First version of trend-cloudone-onboard.

.gitignore

@@ -160,3 +160,16 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
+
+# taskcat
+taskcat_outputs/
+.taskcat/
+.taskcat.secrets.yml
+# since the zips are automatically generated, we don't want to check them in
+lambda_functions/packages/
+
+# General
+.DS_Store
+
+# Ash
+aggregated_results.txt

.taskcat.yml

@@ -1,7 +1,8 @@
 project:
-  name: update-me-to-project-repo-name
-  owner: [email protected]
-  package_lambda: false
+  name: cfn-abi-trend-cloudone
+  owner: [email protected] #We need a DL for this.
+  package_lambda: true
+  shorten_stack_name: true
   regions:
   - ap-northeast-1
   - ap-northeast-2
@@ -14,20 +15,12 @@ project:
   - us-west-1
   - us-west-2
 tests:
-  sample:
+  t1:
     parameters:
-      Param1: 'Inputs to Stack'
-      # Examples: of other taskcat dynamic input parameters for more into see http://taskcat.io
-      #
-      #      AvailabilityZones: $[taskcat_genaz_3]
-      #      ByteValue: 1
-      #      PasswordA: $[taskcat_genpass_8A]
-      #      PasswordB: $[taskcat_genpass_32S]
-      #      RandomNumber: $[taskcat_random-numbers]
-      #      RandomString: $[taskcat_random-string]
-      #      StackName: TestStack
-      #      UUID: $[taskcat_genuuid]
-      #
+      CloudOneApiKey: $[taskcat_secrets_get_CloudOneApiKey]
+      VisionOneServiceToken: $[taskcat_secrets_get_VisionOneServiceToken]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
     regions:
     - us-east-1
-    template: templates/sample-workload.template.yaml
+    template: templates/trend-cloudone-onboard/main.template.yaml

lambda_functions/source/AWSConnectorCreateLambda/app.py

@@ -0,0 +1,64 @@
+"""Custom Resource to add an AWS Account to Trend Cloud One Workload Security.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import urllib3
+import cfnresponse
+import os
+
+def lambda_handler(event, context):
+    print(event)
+
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+
+    accountId = os.environ['awsaccountid']
+    externalId = os.environ['externalid']
+    crossAccountRoleArn = os.environ['crossaccountrolearn']
+    cloudOneApiKey = event['ResourceProperties']['CloudOneApiKey']
+    cloudOneRegion = event['ResourceProperties']['CloudOneRegion']
+
+    headers = {
+        'api-version': 'v1',
+        'Authorization': 'ApiKey '+cloudOneApiKey+'',
+        'Content-Type': 'application/json'
+    }
+
+    http = urllib3.PoolManager()
+
+    try:
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+
+            url = 'https://workload.'+cloudOneRegion+'.cloudone.trendmicro.com/api/awsconnectors'
+
+            payload = json.dumps({
+            "displayName": accountId,
+            "accountId": accountId,
+            "crossAccountRoleArn": crossAccountRoleArn                                                                                        
+            })
+
+            encoded_payload = payload.encode("utf-8")
+            response = http.request("POST", url=url, headers=headers, body=encoded_payload)
+
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            physicalResourceId = str(response_json_data["ID"]) 
+            response_data = {"ID": str(response_json_data["ID"])}
+
+        else: # if event["RequestType"] == "Delete":
+            ID = event["PhysicalResourceId"]
+
+            url = 'https://workload.'+cloudOneRegion+'.cloudone.trendmicro.com/api/awsconnectors/'+ID
+            response = http.request("DELETE", url=url, headers=headers)
+            print(response.data.decode("utf-8"))
+
+    except Exception as exception:
+        print(exception)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)

lambda_functions/source/AWSConnectorCreateLambda/cfnresponse.py

@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)

lambda_functions/source/AWSConnectorCreateLambda/requirements.txt

@@ -0,0 +1,2 @@
+# install the latest version
+crhelper

lambda_functions/source/AddAWSAccountToCloudOneFunction/app.py

@@ -0,0 +1,61 @@
+"""Custom Resource to add an AWS Account to Trend Cloud One.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import os
+import urllib3
+import cfnresponse
+
+def lambda_handler(event, context):
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+    try:
+
+        cloudOneRoleArn = os.environ['CloudOneRoleArn']
+        cloudOneRegion = os.environ['CloudOneRegion']
+        cloudOneApiKey = os.environ['CloudOneApiKey']
+
+        headers = {
+            'api-version': 'v1',
+            'Authorization': 'ApiKey '+cloudOneApiKey+'',
+            'Content-Type': 'application/json'
+        }
+
+        http = urllib3.PoolManager()
+
+
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+
+            url = 'https://cloudaccounts.'+cloudOneRegion+'.cloudone.trendmicro.com/api/cloudaccounts/aws'
+
+            payload = json.dumps({
+                'roleARN': cloudOneRoleArn
+            })
+            encoded_payload = payload.encode("utf-8")
+            print(url)
+            response = http.request("POST", url=url, headers=headers, body=encoded_payload)
+            print(response)
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            physicalResourceId = response_json_data["id"] 
+            response_data = {"ID": response_json_data["id"]}
+
+        else: # if event["RequestType"] == "Delete":
+            id = event["PhysicalResourceId"]
+
+            url = 'https://cloudaccounts.'+cloudOneRegion+'.cloudone.trendmicro.com/api/cloudaccounts/aws/' + id
+
+            print(url)
+            response = http.request("DELETE", url=url, headers=headers)
+            print(response)
+
+    except Exception as exception:
+        print(exception)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)

lambda_functions/source/AddAWSAccountToCloudOneFunction/cfnresponse.py

@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)

lambda_functions/source/AddAWSAccountToCloudOneFunction/requirements.txt

@@ -0,0 +1,2 @@
+# install the latest version
+crhelper

lambda_functions/source/GetCloudOneRegionAndAccountFunction/app.py

@@ -0,0 +1,50 @@
+"""Custom Resource to get the Trend Cloud One region and account id.
+
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import os
+import urllib3
+import cfnresponse
+
+def lambda_handler(event, context):
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+    try:
+
+        if event["RequestType"] == "Create" or event["RequestType"] == "Update":
+            cloudOneApiKey = os.environ['CloudOneApiKey']
+            apiKeyId = cloudOneApiKey.split(':')[0]
+
+            url = 'https://accounts.cloudone.trendmicro.com/api/apikeys/' + apiKeyId
+
+            headers = {
+                'api-version': 'v1',
+                'Authorization': 'ApiKey '+cloudOneApiKey+'',
+                'Content-Type': 'application/json'
+            }
+
+            http = urllib3.PoolManager()
+            print(url)
+            response = http.request("GET", url=url, headers=headers)
+            print(response)
+            response_json_data = json.loads(response.data.decode("utf-8"))
+            print(response_json_data)
+            urn = response_json_data["urn"]
+            region = urn.split(":")[3]
+            accountId = urn.split(":")[4]
+            physicalResourceId = response_json_data["urn"] 
+            response_data = {"AccountId": accountId, "Region": region}
+
+        else: # if event["RequestType"] == "Delete":
+            physicalResourceId = event["PhysicalResourceId"]
+
+    except Exception as e:
+        print(e)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)

lambda_functions/source/GetCloudOneRegionAndAccountFunction/cfnresponse.py

@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)

lambda_functions/source/GetCloudOneRegionAndAccountFunction/requirements.txt

@@ -0,0 +1,2 @@
+# install the latest version
+crhelper