AWS SRA Terraform Edition

.gitignore

@@ -508,3 +508,13 @@ $RECYCLE.BIN/
 **/sra_staging_manual_upload/*
 **/dist-*/*
 poetry.lock
+
+# Ignore packages generated by TF
+**/aws_sra_examples/terraform/**/lambda/
+**.terraform
+*.tfstate
+*.tfstate.*
+*.tfvars*
+**./terraform
+*.hcl
+

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/lambda/src/app.py

@@ -358,3 +358,21 @@ def lambda_handler(event: CloudFormationCustomResourceEvent, context: Context) -
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: CloudFormationCustomResourceEvent, context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+
+    """
+    try:
+        process_event(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-bucket.yaml

@@ -227,7 +227,7 @@ Resources:
     Properties:
       Name: sra/cloudtrail_org_s3_bucket
       Description: Organization CloudTrail S3 Bucket
-      SecretString: !Sub '{"OrganizationCloudTrailS3Bucket":"${rOrgTrailBucket}"}' # checkov:skip=CKV_SECRET_6
+      SecretString: !Sub '{"OrganizationCloudTrailS3Bucket":"${rOrgTrailBucket}"}'  # checkov:skip=CKV_SECRET_6
       KmsKeyId: !Ref pSRASecretsKeyAliasArn
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/cloudtrail/cloudtrail_org/templates/sra-cloudtrail-org-kms.yaml

@@ -160,7 +160,7 @@ Resources:
     Properties:
       Name: sra/cloudtrail_org_key_arn
       Description: Organization CloudTrail KMS Key ARN
-      SecretString: !Sub '{"OrganizationCloudTrailKeyArn":"${rOrganizationCloudTrailKey.Arn}"}' # checkov:skip=CKV_SECRET_6
+      SecretString: !Sub '{"OrganizationCloudTrailKeyArn":"${rOrganizationCloudTrailKey.Arn}"}'  # checkov:skip=CKV_SECRET_6
       KmsKeyId: !Ref pSRASecretsKeyAliasArn
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/common/common_prerequisites/lambda/src/app.py

@@ -494,3 +494,25 @@ def lambda_handler(event: CloudFormationCustomResourceEvent, context: Context) -
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"See the details in CloudWatch Log Stream: '{context.log_group_name}'") from None
+
+
+def terraform_handler(event: dict, context: Context) -> dict:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+
+    Returns:
+        dict: status code
+    """
+    try:
+        create_update_event(event, context)
+        response = {"event": event, "statusCode": 200}
+        return response
+    except Exception as error_msg:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"See the details in CloudWatch Log Stream: '{context.log_group_name}' Error Message: {error_msg}") from None

aws_sra_examples/solutions/common/common_register_delegated_administrator/lambda/src/app.py

@@ -263,3 +263,28 @@ def lambda_handler(
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: dict, context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        request_type = event["RequestType"]
+
+        if request_type == "Create":
+            create(event, context)
+        elif request_type == "Delete":
+            delete(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None

aws_sra_examples/solutions/config/config_org/templates/sra-config-org-delivery-kms-key.yaml

@@ -142,7 +142,7 @@ Resources:
     Properties:
       Name: sra/config_org_delivery_key_arn
       Description: Config Delivery KMS Key ARN
-      SecretString: !Sub '{"ConfigDeliveryKeyArn":"${rConfigDeliveryKey.Arn}"}' # checkov:skip=CKV_SECRET_6
+      SecretString: !Sub '{"ConfigDeliveryKeyArn":"${rConfigDeliveryKey.Arn}"}'  # checkov:skip=CKV_SECRET_6
       KmsKeyId: !Ref pSRASecretsKeyAliasArn
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/guardduty/guardduty_org/lambda/src/app.py

@@ -302,3 +302,30 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None:
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+            raise ValueError(
+                f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details."
+            ) from None
+        elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns":
+            process_sns_records(event["Records"])
+        elif "RequestType" in event:
+            process_cloudformation_event(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None

aws_sra_examples/solutions/guardduty/guardduty_org/templates/sra-guardduty-org-delivery-kms-key.yaml

@@ -142,7 +142,7 @@ Resources:
     Properties:
       Name: sra/guardduty_org_delivery_key_arn
       Description: GuardDuty Delivery KMS Key ARN
-      SecretString: !Sub '{"GuardDutyDeliveryKeyArn":"${rGuardDutyDeliveryKey.Arn}"}' # checkov:skip=CKV_SECRET_6
+      SecretString: !Sub '{"GuardDutyDeliveryKeyArn":"${rGuardDutyDeliveryKey.Arn}"}'  # checkov:skip=CKV_SECRET_6
       KmsKeyId: !Ref pSRASecretsKeyAliasArn
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/iam/iam_password_policy/lambda/src/app.py

@@ -153,7 +153,10 @@ def lambda_handler(event: CloudFormationCustomResourceEvent, context: Context) -
 
     """
     try:
-        helper(event, context)
+        if event.get("ResourceType") == "Terraform":
+            process_cloudformation_event(event, context)
+        else:
+            helper(event, context)
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None

aws_sra_examples/solutions/inspector/inspector_org/lambda/src/app.py

@@ -88,8 +88,14 @@ def process_event(event: dict) -> None:
     excluded_accounts: list = [params["DELEGATED_ADMIN_ACCOUNT_ID"]]
     accounts = common.get_active_organization_accounts(excluded_accounts)
     regions = common.get_enabled_regions(params["ENABLED_REGIONS"], params["CONTROL_TOWER_REGIONS_ONLY"] == "true")
-
-    process_add_update_event(params, regions, accounts)
+    if event.get("ResourceType") == "Terraform" and event.get("tf", {}).get("action") == "delete":
+        LOGGER.info("...Disable Inspector from Terraform")
+        disabled_inspector_service(params, regions)
+    elif event.get("RequestType") == "Delete":
+        LOGGER.info("...Disable Inspector via process_event")
+        disabled_inspector_service(params, regions)
+    else:
+        process_add_update_event(params, regions, accounts)
 
 
 def parameter_pattern_validator(parameter_name: str, parameter_value: Optional[str], pattern: str, is_optional: bool = False) -> dict:
@@ -314,10 +320,14 @@ def disabled_inspector_service(params: dict, regions: list) -> None:
         params: Configuration Parameters
         regions: list of regions
     """
+    scan_components = params["SCAN_COMPONENTS"].split(",")
     LOGGER.info("Remove inspector")
-    LOGGER.info(f"disabled_inspector_service: ALL_INSPECTOR_SCAN_COMPONENTS as ({ALL_INSPECTOR_SCAN_COMPONENTS})")
+    LOGGER.info(f"disabled_inspector_service: scan_components as ({scan_components})")
     inspector.disable_inspector_in_associated_member_accounts(
-        params["DELEGATED_ADMIN_ACCOUNT_ID"], params["CONFIGURATION_ROLE_NAME"], regions, ALL_INSPECTOR_SCAN_COMPONENTS
+        params["DELEGATED_ADMIN_ACCOUNT_ID"],
+        params["CONFIGURATION_ROLE_NAME"],
+        regions,
+        scan_components,
     )
 
     inspector.disable_auto_scanning_in_org(params["DELEGATED_ADMIN_ACCOUNT_ID"], params["CONFIGURATION_ROLE_NAME"], regions)
@@ -329,7 +339,8 @@ def disabled_inspector_service(params: dict, regions: list) -> None:
         params["CONFIGURATION_ROLE_NAME"],
         params["MANAGEMENT_ACCOUNT_ID"],
         params["DELEGATED_ADMIN_ACCOUNT_ID"],
-        ALL_INSPECTOR_SCAN_COMPONENTS,
+        # ALL_INSPECTOR_SCAN_COMPONENTS,
+        scan_components,
     )
 
     deregister_delegated_administrator(params["DELEGATED_ADMIN_ACCOUNT_ID"], SERVICE_NAME)
@@ -540,8 +551,12 @@ def orchestrator(event: Dict[str, Any], context: Any) -> None:
         context: runtime information
     """
     if event.get("RequestType"):
-        LOGGER.info("...calling helper...")
-        helper(event, context)
+        if event.get("ResourceType") and event["ResourceType"] == "Terraform":
+            LOGGER.info("...calling process_event from Terraform...")
+            process_event(event)
+        else:
+            LOGGER.info("...calling helper...")
+            helper(event, context)
     elif event.get("Records") and event["Records"][0]["EventSource"] == "aws:sns":
         LOGGER.info("...aws:sns record...")
         process_event_sns(event)

aws_sra_examples/solutions/macie/macie_org/lambda/src/app.py

@@ -220,3 +220,30 @@ def lambda_handler(event: Dict[str, Any], context: Context) -> None:
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Terraform Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+            raise ValueError(
+                f"The event did not include Records, RequestType, or source. Review CloudWatch logs '{context.log_group_name}' for details."
+            ) from None
+        elif "Records" in event and event["Records"][0]["EventSource"] == "aws:sns":
+            process_sns_records(event["Records"])
+        elif "RequestType" in event:
+            process_cloudformation_event(event, context)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None

aws_sra_examples/solutions/macie/macie_org/templates/sra-macie-org-delivery-kms-key.yaml

@@ -148,7 +148,7 @@ Resources:
     Properties:
       Name: sra/macie_org_delivery_key_arn
       Description: Macie Delivery KMS Key ARN
-      SecretString: !Sub '{"MacieOrgDeliveryKeyArn":"${rMacieOrgDeliveryKey.Arn}"}' # checkov:skip=CKV_SECRET_6
+      SecretString: !Sub '{"MacieOrgDeliveryKeyArn":"${rMacieOrgDeliveryKey.Arn}"}'  # checkov:skip=CKV_SECRET_6
       KmsKeyId: !Ref pSRASecretsKeyAliasArn
       Tags:
         - Key: sra-solution

aws_sra_examples/solutions/securityhub/securityhub_org/lambda/src/app.py

@@ -436,3 +436,34 @@ def lambda_handler(event: Dict[str, Any], context: Any) -> None:
     except Exception:
         LOGGER.exception(UNEXPECTED)
         raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None
+
+
+def terraform_handler(event: Dict[str, Any], context: Context) -> None:
+    """Lambda Handler.
+
+    Args:
+        event: event data
+        context: runtime information
+
+    Raises:
+        ValueError: Unexpected error executing Lambda function
+    """
+    LOGGER.info("....Lambda Handler Started....")
+    event_info = {"Event": event}
+    LOGGER.info(event_info)
+    try:
+        if "Records" not in event and "RequestType" not in event and ("source" not in event and event["source"] != "aws.controltower"):
+            raise ValueError(
+                f"The event did not include Records or RequestType. Review CloudWatch logs '{context.log_group_name}' for details."
+            ) from None
+        elif event.get("source") == "aws.controltower":
+            process_event_lifecycle(event)
+        elif event.get("source") == "aws.organizations":
+            process_event_organizations(event)
+        elif event.get("Records") and event["Records"][0]["EventSource"] == "aws:sns":
+            process_event_sns(event)
+        else:
+            process_event(event)
+    except Exception:
+        LOGGER.exception(UNEXPECTED)
+        raise ValueError(f"Unexpected error executing Lambda function. Review CloudWatch logs '{context.log_group_name}' for details.") from None