From ed83dbbc204629aa8f1ab818af8f4277f3a8bf7d Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Mon, 15 Jul 2019 16:01:10 +0530 Subject: [PATCH 01/34] Updated with Terraform templates for DDB and Identification. Updated with Terraform templates for DDB and Identification. --- deployment/terraform/modules/ddb/ddb.tf | 10 +- .../modules/identification/identification.tf | 34 +-- .../tf_templates/ddb/ddb_template.tf | 284 ++++++++++++++++++ .../terraform/tf_templates/ddb/input.tf | 6 + .../identification_nested_template.tf | 191 ++++++++++++ .../identification/identification_template.tf | 194 ++++++++++++ .../tf_templates/identification/input.tf | 6 + 7 files changed, 690 insertions(+), 35 deletions(-) create mode 100644 deployment/terraform/tf_templates/ddb/ddb_template.tf create mode 100644 deployment/terraform/tf_templates/ddb/input.tf create mode 100644 deployment/terraform/tf_templates/identification/identification_nested_template.tf create mode 100644 deployment/terraform/tf_templates/identification/identification_template.tf create mode 100644 deployment/terraform/tf_templates/identification/input.tf diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf index cea510fa..c503ba8e 100755 --- a/deployment/terraform/modules/ddb/ddb.tf +++ b/deployment/terraform/modules/ddb/ddb.tf @@ -1,11 +1,9 @@ -resource "aws_cloudformation_stack" "hammer_ddb" { - name = "hammer-ddb-creation" - +module "hammer_ddb" { + source = "tf_templates/ddb" tags = "${var.tags}" - parameters { ResourcesPrefix = "${var.resources-prefix}" + } +} - template_url = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.ddb-cfn.id}" -} \ No newline at end of file diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index d63a2aa0..ea98f51f 100755 --- a/deployment/terraform/modules/identification/identification.tf 
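Review bot: The new `module "hammer_ddb"` block wraps its input in `parameters { ResourcesPrefix = … }`, which is an `aws_cloudformation_stack` argument that a module block does not accept; module inputs are plain top-level arguments named after variables the child declares, so this needs to become `resources-prefix = "${var.resources-prefix}"` with the `parameters` wrapper dropped (the child's `input.tf` added in this patch declares `resources-prefix`, not `ResourcesPrefix`). `source = "tf_templates/ddb"` has no `./` or `../` prefix, so Terraform treats it as a registry address rather than a local directory and `terraform init` will fail. `tags = "${var.tags}"` is only honoured if the child declares `tags` and applies it to its tables, which the template added in this patch does not appear to do.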
+++ b/deployment/terraform/modules/identification/identification.tf @@ -1,32 +1,9 @@ -resource "aws_cloudformation_stack" "identification" { - name = "hammer-identification-main" - depends_on = [ - "aws_s3_bucket_object.identification-cfn", - "aws_s3_bucket_object.identification-nested-cfn", - "aws_s3_bucket_object.logs-forwarder", - "aws_s3_bucket_object.ddb-tables-backup", - "aws_s3_bucket_object.sg-issues-identification", - "aws_s3_bucket_object.s3-acl-issues-identification", - "aws_s3_bucket_object.s3-policy-issues-identification", - "aws_s3_bucket_object.iam-keyrotation-issues-identification", - "aws_s3_bucket_object.iam-user-inactive-keys-identification", - "aws_s3_bucket_object.cloudtrails-issues-identification", - "aws_s3_bucket_object.ebs-unencrypted-volume-identification", - "aws_s3_bucket_object.ebs-public-snapshots-identification", - "aws_s3_bucket_object.ami-public-access-issues-identification", - "aws_s3_bucket_object.sqs-public-policy-identification", - "aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification", - "aws_s3_bucket_object.rds-unencrypted-instance-identification", - "aws_s3_bucket_object.ecs-privileged-access-issues-identification", - "aws_s3_bucket_object.ecs-logging-issues-identification" - ] - +module "hammer_id_main" { + source = "tf_templates/identiifcation/identification_template.tf" tags = "${var.tags}" - parameters { SourceS3Bucket = "${var.s3bucket}" - NestedStackTemplate = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-nested-cfn.id}" - ResourcesPrefix = "${var.resources-prefix}" + ResourcesPrefix = "${var.resources-prefix}" IdentificationIAMRole = "${var.identificationIAMRole}" IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" LambdaSubnets = "${var.lambdaSubnets}" 
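Review bot: `source = "tf_templates/identiifcation/identification_template.tf"` names a single file in a misspelled directory, but a local module source must be a directory and start with `./` or `../`, so this block cannot be initialised as written; `source = "../../tf_templates/identification"` matches the layout this patch creates, assuming the module is invoked from this directory. The `parameters { … }` wrapper is an `aws_cloudformation_stack` argument and is rejected on a module block; every value has to become a top-level argument, and the child's new `input.tf` declares only `resources-prefix` and `tags`, none of `SourceS3Bucket`, `IdentificationIAMRole` or the `SourceIdentification*` keys. Removing the explicit `depends_on` on the `aws_s3_bucket_object` resources only preserves ordering for the objects that are still referenced through `.id` below.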
@@ -48,7 +25,6 @@ resource "aws_cloudformation_stack" "identification" { SourceIdentificationRDSEncryption = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}" SourceIdentificationECSPrivilegedAccess = "${aws_s3_bucket_object.ecs-privileged-access-issues-identification.id}" SourceIdentificationECSLogging = "${aws_s3_bucket_object.ecs-logging-issues-identification.id}" - } - template_url = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-cfn.id}" -} \ No newline at end of file + } +} diff --git a/deployment/terraform/tf_templates/ddb/ddb_template.tf b/deployment/terraform/tf_templates/ddb/ddb_template.tf new file mode 100644 index 00000000..f50fb9bf --- /dev/null +++ b/deployment/terraform/tf_templates/ddb/ddb_template.tf 
@@ -0,0 +1,284 @@ +resource "aws_dynamodb_table" "credentials" { + + name = "${var.resource_prefix}credentials" + read_capacity = 25 + write_capacity = 2 + hash_key = "service" + + attribute { + name = "service" + type = "S" + } + + server_side_encryption { + enabled = true + } +} + +resource "aws_dynamodb_table" "cloudtrails" { + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}cloudtrails" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "insecure-sg-dynamodb-table" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}security-groups-unrestricted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-public-bucket-acl" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-public-bucket-acl" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-public-bucket-policy" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-public-bucket-policy" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "iam-user-keys-rotation" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}iam-user-keys-rotation" + read_capacity = 20 + write_capacity = 4 + hash_key = 
"account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "iam-user-keys-inactive" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}iam-user-keys-inactive" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "ebs-volumes-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}ebs-volumes-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "rds-public-snapshots" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}rds-public-snapshots" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "sqs-public-access" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}sqs-public-access" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + 
+resource "aws_dynamodb_table" "rds-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}rds-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "ec2-public-ami" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}ec2-public-ami" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + + +resource "aws_dynamodb_table" "api-requests" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}api-requests" + read_capacity = 20 + write_capacity = 4 + hash_key = "request_id" + + attribute { + name = "issue_id" + type = "S" + } +} + diff --git a/deployment/terraform/tf_templates/ddb/input.tf b/deployment/terraform/tf_templates/ddb/input.tf new file mode 100644 index 00000000..570dd6c5 --- /dev/null +++ b/deployment/terraform/tf_templates/ddb/input.tf @@ -0,0 +1,6 @@ +variable "resources-prefix" {} + +variable "tags" { + type = "map" + default = {} +} \ No newline at end of file diff --git a/deployment/terraform/tf_templates/identification/identification_nested_template.tf b/deployment/terraform/tf_templates/identification/identification_nested_template.tf new file mode 100644 index 00000000..eba84d95 --- /dev/null +++ b/deployment/terraform/tf_templates/identification/identification_nested_template.tf 
@@ -0,0 +1,191 @@ +resource "aws_lambda_function" "lambda-initiate" { + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-initiate, + ] + function_name = "${var.InitiateLambdaName}" + + s3_bucket = "${var.SourceS3Bucket}" + s3_key = "${var.IdentificationLambdaSource}" + + description = ${var.InitiateLambdaDescription} + role = "${var.IdentificationIAMRole}" + handler = "${var.InitiateLambdaHandler}" + runtime = "python3.6" + timeout = "300" + memory_size = "128" + + +} + +resource "aws_cloudwatch_log_group" "log-group-lambda-initiate" { + name = "/aws/lambda/${var.InitiateLambdaName}" + retention_in_days = 7 +} + +resource "aws_cloudwatch_log_subscription_filter" "lambda_initiate_logfilter" { + + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-initiate, + ] + log_group_name = aws_cloudwatch_log_group.log-group-lambda-initiate.name + filter_pattern = "[level != START && level != END && level != DEBUG, ...]" + destination_arn = "${var.LambdaLogsForwarderArn}" +} + +resource "aws_lambda_function" "lambda-evaluate" { + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-evaluate, + ] + function_name = "${var.EvaluateLambdaName}" + + s3_bucket = "${var.SourceS3Bucket}" + s3_key = "${var.EdentificationLambdaSource}" + + description = ${var.EvaluateLambdaDescription} + role = "${var.EdentificationIAMRole}" + handler = "${var.EvaluateLambdaHandler}" + runtime = "python3.6" + timeout = "300" + memory_size = "${var.EvaluateLambdaMemorySize}" + + vpc_config { + subnet_ids = "${[] ? var.LambdaSubnetsEmpty : [split(",", var.LambdaSubnets)]}" + security_group_ids = "${[] ? 
var.LambdaSecurityGroupsEmpty : [split(",", var.LambdaSecurityGroups)]}" + } + +} + +resource "aws_cloudwatch_log_group" "log-group-lambda-logs-forwarder" { + name = "/aws/lambda/${var.EvaluateLambdaName}" + retention_in_days = 7 +} + +resource "aws_cloudwatch_log_subscription_filter" "lambda_evaluate_logfilter" { + + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-evaluate + ] + log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name + filter_pattern = "[level != START && level != END && level != DEBUG, ...]" + destination_arn = "${var.LambdaLogsForwarderArn}" +} + +resource "aws_cloudwatch_event_rule" "eventInitiateEvaluation" { + + depends_on = [ + aws_lambda_function.lambda-initiate, + ] + + name = "${var.EventRuleName}" + description = "${var.EventRuleDescription}" + schedule_expression = "${var.IdentificationCheckRateExpression}" +} + +resource "aws_cloudwatch_event_target" "event-initiate-evaluation" { + depends_on = [ + aws_cloudwatch_event_rule.eventInitiateEvaluation, + ] + + rule = "${aws_cloudwatch_event_rule.eventInitiateEvaluation.name}" + target_id = "lambda-initiate" + arn = "${aws_lambda_function.lambda-initiate.arn}" +} + +resource "aws_lambda_permission" "allow_cloudwatch_to_call_initiate_lambda" { + depends_on = [ + aws_lambda_function.lambda-initiate,aws_cloudwatch_event_rule.eventInitiateEvaluation + ] + + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.lambda-initiate.function_name}" + principal = "events.amazonaws.com" + source_arn = "${aws_cloudwatch_event_rule.eventInitiateEvaluation.arn}" +} + + +resource "aws_sns_topic" "sns-notiify-lambda-evaluate" { + depends_on = [ + aws_lambda_function.lambda-evaluate + ] + + name = "${var.SNSDisplayName}" + display_name = "${var.SNSTopicName}" +} + +resource "aws_sns_topic_subscription" "lambda" { + depends_on = [ + aws_sns_topic.sns-notiify-lambda-evaluate, + ] + topic_arn = 
"${aws_sns_topic.sns-notiify-lambda-evaluate.arn}" + protocol = "lambda" + endpoint = "${aws_lambda_function.lambda-evaluate.arn}" +} + +resource "aws_lambda_permission" "with_sns" { + depends_on = [ + aws_sns_topic_subscription.lambda, + ] + + statement_id = "AllowExecutionFromSNS" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.lambda-evaluate.function_name}" + principal = "sns.amazonaws.com" + source_arn = "${aws_sns_topic.sns-notiify-lambda-evaluate.arn}" +} + +resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-initiate-evaluation" { + depends_on = [ + aws_lambda_function.lambda-initiate, + ] + alarm_name = "/${aws_lambda_function.lambda-initiate.function_name}LambdaError" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = "1" + metric_name = "Errors" + namespace = "AWS/Lambda" + period = "3600" + statistic = "Maximum" + threshold = 0 + treat_missing_data = "notBreaching" + + + alarm_actions = [ + "${var.SNSIdentificationErrors}", + ] + + ok_actions = [ + "${var.SNSIdentificationErrors}", + ] + + dimensions { + FunctionName = "${aws_lambda_function.lambda-initiate.function_name}" + } +} + +resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-evaluate-evaluation" { + depends_on = [ + aws_lambda_function.lambda-evaluate, + ] + alarm_name = "/${aws_lambda_function.lambda-evaluate.function_name}LambdaError" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = "1" + metric_name = "Errors" + namespace = "AWS/Lambda" + period = "3600" + statistic = "Maximum" + threshold = 0 + treat_missing_data = "notBreaching" + + + alarm_actions = [ + "${var.SNSIdentificationErrors}", + ] + + ok_actions = [ + "${var.SNSIdentificationErrors}", + ] + + dimensions { + FunctionName = "${aws_lambda_function.lambda-evaluate.function_name}" + } +} \ No newline at end of file 
diff --git a/deployment/terraform/tf_templates/identification/identification_template.tf b/deployment/terraform/tf_templates/identification/identification_template.tf
new file mode 100644
index 00000000..bf87f2d8
--- /dev/null
+++ b/deployment/terraform/tf_templates/identification/identification_template.tf
@@ -0,0 +1,194 @@ + +resource "aws_lambda_function" "lambda-logs-forwarder" { + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-evaluate + ] + function_name = "${var.resources-prefix}logs-forwarder" + + s3_bucket = "${var.SourceS3Bucket}" + s3_key = "${var.SourceLogsForwarder}" + + description = "Lambda function for parsing logs" + role = "${var.IdentificationIAMRole}" + handler = "logs_forwarder.lambda_handler" + runtime = "python3.6" + timeout = "300" + memory_size = "256" + +} + +resource "aws_cloudwatch_log_group" "log-group-lambda-evaluate" { + name = "/aws/lambda/${var.resources-prefix}logs-forwarder" + retention_in_days = 7 +} + +resource "aws_lambda_function" "lambda-backup-ddb" { + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-backup-ddb + ] + function_name = "${var.resources-prefix}backup-ddb" + + s3_bucket = "${var.SourceS3Bucket}" + s3_key = "${var.SourceLogsForwarder}" + + description = "Lambda function for parsing logs" + role = "${var.IdentificationIAMRole}" + handler = "ddb_tables_backup.lambda_handler" + runtime = "python3.6" + timeout = "300" + memory_size = "256" + +} + +resource "aws_cloudwatch_log_group" "log-group-lambda-backup-ddb" { + name = "/aws/lambda/${var.resources-prefix}backup-ddb" + retention_in_days = 7 +} + + +resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-backup-ddb" { + + depends_on = [ + aws_cloudwatch_log_group.log-group-lambda-backup-ddb, aws_lambda_permission. 
, + aws_lambda_function.lambda-logs-forwarder + ] + log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name + filter_pattern = "[level != START && level != END && level != DEBUG, ...]" + destination_arn = "${var.LambdaLogsForwarderArn}" +} + +resource "aws_cloudwatch_event_rule" "event-backup-ddb" { + + depends_on = [ + aws_lambda_function.lambda-backup-ddb, + ] + + name = "${var.resources-prefix}BackupDDB" + description = "Hammer ScheduledRule for DDB tables backup" + schedule_expression = "rate(1 day)" +} + +resource "aws_cloudwatch_event_target" "check-backup-ddb" { + depends_on = [ + aws_cloudwatch_event_rule.event-backup-ddb, + ] + + rule = "${aws_cloudwatch_event_rule.event-backup-ddb.name}" + target_id = "lambda-backup-ddb" + arn = "${aws_lambda_function.lambda-backup-ddb.arn}" +} + +resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder" { + depends_on = [ + aws_lambda_function.lambda-logs-forwarder + ] + + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.lambda-logs-forwarder.function_name}" + principal = "logs.${var.region}.amazonaws.com" + source_arn = "arn:aws:logs:${var.region}:${var.account_id}:log-group:*" + +} + +resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" { + depends_on = [ + aws_lambda_function.lambda-backup-ddb, event-backup-ddb + ] + + statement_id = "AllowExecutionFromCloudWatch" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.lambda-backup-ddb.function_name}" + principal = "events.amazonaws.com" + source_arn = "${aws_cloudwatch_event_rule.event-backup-ddb.arn}" + +} + + +resource "aws_sns_topic" "sns-identification-errors" { + depends_on = [ + + name = "${var.resources-prefix}identification-errors" +} + +resource "aws_sns_topic_subscription" "lambda" { + depends_on = [ + aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder + ] + topic_arn 
= "${aws_sns_topic.sns-identification-errors.arn}" + protocol = "lambda" + endpoint = "${aws_lambda_function.lambda-logs-forwarder.arn}" +} + +resource "aws_lambda_permission" "with_sns" { + depends_on = [ + aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder + ] + + statement_id = "AllowExecutionFromSNS" + action = "lambda:InvokeFunction" + function_name = "${aws_lambda_function.lambda-logs-forwarder.function_name}" + principal = "sns.amazonaws.com" + source_arn = "${aws_sns_topic.sns-identification-errors.arn}" +} + +resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { + depends_on = [ + aws_lambda_function.lambda-backup-ddb, aws_sns_topic.sns-identification-errors, + ] + alarm_name = "/${aws_lambda_function.lambda-backup-ddb.function_name}LambdaError" + comparison_operator = "GreaterThanThreshold" + evaluation_periods = "1" + metric_name = "Errors" + namespace = "AWS/Lambda" + period = "3600" + statistic = "Maximum" + threshold = 0 + treat_missing_data = "notBreaching" + + + alarm_actions = [ + "aws_sns_topic.sns-identification-errors.function_name", + ] + + ok_actions = [ + "aws_sns_topic.sns-identification-errors.function_name", + ] + + dimensions { + FunctionName = "${aws_lambda_function.lambda-backup-ddb.arn}" + } +} + + + + +module "hammer_id_nested" { + source = "tf_templates/identiifcation/identification_nested_template.tf" + tags = "${var.tags}" + parameters { + ResourcesPrefix = "${var.resources-prefix}" + IdentificationIAMRole = "${var.identificationIAMRole}" + IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}", + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}", + SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}" + SourceIdentificationS3ACL = 
"${aws_s3_bucket_object.s3-acl-issues-identification.id}" + SourceIdentificationS3Policy = "${aws_s3_bucket_object.s3-policy-issues-identification.id}" + SourceIdentificationIAMUserKeysRotation = "${aws_s3_bucket_object.iam-keyrotation-issues-identification.id}" + SourceIdentificationIAMUserInactiveKeys = "${aws_s3_bucket_object.iam-user-inactive-keys-identification.id}" + SourceIdentificationCloudTrails = "${aws_s3_bucket_object.cloudtrails-issues-identification.id}" + SourceIdentificationEBSVolumes = "${aws_s3_bucket_object.ebs-unencrypted-volume-identification.id}" + SourceIdentificationEBSSnapshots = "${aws_s3_bucket_object.ebs-public-snapshots-identification.id}" + SourceIdentificationRDSSnapshots = "${aws_s3_bucket_object.rds-public-snapshots-identification.id}" + SourceIdentificationAMIPublicAccess = "${aws_s3_bucket_object.ami-public-access-issues-identification.id}" + SourceIdentificationSQSPublicPolicy = "${aws_s3_bucket_object.sqs-public-policy-identification.id}" + SourceIdentificationS3Encryption = "${aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification.id}" + SourceIdentificationRDSEncryption = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}" + + } +} + + diff --git a/deployment/terraform/tf_templates/identification/input.tf b/deployment/terraform/tf_templates/identification/input.tf new file mode 100644 index 00000000..570dd6c5 --- /dev/null +++ b/deployment/terraform/tf_templates/identification/input.tf @@ -0,0 +1,6 @@ +variable "resources-prefix" {} + +variable "tags" { + type = "map" + default = {} +} \ No newline at end of file From 1c8890c50b4979345085b1983533b9385a3c4b47 Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla
Date: Mon, 15 Jul 2019 17:24:22 +0530
Subject: [PATCH 02/34] Updated with deployment issue changes.

Updated with deployment issue changes.
---
 deployment/terraform/modules/ddb/ddb.tf | 2 +-
 deployment/terraform/modules/identification/identification.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index c503ba8e..3425a615 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -1,5 +1,5 @@
 module "hammer_ddb" {
- source = "tf_templates/ddb"
+ source = "../tf_templates/ddb"
 tags = "${var.tags}"
 parameters {
 ResourcesPrefix = "${var.resources-prefix}"
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index ea98f51f..ce52706c 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -1,5 +1,5 @@
 module "hammer_id_main" {
- source = "tf_templates/identiifcation/identification_template.tf"
+ source = "../tf_templates/identiifcation/identification_template.tf"
 tags = "${var.tags}"
 parameters {
 SourceS3Bucket = "${var.s3bucket}"

From eaebee877fc3c5de8488f2e50bae5476809dc04f Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Mon, 15 Jul 2019 17:29:15 +0530
Subject: [PATCH 03/34] Updated with path issues.

Updated with path issues.
---
 deployment/terraform/modules/ddb/ddb.tf | 2 +-
 deployment/terraform/modules/identification/identification.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 3425a615..12519551 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
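Review bot: `source = "../tf_templates/ddb"` is resolved relative to `deployment/terraform/modules/ddb`, i.e. to `deployment/terraform/modules/tf_templates/ddb`, which does not exist; the directory added in the previous patch is two levels up, `source = "../../tf_templates/ddb"`, assuming this module's directory is the one the path is resolved from. The `parameters { … }` block that follows is still not a valid module argument, so a correct path alone will not get this past `terraform init`/`validate`.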
@@ -1,5 +1,5 @@
 module "hammer_ddb" {
- source = "../tf_templates/ddb"
+ source = "..//tf_templates/ddb"
 tags = "${var.tags}"
 parameters {
 ResourcesPrefix = "${var.resources-prefix}"
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index ce52706c..6105df32 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -1,5 +1,5 @@
 module "hammer_id_main" {
- source = "../tf_templates/identiifcation/identification_template.tf"
+ source = "..//tf_templates/identiifcation/identification_template.tf"
 tags = "${var.tags}"
 parameters {
 SourceS3Bucket = "${var.s3bucket}"

From eded302abce667b29b0c576465cf75a95641107b Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Mon, 15 Jul 2019 19:28:09 +0530
Subject: [PATCH 04/34] Updated with path issue changes.

Updated with path issue changes.
---
 deployment/terraform/modules/ddb/ddb.tf | 2 +-
 deployment/terraform/modules/identification/identification.tf | 2 +-
 .../tf_templates/identification/identification_template.tf | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 12519551..4cd58669 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -1,5 +1,5 @@
 module "hammer_ddb" {
- source = "..//tf_templates/ddb"
+ source = "../../../tf_templates/ddb"
 tags = "${var.tags}"
 parameters {
 ResourcesPrefix = "${var.resources-prefix}"
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index 6105df32..fef4819f 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -1,5 +1,5 @@
 module "hammer_id_main" {
- source = "..//tf_templates/identiifcation/identification_template.tf"
+ source = "../../../tf_templates/identiifcation/identification_template.tf"
 tags = "${var.tags}"
 parameters {
 SourceS3Bucket = "${var.s3bucket}"
diff --git a/deployment/terraform/tf_templates/identification/identification_template.tf b/deployment/terraform/tf_templates/identification/identification_template.tf
index bf87f2d8..61f7ff2c 100644
--- a/deployment/terraform/tf_templates/identification/identification_template.tf
+++ b/deployment/terraform/tf_templates/identification/identification_template.tf
@@ -164,7 +164,7 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" {
 
 
 module "hammer_id_nested" {
- source = "tf_templates/identiifcation/identification_nested_template.tf"
+ source = "identification_nested_template.tf"
 tags = "${var.tags}"
 parameters {
 ResourcesPrefix = "${var.resources-prefix}"

From ff045d32d2cd1742e5fdbde36f9bbb3ac086e7d5 Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Mon, 15 Jul 2019 19:36:41 +0530
Subject: [PATCH 05/34] Updated deployment issues fixes.

Updated deployment issues fixes.
---
 deployment/terraform/modules/ddb/ddb.tf | 2 +-
 deployment/terraform/modules/identification/identification.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 4cd58669..59ad2325 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -1,5 +1,5 @@
 module "hammer_ddb" {
- source = "../../../tf_templates/ddb"
+ source = "../../../../tf_templates/ddb"
 tags = "${var.tags}"
 parameters {
 ResourcesPrefix = "${var.resources-prefix}"
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index fef4819f..66f230ef 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -1,5 +1,5 @@
 module "hammer_id_main" {
- source = "../../../tf_templates/identiifcation/identification_template.tf"
+ source = "../../../../tf_templates/identiifcation/identification_template.tf"
 tags = "${var.tags}"
 parameters {
 SourceS3Bucket = "${var.s3bucket}"

From f2f51b440834663e23e280d49ec23365e4031ed1 Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Mon, 15 Jul 2019 20:21:46 +0530
Subject: [PATCH 06/34] Updated with deployment issue fixes.

Updated with deployment issue fixes.
---
 deployment/terraform/modules/ddb/ddb.tf | 285 +++++++++++++++++-
 .../modules/identification/identification.tf | 34 ++-
 2 files changed, 308 insertions(+), 11 deletions(-)

diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 59ad2325..f50fb9bf 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
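Review bot: The `source` still ends in `identification_template.tf`, and a local module source has to be a directory, so no number of `../` segments can make this resolve; the directory name is also still spelled `identiifcation` while the templates live under `tf_templates/identification`. From `deployment/terraform/modules/identification`, `source = "../../tf_templates/identification"` reaches that directory, whereas the four-`../` form here resolves above `deployment/`. Running `terraform init` locally would confirm the path before another adjustment is committed.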
@@ -1,9 +1,284 @@ -module "hammer_ddb" { - source = "../../../../tf_templates/ddb" - tags = "${var.tags}" - parameters { - ResourcesPrefix = "${var.resources-prefix}" +resource "aws_dynamodb_table" "credentials" { + name = "${var.resource_prefix}credentials" + read_capacity = 25 + write_capacity = 2 + hash_key = "service" + + attribute { + name = "service" + type = "S" + } + + server_side_encryption { + enabled = true + } +} + +resource "aws_dynamodb_table" "cloudtrails" { + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}cloudtrails" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "insecure-sg-dynamodb-table" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}security-groups-unrestricted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-public-bucket-acl" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-public-bucket-acl" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-public-bucket-policy" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-public-bucket-policy" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "iam-user-keys-rotation" { + + depends_on = 
["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}iam-user-keys-rotation" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "iam-user-keys-inactive" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}iam-user-keys-inactive" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "ebs-volumes-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}ebs-volumes-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "rds-public-snapshots" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}rds-public-snapshots" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "sqs-public-access" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}sqs-public-access" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "s3-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}s3-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = 
"account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "rds-unencrypted" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}rds-unencrypted" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + +resource "aws_dynamodb_table" "ec2-public-ami" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}ec2-public-ami" + read_capacity = 20 + write_capacity = 4 + hash_key = "account_id" + range_key = "issue_id" + + attribute { + name = "account_id" + type = "S" + } + + attribute { + name = "issue_id" + type = "S" + } +} + + +resource "aws_dynamodb_table" "api-requests" { + + depends_on = ["aws_dynamodb_table.credentials" ] + + name = "${var.resource_prefix}api-requests" + read_capacity = 20 + write_capacity = 4 + hash_key = "request_id" + + attribute { + name = "issue_id" + type = "S" } } diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 66f230ef..36f95541 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -1,9 +1,31 @@
-module "hammer_id_main" {
- source = "../../../../tf_templates/identiifcation/identification_template.tf"
+resource "aws_cloudformation_stack" "identification" {
+ name = "hammer-identification-main"
+ depends_on = [
+ "aws_s3_bucket_object.identification-cfn",
+ "aws_s3_bucket_object.identification-nested-cfn",
+ "aws_s3_bucket_object.logs-forwarder",
+ "aws_s3_bucket_object.ddb-tables-backup",
+ "aws_s3_bucket_object.sg-issues-identification",
+ "aws_s3_bucket_object.s3-acl-issues-identification",
+ "aws_s3_bucket_object.s3-policy-issues-identification",
+ "aws_s3_bucket_object.iam-keyrotation-issues-identification",
+ "aws_s3_bucket_object.iam-user-inactive-keys-identification",
+ "aws_s3_bucket_object.cloudtrails-issues-identification",
+ "aws_s3_bucket_object.ebs-unencrypted-volume-identification",
+ "aws_s3_bucket_object.ebs-public-snapshots-identification",
+ "aws_s3_bucket_object.ami-public-access-issues-identification",
+ "aws_s3_bucket_object.sqs-public-policy-identification",
+ "aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification",
+ "aws_s3_bucket_object.rds-unencrypted-instance-identification",
+ "aws_s3_bucket_object.ecs-privileged-access-issues-identification"
+ ]
+
 tags = "${var.tags}"
+
 parameters {
 SourceS3Bucket = "${var.s3bucket}"
- ResourcesPrefix = "${var.resources-prefix}"
+ NestedStackTemplate = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-nested-cfn.id}"
+ ResourcesPrefix = "${var.resources-prefix}"
 IdentificationIAMRole = "${var.identificationIAMRole}"
 IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}"
 LambdaSubnets = "${var.lambdaSubnets}"
@@ -24,7 +46,7 @@ module "hammer_id_main" {
 SourceIdentificationS3Encryption = "${aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification.id}"
 SourceIdentificationRDSEncryption = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}"
 SourceIdentificationECSPrivilegedAccess = "${aws_s3_bucket_object.ecs-privileged-access-issues-identification.id}"
- SourceIdentificationECSLogging = "${aws_s3_bucket_object.ecs-logging-issues-identification.id}"
- }
-}
+
+ template_url = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-cfn.id}"
+}
\ No newline at end of file
From 94dd00670c314704ca7730fce56f006e2aecdaba Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Tue, 16 Jul 2019 20:44:23 +0530 Subject: [PATCH 07/34] Updated with deployment issue fixes. Updated with deployment issue fixes. --- deployment/terraform/modules/ddb/ddb.tf | 28 ++++++++++++------------- 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index f50fb9bf..f6c82684 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -1,6 +1,6 @@
 resource "aws_dynamodb_table" "credentials" {
- name = "${var.resource_prefix}credentials"
+ name = "${var.resources-prefix}credentials"
 read_capacity = 25
 write_capacity = 2
 hash_key = "service"
@@ -18,7 +18,7 @@ resource "aws_dynamodb_table" "credentials" {
 resource "aws_dynamodb_table" "cloudtrails" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}cloudtrails"
+ name = "${var.resources-prefix}cloudtrails"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
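Review bot: The `credentials` table in the `@@ -1,6 +1,6 @@` hunk of ddb.tf shows no `server_side_encryption` block in the lines the hunk covers, so the table that by its name holds credentials stays on the service default rather than an explicitly managed encryption setting; unless it sits in lines 7-17, which this hunk does not show, adding `server_side_encryption { enabled = true }` to that resource is the minimum I would expect here. The other tables in this file follow the same 21-line layout and appear to lack it as well. The resource block continues outside the hunk.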
@@ -39,7 +39,7 @@ resource "aws_dynamodb_table" "insecure-sg-dynamodb-table" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}security-groups-unrestricted"
+ name = "${var.resources-prefix}security-groups-unrestricted"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -60,7 +60,7 @@ resource "aws_dynamodb_table" "s3-public-bucket-acl" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}s3-public-bucket-acl"
+ name = "${var.resources-prefix}s3-public-bucket-acl"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -81,7 +81,7 @@ resource "aws_dynamodb_table" "s3-public-bucket-policy" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}s3-public-bucket-policy"
+ name = "${var.resources-prefix}s3-public-bucket-policy"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -102,7 +102,7 @@ resource "aws_dynamodb_table" "iam-user-keys-rotation" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}iam-user-keys-rotation"
+ name = "${var.resources-prefix}iam-user-keys-rotation"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -123,7 +123,7 @@ resource "aws_dynamodb_table" "iam-user-keys-inactive" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}iam-user-keys-inactive"
+ name = "${var.resources-prefix}iam-user-keys-inactive"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -144,7 +144,7 @@ resource "aws_dynamodb_table" "ebs-volumes-unencrypted" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}ebs-volumes-unencrypted"
+ name = "${var.resources-prefix}ebs-volumes-unencrypted"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -165,7 +165,7 @@ resource "aws_dynamodb_table" "rds-public-snapshots" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}rds-public-snapshots"
+ name = "${var.resources-prefix}rds-public-snapshots"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -186,7 +186,7 @@ resource "aws_dynamodb_table" "sqs-public-access" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}sqs-public-access"
+ name = "${var.resources-prefix}sqs-public-access"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -207,7 +207,7 @@ resource "aws_dynamodb_table" "s3-unencrypted" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}s3-unencrypted"
+ name = "${var.resources-prefix}s3-unencrypted"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -228,7 +228,7 @@ resource "aws_dynamodb_table" "rds-unencrypted" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}rds-unencrypted"
+ name = "${var.resources-prefix}rds-unencrypted"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -249,7 +249,7 @@ resource "aws_dynamodb_table" "ec2-public-ami" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}ec2-public-ami"
+ name = "${var.resources-prefix}ec2-public-ami"
 read_capacity = 20
 write_capacity = 4
 hash_key = "account_id"
@@ -271,7 +271,7 @@ resource "aws_dynamodb_table" "api-requests" {
 depends_on = ["aws_dynamodb_table.credentials" ]
- name = "${var.resource_prefix}api-requests"
+ name = "${var.resources-prefix}api-requests"
 read_capacity = 20
 write_capacity = 4
 hash_key = "request_id"
From 4439ebe0104e3497322e5c14e815980cb4bc10ee Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla Date: Tue, 16 Jul 2019 21:08:31 +0530 Subject: [PATCH 08/34] Updated with deployment issue fixes. Updated with deployment issue fixes. --- deployment/terraform/modules/ddb/ddb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index f6c82684..1fbb2e5f 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -277,7 +277,7 @@ resource "aws_dynamodb_table" "api-requests" {
 hash_key = "request_id"
 attribute {
- name = "issue_id"
+ name = "request_id"
 type = "S"
 }
 }
From fd9264356d414a03a008683a63faa620de6e79dc Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 18:16:12 +0530 Subject: [PATCH 09/34] Updated with deployment template changes. Updated with deployment template changes. --- .../modules/identification/identification.tf | 226 ++++++++++++---- .../identification_nested_template.tf | 6 +- .../modules/identification/variables.tf | 17 ++ .../identification/identification_template.tf | 58 ++--- 4 files changed, 237 insertions(+), 70 deletions(-) rename deployment/terraform/{tf_templates => modules}/identification/identification_nested_template.tf (97%) create mode 100644 deployment/terraform/modules/identification/variables.tf
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index 36f95541..a5ad0c6d 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -1,30 +1,176 @@
-resource "aws_cloudformation_stack" "identification" {
- name = "hammer-identification-main"
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_lambda_function" "lambda-logs-forwarder" {
+ depends_on = [
+ aws_cloudwatch_log_group.log-group-lambda-evaluate
+ ]
+ function_name = "${var.resources-prefix}logs-forwarder"
+
+ s3_bucket = "${var.s3bucket}"
+ s3_key = "${aws_s3_bucket_object.logs-forwarder.id}"
+
+ description = "Lambda function for parsing logs"
+ role = "${var.identificationIAMRole}"
+ handler = "logs_forwarder.lambda_handler"
+ runtime = "python3.6"
+ timeout = "300"
+ memory_size = "256"
+
+}
+
+resource "aws_cloudwatch_log_group" "log-group-lambda-evaluate" {
+ name = "/aws/lambda/${var.resources-prefix}logs-forwarder"
+ retention_in_days = 7
+}
+
+resource "aws_lambda_function" "lambda-backup-ddb" {
+ depends_on = [
+ aws_cloudwatch_log_group.log-group-lambda-backup-ddb
+ ]
+ function_name = "${var.resources-prefix}backup-ddb"
+
+ s3_bucket = "${var.s3bucket}"
+ s3_key = "${aws_s3_bucket_object.logs-forwarder.id}"
+
+ description = "Lambda function for parsing logs"
+ role = "${var.identificationIAMRole}"
+ handler = "ddb_tables_backup.lambda_handler"
+ runtime = "python3.6"
+ timeout = "300"
+ memory_size = "256"
+
+}
+
+resource "aws_cloudwatch_log_group" "log-group-lambda-backup-ddb" {
+ name = "/aws/lambda/${var.resources-prefix}backup-ddb"
+ retention_in_days = 7
+}
+
+
+resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-backup-ddb" {
+
+ depends_on = [
+ aws_cloudwatch_log_group.log-group-lambda-backup-ddb, aws_lambda_permission. ,
+ aws_lambda_function.lambda-logs-forwarder
+ ]
+ log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name
+ filter_pattern = "[level != START && level != END && level != DEBUG, ...]"
+ destination_arn = aws_lambda_function.lambda-logs-forwarder.arn
+}
+
+resource "aws_cloudwatch_event_rule" "event-backup-ddb" {
+
 depends_on = [
- "aws_s3_bucket_object.identification-cfn",
- "aws_s3_bucket_object.identification-nested-cfn",
- "aws_s3_bucket_object.logs-forwarder",
- "aws_s3_bucket_object.ddb-tables-backup",
- "aws_s3_bucket_object.sg-issues-identification",
- "aws_s3_bucket_object.s3-acl-issues-identification",
- "aws_s3_bucket_object.s3-policy-issues-identification",
- "aws_s3_bucket_object.iam-keyrotation-issues-identification",
- "aws_s3_bucket_object.iam-user-inactive-keys-identification",
- "aws_s3_bucket_object.cloudtrails-issues-identification",
- "aws_s3_bucket_object.ebs-unencrypted-volume-identification",
- "aws_s3_bucket_object.ebs-public-snapshots-identification",
- "aws_s3_bucket_object.ami-public-access-issues-identification",
- "aws_s3_bucket_object.sqs-public-policy-identification",
- "aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification",
- "aws_s3_bucket_object.rds-unencrypted-instance-identification",
- "aws_s3_bucket_object.ecs-privileged-access-issues-identification"
- ]
+ aws_lambda_function.lambda-backup-ddb,
+ ]
- tags = "${var.tags}"
+ name = "${var.resources-prefix}BackupDDB"
+ description = "Hammer ScheduledRule for DDB tables backup"
+ schedule_expression = "rate(1 day)"
+}
+
+resource "aws_cloudwatch_event_target" "check-backup-ddb" {
+ depends_on = [
+ aws_cloudwatch_event_rule.event-backup-ddb,
+ ]
+
+ rule = "${aws_cloudwatch_event_rule.event-backup-ddb.name}"
+ target_id = "lambda-backup-ddb"
+ arn = "${aws_lambda_function.lambda-backup-ddb.arn}"
+}
+
+resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder" {
+ depends_on = [
+ aws_lambda_function.lambda-logs-forwarder
+ ]
+
+ statement_id = "AllowExecutionFromCloudWatch"
+ action = "lambda:InvokeFunction"
+ function_name = "${aws_lambda_function.lambda-logs-forwarder.function_name}"
+ principal = "logs.${data.aws_region.current.name}.amazonaws.com"
+ source_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
+}aws_region
+
+resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" {
+ depends_on = [
+ aws_lambda_function.lambda-backup-ddb, event-backup-ddb
+ ]
+
+ statement_id = "AllowExecutionFromCloudWatch"
+ action = "lambda:InvokeFunction"
+ function_name = "${aws_lambda_function.lambda-backup-ddb.function_name}"
+ principal = "events.amazonaws.com"
+ source_arn = "${aws_cloudwatch_event_rule.event-backup-ddb.arn}"
+
+}
+
+
+resource "aws_sns_topic" "sns-identification-errors" {
+ depends_on = [
+
+ name = "${var.resources-prefix}identification-errors"
+}
+
+resource "aws_sns_topic_subscription" "lambda" {
+ depends_on = [
+ aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder
+ ]
+ topic_arn = "${aws_sns_topic.sns-identification-errors.arn}"
+ protocol = "lambda"
+ endpoint = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+}
+
+resource "aws_lambda_permission" "with_sns" {
+ depends_on = [
+ aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder
+ ]
+
+ statement_id = "AllowExecutionFromSNS"
+ action = "lambda:InvokeFunction"
+ function_name = "${aws_lambda_function.lambda-logs-forwarder.function_name}"
+ principal = "sns.amazonaws.com"
+ source_arn = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" {
+ depends_on = [
+ aws_lambda_function.lambda-backup-ddb, aws_sns_topic.sns-identification-errors,
+ ]
+ alarm_name = "/${aws_lambda_function.lambda-backup-ddb.function_name}LambdaError"
+ comparison_operator = "GreaterThanThreshold"
+ evaluation_periods = "1"
+ metric_name = "Errors"
+ namespace = "AWS/Lambda"
+ period = "3600"
+ statistic = "Maximum"
+ threshold = 0
+ treat_missing_data = "notBreaching"
+
+
+ alarm_actions = [
+ "aws_sns_topic.sns-identification-errors.function_name",
+ ]
+
+ ok_actions = [
+ "aws_sns_topic.sns-identification-errors.function_name",
+ ]
+
+ dimensions {
+ FunctionName = "${aws_lambda_function.lambda-backup-ddb.arn}"
+ }
+}
+
+
+
+
+module "hammer_id_nested_sg" {
+
+ depends_on
+ source = "identification_nested_template.tf"
+ tags = "${var.tags}"
 parameters {
- SourceS3Bucket = "${var.s3bucket}"
- NestedStackTemplate = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-nested-cfn.id}"
 ResourcesPrefix = "${var.resources-prefix}"
 IdentificationIAMRole = "${var.identificationIAMRole}"
 IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}"
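Review bot: `alarm_actions` and `ok_actions` on `alarm-errors-lambda-backup-ddb` are the literal strings `"aws_sns_topic.sns-identification-errors.function_name"`, not topic ARNs, so the error alarm for the backup job can never notify anyone; both should be `["${aws_sns_topic.sns-identification-errors.arn}"]`, and the `FunctionName` dimension should be `"${aws_lambda_function.lambda-backup-ddb.function_name}"` rather than the ARN, or the alarm matches no metric at all. `lambda-backup-ddb` is packaged from `aws_s3_bucket_object.logs-forwarder.id` with handler `ddb_tables_backup.lambda_handler` and the forwarder's description, which reads as a copy-paste of the block above it; `aws_s3_bucket_object.ddb-tables-backup.id` is the object the rest of this file uses for that function. `allow-cloudwatch-to-call-lambda-logs-forwarder` sets `source_arn` to `...:log-group:*`, which lets a subscription on any log group in the account invoke the forwarder; narrowing it to this deployment's own groups, e.g. `...:log-group:/aws/lambda/${var.resources-prefix}*:*`, keeps the invoke right where it is needed. The hunk also does not parse as written: `}aws_region` after the first permission, the unterminated `depends_on = [` on `sns-identification-errors`, the dangling `aws_lambda_permission. ,` in the subscription filter and the bare `depends_on` in the module block. The same copy-pasted package, wildcard `source_arn` and `}aws_region`/bare `depends_on` fragments recur in the tf_templates/identification_template.tf hunks `@@ -28,11 +30,11 @@`, `@@ -86,10 +88,10 @@` and `@@ -163,7 +165,9 @@` below.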
@@ -32,21 +178,21 @@ resource "aws_cloudformation_stack" "identification" {
 LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
 SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}",
 SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}",
- SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}"
- SourceIdentificationS3ACL = "${aws_s3_bucket_object.s3-acl-issues-identification.id}"
- SourceIdentificationS3Policy = "${aws_s3_bucket_object.s3-policy-issues-identification.id}"
- SourceIdentificationIAMUserKeysRotation = "${aws_s3_bucket_object.iam-keyrotation-issues-identification.id}"
- SourceIdentificationIAMUserInactiveKeys = "${aws_s3_bucket_object.iam-user-inactive-keys-identification.id}"
- SourceIdentificationCloudTrails = "${aws_s3_bucket_object.cloudtrails-issues-identification.id}"
- SourceIdentificationEBSVolumes = "${aws_s3_bucket_object.ebs-unencrypted-volume-identification.id}"
- SourceIdentificationEBSSnapshots = "${aws_s3_bucket_object.ebs-public-snapshots-identification.id}"
- SourceIdentificationRDSSnapshots = "${aws_s3_bucket_object.rds-public-snapshots-identification.id}"
- SourceIdentificationAMIPublicAccess = "${aws_s3_bucket_object.ami-public-access-issues-identification.id}"
- SourceIdentificationSQSPublicPolicy = "${aws_s3_bucket_object.sqs-public-policy-identification.id}"
- SourceIdentificationS3Encryption = "${aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification.id}"
- SourceIdentificationRDSEncryption = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}"
- SourceIdentificationECSPrivilegedAccess = "${aws_s3_bucket_object.ecs-privileged-access-issues-identification.id}"
+ IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}"
+ InitiateLambdaName = ${var.initiateSecurityGroupLambdaFunctionName}
+ SourceS3Bucket = "${var.s3bucket}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups"
+ InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler"
+ SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}"
+ LambdaLogsForwarderArn = aws_lambda_function.lambda-logs-forwarder.arn
+ EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName}
+ EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access."
+ EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler"
+ EvaluateLambdaMemorySize = 512
+ EventRuleName = ${var.resources-prefix}SourceIdentificationSG
+ EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations"
+ SNSDisplayName = ${var.resources-prefix}${var.snsDisplayNameSecurityGroups}
+ SNSTopicName = ${var.resources-prefix}${var.snsTopicNameSecurityGroups}
+ SNSIdentificationErrors = aws_sns_topic.sns-identification-errors.name
 }
-
- template_url = "https://${var.s3bucket}.s3.amazonaws.com/${aws_s3_bucket_object.identification-cfn.id}"
-}
\ No newline at end of file
+}
diff --git a/deployment/terraform/tf_templates/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf
similarity index 97%
rename from deployment/terraform/tf_templates/identification/identification_nested_template.tf
rename to deployment/terraform/modules/identification/identification_nested_template.tf
index eba84d95..1709e979 100644
--- a/deployment/terraform/tf_templates/identification/identification_nested_template.tf
+++ b/deployment/terraform/modules/identification/identification_nested_template.tf
@@ -5,7 +5,7 @@ resource "aws_lambda_function" "lambda-initiate" {
 function_name = "${var.InitiateLambdaName}"
 s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.IdentificationLambdaSource}"
+ s3_key = "${var.SourceIdentificationSG}"
 description = ${var.InitiateLambdaDescription}
 role = "${var.IdentificationIAMRole}"
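Review bot: The module inputs in the `@@ -32,21 +178,21 @@` hunk are written inside a `parameters { ... }` block with bare interpolations such as `InitiateLambdaName = ${var.initiateSecurityGroupLambdaFunctionName}` and `EventRuleName = ${var.resources-prefix}SourceIdentificationSG`; a `module` block takes its inputs as top-level arguments, and in the quoted-interpolation syntax the rest of the file uses each of these has to be a quoted string, e.g. `EventRuleName = "${var.resources-prefix}SourceIdentificationSG"`. `IdentificationLambdaSource` and `SourceIdentificationSG` both carry `aws_s3_bucket_object.sg-issues-identification.id`, so one of them looks redundant, and `SourceLogsForwarder`/`SourceBackupDDB` are still passed although this file now defines the forwarder and backup functions itself; whether the nested template still reads them is not visible here. The `module "hammer_id_nested_sg"` header, including its `source`, starts outside this hunk. The tf_templates/identification_template.tf hunk `@@ -174,21 +178,21 @@` below carries the same inputs with the same problems.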
@@ -39,10 +39,10 @@ resource "aws_lambda_function" "lambda-evaluate" {
 function_name = "${var.EvaluateLambdaName}"
 s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.EdentificationLambdaSource}"
+ s3_key = "${var.SourceIdentificationSG}"
 description = ${var.EvaluateLambdaDescription}
- role = "${var.EdentificationIAMRole}"
+ role = "${var.IdentificationIAMRole}"
 handler = "${var.EvaluateLambdaHandler}"
 runtime = "python3.6"
 timeout = "300"
diff --git a/deployment/terraform/modules/identification/variables.tf b/deployment/terraform/modules/identification/variables.tf
new file mode 100644
index 00000000..5a55367f
--- /dev/null
+++ b/deployment/terraform/modules/identification/variables.tf
@@ -0,0 +1,17 @@
+variable "snsDisplayNameSecurityGroups" {
+ default = "describe-security-groups-sns"
+}
+
+variable "snsTopicNameSecurityGroups" {
+ default = "describe-security-groups-lambda"
+}
+
+variable "identifySecurityGroupLambdaFunctionName" {
+ default = "describe-security-groups"
+}
+
+variable "initiateSecurityGroupLambdaFunctionName" {
+ default = "initiate-security-groups"
+}
+
+
diff --git a/deployment/terraform/tf_templates/identification/identification_template.tf b/deployment/terraform/tf_templates/identification/identification_template.tf
index 61f7ff2c..a5ad0c6d 100644
--- a/deployment/terraform/tf_templates/identification/identification_template.tf
+++ b/deployment/terraform/tf_templates/identification/identification_template.tf
@@ -1,3 +1,5 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
 resource "aws_lambda_function" "lambda-logs-forwarder" {
 depends_on = [
@@ -5,11 +7,11 @@ resource "aws_lambda_function" "lambda-logs-forwarder" {
 ]
 function_name = "${var.resources-prefix}logs-forwarder"
- s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.SourceLogsForwarder}"
+ s3_bucket = "${var.s3bucket}"
+ s3_key = "${aws_s3_bucket_object.logs-forwarder.id}"
 description = "Lambda function for parsing logs"
- role = "${var.IdentificationIAMRole}"
+ role = "${var.identificationIAMRole}"
 handler = "logs_forwarder.lambda_handler"
 runtime = "python3.6"
 timeout = "300"
@@ -28,11 +30,11 @@ resource "aws_lambda_function" "lambda-backup-ddb" {
 ]
 function_name = "${var.resources-prefix}backup-ddb"
- s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.SourceLogsForwarder}"
+ s3_bucket = "${var.s3bucket}"
+ s3_key = "${aws_s3_bucket_object.logs-forwarder.id}"
 description = "Lambda function for parsing logs"
- role = "${var.IdentificationIAMRole}"
+ role = "${var.identificationIAMRole}"
 handler = "ddb_tables_backup.lambda_handler"
 runtime = "python3.6"
 timeout = "300"
@@ -54,7 +56,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba
 ]
 log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name
 filter_pattern = "[level != START && level != END && level != DEBUG, ...]"
- destination_arn = "${var.LambdaLogsForwarderArn}"
+ destination_arn = aws_lambda_function.lambda-logs-forwarder.arn
 }
 resource "aws_cloudwatch_event_rule" "event-backup-ddb" {
@@ -86,10 +88,10 @@ resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder
 statement_id = "AllowExecutionFromCloudWatch"
 action = "lambda:InvokeFunction"
 function_name = "${aws_lambda_function.lambda-logs-forwarder.function_name}"
- principal = "logs.${var.region}.amazonaws.com"
- source_arn = "arn:aws:logs:${var.region}:${var.account_id}:log-group:*"
+ principal = "logs.${data.aws_region.current.name}.amazonaws.com"
+ source_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*"
-}
+}aws_region
 resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" {
 depends_on = [
@@ -163,7 +165,9 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" {
-module "hammer_id_nested" {
+module "hammer_id_nested_sg" {
+
+ depends_on
 source = "identification_nested_template.tf"
 tags = "${var.tags}"
 parameters {
@@ -174,21 +178,21 @@ module "hammer_id_nested" {
 LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
 SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}",
 SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}",
- SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}"
- SourceIdentificationS3ACL = "${aws_s3_bucket_object.s3-acl-issues-identification.id}"
- SourceIdentificationS3Policy = "${aws_s3_bucket_object.s3-policy-issues-identification.id}"
- SourceIdentificationIAMUserKeysRotation = "${aws_s3_bucket_object.iam-keyrotation-issues-identification.id}"
- SourceIdentificationIAMUserInactiveKeys = "${aws_s3_bucket_object.iam-user-inactive-keys-identification.id}"
- SourceIdentificationCloudTrails = "${aws_s3_bucket_object.cloudtrails-issues-identification.id}"
- SourceIdentificationEBSVolumes = "${aws_s3_bucket_object.ebs-unencrypted-volume-identification.id}"
- SourceIdentificationEBSSnapshots = "${aws_s3_bucket_object.ebs-public-snapshots-identification.id}"
- SourceIdentificationRDSSnapshots = "${aws_s3_bucket_object.rds-public-snapshots-identification.id}"
- SourceIdentificationAMIPublicAccess = "${aws_s3_bucket_object.ami-public-access-issues-identification.id}"
- SourceIdentificationSQSPublicPolicy = "${aws_s3_bucket_object.sqs-public-policy-identification.id}"
- SourceIdentificationS3Encryption = "${aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification.id}"
- SourceIdentificationRDSEncryption = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}"
-
+ IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}"
+ InitiateLambdaName = ${var.initiateSecurityGroupLambdaFunctionName}
+ SourceS3Bucket = "${var.s3bucket}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups"
+ InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler"
+ SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}"
+ LambdaLogsForwarderArn = aws_lambda_function.lambda-logs-forwarder.arn
+ EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName}
+ EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access."
+ EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler"
+ EvaluateLambdaMemorySize = 512
+ EventRuleName = ${var.resources-prefix}SourceIdentificationSG
+ EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations"
+ SNSDisplayName = ${var.resources-prefix}${var.snsDisplayNameSecurityGroups}
+ SNSTopicName = ${var.resources-prefix}${var.snsTopicNameSecurityGroups}
+ SNSIdentificationErrors = aws_sns_topic.sns-identification-errors.name
 }
 }
-
-
From 15c1112267a236d99b8a57541b9c54755556c15c Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 18:18:49 +0530 Subject: [PATCH 10/34] Updated with deployment template changes. Updated with deployment template changes. --- deployment/terraform/modules/identification/identification.tf | 2 +- .../modules/identification/identification_nested_template.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index a5ad0c6d..69cb7494 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -183,7 +183,7 @@ module "hammer_id_nested_sg" {
 SourceS3Bucket = "${var.s3bucket}"
 InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups"
 InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler"
- SourceIdentificationSG = "${aws_s3_bucket_object.sg-issues-identification.id}"
+ SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}"
 LambdaLogsForwarderArn = aws_lambda_function.lambda-logs-forwarder.arn
 EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName}
 EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access."
diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf
index 1709e979..5709402c 100644
--- a/deployment/terraform/modules/identification/identification_nested_template.tf
+++ b/deployment/terraform/modules/identification/identification_nested_template.tf
@@ -5,7 +5,7 @@ resource "aws_lambda_function" "lambda-initiate" {
 function_name = "${var.InitiateLambdaName}"
 s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.SourceIdentificationSG}"
+ s3_key = "${var.SourceIdentification}"
 description = ${var.InitiateLambdaDescription}
 role = "${var.IdentificationIAMRole}"
@@ -39,7 +39,7 @@ resource "aws_lambda_function" "lambda-evaluate" {
 function_name = "${var.EvaluateLambdaName}"
 s3_bucket = "${var.SourceS3Bucket}"
- s3_key = "${var.SourceIdentificationSG}"
+ s3_key = "${var.SourceIdentification}"
 description = ${var.EvaluateLambdaDescription}
 role = "${var.IdentificationIAMRole}"
From 27f2f0acde1ee593f4c9576f0b81ed05c061243b Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla Date: Wed, 17 Jul 2019 18:39:53 +0530 Subject: [PATCH 11/34] Updated with deployment template changes. Updated with deployment template changes. --- .../modules/identification/identification.tf | 27 +++++++++---------- 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf
index 69cb7494..60b7015c 100755
--- a/deployment/terraform/modules/identification/identification.tf
+++ b/deployment/terraform/modules/identification/identification.tf
@@ -3,7 +3,7 @@ data "aws_region" "current" {}
 resource "aws_lambda_function" "lambda-logs-forwarder" {
 depends_on = [
- aws_cloudwatch_log_group.log-group-lambda-evaluate
+ "aws_cloudwatch_log_group.log-group-lambda-evaluate"
 ]
 function_name = "${var.resources-prefix}logs-forwarder"
@@ -26,7 +26,7 @@ resource "aws_cloudwatch_log_group" "log-group-lambda-evaluate" {
 resource "aws_lambda_function" "lambda-backup-ddb" {
 depends_on = [
- aws_cloudwatch_log_group.log-group-lambda-backup-ddb
+ "aws_cloudwatch_log_group.log-group-lambda-backup-ddb"
 ]
 function_name = "${var.resources-prefix}backup-ddb"
@@ -54,7 +54,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba
 aws_cloudwatch_log_group.log-group-lambda-backup-ddb, aws_lambda_permission. ,
 aws_lambda_function.lambda-logs-forwarder
 ]
- log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name
+ log_group_name = "aws_cloudwatch_log_group.log-group-lambda-evaluate.name"
 filter_pattern = "[level != START && level != END && level != DEBUG, ...]"
 destination_arn = aws_lambda_function.lambda-logs-forwarder.arn
 }
@@ -62,7 +62,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba
 resource "aws_cloudwatch_event_rule" "event-backup-ddb" {
 depends_on = [
- aws_lambda_function.lambda-backup-ddb,
+ "aws_lambda_function.lambda-backup-ddb"
 ]
 name = "${var.resources-prefix}BackupDDB"
@@ -72,7 +72,7 @@ resource "aws_cloudwatch_event_rule" "event-backup-ddb" {
 resource "aws_cloudwatch_event_target" "check-backup-ddb" {
 depends_on = [
- aws_cloudwatch_event_rule.event-backup-ddb,
+ "aws_cloudwatch_event_rule.event-backup-ddb"
 ]
 rule = "${aws_cloudwatch_event_rule.event-backup-ddb.name}"
@@ -82,7 +82,7 @@ resource "aws_cloudwatch_event_target" "check-backup-ddb" {
 resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder" {
 depends_on = [
- aws_lambda_function.lambda-logs-forwarder
+ "aws_lambda_function.lambda-logs-forwarder"
 ]
 statement_id = "AllowExecutionFromCloudWatch"
@@ -95,7 +95,7 @@ resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder
 resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" {
 depends_on = [
- aws_lambda_function.lambda-backup-ddb, event-backup-ddb
+ "aws_lambda_function.lambda-backup-ddb", "aws_cloudwatch_event_rule.event-backup-ddb"
 ]
 statement_id = "AllowExecutionFromCloudWatch"
@@ -108,14 +108,12 @@ resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" {
 resource "aws_sns_topic" "sns-identification-errors" {
- depends_on = [
-
 name = "${var.resources-prefix}identification-errors"
 }
 resource "aws_sns_topic_subscription" "lambda" {
 depends_on = [
- aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder
+ "aws_sns_topic.sns-identification-errors", "aws_lambda_function.lambda-logs-forwarder"
 ]
 topic_arn = "${aws_sns_topic.sns-identification-errors.arn}"
 protocol = "lambda"
@@ -124,7 +122,7 @@ resource "aws_sns_topic_subscription" "lambda" { resource "aws_lambda_permission" "with_sns" { depends_on = [ - aws_sns_topic.sns-identification-errors, aws_lambda_function.lambda-logs-forwarder + "aws_sns_topic.sns-identification-errors", "aws_lambda_function.lambda-logs-forwarder" ] statement_id = "AllowExecutionFromSNS" @@ -136,7 +134,7 @@ resource "aws_lambda_permission" "with_sns" { resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { depends_on = [ - aws_lambda_function.lambda-backup-ddb, aws_sns_topic.sns-identification-errors, + "aws_lambda_function.lambda-backup-ddb", "aws_sns_topic.sns-identification-errors" ] alarm_name = "/${aws_lambda_function.lambda-backup-ddb.function_name}LambdaError" comparison_operator = "GreaterThanThreshold" @@ -167,8 +165,7 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { module "hammer_id_nested_sg" { - depends_on - source = "identification_nested_template.tf" + source = "../identification_nested_template.tf" tags = "${var.tags}" parameters { ResourcesPrefix = "${var.resources-prefix}" @@ -184,7 +181,7 @@ module "hammer_id_nested_sg" { InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" - LambdaLogsForwarderArn = aws_lambda_function.lambda-logs-forwarder.arn + LambdaLogsForwarderArn = ${aws_lambda_function.lambda-logs-forwarder.arn} EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName} EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" From 66a06076ddd99992d03df60da0d6ffcd5de61e6a Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla Date: Wed, 17 Jul 2019 18:45:46 +0530 Subject: [PATCH 12/34] Updated with Identification Terraform template changes. Updated with Identification Terraform template changes. --- .../modules/identification/identification.tf | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 60b7015c..8a112684 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -51,12 +51,13 @@ resource "aws_cloudwatch_log_group" "log-group-lambda-backup-ddb" { resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-backup-ddb" { depends_on = [ - aws_cloudwatch_log_group.log-group-lambda-backup-ddb, aws_lambda_permission. , - aws_lambda_function.lambda-logs-forwarder + "aws_cloudwatch_log_group.log-group-lambda-backup-ddb", + "aws_lambda_permission.allow-cloudwatch-to-call-lambda-backup-ddb", + "aws_lambda_function.lambda-logs-forwarder" ] - log_group_name = "aws_cloudwatch_log_group.log-group-lambda-evaluate.name" + log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" - destination_arn = aws_lambda_function.lambda-logs-forwarder.arn + destination_arn = "${aws_lambda_function.lambda-logs-forwarder.arn}" } resource "aws_cloudwatch_event_rule" "event-backup-ddb" { 
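Review bot: The `depends_on` of `subscription-filter-lambda-backup-ddb` names `aws_lambda_permission.allow-cloudwatch-to-call-lambda-backup-ddb`, but the filter's `destination_arn` is `lambda-logs-forwarder`, so the permission that has to exist before CloudWatch Logs can deliver to the destination is `allow-cloudwatch-to-call-lambda-logs-forwarder` (the one whose principal is `logs.<region>.amazonaws.com`, as shown in a later patch). Without that ordering the filter can be created before the invoke grant and fail at apply time as a non-invokable destination. Replace the entry with `"aws_lambda_permission.allow-cloudwatch-to-call-lambda-logs-forwarder",`. The filter is also still attached to `log-group-lambda-evaluate` although it is named for the backup-ddb group; confirm which group is intended.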
@@ -181,7 +182,7 @@ module "hammer_id_nested_sg" { InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" - LambdaLogsForwarderArn = ${aws_lambda_function.lambda-logs-forwarder.arn} + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName} EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" @@ -190,6 +191,6 @@ module "hammer_id_nested_sg" { EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" SNSDisplayName = ${var.resources-prefix}${var.snsDisplayNameSecurityGroups} SNSTopicName = ${var.resources-prefix}${var.snsTopicNameSecurityGroups} - SNSIdentificationErrors = aws_sns_topic.sns-identification-errors.name + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.name}" } } From 13aed64e02514dc30011ec5823173a738884460c Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 20:40:33 +0530 Subject: [PATCH 13/34] Updated with terraform template changes. Updated with terraform template changes. --- .../terraform/modules/identification/identification.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 8a112684..f2660f30 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -177,20 +177,20 @@ module "hammer_id_nested_sg" { SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}", SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}", IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" - InitiateLambdaName = ${var.initiateSecurityGroupLambdaFunctionName} + InitiateLambdaName = "${var.initiateSecurityGroupLambdaFunctionName}" SourceS3Bucket = "${var.s3bucket}" InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" - EvaluateLambdaName = ${var.identifySecurityGroupLambdaFunctionName} + EvaluateLambdaName = "${var.identifySecurityGroupLambdaFunctionName}" EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" EvaluateLambdaMemorySize = 512 - EventRuleName = ${var.resources-prefix}SourceIdentificationSG + EventRuleName = "${var.resources-prefix}SourceIdentificationSG" EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" - SNSDisplayName = ${var.resources-prefix}${var.snsDisplayNameSecurityGroups} - SNSTopicName = ${var.resources-prefix}${var.snsTopicNameSecurityGroups} + SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSecurityGroups}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSecurityGroups}" SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.name}" } } From 80f4c87151e162b0d9bcb04b7c20e7f3f0c08360 Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla Date: Wed, 17 Jul 2019 21:20:39 +0530 Subject: [PATCH 14/34] Updated with terraform template changes. Updated with terraform template changes. --- .../identification_nested_template.tf | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf index 5709402c..02a47d3a 100644 --- a/deployment/terraform/modules/identification/identification_nested_template.tf +++ b/deployment/terraform/modules/identification/identification_nested_template.tf @@ -1,6 +1,6 @@ resource "aws_lambda_function" "lambda-initiate" { depends_on = [ - aws_cloudwatch_log_group.log-group-lambda-initiate, + "aws_cloudwatch_log_group.log-group-lambda-initiate" ] function_name = "${var.InitiateLambdaName}" @@ -25,16 +25,16 @@ resource "aws_cloudwatch_log_group" "log-group-lambda-initiate" { resource "aws_cloudwatch_log_subscription_filter" "lambda_initiate_logfilter" { depends_on = [ - aws_cloudwatch_log_group.log-group-lambda-initiate, + "aws_cloudwatch_log_group.log-group-lambda-initiate" ] - log_group_name = aws_cloudwatch_log_group.log-group-lambda-initiate.name + log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-initiate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" destination_arn = "${var.LambdaLogsForwarderArn}" } resource "aws_lambda_function" "lambda-evaluate" { depends_on = [ - aws_cloudwatch_log_group.log-group-lambda-evaluate, + "aws_cloudwatch_log_group.log-group-lambda-evaluate" ] function_name = "${var.EvaluateLambdaName}" 
@@ -49,8 +49,8 @@ resource "aws_lambda_function" "lambda-evaluate" { memory_size = "${var.EvaluateLambdaMemorySize}" vpc_config { - subnet_ids = "${[] ? var.LambdaSubnetsEmpty : [split(",", var.LambdaSubnets)]}" - security_group_ids = "${[] ? var.LambdaSecurityGroupsEmpty : [split(",", var.LambdaSecurityGroups)]}" + subnet_ids = "${[split(",", var.LambdaSubnets)]}" + security_group_ids = "${[split(",", var.LambdaSecurityGroups)]}" } } @@ -63,9 +63,9 @@ resource "aws_cloudwatch_log_group" "log-group-lambda-logs-forwarder" { resource "aws_cloudwatch_log_subscription_filter" "lambda_evaluate_logfilter" { depends_on = [ - aws_cloudwatch_log_group.log-group-lambda-evaluate + "aws_cloudwatch_log_group.log-group-lambda-evaluate" ] - log_group_name = aws_cloudwatch_log_group.log-group-lambda-evaluate.name + log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" destination_arn = "${var.LambdaLogsForwarderArn}" } @@ -73,7 +73,7 @@ resource "aws_cloudwatch_log_subscription_filter" "lambda_evaluate_logfilter" { resource "aws_cloudwatch_event_rule" "eventInitiateEvaluation" { depends_on = [ - aws_lambda_function.lambda-initiate, + "aws_lambda_function.lambda-initiate" ] name = "${var.EventRuleName}" @@ -83,7 +83,7 @@ resource "aws_cloudwatch_event_rule" "eventInitiateEvaluation" { resource "aws_cloudwatch_event_target" "event-initiate-evaluation" { depends_on = [ - aws_cloudwatch_event_rule.eventInitiateEvaluation, + "aws_cloudwatch_event_rule.eventInitiateEvaluation" ] rule = "${aws_cloudwatch_event_rule.eventInitiateEvaluation.name}" 
@@ -93,7 +93,7 @@ resource "aws_cloudwatch_event_target" "event-initiate-evaluation" { resource "aws_lambda_permission" "allow_cloudwatch_to_call_initiate_lambda" { depends_on = [ - aws_lambda_function.lambda-initiate,aws_cloudwatch_event_rule.eventInitiateEvaluation + "aws_lambda_function.lambda-initiate" , "aws_cloudwatch_event_rule.eventInitiateEvaluation" ] statement_id = "AllowExecutionFromCloudWatch" @@ -106,7 +106,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_initiate_lambda" { resource "aws_sns_topic" "sns-notiify-lambda-evaluate" { depends_on = [ - aws_lambda_function.lambda-evaluate + "aws_lambda_function.lambda-evaluate" ] name = "${var.SNSDisplayName}" @@ -115,7 +115,7 @@ resource "aws_sns_topic" "sns-notiify-lambda-evaluate" { resource "aws_sns_topic_subscription" "lambda" { depends_on = [ - aws_sns_topic.sns-notiify-lambda-evaluate, + "aws_sns_topic.sns-notiify-lambda-evaluate" ] topic_arn = "${aws_sns_topic.sns-notiify-lambda-evaluate.arn}" protocol = "lambda" @@ -124,7 +124,7 @@ resource "aws_sns_topic_subscription" "lambda" { resource "aws_lambda_permission" "with_sns" { depends_on = [ - aws_sns_topic_subscription.lambda, + "aws_sns_topic_subscription.lambda" ] statement_id = "AllowExecutionFromSNS" @@ -136,7 +136,7 @@ resource "aws_lambda_permission" "with_sns" { resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-initiate-evaluation" { depends_on = [ - aws_lambda_function.lambda-initiate, + "aws_lambda_function.lambda-initiate" ] alarm_name = "/${aws_lambda_function.lambda-initiate.function_name}LambdaError" comparison_operator = "GreaterThanThreshold" 
@@ -164,7 +164,7 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-initiate-evaluation" resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-evaluate-evaluation" { depends_on = [ - aws_lambda_function.lambda-evaluate, + "aws_lambda_function.lambda-evaluate" ] alarm_name = "/${aws_lambda_function.lambda-evaluate.function_name}LambdaError" comparison_operator = "GreaterThanThreshold" From 67845a3a763d879e9bfad159bc3842a4a2240fc3 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 22:56:09 +0530 Subject: [PATCH 15/34] Updated with deployment template changes. Updated with deployment template changes. --- .../modules/identification/identification_nested_template.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf index 02a47d3a..6cbd3bd9 100644 --- a/deployment/terraform/modules/identification/identification_nested_template.tf +++ b/deployment/terraform/modules/identification/identification_nested_template.tf @@ -7,7 +7,7 @@ resource "aws_lambda_function" "lambda-initiate" { s3_bucket = "${var.SourceS3Bucket}" s3_key = "${var.SourceIdentification}" - description = ${var.InitiateLambdaDescription} + description = "${var.InitiateLambdaDescription}" role = "${var.IdentificationIAMRole}" handler = "${var.InitiateLambdaHandler}" runtime = "python3.6" @@ -41,7 +41,7 @@ resource "aws_lambda_function" "lambda-evaluate" { s3_bucket = "${var.SourceS3Bucket}" s3_key = "${var.SourceIdentification}" - description = ${var.EvaluateLambdaDescription} + description = "${var.EvaluateLambdaDescription}" role = "${var.IdentificationIAMRole}" handler = "${var.EvaluateLambdaHandler}" runtime = "python3.6" From 2eed883cfff3381a31604427f6367c80ca981798 Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla Date: Wed, 17 Jul 2019 23:17:17 +0530 Subject: [PATCH 16/34] Updated with template deployment changes. Updated with template deployment changes. --- .../modules/identification/identification_nested_template.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf index 6cbd3bd9..c515f56f 100644 --- a/deployment/terraform/modules/identification/identification_nested_template.tf +++ b/deployment/terraform/modules/identification/identification_nested_template.tf @@ -55,7 +55,7 @@ resource "aws_lambda_function" "lambda-evaluate" { } -resource "aws_cloudwatch_log_group" "log-group-lambda-logs-forwarder" { +resource "aws_cloudwatch_log_group" "log-group-lambda-evaluate" { name = "/aws/lambda/${var.EvaluateLambdaName}" retention_in_days = 7 } From c30866c18886faca2886b12f098e937cd1dc9516 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 23:35:06 +0530 Subject: [PATCH 17/34] Updated with terraform deployment changes. Updated with terraform deployment changes. --- deployment/terraform/modules/identification/identification.tf | 2 +- .../modules/identification/identification_nested_template.tf | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index f2660f30..1682d606 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -92,7 +92,7 @@ resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-logs-forwarder principal = "logs.${data.aws_region.current.name}.amazonaws.com" source_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:*" -}aws_region +} resource "aws_lambda_permission" "allow-cloudwatch-to-call-lambda-backup-ddb" { depends_on = [ diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification/identification_nested_template.tf index c515f56f..736ca166 100644 --- a/deployment/terraform/modules/identification/identification_nested_template.tf +++ b/deployment/terraform/modules/identification/identification_nested_template.tf @@ -49,8 +49,8 @@ resource "aws_lambda_function" "lambda-evaluate" { memory_size = "${var.EvaluateLambdaMemorySize}" vpc_config { - subnet_ids = "${[split(",", var.LambdaSubnets)]}" - security_group_ids = "${[split(",", var.LambdaSecurityGroups)]}" + subnet_ids = "${var.LambdaSubnets}" + security_group_ids = "${var.LambdaSecurityGroups}" } } From 83e66582849e0a1121a32ea47b01d97a88216d49 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Wed, 17 Jul 2019 23:40:42 +0530 Subject: [PATCH 18/34] Updated with terraform deployment changes. Updated with terraform deployment changes. --- deployment/terraform/modules/identification/identification.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 1682d606..6dca7f71 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
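Review bot: `source_arn` in `allow-cloudwatch-to-call-lambda-logs-forwarder` is `arn:aws:logs:<region>:<account>:log-group:*`, which lets a subscription filter on any log group in the account invoke the forwarder, not only the groups this deployment owns. Every log group visible in this series is named `/aws/lambda/...`, so the grant can at least be narrowed to `source_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/lambda/*"`, or ideally enumerated per group. The `aws` partition is also hard-coded, which breaks in the GovCloud and China partitions; `data.aws_partition` avoids that. The resource block starts before this hunk.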
@@ -166,7 +166,7 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { module "hammer_id_nested_sg" { - source = "../identification_nested_template.tf" + source = "identification_nested_template.tf" tags = "${var.tags}" parameters { ResourcesPrefix = "${var.resources-prefix}" From 505c5891b4242e6c8aa3a2d9dd4b19df992a391f Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 00:32:33 +0530 Subject: [PATCH 19/34] Updated with identification terraform changes. Updated with terraform id template changes. --- .../identification_nested_template.tf | 2 + .../modules/identification-nested/input.tf | 24 +++++++++ .../modules/identification/identification.tf | 52 ++++++++----------- 3 files changed, 49 insertions(+), 29 deletions(-) rename deployment/terraform/modules/{identification => identification-nested}/identification_nested_template.tf (97%) create mode 100644 deployment/terraform/modules/identification-nested/input.tf diff --git a/deployment/terraform/modules/identification/identification_nested_template.tf b/deployment/terraform/modules/identification-nested/identification_nested_template.tf similarity index 97% rename from deployment/terraform/modules/identification/identification_nested_template.tf rename to deployment/terraform/modules/identification-nested/identification_nested_template.tf index 736ca166..e81b4049 100644 --- a/deployment/terraform/modules/identification/identification_nested_template.tf +++ b/deployment/terraform/modules/identification-nested/identification_nested_template.tf 
@@ -27,6 +27,7 @@ resource "aws_cloudwatch_log_subscription_filter" "lambda_initiate_logfilter" { depends_on = [ "aws_cloudwatch_log_group.log-group-lambda-initiate" ] + name = "${aws_cloudwatch_log_group.log-group-lambda-initiate.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-initiate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" destination_arn = "${var.LambdaLogsForwarderArn}" @@ -65,6 +66,7 @@ resource "aws_cloudwatch_log_subscription_filter" "lambda_evaluate_logfilter" { depends_on = [ "aws_cloudwatch_log_group.log-group-lambda-evaluate" ] + name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" destination_arn = "${var.LambdaLogsForwarderArn}" diff --git a/deployment/terraform/modules/identification-nested/input.tf b/deployment/terraform/modules/identification-nested/input.tf new file mode 100644 index 00000000..6e84ec22 --- /dev/null +++ b/deployment/terraform/modules/identification-nested/input.tf @@ -0,0 +1,24 @@ +variable "InitiateLambdaName" {} +variable "SourceS3Bucket" {} +variable "SourceIdentification" {} +variable "InitiateLambdaDescription" {} +variable "IdentificationIAMRole" {} +variable "InitiateLambdaHandler" {} +variable "LambdaLogsForwarderArn" {} +variable "EvaluateLambdaName" {} +variable "EvaluateLambdaDescription" {} +variable "EvaluateLambdaHandler" {} +variable "EvaluateLambdaMemorySize" {} +variable "LambdaSubnets" {} +variable "LambdaSecurityGroups" {} +variable "EventRuleName" {} +variable "EventRuleDescription" {} +variable "IdentificationCheckRateExpression" {} +variable "SNSDisplayName" {} +variable "SNSTopicName" {} +variable "SNSIdentificationErrors" {} + +variable "tags" { + type = "map" + default = {} +} \ No newline at end of file 
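Review bot: All of the variables in the new `identification-nested/input.tf` are declared without `type` or `description`, so a caller of the module cannot tell which values are ARNs, names or S3 keys, and a wrong value is only discovered at apply time. `LambdaSubnets` and `LambdaSecurityGroups` in particular are passed as strings that the template later splits on commas (visible in a following patch), which deserves saying, e.g. `variable "LambdaSubnets" { description = "Comma-separated subnet IDs for the evaluate Lambda's VPC config; leave empty for no VPC" }`. `IdentificationIAMRole` should likewise state that it expects a full role ARN, and `EvaluateLambdaMemorySize` should be given `type = "string"` with the unit (MB) documented. `tags` is declared but nothing in the visible nested template consumes it; confirm whether the resources are meant to be tagged.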
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 6dca7f71..b39229aa 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -161,36 +161,30 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { } } - - - module "hammer_id_nested_sg" { - source = "identification_nested_template.tf" + source = "../identification-nested" tags = "${var.tags}" - parameters { - ResourcesPrefix = "${var.resources-prefix}" - IdentificationIAMRole = "${var.identificationIAMRole}" - IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" - LambdaSubnets = "${var.lambdaSubnets}" - LambdaSecurityGroups = "${var.lambdaSecurityGroups}" - SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}", - SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}", - IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" - InitiateLambdaName = "${var.initiateSecurityGroupLambdaFunctionName}" - SourceS3Bucket = "${var.s3bucket}" - InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" - InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" - SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" - LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" - EvaluateLambdaName = "${var.identifySecurityGroupLambdaFunctionName}" - EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." 
- EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" - EvaluateLambdaMemorySize = 512 - EventRuleName = "${var.resources-prefix}SourceIdentificationSG" - EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" - SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSecurityGroups}" - SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSecurityGroups}" - SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.name}" - } + IdentificationIAMRole = "${var.identificationIAMRole}" + IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}", + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}", + IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" + InitiateLambdaName = "${var.initiateSecurityGroupLambdaFunctionName}" + SourceS3Bucket = "${var.s3bucket}" + InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" + InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" + SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaName = "${var.identifySecurityGroupLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." 
+ EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" + EvaluateLambdaMemorySize = 512 + EventRuleName = "${var.resources-prefix}SourceIdentificationSG" + EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" + SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSecurityGroups}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSecurityGroups}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.name}" } From c7a3ab5f6c5a1b28cc73ebb4b22d96e3c6044055 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 00:44:16 +0530 Subject: [PATCH 20/34] Updated with terraform template changes. Updated with terraform template changes. --- deployment/terraform/modules/identification-nested/input.tf | 3 +++ deployment/terraform/modules/identification/identification.tf | 4 ++-- deployment/terraform/modules/identification/output.tf | 2 +- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/deployment/terraform/modules/identification-nested/input.tf b/deployment/terraform/modules/identification-nested/input.tf index 6e84ec22..a2a77411 100644 --- a/deployment/terraform/modules/identification-nested/input.tf +++ b/deployment/terraform/modules/identification-nested/input.tf @@ -17,6 +17,9 @@ variable "IdentificationCheckRateExpression" {} variable "SNSDisplayName" {} variable "SNSTopicName" {} variable "SNSIdentificationErrors" {} +variable "SourceLogsForwarder" {} +variable "SourceBackupDDB" {} +variable "IdentificationLambdaSource" {} variable "tags" { type = "map" diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index b39229aa..11acdd19 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
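Review bot: The `hammer_id_nested_sg` module call passes `SourceLogsForwarder`, `SourceBackupDDB` and `IdentificationLambdaSource`, none of which are declared in the `identification-nested/input.tf` added in this same patch, so `terraform` will reject the call with unknown-argument errors. Nothing visible in the nested template reads those values either, and `IdentificationLambdaSource` duplicates `SourceIdentification` (both are `aws_s3_bucket_object.sg-issues-identification.id`), so the right fix is to drop the three lines from the module block rather than to declare them as unused variables. `EvaluateLambdaMemorySize = 512` is a bare number while the nested variable is untyped; quoting it keeps the 0.11 string convention used everywhere else in the block.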
@@ -169,8 +169,8 @@ module "hammer_id_nested_sg" { IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" LambdaSubnets = "${var.lambdaSubnets}" LambdaSecurityGroups = "${var.lambdaSecurityGroups}" - SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}", - SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}", + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" InitiateLambdaName = "${var.initiateSecurityGroupLambdaFunctionName}" SourceS3Bucket = "${var.s3bucket}" diff --git a/deployment/terraform/modules/identification/output.tf b/deployment/terraform/modules/identification/output.tf index 87c62149..7d640a68 100755 --- a/deployment/terraform/modules/identification/output.tf +++ b/deployment/terraform/modules/identification/output.tf @@ -1,3 +1,3 @@ output "lambdaLogsForwarderArn" { - value = "${lookup(aws_cloudformation_stack.identification.outputs, "LambdaLogsForwarderArn", "not_present_yet")}" + value = "${aws_lambda_function.lambda-logs-forwarder.arn}" } \ No newline at end of file From d74cbd222f0ed2d6358b1b1703b0e5b014bed9b7 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 00:57:40 +0530 Subject: [PATCH 21/34] Updated with nested terraform template changes. Updated with nested terraform template changes. --- .../identification-nested/identification_nested_template.tf | 4 ++-- .../terraform/modules/identification/identification.tf | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/deployment/terraform/modules/identification-nested/identification_nested_template.tf b/deployment/terraform/modules/identification-nested/identification_nested_template.tf index e81b4049..ce193bc4 100644 --- a/deployment/terraform/modules/identification-nested/identification_nested_template.tf 
+++ b/deployment/terraform/modules/identification-nested/identification_nested_template.tf @@ -50,8 +50,8 @@ resource "aws_lambda_function" "lambda-evaluate" { memory_size = "${var.EvaluateLambdaMemorySize}" vpc_config { - subnet_ids = "${var.LambdaSubnets}" - security_group_ids = "${var.LambdaSecurityGroups}" + subnet_ids = ["${split(",", var.LambdaSubnets)}"] + security_group_ids = ["${split(",", var.LambdaSecurityGroups)}"] } } diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 11acdd19..a05d25d3 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -55,6 +55,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba "aws_lambda_permission.allow-cloudwatch-to-call-lambda-backup-ddb", "aws_lambda_function.lambda-logs-forwarder" ] + name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" destination_arn = "${aws_lambda_function.lambda-logs-forwarder.arn}" @@ -149,11 +150,11 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { alarm_actions = [ - "aws_sns_topic.sns-identification-errors.function_name", + "${aws_sns_topic.sns-identification-errors.name}" ] ok_actions = [ - "aws_sns_topic.sns-identification-errors.function_name", + "${aws_sns_topic.sns-identification-errors.name}" ] dimensions { From e40143d7f47c88537d191b66269bb5f76f533ee1 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 01:17:37 +0530 Subject: [PATCH 22/34] Updated with terraform template changes. Updated with terraform template chagnes. --- .../terraform/modules/identification/identification.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
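Review bot: `subnet_ids = ["${split(",", var.LambdaSubnets)}"]` breaks the non-VPC case: when `LambdaSubnets` is an empty string, `split` in Terraform 0.11 yields a single empty element rather than an empty list, so `vpc_config` is submitted with `[""]` and the function creation fails. The `LambdaSubnetsEmpty` fallback removed in patch 14 suggests that an empty value was meant to be supported; wrapping both lists restores it: `subnet_ids = ["${compact(split(",", var.LambdaSubnets))}"]` and `security_group_ids = ["${compact(split(",", var.LambdaSecurityGroups))}"]`. I cannot see from this hunk whether the variables ever arrive empty, so confirm against the root module's defaults. The `lambda-evaluate` resource block starts before this hunk.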
diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index a05d25d3..2197cb33 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -150,11 +150,11 @@ resource "aws_cloudwatch_metric_alarm" "alarm-errors-lambda-backup-ddb" { alarm_actions = [ - "${aws_sns_topic.sns-identification-errors.name}" + "${aws_sns_topic.sns-identification-errors.arn}" ] ok_actions = [ - "${aws_sns_topic.sns-identification-errors.name}" + "${aws_sns_topic.sns-identification-errors.arn}" ] dimensions { @@ -187,5 +187,5 @@ module "hammer_id_nested_sg" { EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSecurityGroups}" SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSecurityGroups}" - SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.name}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" } From 7dabf77f7690d12150e5fa72ff2005323bc7115c Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 01:29:26 +0530 Subject: [PATCH 23/34] Updated with terraform template updates. Updated with terraform updates. --- .../terraform/modules/identification/identification.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 2197cb33..4658d353 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -11,7 +11,7 @@ resource "aws_lambda_function" "lambda-logs-forwarder" { s3_key = "${aws_s3_bucket_object.logs-forwarder.id}" description = "Lambda function for parsing logs" - role = "${var.identificationIAMRole}" + role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" handler = "logs_forwarder.lambda_handler" runtime = "python3.6" timeout = "300" @@ -34,7 +34,7 @@ resource "aws_lambda_function" "lambda-backup-ddb" { s3_key = "${aws_s3_bucket_object.logs-forwarder.id}" description = "Lambda function for parsing logs" - role = "${var.identificationIAMRole}" + role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" handler = "ddb_tables_backup.lambda_handler" runtime = "python3.6" timeout = "300" @@ -166,7 +166,7 @@ module "hammer_id_nested_sg" { source = "../identification-nested" tags = "${var.tags}" - IdentificationIAMRole = "${var.identificationIAMRole}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" LambdaSubnets = "${var.lambdaSubnets}" LambdaSecurityGroups = "${var.lambdaSecurityGroups}" From 5dfe66fbd5c918386127185ce18003f8f2621a43 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 01:57:08 +0530 Subject: [PATCH 24/34] Updated with terraform changes. Updated with terraform changes. --- .../terraform/modules/identification/identification.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 4658d353..0a79e535 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
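Review bot: The role ARN `arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}` is now spelled out three times (both Lambda `role` arguments and the module's `IdentificationIAMRole`), so any change to the naming scheme has to be repeated in three places. Declare it once, `locals { identification_role_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" }`, and reference `"${local.identification_role_arn}"` at each site. The partition is hard-coded as `aws`; `data.aws_partition.current.partition` keeps the module usable outside the commercial partition. Note that the logs-forwarder, the DynamoDB backup function and every identification function now execute under this one role, so it carries the union of their permissions — worth confirming that a single shared role is intended rather than one per function.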
@@ -55,10 +55,10 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba "aws_lambda_permission.allow-cloudwatch-to-call-lambda-backup-ddb", "aws_lambda_function.lambda-logs-forwarder" ] - name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" - log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-evaluate.name}" + name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" + log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" - destination_arn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + destination_arn = "${aws_lambda_function.lambda-backup-ddb.arn}" } resource "aws_cloudwatch_event_rule" "event-backup-ddb" { @@ -167,7 +167,7 @@ module "hammer_id_nested_sg" { source = "../identification-nested" tags = "${var.tags}" IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" - IdentificationCheckRateExpression = "${var.identificationCheckRateExpression}" + IdentificationCheckRateExpression = "cron(35, ${var.identificationCheckRateExpression})" LambdaSubnets = "${var.lambdaSubnets}" LambdaSecurityGroups = "${var.lambdaSecurityGroups}" SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" From 6b0c72f869d3e7dd5af1571516f56a5fdd0ac6e6 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 02:09:45 +0530 Subject: [PATCH 25/34] Updated with terraform deployment changes. Updated with terraform deployment changes. --- deployment/terraform/modules/identification/identification.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 0a79e535..7eedcab1 100755 --- a/deployment/terraform/modules/identification/identification.tf 
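Review bot: The added `IdentificationCheckRateExpression = "cron(35, ${var.identificationCheckRateExpression})"` in the `@@ -167` hunk splits one schedule between a literal minute and a variable that now has to carry only the remaining fields, and nothing documents that `var.identificationCheckRateExpression` is no longer a complete rate or cron expression, so a caller still passing the whole-expression form gets an invalid rule at apply time. AWS schedule expressions use space-separated fields, so the comma after `35` should be checked against the scheduler's grammar; the conventional form would be `cron(35 ${var.identificationCheckRateExpression})`. Suggest a comment on the variable in variables.tf such as `# remaining five cron fields (hours day-of-month month day-of-week year); the minute is fixed per module`.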
+++ b/deployment/terraform/modules/identification/identification.tf @@ -31,7 +31,7 @@ resource "aws_lambda_function" "lambda-backup-ddb" { function_name = "${var.resources-prefix}backup-ddb" s3_bucket = "${var.s3bucket}" - s3_key = "${aws_s3_bucket_object.logs-forwarder.id}" + s3_key = "${aws_s3_bucket_object.ddb-tables-backup.id}" description = "Lambda function for parsing logs" role = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" From 552e4c4515247d8c9cca61a45aa24ea8ef87a16f Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 02:16:52 +0530 Subject: [PATCH 26/34] Updated with deployment issue fixes. Updated with deployment issue fixes. --- deployment/terraform/modules/identification/identification.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 7eedcab1..5ab9c349 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -58,7 +58,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" - destination_arn = "${aws_lambda_function.lambda-backup-ddb.arn}" + destination_arn = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.arn}" } resource "aws_cloudwatch_event_rule" "event-backup-ddb" { From df8484b9414fcd48cb07acd3c4e17a45ef4b2994 Mon Sep 17 00:00:00 2001 
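Review bot: `description = "Lambda function for parsing logs"` on the context line directly under the corrected `s3_key` still describes the logs forwarder, so `lambda-backup-ddb` keeps a misleading description in the console even though this patch fixes the artifact it deploys. Its handler is `ddb_tables_backup.lambda_handler` (visible in an earlier hunk of this series), so something like `description = "Lambda function for backing up DynamoDB tables"` matches what the function does. The enclosing `aws_lambda_function.lambda-backup-ddb` resource starts and ends outside the hunk.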
From: vigneswararaomacharla Date: Thu, 18 Jul 2019 02:32:52 +0530 Subject: [PATCH 27/34] Updated with terraform template changes. Updated with terraform template changes. --- .../terraform/modules/identification/identification.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 5ab9c349..9fc4501b 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -3,7 +3,7 @@ data "aws_region" "current" {} resource "aws_lambda_function" "lambda-logs-forwarder" { depends_on = [ - "aws_cloudwatch_log_group.log-group-lambda-evaluate" + "aws_cloudwatch_log_group.log-group-lambda-forwarder" ] function_name = "${var.resources-prefix}logs-forwarder" @@ -19,7 +19,7 @@ resource "aws_lambda_function" "lambda-logs-forwarder" { } -resource "aws_cloudwatch_log_group" "log-group-lambda-evaluate" { +resource "aws_cloudwatch_log_group" "log-group-lambda-forwarder" { name = "/aws/lambda/${var.resources-prefix}logs-forwarder" retention_in_days = 7 } @@ -58,7 +58,7 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" - destination_arn = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.arn}" + destination_arn = "${aws_cloudwatch_log_group.log-group-lambda-forwarder.arn}" } resource "aws_cloudwatch_event_rule" "event-backup-ddb" { From 980b22cdf297c6c3d1c7126ae5bbdb475c7b3a16 Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla Date: Thu, 18 Jul 2019 02:37:57 +0530 Subject: [PATCH 28/34] Updated with terraform template changes. Updated with terraform template changes. --- deployment/terraform/modules/identification/identification.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 9fc4501b..4c3bfba8 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -173,13 +173,13 @@ module "hammer_id_nested_sg" { SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" - InitiateLambdaName = "${var.initiateSecurityGroupLambdaFunctionName}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateSecurityGroupLambdaFunctionName}" SourceS3Bucket = "${var.s3bucket}" InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" - EvaluateLambdaName = "${var.identifySecurityGroupLambdaFunctionName}" + EvaluateLambdaName = "${var.resources-prefix}${var.identifySecurityGroupLambdaFunctionName}" EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" EvaluateLambdaMemorySize = 512 From fe5e1f5473f834db1b31f94dcf3f63384a47e408 Mon Sep 17 00:00:00 2001 
From: vigneswararaomacharla Date: Thu, 18 Jul 2019 02:55:16 +0530 Subject: [PATCH 29/34] Updated with terraform template changes. Updated with terraform template changes. --- deployment/terraform/modules/identification/identification.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 4c3bfba8..952adfb0 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf @@ -52,13 +52,13 @@ resource "aws_cloudwatch_log_subscription_filter" "subscription-filter-lambda-ba depends_on = [ "aws_cloudwatch_log_group.log-group-lambda-backup-ddb", - "aws_lambda_permission.allow-cloudwatch-to-call-lambda-backup-ddb", + "aws_lambda_permission.allow-cloudwatch-to-call-lambda-logs-forwarder", "aws_lambda_function.lambda-logs-forwarder" ] name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" log_group_name = "${aws_cloudwatch_log_group.log-group-lambda-backup-ddb.name}" filter_pattern = "[level != START && level != END && level != DEBUG, ...]" - destination_arn = "${aws_cloudwatch_log_group.log-group-lambda-forwarder.arn}" + destination_arn = "${aws_lambda_function.lambda-logs-forwarder.arn}" } resource "aws_cloudwatch_event_rule" "event-backup-ddb" { From b8a491a575023c66907db3bc4c7ec3f5008508c1 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 11:44:40 +0530 Subject: [PATCH 30/34] Updated with environment variables setting. Updated with environment variables setting. --- .../identification-nested/identification_nested_template.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/deployment/terraform/modules/identification-nested/identification_nested_template.tf b/deployment/terraform/modules/identification-nested/identification_nested_template.tf index ce193bc4..44a09c40 100644 
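Review bot: With `destination_arn` now referencing `aws_lambda_function.lambda-logs-forwarder.arn`, the `depends_on` entry `"aws_lambda_function.lambda-logs-forwarder"` is redundant (the attribute reference already orders creation) and can be dropped, leaving the permission as the only explicit dependency. The permission now named, `aws_lambda_permission.allow-cloudwatch-to-call-lambda-logs-forwarder`, is outside the hunk; for a logs-to-Lambda subscription it should grant `lambda:InvokeFunction` to the regional logs service principal with `source_arn` restricted to the `log-group-lambda-backup-ddb` group's ARN — the file already has `data.aws_region.current` for the principal — otherwise any log group in the account could invoke the forwarder, so worth confirming. The `filter_pattern` excluding START/END/DEBUG is unchanged and fine.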
--- a/deployment/terraform/modules/identification-nested/identification_nested_template.tf +++ b/deployment/terraform/modules/identification-nested/identification_nested_template.tf @@ -14,6 +14,11 @@ resource "aws_lambda_function" "lambda-initiate" { timeout = "300" memory_size = "128" + environment { + variables = { + SNS_ARN = "${aws_sns_topic.sns-notiify-lambda-evaluate.arn}" + } + } } From b9e7f5535ef5b740db2e511b28817a46cddbc7db Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 12:19:26 +0530 Subject: [PATCH 31/34] Added S3acl terraform deployment changes. Added S3acl terraform deployment changes. --- .../modules/identification/identification.tf | 30 ++++++++++++++++++- .../modules/identification/variables.tf | 15 ++++++++++ 2 files changed, 44 insertions(+), 1 deletion(-) diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index 952adfb0..ecb4ca34 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
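Review bot: The new environment block references `aws_sns_topic.sns-notiify-lambda-evaluate.arn`; the doubled `i` in `notiify` reads as a typo and will fail `terraform plan` unless the topic resource in this module carries the same misspelling — the topic is outside the hunk, so confirm. If it does, renaming both ends to `sns-notify-lambda-evaluate` in one change keeps the label greppable. A one-line comment on the variable, e.g. `# SNS_ARN: topic the initiate function publishes to, presumably to hand work to the evaluate function — confirm`, would also help, since the name alone does not say which direction the messages flow. The enclosing `aws_lambda_function.lambda-initiate` resource starts before the hunk.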
@@ -183,9 +183,37 @@ module "hammer_id_nested_sg" { EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" EvaluateLambdaMemorySize = 512 - EventRuleName = "${var.resources-prefix}SourceIdentificationSG" + EventRuleName = "${var.resources-prefix}InitiateEvaluationSG" EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSecurityGroups}" SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSecurityGroups}" SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" } + +module "hammer_id_nested_s3_acl" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateS3ACLLambdaFunctionName}" + SourceS3Bucket = "${var.s3bucket}" + InitiateLambdaDescription = "Lambda function for initiate to identify public s3 buckets." + InitiateLambdaHandler = "initiate_to_desc_s3_bucket_acl.lambda_handler" + SourceIdentification = "${aws_s3_bucket_object.s3-acl-issues-identification.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyS3ACLLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe public s3 buckets." 
+ EvaluateLambdaHandler = "describe_s3_bucket_acl.lambda_handler" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationS3ACL" + EventRuleDescription = "Hammer ScheduledRule to initiate S3 ACL evaluations" + SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameS3ACL}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameS3ACL}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} diff --git a/deployment/terraform/modules/identification/variables.tf b/deployment/terraform/modules/identification/variables.tf index 5a55367f..c94f5635 100644 --- a/deployment/terraform/modules/identification/variables.tf +++ b/deployment/terraform/modules/identification/variables.tf @@ -6,6 +6,14 @@ variable "snsTopicNameSecurityGroups" { default = "describe-security-groups-lambda" } +variable "snsDisplayNameS3ACL" { + default = "describe-s3-acl-sns" +} + +variable "snsTopicNameS3ACL" { + default = "describe-s3-acl-lambda" +} + variable "identifySecurityGroupLambdaFunctionName" { default = "describe-security-groups" } @@ -14,4 +22,11 @@ variable "initiateSecurityGroupLambdaFunctionName" { default = "initiate-security-groups" } +variable "identifyS3ACLLambdaFunctionName" { + default = "describe-s3-acl" +} + +variable "initiateS3ACLLambdaFunctionName" { + default = "initiate-s3-acl" +} From ee3e53a24a1c3a257c9dff558b7e089d626e55b4 Mon Sep 17 00:00:00 2001 From: vigneswararaomacharla Date: Thu, 18 Jul 2019 17:56:29 +0530 Subject: [PATCH 32/34] Updated with nested template changes. Updated with nested template changes. --- .../modules/identification-nested/input.tf | 1 - .../modules/identification/identification.tf | 372 +++++++++++++++++- .../modules/identification/variables.tf | 207 ++++++++++ 3 files changed, 569 insertions(+), 11 deletions(-) diff --git a/deployment/terraform/modules/identification-nested/input.tf b/deployment/terraform/modules/identification-nested/input.tf index a2a77411..a2ce2a19 100644 
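Review bot: In the new `hammer_id_nested_s3_acl` module, `IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}"` is carried over from the security-groups module while `SourceIdentification` correctly points at `s3-acl-issues-identification`, so the S3 ACL stack receives a security-groups artifact under one of its two source inputs. A later patch in this series removes `IdentificationLambdaSource` from the nested module's inputs, which resolves it; until then the line should read `IdentificationLambdaSource = "${aws_s3_bucket_object.s3-acl-issues-identification.id}"` or be dropped here. The renamed `EventRuleName` for the SG module and the two variables.tf hunks raise nothing.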
--- a/deployment/terraform/modules/identification-nested/input.tf +++ b/deployment/terraform/modules/identification-nested/input.tf @@ -19,7 +19,6 @@ variable "SNSTopicName" {} variable "SNSIdentificationErrors" {} variable "SourceLogsForwarder" {} variable "SourceBackupDDB" {} -variable "IdentificationLambdaSource" {} variable "tags" { type = "map" diff --git a/deployment/terraform/modules/identification/identification.tf b/deployment/terraform/modules/identification/identification.tf index ecb4ca34..5e0484a5 100755 --- a/deployment/terraform/modules/identification/identification.tf +++ b/deployment/terraform/modules/identification/identification.tf 
@@ -170,18 +170,17 @@ module "hammer_id_nested_sg" { IdentificationCheckRateExpression = "cron(35, ${var.identificationCheckRateExpression})" LambdaSubnets = "${var.lambdaSubnets}" LambdaSecurityGroups = "${var.lambdaSecurityGroups}" - SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" - IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" - InitiateLambdaName = "${var.resources-prefix}${var.initiateSecurityGroupLambdaFunctionName}" SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateSecurityGroupLambdaFunctionName}" InitiateLambdaDescription = "Lambda function for initiate to identify bad security groups" InitiateLambdaHandler = "initiate_to_desc_sec_grps.lambda_handler" - SourceIdentification = "${aws_s3_bucket_object.sg-issues-identification.id}" - LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" EvaluateLambdaName = "${var.resources-prefix}${var.identifySecurityGroupLambdaFunctionName}" EvaluateLambdaDescription = "Lambda function to describe security groups unrestricted access." EvaluateLambdaHandler = "describe_sec_grps_unrestricted_access.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" EvaluateLambdaMemorySize = 512 EventRuleName = "${var.resources-prefix}InitiateEvaluationSG" EventRuleDescription = "Hammer ScheduledRule to initiate Security Groups evaluations" 
@@ -190,6 +189,34 @@ module "hammer_id_nested_sg" { SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" } +module "hammer_id_nested_cloudtrails" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(15, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.cloudtrails-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateCloudTrailsLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate identification of CloudTrail issues." + InitiateLambdaHandler = "initiate_to_desc_cloudtrails.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyCloudTrailsLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function for describe of CloudTrail issues." + EvaluateLambdaHandler = "describe_cloudtrails.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 256 + EventRuleName = "${var.resources-prefix}InitiateEvaluationCloudTrails" + EventRuleDescription = "Hammer ScheduledRule to initiate cloud trails evaluations" + SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameCloudTrails}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameCloudTrails}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + + module "hammer_id_nested_s3_acl" { source = "../identification-nested" 
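Review bot: The minute offset in `IdentificationCheckRateExpression = "cron(15, ${var.identificationCheckRateExpression})"` here, `35` for security groups and `10` for S3 ACL are bare magic numbers spread across module blocks with nothing saying why they differ, and every further module added in the same patch reuses `10`. If the offsets are meant to stagger the evaluations, the reused value defeats that; if not, a single shared value would be clearer. A comment above the block such as `# minute offset within the shared schedule; keep unique across modules if runs must not overlap`, or a `locals` map of offsets keyed by check name, would make the intent explicit. The two description strings also differ in punctuation (`"... CloudTrail issues."` vs `"... cloud trails evaluations"`), which is minor but worth normalising.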
@@ -198,18 +225,17 @@ module "hammer_id_nested_s3_acl" { IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" LambdaSubnets = "${var.lambdaSubnets}" LambdaSecurityGroups = "${var.lambdaSecurityGroups}" - SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" - IdentificationLambdaSource = "${aws_s3_bucket_object.sg-issues-identification.id}" - InitiateLambdaName = "${var.resources-prefix}${var.initiateS3ACLLambdaFunctionName}" SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.s3-acl-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateS3ACLLambdaFunctionName}" InitiateLambdaDescription = "Lambda function for initiate to identify public s3 buckets." InitiateLambdaHandler = "initiate_to_desc_s3_bucket_acl.lambda_handler" - SourceIdentification = "${aws_s3_bucket_object.s3-acl-issues-identification.id}" - LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" EvaluateLambdaName = "${var.resources-prefix}${var.identifyS3ACLLambdaFunctionName}" EvaluateLambdaDescription = "Lambda function to describe public s3 buckets." EvaluateLambdaHandler = "describe_s3_bucket_acl.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" EvaluateLambdaMemorySize = 128 EventRuleName = "${var.resources-prefix}InitiateEvaluationS3ACL" EventRuleDescription = "Hammer ScheduledRule to initiate S3 ACL evaluations" 
@@ -217,3 +243,329 @@ module "hammer_id_nested_s3_acl" { SNSTopicName = "${var.resources-prefix}${var.snsTopicNameS3ACL}" SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" } + +module "hammer_id_nested_s3_policy" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.s3-policy-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateS3PolicyLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify public s3 buckets." + InitiateLambdaHandler = "initiate_to_desc_s3_bucket_policy.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyS3PolicyLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe public s3 buckets." + EvaluateLambdaHandler = "describe_s3_bucket_policy.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationS3Policy" + EventRuleDescription = "Hammer ScheduledRule to initiate S3 Policy evaluations." 
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameS3Policy}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameS3Policy}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+
+module "hammer_id_nested_iam_user_keys_rotation" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.iam-keyrotation-issues-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateIAMUserKeysRotationLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify IAM user keys which to be rotated."
+ InitiateLambdaHandler = "initiate_to_desc_iam_users_key_rotation.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifyIAMUserKeysRotationLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe IAM user keys to be rotated."
+ EvaluateLambdaHandler = "describe_iam_key_rotation.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationIAMUserKeysRotation"
+ EventRuleDescription = "Hammer ScheduledRule to initiate IAM user keys rotation evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameIAMUserKeysRotation}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameIAMUserKeysRotation}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+module "hammer_id_nested_iam_user_inactive_keys" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.iam-user-inactive-keys-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateIAMUserInactiveKeysLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify IAM user keys which last used."
+ InitiateLambdaHandler = "initiate_to_desc_iam_access_keys.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifyIAMUserInactiveKeysLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe IAM user keys last used."
+ EvaluateLambdaHandler = "describe_iam_accesskey_details.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationIAMUserInactiveKeys"
+ EventRuleDescription = "Hammer ScheduledRule to initiate IAM user inactive keys evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameIAMUserInactiveKeys}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameIAMUserInactiveKeys}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+
+module "hammer_id_nested_unencrypted_ebs_volumes" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.ebs-unencrypted-volume-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateEBSVolumesLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify unencrypted EBS volumes."
+ InitiateLambdaHandler = "initiate_to_desc_ebs_unencrypted_volumes.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifyEBSVolumesLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe unencrypted ebs volumes."
+ EvaluateLambdaHandler = "describe_ebs_unencrypted_volumes.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationEBSVolumes"
+ EventRuleDescription = "Hammer ScheduledRule to initiate EBS volumes evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameEBSVolumes}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameEBSVolumes}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+module "hammer_id_nested_public_ebs_snapshots" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.ebs-public-snapshots-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateEBSSnapshotsLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify public EBS snapshots."
+ InitiateLambdaHandler = "initiate_to_desc_ebs_public_snapshots.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifyEBSSnapshotsLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe public ebs snapshots."
+ EvaluateLambdaHandler = "describe_ebs_public_snapshots.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationEBSSnapshots"
+ EventRuleDescription = "Hammer ScheduledRule to initiate ebs snapshots evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameEBSSnapshots}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameEBSSnapshots}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+module "hammer_id_nested_public_rds_snapshots" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.rds-public-snapshots-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateRDSSnapshotsLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify public RDS snapshots."
+ InitiateLambdaHandler = "initiate_to_desc_rds_public_snapshots.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifyRDSSnapshotsLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe public RDS snapshots."
+ EvaluateLambdaHandler = "describe_rds_public_snapshots.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationRDSSnapshots"
+ EventRuleDescription = "Hammer ScheduledRule to initiate RDS snapshots evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameRDSSnapshots}"
+ SNSTopicName = "${var.resources-prefix}${var.snsTopicNameRDSSnapshots}"
+ SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}"
+}
+
+module "hammer_id_nested_sqs_public_policy" {
+
+ source = "../identification-nested"
+ tags = "${var.tags}"
+ IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}"
+ IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})"
+ LambdaSubnets = "${var.lambdaSubnets}"
+ LambdaSecurityGroups = "${var.lambdaSecurityGroups}"
+ SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}"
+ SourceS3Bucket = "${var.s3bucket}"
+ SourceIdentification = "${aws_s3_bucket_object.sqs-public-policy-identification.id}"
+ InitiateLambdaName = "${var.resources-prefix}${var.initiateSQSPublicPolicyLambdaFunctionName}"
+ InitiateLambdaDescription = "Lambda function for initiate to identify public SQS queues."
+ InitiateLambdaHandler = "initiate_to_desc_sqs_public_policy.lambda_handler"
+ EvaluateLambdaName = "${var.resources-prefix}${var.identifySQSPublicPolicyLambdaFunctionName}"
+ EvaluateLambdaDescription = "Lambda function to describe public SQS queues."
+ EvaluateLambdaHandler = "describe_sqs_public_policy.lambda_handler"
+ SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}"
+ LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}"
+ EvaluateLambdaMemorySize = 128
+ EventRuleName = "${var.resources-prefix}InitiateEvaluationSQSPublicPolicy"
+ EventRuleDescription = "Hammer ScheduledRule to initiate SQS queue evaluations."
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameSQSPublicPolicy}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameSQSPublicPolicy}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + +module "hammer_id_nested_s3_encryption" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.s3-unencrypted-bucket-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateS3EncryptionLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify S3 unencrypted buckets." + InitiateLambdaHandler = "initiate_to_desc_s3_encryption.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyS3EncryptionLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe un-encrypted S3 buckets." + EvaluateLambdaHandler = "describe_s3_encryption.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationS3Encryption" + EventRuleDescription = "Hammer ScheduledRule to initiate S3 encryption evaluations." 
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameS3Encryption}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameS3Encryption}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + +module "hammer_id_nested_rds_encryption" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.rds-unencrypted-instance-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateRDSEncryptionLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify unencrypted RDS instances." + InitiateLambdaHandler = "initiate_to_desc_rds_instance_encryption.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyRDSEncryptionLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe un-encrypted RDS instances." + EvaluateLambdaHandler = "describe_rds_instance_encryption.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationRDSEncryption" + EventRuleDescription = "Hammer ScheduledRule to initiate RDS encryption evaluations." 
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameRDSEncryption}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameRDSEncryption}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + +module "hammer_id_nested_ami_public_access" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.ami-public-access-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateAMIPublicAccessLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify public AMI access issues." + InitiateLambdaHandler = "initiate_to_desc_public_ami_issues.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyAMIPublicAccessLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe public AMI issues." + EvaluateLambdaHandler = "describe_public_ami_issues.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationAmiPublicAccess" + EventRuleDescription = "Hammer ScheduledRule to initiate Ami public access evaluations." 
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameAMIPublicAccess}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameAMIPublicAccess}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + +module "hammer_id_nested_ecs_privileged_access" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.ecs-privileged-access-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateECSPrivilegedAccessLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify ECS privileged access issues." + InitiateLambdaHandler = "initiate_to_desc_ecs_privileged_access_issues.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyECSPrivilegedAccessLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe ECS privileged access issues." + EvaluateLambdaHandler = "describe_ecs_privileged_access_issues.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationECSPrivilegedAccess" + EventRuleDescription = "Hammer ScheduledRule to initiate ECS privileged access evaluations." 
+ SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameECSPrivilegedAccess}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameECSPrivilegedAccess}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} + +module "hammer_id_nested_ecs_logging" { + + source = "../identification-nested" + tags = "${var.tags}" + IdentificationIAMRole = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/${var.resources-prefix}${var.identificationIAMRole}" + IdentificationCheckRateExpression = "cron(10, ${var.identificationCheckRateExpression})" + LambdaSubnets = "${var.lambdaSubnets}" + LambdaSecurityGroups = "${var.lambdaSecurityGroups}" + SourceBackupDDB = "${aws_s3_bucket_object.ddb-tables-backup.id}" + SourceS3Bucket = "${var.s3bucket}" + SourceIdentification = "${aws_s3_bucket_object.ecs-logging-issues-identification.id}" + InitiateLambdaName = "${var.resources-prefix}${var.initiateECSLoggingLambdaFunctionName}" + InitiateLambdaDescription = "Lambda function for initiate to identify ECS logging enabled or not." + InitiateLambdaHandler = "initiate_to_desc_ecs_logging_issues.lambda_handler" + EvaluateLambdaName = "${var.resources-prefix}${var.identifyECSLoggingLambdaFunctionName}" + EvaluateLambdaDescription = "Lambda function to describe ECS logging enabled or not." + EvaluateLambdaHandler = "describe_ecs_logging_issues.lambda_handler" + SourceLogsForwarder = "${aws_s3_bucket_object.logs-forwarder.id}" + LambdaLogsForwarderArn = "${aws_lambda_function.lambda-logs-forwarder.arn}" + EvaluateLambdaMemorySize = 128 + EventRuleName = "${var.resources-prefix}InitiateEvaluationECSLogging" + EventRuleDescription = "Hammer ScheduledRule to initiate ECS logging evaluations." + SNSDisplayName = "${var.resources-prefix}${var.snsDisplayNameECSLogging}" + SNSTopicName = "${var.resources-prefix}${var.snsTopicNameECSLogging}" + SNSIdentificationErrors = "${aws_sns_topic.sns-identification-errors.arn}" +} 
diff --git a/deployment/terraform/modules/identification/variables.tf b/deployment/terraform/modules/identification/variables.tf
index c94f5635..1d1a09f5 100644
--- a/deployment/terraform/modules/identification/variables.tf
+++ b/deployment/terraform/modules/identification/variables.tf
@@ -14,6 +14,110 @@ variable "snsTopicNameS3ACL" {
 default = "describe-s3-acl-lambda"
 }
 
+variable "snsDisplayNameCloudTrails" {
+ default = "describe-cloudtrails-sns"
+}
+
+variable "snsTopicNameCloudTrails" {
+ default = "describe-cloudtrails-lambda"
+}
+
+variable "snsDisplayNameS3Policy" {
+ default = "describe-s3-policy-sns"
+}
+
+variable "snsTopicNameS3Policy" {
+ default = "describe-s3-policy-lambda"
+}
+
+variable "snsDisplayNameIAMUserKeysRotation" {
+ default = "describe-iam-key-rotation-sns"
+}
+
+variable "snsTopicNameIAMUserKeysRotation" {
+ default = "describe-iam-key-rotation-lambda"
+}
+
+variable "snsDisplayNameIAMUserInactiveKeys" {
+ default = "describe-iam-user-inactive-keys-sns"
+}
+
+variable "snsTopicNameIAMUserInactiveKeys" {
+ default = "describe-iam-user-inactive-keys-lambda"
+}
+
+variable "snsDisplayNameEBSVolumes" {
+ default = "describe-ebs-volumes-sns"
+}
+
+variable "snsTopicNameEBSVolumes" {
+ default = "describe-ebs-unencrypted-volumes-lambda"
+}
+
+variable "snsDisplayNameEBSSnapshots" {
+ default = "describe-ebs-snapshots-sns"
+}
+
+variable "snsTopicNameEBSSnapshots" {
+ default = "describe-ebs-public-snapshots-lambda"
+}
+
+variable "snsDisplayNameRDSSnapshots" {
+ default = "describe-rds-snapshots-sns"
+}
+
+variable "snsTopicNameRDSSnapshots" {
+ default = "describe-rds-public-snapshots-lambda"
+}
+
+variable "snsDisplayNameAMIPublicAccess" {
+ default = "describe-ami-public-access-sns"
+}
+
+variable "snsTopicNameAMIPublicAccess" {
+ default = "describe-ami-public-access-lambda"
+}
+
+variable "snsDisplayNameSQSPublicPolicy" {
+ default = "describe-sqs-public-policy-sns"
+}
+
+variable "snsTopicNameSQSPublicPolicy" {
+ default = "describe-sqs-public-policy-lambda"
+}
+
+variable "snsDisplayNameS3Encryption" {
+ default = "describe-s3-encryption-sns"
+}
+
+variable "snsTopicNameS3Encryption" {
+ default = "describe-s3-encryption-lambda"
+}
+
+variable "snsDisplayNameRDSEncryption" {
+ default = "describe-rds-encryption-sns"
+}
+
+variable "snsTopicNameRDSEncryption" {
+ default = "describe-rds-encryption-lambda"
+}
+
+variable "snsDisplayNameECSPrivilegedAccess" {
+ default = "describe-ecs-privileged-access-sns"
+}
+
+variable "snsTopicNameECSPrivilegedAccess" {
+ default = "describe-ecs-privileged-access-lambda"
+}
+
+variable "snsDisplayNameECSLogging" {
+ default = "describe-ecs-logging-sns"
+}
+
+variable "snsTopicNameECSLogging" {
+ default = "describe-ecs-logging-lambda"
+}
+
 variable "identifySecurityGroupLambdaFunctionName" {
 default = "describe-security-groups"
 }
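Review bot: None of the 26 new `variable` blocks in this hunk carries a `description` (or a `type`), so a reader of `variables.tf` or of `terraform plan` output has only the default string to infer what each value is used for; the same applies to the Lambda-name variables added in the next hunk. A one-line description per variable is enough, e.g. for the first pair `description = "Display name of the SNS topic that publishes CloudTrail findings"` and `description = "Name of the SNS topic that publishes CloudTrail findings"`. Separately, the topic-name defaults end in `-lambda` (`describe-cloudtrails-lambda`) while the display names end in `-sns`; this follows the existing `snsTopicNameS3ACL` context line, but a `-lambda` suffix on an SNS topic name is misleading and is worth a comment noting it is kept for compatibility with the existing naming scheme.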
@@ -30,3 +134,106 @@ variable "initiateS3ACLLambdaFunctionName" {
 default = "initiate-s3-acl"
 }
 
+variable "identifyCloudTrailsLambdaFunctionName" {
+ default = "describe-cloudtrails"
+}
+
+variable "initiateCloudTrailsLambdaFunctionName" {
+ default = "initiate-cloudtrails"
+}
+
+variable "identifyS3PolicyLambdaFunctionName" {
+ default = "describe-s3-policy"
+}
+
+variable "initiateS3PolicyLambdaFunctionName" {
+ default = "initiate-s3-policy"
+}
+
+variable "identifyIAMUserKeysRotationLambdaFunctionName" {
+ default = "describe-iam-key-ratation"
+}
+
+variable "initiateIAMUserKeysRotationLambdaFunctionName" {
+ default = "initiate-iam-key-ratation"
+}
+
+variable "initiateAMIPublicAccessLambdaFunctionName" {
+ default = "initiate-ami-public-access"
+}
+
+variable "identifyAMIPublicAccessLambdaFunctionName" {
+ default = "describe-ami-public-access"
+}
+
+variable "initiateSQSPublicPolicyLambdaFunctionName" {
+ default = "initiate-sqs-public-policy"
+}
+
+variable "identifySQSPublicPolicyLambdaFunctionName" {
+ default = "describe-sqs-public-policy"
+}
+
+variable "initiateRDSSnapshotsLambdaFunctionName" {
+ default = "initiate-rds-public-snapshots"
+}
+
+variable "identifyRDSSnapshotsLambdaFunctionName" {
+ default = "describe-rds-public-snapshots"
+}
+
+variable "initiateS3EncryptionLambdaFunctionName" {
+ default = "initiate-s3-encryption"
+}
+
+variable "identifyS3EncryptionLambdaFunctionName" {
+ default = "describe-s3-encryption"
+}
+
+variable "initiateRDSEncryptionLambdaFunctionName" {
+ default = "initiate-rds-encryption"
+}
+
+variable "identifyRDSEncryptionLambdaFunctionName" {
+ default = "describe-rds-encryption"
+}
+
+variable "initiateECSPrivilegedAccessLambdaFunctionName" {
+ default = "initiate-ecs-privileged-access"
+}
+
+variable "identifyECSPrivilegedAccessLambdaFunctionName" {
+ default = "describe-ecs-privileged-access"
+}
+
+variable "initiateECSLoggingLambdaFunctionName" {
+ default = "initiate-ecs-logging"
+}
+
+variable "identifyECSLoggingLambdaFunctionName" {
+ default = "describe-ecs-logging"
+}
+
+variable "initiateEBSSnapshotsLambdaFunctionName" {
+ default = "initiate-ebs-public-snapshots"
+}
+
+variable "identifyEBSSnapshotsLambdaFunctionName" {
+ default = "describe-ebs-public-snapshots"
+}
+
+variable "initiateEBSVolumesLambdaFunctionName" {
+ default = "initiate-ebs-unencrypted-volumes"
+}
+
+variable "identifyEBSVolumesLambdaFunctionName" {
+ default = "describe-ebs-unencrypted-volumes"
+}
+
+variable "initiateIAMUserInactiveKeysLambdaFunctionName" {
+ default = "initiate-iam-user-inactive-keys"
+}
+
+variable "identifyIAMUserInactiveKeysLambdaFunctionName" {
+ default = "describe-iam-user-inactive-keys"
+}
From 8b644f4a116048e67b097a62deb6c1756bccf342 Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Thu, 18 Jul 2019 18:28:05 +0530
Subject: [PATCH 33/34] Updated with ddb changes.
Updated with ddb changes.
---
 deployment/terraform/modules/ddb/ddb.tf | 41 +++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 1fbb2e5f..4f08cb8b 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
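Review bot: The defaults of `identifyIAMUserKeysRotationLambdaFunctionName` and `initiateIAMUserKeysRotationLambdaFunctionName` are misspelled (`describe-iam-key-ratation`, `initiate-iam-key-ratation`); these values become Lambda function names once they are concatenated with `var.resources-prefix`, so the typo is baked into deployed resource names and fixing it later forces Terraform to replace the functions. They should read `default = "describe-iam-key-rotation"` and `default = "initiate-iam-key-rotation"` before this first lands, matching the `describe-iam-key-rotation-sns` naming used by the SNS variables in the previous hunk. As a style point, the first five pairs list `identify…` before `initiate…` and the remaining pairs reverse that order; keeping one order throughout makes the file easier to scan.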
@@ -282,3 +282,44 @@ resource "aws_dynamodb_table" "api-requests" {
 }
 }
 
+resource "aws_dynamodb_table" "ecs-privileged-access" {
+
+ depends_on = ["aws_dynamodb_table.credentials" ]
+
+ name = "${var.resources-prefix}ecs-privileged-access"
+ read_capacity = 20
+ write_capacity = 4
+ hash_key = "account_id"
+ range_key = "issue_id"
+
+ attribute {
+ name = "account_id"
+ type = "S"
+ }
+
+ attribute {
+ name = "issue_id"
+ type = "S"
+ }
+}
+
+resource "aws_dynamodb_table" "ecs-logging" {
+
+ depends_on = ["aws_dynamodb_table.credentials" ]
+
+ name = "${var.resources-prefix}ecs-logging"
+ read_capacity = 20
+ write_capacity = 4
+ hash_key = "account_id"
+ range_key = "issue_id"
+
+ attribute {
+ name = "account_id"
+ type = "S"
+ }
+
+ attribute {
+ name = "issue_id"
+ type = "S"
+ }
+}
From 83a6524dff767c4591f2e1df60431f91326a1b9b Mon Sep 17 00:00:00 2001
From: vigneswararaomacharla
Date: Thu, 18 Jul 2019 18:33:05 +0530
Subject: [PATCH 34/34] Updated with ddb table changes.
Updated with ddb table changes.
---
 deployment/terraform/modules/ddb/ddb.tf | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/deployment/terraform/modules/ddb/ddb.tf b/deployment/terraform/modules/ddb/ddb.tf
index 4f08cb8b..8b1fc238 100755
--- a/deployment/terraform/modules/ddb/ddb.tf
+++ b/deployment/terraform/modules/ddb/ddb.tf
@@ -161,6 +161,27 @@ resource "aws_dynamodb_table" "ebs-volumes-unencrypted" {
 }
 }
 
+resource "aws_dynamodb_table" "ebs-snapshots-public" {
+
+ depends_on = ["aws_dynamodb_table.credentials" ]
+
+ name = "${var.resources-prefix}ebs-snapshots-public"
+ read_capacity = 20
+ write_capacity = 4
+ hash_key = "account_id"
+ range_key = "issue_id"
+
+ attribute {
+ name = "account_id"
+ type = "S"
+ }
+
+ attribute {
+ name = "issue_id"
+ type = "S"
+ }
+}
+
 resource "aws_dynamodb_table" "rds-public-snapshots" {
 
 depends_on = ["aws_dynamodb_table.credentials" ]
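Review bot: The three new tables (`ecs-privileged-access` and `ecs-logging` in this hunk, `ebs-snapshots-public` in the `@@ -161,6 +161,27 @@` hunk of the following patch) set only name, capacity and keys; none enables point-in-time recovery or declares its encryption setting, even though they store per-account findings keyed by `account_id`/`issue_id` and the series elsewhere wires up a `ddb-tables-backup` function for exactly this data. Adding `point_in_time_recovery { enabled = true }` and `server_side_encryption { enabled = true }` to each resource makes the recovery and at-rest-encryption posture explicit in code rather than dependent on the AWS default, and is cheap to do now while the tables are new. The hard-coded `read_capacity = 20` / `write_capacity = 4` pairs are also copied verbatim across every table in the file; a comment such as `# provisioned capacity shared by all finding tables; tune per table once usage is known` on the first new table would tell the next maintainer these numbers are placeholders rather than measured values.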
@@ -266,7 +287,6 @@ resource "aws_dynamodb_table" "ec2-public-ami" {
 }
 }
-
 resource "aws_dynamodb_table" "api-requests" {
 
 depends_on = ["aws_dynamodb_table.credentials" ]