From e8db416ba8761f5bdfa57f78789b38f706401080 Mon Sep 17 00:00:00 2001 From: rjulian Date: Sun, 13 Sep 2020 14:46:25 -0700 Subject: [PATCH 1/2] Semi-automated multi account push --- README.md | 8 ++++---- source/reflex_aws_cloudfront_logging_disabled.py | 6 +++++- terraform/assume_role/assume_role.tf | 9 +++++++++ terraform/assume_role/variables.tf | 5 +++++ terraform/cwe/main.tf | 2 +- terraform/sqs_lambda/sqs_lambda.tf | 2 +- 6 files changed, 25 insertions(+), 7 deletions(-) create mode 100644 terraform/assume_role/assume_role.tf create mode 100644 terraform/assume_role/variables.tf diff --git a/README.md b/README.md index ac4e1b0..08d9b4f 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ A Reflex rule to detect when CloudFront logging is disabled. To learn more about CloudFront logging, see [the AWS Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/reports-and-monitoring.html). ## Getting Started -To get started using Reflex, check out [the Reflex Documentation](https://docs.cloudmitigator.com/). +To get started using Reflex, check out [the Reflex Documentation](https://docs.reflexivesecurity.com/). ## Usage To use this rule either add it to your `reflex.yaml` configuration file: @@ -18,7 +18,7 @@ rules: or add it directly to your Terraform: ``` module "cloudfront-logging-disabled" { - source = "git::https://github.com/cloudmitigator/reflex-aws-cloudfront-logging-disabled.git?ref=latest" + source = "git::https://github.com/reflexivesecurity/reflex-aws-cloudfront-logging-disabled.git?ref=latest" sns_topic_arn = module.central-sns-topic.arn reflex_kms_key_id = module.reflex-kms-key.key_id } 
@@ -30,7 +30,7 @@ Note: The `sns_topic_arn` and `reflex_kms_key_id` example values shown here assu This rule has no configuration options. ## Contributing -If you are interested in contributing, please review [our contribution guide](https://docs.cloudmitigator.com/about/contributing.html). +If you are interested in contributing, please review [our contribution guide](https://docs.reflexivesecurity.com/about/contributing.html). ## License -This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-aws-cloudfront-logging-disabled/blob/master/LICENSE) +This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/reflexivesecurity/reflex-aws-cloudfront-logging-disabled/blob/master/LICENSE) diff --git a/source/reflex_aws_cloudfront_logging_disabled.py b/source/reflex_aws_cloudfront_logging_disabled.py index 68188fa..a78169e 100644 --- a/source/reflex_aws_cloudfront_logging_disabled.py +++ b/source/reflex_aws_cloudfront_logging_disabled.py @@ -2,7 +2,7 @@ import json -from reflex_core import AWSRule +from reflex_core import AWSRule, subscription_confirmation class CloudfrontLoggingDisabled(AWSRule): @@ -31,5 +31,9 @@ def get_remediation_message(self): def lambda_handler(event, _): """ Handles the incoming event """ + print(event) + if subscription_confirmation.is_subscription_confirmation(event): + subscription_confirmation.confirm_subscription(event) + return rule = CloudfrontLoggingDisabled(json.loads(event["Records"][0]["body"])) rule.run_compliance_rule() diff --git a/terraform/assume_role/assume_role.tf b/terraform/assume_role/assume_role.tf new file mode 100644 index 0000000..a887c8a --- /dev/null +++ b/terraform/assume_role/assume_role.tf 
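Review bot: `print(event)` at the top of lambda_handler dumps the whole raw SQS envelope, body included (which carries the forwarded CloudTrail record), to CloudWatch Logs on every invocation, and nothing in the hunk limits this to debugging. That makes the function's log group a second copy of the event stream, so either drop the line or log only what is needed for correlation, e.g. `print(event["Records"][0].get("messageId"))`; a level-gated `logging` call would be cleaner still but would need an import that is not in this hunk. The same hunk passes anything that satisfies `is_subscription_confirmation` straight to `confirm_subscription`; that helper lives in reflex_core and is not shown here, so it is worth confirming that it checks the message's TopicArn (and signature) against the topic this rule expects before acting on it.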
@@ -0,0 +1,9 @@ +data "aws_caller_identity" "current" {} +module "assume_role" { + source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda/modules/iam_assume_role?ref=v2.1.0" + + function_name = "CloudfrontLoggingDisabled" + + lambda_execution_role_arn = "arn:aws:iam::${var.parent_account}:role/ReflexCloudfrontLoggingDisabledLambdaExecution" + +} diff --git a/terraform/assume_role/variables.tf b/terraform/assume_role/variables.tf new file mode 100644 index 0000000..a1a5a79 --- /dev/null +++ b/terraform/assume_role/variables.tf @@ -0,0 +1,5 @@ +variable "parent_account" { + description = "Account id of parent forwarded account." + type = string +} + diff --git a/terraform/cwe/main.tf b/terraform/cwe/main.tf index 7ceedf7..5df8cb0 100644 --- a/terraform/cwe/main.tf +++ b/terraform/cwe/main.tf @@ -1,5 +1,5 @@ module "cwe" { - source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/cwe?ref=v2.0.1" + source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/cwe?ref=v2.1.0" name = "CloudfrontLoggingDisabled" description = "A reflex rule to detect when CloudFront logging is disabled." diff --git a/terraform/sqs_lambda/sqs_lambda.tf b/terraform/sqs_lambda/sqs_lambda.tf index 404d050..5061eb8 100644 --- a/terraform/sqs_lambda/sqs_lambda.tf +++ b/terraform/sqs_lambda/sqs_lambda.tf @@ -1,5 +1,5 @@ module "sqs_lambda" { - source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/sqs_lambda?ref=v2.0.1" + source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda?ref=v2.1.0" cloudwatch_event_rule_id = var.cloudwatch_event_rule_id cloudwatch_event_rule_arn = var.cloudwatch_event_rule_arn function_name = "CloudfrontLoggingDisabled" From 177b3caa4e259d27e04b78255a385b9e259314a9 Mon Sep 17 00:00:00 2001 
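Review bot: `data "aws_caller_identity" "current" {}` on the first line of assume_role.tf is declared but never referenced anywhere in the file, so it is dead configuration that will confuse the next reader; either remove it or use it for the one thing it is good for here, a guard that the module is not being applied in the parent account itself, e.g. `# current account must not be the parent that forwards events` above a check that `data.aws_caller_identity.current.account_id != var.parent_account` (a `precondition` if the project's Terraform version supports it, otherwise a `validation` on the variable in variables.tf). The execution-role ARN is built by interpolating `var.parent_account` into a string, so a mistyped or empty account id yields an ARN for the wrong account and only surfaces at apply time or at first invocation. The module source being pinned to `?ref=v2.1.0` is good.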
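Review bot: `variable "parent_account"` in variables.tf is typed `string` with no constraint, yet assume_role.tf splices it directly into an IAM role ARN, so a value that is not a 12-digit account id is accepted at plan time and fails only later. A `validation` block rejects that at plan time with a message that names the actual problem; the description could also state the expected format, e.g. `"12-digit id of the parent account that forwards events to this rule."`.
```hcl
variable "parent_account" {
  description = "Account id of parent forwarded account."
  type        = string

  validation {
    condition     = can(regex("^[0-9]{12}$", var.parent_account))
    error_message = "parent_account must be a 12-digit AWS account id."
  }
}
```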
From: rjulian Date: Mon, 21 Sep 2020 00:31:26 -0700 Subject: [PATCH 2/2] Fix for event payload parsing --- source/reflex_aws_cloudfront_logging_disabled.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/source/reflex_aws_cloudfront_logging_disabled.py b/source/reflex_aws_cloudfront_logging_disabled.py index a78169e..52edd23 100644 --- a/source/reflex_aws_cloudfront_logging_disabled.py +++ b/source/reflex_aws_cloudfront_logging_disabled.py @@ -14,7 +14,9 @@ def __init__(self, event): def extract_event_data(self, event): """ Extract required event data """ self.distribution_id = event["detail"]["responseElements"]["distribution"]["id"] - self.logging_enabled = event["detail"]["responseElements"]["distribution"]["distributionConfig"]["logging"]["enabled"] + self.logging_enabled = event["detail"]["responseElements"]["distribution"][ + "distributionConfig" + ]["logging"]["enabled"] def resource_compliant(self): """ @@ -32,8 +34,9 @@ def get_remediation_message(self): def lambda_handler(event, _): """ Handles the incoming event """ print(event) - if subscription_confirmation.is_subscription_confirmation(event): - subscription_confirmation.confirm_subscription(event) + event_payload = json.loads(event["Records"][0]["body"]) + if subscription_confirmation.is_subscription_confirmation(event_payload): + subscription_confirmation.confirm_subscription(event_payload) return - rule = CloudfrontLoggingDisabled(json.loads(event["Records"][0]["body"])) + rule = CloudfrontLoggingDisabled(event_payload) rule.run_compliance_rule()
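Review bot: `event_payload = json.loads(event["Records"][0]["body"])` still looks only at the first SQS record, so if the queue's event source mapping ever delivers a batch larger than one (the batch size is not visible on this page) every record after the first is discarded without an error and its CloudTrail event is never evaluated. Iterating over `event["Records"]` and running the subscription check and the rule per record keeps single-record behaviour unchanged and stops the silent drop. A malformed body will still raise JSONDecodeError for the whole batch, which is the existing behaviour and is arguably right (the message returns to the queue or DLQ), but a one-line comment saying so would keep it from reading as an oversight. The whole of lambda_handler is within the hunk.
```python
def lambda_handler(event, _):
    # … unchanged: docstring and print(event) …
    # Each SQS record carries one SNS message in its body; handle all of them
    # rather than only Records[0] so larger batches are not silently dropped.
    for record in event["Records"]:
        event_payload = json.loads(record["body"])
        if subscription_confirmation.is_subscription_confirmation(event_payload):
            subscription_confirmation.confirm_subscription(event_payload)
            continue
        rule = CloudfrontLoggingDisabled(event_payload)
        rule.run_compliance_rule()
```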