Create a shared layer for reusable code within the lambdas #86

Merged
merged 31 commits into from
Dec 16, 2024
Changes from 30 commits
Commits
31 commits
b30e908
feat(layers): added layers to build script
TylerTMizuyabu Nov 13, 2024
a7d9e26
added common layer
TylerTMizuyabu Nov 13, 2024
bf6bf10
added layer to prerequisites
TylerTMizuyabu Nov 13, 2024
3b01c1f
modified get client function
TylerTMizuyabu Nov 13, 2024
55a65b2
added logger and fixed library imports
TylerTMizuyabu Nov 13, 2024
6f1b159
added regex import
TylerTMizuyabu Nov 13, 2024
76ba908
updated gc02_check_account_mgmt_plan code to use layer
TylerTMizuyabu Nov 13, 2024
3fcfe38
added layer to function cloud formation
TylerTMizuyabu Nov 13, 2024
82799fa
added intellisense
TylerTMizuyabu Nov 13, 2024
172779d
Post-rebase cleanup
david-dearden-ssc Dec 11, 2024
8d315a3
Fix part 1 template
david-dearden-ssc Dec 11, 2024
095c9d8
Fix folder structure for shared packages
david-dearden-ssc Dec 11, 2024
10d5308
Create utils shared package
david-dearden-ssc Dec 11, 2024
8c38bf7
Added the submit_evaluations helper
david-dearden-ssc Dec 11, 2024
0c134d0
Update config helpers
david-dearden-ssc Dec 11, 2024
668f7ce
Update GC02CheckAccountManagementPlanLambda
david-dearden-ssc Dec 11, 2024
dc76f1e
Fix check_s3_object_exists
david-dearden-ssc Dec 11, 2024
e0024d4
Add final eval status log to GC02CheckAccountManagementPlanLambda
david-dearden-ssc Dec 11, 2024
10b7d2c
Add make target update-layers
david-dearden-ssc Dec 11, 2024
4c9c638
Add extension recommendations and some more vscode settings
david-dearden-ssc Dec 12, 2024
8b8083f
Testing different ways to get the arn
david-dearden-ssc Dec 12, 2024
7e2ab5a
Setup shared layer in main and pass parameters to the audit account p…
david-dearden-ssc Dec 13, 2024
15fa6e7
Add the shared layer to all the guardrail lambda resources
david-dearden-ssc Dec 13, 2024
7fb279b
Apply formatting to yaml parts
david-dearden-ssc Dec 13, 2024
18efafb
Update shared layer and apply changes to GC02CheckIAMPasswordPolicyLa…
david-dearden-ssc Dec 13, 2024
bd28e38
Switch to copies of the layer for each part
david-dearden-ssc Dec 16, 2024
cb09975
Misc adjustments
david-dearden-ssc Dec 16, 2024
2c1a94b
Build out more shared code in the layers
david-dearden-ssc Dec 16, 2024
b27dcd0
Refactor GC12CheckMarketplacesLambda
david-dearden-ssc Dec 16, 2024
f2a8391
Refactor GC01CheckAlertsFlagMisuseLambda
david-dearden-ssc Dec 16, 2024
4ef0a4a
Cleanup
david-dearden-ssc Dec 16, 2024
17 changes: 17 additions & 0 deletions .vscode/extensions.json
@@ -0,0 +1,17 @@
{
"recommendations": [
"amazonwebservices.aws-toolkit-vscode",
"Boto3typed.boto3-ide",
"esbenp.prettier-vscode",
"foxundermoon.shell-format",
"mark-tucker.aws-cli-configure",
"ms-python.black-formatter",
"ms-python.debugpy",
"ms-python.python",
"ms-python.vscode-pylance",
"nextfaze.json-parse-stringify",
"redhat.vscode-yaml",
"streetsidesoftware.code-spell-checker",
"yzhang.markdown-all-in-one"
]
}
62 changes: 62 additions & 0 deletions .vscode/settings.json
@@ -0,0 +1,62 @@
{
"[yaml]": {
"editor.defaultFormatter": "esbenp.prettier-vscode"
},
"[python]": {
"editor.formatOnType": true
},
"[shellscript]": {
"editor.defaultFormatter": "foxundermoon.shell-format",
"editor.formatOnSave": true
},
"[markdown]": {
"editor.defaultFormatter": "esbenp.prettier-vscode",
"editor.formatOnSave": true
},

"black-formatter.args": ["--line-length", "120"],
"aws.telemetry": false,

"json.schemas": [
{
"fileMatch": ["*-template.json", "**/templates/*.yaml"],
"url": "https://s3.amazonaws.com/cfn-resource-specifications-us-east-1-prod/schemas/2.15.0/all-spec.json"
}
],
"yaml.schemas": {
"https://s3.amazonaws.com/cfn-resource-specifications-us-east-1-prod/schemas/2.15.0/all-spec.json": [
"*-template.json",
"**/templates/*.yaml"
]
},
"yaml.customTags": [
"!And scalar",
"!Base64",
"!Cidr",
"!Equals scalar",
"!Equals sequence",
"!FindInMap scalar",
"!GetAtt sequence",
"!GetAtt",
"!GetAZs",
"!If scalar",
"!If sequence",
"!ImportValue sequence",
"!ImportValue",
"!Join sequence",
"!Not",
"!Or scalar",
"!Ref",
"!Select sequence",
"!Split sequence",
"!Sub sequence",
"!Sub"
],

"python.autoComplete.extraPaths": [
"./src/layer/cloud_guardrails/lib/python3.12/site-packages"
],
"python.analysis.extraPaths": [
"./src/layer/cloud_guardrails/lib/python3.12/site-packages"
]
}
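Review bot: the `yaml.customTags` list only registers the scalar form of the condition intrinsics (`!And scalar`, `!Or scalar`, and a bare `!Not`, which defaults to scalar), but in CloudFormation `!And`, `!Or` and `!Not` take a list, so the YAML extension will still flag `!And [...]`, `!Or [...]` and `!Not [...]` as unknown tags; add `!And sequence`, `!Or sequence` and `!Not sequence`. The schema associations are also crossed: `json.schemas` has `**/templates/*.yaml` in its `fileMatch` and `yaml.schemas` lists `*-template.json`, and each setting only applies to files of its own language, so keep the JSON glob under `json.schemas` and the YAML glob under `yaml.schemas`. Finally, `python.analysis.extraPaths` points at the built layer under `./src/layer/cloud_guardrails/lib/python3.12/site-packages`, so Pylance only resolves the shared imports after the layer has been built; worth a line in the README next to the `update-layers` target.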
25 changes: 21 additions & 4 deletions arch/templates/AuditAccountPreRequisitesPart1.yaml
@@ -30,9 +30,8 @@ Parameters:
Description: The Accelerator role prefix for privileged access
PythonRuntime:
Type: String
Default: 'python3.12'
Description:
The python runtime to use for the compliance dashboard
Default: "python3.12"
Description: The python runtime to use for the compliance dashboard

Conditions:
GenerateEvidenceBucketName: !Equals
@@ -46,6 +45,14 @@ Conditions:
- !Ref AuditAccountID

Resources:
CloudGuardrailsCommonLayer:
Type: AWS::Lambda::LayerVersion
Properties:
LayerName: CloudGuardrailsCommonLayerPart1
CompatibleRuntimes:
- python3.12
Content: "../../src/layer/cloud_guardrails/build/CloudGuardrailsCommonLayer/"

BucketSetupLambdaExecutionRolePolicy:
Condition: IsAuditAccount
Type: AWS::IAM::Policy
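Review bot: `CompatibleRuntimes` hardcodes `python3.12` while the functions that consume this layer use `Runtime: !Ref PythonRuntime`; the property is informational, but it will silently drift from the real runtime the first time someone overrides the parameter, so use `- !Ref PythonRuntime` here. Also, the neighbouring `BucketSetupLambdaExecutionRolePolicy` carries `Condition: IsAuditAccount` while `CloudGuardrailsCommonLayer` has none, so a copy of the shared code is published as a layer in every account the template is deployed to, not only the audit account; give the layer the same condition as the functions that reference it. Note that `Content:` given as a local directory is only valid once a packaging step (`aws cloudformation package` or equivalent) has uploaded it to S3 and rewritten the property, so the deploy instructions should name that step.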
@@ -133,7 +140,11 @@ Resources:
EvidenceBucketName:
!If [GenerateEvidenceBucketName, AWS::NoValue, !Ref EvidenceBucketName]
AWSConfigBucketName:
!If [GenerateAWSConfigConformsBucketName, AWS::NoValue, !Ref AWSConfigConformsBucketName]
!If [
GenerateAWSConfigConformsBucketName,
AWS::NoValue,
!Ref AWSConfigConformsBucketName,
]
StaticWebSiteURL: "http://localhost:8000"
DependsOn:
- BucketsSetupLambda
@@ -392,6 +403,8 @@ Resources:
Role: !GetAtt GCDefaultLambdaExecutionRole.Arn
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -407,6 +420,8 @@ Resources:
Role: !GetAtt GCDefaultLambdaExecutionRole.Arn
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -421,6 +436,8 @@ Resources:
Role: !GetAtt GCDefaultLambdaExecutionRole.Arn
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
38 changes: 35 additions & 3 deletions arch/templates/AuditAccountPreRequisitesPart2.yaml
@@ -15,16 +15,23 @@ Parameters:
Description: prefix for roles created by this template
PythonRuntime:
Type: String
Default: 'python3.12'
Description:
The python runtime to use for the compliance dashboard
Default: "python3.12"
Description: The python runtime to use for the compliance dashboard

Conditions:
IsAuditAccount: !Equals
- !Ref AWS::AccountId
- !Ref AuditAccountID

Resources:
CloudGuardrailsCommonLayer:
Type: AWS::Lambda::LayerVersion
Properties:
LayerName: CloudGuardrailsCommonLayerPart2
CompatibleRuntimes:
- python3.12
Content: "../../src/layer/cloud_guardrails/build/CloudGuardrailsCommonLayer/"

## GC01
GC01CheckIAMUsersMFALambda:
Condition: IsAuditAccount
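Review bot: every function in this template is gated on `Condition: IsAuditAccount` (see `GC01CheckIAMUsersMFALambda` directly below) and runs under the audit-account `default_assessment_role`, but `CloudGuardrailsCommonLayer` has no condition, so a layer version is published in each account that receives the stack even though nothing there references it; add `Condition: IsAuditAccount` to the layer resource. Its `Content` path is also identical to the Part1 layer and `LayerName` differs only by the `Part2` suffix, so the three stacks each publish their own copy of one build; that avoids cross-stack export locks, but it means a change to the shared code is only fully rolled out once all three stacks have been redeployed, which the README should state.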
@@ -36,6 +43,11 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 180
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"

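Review bot: the new `LoggingConfig` uses `!Sub "${OrganizationName}gc_guardrails"`, but `OrganizationName` is not visible in the Parameters hunk above (only `RolePrefix` and `PythonRuntime` appear), so confirm it is declared in this template or the stack will fail validation. Two further checks on the logging change: this function runs under the audit-account `default_assessment_role` rather than a role created in this template, so that role needs `logs:CreateLogStream` and `logs:PutLogEvents` (and `logs:CreateLogGroup` on first use) scoped to the `${OrganizationName}gc_guardrails` group; and all guardrail functions across the three parts now share that single group, so retention and any subscription filters should be set on the group explicitly rather than relying on the per-function default.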
GC01CheckDedicatedAdminAccountLambda:
Condition: IsAuditAccount
@@ -47,6 +59,11 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 180
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"

## GC02
GC02CheckIAMPasswordPolicyLambda:
@@ -59,6 +76,11 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 180
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"

GC02CheckGroupAccessConfigurationLambda:
Condition: IsAuditAccount
@@ -70,6 +92,11 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 180
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"

GC02CheckPrivilegedRolesReviewLambda:
Condition: IsAuditAccount
@@ -81,3 +108,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 180
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
33 changes: 29 additions & 4 deletions arch/templates/AuditAccountPreRequisitesPart3.yaml
@@ -17,16 +17,23 @@ Parameters:
The prefix to apply to generated role names, in ASEA this is generally ASEA- for lza this could be cdk-accel etc
PythonRuntime:
Type: String
Default: 'python3.12'
Description:
The python runtime to use for the compliance dashboard
Default: "python3.12"
Description: The python runtime to use for the compliance dashboard

Conditions:
IsAuditAccount: !Equals
- !Ref AWS::AccountId
- !Ref AuditAccountID

Resources:
CloudGuardrailsCommonLayer:
Type: AWS::Lambda::LayerVersion
Properties:
LayerName: CloudGuardrailsCommonLayerPart3
CompatibleRuntimes:
- python3.12
Content: "../../src/layer/cloud_guardrails/build/CloudGuardrailsCommonLayer/"

#############################################
# Part 2 - Continued
#############################################
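Review bot: same two points as the Part1 and Part2 layer resources apply to `CloudGuardrailsCommonLayerPart3`: `CompatibleRuntimes` should be `- !Ref PythonRuntime` to stay in step with the functions' `Runtime`, and the resource needs `Condition: IsAuditAccount` so it is not published in accounts where none of the conditional functions below exist.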
@@ -42,6 +49,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -57,6 +66,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -71,6 +82,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -85,6 +98,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -100,6 +115,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -114,6 +131,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -129,6 +148,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -143,6 +164,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"
@@ -158,6 +181,8 @@ Resources:
Role: !Sub "arn:aws:iam::${AuditAccountID}:role/${RolePrefix}default_assessment_role"
Runtime: !Ref PythonRuntime
Timeout: 90
Layers:
- !Ref CloudGuardrailsCommonLayer
LoggingConfig:
LogGroup: !Sub "${OrganizationName}gc_guardrails"
LogFormat: "JSON"