Remove default role

README.md

@@ -2,7 +2,7 @@
 
 ## Description
 
-This tool pulls findings from AWS Security Hub and outputs them for consumption by visualization tools. To use this tool, you need a cross-account role ARN that is valid for all accounts listed in the team map provided to the tool. You can also specify custom role ARNs for specific accounts if the role name is not consistent across accounts.
+This tool pulls findings from AWS Security Hub and outputs them for consumption by visualization tools. To use this tool, you need a role ARN that is valid for each account listed in the team map provided to the tool.
 
 ## Installation
 
@@ -18,24 +18,22 @@ To display a full list of CLI options, build the application and run `security-h
 
 
 You will need to create a team map file with a JSON object that describes
-your teams based on account numbers, environments and optional role ARN overrides. For example:
+your teams based on account numbers, environments and role ARN which will be used to query the account. For example:
 
 ```json
 {
   "teams": [
     {
       "accounts": [
         { "id": "000000000001", "environment": "dev" },
-        { "id": "000000000011", "environment": "test", "roleArnOverride": "arn:aws:iam::000000000011:role/CustomRole" }
+        { "id": "000000000011", "environment": "test", "roleArn": "arn:aws:iam::000000000011:role/CustomRole" }
       ],
       "name":"My Team"
     }
   ]
 }
 ```
 
-The roleArnOverride field is optional. If specified, it will be used instead of the default role ARN provided in the command line arguments for that specific account.
-
 ## Run Docker Image Locally
 
 To run the Docker image locally for testing, do the following:
@@ -50,7 +48,6 @@ To run the Docker image locally for testing, do the following:
 docker run \
 -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID -e TEAM_MAP \
 -e AWS_REGION={region}
--e ASSUME_ROLE={full role ARN} \
 -e S3_BUCKET_PATH={bucket name} \
 local-collector-test
 ```

main.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/s3"
-	"github.com/aws/aws-sdk-go/aws/arn"
 
 	"github.com/CMSGov/security-hub-collector/internal/aws/client"
 	"github.com/CMSGov/security-hub-collector/pkg/helpers"
@@ -23,7 +22,6 @@ import (
 
 // Options describes the command line options available.
 type Options struct {
-	AssumeRoleARN      string   `short:"a" long:"assume-role-arn" required:"true" description:"Default Role ARN to assume when collecting across all accounts. Can be overridden for specific accounts in the team map file."`
 	OutputFileName     string   `short:"o" long:"output" required:"false" description:"File to direct output to." default:"SecurityHub-Findings.csv"`
 	S3Region           string   `short:"s" long:"s3-region" env:"AWS_REGION" required:"false" description:"AWS region to use for s3 uploads."`
 	SecurityHubRegions []string `short:"r" long:"sechub-regions" required:"false" default:"us-east-1" default:"us-west-2" description:"AWS regions to use for Security Hub findings."`
@@ -106,10 +104,7 @@ func collectFindings(secHubRegions []string) {
 	}
 
 	for account, teamName := range accountsToTeams {
-		roleArn := options.AssumeRoleARN
-		if account.RoleARNOverride != "" {
-			roleArn = account.RoleARNOverride
-		}
+		roleArn := account.RoleARN
 
 		for _, secHubRegion := range secHubRegions {
 			log.Printf("getting findings for account %v in %v", account.ID, secHubRegion)
@@ -128,10 +123,6 @@ func main() {
 		log.Fatalf("could not parse options: %v", err)
 	}
 
-	if !arn.IsARN(options.AssumeRoleARN) {
-		log.Fatalf("invalid default role ARN format: %s input must be a valid Role ARN", options.AssumeRoleARN)
-	}
-
 	collectFindings(options.SecurityHubRegions)
 
 	if options.S3Bucket != "" {

pkg/teams/team_map_test_duplicate.json

@@ -4,11 +4,13 @@
       "accounts": [
         {
           "environment": "dev",
-          "id": "account 1"
+          "id": "account 1",
+          "roleArn": "arn:aws:iam::000000000011:role/CustomRole"
         },
         {
           "environment": "test",
-          "id": "account 11"
+          "id": "account 11",
+          "roleArn": "arn:aws:iam::000000000012:role/CustomRole"
         }
       ],
       "name": "Test Team 1"
@@ -17,11 +19,13 @@
       "accounts": [
         {
           "environment": "impl",
-          "id": "account 2"
+          "id": "account 2",
+          "roleArn": "arn:aws:iam::000000000013:role/CustomRole"
         },
         {
           "environment": "prod",
-          "id": "account 11"
+          "id": "account 11",
+          "roleArn": "arn:aws:iam::000000000014:role/CustomRole"
         }
       ],
       "name": "Test Team 2"

pkg/teams/team_map_test_invalid_arn.json

@@ -5,7 +5,7 @@
         {
           "environment": "dev",
           "id": "account 1",
-          "roleArnOverride": "invalid:arn:format"
+          "roleArn": "invalid:arn:format"
         },
         {
           "environment": "prod",

pkg/teams/team_map_test_valid.json

@@ -4,11 +4,13 @@
       "accounts": [
         {
           "environment": "dev",
-          "id": "account 1"
+          "id": "account 1",
+          "roleArn": "arn:aws:iam::000000000011:role/CustomRole"
         },
         {
           "environment": "test",
-          "id": "account 11"
+          "id": "account 11",
+          "roleArn": "arn:aws:iam::000000000012:role/CustomRole"
         }
       ],
       "name": "Test Team 1"
@@ -17,11 +19,13 @@
       "accounts": [
         {
           "environment": "impl",
-          "id": "account 2"
+          "id": "account 2",
+          "roleArn": "arn:aws:iam::000000000013:role/CustomRole"
         },
         {
           "environment": "prod",
-          "id": "account 22"
+          "id": "account 22",
+          "roleArn": "arn:aws:iam::000000000014:role/CustomRole"
         }
       ],
       "name": "Test Team 2"

pkg/teams/teams.go

@@ -36,7 +36,7 @@ type Team struct {
 type Account struct {
 	ID              string `json:"id"`
 	Environment     string `json:"environment"`
-	RoleARNOverride string `json:"roleArnOverride,omitempty"`
+	RoleARN string `json:"roleArn"`
 }
 
 // ParseTeamMap takes a path to a team mapping JSON file, reads the file, and returns a Go map of Accounts to team names
@@ -105,10 +105,8 @@ func (t *Teams) accountsToTeamNames() (map[Account]string, error) {
 				}
 			}
 
-			if account.RoleARNOverride != "" {
-				if !arn.IsARN(account.RoleARNOverride) {
-					return nil, fmt.Errorf("invalid role ARN override for account %s: %s Input must be a valid Role ARN", account.ID, account.RoleARNOverride)
-				}
+			if !arn.IsARN(account.RoleARN) {
+				return nil, fmt.Errorf("invalid role ARN override for account %s: %s Input must be a valid Role ARN", account.ID, account.RoleARN)
 			}
 			a[account] = team.Name
 		}

pkg/teams/teams_test.go

@@ -9,10 +9,10 @@ import (
 )
 
 var expectedAccountsToTeams = map[Account]string{
-	{ID: "account 1", Environment: "dev"}:   "Test Team 1",
-	{ID: "account 11", Environment: "test"}: "Test Team 1",
-	{ID: "account 2", Environment: "impl"}:  "Test Team 2",
-	{ID: "account 22", Environment: "prod"}: "Test Team 2",
+	{ID: "account 1", Environment: "dev", RoleARN: "arn:aws:iam::000000000011:role/CustomRole"}:   "Test Team 1",
+	{ID: "account 11", Environment: "test", RoleARN: "arn:aws:iam::000000000012:role/CustomRole"}: "Test Team 1",
+	{ID: "account 2", Environment: "impl", RoleARN: "arn:aws:iam::000000000013:role/CustomRole"}:  "Test Team 2",
+	{ID: "account 22", Environment: "prod", RoleARN: "arn:aws:iam::000000000014:role/CustomRole"}: "Test Team 2",
 }
 
 func TestParseTeamMap(t *testing.T) {
@@ -33,11 +33,11 @@ func TestParseTeamMap(t *testing.T) {
 		t.Error("ERROR: didn't get expected error for duplicate account ID", err)
 	}
 
-	// Test invalid ARN override
+	// Test invalid ARN
 	_, err = ParseTeamMap("team_map_test_invalid_arn.json")
 	if err == nil {
-		t.Error("ERROR: expected error for invalid ARN override, but got nil")
-	} else if !strings.Contains(err.Error(), "invalid role ARN override for account") {
+		t.Error("ERROR: expected error for invalid ARN, but got nil")
+	} else if !strings.Contains(err.Error(), "invalid role ARN for account") {
 		t.Errorf("ERROR: unexpected error message for invalid ARN: %s", err)
 	}
 }

terraform/collector/main.tf

@@ -81,7 +81,7 @@ module "security_hub_collector_runner" {
   task_name      = "scheduled-collector"
   repo_arn       = "arn:aws:ecr:us-east-1:037370603820:repository/security-hub-collector"
   repo_url       = "037370603820.dkr.ecr.us-east-1.amazonaws.com/security-hub-collector"
-  repo_tag       = "latest"
+  repo_tag       = "36fbe72"
   ecs_vpc_id     = var.ecs_vpc_id
   ecs_subnet_ids = var.ecs_subnet_ids
   schedule_task_expression  = var.schedule_task_expression
@@ -94,15 +94,16 @@ module "security_hub_collector_runner" {
   assign_public_ip  = var.assign_public_ip
   role_path         = "/delegatedadmin/developer/"
   permissions_boundary = "arn:aws:iam::037370603820:policy/cms-cloud-admin/developer-boundary-policy"
-  scheduled_task_enabled = false
-  team_map = base64encode(jsonencode({
-    teams = [
-      {
-        accounts = [
-          { id = "116229642442", environment = "dev" }
-        ],
-        name = "My Team"
-      }
-    ]
-  }))
+  scheduled_task_enabled = true
+  team_map = base64encode(file("${path.module}/team_map.json"))
+  #team_map = base64encode(jsonencode({
+  #  teams = [
+  #    {
+  #      accounts = [
+  #        { id = "116229642442", environment = "dev", "roleArn": "arn:aws:iam::116229642442:role/security-hub-collector"}
+  #      ],
+  #      name = "My Team"
+  #    }
+  #  ]
+  #}))
 }