EC2 network ACL: Use get method to access dict keys to prevent exception #1392
Conversation
| 'Id': f"{network_acl['NetworkAclId']}/{direction}/{rule.get('RuleNumber')}", | ||
| 'CidrBlock': rule.get('CidrBlock'), | ||
| 'Egress': rule.get('Egress'), | ||
| 'Protocol': rule.get('Protocol'), | ||
| 'RuleAction': rule.get('RuleAction'), | ||
| 'RuleNumber': rule.get('RuleNumber'), | ||
| # Add pointer back to the nacl to create an edge |
There was a problem hiding this comment.
switching to get comes with the question: what's the default value? And what's the implication of having such broken / default data in our DB?
I think the data model for this is defined here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
CIDR block is indicated as "Conditional", and it looks like either this field or Ipv6CidrBlock must be present. So we should update our code here to take one or another instead.
There was a problem hiding this comment.
Probably worth reviewing the rest of the parameters too.
There was a problem hiding this comment.
I wouldn't consider this data as "broken". We trust the incoming data from the AWS ACLs API, considering the optional fields. Any required transformations or enrichments can be performed ad hoc by the client consuming this data.
There was a problem hiding this comment.
Having said that, not sure if a validator / enrichment function for to consider the edge cases (like CidrBlock not being present) will actually be valuable here. 🤔
WDYT?
There was a problem hiding this comment.
I think the question here is whether cartography should provide an accurate representation of the AWS data and its constraints.
If so, then we should adhere to what @kledo-lyft and provide some kind of validation to spot the cases where we don't get any of the two values. If not, then it's fine to just store the data as is and let the cartography consumers think about this.
I think the first option is better. Even though it can mean more maintenance work, consumers can be sure the data is as accurate as possible to AWS and it will also make easier to spot any bug when the data we're storing doesn't follow these constraints.
There was a problem hiding this comment.
@cmm-lyft Sorry for the crash and thanks for working on this. It's annoying that AWS APIs are inconsistent and sometimes leave out entire fields.
I think the data model for this is defined here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
CIDR block is indicated as "Conditional", and it looks like either this field or Ipv6CidrBlock must be present. So we should update our code here to take one or another instead.
@kledo-lyft - good catch. I was referring to https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_NetworkAclEntry.html when I wrote this code. It looks like the cloudformation docs are better.
This fix is simple:
- do a
.get('CidrBlock'). - do a
.get('Ipv6CidrBlock'). - leave everything else the same (unless we know there are others where the API leaves it out).
- update to have an ipv6cidrblock field
This works because the neo4j python driver treats Nones as if the field does not even exist, so assuming that the aws conditional is correct, our end result is that the node written to the graph will have either cidrblock or ipv6cidrblock but not both.
As seen here, cidrblock and ipv6cidrblock are both not id fields so it's ok for these to be None.
| 'Id': f"{network_acl['NetworkAclId']}/{direction}/{rule.get('RuleNumber')}", | ||
| 'CidrBlock': rule.get('CidrBlock'), | ||
| 'Egress': rule.get('Egress'), | ||
| 'Protocol': rule.get('Protocol'), | ||
| 'RuleAction': rule.get('RuleAction'), | ||
| 'RuleNumber': rule.get('RuleNumber'), | ||
| # Add pointer back to the nacl to create an edge |
There was a problem hiding this comment.
@cmm-lyft Sorry for the crash and thanks for working on this. It's annoying that AWS APIs are inconsistent and sometimes leave out entire fields.
I think the data model for this is defined here:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html
CIDR block is indicated as "Conditional", and it looks like either this field or Ipv6CidrBlock must be present. So we should update our code here to take one or another instead.
@kledo-lyft - good catch. I was referring to https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_NetworkAclEntry.html when I wrote this code. It looks like the cloudformation docs are better.
This fix is simple:
- do a
.get('CidrBlock'). - do a
.get('Ipv6CidrBlock'). - leave everything else the same (unless we know there are others where the API leaves it out).
- update to have an ipv6cidrblock field
This works because the neo4j python driver treats Nones as if the field does not even exist, so assuming that the aws conditional is correct, our end result is that the node written to the graph will have either cidrblock or ipv6cidrblock but not both.
As seen here, cidrblock and ipv6cidrblock are both not id fields so it's ok for these to be None.
cmm-lyft
force-pushed
the
fix_key_error
branch
from
b5ba758 to
6ede90a
Compare
|
@achantavy done! |
achantavy
changed the title
| cidrblock: PropertyRef = PropertyRef('CidrBlock') | ||
| Ipv6CidrBlock: PropertyRef = PropertyRef('Ipv6CidrBlock') | ||
| egress: PropertyRef = PropertyRef('Egress') |
There was a problem hiding this comment.
@cmm-lyft a bit late to comment but probably more consistent to use lowercase ip. If we haven't cut a release, maybe can still do a quick fix?
There was a problem hiding this comment.
oh yeah good catch. lol sorry i got too eager with the approval
…ion (cartography-cncf#1392) ### Summary Correcting error: ``` File "/code/venvs/venv/lib/python3.10/site-packages/cartography/intel/aws/ec2/network_acls.py", line 72, in transform_network_acl_data 'CidrBlock': rule['CidrBlock'], KeyError: 'CidrBlock' ``` ### Checklist Provide proof that this works (this makes reviews move faster). Please perform one or more of the following: - [ ] Update/add unit or integration tests. - [ ] Include a screenshot showing what the graph looked like before and after your changes. - [ ] Include console log trace showing what happened before and after your changes. If you are changing a node or relationship: - [ ] Update the [schema](https://github.com/lyft/cartography/tree/master/docs/root/modules) and [readme](https://github.com/lyft/cartography/blob/master/docs/schema/README.md). If you are implementing a new intel module: - [ ] Use the NodeSchema [data model](https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html#defining-a-node). Signed-off-by: cmm-lyft <[email protected]>
### Summary Fixing typo #1392 (comment) ### Related issues or links > Include links to relevant issues or other pages. - https://github.com/lyft/cartography/issues/... ### Checklist Provide proof that this works (this makes reviews move faster). Please perform one or more of the following: - [ ] Update/add unit or integration tests. - [ ] Include a screenshot showing what the graph looked like before and after your changes. - [ ] Include console log trace showing what happened before and after your changes. If you are changing a node or relationship: - [ ] Update the [schema](https://github.com/lyft/cartography/tree/master/docs/root/modules) and [readme](https://github.com/lyft/cartography/blob/master/docs/schema/README.md). If you are implementing a new intel module: - [ ] Use the NodeSchema [data model](https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html#defining-a-node). ---------
Summary
Correcting error:
Checklist
Provide proof that this works (this makes reviews move faster). Please perform one or more of the following:
If you are changing a node or relationship:
If you are implementing a new intel module: