Brad Poulton %!s(int64=3) %!d(string=hai) anos
pai
achega
0a4cec9c0a
Modificáronse 2 ficheiros con 92 adicións e 2 borrados
  1. 4 2
      base/threatquotient_lambda/main.tf
  2. 88 0
      base/threatquotient_lambda/s3.tf

+ 4 - 2
base/threatquotient_lambda/main.tf

@@ -38,8 +38,10 @@ resource "aws_security_group_rule" "threatq_lambda_splunk_out" {
 # Env variables for bootstrap only; true secrets should be in vault
 resource "aws_lambda_function" "function" {
   description      = "Sync data between ThreatQ and Splunk"
-  filename         = "code.zip"
-  source_code_hash = filebase64sha256("code.zip")
+  #filename         = "code.zip"
+  #source_code_hash = filebase64sha256("code.zip")
+  s3_bucket        = aws_s3_bucket.bucket
+  s3_key           = "code.zip"
   function_name    = "threatq_data_sync"
   role             = aws_iam_role.role.arn
   handler          = "lambda_function.lambda_handler"
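Review bot: `s3_bucket        = aws_s3_bucket.bucket` on the new side assigns the whole resource object where the argument takes the bucket name as a string; it should be `s3_bucket        = aws_s3_bucket.bucket.id`. Commenting out `source_code_hash` also means a new code.zip uploaded under the same key will not trigger a function update, since the function is only re-read when `s3_key`, `s3_object_version` or `source_code_hash` changes; keep `source_code_hash = filebase64sha256("code.zip")` if the zip is still built locally, or set `s3_object_version` from the uploaded object on a versioned bucket. Nothing in this commit uploads code.zip to the new bucket, so presumably that happens out of band; a comment naming that process would help the next maintainer. The aws_lambda_function block continues past the end of the hunk.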

+ 88 - 0
base/threatquotient_lambda/s3.tf

@@ -0,0 +1,88 @@
+resource "aws_s3_bucket" "bucket" {
+  bucket        = "xdr-threatq-lambda-${var.environment}"
+  force_destroy = true
+  acl           = "private"
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = aws_kms_key.key.arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "public_access_block" {
+  bucket                  = aws_s3_bucket.bucket.id
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+
+  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
+  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
+  depends_on = [aws_s3_bucket_policy.policy]
+}
+
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.policy_document.json
+}
+
+data "aws_iam_policy_document" "policy_document" {
+  statement {
+    sid = "AllowS3Access"
+    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
+    effect = "Allow"
+    resources = [
+        "${aws_s3_bucket.bucket.arn}",
+        "${aws_s3_bucket.bucket.arn}/*"
+      ]
+    principals {
+      type = "AWS"
+      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
+    }
+  }
+}
+
+resource "aws_kms_key" "key" {
+  description             = "Encryption of lambda code in S3"
+  policy                  = data.aws_iam_policy_document.kms_policy_document.json
+  enable_key_rotation     = true
+  tags                    = merge(var.standard_tags, var.tags)
+}
+
+data "aws_iam_policy_document" "kms_policy_document" {
+  statement {
+    sid = "AllowServices"
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [ 
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
+        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
+        ]
+    }
+    actions   = [ "kms:*" ]
+    resources = [ "*" ]
+  }
+  # allow account to modify/manage key
+  statement {
+    sid = "AllowThisAccount"
+    effect = "Allow"
+    principals {
+      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
+      type = "AWS"
+    }
+    actions = [
+      "kms:*"
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_kms_alias" "key_alias" {
+  name          = "alias/threatq-lambda-s3-key"
+  target_key_id = aws_kms_key.key.key_id
+}
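Review bot: The two statements in kms_policy_document overlap: AllowThisAccount grants `kms:*` to the account root, which lets IAM policies in the account grant any KMS action on the key, so the AllowServices grant to `mdr_terraformer` and `MDRAdmin` adds nothing beyond what their IAM policies already allow and does not pin key administration to those principals. If the intent is a restricted set of key administrators, drop the root statement or narrow it to the usage actions the code object needs (`kms:Decrypt`, `kms:GenerateDataKey*`), and document which principals, including the Lambda execution role, must be able to decrypt. The bucket has no `versioning` block, which `s3_object_version` in main.tf would depend on, and `force_destroy = true` means a `terraform destroy` removes the deployed code object together with the bucket, which is worth a comment if intended. For consistency with the key, the bucket could also carry `tags = merge(var.standard_tags, var.tags)`.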