aws-ia · kkvinjam · May 2, 2023 · Apr 6, 2023 · Apr 11, 2023 · Apr 11, 2023
diff --git a/.gitignore b/.gitignore
@@ -164,7 +164,6 @@ cython_debug/
 # taskcat
 taskcat_outputs/
 .taskcat/
-.taskcat.secrets.yml
 
 # since the zips are automatically generated, we don't want to check them in
 lambda_functions/packages/
@@ -174,4 +173,3 @@ lambda_functions/packages/
 
 # Ash
 aggregated_results.txt
-
diff --git a/.taskcat.yml b/.taskcat.yml
@@ -1,13 +1,23 @@
 project:
-  name: cfn-abi-trend-cloudone-ws-ssm-deployment
-  owner: justin_perkins@trendmicro.com
-  package_lambda: false
+  name: cfn-abi-trend-cloudone
+  owner: raphael_bottino@trendmicro.com #We need a DL for this.
+  package_lambda: true
   shorten_stack_name: true
   regions:
   - us-east-1
 
 tests:
-  examination1:
+  t1:
+    parameters:
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      VisionOneAuthenticationToken: $[taskcat_ssm_/trend/visionone_authentication_token]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+      ExistingOrganizationalCloudtrailBucketName: $[taskcat_ssm_/trend/existing_organizational_cloudtrail_bucket_name]
+    regions:
+    - us-east-1
+    template: templates/trend-cloudone-onboard/main.template.yaml
+  ws-ssm-deployment:
     parameters:
       DeploymentTargets: 'ou-br9h-5q1xhx7c,ou-br9h-pna1itsq'
       dsActivationUrl: $[taskcat_ssm_/trend/activation_url]
@@ -18,4 +28,3 @@ tests:
     regions:
     - us-east-1
     template: templates/trend-cloudone-ws-ssm-association/c1ws-ssm-orgs.template.yaml
-
diff --git a/images/cloudtrail-integration.png b/images/cloudtrail-integration.png
diff --git a/lambda_functions/source/AWSConnectorCreateLambda/app.py b/lambda_functions/source/AWSConnectorCreateLambda/app.py
@@ -0,0 +1,64 @@
+"""Custom Resource to add an AWS Account to Trend Cloud One Workload Security.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import urllib3
+import cfnresponse
+import os
+import boto3
+
+def lambda_handler(event, context):
+
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+
+    accountId = os.environ['awsaccountid']
+    crossAccountRoleArn = os.environ['crossaccountrolearn']
+    sm = boto3.client('secretsmanager')
+    cloudOneApiKey = sm.get_secret_value(SecretId=event['ResourceProperties']['CloudOneApiKeySecret'])['SecretString']
+    cloudOneRegion = event['ResourceProperties']['CloudOneRegion']
+
+    headers = {
+        'api-version': 'v1',
+        'Authorization': 'ApiKey '+cloudOneApiKey+'',
+        'Content-Type': 'application/json'
+    }
+
+    http = urllib3.PoolManager()
+
+    try:
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+
+            url = 'https://workload.'+cloudOneRegion+'.cloudone.trendmicro.com/api/awsconnectors'
+
+            payload = json.dumps({
+            "displayName": accountId,
+            "accountId": accountId,
+            "crossAccountRoleArn": crossAccountRoleArn                                                                                        
+            })
+
+            encoded_payload = payload.encode("utf-8")
+            response = http.request("POST", url=url, headers=headers, body=encoded_payload)
+
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            physicalResourceId = str(response_json_data["ID"]) 
+            response_data = {"ID": str(response_json_data["ID"])}
+
+        else: # if event["RequestType"] == "Delete":
+            ID = event["PhysicalResourceId"]
+
+            url = 'https://workload.'+cloudOneRegion+'.cloudone.trendmicro.com/api/awsconnectors/'+ID
+            response = http.request("DELETE", url=url, headers=headers)
+            print(response.data.decode("utf-8"))
+
+    except Exception as exception:
+        print(exception)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)
diff --git a/lambda_functions/source/AWSConnectorCreateLambda/cfnresponse.py b/lambda_functions/source/AWSConnectorCreateLambda/cfnresponse.py
@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)
diff --git a/lambda_functions/source/AWSConnectorCreateLambda/requirements.txt b/lambda_functions/source/AWSConnectorCreateLambda/requirements.txt
@@ -0,0 +1 @@
+# install the latest version
diff --git a/lambda_functions/source/AddAWSAccountToCloudOneFunction/app.py b/lambda_functions/source/AddAWSAccountToCloudOneFunction/app.py
@@ -0,0 +1,63 @@
+"""Custom Resource to add an AWS Account to Trend Cloud One.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import os
+import urllib3
+import cfnresponse
+import boto3
+
+def lambda_handler(event, context):
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+    try:
+
+        cloudOneRoleArn = os.environ['CloudOneRoleArn']
+        cloudOneRegion = os.environ['CloudOneRegion']
+        sm = boto3.client('secretsmanager')
+        cloudOneApiKey = sm.get_secret_value(SecretId=os.environ['CloudOneApiKeySecret'])['SecretString']
+
+        headers = {
+            'api-version': 'v1',
+            'Authorization': 'ApiKey '+cloudOneApiKey+'',
+            'Content-Type': 'application/json'
+        }
+
+        http = urllib3.PoolManager()
+
+
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+
+            url = 'https://cloudaccounts.'+cloudOneRegion+'.cloudone.trendmicro.com/api/cloudaccounts/aws'
+
+            payload = json.dumps({
+                'roleARN': cloudOneRoleArn
+            })
+            encoded_payload = payload.encode("utf-8")
+            print(url)
+            response = http.request("POST", url=url, headers=headers, body=encoded_payload)
+            print(response)
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            physicalResourceId = response_json_data["id"] 
+            response_data = {"ID": response_json_data["id"]}
+
+        else: # if event["RequestType"] == "Delete":
+            id = event["PhysicalResourceId"]
+
+            url = 'https://cloudaccounts.'+cloudOneRegion+'.cloudone.trendmicro.com/api/cloudaccounts/aws/' + id
+
+            print(url)
+            response = http.request("DELETE", url=url, headers=headers)
+            print(response)
+
+    except Exception as exception:
+        print(exception)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)
diff --git a/lambda_functions/source/AddAWSAccountToCloudOneFunction/cfnresponse.py b/lambda_functions/source/AddAWSAccountToCloudOneFunction/cfnresponse.py
@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)
diff --git a/lambda_functions/source/AddAWSAccountToCloudOneFunction/requirements.txt b/lambda_functions/source/AddAWSAccountToCloudOneFunction/requirements.txt
@@ -0,0 +1 @@
+# install the latest version
diff --git a/lambda_functions/source/GetCloudOneRegionAndAccountFunction/app.py b/lambda_functions/source/GetCloudOneRegionAndAccountFunction/app.py
@@ -0,0 +1,52 @@
+"""Custom Resource to get the Trend Cloud One region and account id.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import os
+import urllib3
+import cfnresponse
+import boto3
+
+def lambda_handler(event, context):
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+    try:
+
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+            sm = boto3.client('secretsmanager')
+            cloudOneApiKey = sm.get_secret_value(SecretId=os.environ['CloudOneApiKeySecret'])['SecretString']
+            apiKeyId = cloudOneApiKey.split(':')[0]
+
+            url = 'https://accounts.cloudone.trendmicro.com/api/apikeys/' + apiKeyId
+
+            headers = {
+                'api-version': 'v1',
+                'Authorization': 'ApiKey '+cloudOneApiKey+'',
+                'Content-Type': 'application/json'
+            }
+
+            http = urllib3.PoolManager()
+            print(url)
+            response = http.request("GET", url=url, headers=headers)
+            print(response)
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            urn = response_json_data["urn"]
+            region = urn.split(":")[3]
+            accountId = urn.split(":")[4]
+            physicalResourceId = response_json_data["urn"] 
+            response_data = {"AccountId": accountId, "Region": region}
+
+        else: # if event["RequestType"] == "Delete":
+            physicalResourceId = event["PhysicalResourceId"]
+
+    except Exception as e:
+        print(e)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)
diff --git a/lambda_functions/source/GetCloudOneRegionAndAccountFunction/cfnresponse.py b/lambda_functions/source/GetCloudOneRegionAndAccountFunction/cfnresponse.py
@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)
diff --git a/lambda_functions/source/GetCloudOneRegionAndAccountFunction/requirements.txt b/lambda_functions/source/GetCloudOneRegionAndAccountFunction/requirements.txt
@@ -0,0 +1 @@
+# install the latest version