
Initial Commit to add Threatq_lambda

Brad Poulton 3 år sedan
förälder
incheckning
579feedaab

+ 36 - 0
base/threatquotient_lambda/cloudwatch.tf

@@ -0,0 +1,36 @@
+resource "aws_cloudwatch_log_group" "function" {
+  name              = "/aws/lambda/${aws_lambda_function.function.function_name}"
+  retention_in_days = 14
+  tags = merge(var.standard_tags, var.tags)
+}
+
+
+###
+### Trigger Portal Sync Lambda with Rules and Targets
+###
+
+### Time-based rules for portal sync:
+resource "aws_cloudwatch_event_rule" "event_rule" {
+  name = "threatq-lambda-data-sync"
+  description = "Rule for threatq data sync lambda function - every 20 minutes"
+  schedule_expression = "rate(20 minutes)"
+  is_enabled = var.environment == "test" ? false : true
+  tags = merge(var.standard_tags, var.tags)
+}
+
+### Time-based targets for portal sync:
+resource "aws_cloudwatch_event_target" "event_target" {
+  target_id = "ThreatQSync"
+  rule = aws_cloudwatch_event_rule.event_rule.name
+  arn  = aws_lambda_function.function.arn
+}
+
+### Invoke permissions for Time-based rules for portal sync:
+resource "aws_lambda_permission" "permission" {
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.function.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.event_rule.arn
+}
+
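Review bot: The three comment headers `### Trigger Portal Sync Lambda with Rules and Targets`, `### Time-based rules for portal sync:` and `### Invoke permissions for Time-based rules for portal sync:` still describe the portal sync module this file was evidently copied from, while every resource under them is the ThreatQ sync; rename them, e.g. `### Trigger ThreatQ Sync Lambda with Rules and Targets`, so a reader does not go looking for a second function. On a style point, `is_enabled = var.environment == "test" ? false : true` is a conditional over an already-boolean expression and reads better as `is_enabled = var.environment != "test"`. A one-line comment on why the schedule is disabled in test would also help, since the rule is otherwise identical across environments.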

BIN
base/threatquotient_lambda/code.zip


+ 49 - 0
base/threatquotient_lambda/iam.tf

@@ -0,0 +1,49 @@
+data "aws_iam_policy_document" "policy_document" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ec2:CreateNetworkInterface",
+      "logs:CreateLogStream",
+      "ec2:DescribeNetworkInterfaces",
+      "logs:DescribeLogStreams",
+      "ec2:DeleteNetworkInterface",
+      "logs:PutRetentionPolicy",
+      "logs:CreateLogGroup",
+      "logs:PutLogEvents",
+    ]
+    resources = ["*"]
+  }
+}
+
+resource "aws_iam_policy" "policy" {
+  name        = "threatq_data_sync_lambda"
+  path        = "/"
+  policy      = data.aws_iam_policy_document.policy_document.json
+  description = "IAM policy for threatq_data_sync_lambda"
+}
+
+resource "aws_iam_role" "role" {
+  name     = "threatq-data-sync-lambda-role"
+  assume_role_policy = <<EOF
+{
+"Version": "2012-10-17",
+"Statement": [
+    { 
+    "Sid": "",
+    "Effect": "Allow",
+    "Principal": {
+        "Service": [
+        "lambda.amazonaws.com"
+        ]
+    },
+    "Action": "sts:AssumeRole"
+    }
+]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "policy_attachment" {
+  role       = aws_iam_role.role.name
+  policy_arn = aws_iam_policy.policy.arn
+}
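Review bot: The single statement in `policy_document` grants every action on `resources = ["*"]`, including `logs:CreateLogGroup` and `logs:PutRetentionPolicy`, yet the log group is created and its retention set by Terraform in cloudwatch.tf, so the function never needs those two actions and can write to one named log group rather than all of them. Splitting the statement keeps the ENI actions on `*` (as the AWS-managed VPC access policy does) while scoping the logs actions to the function's own log group using the `aws_partition`, `aws_region` and `aws_account_id` variables this module already declares. The heredoc `assume_role_policy` would also be more consistent with the data source above if expressed as a second `aws_iam_policy_document`, but that is cosmetic.
```terraform
data "aws_iam_policy_document" "policy_document" {
  # ENI management for a VPC-attached Lambda; kept on "*" as in the AWS-managed VPC access policy
  statement {
    effect = "Allow"
    actions = [
      "ec2:CreateNetworkInterface",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DeleteNetworkInterface",
    ]
    resources = ["*"]
  }
  # The log group is managed by Terraform (cloudwatch.tf); the function only needs to write streams into it
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:DescribeLogStreams",
      "logs:PutLogEvents",
    ]
    resources = ["arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:/aws/lambda/threatq_data_sync:*"]
  }
}
# … unchanged: aws_iam_policy, aws_iam_role, aws_iam_role_policy_attachment …
```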

+ 67 - 0
base/threatquotient_lambda/main.tf

@@ -0,0 +1,67 @@
+locals {
+  environment_vars = {
+      "HTTP_PROXY"             = "http://${var.proxy}"
+      "HTTPS_PROXY"            = "http://${var.proxy}"
+      "NO_PROXY"               = "${var.dns_info["legacy_private"]["zone"]},${var.dns_info["private"]["zone"]}"
+      "VAULT_HOST"             = "vault.${var.dns_info["private"]["zone"]}"
+      "VAULT_PATH"             = "threatq-lambda/data/lambda_sync_env"
+      "PYTHONWARNINGS"         = "ignore:Unverified HTTPS request"
+  }
+}
+
+####
+#
+#Security Group
+#
+####
+data "aws_security_group" "typical-host" {
+  name   = "typical-host"
+  vpc_id = var.vpc_id
+}
+
+resource "aws_security_group" "threatq_lambda_splunk_sg" {
+  vpc_id      = var.vpc_id
+  name        = "threatq-data-sync-lambda-splunk-sg"
+  description = "Allow Lambda access to Splunk"
+}
+
+resource "aws_security_group_rule" "threatq_lambda_splunk_out" {
+  type              = "egress"
+  from_port         = 8089
+  to_port           = 8089
+  protocol          = "tcp"
+  cidr_blocks       = ["10.0.0.0/8"]
+  description       = "All Splunk SH"
+  security_group_id = aws_security_group.threatq_lambda_splunk_sg.id
+}
+
+# Env variables for bootstrap only; true secrets should be in vault
+resource "aws_lambda_function" "function" {
+  description      = "Sync data between ThreatQ and Splunk"
+  filename         = "code.zip"
+  source_code_hash = filebase64sha256("code.zip")
+  function_name    = "threatq_data_sync"
+  role             = aws_iam_role.role.arn
+  handler          = "lambda_function.lambda_handler"
+  runtime          = "python3.8"
+  timeout          = "900"
+  vpc_config {
+    subnet_ids          = var.subnets
+    security_group_ids  = [ data.aws_security_group.typical-host.id, aws_security_group.threatq_lambda_splunk_sg.id ]
+  }
+  environment { 
+    variables = merge(local.environment_vars)
+  }
+  tags = merge(var.standard_tags, var.tags)
+
+  lifecycle {
+    # Ignoring changes to the code of the function so that we won't
+    # overlay changes to the function made outside of terraform.  Installing
+    # new versions of a lambda should not be a terraform-ish action we don't think
+    ignore_changes = [
+      last_modified,
+      source_code_hash
+    ]
+  }
+
+}
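Review bot: `"PYTHONWARNINGS" = "ignore:Unverified HTTPS request"` in `environment_vars` silences urllib3's InsecureRequestWarning, which is only raised when a request is made with certificate verification turned off; if the handler in code.zip disables verification toward Vault or Splunk, this line hides that condition rather than fixing it. Presumably these are internal endpoints signed by a private CA; shipping that CA bundle in the package and pointing the client at it (for requests, `REQUESTS_CA_BUNDLE`) keeps verification on and lets the warning filter be dropped, and a comment here should say why it is present until then. Two smaller points: `merge(local.environment_vars)` with a single argument is a no-op and can be `variables = local.environment_vars`, and the egress rule's description `"All Splunk SH"` on `10.0.0.0/8` would be easier to audit if it named which search heads the `/8` stands in for.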

+ 16 - 0
base/threatquotient_lambda/vars.tf

@@ -0,0 +1,16 @@
+variable "tags" { type = map }
+variable "dns_info" { type = map }
+variable "cidr_map" { type = map }
+variable "instance_termination_protection" { type = bool }
+variable "standard_tags" { type = map }
+variable "environment" { type = string }
+variable "trusted_ips" { type = list }
+variable "aws_region" { type = string }
+variable "aws_partition" { type = string }
+variable "aws_partition_alias" { type = string }
+variable "aws_account_id" { type = string }
+variable "common_services_account" { type = string }
+variable "vpc_id" { type = string }
+variable "subnets" { type = list(string) }
+variable "proxy" { type = string }
+   
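Review bot: Only `subnets` declares an element type; `tags`, `dns_info`, `cidr_map` and `standard_tags` use the bare `map` and `trusted_ips` the bare `list`, which Terraform 0.12+ treats as deprecated shorthand for `map(any)`/`list(any)` and which lets a caller pass mixed-typed values into `merge(var.standard_tags, var.tags)` on the tag attributes. Declare the constraints, e.g. `variable "tags" { type = map(string) }`, `variable "trusted_ips" { type = list(string) }`, and `map(map(string))` for `dns_info` given how main.tf indexes it. `cidr_map`, `instance_termination_protection`, `trusted_ips`, `aws_partition_alias` and `common_services_account` are not referenced by any file in this commit; if they exist only to match a shared module interface, a comment saying so saves the next reader a search, and the trailing whitespace on the last line should go.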

+ 6 - 0
base/vault-configuration/engines.tf

@@ -50,6 +50,12 @@ resource "vault_mount" "portal" {
   description = "portal"
 }
 
+resource "vault_mount" "threatq-lambda" {
+  path        = "threatq-lambda"
+  type        = "kv-v2"
+  description = "threatq-lambda"
+}
+
 resource "vault_mount" "phantom" {
   path        = "phantom"
   type        = "kv-v2"

+ 11 - 0
base/vault-configuration/main.tf

@@ -114,6 +114,17 @@ resource "vault_aws_auth_backend_role" "portal-data-sync-lambda-role" {
   token_policies                  = ["portal"]
 }
 
+resource "vault_aws_auth_backend_role" "threatq-data-sync-lambda-role" {
+  backend                         = vault_auth_backend.aws.path
+  role                            = "threatq-data-sync-lambda-role"
+  auth_type                       = "iam"
+  bound_iam_principal_arns        = ["arn:${var.aws_partition}:iam::${var.aws_account_id}:role/threatq-data-sync-lambda-role"]
+  #inferred_aws_region             = "us-gov-east-1"
+  token_ttl                       = 60
+  token_max_ttl                   = 86400
+  token_policies                  = ["threatq"]
+}
+
 
 #----------------------------------------------------------------------------
 # AppRole Auth
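Review bot: `token_max_ttl = 86400` lets a token obtained by the function be renewed for 24 hours, while the function cannot run longer than its 900-second timeout set in main.tf, so the renewable window far exceeds the lifetime of any invocation and a leaked token would outlive the run that minted it; consider `token_max_ttl = 900` or slightly above. The commented `#inferred_aws_region` line looks like a leftover carried over from the neighbouring `portal-data-sync-lambda-role` and should be removed or explained. If the 24-hour value is a deliberate shared default with that role, a one-line comment saying so is enough.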

+ 14 - 0
base/vault-configuration/policies.tf

@@ -82,6 +82,20 @@ resource "vault_policy" "portal" {
   policy = data.vault_policy_document.portal.hcl
 }
 
+#threatq
+data "vault_policy_document" "threatq" {
+  rule {
+    path         = "threatq-lambda*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+    description  = "threatq-lambda"
+  }
+}
+
+resource "vault_policy" "threatq" {
+  name   = "threatq"
+  policy = data.vault_policy_document.threatq.hcl
+}
+
 #salt-master should be able to only create tokens
 data "vault_policy_document" "salt-master" {
   rule {
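Review bot: The `threatq` policy grants `create, read, update, delete, list, sudo` on `threatq-lambda*`, but the only consumer in this commit is the Lambda, whose `VAULT_PATH` is `threatq-lambda/data/lambda_sync_env` and which only needs to read it; `sudo` is for root-protected paths and nothing under this mount is one. A glob with no `/` also matches any future mount whose name merely starts with `threatq-lambda`. Narrow it to `path = "threatq-lambda/data/lambda_sync_env"` and `capabilities = ["read"]` (or `threatq-lambda/data/*` if more keys are expected), and give whoever populates the secret write access through a separate policy rather than the function's token.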

+ 1 - 0
submodules/iam/standard_iam_policies/policy-mdr_terraformer.tf

@@ -41,6 +41,7 @@ data "aws_iam_policy_document" "mdr_terraformer" {
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/salt-master-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-data-sync-lambda-role",
+			"arn:${local.aws_partition}:iam::${local.aws_account}:role/threatq-data-sync-lambda-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/msoc-default-instance-role",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/ecsFargateTaskExecutionRole",
 			"arn:${local.aws_partition}:iam::${local.aws_account}:role/dlm-lifecycle-role",