Clean up

README.md

@@ -28,8 +28,8 @@ To run the Docker image locally for testing, do the following:
    [url "https://<username>:<personal access token>@github.com/Enterprise-CMCS/"]
 	  insteadOf = https://github.com/Enterprise-CMCS/
    ```
-2. set AWS creds in the environment (`AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN`)
-3. `docker build . -t local-collector-test`
+2. `docker build . -t local-collector-test`
+3. set AWS creds in the environment (`AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID, AWS_SESSION_TOKEN`)
 4. run the image:
    - using an Athena table
    ```bash
@@ -39,17 +39,17 @@ To run the Docker image locally for testing, do the following:
    -e QUERY_OUTPUT_LOCATION=s3://cms-macbis-cost-analysis/professor-mac/teams-query/ \
    -e COLLECTOR_ROLE_ARN=arn:aws:iam::037370603820:role/delegatedadmin/developer/security-hub-collector \
    -e AWS_REGION=us-east-1 \
-   -e S3_BUCKET=bharvey-test-distro \
+   -e S3_BUCKET=my-bucket \
    local-collector-test
    ```
    - using a team map
    ```bash
-   export TEAM_MAP=$(cat ./terraform/collector/team_map.json)
+   export BASE64_TEAM_MAP=$(cat team_map.json | base64)
    docker run \
    -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e AWS_ACCESS_KEY_ID \
-   -e TEAM_MAP \
+   -e BASE64_TEAM_MAP \
    -e AWS_REGION=us-east-1 \
-   -e S3_BUCKET=bharvey-test-distro \
+   -e S3_BUCKET=my-bucket \
    local-collector-test
    ```
 

main.go

@@ -29,7 +29,7 @@ type Options struct {
 	SecurityHubRegions  []string `short:"r" long:"sechub-regions" required:"false" default:"us-east-1" default:"us-west-2" description:"AWS regions to use for Security Hub findings."`
 	S3Bucket            string   `short:"b" long:"s3-bucket" required:"false" env:"S3_BUCKET" description:"S3 bucket to use to upload results. Optional, if not provided, results will not be uploaded to S3."`
 	S3Key               string   `short:"k" long:"s3-key" required:"false" env:"S3_KEY" description:"S3 bucket key, or path, to use to upload results."`
-	TeamMap             string   `short:"m" long:"team-map" required:"false" env:"TEAM_MAP" description:"JSON encoded string containing team to account mappings."`
+	Base64TeamMap       string   `short:"m" long:"team-map" required:"false" env:"BASE64_TEAM_MAP" description:"Base64 encoded JSON containing team to account mappings."`
 	TeamsTable          string   `short:"t" long:"teams-table" required:"false" env:"ATHENA_TEAMS_TABLE" description:"Athena table containing team to account mappings"`
 	QueryOutputLocation string   `long:"query-output" required:"false" env:"QUERY_OUTPUT_LOCATION" description:"S3 location for Athena query output"`
 	CollectorRoleARN    string   `long:"role-path" required:"false" env:"COLLECTOR_ROLE_ARN" description:"ARN of the AWS IAM role that allows the Collector to access Security Hub"`
@@ -92,10 +92,10 @@ func writeFindingsToS3() error {
 // depending on the definitions in the team map and the CLI options.
 func collectFindings(secHubRegions []string) error {
 	// Check which source to use for team data and validate required fields
-	if options.TeamMap == "" && options.TeamsTable == "" {
+	if options.Base64TeamMap == "" && options.TeamsTable == "" {
 		return fmt.Errorf("either team map file and Athena teams must be specified")
 	}
-	if options.TeamMap != "" && options.TeamsTable != "" {
+	if options.Base64TeamMap != "" && options.TeamsTable != "" {
 		return fmt.Errorf("both team map file and Athena teams table specified; please use only one source of team map data")
 	}
 	if options.TeamsTable != "" && (options.CollectorRoleARN == "" || options.QueryOutputLocation == "") {
@@ -125,8 +125,8 @@ func collectFindings(secHubRegions []string) error {
 	var accountsToTeams map[teams.Account]string
 
 	// either get the map from the team map file or from Athena, depending on the specified CLI flags
-	if options.TeamMap != "" {
-		accountsToTeams, err = teams.ParseTeamMap(options.TeamMap)
+	if options.Base64TeamMap != "" {
+		accountsToTeams, err = teams.ParseTeamMap(options.Base64TeamMap)
 		if err != nil {
 			log.Fatalf("could not parse team map file: %v", err)
 		}

pkg/teams/teams.go

@@ -1,10 +1,11 @@
 package teams
 
 import (
+	"bytes"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"slices"
-	"strings"
 
 	"github.com/Enterprise-CMCS/mac-fc-macbis-cost-analysis/pkg/athenalib"
 	"github.com/aws/aws-sdk-go/aws/arn"
@@ -55,13 +56,17 @@ type Account struct {
 }
 
 // ParseTeamMap takes a JSON encoded string and returns a Go map of Accounts to team names
-func ParseTeamMap(jsonStr string) (accountsToTeams map[Account]string, err error) {
+func ParseTeamMap(base64Str string) (accountsToTeams map[Account]string, err error) {
 	var teams Teams
-	decoder := json.NewDecoder(strings.NewReader(jsonStr))
+	b, err := base64.URLEncoding.DecodeString(base64Str)
+	if err != nil {
+		return nil, fmt.Errorf("error base64 decoding team map: %s", err)
+	}
+	decoder := json.NewDecoder(bytes.NewReader(b))
 	decoder.DisallowUnknownFields()
 	err = decoder.Decode(&teams)
 	if err != nil {
-		return nil, fmt.Errorf("error decoding team map: %s", err)
+		return nil, fmt.Errorf("error JSON decoding team map: %s", err)
 	}
 
 	accountsToTeams, err = teams.accountsToTeamNames()

terraform/collector/main.tf

@@ -155,7 +155,7 @@ resource "aws_ecs_cluster" "security_hub_collector_runner" {
 
 ########## Use the securityhub collector runner module ##########
 module "security_hub_collector_runner" {
-  source      = "github.com/CMSgov/security-hub-collector-ecs-runner?ref=795330487905a32ae3bc9420c40abdd745fff327"
+  source                    = "github.com/CMSgov/security-hub-collector-ecs-runner?ref=06fde49a2291cfc292774799bcb89c536e17e1e7"
   app_name                  = "security-hub"
   environment               = "dev"
   task_name                 = "scheduled-collector"
@@ -173,6 +173,6 @@ module "security_hub_collector_runner" {
   assign_public_ip          = var.assign_public_ip
   role_path                 = "/delegatedadmin/developer/"
   permissions_boundary      = "arn:aws:iam::037370603820:policy/cms-cloud-admin/developer-boundary-policy"
-  team_map                  = base64encode(file("${path.module}/team_map.json"))
+  team_config               = { athena : { teams_table : "athenacurcfn_cms_cloud_cur_monthly.teams", collector_role_arn : "arn:aws:iam::037370603820:role/delegatedadmin/developer/security-hub-collector", query_output_location : "s3://cms-macbis-cost-analysis/professor-mac/teams-query/" } }
   scheduled_task_state      = "ENABLED" #Set to DISABLED to stop scheduled execution
 }