-                    AWS_ACCOUNT_ID=current_aws_account_id,
-                    update_tag=update_tag,
-                )
-
-        if lb["ListenerDescriptions"]:
-            load_load_balancer_listeners(neo4j_session, load_balancer_id, lb["ListenerDescriptions"], update_tag)
+    load(
+        neo4j_session,
+        ELBListenerSchema(),
+        data,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
+    )
 
 
 @timeit
-def cleanup_load_balancers(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job('aws_ingest_load_balancers_cleanup.json', neo4j_session, common_job_parameters)
+def cleanup_load_balancers(neo4j_session: neo4j.Session, common_job_parameters: dict) -> None:
+    GraphJob.from_node_schema(ELBListenerSchema(), common_job_parameters).run(neo4j_session)
+    GraphJob.from_node_schema(LoadBalancerSchema(), common_job_parameters).run(neo4j_session)
 
 
 @timeit
 def sync_load_balancers(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: list[str], current_aws_account_id: str,
+    update_tag: int, common_job_parameters: dict,
 ) -> None:
     for region in regions:
         logger.info("Syncing EC2 load balancers for region '%s' in account '%s'.", region, current_aws_account_id)
         data = get_loadbalancer_data(boto3_session, region)
-        load_load_balancers(neo4j_session, data, region, current_aws_account_id, update_tag)
+        transformed_data, listener_data = transform_load_balancer_data(data)
+
+        load_load_balancers(neo4j_session, transformed_data, region, current_aws_account_id, update_tag)
+        load_load_balancer_listeners(neo4j_session, listener_data, region, current_aws_account_id, update_tag)
+
     cleanup_load_balancers(neo4j_session, common_job_parameters)