Report AWS operations with service identity (#258)

otterize · Dec 16, 2024 · 43dbc5b · 43dbc5b
1 parent 31229a3
commit 43dbc5b
Show file tree

Hide file tree

Showing 5 changed files with 118 additions and 26 deletions.
diff --git a/src/mapper/pkg/graph/generated/generated.go b/src/mapper/pkg/graph/generated/generated.go
diff --git a/src/mapper/pkg/graph/model/models_gen.go b/src/mapper/pkg/graph/model/models_gen.go
diff --git a/src/mapper/pkg/resolvers/schema.helpers.resolvers.go b/src/mapper/pkg/resolvers/schema.helpers.resolvers.go
@@ -249,33 +249,42 @@ func (r *Resolver) handleDNSCaptureResultsAsExternalTraffic(_ context.Context, d
 // ReportAWSOperation is the resolver for the reportAWSOperation field.
 func (r *Resolver) handleAWSOperationReport(ctx context.Context, operation model.AWSOperationResults) error {
 	for _, op := range operation {
-		logrus.Debugf("Received AWS operation: %+v", op)
-		srcPod, err := r.kubeFinder.ResolveIPToPod(ctx, op.SrcIP)
+		var serviceIdentity model.OtterizeServiceIdentity
 
-		if err != nil {
-			logrus.Errorf("could not resolve %s to pod: %s", op.SrcIP, err.Error())
-			continue
-		}
+		if op.Client != nil {
+			serviceIdentity.Name = op.Client.Name
+			serviceIdentity.Namespace = op.Client.Namespace
+		} else if op.SrcIP != nil {
+			srcPod, err := r.kubeFinder.ResolveIPToPod(ctx, *op.SrcIP)
 
-		serviceId, err := r.serviceIdResolver.ResolvePodToServiceIdentity(ctx, srcPod)
+			if err != nil {
+				logrus.Errorf("could not resolve IP %s to pod: %s", *op.SrcIP, err.Error())
+				continue
+			}
 
-		if err != nil {
-			logrus.Errorf("could not resolve pod %s to identity: %s", srcPod.Name, err.Error())
+			serviceId, err := r.serviceIdResolver.ResolvePodToServiceIdentity(ctx, srcPod)
+
+			if err != nil {
+				logrus.Errorf("could not resolve pod %s to identity: %s", srcPod.Name, err.Error())
+				continue
+			}
+
+			serviceIdentity.Name = serviceId.Name
+			serviceIdentity.Namespace = srcPod.Namespace
+		} else {
+			logrus.Error("Invalid AWS operation report: both srcIP and client are nil")
 			continue
 		}
 
 		r.awsIntentsHolder.AddIntent(awsintentsholder.AWSIntent{
-			Client: model.OtterizeServiceIdentity{
-				Name:      serviceId.Name,
-				Namespace: srcPod.Namespace,
-			},
+			Client:  serviceIdentity,
 			Actions: op.Actions,
 			ARN:     op.Resource,
 		})
 
 		logrus.
-			WithField("client", serviceId.Name).
-			WithField("namespace", srcPod.Namespace).
+			WithField("clientName", serviceIdentity.Name).
+			WithField("clientNamespace", serviceIdentity.Namespace).
 			WithField("actions", op.Actions).
 			WithField("arn", op.Resource).
 			Debug("Discovered AWS intent")

diff --git a/src/mapperclient/generated.go b/src/mapperclient/generated.go
diff --git a/src/mappergraphql/schema.graphql b/src/mappergraphql/schema.graphql
@@ -152,10 +152,16 @@ input IstioConnectionResults {
     results: [IstioConnection!]!
 }
 
+input NamespacedName {
+    name: String!
+    namespace: String!
+}
+
 input AWSOperation {
     resource: String!
     actions: [String!]!
-    srcIp: String!
+    srcIp: String
+    client: NamespacedName
 }
 
 input ServerFilter {