feat: added CloudformationPolicyCollector

package.json

@@ -30,6 +30,7 @@
   "dependencies": {
     "@aws-sdk/client-api-gateway": "^3.58.0",
     "@aws-sdk/client-backup": "^3.58.0",
+    "@aws-sdk/client-cloudformation": "^3.58.0",
     "@aws-sdk/client-cloudwatch-logs": "^3.58.0",
     "@aws-sdk/client-codeartifact": "^3.58.0",
     "@aws-sdk/client-codebuild": "^3.58.0",

src/cloudformation/index.ts

@@ -0,0 +1,56 @@
+import {
+  CloudFormationClient,
+  CloudFormationClientConfig,
+  GetStackPolicyCommand,
+  paginateListStacks,
+} from '@aws-sdk/client-cloudformation';
+import { BasePolicyCollector, ServicePoliciesResult } from '../core';
+
+export class CloudformationPolicyCollector extends BasePolicyCollector {
+  private client: CloudFormationClient;
+
+  constructor(clientConfig?: CloudFormationClientConfig) {
+    super({ serviceName: 'cloudformation' });
+    this.client = new CloudFormationClient(clientConfig || {});
+  }
+
+  private async listStacks() {
+    const paginator = paginateListStacks({ client: this.client }, {});
+    const stacks = [];
+    for await (const page of paginator) {
+      stacks.push(...(page.StackSummaries || []));
+    }
+    return stacks;
+  }
+
+  private async getStackPolicy(stackName: string) {
+    const response = await this.client.send(
+      new GetStackPolicyCommand({
+        StackName: stackName,
+      }),
+    );
+    return response.StackPolicyBody;
+  }
+
+  public async run(): Promise<ServicePoliciesResult> {
+    const result: ServicePoliciesResult = {
+      serviceName: this.serviceName,
+      resources: [],
+    };
+    try {
+      const stacks = await this.listStacks();
+      for (const s of stacks) {
+        const stackPolicy = await this.getStackPolicy(s.StackName!);
+        if (!stackPolicy) continue;
+        result.resources.push({
+          type: 'Cloudformation::StackPolicy', // Note there is no-such CF resource type
+          id: s.StackName!,
+          policy: stackPolicy,
+        });
+      }
+    } catch (err) {
+      result.error = JSON.stringify(err);
+    }
+    return result;
+  }
+}

src/index.ts

@@ -1,5 +1,6 @@
 import { ApiGatewayPolicyCollector } from './apigateway';
 import { BackupPolicyCollector } from './backup';
+import { CloudformationPolicyCollector } from './cloudformation';
 import { CloudWatchLogsPolicyCollector } from './logs';
 import { CodeArtifactPolicyCollector } from './codeartifact';
 import { CodeBuildPolicyCollector } from './codebuild';
@@ -28,6 +29,7 @@ export const collect = async (config?: { region?: string }) => {
   const collectors = [
     new ApiGatewayPolicyCollector(config),
     new BackupPolicyCollector(config),
+    new CloudformationPolicyCollector(config),
     new CloudWatchLogsPolicyCollector(config),
     new CodeArtifactPolicyCollector(config),
     new CodeBuildPolicyCollector(config),

yarn.lock

@@ -230,6 +230,50 @@
     tslib "^2.3.1"
     uuid "^8.3.2"
 
+"@aws-sdk/client-cloudformation@^3.58.0":
+  version "3.154.0"
+  resolved "https://registry.yarnpkg.com/@aws-sdk/client-cloudformation/-/client-cloudformation-3.154.0.tgz#cd8ed0ec0956214c788e75d7946794cea0ea8659"
+  integrity sha512-Dc6bF0wqbkZUUIp6qsTKXZUsGLUg8oclMVOQrQBLdfQZGn7fyI2oEOBup+ELf+5cdmuExO5lyO1WtKpqI2Iyhg==
+  dependencies:
+    "@aws-crypto/sha256-browser" "2.0.0"
+    "@aws-crypto/sha256-js" "2.0.0"
+    "@aws-sdk/client-sts" "3.154.0"
+    "@aws-sdk/config-resolver" "3.130.0"
+    "@aws-sdk/credential-provider-node" "3.154.0"
+    "@aws-sdk/fetch-http-handler" "3.131.0"
+    "@aws-sdk/hash-node" "3.127.0"
+    "@aws-sdk/invalid-dependency" "3.127.0"
+    "@aws-sdk/middleware-content-length" "3.127.0"
+    "@aws-sdk/middleware-host-header" "3.127.0"
+    "@aws-sdk/middleware-logger" "3.127.0"
+    "@aws-sdk/middleware-recursion-detection" "3.127.0"
+    "@aws-sdk/middleware-retry" "3.127.0"
+    "@aws-sdk/middleware-serde" "3.127.0"
+    "@aws-sdk/middleware-signing" "3.130.0"
+    "@aws-sdk/middleware-stack" "3.127.0"
+    "@aws-sdk/middleware-user-agent" "3.127.0"
+    "@aws-sdk/node-config-provider" "3.127.0"
+    "@aws-sdk/node-http-handler" "3.127.0"
+    "@aws-sdk/protocol-http" "3.127.0"
+    "@aws-sdk/smithy-client" "3.142.0"
+    "@aws-sdk/types" "3.127.0"
+    "@aws-sdk/url-parser" "3.127.0"
+    "@aws-sdk/util-base64-browser" "3.109.0"
+    "@aws-sdk/util-base64-node" "3.55.0"
+    "@aws-sdk/util-body-length-browser" "3.154.0"
+    "@aws-sdk/util-body-length-node" "3.55.0"
+    "@aws-sdk/util-defaults-mode-browser" "3.142.0"
+    "@aws-sdk/util-defaults-mode-node" "3.142.0"
+    "@aws-sdk/util-user-agent-browser" "3.127.0"
+    "@aws-sdk/util-user-agent-node" "3.127.0"
+    "@aws-sdk/util-utf8-browser" "3.109.0"
+    "@aws-sdk/util-utf8-node" "3.109.0"
+    "@aws-sdk/util-waiter" "3.127.0"
+    entities "2.2.0"
+    fast-xml-parser "3.19.0"
+    tslib "^2.3.1"
+    uuid "^8.3.2"
+
 "@aws-sdk/client-cloudwatch-logs@^3.58.0":
   version "3.58.0"
   resolved "https://registry.yarnpkg.com/@aws-sdk/client-cloudwatch-logs/-/client-cloudwatch-logs-3.58.0.tgz#086184178761915b82c37f178da4776cedecfd93"
@@ -2355,6 +2399,15 @@
     "@aws-sdk/util-buffer-from" "3.55.0"
     tslib "^2.3.1"
 
+"@aws-sdk/[email protected]":
+  version "3.127.0"
+  resolved "https://registry.yarnpkg.com/@aws-sdk/util-waiter/-/util-waiter-3.127.0.tgz#3485ebb614cc417fee397daf61ba4ca3aa5bbedb"
+  integrity sha512-E5qrRpBJS8dmClqSDW1pWVMKzCG/mxabG6jVUtlW/WLHnl/znxGaOQc6tnnwKik0nEq/4DpT9fEfPUz9JiLrkw==
+  dependencies:
+    "@aws-sdk/abort-controller" "3.127.0"
+    "@aws-sdk/types" "3.127.0"
+    tslib "^2.3.1"
+
 "@aws-sdk/[email protected]":
   version "3.55.0"
   resolved "https://registry.yarnpkg.com/@aws-sdk/util-waiter/-/util-waiter-3.55.0.tgz#0e48a8ce98931f99cfbcad750222fd1f0b237fda"