def generate_threat_intel_downloader(config):
"""Generate Threat Intel Downloader Terrafrom
Args:
config (dict): The loaded config from the 'conf/' directory
Returns:
dict: Athena dict to be marshalled to JSON
"""
# Use the monitoring topic as a dead letter queue
dlq_topic, _ = monitoring_topic_name(config)
prefix = config['global']['account']['prefix']
# Threat Intel Downloader module
tid_config = config['lambda']['threat_intel_downloader_config']
# old format of config used interval, but tf_lambda expects 'schedule_expression'
if 'schedule_expression' not in tid_config:
tid_config['schedule_expression'] = tid_config.get(
'interval', 'rate(1 day)')
result = infinitedict()
# Set variables for the threat intel downloader configuration
result['module']['threat_intel_downloader_iam'] = {
'source': './modules/tf_threat_intel_downloader',
'account_id': config['global']['account']['aws_account_id'],
'region': config['global']['account']['region'],
'prefix': prefix,
'function_role_id': '${module.threat_intel_downloader.role_id}',
'function_alias_arn':
'${module.threat_intel_downloader.function_alias_arn}',
'function_cloudwatch_log_group_name':
'${module.threat_intel_downloader.log_group_name}',
'monitoring_sns_topic': dlq_topic,
'table_rcu': tid_config.get('table_rcu', '10'),
'table_wcu': tid_config.get('table_wcu', '10'),
'max_read_capacity': tid_config.get('max_read_capacity', '5'),
'min_read_capacity': tid_config.get('min_read_capacity', '5'),
'target_utilization': tid_config.get('target_utilization', '70')
}
result['module']['threat_intel_downloader'] = generate_lambda(
'{}_streamalert_{}'.format(prefix, THREAT_INTEL_DOWNLOADER_NAME),
'streamalert.threat_intel_downloader.main.handler',
tid_config,
config,
)
return result
def generate_threat_intel_downloader(config):
"""Generate Threat Intel Downloader Terrafrom
Args:
config (dict): The loaded config from the 'conf/' directory
Returns:
dict: Athena dict to be marshalled to JSON
"""
# Use the monitoring topic as a dead letter queue
dlq_topic, _ = monitoring_topic_name(config)
# Threat Intel Downloader module
ti_downloader_config = config['lambda']['threat_intel_downloader_config']
ti_downloader_dict = infinitedict()
ti_downloader_dict['module']['threat_intel_downloader'] = {
'account_id': config['global']['account']['aws_account_id'],
'region': config['global']['account']['region'],
'source': './modules/tf_threat_intel_downloader',
'lambda_handler': ThreatIntelDownloaderPackage.lambda_handler,
'lambda_memory': ti_downloader_config.get('memory', '128'),
'lambda_timeout': ti_downloader_config.get('timeout', '60'),
'lambda_log_level': ti_downloader_config.get('log_level', 'info'),
'interval': ti_downloader_config.get('interval', 'rate(1 day)'),
'prefix': config['global']['account']['prefix'],
'monitoring_sns_topic': dlq_topic,
'table_rcu': ti_downloader_config.get('table_rcu', '10'),
'table_wcu': ti_downloader_config.get('table_wcu', '10'),
'max_read_capacity': ti_downloader_config.get('max_read_capacity',
'5'),
'min_read_capacity': ti_downloader_config.get('min_read_capacity',
'5'),
'target_utilization': ti_downloader_config.get('target_utilization',
'70')
}
return ti_downloader_dict
def generate_main(config, init=False):
"""Generate the main.tf.json Terraform dict
Args:
config (CLIConfig): The loaded CLI config
init (bool): Terraform is running in the init phase or not (optional)
Returns:
dict: main.tf.json Terraform dict
"""
write_vars(config, region=config['global']['account']['region'])
main_dict = infinitedict()
logging_bucket, create_logging_bucket = s3_access_logging_bucket(config)
state_lock_table_name = '{}_streamalert_terraform_state_lock'.format(
config['global']['account']['prefix']
)
# Setup the Backend depending on the deployment phase.
# When first setting up StreamAlert, the Terraform statefile
# is stored locally. After the first dependencies are created,
# this moves to S3.
if init:
main_dict['terraform']['backend']['local'] = {
'path': 'terraform.tfstate',
}
else:
terraform_bucket_name, _ = terraform_state_bucket(config)
main_dict['terraform']['backend']['s3'] = {
'bucket': terraform_bucket_name,
'key': config['global'].get('terraform', {}).get(
'state_key_name',
'streamalert_state/terraform.tfstate'
),
'region': config['global']['account']['region'],
'encrypt': True,
'dynamodb_table': state_lock_table_name,
'acl': 'private',
'kms_key_id': 'alias/{}'.format(
config['global']['account'].get(
'kms_key_alias',
'{}_streamalert_secrets'.format(config['global']['account']['prefix'])
)
),
}
# Configure initial S3 buckets
main_dict['resource']['aws_s3_bucket'] = {
'streamalerts': generate_s3_bucket(
bucket=firehose_alerts_bucket(config),
logging=logging_bucket
)
}
# Configure remote state locking table
main_dict['resource']['aws_dynamodb_table'] = {
'terraform_remote_state_lock': {
'name': state_lock_table_name,
'billing_mode': 'PAY_PER_REQUEST',
'hash_key': 'LockID',
'attribute': {
'name': 'LockID',
'type': 'S'
},
'tags': {
'Name': 'StreamAlert'
}
}
}
# Create bucket for S3 access logs (if applicable)
if create_logging_bucket:
main_dict['resource']['aws_s3_bucket']['logging_bucket'] = generate_s3_bucket(
bucket=logging_bucket,
logging=logging_bucket,
acl='log-delivery-write',
lifecycle_rule={
'prefix': '/',
'enabled': True,
'transition': {
'days': 365,
'storage_class': 'GLACIER'
}
},
sse_algorithm='AES256' # SSE-KMS doesn't seem to work with access logs
)
terraform_bucket_name, create_state_bucket = terraform_state_bucket(config)
# Create bucket for Terraform state (if applicable)
if create_state_bucket:
main_dict['resource']['aws_s3_bucket']['terraform_remote_state'] = generate_s3_bucket(
bucket=terraform_bucket_name,
logging=logging_bucket
)
# Setup Firehose Delivery Streams
generate_firehose(logging_bucket, main_dict, config)
# Configure global resources like Firehose alert delivery and alerts table
main_dict['module']['globals'] = _generate_global_module(config)
# KMS Key and Alias creation
main_dict['resource']['aws_kms_key']['server_side_encryption'] = {
'enable_key_rotation': True,
'description': 'StreamAlert S3 Server-Side Encryption',
'policy': json.dumps({
'Version': '2012-10-17',
'Statement': [
{
'Sid': 'Enable IAM User Permissions',
'Effect': 'Allow',
'Principal': {
'AWS': 'arn:aws:iam::{}:root'.format(
config['global']['account']['aws_account_id']
)
},
'Action': 'kms:*',
'Resource': '*'
},
{
'Sid': 'Allow principals in the account to use the key',
'Effect': 'Allow',
'Principal': '*',
'Action': ['kms:Decrypt', 'kms:GenerateDataKey*', 'kms:Encrypt'],
'Resource': '*',
'Condition': {
'StringEquals': {
'kms:CallerAccount': config['global']['account']['aws_account_id']
}
}
}
]
})
}
main_dict['resource']['aws_kms_alias']['server_side_encryption'] = {
'name': 'alias/{}_server-side-encryption'.format(config['global']['account']['prefix']),
'target_key_id': '${aws_kms_key.server_side_encryption.key_id}'
}
main_dict['resource']['aws_kms_key']['streamalert_secrets'] = {
'enable_key_rotation': True,
'description': 'StreamAlert secret management'
}
main_dict['resource']['aws_kms_alias']['streamalert_secrets'] = {
'name': 'alias/{}'.format(
config['global']['account'].get(
'kms_key_alias',
'{}_streamalert_secrets'.format(config['global']['account']['prefix'])
)
),
'target_key_id': '${aws_kms_key.streamalert_secrets.key_id}'
}
# Global infrastructure settings
topic_name, create_topic = monitoring_topic_name(config)
if create_topic:
main_dict['resource']['aws_sns_topic']['monitoring'] = {
'name': topic_name
}
return main_dict