diff --git a/pkg/engine2/operational_eval/vertex_property.go b/pkg/engine2/operational_eval/vertex_property.go index 0600d5130..aa98c2e37 100644 --- a/pkg/engine2/operational_eval/vertex_property.go +++ b/pkg/engine2/operational_eval/vertex_property.go @@ -161,9 +161,12 @@ func (v *propertyVertex) evaluateConstraints(sol solution_context.SolutionContex } ctx := solution_context.DynamicCtx(sol) - defaultVal, err := v.Template.GetDefaultValue(ctx, dynData) - if err != nil { - return fmt.Errorf("could not get default value for %s: %w", v.Ref, err) + var defaultVal any + if currentValue == nil { + defaultVal, err = v.Template.GetDefaultValue(ctx, dynData) + if err != nil { + return fmt.Errorf("could not get default value for %s: %w", v.Ref, err) + } } if currentValue == nil && setConstraint.Operator == "" && v.Template != nil && defaultVal != nil { err = solution_context.ConfigureResource( @@ -298,7 +301,7 @@ func (v *propertyVertex) Ready(eval *Evaluator) (ReadyPriority, error) { // properties that have values set via edge rules dont' have default values defaultVal, err := v.Template.GetDefaultValue(solution_context.DynamicCtx(eval.Solution), knowledgebase.DynamicValueData{Resource: v.Ref.Resource}) if err != nil { - return NotReadyMid, fmt.Errorf("could not get default value for %s: %w", v.Ref, err) + return NotReadyMid, nil } if defaultVal != nil { return ReadyNow, nil diff --git a/pkg/engine2/operational_rule/operational_action.go b/pkg/engine2/operational_rule/operational_action.go index 69dae05d3..295798b56 100644 --- a/pkg/engine2/operational_rule/operational_action.go +++ b/pkg/engine2/operational_rule/operational_action.go 
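Review bot: `v.Template.GetDefaultValue(ctx, dynData)` is still invoked before the `v.Template != nil` guard on the following line, so if Template can be nil (which that guard implies) the new `if currentValue == nil` branch dereferences it first. Folding the check into the new condition keeps the later guard meaningful: `if currentValue == nil && v.Template != nil {`. If GetDefaultValue is known to tolerate a nil receiver, a comment saying so would make the later guard read as intentional rather than stale. The `err` assigned with `=` here must be declared earlier in evaluateConstraints, which starts and ends outside the hunk.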
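Review bot: `return NotReadyMid, nil` discards every error from GetDefaultValue, not only the "no default value" case the comment above describes, so a genuine template-evaluation failure now surfaces as a property that is merely not ready yet, which is hard to diagnose. If the knowledge base distinguishes the no-default case (a sentinel error, or a nil, nil return), narrowing the swallow with `errors.Is` would be safer; otherwise the deliberate swallow deserves a comment such as `// a GetDefaultValue error is treated as "no default" (value is expected from an edge rule); report not-ready instead of failing evaluation`. Ready's body continues outside the hunk.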
@@ -230,22 +230,23 @@ func (action *operationalResourceAction) useAvailableResources(resource *constru if edgeTmpl == nil { continue } - if edgeTmpl.Unique == (knowledgebase.Unique{}) { + + if !edgeTmpl.Unique.Target || !edgeTmpl.Unique.Source { // many-to-many is okay availableResources.Add(res) continue } switch action.Step.Direction { case knowledgebase.DirectionDownstream: - if !edgeTmpl.Unique.Target { - // one-to-many is okay + if !edgeTmpl.Unique.Source { + // many-to-one is okay availableResources.Add(res) continue } case knowledgebase.DirectionUpstream: - if !edgeTmpl.Unique.Source { - // many-to-one are okay + if !edgeTmpl.Unique.Target { + // one-to-many are okay availableResources.Add(res) continue } diff --git a/pkg/engine2/path_selection/edge_validity.go b/pkg/engine2/path_selection/edge_validity.go index b432c47cb..ac31b9ea0 100644 --- a/pkg/engine2/path_selection/edge_validity.go +++ b/pkg/engine2/path_selection/edge_validity.go @@ -87,7 +87,7 @@ func checkProperties(ctx solution_context.SolutionContext, resource, toCheck *co match, err := selector.CanUse(solution_context.DynamicCtx(ctx), knowledgebase.DynamicValueData{Resource: resource.ID}, toCheck) if err != nil { - return fmt.Errorf("error checking if resource %s matches selector %s: %w", toCheck, selector, err) + return fmt.Errorf("error checking if resource %s matches selector %s: %w", toCheck, selector.Selector, err) } // if its a match for the selectors, lets ensure that it has a dependency and exists in the properties of the rul if !match { 
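Review bot: The new guard `if !edgeTmpl.Unique.Target || !edgeTmpl.Unique.Source` only falls through when both flags are set, so inside the switch below `!edgeTmpl.Unique.Source` and `!edgeTmpl.Unique.Target` can never be true and both direction branches are dead code. If "many-to-many" means neither side is unique (what the removed `edgeTmpl.Unique == (knowledgebase.Unique{})` expressed), the condition should be `if !edgeTmpl.Unique.Target && !edgeTmpl.Unique.Source {`, which also makes the per-direction checks reachable again. The comments were swapped too, and I cannot confirm from the hunk which edge end Source and Target denote, so a one-line comment above the switch stating the intended one-to-many/many-to-one mapping would help the next reader. useAvailableResources starts and ends outside the hunk.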
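Review bot: The error message formats `selector.Selector` with `%s`, so an empty or whitespace-only selector string renders invisibly in the wrapped error; `%q` would make that case obvious: `return fmt.Errorf("error checking if resource %s matches selector %q: %w", toCheck, selector.Selector, err)`. The same applies to the identical change in checkIfCreatedAsUniqueValidity (the hunk at line 261 of edge_validity.go). checkProperties starts and ends outside the hunk.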
@@ -261,7 +261,7 @@ func checkIfCreatedAsUniqueValidity(ctx solution_context.SolutionContext, resour match, err := selector.CanUse(solution_context.DynamicCtx(ctx), knowledgebase.DynamicValueData{Resource: currRes.ID}, resource) if err != nil { - return fmt.Errorf("error checking if resource %s matches selector %s: %w", other, selector, err) + return fmt.Errorf("error checking if resource %s matches selector %s: %w", other, selector.Selector, err) } // if its a match for the selectors, lets ensure that it has a dependency and exists in the properties of the rul if !match { diff --git a/pkg/engine2/testdata/2_routes.expect.yaml b/pkg/engine2/testdata/2_routes.expect.yaml index 36f73768e..5489d9bc5 100755 --- a/pkg/engine2/testdata/2_routes.expect.yaml +++ b/pkg/engine2/testdata/2_routes.expect.yaml @@ -50,6 +50,7 @@ resources: IntegrationHttpMethod: POST Method: aws:api_method:rest_api_1:api_method-0 Resource: aws:api_resource:rest_api_1:api_resource-0 + RequestParameters: {} RestApi: aws:rest_api:rest_api_1 Route: /lambda0/api Target: aws:lambda_function:lambda_function_0 @@ -58,6 +59,7 @@ resources: aws:api_integration:rest_api_1:integ1: IntegrationHttpMethod: POST Method: aws:api_method:rest_api_1:api_method-1 + RequestParameters: {} Resource: aws:api_resource:rest_api_1:api_resource-1 RestApi: aws:rest_api:rest_api_1 Route: /lambda1/api diff --git a/pkg/engine2/testdata/ecs_rds.dataflow-viz.yaml b/pkg/engine2/testdata/ecs_rds.dataflow-viz.yaml index 496e888be..f2bc779f3 100755 --- a/pkg/engine2/testdata/ecs_rds.dataflow-viz.yaml +++ b/pkg/engine2/testdata/ecs_rds.dataflow-viz.yaml @@ -12,6 +12,6 @@ resources: parent: vpc/vpc-0 ecs_service/ecs_service_0 -> rds_instance/rds-instance-2: - path: aws:ecs_task_definition:ecs_service_0,aws:iam_role:ecs_service_0-execution-role + path: aws:ecs_task_definition:ecs_service_0,aws:iam_role:ecs_service_0-rds-instance-2 
diff --git a/pkg/engine2/testdata/ecs_rds.expect.yaml b/pkg/engine2/testdata/ecs_rds.expect.yaml index 2e269ea2a..fd92146d1 100755 --- a/pkg/engine2/testdata/ecs_rds.expect.yaml +++ b/pkg/engine2/testdata/ecs_rds.expect.yaml @@ -34,7 +34,7 @@ resources: rds-instance-2_RDS_ENDPOINT: aws:rds_instance:rds-instance-2#Endpoint rds-instance-2_RDS_PASSWORD: aws:rds_instance:rds-instance-2#Password rds-instance-2_RDS_USERNAME: aws:rds_instance:rds-instance-2#Username - ExecutionRole: aws:iam_role:ecs_service_0-execution-role + ExecutionRole: aws:iam_role:ecs_service_0-rds-instance-2 Image: aws:ecr_image:ecs_service_0-image LogGroup: aws:log_group:ecs_service_0-log-group Memory: "512" @@ -46,12 +46,12 @@ resources: Region: aws:region:region-0 RequiresCompatibilities: - FARGATE - TaskRole: aws:iam_role:ecs_service_0-execution-role + TaskRole: aws:iam_role:ecs_service_0-rds-instance-2 aws:ecr_image:ecs_service_0-image: Context: . Dockerfile: ecs_service_0-image.Dockerfile Repo: aws:ecr_repo:ecr_repo-0 - aws:iam_role:ecs_service_0-execution-role: + aws:iam_role:ecs_service_0-rds-instance-2: AssumeRolePolicyDoc: Statement: - Action: 
@@ -78,27 +78,14 @@ resources: RetentionInDays: 5 aws:ecr_repo:ecr_repo-0: ForceDelete: true - aws:availability_zone:region-0:availability_zone-0: - Index: 0 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-1: - Index: 1 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-2: - Index: 2 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-3: - Index: 3 - Region: aws:region:region-0 - aws:region:region-0: aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-0-0-0-0: aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-1-1-1-1: aws:nat_gateway:subnet-2:nat_gateway-route_table-subnet-0-0-0: ElasticIp: aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-0-0-0-0 Subnet: aws:subnet:vpc-0:subnet-2 aws:subnet:vpc-0:subnet-2: - AvailabilityZone: aws:availability_zone:region-0:availability_zone-2 - CidrBlock: "" + AvailabilityZone: aws:availability_zone:region-0:availability_zone-0 + CidrBlock: 10.0.0.0/18 MapPublicIpOnLaunch: false RouteTable: aws:route_table:route_table-subnet-2-2 Type: public @@ -111,14 +98,17 @@ resources: - CidrBlock: 0.0.0.0/0 Gateway: aws:internet_gateway:vpc-0:internet_gateway-0 Vpc: aws:vpc:vpc-0 + aws:availability_zone:region-0:availability_zone-0: + Index: 0 + Region: aws:region:region-0 aws:internet_gateway:vpc-0:internet_gateway-0: Vpc: aws:vpc:vpc-0 aws:nat_gateway:subnet-3:nat_gateway-route_table-subnet-1-1-1: ElasticIp: aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-1-1-1-1 Subnet: aws:subnet:vpc-0:subnet-3 aws:subnet:vpc-0:subnet-3: - AvailabilityZone: aws:availability_zone:region-0:availability_zone-3 - CidrBlock: "" + AvailabilityZone: aws:availability_zone:region-0:availability_zone-1 + CidrBlock: 10.0.64.0/18 MapPublicIpOnLaunch: false RouteTable: aws:route_table:route_table-subnet-3-3 Type: public 
@@ -131,6 +121,10 @@ resources: - CidrBlock: 0.0.0.0/0 Gateway: aws:internet_gateway:vpc-0:internet_gateway-0 Vpc: aws:vpc:vpc-0 + aws:availability_zone:region-0:availability_zone-1: + Index: 1 + Region: aws:region:region-0 + aws:region:region-0: aws:rds_instance:rds-instance-2: AllocatedStorage: 20 DatabaseName: main @@ -175,11 +169,6 @@ resources: Protocol: "-1" ToPort: 0 IngressRules: - - Description: Allow ingress traffic from within the same security group - FromPort: 0 - Protocol: "-1" - Self: true - ToPort: 0 - CidrBlocks: - 10.0.128.0/18 Description: Allow ingress traffic from ip addresses within the subnet subnet-0 @@ -192,6 +181,11 @@ resources: FromPort: 0 Protocol: "-1" ToPort: 0 + - Description: Allow ingress traffic from within the same security group + FromPort: 0 + Protocol: "-1" + Self: true + ToPort: 0 Vpc: aws:vpc:vpc-0 aws:route_table:route_table-subnet-0-0: Routes: 
@@ -215,34 +209,32 @@ edges: aws:ecs_service:ecs_service_0 -> aws:subnet:vpc-0:subnet-0: aws:ecs_service:ecs_service_0 -> aws:subnet:vpc-0:subnet-1: aws:ecs_task_definition:ecs_service_0 -> aws:ecr_image:ecs_service_0-image: - aws:ecs_task_definition:ecs_service_0 -> aws:iam_role:ecs_service_0-execution-role: + aws:ecs_task_definition:ecs_service_0 -> aws:iam_role:ecs_service_0-rds-instance-2: aws:ecs_task_definition:ecs_service_0 -> aws:log_group:ecs_service_0-log-group: aws:ecs_task_definition:ecs_service_0 -> aws:region:region-0: aws:ecr_image:ecs_service_0-image -> aws:ecr_repo:ecr_repo-0: - aws:iam_role:ecs_service_0-execution-role -> aws:rds_instance:rds-instance-2: - aws:availability_zone:region-0:availability_zone-0 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-1 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-2 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-3 -> aws:region:region-0: + aws:iam_role:ecs_service_0-rds-instance-2 -> aws:rds_instance:rds-instance-2: ? aws:nat_gateway:subnet-2:nat_gateway-route_table-subnet-0-0-0 -> aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-0-0-0-0 : aws:nat_gateway:subnet-2:nat_gateway-route_table-subnet-0-0-0 -> aws:subnet:vpc-0:subnet-2: - aws:subnet:vpc-0:subnet-2 -> aws:availability_zone:region-0:availability_zone-2: + aws:subnet:vpc-0:subnet-2 -> aws:availability_zone:region-0:availability_zone-0: aws:subnet:vpc-0:subnet-2 -> aws:route_table_association:subnet-2-route_table-subnet-2-2: aws:subnet:vpc-0:subnet-2 -> aws:vpc:vpc-0: aws:route_table_association:subnet-2-route_table-subnet-2-2 -> aws:route_table:route_table-subnet-2-2: aws:route_table:route_table-subnet-2-2 -> aws:internet_gateway:vpc-0:internet_gateway-0: aws:route_table:route_table-subnet-2-2 -> aws:vpc:vpc-0: + aws:availability_zone:region-0:availability_zone-0 -> aws:region:region-0: aws:internet_gateway:vpc-0:internet_gateway-0 -> aws:vpc:vpc-0: ? 
aws:nat_gateway:subnet-3:nat_gateway-route_table-subnet-1-1-1 -> aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-1-1-1-1 : aws:nat_gateway:subnet-3:nat_gateway-route_table-subnet-1-1-1 -> aws:subnet:vpc-0:subnet-3: - aws:subnet:vpc-0:subnet-3 -> aws:availability_zone:region-0:availability_zone-3: + aws:subnet:vpc-0:subnet-3 -> aws:availability_zone:region-0:availability_zone-1: aws:subnet:vpc-0:subnet-3 -> aws:route_table_association:subnet-3-route_table-subnet-3-3: aws:subnet:vpc-0:subnet-3 -> aws:vpc:vpc-0: aws:route_table_association:subnet-3-route_table-subnet-3-3 -> aws:route_table:route_table-subnet-3-3: aws:route_table:route_table-subnet-3-3 -> aws:internet_gateway:vpc-0:internet_gateway-0: aws:route_table:route_table-subnet-3-3 -> aws:vpc:vpc-0: + aws:availability_zone:region-0:availability_zone-1 -> aws:region:region-0: aws:rds_instance:rds-instance-2 -> aws:rds_subnet_group:rds_subnet_group-0: aws:rds_subnet_group:rds_subnet_group-0 -> aws:subnet:vpc-0:subnet-0: aws:rds_subnet_group:rds_subnet_group-0 -> aws:subnet:vpc-0:subnet-1: diff --git a/pkg/engine2/testdata/ecs_rds.iac-viz.yaml b/pkg/engine2/testdata/ecs_rds.iac-viz.yaml index cbe83a876..8faa223f6 100755 --- a/pkg/engine2/testdata/ecs_rds.iac-viz.yaml +++ b/pkg/engine2/testdata/ecs_rds.iac-viz.yaml @@ -23,12 +23,6 @@ resources: aws:subnet:vpc-0/subnet-1 -> aws:security_group:vpc-0/security_group-rds-instance-2-1: aws:subnet:vpc-0/subnet-1 -> vpc/vpc-0: - aws:availability_zone:region-0/availability_zone-3: - aws:availability_zone:region-0/availability_zone-3 -> region/region-0: - - aws:availability_zone:region-0/availability_zone-2: - aws:availability_zone:region-0/availability_zone-2 -> region/region-0: - rds_subnet_group/rds_subnet_group-0: rds_subnet_group/rds_subnet_group-0 -> aws:subnet:vpc-0/subnet-0: rds_subnet_group/rds_subnet_group-0 -> aws:subnet:vpc-0/subnet-1: 
@@ -36,13 +30,13 @@ resources: elastic_ip/elastic_ip-nat_gateway-route_table-subnet-1-1-1-1: aws:subnet:vpc-0/subnet-3: - aws:subnet:vpc-0/subnet-3 -> aws:availability_zone:region-0/availability_zone-3: + aws:subnet:vpc-0/subnet-3 -> aws:availability_zone:region-0/availability_zone-1: aws:subnet:vpc-0/subnet-3 -> vpc/vpc-0: elastic_ip/elastic_ip-nat_gateway-route_table-subnet-0-0-0-0: aws:subnet:vpc-0/subnet-2: - aws:subnet:vpc-0/subnet-2 -> aws:availability_zone:region-0/availability_zone-2: + aws:subnet:vpc-0/subnet-2 -> aws:availability_zone:region-0/availability_zone-0: aws:subnet:vpc-0/subnet-2 -> vpc/vpc-0: ecr_repo/ecr_repo-0: @@ -65,8 +59,8 @@ resources: ecr_image/ecs_service_0-image: ecr_image/ecs_service_0-image -> ecr_repo/ecr_repo-0: - iam_role/ecs_service_0-execution-role: - iam_role/ecs_service_0-execution-role -> rds_instance/rds-instance-2: + iam_role/ecs_service_0-rds-instance-2: + iam_role/ecs_service_0-rds-instance-2 -> rds_instance/rds-instance-2: log_group/ecs_service_0-log-group: @@ -90,7 +84,7 @@ resources: ecs_task_definition/ecs_service_0: ecs_task_definition/ecs_service_0 -> ecr_image/ecs_service_0-image: - ecs_task_definition/ecs_service_0 -> iam_role/ecs_service_0-execution-role: + ecs_task_definition/ecs_service_0 -> iam_role/ecs_service_0-rds-instance-2: ecs_task_definition/ecs_service_0 -> log_group/ecs_service_0-log-group: ecs_task_definition/ecs_service_0 -> region/region-0: diff --git a/pkg/engine2/testdata/k8s_api.dataflow-viz.yaml b/pkg/engine2/testdata/k8s_api.dataflow-viz.yaml index 4ac49e5ff..d6e6c3931 100755 --- a/pkg/engine2/testdata/k8s_api.dataflow-viz.yaml +++ b/pkg/engine2/testdata/k8s_api.dataflow-viz.yaml 
@@ -8,7 +8,7 @@ resources: parent: vpc/vpc-0 load_balancer/rest-api-4-integbcc77100 -> kubernetes:pod:eks_cluster-0/pod2: - path: aws:load_balancer_listener:rest_api_4_integration_0-pod2,aws:target_group:rest-api-4-integbcc77100,kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2,kubernetes:service:restapi4integration0-pod2 + path: aws:load_balancer_listener:rest_api_4_integration_0-pod2,aws:target_group:rest-api-4-integbcc77100,kubernetes:target_group_binding:restapi4integration0-pod2,kubernetes:service:restapi4integration0-pod2 kubernetes:helm_chart:eks_cluster-0/metricsserver: diff --git a/pkg/engine2/testdata/k8s_api.expect.yaml b/pkg/engine2/testdata/k8s_api.expect.yaml index e949f5943..b3f245a10 100755 --- a/pkg/engine2/testdata/k8s_api.expect.yaml +++ b/pkg/engine2/testdata/k8s_api.expect.yaml @@ -120,8 +120,8 @@ resources: aws:load_balancer:rest-api-4-integbcc77100: Scheme: internal Subnets: - - aws:subnet:vpc-0:subnet-1 - aws:subnet:vpc-0:subnet-0 + - aws:subnet:vpc-0:subnet-1 Type: network aws:load_balancer_listener:rest_api_4_integration_0-pod2: DefaultActions: @@ -143,8 +143,7 @@ resources: Protocol: TCP TargetType: ip Vpc: aws:vpc:vpc-0 - kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2: - Cluster: aws:eks_cluster:eks_cluster-0 + kubernetes:target_group_binding:restapi4integration0-pod2: Object: apiVersion: elbv2.k8s.aws/v1beta1 kind: TargetGroupBinding @@ -286,12 +285,12 @@ resources: - ec2.amazonaws.com Version: "2012-10-17" ManagedPolicies: + - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - arn:aws:iam::aws:policy/AWSCloudMapFullAccess - arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore - - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy aws:iam_role:pod2: AssumeRolePolicyDoc: Statement: 
@@ -453,19 +452,6 @@ resources: - sts.amazonaws.com Cluster: aws:eks_cluster:eks_cluster-0 Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-0: - Index: 0 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-1: - Index: 1 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-2: - Index: 2 - Region: aws:region:region-0 - aws:availability_zone:region-0:availability_zone-3: - Index: 3 - Region: aws:region:region-0 - aws:region:region-0: aws:eks_cluster:eks_cluster-0: ClusterRole: aws:iam_role:ClusterRole-eks_cluster-0 KubeConfig: kubernetes:kube_config:kube_config-eks_cluster-0-0 @@ -516,17 +502,6 @@ resources: Protocol: "-1" ToPort: 0 IngressRules: - - CidrBlocks: - - 0.0.0.0/0 - Description: Allows ingress traffic from the EKS control plane - FromPort: 9443 - Protocol: TCP - ToPort: 9443 - - Description: Allow ingress traffic from within the same security group - FromPort: 0 - Protocol: "-1" - Self: true - ToPort: 0 - CidrBlocks: - 10.0.128.0/18 Description: Allow ingress traffic from ip addresses within the subnet subnet-0 @@ -539,6 +514,17 @@ resources: FromPort: 0 Protocol: "-1" ToPort: 0 + - CidrBlocks: + - 0.0.0.0/0 + Description: Allows ingress traffic from the EKS control plane + FromPort: 9443 + Protocol: TCP + ToPort: 9443 + - Description: Allow ingress traffic from within the same security group + FromPort: 0 + Protocol: "-1" + Self: true + ToPort: 0 Vpc: aws:vpc:vpc-0 aws:route_table:route_table-subnet-0-0: Routes: 
@@ -558,23 +544,29 @@ resources: Subnet: aws:subnet:vpc-0:subnet-3 aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-0-0-0-0: aws:subnet:vpc-0:subnet-2: - AvailabilityZone: aws:availability_zone:region-0:availability_zone-2 - CidrBlock: "" + AvailabilityZone: aws:availability_zone:region-0:availability_zone-0 + CidrBlock: 10.0.0.0/18 MapPublicIpOnLaunch: false RouteTable: aws:route_table:route_table-subnet-2-2 Type: public Vpc: aws:vpc:vpc-0 aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-1-1-1-1: aws:subnet:vpc-0:subnet-3: - AvailabilityZone: aws:availability_zone:region-0:availability_zone-3 - CidrBlock: "" + AvailabilityZone: aws:availability_zone:region-0:availability_zone-1 + CidrBlock: 10.0.64.0/18 MapPublicIpOnLaunch: false RouteTable: aws:route_table:route_table-subnet-3-3 Type: public Vpc: aws:vpc:vpc-0 + aws:availability_zone:region-0:availability_zone-0: + Index: 0 + Region: aws:region:region-0 aws:route_table_association:subnet-2-route_table-subnet-2-2: RouteTable: aws:route_table:route_table-subnet-2-2 Subnet: aws:subnet:vpc-0:subnet-2 + aws:availability_zone:region-0:availability_zone-1: + Index: 1 + Region: aws:region:region-0 aws:route_table_association:subnet-3-route_table-subnet-3-3: RouteTable: aws:route_table:route_table-subnet-3-3 Subnet: aws:subnet:vpc-0:subnet-3 @@ -583,6 +575,7 @@ resources: - CidrBlock: 0.0.0.0/0 Gateway: aws:internet_gateway:vpc-0:internet_gateway-0 Vpc: aws:vpc:vpc-0 + aws:region:region-0: aws:route_table:route_table-subnet-3-3: Routes: - CidrBlock: 0.0.0.0/0 
@@ -622,11 +615,10 @@ edges: aws:load_balancer:rest-api-4-integbcc77100 -> aws:subnet:vpc-0:subnet-0: aws:load_balancer:rest-api-4-integbcc77100 -> aws:subnet:vpc-0:subnet-1: aws:load_balancer_listener:rest_api_4_integration_0-pod2 -> aws:target_group:rest-api-4-integbcc77100: - aws:target_group:rest-api-4-integbcc77100 -> kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2: - kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2 -> aws:eks_cluster:eks_cluster-0: - ? kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2 -> kubernetes:helm_chart:eks_cluster-0:aws-load-balancer-controller - : - kubernetes:target_group_binding:eks_cluster-0:restapi4integration0-pod2 -> kubernetes:service:restapi4integration0-pod2: + aws:target_group:rest-api-4-integbcc77100 -> kubernetes:target_group_binding:restapi4integration0-pod2: + kubernetes:target_group_binding:restapi4integration0-pod2 -> aws:eks_cluster:eks_cluster-0: + kubernetes:target_group_binding:restapi4integration0-pod2 -> kubernetes:helm_chart:eks_cluster-0:aws-load-balancer-controller: + kubernetes:target_group_binding:restapi4integration0-pod2 -> kubernetes:service:restapi4integration0-pod2: kubernetes:helm_chart:eks_cluster-0:aws-load-balancer-controller -> aws:eks_cluster:eks_cluster-0: kubernetes:helm_chart:eks_cluster-0:aws-load-balancer-controller -> aws:region:region-0: ? kubernetes:helm_chart:eks_cluster-0:aws-load-balancer-controller -> kubernetes:service_account:eks_cluster-0:aws-load-balancer-controller 
@@ -652,10 +644,6 @@ edges: aws:iam_role:pod2 -> aws:iam_oidc_provider:eks_cluster-0: aws:iam_oidc_provider:eks_cluster-0 -> aws:eks_cluster:eks_cluster-0: aws:iam_oidc_provider:eks_cluster-0 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-0 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-1 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-2 -> aws:region:region-0: - aws:availability_zone:region-0:availability_zone-3 -> aws:region:region-0: aws:eks_cluster:eks_cluster-0 -> aws:iam_role:ClusterRole-eks_cluster-0: aws:eks_cluster:eks_cluster-0 -> aws:subnet:vpc-0:subnet-0: aws:eks_cluster:eks_cluster-0 -> aws:subnet:vpc-0:subnet-1: 
@@ -682,13 +670,15 @@ edges: ? aws:nat_gateway:subnet-3:nat_gateway-route_table-subnet-1-1-1 -> aws:elastic_ip:elastic_ip-nat_gateway-route_table-subnet-1-1-1-1 : aws:nat_gateway:subnet-3:nat_gateway-route_table-subnet-1-1-1 -> aws:subnet:vpc-0:subnet-3: - aws:subnet:vpc-0:subnet-2 -> aws:availability_zone:region-0:availability_zone-2: + aws:subnet:vpc-0:subnet-2 -> aws:availability_zone:region-0:availability_zone-0: aws:subnet:vpc-0:subnet-2 -> aws:route_table_association:subnet-2-route_table-subnet-2-2: aws:subnet:vpc-0:subnet-2 -> aws:vpc:vpc-0: - aws:subnet:vpc-0:subnet-3 -> aws:availability_zone:region-0:availability_zone-3: + aws:subnet:vpc-0:subnet-3 -> aws:availability_zone:region-0:availability_zone-1: aws:subnet:vpc-0:subnet-3 -> aws:route_table_association:subnet-3-route_table-subnet-3-3: aws:subnet:vpc-0:subnet-3 -> aws:vpc:vpc-0: + aws:availability_zone:region-0:availability_zone-0 -> aws:region:region-0: aws:route_table_association:subnet-2-route_table-subnet-2-2 -> aws:route_table:route_table-subnet-2-2: + aws:availability_zone:region-0:availability_zone-1 -> aws:region:region-0: aws:route_table_association:subnet-3-route_table-subnet-3-3 -> aws:route_table:route_table-subnet-3-3: aws:route_table:route_table-subnet-2-2 -> aws:internet_gateway:vpc-0:internet_gateway-0: aws:route_table:route_table-subnet-2-2 -> aws:vpc:vpc-0: diff --git a/pkg/engine2/testdata/k8s_api.iac-viz.yaml b/pkg/engine2/testdata/k8s_api.iac-viz.yaml index 1acc114f8..7800756cb 100755 --- a/pkg/engine2/testdata/k8s_api.iac-viz.yaml +++ b/pkg/engine2/testdata/k8s_api.iac-viz.yaml 
@@ -45,12 +45,6 @@ resources: iam_role/pod2: iam_role/pod2 -> iam_oidc_provider/eks_cluster-0: - aws:availability_zone:region-0/availability_zone-3: - aws:availability_zone:region-0/availability_zone-3 -> region/region-0: - - aws:availability_zone:region-0/availability_zone-2: - aws:availability_zone:region-0/availability_zone-2 -> region/region-0: - aws:api_resource:rest_api_4/api_resource-0: aws:api_resource:rest_api_4/api_resource-0 -> rest_api/rest_api_4: @@ -77,13 +71,13 @@ resources: elastic_ip/elastic_ip-nat_gateway-route_table-subnet-1-1-1-1: aws:subnet:vpc-0/subnet-3: - aws:subnet:vpc-0/subnet-3 -> aws:availability_zone:region-0/availability_zone-3: + aws:subnet:vpc-0/subnet-3 -> aws:availability_zone:region-0/availability_zone-1: aws:subnet:vpc-0/subnet-3 -> vpc/vpc-0: elastic_ip/elastic_ip-nat_gateway-route_table-subnet-0-0-0-0: aws:subnet:vpc-0/subnet-2: - aws:subnet:vpc-0/subnet-2 -> aws:availability_zone:region-0/availability_zone-2: + aws:subnet:vpc-0/subnet-2 -> aws:availability_zone:region-0/availability_zone-0: aws:subnet:vpc-0/subnet-2 -> vpc/vpc-0: aws:api_method:rest_api_4/rest_api_4_integration_0_method: 
@@ -161,11 +155,11 @@ resources: aws:api_deployment:rest_api_4/api_deployment-0 -> aws:api_method:rest_api_4/rest_api_4_integration_0_method: aws:api_deployment:rest_api_4/api_deployment-0 -> rest_api/rest_api_4: - kubernetes:target_group_binding:eks_cluster-0/restapi4integration0-pod2: - kubernetes:target_group_binding:eks_cluster-0/restapi4integration0-pod2 -> eks_cluster/eks_cluster-0: - kubernetes:target_group_binding:eks_cluster-0/restapi4integration0-pod2 -> target_group/rest-api-4-integbcc77100: - kubernetes:target_group_binding:eks_cluster-0/restapi4integration0-pod2 -> kubernetes:helm_chart:eks_cluster-0/aws-load-balancer-controller: - kubernetes:target_group_binding:eks_cluster-0/restapi4integration0-pod2 -> kubernetes:service/restapi4integration0-pod2: + kubernetes:target_group_binding/restapi4integration0-pod2: + kubernetes:target_group_binding/restapi4integration0-pod2 -> eks_cluster/eks_cluster-0: + kubernetes:target_group_binding/restapi4integration0-pod2 -> target_group/rest-api-4-integbcc77100: + kubernetes:target_group_binding/restapi4integration0-pod2 -> kubernetes:helm_chart:eks_cluster-0/aws-load-balancer-controller: + kubernetes:target_group_binding/restapi4integration0-pod2 -> kubernetes:service/restapi4integration0-pod2: kubernetes:manifest/fluent-bit: kubernetes:manifest/fluent-bit -> eks_cluster/eks_cluster-0: diff --git a/pkg/knowledge_base2/operational_rule.go b/pkg/knowledge_base2/operational_rule.go index 620cb1cca..133e9d74a 100644 --- a/pkg/knowledge_base2/operational_rule.go +++ b/pkg/knowledge_base2/operational_rule.go 
@@ -68,6 +68,9 @@ type ( ResourceSelector struct { Selector string `json:"selector" yaml:"selector"` Properties map[string]any `json:"properties" yaml:"properties"` + // NumPreferred defines the amount of resources that should be preferred to satisfy the selector. + // This number is only used if num needed on the step is not met + NumPreferred int `json:"num_preferred" yaml:"num_preferred"` // Classifications defines the classifications that the rule should be enforced on. Classifications must be specified if resource types is not specified Classifications []string `json:"classifications" yaml:"classifications"` } diff --git a/pkg/knowledge_base2/resource_template.go b/pkg/knowledge_base2/resource_template.go index 62cd3e1c7..5bf1a07a3 100644 --- a/pkg/knowledge_base2/resource_template.go +++ b/pkg/knowledge_base2/resource_template.go @@ -292,14 +292,25 @@ FIELDS: } found = true if len(fields) == i+1 { - return property + // use a clone resource so we can modify the name in case anywhere in the path + // has index strings or map keys + clone := property.Clone() + details := clone.Details() + details.Path = path + return clone } else { properties = property.SubProperties() if len(properties) == 0 { if mp, ok := property.(MapProperty); ok { - return mp.Value() + clone := mp.Value().Clone() + details := clone.Details() + details.Path = path + return clone } else if cp, ok := property.(CollectionProperty); ok { - return cp.Item() + clone := cp.Item().Clone() + details := clone.Details() + details.Path = path + return clone } } } diff --git a/pkg/templates/aws/resources/api_integration.yaml b/pkg/templates/aws/resources/api_integration.yaml index c6c2b9608..24bc6348e 100644 --- a/pkg/templates/aws/resources/api_integration.yaml +++ b/pkg/templates/aws/resources/api_integration.yaml 
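Review bot: The comment on the new `NumPreferred` field should be a doc comment in the usual form, e.g. `// NumPreferred is the number of resources that should be preferred when satisfying the selector.` followed by `// It is only consulted when the step's num_needed is not met.` (full sentences, period at the end). The field is serialized as `num_preferred`, while the eks_cluster.yaml hunk in this commit removes its `preferred:` entries rather than renaming them, so as far as this diff shows no template sets the new key; worth confirming that is intended. The enclosing type block starts and ends outside the hunk.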
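Review bot: The clone-then-set-path sequence is repeated three times in the new code; a small helper that takes the property and path, clones it, sets `Details().Path`, and returns the clone would reduce each site to one line, e.g. `return cloneWithPath(property, path)`. The pattern relies on `Details()` returning a pointer so that `details.Path = path` lands on the clone rather than on a copy — that is implied but not visible in the hunk and deserves a comment at the first site, e.g. `// Details() returns a pointer, so the assignment updates the clone in place`. The enclosing function, including the `path` variable and the FIELDS loop, starts and ends outside the hunk.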
@@ -37,7 +37,7 @@ properties: RequestParameters: type: map(string,string) operational_rule: - Value: | + value: | {{ $params := split (fieldValue "Route" .Self) "/" | filterMatch "^{\\w+\\+?}$" }} {{ zipToMap ($params | mapString "{([^+}]*)\\+?}" "integration.request.path.$1") diff --git a/pkg/templates/aws/resources/eks_cluster.yaml b/pkg/templates/aws/resources/eks_cluster.yaml index 3505e5115..c2877487a 100644 --- a/pkg/templates/aws/resources/eks_cluster.yaml +++ b/pkg/templates/aws/resources/eks_cluster.yaml @@ -22,16 +22,9 @@ properties: operational_rule: step: direction: downstream - num_needed: 4 + num_needed: 2 resources: - selector: aws:subnet - properties: - Type: private - preferred: 2 - - selector: aws:subnet - properties: - Type: public - preferred: 2 SecurityGroups: type: list(resource(aws:security_group)) operational_rule:
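Review bot: Dropping the two `properties: Type: private` / `Type: public` selectors leaves the rule with a single `aws:subnet` selector and `num_needed: 2`, so nothing in the template now expresses a preference for private subnets and the requirement can be met by any two subnets, including two public ones. If the private-first placement was intentional, the `num_preferred` field added to ResourceSelector in this commit looks like the place to keep it, e.g. a second selector with `properties: {Type: private}` and `num_preferred: 2`. The unchanged k8s_api edges still attach the cluster to subnet-0 and subnet-1, so this may be behavior-neutral today, but that is inferred from the fixtures rather than shown by the hunk.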