
Adjust Lambda IAM Policy

Brad Poulton 3 年之前
父节点
当前提交
2e4dd1f5cd

+ 2 - 0
base/customer_portal_lambda/README.md

@@ -1 +1,3 @@
 # Customer Portal Lambda
+
+Note there is a dependence in 005-iam for the PassRole action for the portal role.

+ 4 - 0
base/threatquotient_lambda/README.md

@@ -0,0 +1,4 @@
+# Threatquotient_lambda
+
+Note, this lambda function creates the threatq-data-sync-lambda-role. There is a dependence in 005-iam for the PassRole action for the role. There is also a dependency on the Vault containing the correct values. 
+

+ 8 - 0
base/threatquotient_lambda/iam.tf

@@ -13,6 +13,14 @@ data "aws_iam_policy_document" "policy_document" {
     ]
     resources = ["*"]
   }
+  statement {
+    effect = "Allow"
+    actions = [ "s3:*", ]
+    resources = [ 
+    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}",
+    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}/*",
+    ]
+  }
 }
 
 resource "aws_iam_policy" "policy" {
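Review bot: The resource ARNs in the new statement double the prefix: `aws_s3_bucket.bucket.arn` already evaluates to `arn:<partition>:s3:::<bucket>`, so `arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}` produces an ARN that matches nothing and the grant is silently ineffective. Use the attribute directly: `aws_s3_bucket.bucket.arn,` and `"${aws_s3_bucket.bucket.arn}/*",`. `s3:*` also hands the function's execution role bucket-management actions (policy, lifecycle and deletion), which a data-sync function has no reason to hold; listing the object operations it actually performs keeps the role least-privilege. The `policy_document` data source starts above the hunk.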

+ 4 - 2
base/threatquotient_lambda/main.tf

@@ -38,8 +38,10 @@ resource "aws_security_group_rule" "threatq_lambda_splunk_out" {
 # Env variables for bootstrap only; true secrets should be in vault
 resource "aws_lambda_function" "function" {
   description      = "Sync data between ThreatQ and Splunk"
-  filename         = "code.zip"
-  source_code_hash = filebase64sha256("code.zip")
+  #filename         = "code.zip"
+  #source_code_hash = filebase64sha256("code.zip")
+  s3_bucket        = aws_s3_bucket.bucket.id
+  s3_key           = "code.zip"
   function_name    = "threatq_data_sync"
   role             = aws_iam_role.role.arn
   handler          = "lambda_function.lambda_handler"
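Review bot: Commenting out `source_code_hash` means Terraform no longer notices when code.zip changes — with `s3_bucket`/`s3_key` the function is only updated when one of those arguments changes, so uploading a new package under the same key will not redeploy it. Keep `source_code_hash = filebase64sha256("code.zip")` (it is valid alongside the S3 arguments) and reference the uploaded object, `s3_key = aws_s3_bucket_object.object.key`, so Terraform orders the upload before the function is created instead of relying on a literal key. The two commented-out lines should be deleted rather than left as dead configuration. The `aws_lambda_function` block continues past the hunk.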

+ 14 - 6
base/threatquotient_lambda/s3.tf

@@ -25,12 +25,7 @@ resource "aws_s3_bucket_public_access_block" "public_access_block" {
   depends_on = [aws_s3_bucket_policy.policy]
 }
 
-resource "aws_s3_bucket_policy" "policy" {
-  bucket = aws_s3_bucket.bucket.id
-  policy = data.aws_iam_policy_document.policy_document.json
-}
-
-data "aws_iam_policy_document" "policy_document" {
+data "aws_iam_policy_document" "s3_policy_document" {
   statement {
     sid = "AllowS3Access"
     actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
@@ -46,6 +41,11 @@ data "aws_iam_policy_document" "policy_document" {
   }
 }
 
+resource "aws_s3_bucket_policy" "policy" {
+  bucket = aws_s3_bucket.bucket.id
+  policy = data.aws_iam_policy_document.s3_policy_document.json
+}
+
 resource "aws_kms_key" "key" {
   description             = "Encryption of lambda code in S3"
   policy                  = data.aws_iam_policy_document.kms_policy_document.json
@@ -85,4 +85,12 @@ data "aws_iam_policy_document" "kms_policy_document" {
 resource "aws_kms_alias" "key_alias" {
   name          = "alias/threatq-lambda-s3-key"
   target_key_id = aws_kms_key.key.key_id
+}
+
+#upload the initial code as a placeholder
+resource "aws_s3_bucket_object" "object" {
+  bucket = aws_s3_bucket.bucket.id
+  key    = "code.zip"
+  source = "code.zip"
+  etag = filemd5("code.zip")
 }
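Review bot: `etag = filemd5("code.zip")` on the new `aws_s3_bucket_object` tracks changes reliably only for unencrypted or SSE-S3 objects; this module creates a KMS key described as "Encryption of lambda code in S3", and for SSE-KMS objects the ETag S3 returns is not the content MD5, so Terraform will either report a perpetual diff or miss a changed package. Whether default bucket encryption with that key is configured is outside the hunk, but if it is, newer provider versions offer `source_hash` for exactly this case, and setting `kms_key_id = aws_kms_key.key.arn` on the object would make the intended encryption explicit. The comment `#upload the initial code as a placeholder` also deserves a sentence on how later deployments are expected to replace the object, since a `source`/`etag` pair will try to re-upload the local placeholder on every apply after the key changes.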