cartography 0.99.0rc1__py3-none-any.whl → 0.100.0rc2__py3-none-any.whl

cartography/intel/gcp/iam.py

@@ -0,0 +1,222 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+from googleapiclient.discovery import Resource
+
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.gcp.iam import GCPRoleSchema
+from cartography.models.gcp.iam import GCPServiceAccountSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+# GCP API can be subject to rate limiting, so add small delays between calls
+LIST_SLEEP = 1
+DESCRIBE_SLEEP = 1
+
+
+@timeit
+def get_gcp_service_accounts(iam_client: Resource, project_id: str) -> List[Dict[str, Any]]:
+    """
+    Retrieve a list of GCP service accounts for a given project.
+
+    :param iam_client: The IAM resource object created by googleapiclient.discovery.build().
+    :param project_id: The GCP Project ID to retrieve service accounts from.
+    :return: A list of dictionaries representing GCP service accounts.
+    """
+    service_accounts: List[Dict[str, Any]] = []
+    try:
+        request = iam_client.projects().serviceAccounts().list(
+            name=f'projects/{project_id}',
+        )
+        while request is not None:
+            response = request.execute()
+            if 'accounts' in response:
+                service_accounts.extend(response['accounts'])
+            request = iam_client.projects().serviceAccounts().list_next(
+                previous_request=request,
+                previous_response=response,
+            )
+    except Exception as e:
+        logger.warning(f"Error retrieving service accounts for project {project_id}: {e}")
+    return service_accounts
+
+
+@timeit
+def get_gcp_roles(iam_client: Resource, project_id: str) -> List[Dict]:
+    """
+    Retrieve custom and predefined roles from GCP for a given project.
+
+    :param iam_client: The IAM resource object created by googleapiclient.discovery.build().
+    :param project_id: The GCP Project ID to retrieve roles from.
+    :return: A list of dictionaries representing GCP roles.
+    """
+    try:
+        roles = []
+
+        # Get custom roles
+        custom_req = iam_client.projects().roles().list(parent=f'projects/{project_id}')
+        while custom_req is not None:
+            resp = custom_req.execute()
+            roles.extend(resp.get('roles', []))
+            custom_req = iam_client.projects().roles().list_next(custom_req, resp)
+
+        # Get predefined roles
+        predefined_req = iam_client.roles().list(view='FULL')
+        while predefined_req is not None:
+            resp = predefined_req.execute()
+            roles.extend(resp.get('roles', []))
+            predefined_req = iam_client.roles().list_next(predefined_req, resp)
+
+        return roles
+    except Exception as e:
+        logger.warning(f"Error getting GCP roles - {e}")
+        return []
+
+
+@timeit
+def load_gcp_service_accounts(
+    neo4j_session: neo4j.Session,
+    service_accounts: List[Dict[str, Any]],
+    project_id: str,
+    gcp_update_tag: int,
+) -> None:
+    """
+    Load GCP service account data into Neo4j.
+
+    :param neo4j_session: The Neo4j session.
+    :param service_accounts: A list of service account data to load.
+    :param project_id: The GCP Project ID associated with the service accounts.
+    :param gcp_update_tag: The timestamp of the current sync run.
+    """
+    logger.debug(f"Loading {len(service_accounts)} service accounts for project {project_id}")
+    transformed_service_accounts = []
+    for sa in service_accounts:
+        transformed_sa = {
+            'id': sa['uniqueId'],
+            'email': sa.get('email'),
+            'displayName': sa.get('displayName'),
+            'oauth2ClientId': sa.get('oauth2ClientId'),
+            'uniqueId': sa.get('uniqueId'),
+            'disabled': sa.get('disabled', False),
+            'projectId': project_id,
+        }
+        transformed_service_accounts.append(transformed_sa)
+
+    load(
+        neo4j_session,
+        GCPServiceAccountSchema(),
+        transformed_service_accounts,
+        lastupdated=gcp_update_tag,
+        projectId=project_id,
+        additional_labels=['GCPPrincipal'],
+    )
+
+
+@timeit
+def load_gcp_roles(
+    neo4j_session: neo4j.Session,
+    roles: List[Dict[str, Any]],
+    project_id: str,
+    gcp_update_tag: int,
+) -> None:
+    """
+    Load GCP role data into Neo4j.
+
+    :param neo4j_session: The Neo4j session.
+    :param roles: A list of role data to load.
+    :param project_id: The GCP Project ID associated with the roles.
+    :param gcp_update_tag: The timestamp of the current sync run.
+    """
+    logger.debug(f"Loading {len(roles)} roles for project {project_id}")
+    transformed_roles = []
+    for role in roles:
+        role_name = role['name']
+        if role_name.startswith('roles/'):
+            if role_name in ['roles/owner', 'roles/editor', 'roles/viewer']:
+                role_type = 'BASIC'
+            else:
+                role_type = 'PREDEFINED'
+        else:
+            role_type = 'CUSTOM'
+
+        transformed_role = {
+            'id': role_name,
+            'name': role_name,
+            'title': role.get('title'),
+            'description': role.get('description'),
+            'deleted': role.get('deleted', False),
+            'etag': role.get('etag'),
+            'includedPermissions': role.get('includedPermissions', []),
+            'roleType': role_type,
+            'projectId': project_id,
+        }
+        transformed_roles.append(transformed_role)
+
+    load(
+        neo4j_session,
+        GCPRoleSchema(),
+        transformed_roles,
+        lastupdated=gcp_update_tag,
+        projectId=project_id,
+    )
+
+
+@timeit
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict[str, Any]) -> None:
+    """
+    Run cleanup jobs for GCP IAM data in Neo4j.
+
+    :param neo4j_session: The Neo4j session.
+    :param common_job_parameters: Common job parameters for cleanup.
+    """
+    logger.debug("Running GCP IAM cleanup job")
+    job_params = {
+        **common_job_parameters,
+        'projectId': common_job_parameters.get('PROJECT_ID'),
+    }
+
+    cleanup_jobs = [
+        GraphJob.from_node_schema(GCPServiceAccountSchema(), job_params),
+        GraphJob.from_node_schema(GCPRoleSchema(), job_params),
+    ]
+
+    for cleanup_job in cleanup_jobs:
+        cleanup_job.run(neo4j_session)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    iam_client: Resource,
+    project_id: str,
+    gcp_update_tag: int,
+    common_job_parameters: Dict[str, Any],
+) -> None:
+    """
+    Sync GCP IAM resources for a given project.
+
+    :param neo4j_session: The Neo4j session.
+    :param iam_client: The IAM resource object created by googleapiclient.discovery.build().
+    :param project_id: The GCP Project ID to sync.
+    :param gcp_update_tag: The timestamp of the current sync run.
+    :param common_job_parameters: Common job parameters for the sync.
+    """
+    logger.info(f"Syncing GCP IAM for project {project_id}")
+
+    # Get and load service accounts
+    service_accounts = get_gcp_service_accounts(iam_client, project_id)
+    logger.info(f"Found {len(service_accounts)} service accounts in project {project_id}")
+    load_gcp_service_accounts(neo4j_session, service_accounts, project_id, gcp_update_tag)
+
+    # Get and load roles
+    roles = get_gcp_roles(iam_client, project_id)
+    logger.info(f"Found {len(roles)} roles in project {project_id}")
+    load_gcp_roles(neo4j_session, roles, project_id, gcp_update_tag)
+
+    # Run cleanup
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/gsuite/__init__.py

@@ -6,6 +6,7 @@ from collections import namedtuple
 
 import googleapiclient.discovery
 import neo4j
+from google.auth import default
 from google.auth.exceptions import DefaultCredentialsError
 from google.auth.transport.requests import Request
 from google.oauth2 import credentials
@@ -18,10 +19,11 @@ from cartography.config import Config
 from cartography.intel.gsuite import api
 from cartography.util import timeit
 
-OAUTH_SCOPE = [
+OAUTH_SCOPES = [
     'https://www.googleapis.com/auth/admin.directory.user.readonly',
     'https://www.googleapis.com/auth/admin.directory.group.readonly',
     'https://www.googleapis.com/auth/admin.directory.group.member',
+    'https://www.googleapis.com/auth/cloud-platform',
 ]
 
 logger = logging.getLogger(__name__)
@@ -70,7 +72,7 @@ def start_gsuite_ingestion(neo4j_session: neo4j.Session, config: Config) -> None
         try:
             creds = service_account.Credentials.from_service_account_file(
                 config.gsuite_config,
-                scopes=OAUTH_SCOPE,
+                scopes=OAUTH_SCOPES,
             )
             creds = creds.with_subject(os.environ.get('GSUITE_DELEGATED_ADMIN'))
 
@@ -96,10 +98,10 @@ def start_gsuite_ingestion(neo4j_session: neo4j.Session, config: Config) -> None
                 refresh_token=auth_tokens['refresh_token'],
                 expiry=None,
                 token_uri=auth_tokens['token_uri'],
-                scopes=OAUTH_SCOPE,
+                scopes=OAUTH_SCOPES,
             )
             creds.refresh(Request())
-            creds = creds.create_scoped(OAUTH_SCOPE)
+            creds = creds.create_scoped(OAUTH_SCOPES)
         except DefaultCredentialsError as e:
             logger.error(
                 (
@@ -111,6 +113,21 @@ def start_gsuite_ingestion(neo4j_session: neo4j.Session, config: Config) -> None
                 e,
             )
             return
+    elif config.gsuite_auth_method == 'default':
+        logger.info('Attempting to authenticate to GSuite using default credentials')
+        try:
+            creds, _ = default(scopes=OAUTH_SCOPES)
+        except DefaultCredentialsError as e:
+            logger.error(
+                (
+                    "Unable to initialize GSuite creds using default credentials. If you don't have GSuite data or "
+                    "don't want to load GSuite data then you can ignore this message. Otherwise, the error code is: %s "
+                    "Make sure you have valid application default credentials configured. "
+                    "For more details see README"
+                ),
+                e,
+            )
+            return
 
     resources = _initialize_resources(creds)
     api.sync_gsuite_users(neo4j_session, resources.admin, config.update_tag, common_job_parameters)

cartography/intel/gsuite/api.py

@@ -4,6 +4,7 @@ from typing import List
 
 import neo4j
 from googleapiclient.discovery import Resource
+from googleapiclient.errors import HttpError
 
 from cartography.util import run_cleanup_job
 from cartography.util import timeit
@@ -30,9 +31,21 @@ def get_all_groups(admin: Resource) -> List[Dict]:
     request = admin.groups().list(customer='my_customer', maxResults=20, orderBy='email')
     response_objects = []
     while request is not None:
-        resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
-        response_objects.append(resp)
-        request = admin.groups().list_next(request, resp)
+        try:
+            resp = request.execute(num_retries=GOOGLE_API_NUM_RETRIES)
+            response_objects.append(resp)
+            request = admin.groups().list_next(request, resp)
+        except HttpError as e:
+            if e.resp.status == 403 and "Request had insufficient authentication scopes" in str(e):
+                logger.error(
+                    "Missing required GSuite scopes. If using the gcloud CLI, ",
+                    "run: gcloud auth application-default login --scopes="
+                    '"https://www.googleapis.com/auth/admin.directory.user.readonly,'
+                    'https://www.googleapis.com/auth/admin.directory.group.readonly,'
+                    'https://www.googleapis.com/auth/admin.directory.group.member.readonly,'
+                    'https://www.googleapis.com/auth/cloud-platform"',
+                )
+            raise
     return response_objects
 
 
@@ -140,6 +153,7 @@ def load_gsuite_groups(neo4j_session: neo4j.Session, groups: List[Dict], gsuite_
         g.etag = group.etag,
         g.kind = group.kind,
         g.name = group.name,
+        g:GCPPrincipal,
         g.lastupdated = $UpdateTag
     """
     logger.info(f'Ingesting {len(groups)} gsuite groups')
@@ -179,6 +193,7 @@ def load_gsuite_users(neo4j_session: neo4j.Session, users: List[Dict], gsuite_up
         u.suspended = user.suspended,
         u.thumbnail_photo_etag = user.thumbnailPhotoEtag,
         u.thumbnail_photo_url = user.thumbnailPhotoUrl,
+        u:GCPPrincipal,
         u.lastupdated = $UpdateTag
     """
     logger.info(f'Ingesting {len(users)} gsuite users')

cartography/models/aws/apigateway.py

@@ -0,0 +1,47 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class APIGatewayRestAPINodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id', extra_index=True)
+    createddate: PropertyRef = PropertyRef('createdDate')
+    version: PropertyRef = PropertyRef('version')
+    minimumcompressionsize: PropertyRef = PropertyRef('minimumCompressionSize')
+    disableexecuteapiendpoint: PropertyRef = PropertyRef('disableExecuteApiEndpoint')
+    region: PropertyRef = PropertyRef('region', set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+    anonymous_access: PropertyRef = PropertyRef('anonymous_access')
+    anonymous_actions: PropertyRef = PropertyRef('anonymous_actions')
+
+
+@dataclass(frozen=True)
+class APIGatewayRestAPIToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayRestAPI)<-[:RESOURCE]-(:AWSAccount)
+class APIGatewayRestAPIToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: APIGatewayRestAPIToAwsAccountRelProperties = APIGatewayRestAPIToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class APIGatewayRestAPISchema(CartographyNodeSchema):
+    label: str = 'APIGatewayRestAPI'
+    properties: APIGatewayRestAPINodeProperties = APIGatewayRestAPINodeProperties()
+    sub_resource_relationship: APIGatewayRestAPIToAWSAccount = APIGatewayRestAPIToAWSAccount()

cartography/models/aws/apigatewaycertificate.py

@@ -0,0 +1,66 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class APIGatewayClientCertificateNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('clientCertificateId')
+    createddate: PropertyRef = PropertyRef('createdDate')
+    expirationdate: PropertyRef = PropertyRef('expirationDate')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class APIGatewayClientCertificateToStageRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class CertToStageRelProps(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayStage)-[:HAS_CERTIFICATE]->(:APIGatewayClientCertificate)
+class APIGatewayClientCertificateToStage(CartographyRelSchema):
+    target_node_label: str = 'APIGatewayStage'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('stageArn')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "HAS_CERTIFICATE"
+    properties: CertToStageRelProps = CertToStageRelProps()
+
+
+@dataclass(frozen=True)
+class CertToAccountRelProps(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayClientCertificate)<-[:RESOURCE]-(:AWSAccount)
+class APIGatewayClientCertificateToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: CertToAccountRelProps = CertToAccountRelProps()
+
+
+@dataclass(frozen=True)
+class APIGatewayClientCertificateSchema(CartographyNodeSchema):
+    label: str = 'APIGatewayClientCertificate'
+    properties: APIGatewayClientCertificateNodeProperties = APIGatewayClientCertificateNodeProperties()
+    sub_resource_relationship: APIGatewayClientCertificateToAWSAccount = APIGatewayClientCertificateToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships([APIGatewayClientCertificateToStage()])

cartography/models/aws/apigatewayresource.py

@@ -0,0 +1,62 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class APIGatewayResourceNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id')
+    path: PropertyRef = PropertyRef('path')
+    pathpart: PropertyRef = PropertyRef('pathPart')
+    parentid: PropertyRef = PropertyRef('parentId')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class APIGatewayResourceToRestAPIRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayResource)<-[:RESOURCE]-(:APIGatewayRestAPI)
+class APIGatewayResourceToRestAPI(CartographyRelSchema):
+    target_node_label: str = 'APIGatewayRestAPI'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('apiId')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: APIGatewayResourceToRestAPIRelProperties = APIGatewayResourceToRestAPIRelProperties()
+
+
+@dataclass(frozen=True)
+class APIGatewayResourceToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayResource)<-[:RESOURCE]-(:AWSAccount)
+class APIGatewayResourceToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: APIGatewayResourceToAwsAccountRelProperties = APIGatewayResourceToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class APIGatewayResourceSchema(CartographyNodeSchema):
+    label: str = 'APIGatewayResource'
+    properties: APIGatewayResourceNodeProperties = APIGatewayResourceNodeProperties()
+    sub_resource_relationship: APIGatewayResourceToAWSAccount = APIGatewayResourceToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships([APIGatewayResourceToRestAPI()])

cartography/models/aws/apigatewaystage.py

@@ -0,0 +1,67 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class APIGatewayStageNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('arn')
+    stagename: PropertyRef = PropertyRef('stageName')
+    createddate: PropertyRef = PropertyRef('createdDate')
+    deploymentid: PropertyRef = PropertyRef('deploymentId')
+    clientcertificateid: PropertyRef = PropertyRef('clientCertificateId')
+    cacheclusterenabled: PropertyRef = PropertyRef('cacheClusterEnabled')
+    cacheclusterstatus: PropertyRef = PropertyRef('cacheClusterStatus')
+    tracingenabled: PropertyRef = PropertyRef('tracingEnabled')
+    webaclarn: PropertyRef = PropertyRef('webAclArn')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class APIGatewayStageToRestAPIRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayStage)<-[:ASSOCIATED_WITH]-(:APIGatewayRestAPI)
+class APIGatewayStageToRestAPI(CartographyRelSchema):
+    target_node_label: str = 'APIGatewayRestAPI'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('apiId')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "ASSOCIATED_WITH"
+    properties: APIGatewayStageToRestAPIRelProperties = APIGatewayStageToRestAPIRelProperties()
+
+
+@dataclass(frozen=True)
+class APIGatewayStageToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:APIGatewayStage)<-[:RESOURCE]-(:AWSAccount)
+class APIGatewayStageToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: APIGatewayStageToAwsAccountRelProperties = APIGatewayStageToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class APIGatewayStageSchema(CartographyNodeSchema):
+    label: str = 'APIGatewayStage'
+    properties: APIGatewayStageNodeProperties = APIGatewayStageNodeProperties()
+    sub_resource_relationship: APIGatewayStageToAWSAccount = APIGatewayStageToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships([APIGatewayStageToRestAPI()])

cartography/models/gcp/iam.py

@@ -0,0 +1,70 @@
+import logging
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class GCPServiceAccountNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id', extra_index=True)
+    email: PropertyRef = PropertyRef('email', extra_index=True)
+    display_name: PropertyRef = PropertyRef('displayName')
+    oauth2_client_id: PropertyRef = PropertyRef('oauth2ClientId')
+    unique_id: PropertyRef = PropertyRef('uniqueId')
+    disabled: PropertyRef = PropertyRef('disabled')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+    project_id: PropertyRef = PropertyRef('projectId', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class GCPRoleNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('name', extra_index=True)
+    name: PropertyRef = PropertyRef('name', extra_index=True)
+    title: PropertyRef = PropertyRef('title')
+    description: PropertyRef = PropertyRef('description')
+    deleted: PropertyRef = PropertyRef('deleted')
+    etag: PropertyRef = PropertyRef('etag')
+    permissions: PropertyRef = PropertyRef('includedPermissions')
+    role_type: PropertyRef = PropertyRef('roleType')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+    project_id: PropertyRef = PropertyRef('projectId', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class GCPIAMToProjectRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:GCPUser|GCPServiceAccount|GCPRole)<-[:RESOURCE]-(:GCPProject)
+class GCPPrincipalToProject(CartographyRelSchema):
+    target_node_label: str = 'GCPProject'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('projectId', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: GCPIAMToProjectRelProperties = GCPIAMToProjectRelProperties()
+
+
+@dataclass(frozen=True)
+class GCPServiceAccountSchema(CartographyNodeSchema):
+    label: str = 'GCPServiceAccount'
+    properties: GCPServiceAccountNodeProperties = GCPServiceAccountNodeProperties()
+    sub_resource_relationship: GCPPrincipalToProject = GCPPrincipalToProject()
+
+
+@dataclass(frozen=True)
+class GCPRoleSchema(CartographyNodeSchema):
+    label: str = 'GCPRole'
+    properties: GCPRoleNodeProperties = GCPRoleNodeProperties()
+    sub_resource_relationship: GCPPrincipalToProject = GCPPrincipalToProject()