Patch: Merge pull request #49 from reflexivesecurity/automated-multia…

…ccount-refactor

Automated - Multi Account Update

README.md

@@ -18,7 +18,7 @@ rules:
 or add it directly to your Terraform: 
 ```
 module "rds-deletion-protection-disabled" {
- source = "git::https://github.com/cloudmitigator/reflex-aws-rds-deletion-protection-disabled.git?ref=latest"
+ source = "git::https://github.com/reflexivesecurity/reflex-aws-rds-deletion-protection-disabled.git?ref=latest"
  sns_topic_arn = module.central-sns-topic.arn
  reflex_kms_key_id = module.reflex-kms-key.key_id
 }
@@ -33,4 +33,4 @@ This rule has no configuration options.
 If you are interested in contributing, please review [our contribution guide](https://docs.cloudmitigator.com/about/contributing.html).
 
 ## License
-This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/cloudmitigator/reflex-aws-rds-deletion-protection-disabled/blob/master/LICENSE) 
+This Reflex rule is made available under the MPL 2.0 license. For more information view the [LICENSE](https://github.com/reflexivesecurity/reflex-aws-rds-deletion-protection-disabled/blob/master/LICENSE) 

source/reflex_aws_rds_deletion_protection_disabled.py

@@ -4,7 +4,7 @@
 import os
 
 import boto3
-from reflex_core import AWSRule
+from reflex_core import AWSRule, subscription_confirmation
 
 
 class RDSDeletionProtectionDisabled(AWSRule):
@@ -15,8 +15,12 @@ def __init__(self, event):
 
  def extract_event_data(self, event):
  """ Extract required event data """
- self.db_instance_id = event["detail"]["requestParameters"]["dBInstanceIdentifier"]
- self.deletion_protection = event["detail"]["requestParameters"]["deletionProtection"]
+ self.db_instance_id = event["detail"]["requestParameters"][
+ "dBInstanceIdentifier"
+ ]
+ self.deletion_protection = event["detail"]["requestParameters"][
+ "deletionProtection"
+ ]
 
  def resource_compliant(self):
  """
@@ -33,5 +37,10 @@ def get_remediation_message(self):
 
 def lambda_handler(event, _):
  """ Handles the incoming event """
- rule = RDSDeletionProtectionDisabled(json.loads(event["Records"][0]["body"]))
+ print(event)
+ event_payload = json.loads(event["Records"][0]["body"])
+ if subscription_confirmation.is_subscription_confirmation(event_payload):
+ subscription_confirmation.confirm_subscription(event_payload)
+ return
+ rule = RDSDeletionProtectionDisabled(event_payload)
  rule.run_compliance_rule()

terraform/assume_role/assume_role.tf

@@ -0,0 +1,8 @@
+data "aws_caller_identity" "current" {}
+module "assume_role" {
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda/modules/iam_assume_role?ref=v2.1.0"
+
+ function_name = "RdsDeletionProtectionDisabled"
+ lambda_execution_role_arn = "arn:aws:iam::${var.parent_account}:role/ReflexRdsDeletionProtectionDisabledLambdaExecution"
+
+}

terraform/assume_role/variables.tf

@@ -0,0 +1,5 @@
+variable "parent_account" {
+ description = "Account id of parent forwarded account."
+ type = string
+}
+

terraform/cwe/main.tf

@@ -1,5 +1,5 @@
 module "cwe" {
- source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/cwe?ref=v2.0.1"
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/cwe?ref=v2.1.0"
  name = "RdsDeletionProtectionDisabled"
  description = "Rule to detect if deletion protection is disabled for RDS Instance."
 

terraform/sqs_lambda/sqs_lambda.tf

@@ -1,5 +1,5 @@
 module "sqs_lambda" {
- source = "git::https://github.com/cloudmitigator/reflex-engine.git//modules/sqs_lambda?ref=v2.0.1"
+ source = "git::https://github.com/reflexivesecurity/reflex-engine.git//modules/sqs_lambda?ref=v2.1.0"
 
  cloudwatch_event_rule_id = var.cloudwatch_event_rule_id
  cloudwatch_event_rule_arn = var.cloudwatch_event_rule_arn