Merge pull request #22 from schubergphilis/lambda-runtime

breaking: update mcaf-lambda to latest version, allow configuration of runtime, allow configuration of Jira lambda egress

README.md

@@ -158,13 +158,13 @@ Suppress finding for specific resources:
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_eventbridge_security_hub_suppressor_role"></a> [eventbridge\_security\_hub\_suppressor\_role](#module\_eventbridge\_security\_hub\_suppressor\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.2 |
-| <a name="module_lambda_artifacts_bucket"></a> [lambda\_artifacts\_bucket](#module\_lambda\_artifacts\_bucket) | github.com/schubergphilis/terraform-aws-mcaf-s3 | v0.8.0 |
+| <a name="module_lambda_artifacts_bucket"></a> [lambda\_artifacts\_bucket](#module\_lambda\_artifacts\_bucket) | schubergphilis/mcaf-s3/aws | ~> 0.11.0 |
 | <a name="module_lambda_jira_deployment_package"></a> [lambda\_jira\_deployment\_package](#module\_lambda\_jira\_deployment\_package) | terraform-aws-modules/lambda/aws | ~> 3.3.0 |
-| <a name="module_lambda_jira_security_hub"></a> [lambda\_jira\_security\_hub](#module\_lambda\_jira\_security\_hub) | github.com/schubergphilis/terraform-aws-mcaf-lambda | v0.3.3 |
+| <a name="module_lambda_jira_security_hub"></a> [lambda\_jira\_security\_hub](#module\_lambda\_jira\_security\_hub) | schubergphilis/mcaf-lambda/aws | ~> 1.1.0 |
 | <a name="module_lambda_jira_security_hub_role"></a> [lambda\_jira\_security\_hub\_role](#module\_lambda\_jira\_security\_hub\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.2 |
 | <a name="module_lambda_security_hub_suppressor_role"></a> [lambda\_security\_hub\_suppressor\_role](#module\_lambda\_security\_hub\_suppressor\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.2 |
-| <a name="module_lambda_securityhub_events_suppressor"></a> [lambda\_securityhub\_events\_suppressor](#module\_lambda\_securityhub\_events\_suppressor) | github.com/schubergphilis/terraform-aws-mcaf-lambda | v0.3.3 |
-| <a name="module_lambda_securityhub_streams_suppressor"></a> [lambda\_securityhub\_streams\_suppressor](#module\_lambda\_securityhub\_streams\_suppressor) | github.com/schubergphilis/terraform-aws-mcaf-lambda | v0.3.3 |
+| <a name="module_lambda_securityhub_events_suppressor"></a> [lambda\_securityhub\_events\_suppressor](#module\_lambda\_securityhub\_events\_suppressor) | schubergphilis/mcaf-lambda/aws | ~> 1.1.0 |
+| <a name="module_lambda_securityhub_streams_suppressor"></a> [lambda\_securityhub\_streams\_suppressor](#module\_lambda\_securityhub\_streams\_suppressor) | schubergphilis/mcaf-lambda/aws | ~> 1.1.0 |
 | <a name="module_lambda_suppressor_deployment_package"></a> [lambda\_suppressor\_deployment\_package](#module\_lambda\_suppressor\_deployment\_package) | terraform-aws-modules/lambda/aws | ~> 3.3.0 |
 | <a name="module_servicenow_integration"></a> [servicenow\_integration](#module\_servicenow\_integration) | ./modules/servicenow/ | n/a |
 | <a name="module_step_function_security_hub_suppressor_role"></a> [step\_function\_security\_hub\_suppressor\_role](#module\_step\_function\_security\_hub\_suppressor\_role) | github.com/schubergphilis/terraform-aws-mcaf-role | v0.3.2 |
@@ -195,14 +195,13 @@ Suppress finding for specific resources:
 |------|-------------|------|---------|:--------:|
 | <a name="input_kms_key_arn"></a> [kms\_key\_arn](#input\_kms\_key\_arn) | The ARN of the KMS key used to encrypt the resources | `string` | n/a | yes |
 | <a name="input_s3_bucket_name"></a> [s3\_bucket\_name](#input\_s3\_bucket\_name) | The name for the S3 bucket which will be created for storing the function's deployment package | `string` | n/a | yes |
-| <a name="input_create_allow_all_egress_rule"></a> [create\_allow\_all\_egress\_rule](#input\_create\_allow\_all\_egress\_rule) | Whether to create a default any/any egress sg rule for lambda | `bool` | `false` | no |
 | <a name="input_dynamodb_table"></a> [dynamodb\_table](#input\_dynamodb\_table) | The DynamoDB table containing the items to be suppressed in Security Hub | `string` | `"securityhub-suppression-list"` | no |
 | <a name="input_eventbridge_suppressor_iam_role_name"></a> [eventbridge\_suppressor\_iam\_role\_name](#input\_eventbridge\_suppressor\_iam\_role\_name) | The name of the role which will be assumed by EventBridge rules | `string` | `"EventBridgeSecurityHubSuppressorRole"` | no |
-| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Jira integration settings | <pre>object({<br>    enabled                               = optional(bool, false)<br>    credentials_secret_arn                = string<br>    exclude_account_ids                   = optional(list(string), [])<br>    finding_severity_normalized_threshold = optional(number, 70)<br>    issue_type                            = optional(string, "Security Advisory")<br>    project_key                           = string<br>    lambda_settings = optional(object({<br>      name          = optional(string, "securityhub-jira")<br>      iam_role_name = optional(string, "LambdaJiraSecurityHubRole")<br>      log_level     = optional(string, "INFO")<br>      memory_size   = optional(number, 256)<br>      timeout       = optional(number, 60)<br>      }), {<br>      name          = "securityhub-jira"<br>      iam_role_name = "LambdaJiraSecurityHubRole"<br>      log_level     = "INFO"<br>      memory_size   = 256<br>      timeout       = 60<br>    })<br>  })</pre> | <pre>{<br>  "credentials_secret_arn": null,<br>  "enabled": false,<br>  "project_key": null<br>}</pre> | no |
-| <a name="input_lambda_events_suppressor"></a> [lambda\_events\_suppressor](#input\_lambda\_events\_suppressor) | Lambda Events Suppressor settings - Supresses the Security Hub findings in response to EventBridge Trigger | <pre>object({<br>    name        = optional(string, "securityhub-events-suppressor")<br>    log_level   = optional(string, "INFO")<br>    memory_size = optional(number, 256)<br>    timeout     = optional(number, 120)<br>  })</pre> | `{}` | no |
-| <a name="input_lambda_streams_suppressor"></a> [lambda\_streams\_suppressor](#input\_lambda\_streams\_suppressor) | Lambda Streams Suppressor settings - Supresses the Security Hub findings in response to DynamoDB streams | <pre>object({<br>    name        = optional(string, "securityhub-streams-suppressor")<br>    log_level   = optional(string, "INFO")<br>    memory_size = optional(number, 256)<br>    timeout     = optional(number, 120)<br>  })</pre> | `{}` | no |
+| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Jira integration settings | <pre>object({<br>    enabled                               = optional(bool, false)<br>    credentials_secret_arn                = string<br>    exclude_account_ids                   = optional(list(string), [])<br>    finding_severity_normalized_threshold = optional(number, 70)<br>    issue_type                            = optional(string, "Security Advisory")<br>    project_key                           = string<br><br>    security_group_egress_rules = optional(list(object({<br>      cidr_ipv4                    = optional(string)<br>      cidr_ipv6                    = optional(string)<br>      description                  = string<br>      from_port                    = optional(number, 0)<br>      ip_protocol                  = optional(string, "-1")<br>      prefix_list_id               = optional(string)<br>      referenced_security_group_id = optional(string)<br>      to_port                      = optional(number, 0)<br>    })), [])<br><br>    lambda_settings = optional(object({<br>      name          = optional(string, "securityhub-jira")<br>      iam_role_name = optional(string, "LambdaJiraSecurityHubRole")<br>      log_level     = optional(string, "INFO")<br>      memory_size   = optional(number, 256)<br>      runtime       = optional(string, "python3.8")<br>      timeout       = optional(number, 60)<br>      }), {<br>      name                        = "securityhub-jira"<br>      iam_role_name               = "LambdaJiraSecurityHubRole"<br>      log_level                   = "INFO"<br>      memory_size                 = 256<br>      runtime                     = "python3.8"<br>      timeout                     = 60<br>      security_group_egress_rules = []<br>    })<br>  })</pre> | <pre>{<br>  "credentials_secret_arn": null,<br>  "enabled": false,<br>  "project_key": null<br>}</pre> | no |
+| <a name="input_lambda_events_suppressor"></a> [lambda\_events\_suppressor](#input\_lambda\_events\_suppressor) | Lambda Events Suppressor settings - Supresses the Security Hub findings in response to EventBridge Trigger | <pre>object({<br>    name        = optional(string, "securityhub-events-suppressor")<br>    log_level   = optional(string, "INFO")<br>    memory_size = optional(number, 256)<br>    runtime     = optional(string, "python3.8")<br>    timeout     = optional(number, 120)<br><br>    security_group_egress_rules = optional(list(object({<br>      cidr_ipv4                    = optional(string)<br>      cidr_ipv6                    = optional(string)<br>      description                  = string<br>      from_port                    = optional(number, 0)<br>      ip_protocol                  = optional(string, "-1")<br>      prefix_list_id               = optional(string)<br>      referenced_security_group_id = optional(string)<br>      to_port                      = optional(number, 0)<br>    })), [])<br>  })</pre> | `{}` | no |
+| <a name="input_lambda_streams_suppressor"></a> [lambda\_streams\_suppressor](#input\_lambda\_streams\_suppressor) | Lambda Streams Suppressor settings - Supresses the Security Hub findings in response to DynamoDB streams | <pre>object({<br>    name        = optional(string, "securityhub-streams-suppressor")<br>    log_level   = optional(string, "INFO")<br>    memory_size = optional(number, 256)<br>    runtime     = optional(string, "python3.8")<br>    timeout     = optional(number, 120)<br><br>    security_group_egress_rules = optional(list(object({<br>      cidr_ipv4                    = optional(string)<br>      cidr_ipv6                    = optional(string)<br>      description                  = string<br>      from_port                    = optional(number, 0)<br>      ip_protocol                  = optional(string, "-1")<br>      prefix_list_id               = optional(string)<br>      referenced_security_group_id = optional(string)<br>      to_port                      = optional(number, 0)<br>    })), [])<br>  })</pre> | `{}` | no |
 | <a name="input_lambda_suppressor_iam_role_name"></a> [lambda\_suppressor\_iam\_role\_name](#input\_lambda\_suppressor\_iam\_role\_name) | The name of the role which will be assumed by both Suppressor Lambda functions | `string` | `"LambdaSecurityHubSuppressorRole"` | no |
-| <a name="input_servicenow_integration"></a> [servicenow\_integration](#input\_servicenow\_integration) | ServiceNow integration settings | <pre>object({<br>    enabled            = optional(bool, false)<br>    create_access_keys = optional(bool, false)<br>  })</pre> | <pre>{<br>  "enabled": false<br>}</pre> | no |
+| <a name="input_servicenow_integration"></a> [servicenow\_integration](#input\_servicenow\_integration) | ServiceNow integration settings | <pre>object({<br>    enabled                   = optional(bool, false)<br>    create_access_keys        = optional(bool, false)<br>    cloudwatch_retention_days = optional(number, 365)<br>  })</pre> | <pre>{<br>  "enabled": false<br>}</pre> | no |
 | <a name="input_step_function_suppressor_iam_role_name"></a> [step\_function\_suppressor\_iam\_role\_name](#input\_step\_function\_suppressor\_iam\_role\_name) | The name of the role which will be assumed by Suppressor Step function | `string` | `"StepFunctionSecurityHubSuppressorRole"` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The subnet ids where the lambda's needs to run | `list(string)` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A mapping of tags to assign to the resources | `map(string)` | `{}` | no |

UPGRADING.md

@@ -2,6 +2,24 @@
 
 This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
 
+## Upgrading to v2.0.0
+
+### Variables
+
+The following variable has been replaced:
+
+- `create_allow_all_egress_rule` -> `jira_integration.security_group_egress_rules`, `lambda_streams_suppressor.security_group_egress_rules`, `lambda_events_suppressor.security_group_egress_rules`
+
+Instead of only being able to allow all egress or block all egress and having to rely on resources outside this module to create specific egress rules this is now supported natively by the module.
+
+The following variable defaults have been modified:
+
+- `servicenow_integration.cloudwatch_retention_days` -> default: `365` (previous hardcoded: `14`). In order to comply with AWS Security Hub control CloudWatch.16.
+
+### Behaviour
+
+The need to provide a `providers = { aws = aws }` argument has been removed, but is still allowed. E.g. when deploying this module in the audit account typically `providers = { aws = aws.audit }` is passed. 
+
 ## Upgrading to v1.0.0
 
 ### Behaviour

examples/basic/main.tf

@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 resource "aws_kms_key" "default" {
+  #checkov:skip=CKV2_AWS_64: In the example no KMS key policy is defined, we do recommend creating a custom policy.
   enable_key_rotation = true
 }
 
@@ -11,8 +12,7 @@ resource "random_pet" "default" {
 }
 
 module "security_hub_manager" {
-  providers = { aws = aws }
-  source    = "../../"
+  source = "../../"
 
   kms_key_arn    = aws_kms_key.default
   s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}"

examples/jira-integration/main.tf

@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 resource "aws_kms_key" "default" {
+  #checkov:skip=CKV2_AWS_64: In the example no KMS key policy is defined, we do recommend creating a custom policy.
   enable_key_rotation = true
 }
 
@@ -11,6 +12,7 @@ resource "random_pet" "default" {
 }
 
 resource "aws_secretsmanager_secret" "jira_credentials" {
+  #checkov:skip=CKV2_AWS_57: automatic rotation of the jira credentials is recommended.
   description = "Security Hub Findings Manager Jira Credentials Secret"
   kms_key_id  = aws_kms_key.default
   name        = "lambda/jira_credentials_secret"
@@ -27,8 +29,7 @@ resource "aws_secretsmanager_secret_version" "jira_credentials" {
 }
 
 module "security_hub_manager" {
-  providers = { aws = aws }
-  source    = "../../"
+  source = "../../"
 
   kms_key_arn    = aws_kms_key.default
   s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}"
@@ -38,15 +39,13 @@ module "security_hub_manager" {
     enabled                = true
     credentials_secret_arn = aws_secretsmanager_secret.jira_credentials.arn
     project_key            = "PROJECT"
-  }
-}
 
-resource "aws_security_group_rule" "lambda_jira_security_hub_to_jira" {
-  type              = "egress"
-  description       = "Allow access from lambda_jira_security_hub to Jira"
-  from_port         = 443
-  to_port           = 443
-  protocol          = "tcp"
-  cidr_blocks       = ["1.1.1.1/32"]
-  security_group_id = module.security_hub_manager.lambda_jira_security_hub_sg_id[0]
+    security_group_egress_rules = [{
+      cidr_ipv4   = "1.1.1.1/32"
+      description = "Allow access from lambda_jira_security_hub to Jira"
+      from_port   = 443
+      ip_protocol = "tcp"
+      to_port     = 443
+    }]
+  }
 }

examples/servicenow-integration/main.tf

@@ -3,6 +3,7 @@ provider "aws" {
 }
 
 resource "aws_kms_key" "default" {
+  #checkov:skip=CKV2_AWS_64: In the example no KMS key policy is defined, we do recommend creating a custom policy.
   enable_key_rotation = true
 }
 
@@ -11,8 +12,7 @@ resource "random_pet" "default" {
 }
 
 module "security_hub_manager" {
-  providers = { aws = aws }
-  source    = "../../"
+  source = "../../"
 
   kms_key_arn    = aws_kms_key.default
   s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}"

jira.tf

@@ -92,27 +92,29 @@ module "lambda_jira_deployment_package" {
 # Lambda function to create Jira ticket for Security Hub findings and set the workflow state to NOTIFIED
 module "lambda_jira_security_hub" {
   #checkov:skip=CKV_AWS_272:Code signing not used for now
-  count                        = var.jira_integration.enabled ? 1 : 0
-  providers                    = { aws.lambda = aws }
-  source                       = "github.com/schubergphilis/terraform-aws-mcaf-lambda?ref=v0.3.3"
-  name                         = var.jira_integration.lambda_settings.name
-  create_allow_all_egress_rule = var.create_allow_all_egress_rule
-  create_policy                = false
-  create_s3_dummy_object       = false
-  description                  = "Lambda to create jira ticket and set the Security Hub workflow status to notified"
-  filename                     = module.lambda_jira_deployment_package[0].local_filename
-  handler                      = "securityhub_jira.lambda_handler"
-  kms_key_arn                  = var.kms_key_arn
-  log_retention                = 365
-  memory_size                  = var.jira_integration.lambda_settings.memory_size
-  role_arn                     = module.lambda_jira_security_hub_role[0].arn
-  runtime                      = "python3.8"
-  s3_bucket                    = var.s3_bucket_name
-  s3_key                       = module.lambda_jira_deployment_package[0].s3_object.key
-  s3_object_version            = module.lambda_jira_deployment_package[0].s3_object.version_id
-  subnet_ids                   = var.subnet_ids
-  tags                         = var.tags
-  timeout                      = var.jira_integration.lambda_settings.timeout
+  count = var.jira_integration.enabled ? 1 : 0
+
+  source  = "schubergphilis/mcaf-lambda/aws"
+  version = "~> 1.1.0"
+
+  name                        = var.jira_integration.lambda_settings.name
+  create_policy               = false
+  create_s3_dummy_object      = false
+  description                 = "Lambda to create jira ticket and set the Security Hub workflow status to notified"
+  filename                    = module.lambda_jira_deployment_package[0].local_filename
+  handler                     = "securityhub_jira.lambda_handler"
+  kms_key_arn                 = var.kms_key_arn
+  log_retention               = 365
+  memory_size                 = var.jira_integration.lambda_settings.memory_size
+  role_arn                    = module.lambda_jira_security_hub_role[0].arn
+  runtime                     = var.jira_integration.lambda_settings.runtime
+  s3_bucket                   = var.s3_bucket_name
+  s3_key                      = module.lambda_jira_deployment_package[0].s3_object.key
+  s3_object_version           = module.lambda_jira_deployment_package[0].s3_object.version_id
+  security_group_egress_rules = var.jira_integration.security_group_egress_rules
+  subnet_ids                  = var.subnet_ids
+  tags                        = var.tags
+  timeout                     = var.jira_integration.lambda_settings.timeout
 
   environment = {
     EXCLUDE_ACCOUNT_FILTER      = jsonencode(var.jira_integration.exclude_account_ids)

modules/servicenow/variables.tf

@@ -1,6 +1,6 @@
 variable "cloudwatch_retention_days" {
   type        = number
-  default     = 14
+  default     = 365
   description = "Time to retain the CloudWatch Logs for the ServiceNow integration"
 }
 

servicenow.tf

@@ -3,7 +3,8 @@ module "servicenow_integration" {
   count  = var.servicenow_integration.enabled ? 1 : 0
   source = "./modules/servicenow/"
 
-  create_access_keys = var.servicenow_integration.create_access_keys
-  kms_key_arn        = var.kms_key_arn
-  tags               = var.tags
+  cloudwatch_retention_days = var.servicenow_integration.cloudwatch_retention_days
+  create_access_keys        = var.servicenow_integration.create_access_keys
+  kms_key_arn               = var.kms_key_arn
+  tags                      = var.tags
 }