Patch: Merge pull request #47 from reflexivesecurity/automated-multia…

…ccount-refactor Automated - Multi Account Update
reflexivesecurity · Oct 4, 2020 · f4261e7 · f4261e7
2 parents a68e334 + 17ae48d
commit f4261e7
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ rules:
 or add it directly to your Terraform:  
 ```
 module "config-rule-deleted" {
-  source            = "git::https://github.com/cloudmitigator/reflex-aws-config-rule-deleted.git?ref=latest"
+  source            = "git::https://github.com/reflexivesecurity/reflex-aws-config-rule-deleted.git?ref=latest"
   sns_topic_arn     = module.central-sns-topic.arn
   reflex_kms_key_id = module.reflex-kms-key.key_id
 }
@@ -33,4 +33,4 @@ This rule has no configuration options.
 If you are interested in contributing, please review [our contribution guide](https://docs.cloudmitigator.com/about/contributing.html).
 
 ## License
-This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-aws-config-rule-deleted/blob/master/LICENSE)
+This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/reflexivesecurity/reflex-aws-config-rule-deleted/blob/master/LICENSE)
diff --git a/source/reflex_aws_config_rule_deleted.py b/source/reflex_aws_config_rule_deleted.py
@@ -2,7 +2,7 @@
 
 import json
 
-from reflex_core import AWSRule
+from reflex_core import AWSRule, subscription_confirmation
 
 
 class ConfigRuleDeleted(AWSRule):
@@ -33,5 +33,10 @@ def get_remediation_message(self):
 
 def lambda_handler(event, _):
     """ Handles the incoming event """
-    rule = ConfigRuleDeleted(json.loads(event["Records"][0]["body"]))
+    print(event)
+    event_payload = json.loads(event["Records"][0]["body"])
+    if subscription_confirmation.is_subscription_confirmation(event_payload):
+        subscription_confirmation.confirm_subscription(event_payload)
+        return
+    rule = ConfigRuleDeleted(event_payload)
     rule.run_compliance_rule()
diff --git a/terraform/assume_role/assume_role.tf b/terraform/assume_role/assume_role.tf
@@ -0,0 +1,8 @@
+data "aws_caller_identity" "current" {}
+module "assume_role" {
+  source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda/modules/iam_assume_role?ref=v2.1.0"
+
+  function_name             = "ConfigRuleDeleted"
+  lambda_execution_role_arn = "arn:aws:iam::${var.parent_account}:role/ReflexConfigRuleDeletedLambdaExecution"
+
+}
diff --git a/terraform/assume_role/variables.tf b/terraform/assume_role/variables.tf
@@ -0,0 +1,5 @@
+variable "parent_account" {
+  description = "Account id of parent forwarded account."
+  type        = string
+}
+
diff --git a/terraform/cwe/main.tf b/terraform/cwe/main.tf
@@ -1,5 +1,5 @@
 module "cwe" {
-  source      = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/cwe?ref=v2.0.1"
+  source      = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/cwe?ref=v2.1.0"
   name        = "ConfigRuleDeleted"
   description = "Detects the deletion of AWS Config Rules"
 

diff --git a/terraform/sqs_lambda/sqs_lambda.tf b/terraform/sqs_lambda/sqs_lambda.tf
@@ -1,5 +1,5 @@
 module "sqs_lambda" {
-  source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/sqs_lambda?ref=v2.0.1"
+  source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda?ref=v2.1.0"
 
   cloudwatch_event_rule_id  = var.cloudwatch_event_rule_id
   cloudwatch_event_rule_arn = var.cloudwatch_event_rule_arn