
Revert lambda and add S3 for portal lambda

Brad Poulton 3 years ago
parent
commit
000eafb813

+ 1 - 1
base/customer_portal_lambda/README.md

@@ -1,3 +1,3 @@
 # Customer Portal Lambda
 
-Note there is a dependence in 005-iam for the PassRole action for the portal role.
+NOTE: There is a dependence in 005-iam (submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf) for the PassRole action for the role. There is also a dependency on the Vault containing the correct values.

+ 89 - 81
base/customer_portal_lambda/s3.tf

@@ -1,89 +1,97 @@
-# # TO BE IMPLEMENTED AT A LATER DATE!
-# resource "aws_s3_bucket" "bucket" {
-#   bucket        = "xdr-portal-lambda-${var.environment}"
-#   force_destroy = true
-#   acl           = "private"
+resource "aws_s3_bucket" "bucket" {
+  bucket        = "xdr-portal-lambda-${var.environment}"
+  force_destroy = true
+  acl           = "private"
 
-#   server_side_encryption_configuration {
-#     rule {
-#       apply_server_side_encryption_by_default {
-#         kms_master_key_id = aws_kms_key.key.arn
-#         sse_algorithm     = "aws:kms"
-#       }
-#     }
-#   }
-# }
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.key.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
 
-# resource "aws_s3_bucket_public_access_block" "public_access_block" {
-#   bucket                  = aws_s3_bucket.bucket.id
-#   block_public_acls       = true
-#   block_public_policy     = true
-#   ignore_public_acls      = true
-#   restrict_public_buckets = true
+resource "aws_s3_bucket_public_access_block" "public_access_block" {
+  bucket                  = aws_s3_bucket.bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
 
-#   # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
-#   # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
-#   depends_on = [aws_s3_bucket_policy.policy]
-# }
+  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
+  depends_on = [aws_s3_bucket_policy.policy]
+}
 
-# resource "aws_s3_bucket_policy" "policy" {
-#   bucket = aws_s3_bucket.bucket.id
-#   policy = data.aws_iam_policy_document.policy_document.json
-# }
+data "aws_iam_policy_document" "s3_policy_document" {
+  statement {
+    sid = "AllowS3Access"
+    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    effect = "Allow"
+    resources = [
+        "${aws_s3_bucket.bucket.arn}",
+        "${aws_s3_bucket.bucket.arn}/*"
+      ]
+    principals {
+      type = "AWS"
+      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
+    }
+  }
+}
 
-# data "aws_iam_policy_document" "policy_document" {
-#   statement {
-#     sid = "AllowS3Access"
-#     actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-#     effect = "Allow"
-#     resources = [
-#         "${aws_s3_bucket.bucket.arn}",
-#         "${aws_s3_bucket.bucket.arn}/*"
-#       ]
-#     principals {
-#       type = "AWS"
-#       identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
-#     }
-#   }
-# }
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.s3_policy_document.json
+}
 
-# resource "aws_kms_key" "key" {
-#   description             = "Encryption of S3 code for portal-scheduler"
-#   policy                  = data.aws_iam_policy_document.kms_policy_document.json
-#   enable_key_rotation     = true
-#   tags                    = merge(var.standard_tags, var.tags)
-# }
 
-# data "aws_iam_policy_document" "kms_policy_document" {
-#   statement {
-#     sid = "AllowServices"
-#     effect = "Allow"
-#     principals {
-#       type = "AWS"
-#       identifiers = [ 
-#         "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
-#         "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-#         ]
-#     }
-#     actions   = [ "kms:*" ]
-#     resources = [ "*" ]
-#   }
-#   # allow account to modify/manage key
-#   statement {
-#     sid = "AllowThisAccount"
-#     effect = "Allow"
-#     principals {
-#       identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-#       type = "AWS"
-#     }
-#     actions = [
-#       "kms:*"
-#     ]
-#     resources = ["*"]
-#   }
-# }
+resource "aws_kms_key" "key" {
+  description             = "Encryption of S3 code for portal-scheduler"
+  policy                  = data.aws_iam_policy_document.kms_policy_document.json
+  enable_key_rotation     = true
+  tags                    = merge(var.standard_tags, var.tags)
+}
 
-# resource "aws_kms_alias" "key_alias" {
-#   name          = "alias/portal-s3-key"
-#   target_key_id = aws_kms_key.key.key_id
-# }
+data "aws_iam_policy_document" "kms_policy_document" {
+  statement {
+    sid = "AllowServices"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
+        ]
+    }
+    actions   = [ "kms:*" ]
+    resources = [ "*" ]
+  }
+  # allow account to modify/manage key
+  statement {
+    sid = "AllowThisAccount"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
+      type = "AWS"
+    }
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_alias" "key_alias" {
+  name          = "alias/portal-s3-key"
+  target_key_id = aws_kms_key.key.key_id
+}
+
+#upload the initial code as a placeholder
+resource "aws_s3_bucket_object" "object" {
+  bucket = aws_s3_bucket.bucket.id
+  key    = "code.zip"
+  source = "code.zip"
+  etag = filemd5("code.zip")
+}

+ 5 - 5
base/vault-configuration/engines.tf

@@ -50,11 +50,11 @@ resource "vault_mount" "portal" {
   description = "portal"
 }
 
-resource "vault_mount" "threatq-lambda" {
-  path        = "threatq-lambda"
-  type        = "kv-v2"
-  description = "threatq-lambda"
-}
+# resource "vault_mount" "threatq-lambda" {
+#   path        = "threatq-lambda"
+#   type        = "kv-v2"
+#   description = "threatq-lambda"
+# }
 
 resource "vault_mount" "phantom" {
   path        = "phantom"
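Review bot: Commenting out `vault_mount` "threatq-lambda" makes Terraform disable the `threatq-lambda` kv-v2 secrets engine, and disabling a mount permanently deletes every secret stored under it. If ThreatQ credentials were already seeded there, export them before applying, or leave the mount in place and only drop the auth role and policy (the other two Vault files in this commit), which is enough to revoke the lambda's access. The surrounding `vault_mount` "portal" resource starts outside the hunk.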

+ 10 - 10
base/vault-configuration/main.tf

@@ -114,16 +114,16 @@ resource "vault_aws_auth_backend_role" "portal-data-sync-lambda-role" {
   token_policies                  = ["portal"]
 }
 
-resource "vault_aws_auth_backend_role" "threatq-data-sync-lambda-role" {
-  backend                         = vault_auth_backend.aws.path
-  role                            = "threatq-data-sync-lambda-role"
-  auth_type                       = "iam"
-  bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/threatq-data-sync-lambda-role"]
-  #inferred_aws_region             = "us-gov-east-1"
-  token_ttl                       = 60
-  token_max_ttl                   = 86400
-  token_policies                  = ["threatq"]
-}
+# resource "vault_aws_auth_backend_role" "threatq-data-sync-lambda-role" {
+#   backend                         = vault_auth_backend.aws.path
+#   role                            = "threatq-data-sync-lambda-role"
+#   auth_type                       = "iam"
+#   bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/threatq-data-sync-lambda-role"]
+#   #inferred_aws_region             = "us-gov-east-1"
+#   token_ttl                       = 60
+#   token_max_ttl                   = 86400
+#   token_policies                  = ["threatq"]
+# }
 
 
 #----------------------------------------------------------------------------

+ 13 - 13
base/vault-configuration/policies.tf

@@ -82,19 +82,19 @@ resource "vault_policy" "portal" {
   policy = data.vault_policy_document.portal.hcl
 }
 
-#threatq
-data "vault_policy_document" "threatq" {
-  rule {
-    path         = "threatq-lambda*"
-    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-    description  = "threatq-lambda"
-  }
-}
-
-resource "vault_policy" "threatq" {
-  name   = "threatq"
-  policy = data.vault_policy_document.threatq.hcl
-}
+# #threatq
+# data "vault_policy_document" "threatq" {
+#   rule {
+#     path         = "threatq-lambda*"
+#     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+#     description  = "threatq-lambda"
+#   }
+# }
+
+# resource "vault_policy" "threatq" {
+#   name   = "threatq"
+#   policy = data.vault_policy_document.threatq.hcl
+# }
 
 #salt-master should be able to only create tokens
 data "vault_policy_document" "salt-master" {

+ 0 - 1
submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf

@@ -41,7 +41,6 @@ data "aws_iam_policy_document" "mdr_terraformer" {
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/salt-master-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-data-sync-lambda-role",
-			"arn:${local.aws_partition}:iam::${local.aws_account}:role/threatq-data-sync-lambda-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/msoc-default-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/ecsFargateTaskExecutionRole",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/dlm-lifecycle-role",