Update AWS EC2 keypair sync to use the new data model (#1424)

### Summary
> Describe your changes.

Updates EC2 key pair sync to use the data model.

Fixes an issue that created duplicate key pairs because the older
version of the key pair sync had extra node labels but the
EC2KeyPairInstance model did not:

![image](https://github.com/user-attachments/assets/b9a004bc-de4a-458d-a7d1-9c6728548ba8)

### Checklist

Provide proof that this works (this makes reviews move faster). Please
perform one or more of the following:
- [x] Update/add unit or integration tests.
- [ ] Include a screenshot showing what the graph looked like before and
after your changes.
- [ ] Include console log trace showing what happened before and after
your changes.

If you are changing a node or relationship:
- [ ] Update the
[schema](https://github.com/lyft/cartography/tree/master/docs/root/modules)
and
[readme](https://github.com/lyft/cartography/blob/master/docs/schema/README.md).

If you are implementing a new intel module:
- [x] Use the NodeSchema [data
model](https://cartography-cncf.github.io/cartography/dev/writing-intel-modules.html#defining-a-node).

---------

Signed-off-by: Alex Chantavy <[email protected]>

Author: achantavy

cartography/intel/aws/ec2/instances.py

@@ -13,7 +13,7 @@
 from cartography.intel.aws.ec2.util import get_botocore_config
 from cartography.models.aws.ec2.auto_scaling_groups import EC2InstanceAutoScalingGroupSchema
 from cartography.models.aws.ec2.instances import EC2InstanceSchema
-from cartography.models.aws.ec2.keypairs import EC2KeyPairSchema
+from cartography.models.aws.ec2.keypair_instance import EC2KeyPairInstanceSchema
 from cartography.models.aws.ec2.networkinterface_instance import EC2NetworkInterfaceInstanceSchema
 from cartography.models.aws.ec2.reservations import EC2ReservationSchema
 from cartography.models.aws.ec2.securitygroup_instance import EC2SecurityGroupInstanceSchema
@@ -193,16 +193,17 @@ def load_ec2_subnets(
 
 
 @timeit
-def load_ec2_key_pairs(
+def load_ec2_keypair_instances(
         neo4j_session: neo4j.Session,
         key_pair_list: List[Dict[str, Any]],
         region: str,
         current_aws_account_id: str,
         update_tag: int,
 ) -> None:
+    # Load EC2 keypairs as known by describe-instances.
     load(
         neo4j_session,
-        EC2KeyPairSchema(),
+        EC2KeyPairInstanceSchema(),
         key_pair_list,
         Region=region,
         AWS_ID=current_aws_account_id,
@@ -299,7 +300,7 @@ def load_ec2_instance_data(
     load_ec2_instance_nodes(neo4j_session, instance_list, region, current_aws_account_id, update_tag)
     load_ec2_subnets(neo4j_session, subnet_list, region, current_aws_account_id, update_tag)
     load_ec2_security_groups(neo4j_session, sg_list, region, current_aws_account_id, update_tag)
-    load_ec2_key_pairs(neo4j_session, key_pair_list, region, current_aws_account_id, update_tag)
+    load_ec2_keypair_instances(neo4j_session, key_pair_list, region, current_aws_account_id, update_tag)
     load_ec2_network_interfaces(neo4j_session, nic_list, region, current_aws_account_id, update_tag)
     load_ec2_instance_ebs_volumes(neo4j_session, ebs_volumes_list, region, current_aws_account_id, update_tag)
 

cartography/intel/aws/ec2/key_pairs.py

@@ -1,13 +1,14 @@
 import logging
+from typing import Any
 from typing import Dict
-from typing import List
 
 import boto3
 import neo4j
 
-from .util import get_botocore_config
+from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
-from cartography.models.aws.ec2.keypairs import EC2KeyPairSchema
+from cartography.intel.aws.ec2.util import get_botocore_config
+from cartography.models.aws.ec2.keypair import EC2KeyPairSchema
 from cartography.util import aws_handle_regions
 from cartography.util import timeit
 
@@ -16,42 +17,45 @@
 
 @timeit
 @aws_handle_regions
-def get_ec2_key_pairs(boto3_session: boto3.session.Session, region: str) -> List[Dict]:
+def get_ec2_key_pairs(boto3_session: boto3.session.Session, region: str) -> list[dict[str, Any]]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     return client.describe_key_pairs()['KeyPairs']
 
 
+def transform_ec2_key_pairs(
+        key_pairs: list[dict[str, Any]],
+        region: str,
+        current_aws_account_id: str,
+) -> list[dict[str, Any]]:
+    transformed_key_pairs = []
+    for key_pair in key_pairs:
+        key_name = key_pair["KeyName"]
+        transformed_key_pairs.append({
+            'KeyPairArn': f'arn:aws:ec2:{region}:{current_aws_account_id}:key-pair/{key_name}',
+            'KeyName': key_name,
+            'KeyFingerprint': key_pair.get("KeyFingerprint"),
+        })
+    return transformed_key_pairs
+
+
 @timeit
 def load_ec2_key_pairs(
-    neo4j_session: neo4j.Session, data: List[Dict], region: str, current_aws_account_id: str,
-    update_tag: int,
+        neo4j_session: neo4j.Session,
+        data: list[dict[str, Any]],
+        region: str,
+        current_aws_account_id: str,
+        update_tag: int,
 ) -> None:
-    ingest_key_pair = """
-    MERGE (keypair:KeyPair:EC2KeyPair{arn: $ARN, id: $ARN})
-    ON CREATE SET keypair.firstseen = timestamp()
-    SET keypair.keyname = $KeyName, keypair.keyfingerprint = $KeyFingerprint, keypair.region = $Region,
-    keypair.lastupdated = $update_tag
-    WITH keypair
-    MATCH (aa:AWSAccount{id: $AWS_ACCOUNT_ID})
-    MERGE (aa)-[r:RESOURCE]->(keypair)
-    ON CREATE SET r.firstseen = timestamp()
-    SET r.lastupdated = $update_tag
-    """
-
-    for key_pair in data:
-        key_name = key_pair["KeyName"]
-        key_fingerprint = key_pair.get("KeyFingerprint")
-        key_pair_arn = f'arn:aws:ec2:{region}:{current_aws_account_id}:key-pair/{key_name}'
-
-        neo4j_session.run(
-            ingest_key_pair,
-            ARN=key_pair_arn,
-            KeyName=key_name,
-            KeyFingerprint=key_fingerprint,
-            AWS_ACCOUNT_ID=current_aws_account_id,
-            Region=region,
-            update_tag=update_tag,
-        )
+    # Load EC2 keypairs as known by describe-key-pairs
+    logger.info(f"Loading {len(data)} EC2 keypairs for region '{region}' into graph.")
+    load(
+        neo4j_session,
+        EC2KeyPairSchema(),
+        data,
+        Region=region,
+        AWS_ID=current_aws_account_id,
+        lastupdated=update_tag,
+    )
 
 
 @timeit
@@ -61,11 +65,16 @@ def cleanup_ec2_key_pairs(neo4j_session: neo4j.Session, common_job_parameters: D
 
 @timeit
 def sync_ec2_key_pairs(
-    neo4j_session: neo4j.Session, boto3_session: boto3.session.Session, regions: List[str], current_aws_account_id: str,
-    update_tag: int, common_job_parameters: Dict,
+    neo4j_session: neo4j.Session,
+    boto3_session: boto3.session.Session,
+    regions: list[str],
+    current_aws_account_id: str,
+    update_tag: int,
+    common_job_parameters: dict[str, Any],
 ) -> None:
     for region in regions:
         logger.info("Syncing EC2 key pairs for region '%s' in account '%s'.", region, current_aws_account_id)
         data = get_ec2_key_pairs(boto3_session, region)
-        load_ec2_key_pairs(neo4j_session, data, region, current_aws_account_id, update_tag)
+        transformed_data = transform_ec2_key_pairs(data, region, current_aws_account_id)
+        load_ec2_key_pairs(neo4j_session, transformed_data, region, current_aws_account_id, update_tag)
     cleanup_ec2_key_pairs(neo4j_session, common_job_parameters)

cartography/models/aws/ec2/keypairs.py renamed to cartography/models/aws/ec2/keypair.py

@@ -3,19 +3,23 @@
 from cartography.models.core.common import PropertyRef
 from cartography.models.core.nodes import CartographyNodeProperties
 from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
 from cartography.models.core.relationships import CartographyRelProperties
 from cartography.models.core.relationships import CartographyRelSchema
 from cartography.models.core.relationships import LinkDirection
 from cartography.models.core.relationships import make_target_node_matcher
-from cartography.models.core.relationships import OtherRelationships
 from cartography.models.core.relationships import TargetNodeMatcher
 
 
 @dataclass(frozen=True)
 class EC2KeyPairNodeProperties(CartographyNodeProperties):
+    """
+    Properties for EC2 keypairs from describe-key-pairs
+    """
     id: PropertyRef = PropertyRef('KeyPairArn')
     arn: PropertyRef = PropertyRef('KeyPairArn', extra_index=True)
     keyname: PropertyRef = PropertyRef('KeyName')
+    keyfingerprint: PropertyRef = PropertyRef('KeyFingerprint')
     region: PropertyRef = PropertyRef('Region', set_in_kwargs=True)
     lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
 
@@ -27,38 +31,24 @@ class EC2KeyPairToAwsAccountRelProperties(CartographyRelProperties):
 
 @dataclass(frozen=True)
 class EC2KeyPairToAWSAccount(CartographyRelSchema):
+    """
+    Relationship schema for EC2 keypairs to AWS Accounts
+    """
     target_node_label: str = 'AWSAccount'
     target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
         {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
     )
     direction: LinkDirection = LinkDirection.INWARD
-    rel_label: str = "RESOURCE"
+    rel_label: str = 'RESOURCE'
     properties: EC2KeyPairToAwsAccountRelProperties = EC2KeyPairToAwsAccountRelProperties()
 
 
-@dataclass(frozen=True)
-class EC2KeyPairToEC2InstanceRelProperties(CartographyRelProperties):
-    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
-
-
-@dataclass(frozen=True)
-class EC2KeyPairToEC2Instance(CartographyRelSchema):
-    target_node_label: str = 'EC2Instance'
-    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
-        {'id': PropertyRef('InstanceId')},
-    )
-    direction: LinkDirection = LinkDirection.OUTWARD
-    rel_label: str = "SSH_LOGIN_TO"
-    properties: EC2KeyPairToEC2InstanceRelProperties = EC2KeyPairToEC2InstanceRelProperties()
-
-
 @dataclass(frozen=True)
 class EC2KeyPairSchema(CartographyNodeSchema):
+    """
+    Schema for EC2 keypairs from describe-key-pairs
+    """
     label: str = 'EC2KeyPair'
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(['KeyPair'])
     properties: EC2KeyPairNodeProperties = EC2KeyPairNodeProperties()
     sub_resource_relationship: EC2KeyPairToAWSAccount = EC2KeyPairToAWSAccount()
-    other_relationships: OtherRelationships = OtherRelationships(
-        [
-            EC2KeyPairToEC2Instance(),
-        ],
-    )

cartography/models/aws/ec2/keypair_instance.py

@@ -0,0 +1,69 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.nodes import ExtraNodeLabels
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('KeyPairArn')
+    arn: PropertyRef = PropertyRef('KeyPairArn', extra_index=True)
+    keyname: PropertyRef = PropertyRef('KeyName')
+    region: PropertyRef = PropertyRef('Region', set_in_kwargs=True)
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceToAwsAccountRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceToAWSAccount(CartographyRelSchema):
+    target_node_label: str = 'AWSAccount'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('AWS_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "RESOURCE"
+    properties: EC2KeyPairInstanceToAwsAccountRelProperties = EC2KeyPairInstanceToAwsAccountRelProperties()
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceToEC2InstanceRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceToEC2Instance(CartographyRelSchema):
+    target_node_label: str = 'EC2Instance'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('InstanceId')},
+    )
+    direction: LinkDirection = LinkDirection.OUTWARD
+    rel_label: str = "SSH_LOGIN_TO"
+    properties: EC2KeyPairInstanceToEC2InstanceRelProperties = EC2KeyPairInstanceToEC2InstanceRelProperties()
+
+
+@dataclass(frozen=True)
+class EC2KeyPairInstanceSchema(CartographyNodeSchema):
+    """
+    EC2 keypairs as known by describe-instances.
+    """
+    label: str = 'EC2KeyPair'
+    extra_node_labels: ExtraNodeLabels = ExtraNodeLabels(['KeyPair'])
+    properties: EC2KeyPairInstanceNodeProperties = EC2KeyPairInstanceNodeProperties()
+    sub_resource_relationship: EC2KeyPairInstanceToAWSAccount = EC2KeyPairInstanceToAWSAccount()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            EC2KeyPairInstanceToEC2Instance(),
+        ],
+    )

tests/integration/cartography/intel/aws/ec2/test_ec2_key_pairs.py

@@ -1,5 +1,9 @@
+from unittest.mock import MagicMock
+from unittest.mock import patch
+
 import cartography.intel.aws.ec2
 import tests.data.aws.ec2.key_pairs
+from cartography.intel.aws.ec2.key_pairs import sync_ec2_key_pairs
 from cartography.util import run_analysis_job
 
 
@@ -8,15 +12,26 @@
 TEST_UPDATE_TAG = 123456789
 
 
-def test_load_ec2_key_pairs(neo4j_session, *args):
-    data = tests.data.aws.ec2.key_pairs.DESCRIBE_KEY_PAIRS['KeyPairs']
-    cartography.intel.aws.ec2.key_pairs.load_ec2_key_pairs(
+@patch.object(
+    cartography.intel.aws.ec2.key_pairs,
+    'get_ec2_key_pairs',
+    return_value=tests.data.aws.ec2.key_pairs.DESCRIBE_KEY_PAIRS['KeyPairs'],
+)
+def test_sync_ec2_key_pairs(mock_key_pairs, neo4j_session):
+    # Arrange
+    boto3_session = MagicMock()
+
+    # Act
+    sync_ec2_key_pairs(
         neo4j_session,
-        data,
-        TEST_REGION,
+        boto3_session,
+        [TEST_REGION],
         TEST_ACCOUNT_ID,
         TEST_UPDATE_TAG,
+        {'UPDATE_TAG': TEST_UPDATE_TAG, 'AWS_ID': TEST_ACCOUNT_ID},
     )
+
+    # Assert
     expected_nodes = {
         (
             "arn:aws:ec2:us-east-1:000000000000:key-pair/sample_key_pair_1",
@@ -51,20 +66,31 @@ def test_load_ec2_key_pairs(neo4j_session, *args):
     assert actual_nodes == expected_nodes
 
 
-def test_ec2_key_pairs_analysis_job(neo4j_session, *args):
-    data = tests.data.aws.ec2.key_pairs.DESCRIBE_KEY_PAIRS['KeyPairs']
-    cartography.intel.aws.ec2.key_pairs.load_ec2_key_pairs(
+@patch.object(
+    cartography.intel.aws.ec2.key_pairs,
+    'get_ec2_key_pairs',
+    return_value=tests.data.aws.ec2.key_pairs.DESCRIBE_KEY_PAIRS['KeyPairs'],
+)
+def test_ec2_key_pairs_analysis_job(mock_key_pairs, neo4j_session):
+    # Arrange
+    boto3_session = MagicMock()
+    sync_ec2_key_pairs(
         neo4j_session,
-        data,
-        TEST_REGION,
+        boto3_session,
+        [TEST_REGION],
         TEST_ACCOUNT_ID,
         TEST_UPDATE_TAG,
+        {'UPDATE_TAG': TEST_UPDATE_TAG, 'AWS_ID': TEST_ACCOUNT_ID},
     )
+
+    # Act
     run_analysis_job(
         'aws_ec2_keypair_analysis.json',
         neo4j_session,
         {'UPDATE_TAG': TEST_UPDATE_TAG},
     )
+
+    # Assert
     expected_nodes = {
         (
             "arn:aws:ec2:us-east-1:000000000000:key-pair/sample_key_pair_4",