cartography 0.107.0rc2__py3-none-any.whl → 0.108.0__py3-none-any.whl

cartography/intel/aws/ec2/snapshots.py

@@ -1,4 +1,5 @@
 import logging
+from typing import Any
 from typing import Dict
 from typing import List
 
@@ -6,8 +7,11 @@ import boto3
 import neo4j
 from botocore.exceptions import ClientError
 
+from cartography.client.core.tx import load
+from cartography.client.core.tx import read_list_of_values_tx
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ec2.snapshots import EBSSnapshotSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
@@ -24,12 +28,13 @@ def get_snapshots_in_use(
     WHERE v.region = $Region
     RETURN v.snapshotid as snapshot
     """
-    results = neo4j_session.run(
+    results = read_list_of_values_tx(
+        neo4j_session,
         query,
         AWS_ACCOUNT_ID=current_aws_account_id,
         Region=region,
     )
-    return [r["snapshot"] for r in results if r["snapshot"]]
+    return [str(snapshot) for snapshot in results if snapshot]
 
 
 @timeit
@@ -45,7 +50,6 @@ def get_snapshots(
     for page in paginator.paginate(OwnerIds=["self"]):
         snapshots.extend(page["Snapshots"])
 
-    # fetch in-use snapshots not in self_owned snapshots
     self_owned_snapshot_ids = {s["SnapshotId"] for s in snapshots}
     other_snapshot_ids = set(in_use_snapshot_ids) - self_owned_snapshot_ids
     if other_snapshot_ids:
@@ -55,8 +59,7 @@ def get_snapshots(
         except ClientError as e:
             if e.response["Error"]["Code"] == "InvalidSnapshot.NotFound":
                 logger.warning(
-                    f"Failed to retrieve page of in-use, \
-                    not owned snapshots. Continuing anyway. Error - {e}",
+                    f"Failed to retrieve page of in-use, not owned snapshots. Continuing anyway. Error - {e}"
                 )
             else:
                 raise
@@ -64,93 +67,53 @@ def get_snapshots(
     return snapshots
 
 
+def transform_snapshots(snapshots: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
+    transformed: List[Dict[str, Any]] = []
+    for snap in snapshots:
+        transformed.append(
+            {
+                "SnapshotId": snap["SnapshotId"],
+                "Description": snap.get("Description"),
+                "Encrypted": snap.get("Encrypted"),
+                "Progress": snap.get("Progress"),
+                "StartTime": snap.get("StartTime"),
+                "State": snap.get("State"),
+                "StateMessage": snap.get("StateMessage"),
+                "VolumeId": snap.get("VolumeId"),
+                "VolumeSize": snap.get("VolumeSize"),
+                "OutpostArn": snap.get("OutpostArn"),
+                "DataEncryptionKeyId": snap.get("DataEncryptionKeyId"),
+                "KmsKeyId": snap.get("KmsKeyId"),
+            }
+        )
+    return transformed
+
+
 @timeit
 def load_snapshots(
     neo4j_session: neo4j.Session,
-    data: List[Dict],
+    data: List[Dict[str, Any]],
     region: str,
     current_aws_account_id: str,
     update_tag: int,
 ) -> None:
-    ingest_snapshots = """
-    UNWIND $snapshots_list as snapshot
-        MERGE (s:EBSSnapshot{id: snapshot.SnapshotId})
-        ON CREATE SET s.firstseen = timestamp()
-        SET s.lastupdated = $update_tag, s.description = snapshot.Description, s.encrypted = snapshot.Encrypted,
-        s.progress = snapshot.Progress, s.starttime = snapshot.StartTime, s.state = snapshot.State,
-        s.statemessage = snapshot.StateMessage, s.volumeid = snapshot.VolumeId, s.volumesize = snapshot.VolumeSize,
-        s.outpostarn = snapshot.OutpostArn, s.dataencryptionkeyid = snapshot.DataEncryptionKeyId,
-        s.kmskeyid = snapshot.KmsKeyId, s.region=$Region
-        WITH s
-        MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (aa)-[r:RESOURCE]->(s)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $update_tag
-    """
-
-    for snapshot in data:
-        snapshot["StartTime"] = str(snapshot["StartTime"])
-
-    neo4j_session.run(
-        ingest_snapshots,
-        snapshots_list=data,
-        AWS_ACCOUNT_ID=current_aws_account_id,
+    load(
+        neo4j_session,
+        EBSSnapshotSchema(),
+        data,
+        lastupdated=update_tag,
         Region=region,
-        update_tag=update_tag,
-    )
-
-
-@timeit
-def get_snapshot_volumes(snapshots: List[Dict]) -> List[Dict]:
-    snapshot_volumes: List[Dict] = []
-    for snapshot in snapshots:
-        if snapshot.get("VolumeId"):
-            snapshot_volumes.append(snapshot)
-
-    return snapshot_volumes
-
-
-@timeit
-def load_snapshot_volume_relations(
-    neo4j_session: neo4j.Session,
-    data: List[Dict],
-    current_aws_account_id: str,
-    update_tag: int,
-) -> None:
-    ingest_volumes = """
-    UNWIND $snapshot_volumes_list as volume
-        MERGE (v:EBSVolume{id: volume.VolumeId})
-        ON CREATE SET v.firstseen = timestamp()
-        SET v.lastupdated = $update_tag, v.snapshotid = volume.SnapshotId
-        WITH v, volume
-        MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (aa)-[r:RESOURCE]->(v)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $update_tag
-        WITH v, volume
-        MATCH (s:EBSSnapshot{id: volume.SnapshotId})
-        MERGE (s)-[r:CREATED_FROM]->(v)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $update_tag
-    """
-
-    neo4j_session.run(
-        ingest_volumes,
-        snapshot_volumes_list=data,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-        update_tag=update_tag,
+        AWS_ID=current_aws_account_id,
     )
 
 
 @timeit
 def cleanup_snapshots(
     neo4j_session: neo4j.Session,
-    common_job_parameters: Dict,
+    common_job_parameters: Dict[str, Any],
 ) -> None:
-    run_cleanup_job(
-        "aws_import_snapshots_cleanup.json",
-        neo4j_session,
-        common_job_parameters,
+    GraphJob.from_node_schema(EBSSnapshotSchema(), common_job_parameters).run(
+        neo4j_session
     )
 
 
@@ -161,7 +124,7 @@ def sync_ebs_snapshots(
     regions: List[str],
     current_aws_account_id: str,
     update_tag: int,
-    common_job_parameters: Dict,
+    common_job_parameters: Dict[str, Any],
 ) -> None:
     for region in regions:
         logger.debug(
@@ -174,12 +137,12 @@ def sync_ebs_snapshots(
             region,
             current_aws_account_id,
         )
-        data = get_snapshots(boto3_session, region, snapshots_in_use)
-        load_snapshots(neo4j_session, data, region, current_aws_account_id, update_tag)
-        snapshot_volumes = get_snapshot_volumes(data)
-        load_snapshot_volume_relations(
+        raw_data = get_snapshots(boto3_session, region, snapshots_in_use)
+        transformed_data = transform_snapshots(raw_data)
+        load_snapshots(
             neo4j_session,
-            snapshot_volumes,
+            transformed_data,
+            region,
             current_aws_account_id,
             update_tag,
         )

cartography/intel/aws/ec2/subnets.py

@@ -1,17 +1,17 @@
 import logging
-from typing import Dict
-from typing import List
+from typing import Any
 
 import boto3
 import neo4j
 
+from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
 from cartography.models.aws.ec2.auto_scaling_groups import (
     EC2SubnetAutoScalingGroupSchema,
 )
 from cartography.models.aws.ec2.subnet_instance import EC2SubnetInstanceSchema
+from cartography.models.aws.ec2.subnets import EC2SubnetSchema
 from cartography.util import aws_handle_regions
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 
 from .util import get_botocore_config
@@ -21,86 +21,53 @@ logger = logging.getLogger(__name__)
 
 @timeit
 @aws_handle_regions
-def get_subnet_data(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_subnet_data(
+    boto3_session: boto3.session.Session, region: str
+) -> list[dict[str, Any]]:
     client = boto3_session.client(
         "ec2",
         region_name=region,
         config=get_botocore_config(),
     )
     paginator = client.get_paginator("describe_subnets")
-    subnets: List[Dict] = []
+    subnets: list[dict[str, Any]] = []
     for page in paginator.paginate():
         subnets.extend(page["Subnets"])
     return subnets
 
 
+def transform_subnet_data(subnets: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """Transform subnet data into a loadable format."""
+    transformed: list[dict[str, Any]] = []
+    for subnet in subnets:
+        transformed.append(subnet.copy())
+    return transformed
+
+
 @timeit
 def load_subnets(
     neo4j_session: neo4j.Session,
-    data: List[Dict],
+    data: list[dict[str, Any]],
     region: str,
     aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
-
-    ingest_subnets = """
-    UNWIND $subnets as subnet
-    MERGE (snet:EC2Subnet{subnetid: subnet.SubnetId})
-    ON CREATE SET snet.firstseen = timestamp()
-    SET snet.lastupdated = $aws_update_tag, snet.name = subnet.CidrBlock, snet.cidr_block = subnet.CidrBlock,
-    snet.available_ip_address_count = subnet.AvailableIpAddressCount, snet.default_for_az = subnet.DefaultForAz,
-    snet.map_customer_owned_ip_on_launch = subnet.MapCustomerOwnedIpOnLaunch,
-    snet.state = subnet.State, snet.assignipv6addressoncreation = subnet.AssignIpv6AddressOnCreation,
-    snet.map_public_ip_on_launch = subnet.MapPublicIpOnLaunch, snet.subnet_arn = subnet.SubnetArn,
-    snet.availability_zone = subnet.AvailabilityZone, snet.availability_zone_id = subnet.AvailabilityZoneId,
-    snet.subnetid = subnet.SubnetId
-    """
-
-    ingest_subnet_vpc_relations = """
-    UNWIND $subnets as subnet
-    MATCH (snet:EC2Subnet{subnetid: subnet.SubnetId}), (vpc:AWSVpc{id: subnet.VpcId})
-    MERGE (snet)-[r:MEMBER_OF_AWS_VPC]->(vpc)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
-    """
-
-    ingest_subnet_aws_account_relations = """
-    UNWIND $subnets as subnet
-    MATCH (snet:EC2Subnet{subnetid: subnet.SubnetId}), (aws:AWSAccount{id: $aws_account_id})
-    MERGE (aws)-[r:RESOURCE]->(snet)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $aws_update_tag
-    """
-
-    neo4j_session.run(
-        ingest_subnets,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
-    )
-    neo4j_session.run(
-        ingest_subnet_vpc_relations,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
-    )
-    neo4j_session.run(
-        ingest_subnet_aws_account_relations,
-        subnets=data,
-        aws_update_tag=aws_update_tag,
-        region=region,
-        aws_account_id=aws_account_id,
+    load(
+        neo4j_session,
+        EC2SubnetSchema(),
+        data,
+        Region=region,
+        AWS_ID=aws_account_id,
+        lastupdated=aws_update_tag,
     )
 
 
 @timeit
-def cleanup_subnets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
-    run_cleanup_job(
-        "aws_ingest_subnets_cleanup.json",
+def cleanup_subnets(
+    neo4j_session: neo4j.Session, common_job_parameters: dict[str, Any]
+) -> None:
+    GraphJob.from_node_schema(EC2SubnetSchema(), common_job_parameters).run(
         neo4j_session,
-        common_job_parameters,
     )
     GraphJob.from_node_schema(EC2SubnetInstanceSchema(), common_job_parameters).run(
         neo4j_session,
@@ -115,10 +82,10 @@ def cleanup_subnets(neo4j_session: neo4j.Session, common_job_parameters: Dict) -
 def sync_subnets(
     neo4j_session: neo4j.Session,
     boto3_session: boto3.session.Session,
-    regions: List[str],
+    regions: list[str],
     current_aws_account_id: str,
     update_tag: int,
-    common_job_parameters: Dict,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     for region in regions:
         logger.info(
@@ -127,5 +94,12 @@ def sync_subnets(
             current_aws_account_id,
         )
         data = get_subnet_data(boto3_session, region)
-        load_subnets(neo4j_session, data, region, current_aws_account_id, update_tag)
+        transformed = transform_subnet_data(data)
+        load_subnets(
+            neo4j_session,
+            transformed,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup_subnets(neo4j_session, common_job_parameters)

cartography/intel/aws/ecr.py

@@ -6,9 +6,12 @@ from typing import List
 import boto3
 import neo4j
 
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.aws.ecr.image import ECRImageSchema
+from cartography.models.aws.ecr.repository import ECRRepositorySchema
+from cartography.models.aws.ecr.repository_image import ECRRepositoryImageSchema
 from cartography.util import aws_handle_regions
-from cartography.util import batch
-from cartography.util import run_cleanup_job
 from cartography.util import timeit
 from cartography.util import to_asynchronous
 from cartography.util import to_synchronous
@@ -74,33 +77,17 @@ def load_ecr_repositories(
     current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
-    query = """
-    UNWIND $Repositories as ecr_repo
-        MERGE (repo:ECRRepository{id: ecr_repo.repositoryArn})
-        ON CREATE SET repo.firstseen = timestamp(),
-            repo.arn = ecr_repo.repositoryArn,
-            repo.name = ecr_repo.repositoryName,
-            repo.region = $Region,
-            repo.created_at = ecr_repo.createdAt
-        SET repo.lastupdated = $aws_update_tag,
-            repo.uri = ecr_repo.repositoryUri
-        WITH repo
-
-        MATCH (owner:AWSAccount{id: $AWS_ACCOUNT_ID})
-        MERGE (owner)-[r:RESOURCE]->(repo)
-        ON CREATE SET r.firstseen = timestamp()
-        SET r.lastupdated = $aws_update_tag
-    """
     logger.info(
         f"Loading {len(repos)} ECR repositories for region {region} into graph.",
     )
-    neo4j_session.run(
-        query,
-        Repositories=repos,
+    load(
+        neo4j_session,
+        ECRRepositorySchema(),
+        repos,
+        lastupdated=aws_update_tag,
         Region=region,
-        aws_update_tag=aws_update_tag,
-        AWS_ACCOUNT_ID=current_aws_account_id,
-    ).consume()  # See issue #440
+        AWS_ID=current_aws_account_id,
+    )
 
 
 @timeit
@@ -114,8 +101,13 @@ def transform_ecr_repository_images(repo_data: Dict) -> List[Dict]:
     for repo_uri in sorted(repo_data.keys()):
         repo_images = repo_data[repo_uri]
         for img in repo_images:
-            if "imageDigest" in img and img["imageDigest"]:
+            digest = img.get("imageDigest")
+            if digest:
+                tag = img.get("imageTag")
+                uri = repo_uri + (f":{tag}" if tag else "")
                 img["repo_uri"] = repo_uri
+                img["uri"] = uri
+                img["id"] = uri
                 repo_images_list.append(img)
             else:
                 logger.warning(
@@ -127,74 +119,51 @@ def transform_ecr_repository_images(repo_data: Dict) -> List[Dict]:
     return repo_images_list
 
 
-def _load_ecr_repo_img_tx(
-    tx: neo4j.Transaction,
-    repo_images_list: List[Dict],
-    aws_update_tag: int,
-    region: str,
-) -> None:
-    query = """
-    UNWIND $RepoList as repo_img
-        MERGE (ri:ECRRepositoryImage{id: repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, '')})
-        ON CREATE SET ri.firstseen = timestamp()
-        SET ri.lastupdated = $aws_update_tag,
-            ri.tag = repo_img.imageTag,
-            ri.uri = repo_img.repo_uri + COALESCE(":" + repo_img.imageTag, ''),
-            ri.image_size_bytes = repo_img.imageSizeInBytes,
-            ri.image_pushed_at = repo_img.imagePushedAt,
-            ri.image_manifest_media_type = repo_img.imageManifestMediaType,
-            ri.artifact_media_type = repo_img.artifactMediaType,
-            ri.last_recorded_pull_time = repo_img.lastRecordedPullTime
-        WITH ri, repo_img
-
-        MERGE (img:ECRImage{id: repo_img.imageDigest})
-        ON CREATE SET img.firstseen = timestamp(),
-            img.digest = repo_img.imageDigest
-        SET img.lastupdated = $aws_update_tag,
-            img.region = $Region
-        WITH ri, img, repo_img
-
-        MERGE (ri)-[r1:IMAGE]->(img)
-        ON CREATE SET r1.firstseen = timestamp()
-        SET r1.lastupdated = $aws_update_tag
-        WITH ri, repo_img
-
-        MATCH (repo:ECRRepository{uri: repo_img.repo_uri})
-        MERGE (repo)-[r2:REPO_IMAGE]->(ri)
-        ON CREATE SET r2.firstseen = timestamp()
-        SET r2.lastupdated = $aws_update_tag
-    """
-    tx.run(
-        query,
-        RepoList=repo_images_list,
-        Region=region,
-        aws_update_tag=aws_update_tag,
-    )
-
-
 @timeit
 def load_ecr_repository_images(
     neo4j_session: neo4j.Session,
     repo_images_list: List[Dict],
     region: str,
+    current_aws_account_id: str,
     aws_update_tag: int,
 ) -> None:
     logger.info(
         f"Loading {len(repo_images_list)} ECR repository images in {region} into graph.",
     )
-    for repo_image_batch in batch(repo_images_list, size=10000):
-        neo4j_session.write_transaction(
-            _load_ecr_repo_img_tx,
-            repo_image_batch,
-            aws_update_tag,
-            region,
-        )
+    image_digests = {img["imageDigest"] for img in repo_images_list}
+    ecr_images = [{"imageDigest": d} for d in image_digests]
+
+    load(
+        neo4j_session,
+        ECRImageSchema(),
+        ecr_images,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
+
+    load(
+        neo4j_session,
+        ECRRepositoryImageSchema(),
+        repo_images_list,
+        lastupdated=aws_update_tag,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+    )
 
 
 @timeit
 def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
     logger.debug("Running ECR cleanup job.")
-    run_cleanup_job("aws_import_ecr_cleanup.json", neo4j_session, common_job_parameters)
+    GraphJob.from_node_schema(ECRRepositorySchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(ECRRepositoryImageSchema(), common_job_parameters).run(
+        neo4j_session
+    )
+    GraphJob.from_node_schema(ECRImageSchema(), common_job_parameters).run(
+        neo4j_session
+    )
 
 
 def _get_image_data(
@@ -251,5 +220,11 @@ def sync(
             update_tag,
         )
         repo_images_list = transform_ecr_repository_images(image_data)
-        load_ecr_repository_images(neo4j_session, repo_images_list, region, update_tag)
+        load_ecr_repository_images(
+            neo4j_session,
+            repo_images_list,
+            region,
+            current_aws_account_id,
+            update_tag,
+        )
     cleanup(neo4j_session, common_job_parameters)

cartography/intel/aws/ecs.py

@@ -169,6 +169,22 @@ def _get_containers_from_tasks(tasks: list[dict[str, Any]]) -> list[dict[str, An
     return containers
 
 
+def transform_ecs_tasks(tasks: list[dict[str, Any]]) -> list[dict[str, Any]]:
+    """
+    Extract network interface ID from task attachments.
+    """
+    for task in tasks:
+        for attachment in task.get("attachments", []):
+            if attachment.get("type") == "ElasticNetworkInterface":
+                details = attachment.get("details", [])
+                for detail in details:
+                    if detail.get("name") == "networkInterfaceId":
+                        task["networkInterfaceId"] = detail.get("value")
+                        break
+                break
+    return tasks
+
+
 @timeit
 def load_ecs_clusters(
     neo4j_session: neo4j.Session,
@@ -407,6 +423,7 @@ def _sync_ecs_task_and_container_defns(
         boto3_session,
         region,
     )
+    tasks = transform_ecs_tasks(tasks)
     containers = _get_containers_from_tasks(tasks)
     load_ecs_tasks(
         neo4j_session,