Imported guardduty_slack from 0.11

saiya · saiya · commit d2ea3440e990 · 2019-09-02T17:01:51.000+09:00
diff --git a/guardduty_slack/README.md b/guardduty_slack/README.md
@@ -0,0 +1,17 @@
+# guardduty_slack
+
+This module setups:
+
+- AWS GuardDuty
+- S3 bucket to store "trusted IP address" list
+  - GuardDuty won't raise alert for trusted IPs.
+- Slack notification (AWS lambda)
+
+## Prerequisite
+
+1. Create slack channel to notify
+2. Issue slack webhook URL to post notification
+
+## Variables
+
+See [variables.tf](variables.tf) for parameters.
diff --git a/guardduty_slack/aws_region.tf b/guardduty_slack/aws_region.tf
@@ -0,0 +1 @@
+data "aws_region" "current" {}
diff --git a/guardduty_slack/aws_s3_bucket.tf b/guardduty_slack/aws_s3_bucket.tf
@@ -0,0 +1,5 @@
+resource "aws_s3_bucket" "main" {
+  bucket_prefix = "${var.s3_bucket_name}-"
+
+  acl = "private"
+}
diff --git a/guardduty_slack/aws_s3_bucket_object.tf b/guardduty_slack/aws_s3_bucket_object.tf
@@ -0,0 +1,14 @@
+locals {
+  ipset_location = "https://s3-${data.aws_region.current.name}.amazonaws.com/${aws_s3_bucket_object.trusted_ipset.bucket}/${aws_s3_bucket_object.trusted_ipset.key}"
+  trusted_ipset_content = "${join("\n", var.trusted_ip_cidr_blocks)}"
+}
+
+resource "aws_s3_bucket_object" "trusted_ipset" {
+  acl = "public-read"
+
+  bucket = "${aws_s3_bucket.main.id}"
+  key = "ipset-${sha1(local.trusted_ipset_content)}"
+
+  etag = "${md5(local.trusted_ipset_content)}"
+  content = "${local.trusted_ipset_content}"
+}
diff --git a/guardduty_slack/lambda_sns_to_slack.tf b/guardduty_slack/lambda_sns_to_slack.tf
@@ -0,0 +1,6 @@
+module "lambda_sns_to_slack" {
+  source = "./lambda_sns_to_slack"
+  
+  basename = "guardduty-sns-to-slack-${var.envname}"
+  guardduty_slack_webhook_url = "${var.guardduty_slack_webhook_url}"
+}
diff --git a/guardduty_slack/lambda_sns_to_slack/aws_iam_role.tf b/guardduty_slack/lambda_sns_to_slack/aws_iam_role.tf
@@ -0,0 +1,49 @@
+resource "aws_iam_role" "lambda_role" {
+  name = "${var.basename}"
+
+  assume_role_policy = "${data.aws_iam_policy_document.lambda_edge_assume_role.json}"
+}
+
+data "aws_iam_policy_document" "lambda_edge_assume_role" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com", "edgelambda.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "viewer_request_lambda_execution" {
+  role       = "${aws_iam_role.lambda_role.name}"
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+
+resource "aws_iam_role_policy_attachment" "viewer_request_cloudwatch_logs" {
+  role       = "${aws_iam_role.lambda_role.name}"
+  policy_arn = "${aws_iam_policy.lambda_cloudwatch_logs.arn}"
+}
+
+resource "aws_iam_policy" "lambda_cloudwatch_logs" {
+  name        = "${var.basename}-logs"
+  path        = "/"
+  description = "IAM policy for logging from a lambda"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "arn:aws:logs:*:*:*",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
diff --git a/guardduty_slack/lambda_sns_to_slack/aws_lambda_function.tf b/guardduty_slack/lambda_sns_to_slack/aws_lambda_function.tf
@@ -0,0 +1,34 @@
+output "lambda_arn" {
+  value = "${aws_lambda_function.lambda.arn}"
+}
+
+resource "aws_lambda_function" "lambda" {
+  publish       = true
+  function_name = "${var.basename}"
+
+  filename         = "${substr(data.archive_file.lambda.output_path, length(path.cwd) + 1, -1)}"
+  handler          = "index.lambda_hander"
+  source_code_hash = "${data.archive_file.lambda.output_base64sha256}"
+
+  role = "${aws_iam_role.lambda_role.arn}"
+
+  runtime     = "python3.6"
+  memory_size = 128
+  timeout     = 30
+
+  environment {
+    variables = {
+      slack = "${var.guardduty_slack_webhook_url}"
+    }
+  }
+
+  lifecycle {
+    ignore_changes = ["last_modified"]
+  }
+}
+
+data "archive_file" "lambda" {
+  type        = "zip"
+  source_dir  = "${path.module}/src"
+  output_path = "${path.module}/temp/${var.basename}-dist.zip"
+}
diff --git a/guardduty_slack/lambda_sns_to_slack/src/index.py b/guardduty_slack/lambda_sns_to_slack/src/index.py
@@ -0,0 +1,39 @@
+#!/usr/bin/python
+
+from botocore.vendored import requests # https://stackoverflow.com/a/48495770
+import json
+import os
+import logging
+
+webhook_url = os.environ['slack']
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+ 
+def lambda_hander(event, context):
+    logger.info(json.dumps(event))
+
+    for record in event['Records']:
+        process_event(json.loads(record['Sns']['Message']))
+
+def process_event(event):
+    event_detail = {}
+    if 'detail' in event:
+        event_detail = event['detail']
+    event_service = {}
+    if 'service' in event_detail:
+        event_service = event_detail['service']
+    
+    message = "{title}\n{description}\nnseverity: {severity}\neventFirstSeen: {eventFirstSeen}\nregion: {region}".format(
+        title = event_detail.get('title'),
+        description = event_detail.get('description'),
+        severity = event_detail.get('severity'),
+        eventFirstSeen = event_service.get('eventFirstSeen'),
+        region = event.get('region')
+    )
+    if event['detail']['severity'] > 3.9:
+        requests.post(webhook_url, data = json.dumps({
+            'text': message,
+            'username': 'GuardDuty',
+            'icon_emoji': ':rotating_light:',
+            'link_names': 1,
+        }))
diff --git a/guardduty_slack/lambda_sns_to_slack/temp/.gitignore b/guardduty_slack/lambda_sns_to_slack/temp/.gitignore
@@ -0,0 +1 @@
+*.zip
diff --git a/guardduty_slack/lambda_sns_to_slack/variables.tf b/guardduty_slack/lambda_sns_to_slack/variables.tf
@@ -0,0 +1,3 @@
+variable "basename" {}
+
+variable "guardduty_slack_webhook_url" {}
diff --git a/guardduty_slack/regional/aws_caller_identity.tf b/guardduty_slack/regional/aws_caller_identity.tf
@@ -0,0 +1,3 @@
+data "aws_caller_identity" "current" {
+  provider = "aws.regional"
+}
diff --git a/guardduty_slack/regional/aws_cloudwatch_event_rule.tf b/guardduty_slack/regional/aws_cloudwatch_event_rule.tf
@@ -0,0 +1,24 @@
+resource "aws_cloudwatch_event_rule" "guardduty_event_notify" {
+  provider = "aws.regional"
+
+  name = "guardduty-event-notify"
+  description = "GuardDuty event"
+
+  # High (the value of the severity parameter in the GetFindings response falls within the 7.0 to 8.9 range)
+  # Medium (the value of the severity parameter in the GetFindings response falls within the 4.0 to 6.9 range)
+  # Low (the value of the severity parameter in the GetFindings response falls within the 0.1 to 3.9 range)
+  #
+  # https://devops.stackexchange.com/a/3636
+  event_pattern = <<EOF
+{
+  "source": [ "aws.guardduty" ],
+  "detail-type": [ "GuardDuty Finding" ],
+  "detail": {
+    "severity": [
+      4.0,4.1,4.2,4.3,4.4,4.5,4.6,4.7,4.8,4.9,5.0,5.1,5.2,5.3,5.4,5.5,5.6,5.7,5.8,5.9,6.0,6.1,6.2,6.3,6.4,6.5,6.6,6.7,6.8,6.9,
+      7.0,7.1,7.2,7.3,7.4,7.5,7.6,7.7,7.8,7.9,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8,8.9
+    ]
+  }
+}
+EOF
+}
diff --git a/guardduty_slack/regional/aws_cloudwatch_event_target.tf b/guardduty_slack/regional/aws_cloudwatch_event_target.tf
@@ -0,0 +1,7 @@
+resource "aws_cloudwatch_event_target" "guardduty_event_notify_to_sns" {
+  provider = "aws.regional"
+
+  target_id = "GuardDutyNotifyToSNS"
+  rule = "${aws_cloudwatch_event_rule.guardduty_event_notify.name}"
+  arn = "${aws_sns_topic.notify.arn}"
+}
diff --git a/guardduty_slack/regional/aws_guardduty_detector.tf b/guardduty_slack/regional/aws_guardduty_detector.tf
@@ -0,0 +1,5 @@
+resource "aws_guardduty_detector" "main" {
+  provider = "aws.regional"
+
+  enable = "${var.enable}"
+}
diff --git a/guardduty_slack/regional/aws_guardduty_ipset.tf b/guardduty_slack/regional/aws_guardduty_ipset.tf
@@ -0,0 +1,18 @@
+resource "aws_guardduty_ipset" "MyIPSet" {
+  provider = "aws.regional"
+
+  activate = true
+  detector_id = "${aws_guardduty_detector.main.id}"
+  format = "TXT"
+  location = "${var.ipset_location}"
+  name = "terraform-${random_id.hash.hex}"
+}
+
+resource "random_id" "hash" {
+  keepers = {
+    # Generate a new id each time we switch to a new AMI id
+    ipset_location = "${var.ipset_location}"
+  }
+
+  byte_length = 8
+}
diff --git a/guardduty_slack/regional/aws_lambda_permission.tf b/guardduty_slack/regional/aws_lambda_permission.tf
@@ -0,0 +1,8 @@
+resource "aws_lambda_permission" "notify" {
+  # This object should be in main region, not regional
+  statement_id = "guardduty_notify_${var.aws_region}"
+  action        = "lambda:InvokeFunction"
+  function_name = "${element(split(":", var.lambda_notify_to_slack_arn), length(split(":", var.lambda_notify_to_slack_arn)) - 1)}"
+  principal     = "sns.amazonaws.com"
+  source_arn    = "${aws_sns_topic.notify.arn}"
+}
diff --git a/guardduty_slack/regional/providers.tf b/guardduty_slack/regional/providers.tf
@@ -0,0 +1,5 @@
+provider "aws" {
+  alias = "regional"
+
+  region = "${var.aws_region}"
+}
diff --git a/guardduty_slack/regional/sns_topic.tf b/guardduty_slack/regional/sns_topic.tf
@@ -0,0 +1,32 @@
+resource "aws_sns_topic" "notify" {
+  provider = "aws.regional"
+
+  name = "mdl-guardduty-${var.envname}-notify"
+}
+
+resource "aws_sns_topic_subscription" "lambda_to_slack" {
+  provider = "aws.regional"
+
+  topic_arn = "${aws_sns_topic.notify.arn}"
+  protocol  = "lambda"
+  endpoint  = "${var.lambda_notify_to_slack_arn}"
+
+  depends_on = [
+    "aws_sns_topic.notify",
+  ]
+}
+
+resource "aws_sns_topic_policy" "notify" {
+  provider = "aws.regional"
+
+  arn = "${aws_sns_topic.notify.arn}"
+
+  policy = "${data.template_file.sns_topic_policy_notify.rendered}"
+}
+data "template_file" "sns_topic_policy_notify" {
+  template = "${data.aws_iam_policy_document.sns_topic_policy.json}"
+
+  vars {
+    topic_arn = "${aws_sns_topic.notify.arn}"
+  }
+}
diff --git a/guardduty_slack/regional/sns_topic_policy.tf b/guardduty_slack/regional/sns_topic_policy.tf
@@ -0,0 +1,64 @@
+# Need to replace "${topic_arn}"
+data "aws_iam_policy_document" "sns_topic_policy" {
+  policy_id = "__default_policy_ID"
+
+  statement {
+    actions = [
+      "SNS:Subscribe",
+      "SNS:SetTopicAttributes",
+      "SNS:RemovePermission",
+      "SNS:Receive",
+      "SNS:Publish",
+      "SNS:ListSubscriptionsByTopic",
+      "SNS:GetTopicAttributes",
+      "SNS:DeleteTopic",
+      "SNS:AddPermission",
+    ]
+
+    condition {
+      test = "StringEquals"
+      variable = "AWS:SourceOwner"
+
+      values = [
+        "${data.aws_caller_identity.current.account_id}",
+      ]
+    }
+
+    effect = "Allow"
+
+    principals {
+      type = "AWS"
+      identifiers = [
+        "*"
+      ]
+    }
+
+    resources = [
+      "$${topic_arn}",
+    ]
+
+    sid = "__default_statement_ID"
+  }
+
+
+  # https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/resource-based-policies-cwe.html
+  statement {
+    sid = "TrustCWEToPublishEventsToMyTopic"
+    effect = "Allow"
+
+    principals {
+      type = "Service"
+      identifiers = [
+        "events.amazonaws.com"
+      ]
+    }
+
+    actions = [
+      "sns:Publish",
+    ]
+
+    resources = [
+      "$${topic_arn}",
+    ]
+  }
+}
diff --git a/guardduty_slack/regional/variables.tf b/guardduty_slack/regional/variables.tf
@@ -0,0 +1,10 @@
+variable "envname" {}
+
+variable "aws_region" {}
+
+variable "enable" {}
+
+variable "lambda_notify_to_slack_arn" {}
+
+
+variable "ipset_location" {}
diff --git a/guardduty_slack/regions.tf b/guardduty_slack/regions.tf
diff --git a/guardduty_slack/regions.tf.sh b/guardduty_slack/regions.tf.sh
diff --git a/guardduty_slack/variables.tf b/guardduty_slack/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+variable "basename" {}`
	`2`	`+`
	`3`	`+variable "guardduty_slack_webhook_url" {}`