bug: fix issues with known after apply issues for s3 and lambda roles (#53)
marwinbaumannsbp authored Nov 11, 2024
1 parent d3f42f8 commit cfc69dd
Showing 4 changed files with 17 additions and 73 deletions.
7 changes: 1 addition & 6 deletions README.md
@@ -133,11 +133,9 @@ Since a lambda layer is used to provide the aws-lambda-powertools if you want to
|------|--------|---------|
| <a name="module_findings_manager_bucket"></a> [findings\_manager\_bucket](#module\_findings\_manager\_bucket) | schubergphilis/mcaf-s3/aws | ~> 0.14.1 |
| <a name="module_findings_manager_events_lambda"></a> [findings\_manager\_events\_lambda](#module\_findings\_manager\_events\_lambda) | schubergphilis/mcaf-lambda/aws | ~> 1.4.1 |
| <a name="module_findings_manager_lambda_iam_role"></a> [findings\_manager\_lambda\_iam\_role](#module\_findings\_manager\_lambda\_iam\_role) | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
| <a name="module_findings_manager_trigger_lambda"></a> [findings\_manager\_trigger\_lambda](#module\_findings\_manager\_trigger\_lambda) | schubergphilis/mcaf-lambda/aws | ~> 1.4.1 |
| <a name="module_jira_eventbridge_iam_role"></a> [jira\_eventbridge\_iam\_role](#module\_jira\_eventbridge\_iam\_role) | schubergphilis/mcaf-role/aws | ~> 0.3.2 |
| <a name="module_jira_lambda"></a> [jira\_lambda](#module\_jira\_lambda) | schubergphilis/mcaf-lambda/aws | ~> 1.4.1 |
| <a name="module_jira_lambda_iam_role"></a> [jira\_lambda\_iam\_role](#module\_jira\_lambda\_iam\_role) | schubergphilis/mcaf-role/aws | ~> 0.4.0 |
| <a name="module_jira_step_function_iam_role"></a> [jira\_step\_function\_iam\_role](#module\_jira\_step\_function\_iam\_role) | schubergphilis/mcaf-role/aws | ~> 0.3.2 |
| <a name="module_servicenow_integration"></a> [servicenow\_integration](#module\_servicenow\_integration) | ./modules/servicenow/ | n/a |
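Review bot: with both `~> 0.4.0` pins of `schubergphilis/mcaf-role/aws` removed from this table, the remaining `jira_eventbridge_iam_role` and `jira_step_function_iam_role` rows are now the only consumers of that module and still pin `~> 0.3.2`; if 0.4.x is what this repository has been validated against, align those two module blocks in a follow-up so the module is pulled at a single version. This table looks like terraform-docs output, so the fix belongs in the module blocks, not in the README itself.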

@@ -149,8 +147,6 @@ Since a lambda layer is used to provide the aws-lambda-powertools if you want to
| [aws_cloudwatch_event_target.findings_manager_events_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_event_target.jira_orchestrator](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
| [aws_cloudwatch_log_group.log_group_jira_orchestrator_sfn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_iam_role_policy_attachment.findings_manager_lambda_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_iam_role_policy_attachment.jira_lambda_iam_role_vpc_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_lambda_permission.eventbridge_invoke_findings_manager_events_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_lambda_permission.s3_invoke_findings_manager_trigger_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
| [aws_s3_bucket_notification.findings_manager_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
@@ -172,10 +168,9 @@ Since a lambda layer is used to provide the aws-lambda-powertools if you want to
| <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the resources | `string` | n/a | yes |
| <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name for the S3 bucket which will be created for storing the function's deployment package | `string` | n/a | yes |
| <a name="input_findings_manager_events_lambda"></a> [findings\_manager\_events\_lambda](#input\_findings\_manager\_events\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to EventBridge events | <pre>object({<br> name = optional(string, "securityhub-findings-manager-events")<br> log_level = optional(string, "INFO")<br> memory_size = optional(number, 256)<br> timeout = optional(number, 120)<br><br> security_group_egress_rules = optional(list(object({<br> cidr_ipv4 = optional(string)<br> cidr_ipv6 = optional(string)<br> description = string<br> from_port = optional(number, 0)<br> ip_protocol = optional(string, "-1")<br> prefix_list_id = optional(string)<br> referenced_security_group_id = optional(string)<br> to_port = optional(number, 0)<br> })), [])<br> })</pre> | `{}` | no |
| <a name="input_findings_manager_lambda_iam_role_name"></a> [findings\_manager\_lambda\_iam\_role\_name](#input\_findings\_manager\_lambda\_iam\_role\_name) | The name of the role which will be assumed by both Findings Manager Lambda functions | `string` | `"SecurityHubFindingsManagerLambda"` | no |
| <a name="input_findings_manager_trigger_lambda"></a> [findings\_manager\_trigger\_lambda](#input\_findings\_manager\_trigger\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to S3 file upload triggers | <pre>object({<br> name = optional(string, "securityhub-findings-manager-trigger")<br> log_level = optional(string, "INFO")<br> memory_size = optional(number, 256)<br> timeout = optional(number, 120)<br><br> security_group_egress_rules = optional(list(object({<br> cidr_ipv4 = optional(string)<br> cidr_ipv6 = optional(string)<br> description = string<br> from_port = optional(number, 0)<br> ip_protocol = optional(string, "-1")<br> prefix_list_id = optional(string)<br> referenced_security_group_id = optional(string)<br> to_port = optional(number, 0)<br> })), [])<br> })</pre> | `{}` | no |
| <a name="input_jira_eventbridge_iam_role_name"></a> [jira\_eventbridge\_iam\_role\_name](#input\_jira\_eventbridge\_iam\_role\_name) | The name of the role which will be assumed by EventBridge rules for Jira integration | `string` | `"SecurityHubFindingsManagerJiraEventBridge"` | no |
| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br> enabled = optional(bool, false)<br> autoclose_enabled = optional(bool, false)<br> autoclose_comment = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br> autoclose_transition_name = optional(string, "Close Issue")<br> credentials_secret_arn = string<br> exclude_account_ids = optional(list(string), [])<br> finding_severity_normalized_threshold = optional(number, 70)<br> issue_custom_fields = optional(map(string), {})<br> issue_type = optional(string, "Security Advisory")<br> project_key = string<br><br> security_group_egress_rules = optional(list(object({<br> cidr_ipv4 = optional(string)<br> cidr_ipv6 = optional(string)<br> description = string<br> from_port = optional(number, 0)<br> ip_protocol = optional(string, "-1")<br> prefix_list_id = optional(string)<br> referenced_security_group_id = optional(string)<br> to_port = optional(number, 0)<br> })), [])<br><br> lambda_settings = optional(object({<br> name = optional(string, "securityhub-findings-manager-jira")<br> iam_role_name = optional(string, "SecurityHubFindingsManagerJiraLambda")<br> log_level = optional(string, "INFO")<br> memory_size = optional(number, 256)<br> timeout = optional(number, 60)<br> }), {<br> name = "securityhub-findings-manager-jira"<br> iam_role_name = "SecurityHubFindingsManagerJiraLambda"<br> log_level = "INFO"<br> memory_size = 256<br> timeout = 60<br> security_group_egress_rules = []<br> })<br><br> step_function_settings = optional(object({<br> log_level = optional(string, "ERROR")<br> retention = optional(number, 90)<br> }), {<br> log_level = "ERROR"<br> retention = 90<br> })<br><br> })</pre> | <pre>{<br> "credentials_secret_arn": null,<br> "enabled": false,<br> "project_key": null<br>}</pre> | no |
| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br> enabled = optional(bool, false)<br> autoclose_enabled = optional(bool, false)<br> autoclose_comment = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br> autoclose_transition_name = optional(string, "Close Issue")<br> credentials_secret_arn = string<br> exclude_account_ids = optional(list(string), [])<br> finding_severity_normalized_threshold = optional(number, 70)<br> issue_custom_fields = optional(map(string), {})<br> issue_type = optional(string, "Security Advisory")<br> project_key = string<br><br> security_group_egress_rules = optional(list(object({<br> cidr_ipv4 = optional(string)<br> cidr_ipv6 = optional(string)<br> description = string<br> from_port = optional(number, 0)<br> ip_protocol = optional(string, "-1")<br> prefix_list_id = optional(string)<br> referenced_security_group_id = optional(string)<br> to_port = optional(number, 0)<br> })), [])<br><br> lambda_settings = optional(object({<br> name = optional(string, "securityhub-findings-manager-jira")<br> log_level = optional(string, "INFO")<br> memory_size = optional(number, 256)<br> timeout = optional(number, 60)<br> }), {<br> name = "securityhub-findings-manager-jira"<br> iam_role_name = "SecurityHubFindingsManagerJiraLambda"<br> log_level = "INFO"<br> memory_size = 256<br> timeout = 60<br> security_group_egress_rules = []<br> })<br><br> step_function_settings = optional(object({<br> log_level = optional(string, "ERROR")<br> retention = optional(number, 90)<br> }), {<br> log_level = "ERROR"<br> retention = 90<br> })<br><br> })</pre> | <pre>{<br> "credentials_secret_arn": null,<br> "enabled": false,<br> "project_key": null<br>}</pre> | no |
| <a name="input_jira_step_function_iam_role_name"></a> [jira\_step\_function\_iam\_role\_name](#input\_jira\_step\_function\_iam\_role\_name) | The name of the role which will be assumed by AWS Step Function for Jira integration | `string` | `"SecurityHubFindingsManagerJiraStepFunction"` | no |
| <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The version of Python to use for the Lambda functions | `string` | `"python3.12"` | no |
| <a name="input_rules_filepath"></a> [rules\_filepath](#input\_rules\_filepath) | Pathname to the file that stores the manager rules | `string` | `""` | no |
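Review bot: the new `jira_integration` row still shows `iam_role_name = "SecurityHubFindingsManagerJiraLambda"` and `security_group_egress_rules = []` inside the default object for `lambda_settings`, even though `iam_role_name` was just dropped from the declared attributes and `security_group_egress_rules` was never one of them. As far as I know Terraform silently discards attributes that an object type constraint does not declare, so this is harmless at runtime, but it documents a role-name knob that no longer does anything; trim the default to `name`, `log_level`, `memory_size` and `timeout` in variables.tf and regenerate the README. Removing `findings_manager_lambda_iam_role_name` and the nested `iam_role_name` also means the Lambda role names are no longer caller-controlled, which deserves a line in the changelog.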
37 changes: 8 additions & 29 deletions findings_manager.tf
@@ -3,19 +3,6 @@ locals {
workflow_status_filter = var.jira_integration.autoclose_enabled ? ["NEW", "NOTIFIED", "RESOLVED"] : ["NEW", "NOTIFIED"]
}

# IAM role to be assumed by Lambda function
module "findings_manager_lambda_iam_role" {
source = "schubergphilis/mcaf-role/aws"
version = "~> 0.4.0"

name = var.findings_manager_lambda_iam_role_name
create_policy = true
principal_identifiers = ["lambda.amazonaws.com"]
principal_type = "Service"
role_policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json
tags = var.tags
}

data "aws_iam_policy_document" "findings_manager_lambda_iam_role" {
statement {
sid = "TrustEventsToStoreLogEvent"
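Review bot: removing `module "findings_manager_lambda_iam_role"` is a breaking change that the commit message does not mention: the role named by `var.findings_manager_lambda_iam_role_name` (default `SecurityHubFindingsManagerLambda`), which both Findings Manager functions assumed, will be destroyed on the next apply and each function instead gets a fresh role created inside `mcaf-lambda` under a name the caller no longer controls. Anything that grants access by that role's ARN or name, for example a customer-managed key policy for the `kms_key_arn` the functions are given, has to be updated to the new principals alongside this upgrade, so please call that out in the changelog and treat it as a major version bump. Minor: the data source keeps the `findings_manager_lambda_iam_role` name although no such role exists any more; `findings_manager_lambda` would match the new wiring.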
@@ -68,14 +55,6 @@ data "aws_iam_policy_document" "findings_manager_lambda_iam_role" {
}
}

# Lambda VPC Execution role policy attachment
resource "aws_iam_role_policy_attachment" "findings_manager_lambda_iam_role" {
count = var.subnet_ids != null ? 1 : 0

role = module.findings_manager_lambda_iam_role.id
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Push the Lambda code zip deployment package to s3
resource "aws_s3_object" "findings_manager_lambdas_deployment_package" {
bucket = module.findings_manager_bucket.id
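Review bot: dropping `aws_iam_role_policy_attachment.findings_manager_lambda_iam_role` removes the only visible grant of `AWSLambdaVPCAccessExecutionRole`, which the functions need to create and delete ENIs whenever `var.subnet_ids` is set; please confirm that `schubergphilis/mcaf-lambda/aws` `~> 1.4.1` attaches that managed policy (or equivalent `ec2:CreateNetworkInterface`, `ec2:DescribeNetworkInterfaces` and `ec2:DeleteNetworkInterface` statements) to the role it creates when `subnet_ids` is non-null, otherwise function creation fails in VPC mode. If it does not, the old `count = var.subnet_ids != null ? 1 : 0` guard can move into the policy document as a conditional `dynamic "statement"`.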
@@ -97,21 +76,21 @@ module "findings_manager_events_lambda" {
version = "~> 1.4.1"

name = var.findings_manager_events_lambda.name
create_policy = false
create_policy = true
create_s3_dummy_object = false
description = "Lambda to manage Security Hub findings in response to an EventBridge event"
handler = "securityhub_events.lambda_handler"
kms_key_arn = var.kms_key_arn
layers = ["arn:aws:lambda:${data.aws_region.current.name}:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
log_retention = 365
memory_size = var.findings_manager_events_lambda.memory_size
role_arn = module.findings_manager_lambda_iam_role.arn
policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json
runtime = var.lambda_runtime
s3_bucket = module.findings_manager_bucket.name
s3_bucket = var.s3_bucket_name
s3_key = aws_s3_object.findings_manager_lambdas_deployment_package.key
s3_object_version = aws_s3_object.findings_manager_lambdas_deployment_package.version_id
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
security_group_egress_rules = var.findings_manager_events_lambda.security_group_egress_rules
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
subnet_ids = var.subnet_ids
tags = var.tags
timeout = var.findings_manager_events_lambda.timeout
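Review bot: `s3_bucket = var.s3_bucket_name` fixes the plan-time unknown, because the variable is known up front whereas `module.findings_manager_bucket.name` is only known once the bucket exists, but it quietly assumes the bucket module creates the bucket under exactly that name; `aws_s3_object.findings_manager_lambdas_deployment_package` still uploads to `module.findings_manager_bucket.id`, so if `mcaf-s3` ever prefixes or otherwise rewrites the name the function would point at a bucket that holds no package. Ordering remains safe, since `s3_key` and `s3_object_version` reference the object resource and therefore the bucket transitively. Worth noting in the README `s3_bucket_name` description that the value is used verbatim as the bucket name.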
@@ -178,21 +157,21 @@ module "findings_manager_trigger_lambda" {
version = "~> 1.4.1"

name = var.findings_manager_trigger_lambda.name
create_policy = false
create_policy = true
create_s3_dummy_object = false
description = "Lambda to manage Security Hub findings in response to S3 rules file uploads"
handler = "securityhub_trigger.lambda_handler"
kms_key_arn = var.kms_key_arn
layers = ["arn:aws:lambda:${data.aws_region.current.name}:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
log_retention = 365
memory_size = var.findings_manager_trigger_lambda.memory_size
role_arn = module.findings_manager_lambda_iam_role.arn
policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json
runtime = var.lambda_runtime
s3_bucket = module.findings_manager_bucket.name
s3_bucket = var.s3_bucket_name
s3_key = aws_s3_object.findings_manager_lambdas_deployment_package.key
s3_object_version = aws_s3_object.findings_manager_lambdas_deployment_package.version_id
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
security_group_egress_rules = var.findings_manager_trigger_lambda.security_group_egress_rules
source_code_hash = aws_s3_object.findings_manager_lambdas_deployment_package.checksum_sha256
subnet_ids = var.subnet_ids
tags = var.tags
timeout = var.findings_manager_trigger_lambda.timeout
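Review bot: with `create_policy = true` and `policy = data.aws_iam_policy_document.findings_manager_lambda_iam_role.json`, the trigger function now gets its own role, but it receives exactly the same policy document as the events function, so the two roles are separate in name only. Since the roles are being split anyway, this is the moment to split the document too: the trigger function reacts to rules-file uploads in S3 (per its description in this hunk), while the events function reacts to EventBridge events and presumably never needs to read that object; giving each role only its own statements is what separate roles buy you. Not blocking, as the combined grant matches what the shared role allowed before.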
31 changes: 4 additions & 27 deletions jira_lambda.tf
@@ -1,18 +1,3 @@
# IAM role to be assumed by Lambda Function
module "jira_lambda_iam_role" {
count = var.jira_integration.enabled ? 1 : 0

source = "schubergphilis/mcaf-role/aws"
version = "~> 0.4.0"

name = var.jira_integration.lambda_settings.iam_role_name
create_policy = true
principal_identifiers = ["lambda.amazonaws.com"]
principal_type = "Service"
role_policy = data.aws_iam_policy_document.jira_lambda_iam_role[0].json
tags = var.tags
}

data "aws_iam_policy_document" "jira_lambda_iam_role" {
count = var.jira_integration.enabled ? 1 : 0
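Review bot: removing `module "jira_lambda_iam_role"` drops the only use of `var.jira_integration.lambda_settings.iam_role_name`, and callers who still set it will not be told: as far as I know Terraform discards attributes that an object type constraint does not declare rather than erroring, so a stale `iam_role_name` in a caller's `jira_integration` block is silently ignored while the role is recreated under a module-chosen name. A `validation` block cannot see undeclared attributes either, so the changelog and README are the only places to surface this; please add a migration note there.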

@@ -69,14 +54,6 @@ data "aws_iam_policy_document" "jira_lambda_iam_role" {
}
}

# Lambda VPC Execution role policy attachment
resource "aws_iam_role_policy_attachment" "jira_lambda_iam_role_vpc_policy_attachment" {
count = var.jira_integration.enabled && var.subnet_ids != null ? 1 : 0

role = module.jira_lambda_iam_role[0].id
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

# Upload the zip archive to S3
resource "aws_s3_object" "jira_lambda_deployment_package" {
count = var.jira_integration.enabled ? 1 : 0
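Review bot: same concern as in findings_manager.tf: `jira_lambda_iam_role_vpc_policy_attachment` was the only visible attachment of `AWSLambdaVPCAccessExecutionRole` for the Jira function, guarded by `var.jira_integration.enabled && var.subnet_ids != null`; `mcaf-lambda` must reproduce that grant when `subnet_ids` is set, or a function that is placed in the VPC to reach Jira through `var.jira_integration.security_group_egress_rules` will fail to create its ENIs. A `terraform plan` with `subnet_ids` set, plus a look at the attached policies on the generated role, would settle it before merging.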
@@ -98,21 +75,21 @@ module "jira_lambda" {
version = "~> 1.4.1"

name = var.jira_integration.lambda_settings.name
create_policy = false
create_policy = true
create_s3_dummy_object = false
description = "Lambda to create jira ticket and set the Security Hub workflow status to notified"
handler = "findings_manager_jira.lambda_handler"
kms_key_arn = var.kms_key_arn
layers = ["arn:aws:lambda:${data.aws_region.current.name}:017000801446:layer:AWSLambdaPowertoolsPythonV2:79"]
log_retention = 365
memory_size = var.jira_integration.lambda_settings.memory_size
role_arn = module.jira_lambda_iam_role[0].arn
policy = data.aws_iam_policy_document.jira_lambda_iam_role[0].json
runtime = var.lambda_runtime
s3_bucket = module.findings_manager_bucket.name
s3_bucket = var.s3_bucket_name
s3_key = aws_s3_object.jira_lambda_deployment_package[0].key
s3_object_version = aws_s3_object.jira_lambda_deployment_package[0].version_id
source_code_hash = aws_s3_object.jira_lambda_deployment_package[0].checksum_sha256
security_group_egress_rules = var.jira_integration.security_group_egress_rules
source_code_hash = aws_s3_object.jira_lambda_deployment_package[0].checksum_sha256
subnet_ids = var.subnet_ids
tags = var.tags
timeout = var.jira_integration.lambda_settings.timeout
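Review bot: `kms_key_arn = var.kms_key_arn` is unchanged, but the principal that uses it is not: `create_policy = true` replaces `module.jira_lambda_iam_role[0].arn` with a role created inside `mcaf-lambda`, so a customer-managed key whose key policy lists the old `SecurityHubFindingsManagerJiraLambda` role by ARN will stop granting decrypt to the Jira function for whatever the module encrypts with that key after the rename. Grant by the new role's ARN as exported by the module rather than by a hard-coded role name, and document that in the upgrade notes. As with the other two functions, `s3_bucket = var.s3_bucket_name` only stays correct while the bucket module creates the bucket under that exact name; the `aws_s3_object.jira_lambda_deployment_package[0]` references keep the dependency ordering intact.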