someengineering
diff --git a/‎plugins/aws/resoto_plugin_aws/collector.py
Lines changed: 12 additions & 3 deletions b/‎plugins/aws/resoto_plugin_aws/collector.py
Lines changed: 12 additions & 3 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/apigateway.py
Lines changed: 46 additions & 7 deletions b/‎plugins/aws/resoto_plugin_aws/resource/apigateway.py
Lines changed: 46 additions & 7 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/athena.py
Lines changed: 22 additions & 6 deletions b/‎plugins/aws/resoto_plugin_aws/resource/athena.py
Lines changed: 22 additions & 6 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/autoscaling.py
Lines changed: 11 additions & 3 deletions b/‎plugins/aws/resoto_plugin_aws/resource/autoscaling.py
Lines changed: 11 additions & 3 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/base.py
Lines changed: 12 additions & 4 deletions b/‎plugins/aws/resoto_plugin_aws/resource/base.py
Lines changed: 12 additions & 4 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/cloudformation.py
Lines changed: 12 additions & 4 deletions b/‎plugins/aws/resoto_plugin_aws/resource/cloudformation.py
Lines changed: 12 additions & 4 deletions
diff --git a/‎plugins/aws/resoto_plugin_aws/resource/cloudwatch.py
Lines changed: 11 additions & 3 deletions b/‎plugins/aws/resoto_plugin_aws/resource/cloudwatch.py
Lines changed: 11 additions & 3 deletions
@@ -83,9 +83,18 @@ def called_collect_apis() -> List[AwsApiSpec]:
     """
     # list all calls here, that are not defined in any resource.
     additional_calls = [AwsApiSpec("pricing", "get-products")]
-    specs = [spec for r in all_resources for spec in r.called_apis()] + additional_calls
-    unique_specs = {f"{spec.service}::{spec.api_action}": spec for spec in specs}
-    return sorted(unique_specs.values(), key=lambda s: s.service + "::" + s.api_action)
+    specs = [spec for r in all_resources for spec in r.called_collect_apis()] + additional_calls
+    return sorted(specs, key=lambda s: s.service + "::" + s.api_action)
+
+
+def called_mutator_apis() -> List[AwsApiSpec]:
+    """
+    Return a list of all the APIs that are called to mutate resources.
+    """
+    # explicitly list all calls here, that should be allowed to mutate resources.
+    additional_calls = [AwsApiSpec("ec2", "start-instances"), AwsApiSpec("ec2", "stop-instances")]
+    specs = [spec for r in all_resources for spec in r.called_mutator_apis()] + additional_calls
+    return sorted(specs, key=lambda s: s.service + "::" + s.api_action)
 
 
 class AwsAccountCollector:
 
@@ -44,6 +44,15 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
             return False
         return False
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [
+            AwsApiSpec("apigateway", "tag-resource", override_iam_permission="apigateway:PATCH"),
+            AwsApiSpec("apigateway", "tag-resource", override_iam_permission="apigateway:POST"),
+            AwsApiSpec("apigateway", "tag-resource", override_iam_permission="apigateway:PUT"),
+            AwsApiSpec("apigateway", "untag-resource", override_iam_permission="apigateway:DELETE"),
+        ]
+
 
 @define(eq=False, slots=False)
 class AwsApiGatewayMethodResponse:
@@ -179,6 +188,10 @@ def delete_resource(self, client: AwsClient) -> bool:
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [AwsApiSpec("apigateway", "delete-resource", override_iam_permission="apigateway:DELETE")]
+
 
 @define(eq=False, slots=False)
 class AwsApiGatewayAuthorizer(AwsResource):
@@ -235,6 +248,10 @@ def delete_resource(self, client: AwsClient) -> bool:
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [AwsApiSpec("apigateway", "delete-authorizer", override_iam_permission="apigateway:DELETE")]
+
 
 @define(eq=False, slots=False)
 class AwsApiGatewayCanarySetting:
@@ -300,6 +317,12 @@ def delete_resource(self, client: AwsClient) -> bool:
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return super().called_mutator_apis() + [
+            AwsApiSpec("apigateway", "delete-stage", override_iam_permission="apigateway:DELETE")
+        ]
+
 
 @define(eq=False, slots=False)
 class AwsApiGatewayDeployment(AwsResource):
@@ -328,6 +351,12 @@ def delete_resource(self, client: AwsClient) -> bool:
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return super().called_mutator_apis() + [
+            AwsApiSpec("apigateway", "delete-deployment", override_iam_permission="apigateway:DELETE")
+        ]
+
 
 @define(eq=False, slots=False)
 class AwsApiGatewayEndpointConfiguration:
@@ -343,7 +372,9 @@ class AwsApiGatewayEndpointConfiguration:
 @define(eq=False, slots=False)
 class AwsApiGatewayRestApi(ApiGatewayTaggable, AwsResource):
     kind: ClassVar[str] = "aws_api_gateway_rest_api"
-    api_spec: ClassVar[AwsApiSpec] = AwsApiSpec("apigateway", "get-rest-apis", "items")
+    api_spec: ClassVar[AwsApiSpec] = AwsApiSpec(
+        "apigateway", "get-rest-apis", "items", override_iam_permission="apigateway:GET"
+    )
     reference_kinds: ClassVar[ModelReference] = {
         "successors": {
             "default": [
@@ -381,13 +412,19 @@ class AwsApiGatewayRestApi(ApiGatewayTaggable, AwsResource):
     api_disable_execute_api_endpoint: Optional[bool] = field(default=None)
 
     @classmethod
-    def called_apis(cls) -> List[AwsApiSpec]:
+    def called_collect_apis(cls) -> List[AwsApiSpec]:
         return [
             cls.api_spec,
-            AwsApiSpec("apigateway", "get-deployments"),
-            AwsApiSpec("apigateway", "get-stages"),
-            AwsApiSpec("apigateway", "get-authorizers"),
-            AwsApiSpec("apigateway", "get-resources"),
+            AwsApiSpec("apigateway", "get-deployments", override_iam_permission="apigateway:GET"),
+            AwsApiSpec("apigateway", "get-stages", override_iam_permission="apigateway:GET"),
+            AwsApiSpec("apigateway", "get-authorizers", override_iam_permission="apigateway:GET"),
+            AwsApiSpec("apigateway", "get-resources", override_iam_permission="apigateway:GET"),
+        ]
+
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return super().called_mutator_apis() + [
+            AwsApiSpec("apigateway", "delete-rest-api", override_iam_permission="apigateway:DELETE")
         ]
 
     @classmethod
@@ -470,7 +507,9 @@ class AwsApiGatewayMutualTlsAuthentication:
 @define(eq=False, slots=False)
 class AwsApiGatewayDomainName(ApiGatewayTaggable, AwsResource):
     kind: ClassVar[str] = "aws_api_gateway_domain_name"
-    api_spec: ClassVar[AwsApiSpec] = AwsApiSpec("apigateway", "get-domain-names", "items")
+    api_spec: ClassVar[AwsApiSpec] = AwsApiSpec(
+        "apigateway", "get-domain-names", "items", override_iam_permission="apigateway:GET"
+    )
     reference_kinds: ClassVar[ModelReference] = {
         "predecessors": {"delete": ["aws_route53_zone"]},
         "successors": {"default": ["aws_route53_zone", "aws_vpc_endpoint"], "delete": ["aws_vpc_endpoint"]},
 
@@ -85,9 +85,17 @@ class AwsAthenaWorkGroup(AwsResource):
     }
 
     @classmethod
-    def called_apis(cls) -> List[AwsApiSpec]:
+    def called_collect_apis(cls) -> List[AwsApiSpec]:
         return [cls.api_spec, AwsApiSpec("athena", "get-work-group"), AwsApiSpec("athena", "list-tags-for-resource")]
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [
+            AwsApiSpec("athena", "tag-resource"),
+            AwsApiSpec("athena", "untag-resource"),
+            AwsApiSpec("athena", "delete-work-group"),
+        ]
+
     @classmethod
     def collect(cls: Type[AwsResource], json: List[Json], builder: GraphBuilder) -> None:
         def fetch_workgroup(name: str) -> Optional[AwsAthenaWorkGroup]:
@@ -135,7 +143,7 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
     def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="tag_resource",
+            action="tag-resource",
             result_name=None,
             ResourceARN=self.arn,
             Tags=[{"Key": key, "Value": value}],
@@ -145,7 +153,7 @@ def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
     def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="untag_resource",
+            action="untag-resource",
             result_name=None,
             ResourceARN=self.arn,
             TagKeys=[key],
@@ -179,9 +187,17 @@ class AwsAthenaDataCatalog(AwsResource):
     datacatalog_parameters: Optional[Dict[str, str]] = None
 
     @classmethod
-    def called_apis(cls) -> List[AwsApiSpec]:
+    def called_collect_apis(cls) -> List[AwsApiSpec]:
         return [cls.api_spec, AwsApiSpec("athena", "get-data-catalog"), AwsApiSpec("athena", "list-tags-for-resource")]
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [
+            AwsApiSpec("athena", "tag-resource"),
+            AwsApiSpec("athena", "untag-resource"),
+            AwsApiSpec("athena", "delete-data-catalog"),
+        ]
+
     @classmethod
     def collect(cls: Type[AwsResource], json: List[Json], builder: GraphBuilder) -> None:
         def fetch_data_catalog(data_catalog_name: str) -> Optional[AwsAthenaDataCatalog]:
@@ -218,7 +234,7 @@ def add_tags(data_catalog: AwsAthenaDataCatalog) -> None:
     def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="tag_resource",
+            action="tag-resource",
             result_name=None,
             ResourceARN=self.arn,
             Tags=[{"Key": key, "Value": value}],
@@ -228,7 +244,7 @@ def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
     def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="untag_resource",
+            action="untag-resource",
             result_name=None,
             ResourceARN=self.arn,
             TagKeys=[key],
 
@@ -282,7 +282,7 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
     def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
         client.call(
             aws_service="autoscaling",
-            action="create_or_update_tags",
+            action="create-or-update-tags",
             result_name=None,
             Tags=[
                 {
@@ -299,7 +299,7 @@ def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
     def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
         client.call(
             aws_service="autoscaling",
-            action="delete_tags",
+            action="delete-tags",
             result_name=None,
             Tags=[
                 {
@@ -314,12 +314,20 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
     def delete_resource(self, client: AwsClient) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="delete_auto_scaling_group",
+            action="delete-auto-scaling-group",
             result_name=None,
             AutoScalingGroupName=self.name,
             ForceDelete=True,
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [
+            AwsApiSpec("autoscaling", "create-or-update-tags"),
+            AwsApiSpec("autoscaling", "delete-tags"),
+            AwsApiSpec("autoscaling", "delete-auto-scaling-group"),
+        ]
+
 
 resources: List[Type[AwsResource]] = [AwsAutoScalingGroup]
@@ -53,10 +53,14 @@ class AwsApiSpec:
     result_property: Optional[str] = None
     parameter: Optional[Dict[str, Any]] = None
     expected_errors: Optional[List[str]] = None
+    override_iam_permission: Optional[str] = None  # only set if the permission can not be derived
 
-    def action_string(self) -> str:
-        action = "".join(word.title() for word in self.api_action.split("-"))
-        return f"{self.service}:{action}"
+    def iam_permission(self) -> str:
+        if self.override_iam_permission:
+            return self.override_iam_permission
+        else:
+            action = "".join(word.title() for word in self.api_action.split("-"))
+            return f"{self.service}:{action}"
 
 
 @define(eq=False, slots=False)
@@ -204,14 +208,18 @@ def collect(cls: Type[AwsResource], json: List[Json], builder: GraphBuilder) ->
             builder.add_node(instance, js)
 
     @classmethod
-    def called_apis(cls) -> List[AwsApiSpec]:
+    def called_collect_apis(cls) -> List[AwsApiSpec]:
         # The default implementation will return the defined api_spec if defined, otherwise an empty list.
         # In case your resource needs more than this api call, please override this method and return the proper list.
         if spec := cls.api_spec:
             return [spec]
         else:
             return []
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return []
+
     def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
         # Default behavior: add resource to the namespace
         pass
 
@@ -123,7 +123,7 @@ def _modify_tag(self, client: AwsClient, key: str, value: Optional[str], mode: L
         try:
             client.call(
                 aws_service="cloudformation",
-                action="update_stack",
+                action="update-stack",
                 result_name=None,
                 StackName=self.name,
                 Capabilities=["CAPABILITY_NAMED_IAM"],
@@ -161,9 +161,13 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
         return self._modify_tag(client, key, None, "delete")
 
     def delete_resource(self, client: AwsClient) -> bool:
-        client.call(aws_service=self.api_spec.service, action="delete_stack", result_name=None, StackName=self.name)
+        client.call(aws_service=self.api_spec.service, action="delete-stack", result_name=None, StackName=self.name)
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [AwsApiSpec("cloudformation", "update-stack"), AwsApiSpec("cloudformation", "delete-stack")]
+
 
 @define(eq=False, slots=False)
 class AwsCloudFormationAutoDeployment:
@@ -218,7 +222,7 @@ def _modify_tag(self, client: AwsClient, key: str, value: Optional[str], mode: L
         try:
             client.call(
                 aws_service="cloudformation",
-                action="update_stack_set",
+                action="update-stack-set",
                 result_name=None,
                 StackSetName=self.name,
                 Capabilities=["CAPABILITY_NAMED_IAM"],
@@ -245,11 +249,15 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
     def delete_resource(self, client: AwsClient) -> bool:
         client.call(
             aws_service=self.api_spec.service,
-            action="delete_stack_set",
+            action="delete-stack-set",
             result_name=None,
             StackSetName=self.name,
         )
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [AwsApiSpec("cloudformation", "update-stack-set"), AwsApiSpec("cloudformation", "delete-stack-set")]
+
 
 resources: List[Type[AwsResource]] = [AwsCloudFormationStack, AwsCloudFormationStackSet]
@@ -21,7 +21,7 @@ def update_resource_tag(self, client: AwsClient, key: str, value: str) -> bool:
             if spec := self.api_spec:
                 client.call(
                     aws_service=spec.service,
-                    action="tag_resource",
+                    action="tag-resource",
                     result_name=None,
                     ResourceARN=self.arn,
                     Tags=[{"Key": key, "Value": value}],
@@ -35,7 +35,7 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
             if spec := self.api_spec:
                 client.call(
                     aws_service=spec.service,
-                    action="untag_resource",
+                    action="untag-resource",
                     result_name=None,
                     ResourceARN=self.arn,
                     TagKeys=[key],
@@ -44,6 +44,10 @@ def delete_resource_tag(self, client: AwsClient, key: str) -> bool:
             return False
         return False
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return [AwsApiSpec("cloudwatch", "tag-resource"), AwsApiSpec("cloudwatch", "untag-resource")]
+
 
 @define(eq=False, slots=False)
 class AwsCloudwatchDimension:
@@ -185,9 +189,13 @@ def connect_in_graph(self, builder: GraphBuilder, source: Json) -> None:
             )
 
     def delete_resource(self, client: AwsClient) -> bool:
-        client.call(aws_service=self.api_spec.service, action="delete_alarms", result_name=None, AlarmNames=[self.name])
+        client.call(aws_service=self.api_spec.service, action="delete-alarms", result_name=None, AlarmNames=[self.name])
         return True
 
+    @classmethod
+    def called_mutator_apis(cls) -> List[AwsApiSpec]:
+        return super().called_mutator_apis() + [AwsApiSpec("cloudwatch", "delete-alarms")]
+
 
 @define(hash=True, frozen=True)
 class AwsCloudwatchQuery: