Release/module v1 (#1)

iKnowJavaScript · web-flow · commit 36c342e4922b · 2025-01-14T14:56:54.000+01:00
* feat: update mabda parameter and payload

* feat: update variables

* chore: update readme vars and types
diff --git a/README.md b/README.md
@@ -32,6 +32,7 @@ module "remediation" {
   aws_region       = "us-east-1"
   account_id       = "2123232323"
   lambda_log_group = "/aws/lambda/vulne-soldier-compliance-remediate"
+  lambda_zip       = "lambda.zip"
   remediation_options = {
     region                                     = "us-east-1"
     reboot_option                              = "NoReboot"
@@ -56,13 +57,14 @@ provider "aws" {
 | `aws_region`                             | AWS region where the resources will be created                              | `string`      | n/a                                        | yes      |
 | `account_id`                             | AWS account ID                                                              | `string`      | n/a                                        | yes      |
 | `lambda_log_group`                       | Name of the CloudWatch Log Group for the Lambda function                    | `string`      | n/a                                        | yes      |
+| `lambda_zip`                             | File location of the lambda zip file for remediation                                                              | `string`      | `lambda.zip`                                        | yes      |
 | `remediation_options`                    | Options for the remediation document                                        | `object`      | n/a                                        | yes      |
 | `remediation_options.region`             | The region to use                                                           | `string`      | `us-east-1`                                | no       |
 | `remediation_options.reboot_option`      | Reboot option for patching                                                  | `string`      | `NoReboot`                                 | no       |
 | `remediation_options.target_ec2_tag_name`| The tag name to filter EC2 instances                                        | `string`      | `AmazonECSManaged`                         | no       |
 | `remediation_options.target_ec2_tag_value`| The tag value to filter EC2 instances                                       | `string`      | `true`                                     | no       |
-| `remediation_options.vulnerability_severities`| List of vulnerability severities to filter findings                        | `list(string)`| `["CRITICAL, HIGH"]`                       | no       |
-| `remediation_options.override_findings_for_target_instances_ids`| List of instance IDs to override findings for target instances              | `list(string)`| `[]`                                       | no       |
+| `remediation_options.vulnerability_severities`| Comma separated list of vulnerability severities to filter findings                        | `string`| `"CRITICAL, HIGH"`                       | no       |
+| `remediation_options.override_findings_for_target_instances_ids`| Comma separated list of instance IDs to override findings for target instances              | `string`| `""`                                       | no       |
 
 ## Outputs
 
diff --git a/examples/basic/README.md b/examples/basic/README.md
@@ -19,6 +19,7 @@ module "remediation" {
   aws_region       = "us-east-1"
   account_id       = "2324334432"
   lambda_log_group = "/aws/lambda/vulne-soldier-compliance-remediate"
+  lambda_zip       = "lambda.zip"
   remediation_options = {
     region                                     = "us-east-1"
     reboot_option                              = "NoReboot"
@@ -43,13 +44,14 @@ provider "aws" {
 | `aws_region`                             | AWS region where the resources will be created                              | `string`      | n/a                                        | yes      |
 | `account_id`                             | AWS account ID                                                              | `string`      | n/a                                        | yes      |
 | `lambda_log_group`                       | Name of the CloudWatch Log Group for the Lambda function                    | `string`      | n/a                                        | yes      |
+| `lambda_zip`                             | File location of the lambda zip file for remediation                                                              | `string`      | `lambda.zip`                                        | yes      |
 | `remediation_options`                    | Options for the remediation document                                        | `object`      | n/a                                        | yes      |
 | `remediation_options.region`             | The region to use                                                           | `string`      | `us-east-1`                                | no       |
 | `remediation_options.reboot_option`      | Reboot option for patching                                                  | `string`      | `NoReboot`                                 | no       |
 | `remediation_options.target_ec2_tag_name`| The tag name to filter EC2 instances                                        | `string`      | `AmazonECSManaged`                         | no       |
 | `remediation_options.target_ec2_tag_value`| The tag value to filter EC2 instances                                       | `string`      | `true`                                     | no       |
-| `remediation_options.vulnerability_severities`| List of vulnerability severities to filter findings                        | `list(string)`| `["CRITICAL, HIGH"]`                       | no       |
-| `remediation_options.override_findings_for_target_instances_ids`| List of instance IDs to override findings for target instances              | `list(string)`| `[]`                                       | no       |
+| `remediation_options.vulnerability_severities`| Comma separated list of vulnerability severities to filter findings                        | `string`| `"CRITICAL, HIGH"`                       | no       |
+| `remediation_options.override_findings_for_target_instances_ids`| Comma separated list of instance IDs to override findings for target instances              | `string`| `""`                                       | no       |
 
 ### Outputs
 
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -4,14 +4,15 @@ module "remediation" {
   name             = "vulne-soldier-compliance-remediate"
   environment      = "dev"
   aws_region       = "us-east-1"
-  account_id       = "2132323212"
+  account_id       = "2132323212_dummmmy"
   lambda_log_group = "/aws/lambda/vulne-soldier-compliance-remediate"
+  lambda_zip       = "../../lambda.zip"
   remediation_options = {
     region                                     = "us-east-1"
     reboot_option                              = "NoReboot"
     target_ec2_tag_name                        = "AmazonECSManaged"
     target_ec2_tag_value                       = "true"
-    vulnerability_severities                   = ["CRITICAL, HIGH"]
-    override_findings_for_target_instances_ids = []
+    vulnerability_severities                   = "CRITICAL, HIGH"
+    override_findings_for_target_instances_ids = ""
   }
 }
diff --git a/lambda/index.js b/lambda/index.js
@@ -1,14 +1,15 @@
-import { logger } from './logger';
+const AWS = require("aws-sdk");
+const logger = require('./logger');
 
 exports.handler = async (event) => {
   const REGION = event.region || 'us-east-1';
   const REBOOT_OPTION = event.reboot_option || "NoReboot";
   const TARGET_EC2_TAG_NAME = event.target_ec2_tag_name;
   const TARGET_EC2_TAG_VALUE = event.target_ec2_tag_value;
-  const VULNERABILITY_SEVERITIES = event.vulnerability_severities 
-        && event.vulnerability_severities.split(',').map(a => a.trim().toUpperCase());
-  const OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS = event.override_findings_for_target_instances_ids 
-        && event.override_findings_for_target_instances_ids.split(',').map(a => a.trim());
+  const VULNERABILITY_SEVERITIES = (event.vulnerability_severities 
+        && event.vulnerability_severities?.split(',')?.map(a => a.trim().toUpperCase())) || [];
+  const OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS = (event.override_findings_for_target_instances_ids 
+        && event.override_findings_for_target_instances_ids?.split(',')?.map(a => a.trim())) || [];
 
   logger.info("Region is ", REGION);
   logger.info("Reboot option is ", REBOOT_OPTION);
@@ -18,9 +19,14 @@ exports.handler = async (event) => {
   logger.info("Override findings for target instances IDs are ", OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS);
 
   try {
-    const ecsManagedInstanceIds = await getECSManagedInstances(REGION, TARGET_EC2_TAG_NAME, TARGET_EC2_TAG_VALUE);
+    let ecsManagedInstanceIds = [];
+    if (OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS && OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS.length > 0) {
+      ecsManagedInstanceIds = OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS;
+    } else {
+      ecsManagedInstanceIds = await getECSManagedInstances(REGION, TARGET_EC2_TAG_NAME, TARGET_EC2_TAG_VALUE);
+    }
 
-    const { targetInstances, totalFindings } = await manageInstanceFindings(ecsManagedInstanceIds, REGION, VULNERABILITY_SEVERITIES, OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS);
+    const { targetInstances, totalFindings } = await manageInstanceFindings(ecsManagedInstanceIds, REGION, VULNERABILITY_SEVERITIES);
 
     if (!targetInstances.length) {
       return {
@@ -31,12 +37,15 @@ exports.handler = async (event) => {
     }
 
     const ssm = new AWS.SSM({ region: REGION });
+    const logConfig = process.env.LAMBDA_LOG_GROUP ? {
+      CloudWatchOutputConfig: {
+        CloudWatchLogGroupName: process.env.LAMBDA_LOG_GROUP,
+        CloudWatchOutputEnabled: true
+      }
+    } : {};
     const patchResult = await ssm
       .sendCommand({
-        CloudWatchOutputConfig: {
-          CloudWatchLogGroupName: process.env.LAMBDA_LOG_GROUP || '',
-          CloudWatchOutputEnabled: true
-        },
+        ...logConfig,
         Comment: 'Lambda function trigger operation for inspector finding auto-remediation',
         DocumentName: "AWS-RunPatchBaseline",
         DocumentVersion: "1",
@@ -120,7 +129,7 @@ async function getInstanceInspectorFindings(instanceId, region, severities) {
   return data.findings;
 }
 
-async function manageInstanceFindings(ecsManagedInstanceIds, region, severities, overrideInstanceIds) {
+async function manageInstanceFindings(ecsManagedInstanceIds, region, severities) {
   const targetInstances = [];
   let totalFindings = 0;
 
@@ -136,12 +145,12 @@ async function manageInstanceFindings(ecsManagedInstanceIds, region, severities,
     findings = findings.filter((finding) => !(skippingTitles.includes(finding.title)))
     logger.info('Total findings for instanceID ' + instanceId + ' after title check is ' + findings.length);
 
-    totalFindings = totalFindings += findings.length;
-
+    
     const resource = findings[0].resources[0];
-
+    
     // Check resource type to match expected remediation action:
     if (resource.type === "AWS_EC2_INSTANCE") {
+      totalFindings = totalFindings += findings.length;
       targetInstances.push(instanceId);
     }
   }
diff --git a/lambda/logger.js b/lambda/logger.js
@@ -7,7 +7,9 @@ const LogLevel = {
 };
 
 class Logger {
-  constructor(logLevel) {}
+  constructor(logLevel) {
+    this.logLevel = logLevel;
+  }
 
   error(...args) {
     if (this.logLevel >= LogLevel.error) {
@@ -32,5 +34,5 @@ const logLevel =
     INFO: LogLevel.info,
     DEBUG: LogLevel.debug,
   }[process.env.LOG_LEVEL ?? "NONE"] ?? LogLevel.none;
-  
-export let logger = new Logger(logLevel);
+
+module.exports = new Logger(logLevel);
diff --git a/main.tf b/main.tf
@@ -5,6 +5,7 @@ provider "aws" {
 locals {
   function_name     = "${var.name}-${var.environment}"
   ssm_document_name = "${var.name}-inspector-findings-${var.environment}"
+  lambda_zip        = var.lambda_zip
 }
 
 resource "aws_ssm_document" "remediation_document" {
@@ -21,29 +22,29 @@ resource "aws_ssm_document" "remediation_document" {
       "description": "(Required) The region to use.",
       "default": "${var.remediation_options.region}"
     },
-    "reboot_option": {
+    "rebootOption": {
       "type": "String",
       "description": "(Optional) Reboot option for patching. Allowed values: NoReboot, RebootIfNeeded, AlwaysReboot",
       "default": "${var.remediation_options.reboot_option}"
     },
-    "target_ec2_tag_name": {
+    "targetEC2TagName": {
       "type": "String",
       "description": "The tag name to filter EC2 instances.",
       "default": "${var.remediation_options.target_ec2_tag_name}"
     },
-    "target_ec2_tag_value": {
+    "targetEC2TagValue": {
       "type": "String",
       "description": "The tag value to filter EC2 instances.",
       "default": "${var.remediation_options.target_ec2_tag_value}"
     },
-    "vulnerability_severities": {
-      "type": "StringList",
-      "description": "(Optional) List of vulnerability severities to filter findings. Allowed values are comma separated list of : CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL",
+    "vulnerabilitySeverities": {
+      "type": "String",
+      "description": "(Optional) Comma separated list of vulnerability severities to filter findings. Allowed values are comma separated list of : CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL",
       "default": "${var.remediation_options.vulnerability_severities}"
     },
-    "override_findings_for_target_instances_ids": {
-      "type": "StringList",
-      "description": "(Optional) List of instance IDs to override findings for target instances. If not provided, all matched findings will be remediated. Values are in comma separated list of instance IDs.",
+    "overrideFindingsForTargetInstancesIDs": {
+      "type": "String",
+      "description": "(Optional) Comma separated list of instance IDs to override findings for target instances. If not provided, all matched findings will be remediated. Values are in comma separated list of instance IDs.",
       "default": "${var.remediation_options.override_findings_for_target_instances_ids}"
     }
   },
@@ -53,7 +54,7 @@ resource "aws_ssm_document" "remediation_document" {
       "action": "aws:invokeLambdaFunction",
       "inputs": {
         "FunctionName": "arn:aws:lambda:${var.aws_region}:${var.account_id}:function:${local.function_name}",
-        "Payload": "{ \"region\": \"{{ region }}\", \"reboot_option\": \"{{ reboot_option }}\", \"target_ec2_tag_name\": \"{{ target_ec2_tag_name }}\", \"target_ec2_tag_value\": \"{{ target_ec2_tag_value }}\", \"vulnerability_severities\": \"{{ vulnerability_severities }}\", \"override_findings_for_target_instances_ids\": \"{{ override_findings_for_target_instances_ids }}\" }"
+        "Payload": "{ \"region\": \"{{ region }}\", \"reboot_option\": \"{{ rebootOption }}\", \"target_ec2_tag_name\": \"{{ targetEC2TagName }}\", \"target_ec2_tag_value\": \"{{ targetEC2TagValue }}\", \"vulnerability_severities\": \"{{ vulnerabilitySeverities }}\", \"override_findings_for_target_instances_ids\": \"{{ overrideFindingsForTargetInstancesIDs }}\" }"
       }
     }
   ]
@@ -200,12 +201,12 @@ resource "aws_iam_role_policy" "lambda_policy" {
 
 
 resource "aws_lambda_function" "inspector_remediation" {
-  filename         = "../../lambda.zip" # You should zip your lambda_function.js before deploying
+  filename         = local.lambda_zip # You should zip your lambda_function.js before deploying
   function_name    = local.function_name
   role             = aws_iam_role.lambda_execution_role.arn
-  handler          = "findings-remediate.handler"
+  handler          = "index.handler"
   runtime          = "nodejs18.x"
-  source_code_hash = filebase64sha256("./lambda.zip")
+  source_code_hash = filebase64sha256(local.lambda_zip)
 
   timeout = 300
 
diff --git a/variables.tf b/variables.tf
@@ -23,22 +23,28 @@ variable "lambda_log_group" {
   type        = string
 }
 
+variable "lambda_zip" {
+  description = "File location of the lambda zip file for remediation."
+  type        = string
+  default     = null
+}
+
 variable "remediation_options" {
   description = "Options for the remediation document"
   type = object({
     region                                     = string
     reboot_option                              = string
     target_ec2_tag_name                        = string
     target_ec2_tag_value                       = string
-    vulnerability_severities                   = list(string)
-    override_findings_for_target_instances_ids = list(string)
+    vulnerability_severities                   = string
+    override_findings_for_target_instances_ids = string
   })
   default = {
     region                                     = "us-east-1"
     reboot_option                              = "NoReboot"
     target_ec2_tag_name                        = "AmazonECSManaged"
     target_ec2_tag_value                       = "true"
-    vulnerability_severities                   = ["CRITICAL, HIGH"]
-    override_findings_for_target_instances_ids = []
+    vulnerability_severities                   = "CRITICAL, HIGH"
+    override_findings_for_target_instances_ids = null
   }
 }
