threat_intel_downloader module now uses tf_lambda module #1074

Merged
1 change: 1 addition & 0 deletions streamalert/shared/__init__.py
Expand Up @@ -5,5 +5,6 @@
CLASSIFIER_FUNCTION_NAME = 'classifier'
RULES_ENGINE_FUNCTION_NAME = 'rules_engine'
RULE_PROMOTION_NAME = 'rule_promotion'
THREAT_INTEL_DOWNLOADER_NAME = 'threat_intel_downloader'

CLUSTERED_FUNCTIONS = {CLASSIFIER_FUNCTION_NAME}
49 changes: 33 additions & 16 deletions streamalert_cli/terraform/threat_intel_downloader.py
Expand Up @@ -13,8 +13,10 @@
See the License for the specific language governing permissions and
limitations under the License.
"""
from streamalert.shared import THREAT_INTEL_DOWNLOADER_NAME
from streamalert_cli.manage_lambda.package import ThreatIntelDownloaderPackage
from streamalert_cli.terraform.common import infinitedict, monitoring_topic_name
from streamalert_cli.terraform.lambda_module import generate_lambda


def generate_threat_intel_downloader(config):
Expand All @@ -29,24 +31,39 @@ def generate_threat_intel_downloader(config):
# Use the monitoring topic as a dead letter queue
dlq_topic = monitoring_topic_name(config)

prefix = config['global']['account']['prefix']

# Threat Intel Downloader module
ti_downloader_config = config['lambda']['threat_intel_downloader_config']
ti_downloader_dict = infinitedict()
ti_downloader_dict['module']['threat_intel_downloader'] = {
tid_config = config['lambda']['threat_intel_downloader_config']

# old format of config used interval, but tf_lambda expects 'schedule_expression'
if 'schedule_expression' not in tid_config:
tid_config['schedule_expression'] = tid_config.get('interval', 'rate(1 day)')

result = infinitedict()

# Set variables for the threat intel downloader configuration
result['module']['threat_intel_downloader_iam'] = {
'source': './modules/tf_threat_intel_downloader',
'account_id': config['global']['account']['aws_account_id'],
'region': config['global']['account']['region'],
'source': './modules/tf_threat_intel_downloader',
'lambda_handler': ThreatIntelDownloaderPackage.lambda_handler,
'lambda_memory': ti_downloader_config.get('memory', '128'),
'lambda_timeout': ti_downloader_config.get('timeout', '60'),
'lambda_log_level': ti_downloader_config.get('log_level', 'info'),
'interval': ti_downloader_config.get('interval', 'rate(1 day)'),
'prefix': config['global']['account']['prefix'],
'prefix': prefix,
'function_role_id': '${module.threat_intel_downloader.role_id}',
'function_alias_arn': '${module.threat_intel_downloader.function_alias_arn}',
'function_cloudwatch_log_group_name': '${module.threat_intel_downloader.log_group_name}',
'monitoring_sns_topic': dlq_topic,
'table_rcu': ti_downloader_config.get('table_rcu', '10'),
'table_wcu': ti_downloader_config.get('table_wcu', '10'),
'max_read_capacity': ti_downloader_config.get('max_read_capacity', '5'),
'min_read_capacity': ti_downloader_config.get('min_read_capacity', '5'),
'target_utilization': ti_downloader_config.get('target_utilization', '70')
'table_rcu': tid_config.get('table_rcu', '10'),
'table_wcu': tid_config.get('table_wcu', '10'),
'max_read_capacity': tid_config.get('max_read_capacity', '5'),
'min_read_capacity': tid_config.get('min_read_capacity', '5'),
'target_utilization': tid_config.get('target_utilization', '70')
}
return ti_downloader_dict

result['module']['threat_intel_downloader'] = generate_lambda(
'{}_streamalert_{}'.format(prefix, THREAT_INTEL_DOWNLOADER_NAME),
ThreatIntelDownloaderPackage.package_name + '.zip',
ThreatIntelDownloaderPackage.lambda_handler,
tid_config,
config,
)
return result
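Review bot: The back-fill `tid_config['schedule_expression'] = tid_config.get('interval', 'rate(1 day)')` writes into the dict held inside the caller's `config`, so generating this module mutates the loaded configuration as a side effect and leaves the legacy `interval` key sitting next to the synthesized one; if the CLI ever writes `config` back out, that change persists. A local copy keeps the compatibility shim from leaking: `tid_config = dict(config['lambda']['threat_intel_downloader_config'])` followed by `tid_config.setdefault('schedule_expression', tid_config.get('interval', 'rate(1 day)'))`. Whether generate_lambda tolerates the stray `interval` key cannot be seen from here. The `memory`/`timeout`/`log_level` defaults ('128', '60', 'info') that the removed module call applied are no longer set in this function, so they now rest on generate_lambda's own defaults, which is worth confirming. The body of generate_threat_intel_downloader starts outside this hunk.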
40 changes: 8 additions & 32 deletions terraform/modules/tf_threat_intel_downloader/iam.tf
@@ -1,31 +1,7 @@
// IAM Role: Execution Role
resource "aws_iam_role" "threat_intel_downloader" {
name = "${var.prefix}_threat_intel_downloader"
path = "/streamalert/"
assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json

tags = {
Name = "StreamAlert"
}
}

// IAM Policy Doc: Generic Lambda AssumeRole
data "aws_iam_policy_document" "lambda_assume_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
}
}

// IAM Role Policy: Allow lambda function to invoke the Lambda Function
resource "aws_iam_role_policy" "threat_intel_downloader" {
name = "InvokeLambda"
role = aws_iam_role.threat_intel_downloader.id
role = var.function_role_id
policy = data.aws_iam_policy_document.invoke_lambda_function.json
}

Expand All @@ -39,15 +15,15 @@ data "aws_iam_policy_document" "invoke_lambda_function" {
]

resources = [
aws_lambda_function.threat_intel_downloader.arn,
var.function_alias_arn
]
}
}

// IAM Role Policy: Allow the lambda function to create/update CloudWatch logs
resource "aws_iam_role_policy" "cloudwatch_logs" {
name = "WriteToCloudwatchLogs"
role = aws_iam_role.threat_intel_downloader.id
role = var.function_role_id
policy = data.aws_iam_policy_document.cloudwatch_logs_policy.json
}

Expand All @@ -61,7 +37,7 @@ data "aws_iam_policy_document" "cloudwatch_logs_policy" {
]

resources = [
aws_cloudwatch_log_group.threat_intel_downloader.arn,
var.function_cloudwatch_log_group_name
]
}

Expand All @@ -74,15 +50,15 @@ data "aws_iam_policy_document" "cloudwatch_logs_policy" {
]

resources = [
"arn:aws:logs:${var.region}:${var.account_id}:log-group:${aws_cloudwatch_log_group.threat_intel_downloader.name}:log-stream:*",
"arn:aws:logs:${var.region}:${var.account_id}:log-group:${var.function_cloudwatch_log_group_name}:log-stream:*",
]
}
}

// IAM role policy: Allow lambda function to read/write data from DynamoDB
resource "aws_iam_role_policy" "read_write_dynamodb" {
name = "ReadDynamoDB"
role = aws_iam_role.threat_intel_downloader.id
role = var.function_role_id
policy = data.aws_iam_policy_document.read_write_dynamodb.json
}

Expand All @@ -107,7 +83,7 @@ data "aws_iam_policy_document" "read_write_dynamodb" {
// IAM role policy: Allow lambda function to read from parameter store
resource "aws_iam_role_policy" "get_api_creds_from_ssm" {
name = "GetSSMParams"
role = aws_iam_role.threat_intel_downloader.id
role = var.function_role_id
policy = data.aws_iam_policy_document.get_api_creds_from_ssm.json
}

Expand All @@ -129,7 +105,7 @@ data "aws_iam_policy_document" "get_api_creds_from_ssm" {
// IAM Role Policy: Allow the Threat Intel Downloader function to publish sns (used for DLQ)
resource "aws_iam_role_policy" "theat_intel_downloader_publish_sns" {
name = "PublishToSNS"
role = aws_iam_role.threat_intel_downloader.id
role = var.function_role_id
policy = data.aws_iam_policy_document.theat_intel_downloader_publish_sns.json
}

Expand Down
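Review bot: The first statement of cloudwatch_logs_policy now lists `var.function_cloudwatch_log_group_name` directly under `resources`, but an IAM policy resource must be an ARN, and the Python side wires this variable to `${module.threat_intel_downloader.log_group_name}`, which by its name is the bare group name; the value it replaces was `aws_cloudwatch_log_group.threat_intel_downloader.arn`. The following statement already builds the ARN from the same variable for the log-stream case, so this one should do the same: `"arn:aws:logs:${var.region}:${var.account_id}:log-group:${var.function_cloudwatch_log_group_name}",`. If tf_lambda's `log_group_name` output actually carries an ARN, then the log-stream ARN a few lines below is the malformed one instead, so one of the two statements is wrong either way and the function would lose its log permissions silently. The actions of this statement are outside the hunk.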
86 changes: 0 additions & 86 deletions terraform/modules/tf_threat_intel_downloader/main.tf

This file was deleted.

42 changes: 10 additions & 32 deletions terraform/modules/tf_threat_intel_downloader/variables.tf
Expand Up @@ -10,37 +10,27 @@ variable "prefix" {
type = string
}

variable "lambda_handler" {
variable "function_role_id" {
description = "Threat Intel Downloader function IAM Role ID, exported from the tf_lambda module"
}

variable "lambda_memory" {
type = string
default = "128"
variable "function_alias_arn" {
description = "Threat Intel Downloader function alias arn, exported from the tf_lambda module"
}

variable "lambda_timeout" {
type = string
default = "120"
}

variable "filename" {
type = string
default = "threat_intel_downloader.zip"
variable "function_cloudwatch_log_group_name" {
description = "Threat Intel Downloader function cloudwatch log group name, exported from the tf_lambda module"
}

variable "lambda_log_level" {
variable "parameter_name" {
default = "threat_intel_downloader_api_creds"
type = string
default = "info"
}

variable "enable_metrics" {
default = false
variable "monitoring_sns_topic" {
}

variable "interval" {
type = string
default = "rate(1 day)"
}
// ***** DynamoDB Table configuration *****

variable "table_rcu" {
default = 10
Expand All @@ -50,18 +40,6 @@ variable "table_wcu" {
default = 10
}

variable "parameter_name" {
default = "threat_intel_downloader_api_creds"
type = string
}

variable "monitoring_sns_topic" {
}

variable "log_retention" {
default = 14
}

variable "max_read_capacity" {
default = 5
}
Expand Down
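Review bot: The three new variables `function_role_id`, `function_alias_arn` and `function_cloudwatch_log_group_name` carry a description but no `type`, while the neighbouring `prefix` declares `type = string`; since these feed IAM policy `role` and `resources` fields, pinning them with `type = string` stops a mis-wired module output from being silently coerced into a policy. Suggest adding `type = string` beneath each description, matching the style of the surviving `parameter_name` block.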