use role path

Enterprise-CMCS · Dec 19, 2024 · c6515a4 · c6515a4
1 parent d430fde
commit c6515a4
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -37,7 +37,7 @@ To run the Docker image locally for testing, do the following:
    -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
    -e ATHENA_TEAMS_TABLE=athenacurcfn_cms_cloud_cur_monthly.teams \
    -e QUERY_OUTPUT_LOCATION=s3://cms-macbis-cost-analysis/professor-mac/teams-query/ \
-   -e COLLECTOR_ROLE_ARN=arn:aws:iam::037370603820:role/delegatedadmin/developer/security-hub-collector \
+   -e COLLECTOR_ROLE_PATH=delegatedadmin/developer/security-hub-collector \
    -e AWS_REGION=us-east-1 \
    -e S3_BUCKET=my-bucket \
    local-collector-test

diff --git a/main.go b/main.go
@@ -32,7 +32,7 @@ type Options struct {
 	Base64TeamMap       string   `short:"m" long:"team-map" required:"false" env:"BASE64_TEAM_MAP" description:"Base64 encoded JSON containing team to account mappings."`
 	TeamsTable          string   `short:"t" long:"teams-table" required:"false" env:"ATHENA_TEAMS_TABLE" description:"Athena table containing team to account mappings"`
 	QueryOutputLocation string   `long:"query-output" required:"false" env:"QUERY_OUTPUT_LOCATION" description:"S3 location for Athena query output"`
-	CollectorRoleARN    string   `long:"role-path" required:"false" env:"COLLECTOR_ROLE_ARN" description:"ARN of the AWS IAM role that allows the Collector to access Security Hub"`
+	CollectorRolePath   string   `long:"role-path" required:"false" env:"COLLECTOR_ROLE_PATH" description:"Path of the AWS IAM cross-account role that allows the Collector to access Security Hub"`
 }
 
 var options Options
@@ -98,8 +98,8 @@ func collectFindings(secHubRegions []string) error {
 	if options.Base64TeamMap != "" && options.TeamsTable != "" {
 		return fmt.Errorf("both team map file and Athena teams table specified; please use only one source of team map data")
 	}
-	if options.TeamsTable != "" && (options.CollectorRoleARN == "" || options.QueryOutputLocation == "") {
-		return fmt.Errorf("collector role ARN and query output location are required when using Athena teams table")
+	if options.TeamsTable != "" && (options.CollectorRolePath == "" || options.QueryOutputLocation == "") {
+		return fmt.Errorf("collector role path and query output location are required when using Athena teams table")
 	}
 
 	h := securityhubcollector.HubCollector{}
@@ -131,7 +131,7 @@ func collectFindings(secHubRegions []string) error {
 			log.Fatalf("could not parse team map file: %v", err)
 		}
 	} else {
-		accountsToTeams, err = teams.GetTeamsFromAthena(sess, options.TeamsTable, options.QueryOutputLocation, options.CollectorRoleARN)
+		accountsToTeams, err = teams.GetTeamsFromAthena(sess, options.TeamsTable, options.QueryOutputLocation, options.CollectorRolePath)
 		if err != nil {
 			log.Fatalf("could not load teams from Athena: %v", err)
 		}

diff --git a/pkg/teams/teams.go b/pkg/teams/teams.go
@@ -78,7 +78,7 @@ func ParseTeamMap(base64Str string) (accountsToTeams map[Account]string, err err
 }
 
 // GetTeamsFromAthena loads a map of Accounts to team names from an Athena table
-func GetTeamsFromAthena(sess *session.Session, teamsTable, queryOutputLocation, roleARN string) (map[Account]string, error) {
+func GetTeamsFromAthena(sess *session.Session, teamsTable, queryOutputLocation, rolePath string) (map[Account]string, error) {
 	accounts, err := athenalib.LoadTeams(sess, teamsTable, queryOutputLocation)
 	if err != nil {
 		return nil, fmt.Errorf("failed to load teams from Athena: %w", err)
@@ -107,7 +107,7 @@ func GetTeamsFromAthena(sess *session.Session, teamsTable, queryOutputLocation,
 		account := Account{
 			ID:          acct.AWSAccountID,
 			Environment: acct.Alias, // Use the alias as the environment value for compatibility with existing QuickSight dashboard
-			RoleARN:     roleARN,
+			RoleARN:     fmt.Sprintf("arn:aws:iam::%s:role/%s", acct.AWSAccountID, rolePath),
 		}
 
 		accountsToTeams[account] = acct.Team

diff --git a/terraform/collector/main.tf b/terraform/collector/main.tf
@@ -155,7 +155,7 @@ resource "aws_ecs_cluster" "security_hub_collector_runner" {
 
 ########## Use the securityhub collector runner module ##########
 module "security_hub_collector_runner" {
-  source                    = "github.com/CMSgov/security-hub-collector-ecs-runner?ref=06fde49a2291cfc292774799bcb89c536e17e1e7"
+  source                    = "github.com/CMSgov/security-hub-collector-ecs-runner?ref=9baaaa265e2cbc53028325752318654b0f96db93"
   app_name                  = "security-hub"
   environment               = "dev"
   task_name                 = "scheduled-collector"
@@ -167,12 +167,10 @@ module "security_hub_collector_runner" {
   schedule_task_expression  = var.schedule_task_expression
   logs_cloudwatch_group_arn = aws_cloudwatch_log_group.aws-scanner-inspec.arn
   ecs_cluster_arn           = aws_ecs_cluster.security_hub_collector_runner.arn
-  output_path               = var.output_path //optional
   s3_results_bucket         = var.security_hub_collector_results_bucket_name
-  s3_key                    = var.s3_key //optional
   assign_public_ip          = var.assign_public_ip
   role_path                 = "/delegatedadmin/developer/"
   permissions_boundary      = "arn:aws:iam::037370603820:policy/cms-cloud-admin/developer-boundary-policy"
-  team_config               = { athena : { teams_table : "athenacurcfn_cms_cloud_cur_monthly.teams", collector_role_arn : "arn:aws:iam::037370603820:role/delegatedadmin/developer/security-hub-collector", query_output_location : "s3://cms-macbis-cost-analysis/professor-mac/teams-query/" } }
+  team_config               = { athena : { teams_table : "athenacurcfn_cms_cloud_cur_monthly.teams", collector_role_path : "arn:aws:iam::037370603820:role/delegatedadmin/developer/security-hub-collector", query_output_location : "s3://cms-macbis-cost-analysis/professor-mac/teams-query" } }
   scheduled_task_state      = "ENABLED" #Set to DISABLED to stop scheduled execution
 }
diff --git a/terraform/collector/terraform.tfvars b/terraform/collector/terraform.tfvars
@@ -1,9 +1,7 @@
 ecs_vpc_id                                 = "vpc-07f4de56f6970729d"
 ecs_subnet_ids                             = ["subnet-06bbdc0b680091dd1", "subnet-02d08271e8ac413b0"]
 security_hub_collector_results_bucket_name = "securityhub-collector-results-037370603820s"
-schedule_task_expression                   = "cron(30 11 ? * 2,4,6 *)"
-output_path                                = ""
-s3_key                                     = ""
+schedule_task_expression                   = "cron(42 * ? * * *)"
 aws_cloudwatch_log_group_name              = "security_hub_collector"
 assign_public_ip                           = true
-repo_tag                                   = "92dc46c"
+repo_tag                                   = "d430fde"
diff --git a/terraform/collector/variables.tf b/terraform/collector/variables.tf
@@ -18,16 +18,6 @@ variable "schedule_task_expression" {
   type        = string
 }
 
-variable "output_path" {
-  description = "The path where output files will be saved"
-  type        = string
-}
-
-variable "s3_key" {
-  description = "The S3 key (path) where files will be stored in the S3 bucket"
-  type        = string
-}
-
 variable "aws_cloudwatch_log_group_name" {
   description = "The name of the CloudWatch log group where ECS task logs will be sent"
   type        = string