
Implements a v2 Lambda Output with AssumeRole #1227

Merged 7 commits on Apr 7, 2020

Conversation

Ryxias
Contributor

@Ryxias Ryxias commented Apr 6, 2020

to: @ryandeivert @blakemotl @chunyong-lin
cc: @airbnb/streamalert-maintainers

Background

We needed to be able to invoke Lambda across AWS accounts. The problem is the existing Lambda output seems to be.. wrong. It doesn't derive configs from the right place.

Instead of breaking reverse compatibility, I just added a v2 that is easier to set up and is more consistent with existing implementations. This v2 also has the ability to make sts:AssumeRole calls, in order to make Lambda invocations across accounts. However, it assumes that you already set up the IAM Policies correctly.

Testing

Tested on stage; built a test lambda and was able to invoke it.
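The cross-account flow the description refers to (sts:AssumeRole, then lambda:InvokeFunction with the temporary credentials), as an added Python example that is not StreamAlert's v2 output code. The function name, the injected-client design, the fake STS/Lambda clients and the alert payload are assumptions; the ARNs are constructed from the placeholder account ids and role name used later in this thread.

```python
import json

def invoke_cross_account_lambda(alert, function_arn, sts_client, lambda_client_factory,
                                assume_role_arn=None, session_name="streamalert"):
    """Send `alert` as the JSON payload of `function_arn`, via sts:AssumeRole when
    `assume_role_arn` is set. lambda_client_factory builds a Lambda client from keyword
    credentials (real use: lambda **kw: boto3.client("lambda", **kw)). True only on 2xx."""
    if assume_role_arn:
        # Caller's role needs sts:AssumeRole on this role; the role needs lambda:InvokeFunction.
        creds = sts_client.assume_role(RoleArn=assume_role_arn,
                                       RoleSessionName=session_name)["Credentials"]
        client = lambda_client_factory(aws_access_key_id=creds["AccessKeyId"],
                                       aws_secret_access_key=creds["SecretAccessKey"],
                                       aws_session_token=creds["SessionToken"])
    else:
        client = lambda_client_factory()  # same-account invoke with the caller's own role
    result = client.invoke(FunctionName=function_arn, InvocationType="Event",
                           Payload=json.dumps(alert).encode("utf-8"))
    # A 2xx with a FunctionError key means Lambda ran but the function raised; treat as failure.
    return 200 <= result.get("StatusCode", 0) < 300 and "FunctionError" not in result

# Constructed stand-ins for the boto3 clients so the flow can be exercised offline.
class FakeSts:
    def __init__(self):
        self.roles_requested = []
    def assume_role(self, RoleArn, RoleSessionName):
        self.roles_requested.append(RoleArn)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
                                "SecretAccessKey": "secret", "SessionToken": "token"}}

class FakeLambda:
    instances = []  # every client built, so the credentials it was given can be inspected
    def __init__(self, response=None, **creds):
        self.creds, self.calls = creds, []
        self.response = response or {"StatusCode": 202}  # async Event invokes return 202
        FakeLambda.instances.append(self)
    def invoke(self, **kwargs):
        self.calls.append(kwargs)
        return self.response

def demo():
    """Cross-account invoke with constructed ARNs; returns (ok, roles assumed, client used)."""
    sts = FakeSts()
    ok = invoke_cross_account_lambda(
        {"rule_name": "sample_rule", "id": "constructed-alert-id"},
        "arn:aws:lambda:us-east-1:999999999999:function:derek_test_func", sts, FakeLambda,
        assume_role_arn="arn:aws:iam::999999999999:role/service-role/derek_test_func-role-k29ynxjk")
    return ok, sts.roles_requested, FakeLambda.instances[-1]
```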

@Ryxias Ryxias added this to the 3.2.0 milestone Apr 6, 2020
@coveralls

coveralls commented Apr 6, 2020

Coverage Status

Coverage decreased (-0.007%) to 95.425% when pulling 95e36a6 on dw--lambuh into f4c343a on release-3-2-0.

@@ -2,6 +2,9 @@
"aws-lambda": {
"sample-lambda": "function-name:qualifier"
},
"aws-lambda-v2": [
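Review bot: `"aws-lambda-v2": [` opens a JSON list, while the sibling `"aws-lambda"` entry two lines above is a dict keyed by descriptor; that dict shape is what `AWSOutput.format_output_config` merges with `dict(service_config.get(cls.__service__, {}), **{descriptor: aws_value})`, so `manage.py outputs new` would write a dict under this key rather than append to a list. Either key the new entry by descriptor like `"aws-lambda"`, or build the v2 output on `OutputDispatcher` instead of `AWSOutput` so the list layout goes through the generic config path; the hunk is cut off after the opening bracket, so the list contents themselves cannot be reviewed here.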
Contributor


IIRC, this is not actually how this info will be written to the outputs.json config file for AWSOutput types .. see here:

    def format_output_config(cls, service_config, values):
        """Format the output configuration for this AWS service to be written to disk

        AWS services are stored as a dictionary within the config instead of a list so
        we have access to the AWS value (arn/bucket name/etc) for Terraform

        Args:
            service_config (dict): The actual outputs config that has been read in
            values (OrderedDict): Contains all the OutputProperty items for this service

        Returns:
            dict{<string>: <string>}: Updated dictionary of descriptors and
                values for this AWS service needed for the output configuration

        NOTE: S3 requires the bucket name, not an arn, for this value.
            Instead of implementing this differently in subclasses, all AWSOutput
            subclasses should use a generic 'aws_value' to store the value for the
            descriptor used in configuration
        """
        return dict(service_config.get(cls.__service__, {}),
                    **{values['descriptor'].value: values['aws_value'].value})

did you confirm that this actually works as expected with the manage.py outputs new ... command?

Contributor Author


Oh wow, no this is totally not gonna work. Good catch. No I didn't confirm it as I'm still testing it, but it's good to know that it's definitely wrong.

I think the easy fix is to just not inherit from this base class and just use the OutputDispatcher base class like any other sane output.

Contributor


agreed - we can trend away from the AWSOutput class usage for future aws outputs now that ssm is a thing

Contributor

@ryandeivert ryandeivert left a comment


lgtm with one curiosity/question

@Ryxias
Contributor Author

Ryxias commented Apr 7, 2020

I got this to work with Terraform configurations that look like:

# Module for cross-account assume role policies
resource "aws_iam_role_policy" "assume_role_policy_on_alert" {
  name   = "AssumeRoleOnTestLambdaAccount"
  role   = module.alert_processor_lambda.role_id
  policy = data.aws_iam_policy_document.allow_assume_role.json
}

data "aws_iam_policy_document" "allow_assume_role" {
  statement {
    effect = "Allow"

    actions = [
      "sts:AssumeRole"
    ]

    resources = ["arn:aws:iam::999999999999:role/service-role/derek_test_func-role-k29ynxjk"]
  }
}

# Role on cross account 999999999999
resource "aws_iam_role" "test_role" {
  name   = "derek_test_func-role-k29ynxjk"
  path   = "/service-role/"
  assume_role_policy = data.aws_iam_policy_document.instance-assume-role-policy.json
}

data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    effect = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }

  statement {
    effect = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type = "AWS"

      # For some reason this doesn't work? You gotta grant to the **assumed** role?
      # identifiers = ["arn:aws:iam::123456789012:role/streamalert/derek20200406_streamalert_alert_processor_role"]
      identifiers = ["arn:aws:sts::123456789012:assumed-role/derek20200406_streamalert_alert_processor_role/derek20200406_streamalert_alert_processor"]
    }
  }
}

resource "aws_iam_role_policy" "invoke_test_func" {
  name   = "AssumeRoleOnTestLambdaAccount"
  role   = aws_iam_role.test_role.id
  policy = data.aws_iam_policy_document.invoke_policy.json
}

data "aws_iam_policy_document" "invoke_policy" {
  statement {
    effect = "Allow"
    actions = [
      "lambda:InvokeFunction"
    ]
    resources = [
      "arn:aws:lambda:us-east-1:123456789012:function:derek_test_func"
    ]
  }
}

@Ryxias Ryxias merged commit b552a05 into release-3-2-0 Apr 7, 2020
@Ryxias Ryxias deleted the dw--lambuh branch April 7, 2020 17:41
ryandeivert added a commit that referenced this pull request Apr 9, 2020
* bumping version to 3.2.0

* migrating Athena function to use tf_lambda module (#1217)

* rename of athena function

* updating terraform generation code to use tf_lambda module

* updating tf_athena module to remove lambda code

* updates for packaging, rollback, and deploy

* misc updates related to config path renaming, etc

* removing no-longer-used method (athena is default)

* addressing PR feedback

* adding more granular time prefix to athena client

* fixing duplicate resource issues (#1218)

* fixing duplicate resource issues

* fixing some other bugs in #1217

* fixing tf targets for athena deploy (#1220)

* adding "--config-dir" flag to CLI to support specifying path for config files (#1224)

* adding support for supplying path to config via CLI flag

* misc touchups

* updating publishers to accept configurable paths (#1223)

* moving matchers outside of rules directory

* updating rules for new matcher path

* updating unit test for consistency

* making publisher locations configurable

* fixing typo

* updating tf_lambda module to remove extra resources (#1225)

* fixing rollback for all functions, removing 'all' flag for function deploys (#1222)

* updating rollback functionality to include all funcs

* updating tests to check for rollback of all funcs

* updating docs

* fixing tf cycle and index issue (#1226)

* Add missing dependency (#1228)

* Implements a v2 Lambda Output with AssumeRole (#1227)

* First draft of aws-lambda-v2

* Tests

* Fixup

* Fixup

* Fixup

* Fixup

* fixup

* adding terraform references for some buckets (#1229)

* adding athena terraform references instead of literals

* fixing tests

* GitHub Actions (#1231)

* port to github actions

* remove travis

* cover the 3.2 branch for now too

* initial updates to simplify lambda packaging logic (#1232)

* moving some precompiled files

* initial revamp to packaging to remove multiple packages

* taking out more trash

* update scheduled queries module

* updating deploy logic to suck garbage slightly less

* updates to unit tests

* addressing pr feedback

* addressing PR feedback

* small update to docs (#1233)

Co-authored-by: Ryxias <[email protected]>
Co-authored-by: Paul Kehrer <[email protected]>