feat: update mabda parameter and payload

Author: iKnowJavaScript

lambda/findings-remediate.js renamed to lambda/index.js

@@ -1,14 +1,15 @@
-import { logger } from './logger';
+const AWS = require("aws-sdk");
+const logger = require('./logger');
 
 exports.handler = async (event) => {
   const REGION = event.region || 'us-east-1';
   const REBOOT_OPTION = event.reboot_option || "NoReboot";
   const TARGET_EC2_TAG_NAME = event.target_ec2_tag_name;
   const TARGET_EC2_TAG_VALUE = event.target_ec2_tag_value;
-  const VULNERABILITY_SEVERITIES = event.vulnerability_severities 
-        && event.vulnerability_severities.split(',').map(a => a.trim().toUpperCase());
-  const OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS = event.override_findings_for_target_instances_ids 
-        && event.override_findings_for_target_instances_ids.split(',').map(a => a.trim());
+  const VULNERABILITY_SEVERITIES = (event.vulnerability_severities 
+        && event.vulnerability_severities?.split(',')?.map(a => a.trim().toUpperCase())) || [];
+  const OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS = (event.override_findings_for_target_instances_ids 
+        && event.override_findings_for_target_instances_ids?.split(',')?.map(a => a.trim())) || [];
 
   logger.info("Region is ", REGION);
   logger.info("Reboot option is ", REBOOT_OPTION);
@@ -18,9 +19,14 @@ exports.handler = async (event) => {
   logger.info("Override findings for target instances IDs are ", OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS);
 
   try {
-    const ecsManagedInstanceIds = await getECSManagedInstances(REGION, TARGET_EC2_TAG_NAME, TARGET_EC2_TAG_VALUE);
+    let ecsManagedInstanceIds = [];
+    if (OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS && OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS.length > 0) {
+      ecsManagedInstanceIds = OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS;
+    } else {
+      ecsManagedInstanceIds = await getECSManagedInstances(REGION, TARGET_EC2_TAG_NAME, TARGET_EC2_TAG_VALUE);
+    }
 
-    const { targetInstances, totalFindings } = await manageInstanceFindings(ecsManagedInstanceIds, REGION, VULNERABILITY_SEVERITIES, OVERRIDE_FINDINGS_FOR_TARGET_INSTANCES_IDS);
+    const { targetInstances, totalFindings } = await manageInstanceFindings(ecsManagedInstanceIds, REGION, VULNERABILITY_SEVERITIES);
 
     if (!targetInstances.length) {
       return {
@@ -31,12 +37,15 @@ exports.handler = async (event) => {
     }
 
     const ssm = new AWS.SSM({ region: REGION });
+    const logConfig = process.env.LAMBDA_LOG_GROUP ? {
+      CloudWatchOutputConfig: {
+        CloudWatchLogGroupName: process.env.LAMBDA_LOG_GROUP,
+        CloudWatchOutputEnabled: true
+      }
+    } : {};
     const patchResult = await ssm
       .sendCommand({
-        CloudWatchOutputConfig: {
-          CloudWatchLogGroupName: process.env.LAMBDA_LOG_GROUP || '',
-          CloudWatchOutputEnabled: true
-        },
+        ...logConfig,
         Comment: 'Lambda function trigger operation for inspector finding auto-remediation',
         DocumentName: "AWS-RunPatchBaseline",
         DocumentVersion: "1",
@@ -120,7 +129,7 @@ async function getInstanceInspectorFindings(instanceId, region, severities) {
   return data.findings;
 }
 
-async function manageInstanceFindings(ecsManagedInstanceIds, region, severities, overrideInstanceIds) {
+async function manageInstanceFindings(ecsManagedInstanceIds, region, severities) {
   const targetInstances = [];
   let totalFindings = 0;
 
@@ -136,12 +145,12 @@ async function manageInstanceFindings(ecsManagedInstanceIds, region, severities,
     findings = findings.filter((finding) => !(skippingTitles.includes(finding.title)))
     logger.info('Total findings for instanceID ' + instanceId + ' after title check is ' + findings.length);
 
-    totalFindings = totalFindings += findings.length;
-
+    
     const resource = findings[0].resources[0];
-
+    
     // Check resource type to match expected remediation action:
     if (resource.type === "AWS_EC2_INSTANCE") {
+      totalFindings = totalFindings += findings.length;
       targetInstances.push(instanceId);
     }
   }

lambda/logger.js

@@ -7,7 +7,9 @@ const LogLevel = {
 };
 
 class Logger {
-  constructor(logLevel) {}
+  constructor(logLevel) {
+    this.logLevel = logLevel;
+  }
 
   error(...args) {
     if (this.logLevel >= LogLevel.error) {
@@ -32,5 +34,5 @@ const logLevel =
     INFO: LogLevel.info,
     DEBUG: LogLevel.debug,
   }[process.env.LOG_LEVEL ?? "NONE"] ?? LogLevel.none;
-  
-export let logger = new Logger(logLevel);
+
+module.exports = new Logger(logLevel);

main.tf

@@ -5,6 +5,7 @@ provider "aws" {
 locals {
   function_name     = "${var.name}-${var.environment}"
   ssm_document_name = "${var.name}-inspector-findings-${var.environment}"
+  lambda_zip        = var.lambda_zip
 }
 
 resource "aws_ssm_document" "remediation_document" {
@@ -21,29 +22,29 @@ resource "aws_ssm_document" "remediation_document" {
       "description": "(Required) The region to use.",
       "default": "${var.remediation_options.region}"
     },
-    "reboot_option": {
+    "rebootOption": {
       "type": "String",
       "description": "(Optional) Reboot option for patching. Allowed values: NoReboot, RebootIfNeeded, AlwaysReboot",
       "default": "${var.remediation_options.reboot_option}"
     },
-    "target_ec2_tag_name": {
+    "targetEC2TagName": {
       "type": "String",
       "description": "The tag name to filter EC2 instances.",
       "default": "${var.remediation_options.target_ec2_tag_name}"
     },
-    "target_ec2_tag_value": {
+    "targetEC2TagValue": {
       "type": "String",
       "description": "The tag value to filter EC2 instances.",
       "default": "${var.remediation_options.target_ec2_tag_value}"
     },
-    "vulnerability_severities": {
-      "type": "StringList",
-      "description": "(Optional) List of vulnerability severities to filter findings. Allowed values are comma separated list of : CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL",
+    "vulnerabilitySeverities": {
+      "type": "String",
+      "description": "(Optional) Comma separated list of vulnerability severities to filter findings. Allowed values are comma separated list of : CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL",
       "default": "${var.remediation_options.vulnerability_severities}"
     },
-    "override_findings_for_target_instances_ids": {
-      "type": "StringList",
-      "description": "(Optional) List of instance IDs to override findings for target instances. If not provided, all matched findings will be remediated. Values are in comma separated list of instance IDs.",
+    "overrideFindingsForTargetInstancesIDs": {
+      "type": "String",
+      "description": "(Optional) Comma separated list of instance IDs to override findings for target instances. If not provided, all matched findings will be remediated. Values are in comma separated list of instance IDs.",
       "default": "${var.remediation_options.override_findings_for_target_instances_ids}"
     }
   },
@@ -53,7 +54,7 @@ resource "aws_ssm_document" "remediation_document" {
       "action": "aws:invokeLambdaFunction",
       "inputs": {
         "FunctionName": "arn:aws:lambda:${var.aws_region}:${var.account_id}:function:${local.function_name}",
-        "Payload": "{ \"region\": \"{{ region }}\", \"reboot_option\": \"{{ reboot_option }}\", \"target_ec2_tag_name\": \"{{ target_ec2_tag_name }}\", \"target_ec2_tag_value\": \"{{ target_ec2_tag_value }}\", \"vulnerability_severities\": \"{{ vulnerability_severities }}\", \"override_findings_for_target_instances_ids\": \"{{ override_findings_for_target_instances_ids }}\" }"
+        "Payload": "{ \"region\": \"{{ region }}\", \"reboot_option\": \"{{ rebootOption }}\", \"target_ec2_tag_name\": \"{{ targetEC2TagName }}\", \"target_ec2_tag_value\": \"{{ targetEC2TagValue }}\", \"vulnerability_severities\": \"{{ vulnerabilitySeverities }}\", \"override_findings_for_target_instances_ids\": \"{{ overrideFindingsForTargetInstancesIDs }}\" }"
       }
     }
   ]
@@ -200,12 +201,12 @@ resource "aws_iam_role_policy" "lambda_policy" {
 
 
 resource "aws_lambda_function" "inspector_remediation" {
-  filename         = "../../lambda.zip" # You should zip your lambda_function.js before deploying
+  filename         = local.lambda_zip # You should zip your lambda_function.js before deploying
   function_name    = local.function_name
   role             = aws_iam_role.lambda_execution_role.arn
-  handler          = "findings-remediate.handler"
+  handler          = "index.handler"
   runtime          = "nodejs18.x"
-  source_code_hash = filebase64sha256("./lambda.zip")
+  source_code_hash = filebase64sha256(local.lambda_zip)
 
   timeout = 300