
Removes threatq lambda

Brad Poulton 3 سال پیش
والد
کامیت
3b075c15cb

+ 5 - 1
base/customer_portal_lambda/README.md

@@ -1,3 +1,7 @@
 # Customer Portal Lambda
 
-NOTE: There is a dependence in 005-iam (submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf) for the PassRole action for the role. There is also a dependency on the Vault containing the correct values.
+NOTE: There is a dependence in 005-iam (submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf) for the PassRole action for the role. There is also a dependency on the Vault containing the correct values.
+
+The customer portal lambda is made up of two lambda functions. One is the scheduler and one actually runs the code. 
+
+Please note this lambda function has been updated to include the ThreatQ lambda. The threatq lambda does not add an additional AWS lambda, instead it is just added in the python code and piggy backs off the lambdas in this module. 

+ 0 - 8
base/customer_portal_lambda/s3.tf

@@ -87,11 +87,3 @@ resource "aws_kms_alias" "key_alias" {
   name          = "alias/portal-s3-key"
   target_key_id = aws_kms_key.key.key_id
 }
-
-#upload the initial code as a placeholder
-resource "aws_s3_bucket_object" "object" {
-  bucket = aws_s3_bucket.bucket.id
-  key    = "code.zip"
-  source = "code.zip"
-  etag = filemd5("code.zip")
-}

+ 0 - 4
base/threatquotient_lambda/README.md

@@ -1,4 +0,0 @@
-# Threatquotient_lambda
-
-Note, this lambda function creates the threatq-data-sync-lambda-role. There is a dependence in 005-iam for the PassRole action for the role. There is also a dependency on the Vault containing the correct values. 
-

+ 0 - 36
base/threatquotient_lambda/cloudwatch.tf

@@ -1,36 +0,0 @@
-resource "aws_cloudwatch_log_group" "function" {
-  name              = "/aws/lambda/${aws_lambda_function.function.function_name}"
-  retention_in_days = 14
-  tags = merge(var.standard_tags, var.tags)
-}
-
-
-###
-### Trigger Portal Sync Lambda with Rules and Targets
-###
-
-### Time-based rules for portal sync:
-resource "aws_cloudwatch_event_rule" "event_rule" {
-  name = "threatq-lambda-data-sync"
-  description = "Rule for threatq data sync lambda function - every 20 minutes"
-  schedule_expression = "rate(20 minutes)"
-  is_enabled = var.environment == "test" ? false : true
-  tags = merge(var.standard_tags, var.tags)
-}
-
-### Time-based targets for portal sync:
-resource "aws_cloudwatch_event_target" "event_target" {
-  target_id = "ThreatQSync"
-  rule = aws_cloudwatch_event_rule.event_rule.name
-  arn  = aws_lambda_function.function.arn
-}
-
-### Invoke permissions for Time-based rules for portal sync:
-resource "aws_lambda_permission" "permission" {
-  statement_id  = "AllowExecutionFromCloudWatch"
-  action        = "lambda:InvokeFunction"
-  function_name = aws_lambda_function.function.function_name
-  principal     = "events.amazonaws.com"
-  source_arn    = aws_cloudwatch_event_rule.event_rule.arn
-}
-

BIN
base/threatquotient_lambda/code.zip


+ 0 - 57
base/threatquotient_lambda/iam.tf

@@ -1,57 +0,0 @@
-data "aws_iam_policy_document" "policy_document" {
-  statement {
-    effect = "Allow"
-    actions = [
-      "ec2:CreateNetworkInterface",
-      "logs:CreateLogStream",
-      "ec2:DescribeNetworkInterfaces",
-      "logs:DescribeLogStreams",
-      "ec2:DeleteNetworkInterface",
-      "logs:PutRetentionPolicy",
-      "logs:CreateLogGroup",
-      "logs:PutLogEvents",
-    ]
-    resources = ["*"]
-  }
-  statement {
-    effect = "Allow"
-    actions = [ "s3:*", ]
-    resources = [ 
-    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}",
-    "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket.arn}/*",
-    ]
-  }
-}
-
-resource "aws_iam_policy" "policy" {
-  name        = "threatq_data_sync_lambda"
-  path        = "/"
-  policy      = data.aws_iam_policy_document.policy_document.json
-  description = "IAM policy for threatq_data_sync_lambda"
-}
-
-resource "aws_iam_role" "role" {
-  name     = "threatq-data-sync-lambda-role"
-  assume_role_policy = <<EOF
-{
-"Version": "2012-10-17",
-"Statement": [
-    { 
-    "Sid": "",
-    "Effect": "Allow",
-    "Principal": {
-        "Service": [
-        "lambda.amazonaws.com"
-        ]
-    },
-    "Action": "sts:AssumeRole"
-    }
-]
-}
-EOF
-}
-
-resource "aws_iam_role_policy_attachment" "policy_attachment" {
-  role       = aws_iam_role.role.name
-  policy_arn = aws_iam_policy.policy.arn
-}

+ 0 - 69
base/threatquotient_lambda/main.tf

@@ -1,69 +0,0 @@
-locals {
-  environment_vars = {
-      "HTTP_PROXY"             = "http://${var.proxy}"
-      "HTTPS_PROXY"            = "http://${var.proxy}"
-      "NO_PROXY"               = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
-      "VAULT_HOST"             = "vault.${var.dns_info["private"]["zone"]}"
-      "VAULT_PATH"             = "threatq-lambda/data/lambda_sync_env"
-      "PYTHONWARNINGS"         = "ignore:Unverified HTTPS request"
-  }
-}
-
-####
-#
-#Security Group
-#
-####
-data "aws_security_group" "typical-host" {
-  name   = "typical-host"
-  vpc_id = var.vpc_id
-}
-
-resource "aws_security_group" "threatq_lambda_splunk_sg" {
-  vpc_id      = var.vpc_id
-  name        = "threatq-data-sync-lambda-splunk-sg"
-  description = "Allow Lambda access to Splunk"
-}
-
-resource "aws_security_group_rule" "threatq_lambda_splunk_out" {
-  type              = "egress"
-  from_port         = 8089
-  to_port           = 8089
-  protocol          = "tcp"
-  cidr_blocks       = ["10.0.0.0/8"]
-  description       = "All Splunk SH"
-  security_group_id = aws_security_group.threatq_lambda_splunk_sg.id
-}
-
-# Env variables for bootstrap only; true secrets should be in vault
-resource "aws_lambda_function" "function" {
-  description      = "Sync data between ThreatQ and Splunk"
-  #filename         = "code.zip"
-  #source_code_hash = filebase64sha256("code.zip")
-  s3_bucket        = aws_s3_bucket.bucket.id
-  s3_key           = "code.zip"
-  function_name    = "threatq_data_sync"
-  role             = aws_iam_role.role.arn
-  handler          = "lambda_function.lambda_handler"
-  runtime          = "python3.8"
-  timeout          = "900"
-  vpc_config {
-    subnet_ids          = var.subnets
-    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.threatq_lambda_splunk_sg.id ]
-  }
-  environment { 
-    variables = merge(local.environment_vars)
-  }
-  tags = merge(var.standard_tags, var.tags)
-
-  lifecycle {
-    # Ignoring changes to the code of the function so that we won't
-    # overlay changes to the function made outside of terraform.  Installing
-    # new versions of a lambda should not be a terraform-ish action we don't think
-    ignore_changes = [
-      last_modified,
-      source_code_hash
-    ]
-  }
-
-}

+ 0 - 96
base/threatquotient_lambda/s3.tf

@@ -1,96 +0,0 @@
-resource "aws_s3_bucket" "bucket" {
-  bucket        = "xdr-threatq-lambda-${var.environment}"
-  force_destroy = true
-  acl           = "private"
-
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        kms_master_key_id = aws_kms_key.key.arn
-        sse_algorithm     = "aws:kms"
-      }
-    }
-  }
-}
-
-resource "aws_s3_bucket_public_access_block" "public_access_block" {
-  bucket                  = aws_s3_bucket.bucket.id
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-
-  # Not technically dependent, but prevents a "Conflicting conditional operation" conflict.
-  # See https://github.com/hashicorp/terraform-provider-aws/issues/7628
-  depends_on = [aws_s3_bucket_policy.policy]
-}
-
-data "aws_iam_policy_document" "s3_policy_document" {
-  statement {
-    sid = "AllowS3Access"
-    actions = [ "s3:GetObject", "s3:GetObjectVersion" ]
-    effect = "Allow"
-    resources = [
-        "${aws_s3_bucket.bucket.arn}",
-        "${aws_s3_bucket.bucket.arn}/*"
-      ]
-    principals {
-      type = "AWS"
-      identifiers = [ "arn:${var.aws_partition}:iam::${var.aws_account_id}:root" ]
-    }
-  }
-}
-
-resource "aws_s3_bucket_policy" "policy" {
-  bucket = aws_s3_bucket.bucket.id
-  policy = data.aws_iam_policy_document.s3_policy_document.json
-}
-
-resource "aws_kms_key" "key" {
-  description             = "Encryption of lambda code in S3"
-  policy                  = data.aws_iam_policy_document.kms_policy_document.json
-  enable_key_rotation     = true
-  tags                    = merge(var.standard_tags, var.tags)
-}
-
-data "aws_iam_policy_document" "kms_policy_document" {
-  statement {
-    sid = "AllowServices"
-    effect = "Allow"
-    principals {
-      type = "AWS"
-      identifiers = [ 
-        "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/user/mdr_terraformer",
-        "arn:${var.aws_partition}:iam::${var.aws_account_id}:user/MDRAdmin"
-        ]
-    }
-    actions   = [ "kms:*" ]
-    resources = [ "*" ]
-  }
-  # allow account to modify/manage key
-  statement {
-    sid = "AllowThisAccount"
-    effect = "Allow"
-    principals {
-      identifiers = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:root"]
-      type = "AWS"
-    }
-    actions = [
-      "kms:*"
-    ]
-    resources = ["*"]
-  }
-}
-
-resource "aws_kms_alias" "key_alias" {
-  name          = "alias/threatq-lambda-s3-key"
-  target_key_id = aws_kms_key.key.key_id
-}
-
-#upload the initial code as a placeholder
-resource "aws_s3_bucket_object" "object" {
-  bucket = aws_s3_bucket.bucket.id
-  key    = "code.zip"
-  source = "code.zip"
-  etag = filemd5("code.zip")
-}

+ 0 - 16
base/threatquotient_lambda/vars.tf

@@ -1,16 +0,0 @@
-variable "tags" { type = map }
-variable "dns_info" { type = map }
-variable "cidr_map" { type = map }
-variable "instance_termination_protection" { type = bool }
-variable "standard_tags" { type = map }
-variable "environment" { type = string }
-variable "trusted_ips" { type = list }
-variable "aws_region" { type = string }
-variable "aws_partition" { type = string }
-variable "aws_partition_alias" { type = string }
-variable "aws_account_id" { type = string }
-variable "common_services_account" { type = string }
-variable "vpc_id" { type = string }
-variable "subnets" { type = list(string) }
-variable "proxy" { type = string }
-