Feature/tex 4957 certificate monitoring TF example (#231)

Author: JohnEllwoodBJSS

practices/observability.md

@@ -37,7 +37,7 @@
   * Consider using structured (i.e. Json formatted) log messages, as log aggregation systems can often perform more effective searches of these.
   * Tracing can be implemented using cloud platform-native tools like [AWS X-Ray](https://aws.amazon.com/xray/) or open source equivalents such as [OpenTracing](https://opentracing.io/docs/overview/what-is-tracing/). APM tools mentioned elsewhere also typically include tracing functionality.
 * More **things to monitor**.
-  * Monitor (and generate alerts for) the expiry dates of the SSL certificates within the service.
+  * Monitor (and generate alerts for) the expiry dates of the SSL certificates within the service. See [acm-cert-monitor](../tools/acm-cert-monitor/) for an example lambda and Terraform stack to monitor your AWS ACM certificates.
   * Subscribe to service alerts from your cloud vendors, e.g. the service-status RSS feeds for [AWS](https://status.aws.amazon.com) and [Azure](https://status.azure.com/status/).
   * Ensure you have reporting and alerting for the health of any services/components your service relies on, e.g. shared network connections or shared authentication services.
 * **Secret / sensitive data**.

tools/acm-cert-monitor/README.md

@@ -0,0 +1,17 @@
+The Terraform 0.13.6 example here deploys a stack containing:
+
+* a lambda to monitor ACM certs in the same AWS account
+* SNS topic and cloudwatch event rule for sending email notifications
+
+The lambda also sends slack notifications but you will need to:
+
+* add a secret to AWS Secrets Manager with the Slack webhook URL
+* update the Slack channel & secret id in the python script:
+
+  `"channel": "<INSERT SLACK CHANNEL>",`
+
+  `pw_response = boto3.client('secretsmanager', region_name=AWS_REGION).get_secret_value(SecretId='<INSERT SECRET ID>')`
+   
+You will also need to set the appropriate values for the variables defined in variables.tf in the .tfvars file for your environment(s)
+
+As it stands, the lambda warns when certs have 45 days left and sends a critical notification at 15 days until expiry.

tools/acm-cert-monitor/main.tf

@@ -0,0 +1,140 @@
+##################
+# Lambda
+##################
+data "archive_file" "acm_cert_monitor_zip" {
+  type        = "zip"
+  source_dir  = "${path.module}/resources"
+  output_path = "${path.module}/.terraform/archive_files/acm_cert_monitor.zip"
+}
+
+resource "aws_lambda_function" "acm_cert_monitor" {
+  filename         = data.archive_file.acm_cert_monitor_zip.output_path
+  function_name    = "${var.name_prefix}-acm-cert-monitor"
+  role             = aws_iam_role.acm_cert_monitor_role.arn
+  handler          = "acm_cert_monitor.lambda_handler"
+  source_code_hash = data.archive_file.acm_cert_monitor_zip.output_base64sha256
+  runtime          = "python3.7"
+  timeout          = "180"
+
+  environment {
+    variables = {
+      SNS_TOPIC_ARN = aws_sns_topic.acm_cert_monitor_sns.arn
+    }
+  }
+}
+
+##################
+# Event
+##################
+resource "aws_cloudwatch_event_rule" "acm_expiry_notification" {
+  name          = "${var.name_prefix}-acm-cert-expiry-monitor"
+  description   = "Event to monitor ACM expiry certs"
+  event_pattern = <<EOF
+{
+  "source": [
+    "aws.acm"
+  ],
+  "detail-type": [
+    "ACM Certificate Approaching Expiration"
+  ]
+}
+EOF
+}
+
+resource "aws_cloudwatch_event_target" "acm_cert_monitor_lambda" {
+  target_id = "SendToLambda"
+  rule      = aws_cloudwatch_event_rule.acm_expiry_notification.name
+  arn       = aws_lambda_function.acm_cert_monitor.arn
+}
+
+resource "aws_lambda_permission" "acm_cloudwatch_invoke_function" {
+  statement_id  = "AllowACMLambdaExecutionFromCloudWatchEvent"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.acm_cert_monitor.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.acm_expiry_notification.arn
+}
+
+##################
+# Notification
+##################
+resource "aws_sns_topic" "acm_cert_monitor_sns" {
+  name         = "${var.name_prefix}-acm-cert-monitor"
+  display_name = var.name_prefix
+  kms_master_key_id = "alias/aws/sns"
+}
+
+##################
+#  Role/Policies
+##################
+resource "aws_iam_role" "acm_cert_monitor_role" {
+  path = "/"
+  name = "${var.name_prefix}-acm-cert-monitor-role"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": [
+          "lambda.amazonaws.com"
+        ]
+      },
+      "Action": [
+        "sts:AssumeRole"
+      ]
+    }
+  ]
+}
+EOF
+
+}
+
+resource "aws_iam_role_policy" "acm_cert_monitor_policy" {
+  role = aws_iam_role.acm_cert_monitor_role.id
+  name = "${var.name_prefix}-acm-cert-monitor-policy"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": ["logs:*"],
+            "Resource": "arn:aws:logs:*:*:*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "acm:DescribeCertificate",
+                "acm:GetCertificate",
+                "acm:ListCertificates",
+                "acm:ListTagsForCertificate"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "SNS:Publish",
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "SecurityHub:BatchImportFindings",
+                "SecurityHub:BatchUpdateFindings",
+                "SecurityHub:DescribeHub"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "cloudwatch:ListMetrics",
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}

tools/acm-cert-monitor/providers.tf

@@ -0,0 +1,10 @@
+##################################################################################
+# PROVIDERS
+##################################################################################
+
+provider "aws" {
+  profile = var.aws_profile
+  region  = var.aws_region
+  version = "3.13.0"
+}
+

tools/acm-cert-monitor/resources/acm_cert_monitor.py

@@ -0,0 +1,121 @@
+# Copyright 2021 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this
+# software and associated documentation files (the "Software"), to deal in the Software
+# without restriction, including without limitation the rights to use, copy, modify,
+# merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+# permit persons to whom the Software is furnished to do so.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
+# PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+import json
+import urllib3
+import boto3
+import os
+from datetime import datetime, timedelta, timezone
+
+# -------------------------------------------
+# setup global data
+# -------------------------------------------
+http = urllib3.PoolManager()
+utc = timezone.utc
+date = datetime.now().date()
+today = datetime.now().replace(tzinfo=utc)
+AWS_REGION = 'eu-west-2'
+
+if os.environ.get('EXPIRY_DAYS') is None:
+    expiry_days = 45
+else:
+    expiry_days = int(os.environ['EXPIRY_DAYS'])
+
+if os.environ.get('CRITICAL_EXPIRY_DAYS') is None:
+    critical_expiry_days = 15
+else:
+    critical_expiry_days = int(os.environ['CRITICAL_EXPIRY_DAYS'])
+
+expiry_window = date + timedelta(days=expiry_days)
+critical_expiry_window = today + timedelta(days=critical_expiry_days)
+
+
+def lambda_handler(event, context):
+    # if this is coming from the ACM event, its for a single certificate
+    if event['detail-type'] == "ACM Certificate Approaching Expiration":
+        response = handle_single_cert(event)
+    return {
+        'statusCode': 200,
+        'body': response
+    }
+
+
+def handle_single_cert(event):
+    cert_client = boto3.client('acm')
+    cert_details = cert_client.describe_certificate(CertificateArn=event['resources'][0])
+    result = check_cert(cert_details)
+    return result
+
+
+def check_cert(cert_details):
+    result = 'The following certificate is expiring within '
+
+    if cert_details['Certificate']['NotAfter'].date() == expiry_window:
+        result = result + str(expiry_days) + ' days: ' + \
+                 cert_details['Certificate']['DomainName'] + \
+                 ' (' + cert_details['Certificate']['CertificateArn'] + ') '
+        send_msg_slack(result)
+        send_email(result)
+    elif cert_details['Certificate']['NotAfter'] < critical_expiry_window:
+        result = ':bomb: CRITICAL:' + result + str(critical_expiry_days) + ' days: ' + \
+                 cert_details['Certificate']['DomainName'] + \
+                 ' (' + cert_details['Certificate']['CertificateArn'] + ') '
+        send_msg_slack(result)
+        send_email(result)
+
+    return result
+
+
+def send_email(result):
+    sns_client = boto3.client('sns')
+    sns_client.publish(TopicArn=os.environ['SNS_TOPIC_ARN'], Message=result.replace(":bomb: ", ""),
+                                  Subject='Certificate Expiration Notification')
+
+
+def send_msg_slack(result):
+
+   url= get_slack_url()
+   if(url is None):
+      print ('unable to send slack message, slack url not set')
+   else:     
+      msg = {
+        "channel": "<INSERT SLACK CHANNEL>",
+        "username": "ACM_Expiry",
+        "text": result,
+        "icon_emoji": ""
+      }
+
+      encoded_msg = json.dumps(msg).encode('utf-8')
+      resp = http.request('POST', url, body=encoded_msg)
+      print({
+        "message": result,
+        "status_code": resp.status,
+        "response": resp.data
+      })
+
+def get_slack_url():
+   slack_url = None
+   pw_response = boto3.client('secretsmanager', region_name=AWS_REGION).get_secret_value(SecretId='<INSERT SECRET ID>')
+   secrets = pw_response['SecretString']
+   secret_dict= json.loads(secrets)   
+   slack_url_key = 'slack_hook_url'
+   if slack_url_key in secret_dict:
+      slack_url = secret_dict[slack_url_key]
+      print('slack hook url'+slack_url)
+   else:
+      print(slack_url_key+' not declared in AWS Secrets')
+   
+   return slack_url

tools/acm-cert-monitor/terraform.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "s3" {
+    encrypt = true
+  }
+}
+

tools/acm-cert-monitor/variables.tf

@@ -0,0 +1,18 @@
+############################
+# AWS COMMON
+############################
+variable "aws_profile" {
+  description = "The AWS profile"
+}
+
+variable "aws_region" {
+  description = "The AWS region"
+}
+
+variable "aws_account_id" {
+  description = "AWS account Number for Athena log location"
+}
+
+variable "name_prefix" {
+  description = "Prefix used for naming resources"
+}

tools/acm-cert-monitor/versions.tf

@@ -0,0 +1,4 @@
+
+terraform {
+  required_version = "= 0.13.6"
+}