feat: add field extraction to all extra lambdas (#215)

edersonbrilhante · web-flow · commit ea8ef289e39d · 2025-12-01T22:58:19.000+02:00
* feat: add field extraction to all extra lambdas

* fix: remove print in lambda

* feat: create field extraction forgecicd_trust_validation

* fix: replace time from session name
diff --git a/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf b/modules/integrations/splunk_cloud_conf_shared/props_cloudwatchlogs.tf
@@ -6,6 +6,7 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs" {
     "REPORT-forgecicd_cloudwatchlogs_lambda_tenant_fields"        = "forgecicd_cloudwatchlogs_lambda_tenant_fields"
     "REPORT-forgecicd_cloudwatchlogs_global_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_global_lambda_tenant_fields"
     "REPORT-forgecicd_extra_lambda_tenant_fields"                 = "forgecicd_extra_lambda_tenant_fields"
+    "REPORT-forgecicd_trust_validation"                           = "forgecicd_trust_validation"
   }
   lifecycle {
     ignore_changes = [
diff --git a/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf b/modules/integrations/splunk_cloud_conf_shared/transforms_lambda.tf
@@ -2,7 +2,7 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" {
   name = "transforms/forgecicd_extra_lambda_tenant_fields"
 
   variables = {
-    "REGEX"      = "(?<aws_region>[^:]+):\\/aws\\/lambda\\/(?<forgecicd_tenant>[a-z0-9]+)-(?<forgecicd_region_alias>[a-z0-9]+)-(?<forgecicd_vpc_alias>[a-z0-9]+)-(?<forgecicd_log_type>github-app-runner-group|github-clean-global-lock)"
+    "REGEX"      = "(?<aws_region>[^:]+):\\/aws\\/lambda\\/(?<forgecicd_tenant>[a-z0-9]+)-(?<forgecicd_region_alias>[a-z0-9]+)-(?<forgecicd_vpc_alias>[a-z0-9]+)-(?<forgecicd_log_type>register-github-app-runner-group|github-webhook-relay|clean-global-lock|job-log-archiver|job-log-dispatcher|forge-trust-validator)"
     "FORMAT"     = "aws_region::$1 forgecicd_tenant::$2 forgecicd_region_alias::$3 forgecicd_vpc_alias::$4 forgecicd_log_type::$5"
     "SOURCE_KEY" = "source"
     "CLEAN_KEYS" = "0"
@@ -29,3 +29,37 @@ resource "splunk_configs_conf" "forgecicd_extra_lambda_tenant_fields" {
     ]
   }
 }
+
+
+resource "splunk_configs_conf" "forgecicd_trust_validation" {
+  name = "transforms/forgecicd_trust_validation"
+
+  variables = {
+    REGEX      = "Validation complete:\\s*(\\[[^\\r\\n]+])"
+    FORMAT     = "forgecicd_trust_validation::$1"
+    SOURCE_KEY = "_raw"
+    CLEAN_KEYS = "0"
+  }
+
+  acl {
+    app     = var.splunk_conf.acl.app
+    owner   = var.splunk_conf.acl.owner
+    sharing = var.splunk_conf.acl.sharing
+    read    = var.splunk_conf.acl.read
+    write   = var.splunk_conf.acl.write
+  }
+  lifecycle {
+    ignore_changes = [
+      variables["CAN_OPTIMIZE"],
+      variables["DEFAULT_VALUE"],
+      variables["DEPTH_LIMIT"],
+      variables["DEST_KEY"],
+      variables["KEEP_EMPTY_VALS"],
+      variables["LOOKAHEAD"],
+      variables["MATCH_LIMIT"],
+      variables["MV_ADD"],
+      variables["WRITE_META"],
+      variables["disabled"]
+    ]
+  }
+}
diff --git a/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf b/modules/platform/forge_runners/forge_trust_validator/forge_roles.tf
@@ -2,6 +2,8 @@ data "aws_iam_role" "forge" {
   for_each = toset(var.forge_iam_roles)
 
   name = replace(each.value, "/^.*//", "")
+
+  depends_on = [module.forge_trust_validator_lambda]
 }
 
 locals {
@@ -41,7 +43,7 @@ locals {
 
   # concatenated_trust_object[arn] = full updated policy for each role
   concatenated_trust_object = {
-    for arn, trust in local.original_trust :
+    for arn, trust in local.updated_statements :
     arn => {
       Version   = try(trust.Version, "2012-10-17")
       Statement = local.updated_statements[arn]
@@ -53,14 +55,20 @@ locals {
     for arn, obj in local.concatenated_trust_object :
     arn => jsonencode(obj)
   }
+
+  original_statements_trust_json = {
+    for arn, obj in local.original_statements :
+    arn => jsonencode(obj)
+  }
 }
 
 resource "null_resource" "update_forge_role_trust" {
   for_each = data.aws_iam_role.forge
 
   triggers = {
-    role_name  = each.value.name
-    future_sha = sha1(local.concatenated_trust_json[each.key])
+    role_name    = each.value.name
+    original_sha = sha1(local.original_statements_trust_json[each.key])
+    future_sha   = sha1(local.concatenated_trust_json[each.key])
   }
 
   provisioner "local-exec" {
diff --git a/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py b/modules/platform/forge_runners/forge_trust_validator/lambda/forge_trust_validator.py
@@ -1,7 +1,6 @@
 import json
 import logging
 import os
-import time
 from typing import Any, Dict, List
 
 import boto3
@@ -109,7 +108,7 @@ def validate_forge_role_against_tenants(
         session_policy = build_session_policy_for_tenants(tenant_role_arns)
         forge_assume_resp = assume_role(
             role_arn=forge_role_arn,
-            session_name=f"ForgeValidation-{int(time.time())}",
+            session_name='ForgeValidation',
             session_policy=session_policy,
         )
         LOG.info(f"Successfully assumed Forge role: {forge_role_arn}")
@@ -133,7 +132,7 @@ def validate_forge_role_against_tenants(
             try:
                 sts_as_forge.assume_role(
                     RoleArn=tenant_arn,
-                    RoleSessionName=f"TenantValidation-Basic-{int(time.time())}",
+                    RoleSessionName='TenantValidation-Basic',
                 )
                 LOG.info(f"Basic AssumeRole successful for {tenant_arn}")
                 tenant_entry['assume_role_success'] = True
@@ -150,14 +149,13 @@ def validate_forge_role_against_tenants(
                 try:
                     tenant_resp = sts_as_forge.assume_role(
                         RoleArn=tenant_arn,
-                        RoleSessionName=f"TenantValidation-Tags-{int(time.time())}",
+                        RoleSessionName='TenantValidation-Tags',
                         Tags=[
                             {'Key': 'CreatedBy', 'Value': 'ForgeTrustValidator'},
                             {'Key': 'Validation', 'Value': 'True'}
                         ]
                     )
 
-                    # Optional: verify the tenant creds actually work
                     tenant_creds = tenant_resp['Credentials']
                     sts_as_tenant = boto3.client(
                         'sts',
@@ -239,8 +237,7 @@ def lambda_handler(event, context):
         )
         all_results.append(res)
 
-    LOG.info('Validation complete')
-    print(json.dumps(all_results, indent=2))
+    LOG.info('Validation complete: %s', json.dumps(all_results))
 
     return {
         'statusCode': 200,

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ resource "splunk_configs_conf" "forgecicd_cloudwatchlogs" {`
`6`	`6`	`"REPORT-forgecicd_cloudwatchlogs_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_lambda_tenant_fields"`
`7`	`7`	`"REPORT-forgecicd_cloudwatchlogs_global_lambda_tenant_fields" = "forgecicd_cloudwatchlogs_global_lambda_tenant_fields"`
`8`	`8`	`"REPORT-forgecicd_extra_lambda_tenant_fields" = "forgecicd_extra_lambda_tenant_fields"`
	`9`	`+ "REPORT-forgecicd_trust_validation" = "forgecicd_trust_validation"`
`9`	`10`	`}`
`10`	`11`	`lifecycle {`
`11`	`12`	`ignore_changes = [`