Merge pull request #56 from 1Password/amanda/events-api-lambda

moving the golang lamba here

Author: accraw

reporting/beta/golang-lambda-deployment/README.md

@@ -0,0 +1,81 @@
+# 1Password Events API Base Golang Lambda Script
+
+This folder contains the necessary components for getting starting piping events from the 1Password Event API into Cloudwatch Logs using a Lambda. If you like the region and the names of variables, you can use the AWS UI to create a few things and then upload bootstrap.zip as is.
+
+If you need to make changes to the region or other parts of the script, you will need to recompile the script. See "[Build From Code](#build-from-code)" for guidance on recompiling. 
+
+## Resources
+
+[Events API Documentation](https://developer.1password.com/docs/events-api/)
+
+## Using as-is
+
+1. Setup the Events Reporting integration in 1Password using [these instructions](https://support.1password.com/events-reporting/#step-1-set-up-an-events-reporting-integration) and selecting `Other`. The only event types in the current script are Sign-In events.
+2. Log into the us-east-1 region in AWS and create the following:
+   - In AWS Secrets Manager, create a secret called `op-events-api-token`
+     - Secret Type: Other type of secret
+     - Key/value pairs: Plaintext -> paste in the bearer token
+     - Everything else can be left as default
+   - In AWS Systems Manager -> Parameter Store, create a secret called `op-events-api-cursor`
+     - Tier: Standard
+     - Type: String
+     - Data Type: text
+     - Value: first_run
+   - In AWS CloudWatch, create a log group called `op-events-api-signins`, leaving everything else as default. Add a log stream to this log group call `op-events-api-signins-stream`
+   - In AWS Lambda, create a new function called `op-events-api-signins-lambda`
+     - Runtime: Amazon Linux 2
+     - Architecture: arm64
+     - Create a new role with basic Lambda permissions
+3. After the lambda is created, go to AWS IAM -> Roles and click on `op-events-api-signins-lambda-role-#####` (###### just represents some random characters) and edit the json under the policy `AWSLambdaBasicExecutionRole-#####` to be:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogGroup",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "ssm:GetParameter",
+        "ssm:PutParameter"
+      ],
+      "Resource": "arn:aws:logs:us-east-1:<account>:*"
+    },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "logs:CreateLogStream",
+        "logs:PutLogEvents",
+        "secretsmanager:DescribeSecret",
+        "secretsmanager:GetSecretValue",
+        "ssm:GetParameter",
+        "ssm:PutParameter"
+      ],
+      "Resource": [
+        "arn:aws:logs:us-east-1:<account>:log-group:/aws/lambda/op-events-api-signins-lambda:*"
+      ]
+    }
+  ]
+}
+```
+
+and then Add permissions -> attach policies, then add the policies `AmazonSSMFullAccess` and `SecretsManagerReadWrite`  
+4. Return to the lambda function and on the right, select Upload from -> zip file and then navigate to and find bootstrap.zip from this folder.  
+5. Navigate to test and then click the orange `Test` button, and you should get a success, and when you check the cloudwatch group and stream, there should be a new entry.  
+6. Add a trigger for how frequently you would like this to run. For example, EventBridge, new rule with expression `rate(10 minutes)`
+
+## Notes
+
+- This is very much still in beta and has not been tested extensively
+- This is not optimized yet - it's a first pass to get it working, there are definitely smarter ways to do this
+- This starts with the last 24 hours of data, and does not currently load any events before then
+
+
+## Build from code
+If you need to make changes to the script to fit your environment or specifications, you will need to recompile the script. Once you've made your changes, use the following command to compile. Once compiled, you may follow the [deployment directions](#using-as-is), using the newly-compiled boostrap.zip. 
+
+```bash
+GOOS=linux GOARCH=arm64 go build -tags lambda.norpc -o bootstrap main.go && zip bootstrap.zip bootstrap
+```

reporting/beta/golang-lambda-deployment/bootstrap

@@ -0,0 +1,30 @@
+module amanda-lambda
+
+go 1.21.6
+
+require (
+	github.com/aws/aws-lambda-go v1.46.0
+	github.com/aws/aws-sdk-go-v2 v1.24.1
+	github.com/aws/aws-sdk-go-v2/config v1.26.6
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.2
+)
+
+require (
+	github.com/aws/aws-sdk-go v1.50.15 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.16 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.32.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+)

reporting/beta/golang-lambda-deployment/bootstrap.zip

@@ -0,0 +1,55 @@
+github.com/aws/aws-lambda-go v1.46.0 h1:UWVnvh2h2gecOlFhHQfIPQcD8pL/f7pVCutmFl+oXU8=
+github.com/aws/aws-lambda-go v1.46.0/go.mod h1:dpMpZgvWx5vuQJfBt0zqBha60q7Dd7RfgJv23DymV8A=
+github.com/aws/aws-sdk-go v1.50.15 h1:wEMnPfEQQFaoIJwuO18zq/vtG4Ft7NxQ3r9xlEi/8zg=
+github.com/aws/aws-sdk-go v1.50.15/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
+github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
+github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 h1:OCs21ST2LrepDfD3lwlQiOqIGp6JiEUqG84GzTDoyJs=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4/go.mod h1:usURWEKSNNAcAZuzRn/9ZYPT8aZQkR7xcCtunK/LkJo=
+github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
+github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
+github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.32.0 h1:VdKYfVPIDzmfSQk5gOQ5uueKiuKMkJuB/KOXmQ9Ytag=
+github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs v1.32.0/go.mod h1:jZNaJEtn9TLi3pfxycLz79HVkKxP8ZdYm92iaNFgBsA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.2 h1:A5sGOT/mukuU+4At1vkSIWAN8tPwPCoYZBp7aruR540=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.26.2/go.mod h1:qutL00aW8GSo2D0I6UEOqMvRS3ZyuBrOC1BLe5D2jPc=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 h1:a8HvP/+ew3tKwSXqL3BCSjiuicr+XTU2eFYeogV9GJE=
+github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7/go.mod h1:Q7XIWsMo0JcMpI/6TGD6XXcXcV1DbTj6e9BKNntIMIM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
+github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
+github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
+github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.7.2 h1:4jaiDzPyXQvSd7D0EjG45355tLlV3VOECpq10pLC+8s=
+github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

reporting/beta/golang-lambda-deployment/go.mod

@@ -0,0 +1,215 @@
+package main
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"time"
+
+	"context"
+
+	"github.com/aws/aws-lambda-go/lambda"
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
+	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
+	"github.com/aws/aws-sdk-go-v2/service/secretsmanager"
+	"github.com/aws/aws-sdk-go-v2/service/ssm"
+)
+
+type Signins struct {
+	Cursor   string `json:"cursor"`
+	Has_more bool   `json:"has_more"`
+	Items    []Item `json:"items"`
+}
+
+type TargetUser struct {
+	UUID  string `json:"uuid"`
+	Name  string `json:"name"`
+	Email string `json:"email"`
+}
+
+type Client struct {
+	AppName         string `json:"app_name"`
+	AppVersion      string `json:"app_version"`
+	PlatformName    string `json:"platform_name"`
+	PlatformVersion string `json:"platform_version"`
+	OSName          string `json:"os_name"`
+	OSVersion       string `json:"os_version"`
+	IPAddress       string `json:"ip_address"`
+}
+
+type Location struct {
+	Country   string  `json:"country"`
+	Region    string  `json:"region"`
+	City      string  `json:"city"`
+	Latitude  float64 `json:"latitude"`
+	Longitude float64 `json:"longitude"`
+}
+
+type Item struct {
+	UUID        string     `json:"uuid"`
+	SessionUUID string     `json:"session_uuid"`
+	Timestamp   time.Time  `json:"timestamp"`
+	Country     string     `json:"country"`
+	Category    string     `json:"category"`
+	Type        string     `json:"type"`
+	Details     string     `json:"details"`
+	TargetUser  TargetUser `json:"target_user"`
+	Client      Client     `json:"client"`
+	Location    Location   `json:"location"`
+}
+
+var (
+	eventAPIurl        string = "https://events.1password.com"
+	region             string = "us-east-1"
+	secretName         string = "op-events-api-token"
+	parameterName      string = "op-events-api-cursor"
+	cloudwatchLogGroup string = "op-events-api-signins"
+	cloudwatchStream   string = "op-events-api-signins-stream"
+)
+
+func main() {
+	lambda.Start(getSignInEvents)
+}
+
+// Retrieves data from the sign-in events endpoint. 
+// Depending on your implementation you may want to create functions for each of the three endpoints, 
+// or refactor this function to accept an endpoint and any other required properties, calling it once for each of the three endpoints. 
+func getSignInEvents() {
+	api_token := loadToken()
+	start_time := time.Now().AddDate(0, 0, -1)
+
+	currCursor := getCursor()
+
+	var payload []byte
+	if currCursor == "first_run" || currCursor == "" {
+		payload = []byte(fmt.Sprintf(`{
+			"limit": 1000,
+			"start_time": "%s"
+		}`, start_time.Format(time.RFC3339)))
+	} else {
+		payload = []byte(fmt.Sprintf(`{
+			"cursor": "%s"
+		}`, currCursor))
+	}
+
+	client := &http.Client{}
+
+	signinsRequest, _ := http.NewRequest("POST", fmt.Sprintf("%s/api/v1/signinattempts", eventAPIurl), bytes.NewBuffer(payload))
+	signinsRequest.Header.Set("Content-Type", "application/json")
+	signinsRequest.Header.Set("Authorization", "Bearer "+api_token)
+	signinsResponse, signinsError := client.Do(signinsRequest)
+	if signinsError != nil {
+		panic(signinsError)
+	}
+	defer signinsResponse.Body.Close()
+	signinsBody, _ := io.ReadAll(signinsResponse.Body)
+
+	var results Signins
+	json.Unmarshal(signinsBody, &results)
+
+	if len(results.Items) != 0 {
+		writeLogs(results.Items)
+		setCursor(results.Cursor)
+	}
+
+	if results.Has_more {
+		getSignInEvents()
+	}
+}
+
+func loadConfig() aws.Config {
+	config, err := config.LoadDefaultConfig(context.TODO(), config.WithRegion(region))
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	return config
+}
+
+func loadToken() string {
+	// Create Secrets Manager client
+	svc := secretsmanager.NewFromConfig(loadConfig())
+
+	input := &secretsmanager.GetSecretValueInput{
+		SecretId:     aws.String(secretName),
+		VersionStage: aws.String("AWSCURRENT"), // VersionStage defaults to AWSCURRENT if unspecified
+	}
+
+	result, err := svc.GetSecretValue(context.TODO(), input)
+	if err != nil {
+		// For a list of exceptions thrown, see
+		// https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
+		log.Fatal(err.Error())
+	}
+
+	// Decrypts secret using the associated KMS key.
+	return *result.SecretString
+
+}
+
+// Get API cursor from ParameterStore. Could be refactored to take an endpoint as 
+// an argument and fetch the corresponding cursor.
+func getCursor() string {
+	paramInput := ssm.GetParameterInput{
+		Name: aws.String(parameterName),
+	}
+	paramStore := ssm.NewFromConfig(loadConfig())
+	output, err := paramStore.GetParameter(context.TODO(), &paramInput)
+	if err != nil {
+		log.Print(err)
+		return ""
+	}
+
+	return *output.Parameter.Value
+}
+
+// Writes new cursor to parameter store. Could be refactored to take an endpoint as 
+// an argument and fetch the corresponding cursor.
+func setCursor(cursor string) {
+	paramInput := ssm.PutParameterInput{
+		Name:      aws.String(parameterName),
+		Value:     &cursor,
+		Overwrite: aws.Bool(true),
+	}
+	paramStore := ssm.NewFromConfig(loadConfig())
+
+	paramStore.PutParameter(context.TODO(), &paramInput)
+}
+
+// Write logs to destination. In this case CloudWatch, but would require refactoring
+// for your specific implementation and destination. 
+func writeLogs(logItems []Item) {
+	// Create a CloudWatchLogs client with additional configuration
+	svc := cloudwatchlogs.NewFromConfig(loadConfig())
+
+	// Each array of InputLogEvent's needs to be within a 24-hour window
+	// In theory, this is only an issue on first call
+	var events []types.InputLogEvent
+	for _, item := range logItems {
+		timestamp := item.Timestamp.UnixMilli()
+		itemByte, _ := json.Marshal(item)
+		itemString := string(itemByte)
+		event := types.InputLogEvent{
+			Message:   &itemString,
+			Timestamp: &timestamp,
+		}
+
+		events = append(events, event)
+	}
+
+	logEvent := cloudwatchlogs.PutLogEventsInput{
+		LogEvents:     events,
+		LogGroupName:  &cloudwatchLogGroup,
+		LogStreamName: &cloudwatchStream,
+	}
+
+	_, err := svc.PutLogEvents(context.TODO(), &logEvent)
+
+	// log.Println("writeLogs error:")
+	log.Println(err)
+}