diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..452e5c5 --- /dev/null +++ b/LICENSE @@ -0,0 +1,9 @@ +Licensed under the Apache-2.0 license. + +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: + +- Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice. + +- Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution. + +- Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..9df0d34 --- /dev/null +++ b/README.md @@ -0,0 +1,19 @@ +# Serverless Heimdall Pusher (AWS) + + + +### NOTICE + +© 2019-2021 The MITRE Corporation. + +Approved for Public Release; Distribution Unlimited. Case Number 18-3678. + +### NOTICE + +MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project. + +### NOTICE + +This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General. + +No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation. \ No newline at end of file diff --git a/build-image.sh b/build-image.sh new file mode 100755 index 0000000..194914f --- /dev/null +++ b/build-image.sh @@ -0,0 +1,6 @@ +VERSION=$(cat './version') + +docker build -t mitre/serverless-heimdall-pusher-lambda:$VERSION ./src/ +docker tag mitre/serverless-heimdall-pusher-lambda:$VERSION mitre/serverless-heimdall-pusher-lambda:latest + +# docker save mitre/serverless-heimdall-pusher-lambda:$VERSION > serverless-heimdall-pusher-lambda.tar diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..9670f84 --- /dev/null +++ b/main.tf @@ -0,0 +1,236 @@ + +## +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region +# +data "aws_region" "current" {} + +## +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity +# +data "aws_caller_identity" "current" {} + +## +# Computed local variables +# +locals { + # If image_version is not set, then default to the lastest available version + image_version = var.image_version != null ? var.image_version : file("${path.module}/version") +} + +# Elastic Container Registry for SAF deployment +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository +# +resource "aws_ecr_repository" "mitre_heimdall_pusher" { + name = "mitre/serverless-heimdall-pusher-lambda" + image_tag_mutability = "MUTABLE" + + image_scanning_configuration { + scan_on_push = true + } +} + +## +# The KMS key used to encrypt/decrypt HeimdallPusher's Heimdall account password +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key +# +resource "aws_kms_key" "HeimdallPassKmsKey" { + description = "The KMS key used to encrypt/decrypt HeimdallPusher's Heimdall account password " + deletion_window_in_days = 10 + + tags = { + Name = "HeimdallPusherPassKmsKey" + } +} + +## +# SSM SecureString parameter for the Heimdall password +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter +# +resource "aws_ssm_parameter" "heimdall_pass_ssm_param" { + name = "/serverless-heimdall-pusher-lambda/heimdall_pass_ssm_param" + description = "Stores the password for HeimdallPusher's Heimdall account." + type = "SecureString" + value = var.heimdall_password + key_id = aws_kms_key.HeimdallPassKmsKey.key_id +} + +## +# HeimdallPusher Role to Invoke HeimdallPusher Lambda function +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role +# +resource "aws_iam_role" "serverless_heimdall_pusher_lambda_role" { + name = "serverless_heimdall_pusher_lambda_role" + + # Allow execution of the lambda function + managed_policy_arns = [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole" + ] + + # Allow assume role permission for lambda + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Sid = "" + Principal = { + Service = "lambda.amazonaws.com" + } + } + ] + }) + + # Allow READ access to Heimdall password SSM parameter + inline_policy { + name = "HeimdallPassSsmReadAccess" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "ssm:GetParameter" + ] + Effect = "Allow" + Resource = aws_ssm_parameter.heimdall_pass_ssm_param.arn + } + ] + }) + } + + inline_policy { + name = "AllowHeimdallPassKmsKeyDecrypt" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "kms:Decrypt" + ] + Effect = "Allow" + Resource = aws_kms_key.HeimdallPassKmsKey.arn + } + ] + }) + } + + # Allow S3 read and write access to InSpec results bucket + inline_policy { + name = "S3ResultsAccess" + + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = [ + "s3:GetObject", + "s3:PutObject", + "s3:DeleteObject" + ] + Effect = "Allow" + Resource = "${data.aws_s3_bucket.results_bucket.arn}/*" + } + ] + }) + } +} + +resource "null_resource" "push_image" { + depends_on = [ + aws_ecr_repository.mitre_heimdall_pusher, + ] + + # Ensures this script always runs + triggers = { + always_run = timestamp() + } + + # https://www.terraform.io/docs/language/resources/provisioners/local-exec.html + provisioner "local-exec" { + command = "${path.module}/push-image.sh" + + environment = { + REPOSITORY_URL = aws_ecr_repository.mitre_heimdall_pusher.repository_url + AWS_REGION = data.aws_region.current.name + AWS_ACCOUNT_ID = data.aws_caller_identity.current.account_id + REPO_NAME = "mitre/serverless-heimdall-pusher-lambda" + IMAGE_TAG = local.image_version + } + } +} + +## +# HeimdallPusher Lambda function +# +# https://registry.terraform.io/modules/terraform-aws-modules/lambda/aws/latest +# +module "serverless-heimdall-pusher-lambda" { + source = "terraform-aws-modules/lambda/aws" + + function_name = var.lambda_name + description = "Lambda capable of pulling AWS Config data, mapping to HDF, and pushing results to Heimdall Server API." + handler = "lambda_function.lambda_handler" + runtime = "ruby2.7" + create_role = false + lambda_role = aws_iam_role.serverless_heimdall_pusher_lambda_role.arn + timeout = 900 + + vpc_subnet_ids = var.subnet_ids + vpc_security_group_ids = var.security_groups + + create_package = false + image_uri = "${aws_ecr_repository.mitre_heimdall_pusher.repository_url}:${local.image_version}" + package_type = "Image" + + environment_variables = { + HEIMDALL_URL = var.heimdall_url + HEIMDALL_API_USER = var.heimdall_user + HEIMDALL_PASS_SSM_PARAM = aws_ssm_parameter.heimdall_pass_ssm_param.name + } +} + +## +# Get bucket data for use elsewhere +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket +# +data "aws_s3_bucket" "results_bucket" { + bucket = var.results_bucket_id +} + +## +# Allow the bucket events to trigger the pusher lambda +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission +# +resource "aws_lambda_permission" "allow_bucket" { + statement_id = "AllowHeimdallPusherExecutionFromS3Bucket" + action = "lambda:InvokeFunction" + function_name = module.HeimdallPusher.lambda_function_arn + principal = "s3.amazonaws.com" + source_arn = data.aws_s3_bucket.results_bucket.arn +} + +## +# Trigger lambda when objects get placed in 'unprocessed/*' +# +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification +# +resource "aws_s3_bucket_notification" "bucket_notification" { + bucket = var.results_bucket_id + + lambda_function { + lambda_function_arn = module.HeimdallPusher.lambda_function_arn + events = ["s3:ObjectCreated:*"] + filter_prefix = "unprocessed/" + } + + depends_on = [aws_lambda_permission.allow_bucket] +} diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..1e08ee2 --- /dev/null +++ b/outputs.tf @@ -0,0 +1,8 @@ + +output "function_name" { + value = module.serverless-heimdall-pusher-lambda.lambda_function_name +} + +output "function_arn" { + value = module.serverless-heimdall-pusher-lambda.lambda_function_arn +} diff --git a/push-image.sh b/push-image.sh new file mode 100644 index 0000000..d22dfbc --- /dev/null +++ b/push-image.sh @@ -0,0 +1,68 @@ +set -xe + +## +# ENV validation +# +if [ -z "$REPOSITORY_URL" ]; then + echo '$REPOSITORY_URL is a required ENV variable!' + exit 1 +fi + +if [ -z "$AWS_REGION" ]; then + echo '$AWS_REGION is a required ENV variable!' + exit 1 +fi + +if [ -z "$AWS_ACCOUNT_ID" ]; then + echo '$AWS_ACCOUNT_ID is a required ENV variable!' + exit 1 +fi + +if [ -z "$REPO_NAME" ]; then + echo '$REPO_NAME is a required ENV variable!' + exit 1 +fi + +if [ -z "$IMAGE_TAG" ]; then + echo '$IMAGE_TAG is a required ENV variable!' + exit 1 +fi + +echo "REPOSITORY_URL='$REPOSITORY_URL' AWS_REGION='$AWS_REGION' AWS_ACCOUNT_ID='$AWS_ACCOUNT_ID' REPO_NAME='$REPO_NAME' IMAGE_TAG='$IMAGE_TAG'" + +## +# Variable creation +# +IMAGE_IDENTIFIER="$REPO_NAME:$IMAGE_TAG" +IMAGE="$REPOSITORY_URL:$IMAGE_TAG" +echo $IMAGE_IDENTIFIER +echo $IMAGE + +## +# Log in to the AWS ECR registry +# +# https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ecr/get-login-password.html +# +aws ecr get-login-password \ + --region $AWS_REGION \ +| docker login \ + --username AWS \ + --password-stdin $AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com + +## +# Re-tag the image to the identifier that will be pushed up to ECR +docker tag $IMAGE_IDENTIFIER $IMAGE + +## +# Check the SHA of the local and remote images. Don't push if they are the same +# +LOCAL_SHA=$(docker images --no-trunc --quiet $IMAGE_IDENTIFIER | grep -oh 'sha256:[0-9,a-z]*') +REMOTE_SHA=$(aws ecr describe-images --repository-name $REPO_NAME --image-ids imageTag=$IMAGE_TAG --query 'imageDetails[0].imageDigest'| grep -oh 'sha256:[0-9,a-z]*' || echo 'image doesnt exist') +echo "LOCAL SHA: $LOCAL_SHA" +echo "REMOTE SHA: $REMOTE_SHA" +if [ "$LOCAL_SHA" != "$REMOTE_SHA" ]; then + docker push $IMAGE + sleep 60 +else + echo 'LOCAL AND REMOTE SHA values are identical. Skipping docker push.' +fi diff --git a/src/.ruby-version b/src/.ruby-version new file mode 100644 index 0000000..fbafd6b --- /dev/null +++ b/src/.ruby-version @@ -0,0 +1 @@ +2.7.2 \ No newline at end of file diff --git a/src/Dockerfile b/src/Dockerfile new file mode 100644 index 0000000..dc795ab --- /dev/null +++ b/src/Dockerfile @@ -0,0 +1,40 @@ +## +# Interact with the base image: +# docker run --rm -it --entrypoint bash public.ecr.aws/lambda/ruby:2.7 +# +## +# Interact with built container: +# docker run --rm -it --entrypoint bash mitre/serverless-heimdall-pusher-lambda:latest +# +# +## +# Make requests to local container: (https://docs.aws.amazon.com/lambda/latest/dg/images-test.html) +# docker run -p 9000:8080 mitre/serverless-heimdall-pusher-lambda:latest +# curl -XPOST "http://localhost:9000/2015-03-31/functions/function/invocations" -d '{}' +# +## +# +# Build the image +# docker build -t mitre/serverless-heimdall-pusher-lambda:latest . +# OR +# cd terraform/modules/inspec-lambda/; ./build-image.sh + +## +# Use Ruby from AWS lambda ECR +# +# https://gallery.ecr.aws/lambda/ruby +# +FROM public.ecr.aws/lambda/ruby:2.7 + +## +# Copy over the function code and bundle install +# +COPY lambda_function.rb Gemfile Gemfile.lock .ruby-version /var/task/ +RUN bundle install --path vendor/bundle/ + +## +# Set the handler +# +# https://docs.aws.amazon.com/lambda/latest/dg/images-create.html +# +CMD [ "lambda_function.lambda_handler" ] diff --git a/src/Gemfile b/src/Gemfile new file mode 100644 index 0000000..8b1e3ed --- /dev/null +++ b/src/Gemfile @@ -0,0 +1,8 @@ +# frozen_string_literal: true + +source 'https://rubygems.org' + +gem 'aws-sdk-lambda', '~> 1' +gem 'aws-sdk-ssm', '~> 1' +gem 'aws-sdk-s3', '~> 1' +gem 'multipart-post' diff --git a/src/Gemfile.lock b/src/Gemfile.lock new file mode 100644 index 0000000..3b9b3ac --- /dev/null +++ b/src/Gemfile.lock @@ -0,0 +1,39 @@ +GEM + remote: https://rubygems.org/ + specs: + aws-eventstream (1.1.1) + aws-partitions (1.446.0) + aws-sdk-core (3.114.0) + aws-eventstream (~> 1, >= 1.0.2) + aws-partitions (~> 1, >= 1.239.0) + aws-sigv4 (~> 1.1) + jmespath (~> 1.0) + aws-sdk-kms (1.43.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sdk-lambda (1.39.0) + aws-sdk-core (~> 3, >= 3.71.0) + aws-sigv4 (~> 1.1) + aws-sdk-s3 (1.95.1) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sdk-kms (~> 1) + aws-sigv4 (~> 1.1) + aws-sdk-ssm (1.108.0) + aws-sdk-core (~> 3, >= 3.112.0) + aws-sigv4 (~> 1.1) + aws-sigv4 (1.2.3) + aws-eventstream (~> 1, >= 1.0.2) + jmespath (1.4.0) + multipart-post (2.1.1) + +PLATFORMS + ruby + +DEPENDENCIES + aws-sdk-lambda (~> 1) + aws-sdk-s3 (~> 1) + aws-sdk-ssm (~> 1) + multipart-post + +BUNDLED WITH + 2.2.11 diff --git a/src/lambda_function.rb b/src/lambda_function.rb new file mode 100644 index 0000000..d48feaa --- /dev/null +++ b/src/lambda_function.rb @@ -0,0 +1,224 @@ +# frozen_string_literal: true + +## +# lambda_function.rb +# +# This lambda function is for ... +# +# Heimdall Enterprise Server 2.0 GitHub: https://github.com/mitre/heimdall2 +# +# export HEIMDALL_URL='http://my-heimdall-server.com' +# export HEIMDALL_API_USER='' +# export HEIMDALL_PASS_SSM_PARAM='' +# export HEIMDALL_EVAL_TAG='' +# export HEIMDALL_PUBLIC='true' +# + +require 'aws-sdk-lambda' +require 'aws-sdk-ssm' +require 'aws-sdk-s3' +require 'json' +require 'logger' +require 'net/http' +require 'net/http/post/multipart' +require 'time' +require 'uri' + +puts "RUBY_VERSION: #{RUBY_VERSION}" +$logger = Logger.new($stdout) + +## +# The AWS lamdba entrypoint +# +# Invoking lambda from the Ruby SDK: +# https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/Lambda/Client.html#invoke_async-instance_method +# +def lambda_handler(event:, context:) + $logger.info(event) + + validate_variables(event) + + records = (event['Records'] || []) + records.each do |record| + bucket_name = record.dig('s3', 'bucket', 'name') + object_key = record.dig('s3', 'object', 'key') + process_record(event, bucket_name, object_key) + end + + $logger.info('Lambda completed successfully!') +end + +## +# Process a S3 record that was passed via the event +# +def process_record(event, bucket_name, object_key) + return if bucket_name.nil? || object_key.nil? + + record_contents = get_record_contents(bucket_name, object_key) + hdf = record_contents['data'] + filename = object_key.split('/').last + $logger.info("Processing file (#{object_key}) with filename (#{filename})") + + record_contents['eval_tags'] = record_contents['eval_tags'].nil? ? 'HeimdallPusher' : record_contents['eval_tags'] + ',HeimdallPusher' + + # Save to Heimdall + heimdall_user_password = get_heimdall_password + user_id, token = get_heimdall_api_token(heimdall_user_password) + push_to_heimdall(filename, hdf, user_id, token, record_contents['eval_tags']) + + # Save to S3 + save_results_to_bucket(record_contents, bucket_name, filename) + save_hdf_to_bucket(hdf, bucket_name, filename) + remove_unprocessed_from_bucket(bucket_name, object_key) +end + +def get_record_contents(bucket_name, object_key) + $logger.info('Fetching HDF record.') + s3_client = Aws::S3::Client.new + JSON.parse(s3_client.get_object(bucket: bucket_name, key: object_key).body.read) +end + +def save_hdf_to_bucket(hdf, bucket_name, filename) + $logger.info('Saving processed HDF to bucket.') + s3_client = Aws::S3::Client.new + s3_client.put_object({ + body: StringIO.new(hdf.to_json), + bucket: bucket_name, + key: "hdf/#{filename}", + }) +end + +def save_results_to_bucket(results, bucket_name, filename) + $logger.info('Saving processed result to bucket.') + s3_client = Aws::S3::Client.new + s3_client.put_object({ + body: StringIO.new(results.to_json), + bucket: bucket_name, + key: "processed/#{filename}", + }) +end + +def remove_unprocessed_from_bucket(bucket_name, object_key) + $logger.info('Removing unprocessed result from bucket.') + s3_client = Aws::S3::Client.new + s3_client.delete_object({ + bucket: bucket_name, + key: object_key, + }) +end + +## +# Validate all expected variables. +# +# Allow event to also provide the variables - data must be passed in the event. +# +# If expected variables are present in the event, then they will take priority. +# +def validate_variables(event) + $logger.info('Validating environment variables...') + %w[ + HEIMDALL_URL + HEIMDALL_API_USER + HEIMDALL_PASS_SSM_PARAM + ].each do |var| + ENV[var] = event[var] if !event.nil? && event.include?(var) + err_msg = "Lambda requires the environment variable #{var} be set or to be passed via the event!" + raise StandardError.new, err_msg if ENV[var].nil? || ENV[var].empty? + end + ENV['HEIMDALL_URL'] = ENV['HEIMDALL_URL'].chop if ENV['HEIMDALL_URL'].end_with?('/') + $logger.info('Validated environment variables.') +end + +## +# Get Heimdall user password from AWS SSM Parameter Store. +# +# If using within a VPC and using an interface endpoint, then +# specifying the SSM_ENDPOINT variable will allow reaching +# SSM parameter store properly. +# +def get_heimdall_password + $logger.info('Fetching Heimdall Password Secret from SSM parameter store...') + ssm_client = nil + + if ENV['SSM_ENDPOINT'].nil? + $logger.info('Using default SSM Parameter Store endpoint.') + ssm_client = Aws::SSM::Client.new + else + endpoint = "https://#{/vpce.+/.match(ENV['SSM_ENDPOINT'])[0]}" + $logger.info("Using SSM Parameter Store endpoint: #{endpoint}") + ssm_client = Aws::SSM::Client.new(endpoint: endpoint) + end + + resp = ssm_client.get_parameter({ + name: ENV['HEIMDALL_PASS_SSM_PARAM'], + with_decryption: true + }) + + resp.parameter.value +end + +## +# Get a Heimdall API Token. +# +# https://github.com/mitre/heimdall2#api-usage +# +def get_heimdall_api_token(heimdall_user_password) + $logger.info('Getting token from Heimdall Server...') + payload = { + 'email': ENV['HEIMDALL_API_USER'], + 'password': heimdall_user_password + } + resp = Net::HTTP.post( + URI("#{ENV['HEIMDALL_URL']}/authn/login"), + payload.to_json, + { 'Content-Type': 'application/json' } + ) + $logger.info(resp) + raise StandardError.new, 'Failed to get token from Heimdall Server!' unless resp.is_a?(Net::HTTPSuccess) + + $logger.info('Got token from Hemdall Server.') + token = JSON.parse(resp.body)['accessToken'] + user_id = JSON.parse(resp.body)['userID'] + + raise StandardError.new, 'Returned token is not a string!' unless token.is_a?(String) + raise StandardError.new, 'Returned user ID is not a string!' unless user_id.is_a?(String) + + [user_id, token] +end + +## +# Post HDF to Heimdall Server. +# - evaluationTags is expected to be a comma separated list of tag names. +# +# https://github.com/mitre/heimdall2#api-usage +# https://www.rubydoc.info/stdlib/net/Net%2FHTTPHeader:set_form +# https://github.com/socketry/multipart-post +# +# curl -v -F "data=@aws_config_hdf.json" \ +# -F "filename=AWS-Config-Results-2021-03-12T15:24:47Z" \ +# -F "public=true" \ +# -F "evaluationTags=my-tag,my-other-tag" \ +# -H "Authorization: Bearer " \ +# "http://my-heimdall/evaluations" +# +def push_to_heimdall(filename, hdf, user_id, token, eval_tags) + $logger.info('Pushing HDF results to Heimdall Server...') + url = URI("#{ENV['HEIMDALL_URL']}/evaluations") + payload = { + 'data': UploadIO.new(StringIO.new(hdf.to_json), 'application/json', filename), + 'filename': filename, + 'userId': user_id, + 'public': ENV['HEIMDALL_PUBLIC'] || 'true', + 'evaluationTags': eval_tags + } + request = Net::HTTP::Post::Multipart.new(url.path, payload) + request['Authorization'] = "Bearer #{token}" + response = Net::HTTP.start(url.host, url.port) do |http| + http.request(request) + end + + $logger.info(response) + raise StandardError.new, 'Failed to push results to Heimdall Server!' unless response.is_a?(Net::HTTPSuccess) + + $logger.info('Results pushed to Heimdall Server.') +end diff --git a/src/run_lambda_locally.rb b/src/run_lambda_locally.rb new file mode 100644 index 0000000..29e8b73 --- /dev/null +++ b/src/run_lambda_locally.rb @@ -0,0 +1,32 @@ +# frozen_string_literal: true + +## +# Allows running the lambda function on your local development machine for +# testing purposes. +# +# export HEIMDALL_URL='http://my-heimdall-server.com/evaluations' +# export HEIMDALL_API_USER='' +# export HEIMDALL_PASS_SECRET_NAME='' +# export HEIMDALL_EVAL_TAG='' +# +# bundle exec ruby ./run_lambda_locally.rb + +require_relative 'lambda_function' + +lambda_handler( + event: { + "Records" => [ + { + "s3" => { + "bucket" => { + "name" => "inspec-results-bucket-dev-myzr" + }, + "object" => { + "key" => "unprocessed/2021-05-27_14-14-46_ConfigToHdf.json" + } + } + } + ] + }, + context: nil +) diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..0976fcf --- /dev/null +++ b/variables.tf @@ -0,0 +1,51 @@ + +variable "heimdall_url" { + description = "The url to the Heimdall server in http://... format" + type = string +} + +variable "heimdall_user" { + description = "The Heimdall user's email used to log in" + type = string +} + +variable "heimdall_password" { + description = "The Heimdall user's password used to log in" + type = string + sensitive = true +} + +variable "results_bucket_id" { + description = "The S3 bucket id/name where results will be placed and processed" + type = string +} + +variable "subnet_ids" { + description = "The subnet ids to deploy the lambda to." + type = list(string) + default = null +} + +variable "security_groups" { + description = "The security groups to assign to the lambda." + type = list(string) + default = null +} + +variable "image_version" { + description = "The image and tag of the lambda docker image to deploy" + type = string + default = null +} + +variable "lambda_role_arn" { + description = "The ARN for the IAM role that will be assigned to the lambda" + type = string + default = "" +} + +variable "lambda_name" { + description = "The name of the lambda function" + type = string + default = "serverless-inspec-lambda" +} diff --git a/version b/version new file mode 100644 index 0000000..ceab6e1 --- /dev/null +++ b/version @@ -0,0 +1 @@ +0.1 \ No newline at end of file