add lambda best practices terraform plan policies

Signed-off-by: Chandan-DK <[email protected]>
nirmata · Oct 2, 2024 · 0f21f11 · 0f21f11
1 parent 8c717a0
commit 0f21f11
Show file tree

Hide file tree

Showing 32 changed files with 4,341 additions and 0 deletions.
diff --git a/terraform/plan/lambda-best-practices/check-dead-letter-queue-config/README.md b/terraform/plan/lambda-best-practices/check-dead-letter-queue-config/README.md
@@ -0,0 +1,73 @@
+# Check Dead Letter Queue Config
+
+Dead Letter Queues (DLQs) allow Lambda functions to be set up with an SQS queue or SNS topic to capture information about failed asynchronous requests. When a Lambda function's processing fails and the request has exhausted its retries, the Lambda service can store details of the failed request to the configured DLQ. These failed messages can then be examined to determine the cause of failures.
+
+## Policy Details:
+
+- **Policy Name:** check-dead-letter-queue-config
+- **Check Description:** This policy ensures that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
+- **Policy Category:** AWS Lambda Best Practices
+
+### Policy Validation Testing Instructions
+
+For testing this policy you will need to:
+- Make sure you have `kyverno-json` installed on the machine 
+- Properly authenticate with AWS
+
+1. **Initialize Terraform:**
+    ```bash
+    terraform init
+    ```
+
+2. **Create Binary Terraform Plan:**
+    ```bash
+    terraform plan -out tfplan.binary
+    ```
+
+3. **Convert Binary to JSON Payload:**
+    ```bash
+    terraform show -json tfplan.binary | jq > payload.json
+    ```
+
+4. **Test the Policy with Kyverno:**
+    ```
+    kyverno-json scan --payload payload.json --policy policy.yaml
+    ```
+
+    a. **Test Policy Against Valid Payload:**
+    ```
+    kyverno-json scan --payload test/good-test/good-payload-01.json --policy check-dead-letter-queue-config.yaml --bindings test/binding.yaml
+    ```
+
+    This produces the output:
+    ```
+    Loading policies ...
+    Loading bindings ...
+    - analyzer -> map[resource:map[type:terraform-plan]]
+    Loading payload ...
+    Pre processing ...
+    Running ( evaluating 1 resource against 1 policy ) ...
+    - PASSED (POLICY=check-dead-letter-queue-config, RULE=check-dead-letter-queue-config)
+    Done
+    ```
+
+    b. **Test Against Invalid Payload:**
+    ```
+    kyverno-json scan --payload test/bad-test/bad-payload-01.json --policy check-dead-letter-queue-config.yaml --bindings test/binding.yaml
+    ```
+
+    This produces the output:
+    ```
+    Loading policies ...
+    Loading bindings ...
+    - analyzer -> map[resource:map[type:terraform-plan]]
+    Loading payload ...
+    Pre processing ...
+    Running ( evaluating 1 resource against 1 policy ) ...
+    - FAILED (POLICY=check-dead-letter-queue-config, RULE=check-dead-letter-queue-config)
+    -> AWS Lambda function should be configured for a Dead Letter Queue(DLQ) (CHECK=spec.rules[0].assert.all[0])
+    -> Invalid value: false: Expected value: true (PATH=~.(planned_values.root_module.resources[?type=='aws_lambda_function'])[0].values.(dead_letter_config != `[]`))
+    Done
+    ```
+
+---
diff --git a/.../lambda-best-practices/check-dead-letter-queue-config/check-dead-letter-queue-config.yaml b/.../lambda-best-practices/check-dead-letter-queue-config/check-dead-letter-queue-config.yaml
@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-dead-letter-queue-config
+  annotations:
+    policies.kyverno.io/title: check-dead-letter-queue-config 
+    policies.kyverno.io/category: AWS Lambda Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)
+spec:
+  rules:
+    - name: check-dead-letter-queue-config
+      match:
+        all:
+        - ($analyzer.resource.type): terraform-plan
+        - (planned_values.root_module.resources[?type=='aws_lambda_function'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: AWS Lambda function should be configured for a Dead Letter Queue(DLQ)
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_lambda_function']):
+                values:
+                  (dead_letter_config != `[]`): true
+
diff --git a/terraform/plan/lambda-best-practices/check-dead-letter-queue-config/test/bad-test/bad-01.tf b/terraform/plan/lambda-best-practices/check-dead-letter-queue-config/test/bad-test/bad-01.tf
@@ -0,0 +1,45 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.32"
+    }
+  }
+}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_lambda_function" "example" {
+  function_name = "example_lambda"
+  handler       = "index.lambda_handler"
+  role          = aws_iam_role.lambda_exec.arn
+  runtime       = "python3.8"
+  filename      = ""
+}
+
+resource "aws_iam_role" "lambda_exec" {
+  name = "lambda_exec_role"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      },
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_exec_policy" {
+  role       = aws_iam_role.lambda_exec.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+}
+