-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtemplate.yaml
218 lines (204 loc) · 6.37 KB
/
template.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Scan GitHub repositories with cfn-lint and store the results in DynamoDB
Parameters:
destemail:
Type: String
Description: Optional - the receiving email address for scan report emails, leave blank to disable. You need to add this email to SES prior to deployment, see readme.md for more details.
Default: [email protected]
fromemail:
Type: String
Description: Optional - the source email address for scan report emails, leave blank to disable. You need to add this email to SES prior to deployment, see readme.md for more details.
Default: [email protected]
githubtoken:
Type: String
Description: Optional but recommended - add a GitHub personal access token for GitHub API calls. You can create yours at https://github.com/settings/tokens .
Default: ''
Resources:
# lambda layer with neccesary libraries
lambdalayer:
Type: AWS::Serverless::LayerVersion
Properties:
LayerName: lambdalayer
Description: Create a layer with gitpull tools
ContentUri: lambda-layer/.
CompatibleRuntimes:
- python3.8
LicenseInfo: MIT
RetentionPolicy: Delete
Metadata:
BuildMethod: python3.8
# s3 bucket for results
resultbucket:
Type: AWS::S3::Bucket
# perform a cloudformation check on a github repo
lintlambda:
Type: AWS::Serverless::Function
Properties:
Layers:
- !Ref lambdalayer
Runtime: python3.8
Handler: lint-lambda.handler
CodeUri: ./lint-lambda
Tracing: Active
Description: Scan Github repositories and store results in DynamoDB
Policies:
- DynamoDBCrudPolicy:
TableName: !Ref scantable
- DynamoDBCrudPolicy:
TableName: !Ref metadatatable
MemorySize: 1536
Timeout: 60
Environment:
Variables:
dynamo_table_metadata: !Ref metadatatable
dynamo_table_scan: !Ref scantable
github_token: !Ref githubtoken
# scan the github profile of a user for repos
scanlambda:
Type: AWS::Serverless::Function
Properties:
MemorySize: 256
Timeout: 30
CodeUri: ./scan-lambda
Handler: scan-lambda.handler
Runtime: python3.8
Tracing: Active
Description: Get a list Github repositories
ReservedConcurrentExecutions: 1
Layers:
- !Ref lambdalayer
Environment:
Variables:
github_token: !Ref githubtoken
# generate a unique key for the scan results
tokenlambda:
Type: AWS::Serverless::Function
Properties:
Layers:
- !Ref lambdalayer
Runtime: python3.8
CodeUri: ./token-lambda
Tracing: Active
Handler: token-lambda.handler
MemorySize: 128
Timeout: 3
# retrieve the results of the github scan from dynamodb, optionally send an email
reportlambda:
Type: AWS::Serverless::Function
Properties:
Layers:
- !Ref lambdalayer
Runtime: python3.8
Handler: report-lambda.handler
CodeUri: ./report-lambda
Tracing: Active
Description: Store scan results from DynamoDB
MemorySize: 256
Timeout: 120
Environment:
Variables:
dynamo_meta_table: !Ref metadatatable
dynamo_scan_table: !Ref scantable
s3_bucket: !Ref resultbucket
dest_email: !Ref destemail
from_email: !Ref fromemail
Policies:
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- 'ses:SendEmail'
Resource: '*'
- DynamoDBCrudPolicy:
TableName: !Ref metadatatable
- DynamoDBCrudPolicy:
TableName: !Ref scantable
- S3CrudPolicy:
BucketName: !Ref resultbucket
# dynamodb table for results
scantable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: gitfile
AttributeType: S
- AttributeName: check_id
AttributeType: S
- AttributeName: scan_uuid
AttributeType: S
KeySchema:
- AttributeName: gitfile
KeyType: HASH
- AttributeName: check_id
KeyType: RANGE
BillingMode: PAY_PER_REQUEST
GlobalSecondaryIndexes:
- IndexName: scantable_uuid
KeySchema:
- AttributeName: scan_uuid
KeyType: HASH
Projection:
ProjectionType: ALL
# dynamodb table for scan metadata
metadatatable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: gituser
AttributeType: S
- AttributeName: gitrepo
AttributeType: S
- AttributeName: scan_uuid
AttributeType: S
- AttributeName: finding_count
AttributeType: N
KeySchema:
- AttributeName: gituser
KeyType: HASH
- AttributeName: gitrepo
KeyType: RANGE
BillingMode: PAY_PER_REQUEST
GlobalSecondaryIndexes:
- IndexName: metatable_scan_uuid
KeySchema:
- AttributeName: scan_uuid
KeyType: HASH
- AttributeName: finding_count
KeyType: RANGE
Projection:
ProjectionType: ALL
# s3 bucket for scan results
scanlogs:
Type: AWS::Logs::LogGroup
# state machine to coordinate the workflow
gitstatemachine:
Type: AWS::Serverless::StateMachine
Properties:
DefinitionUri: statemachine/gitscan.asl.json
DefinitionSubstitutions:
scanlambda: !GetAtt scanlambda.Arn
lintlambda: !GetAtt lintlambda.Arn
reportlambda: !GetAtt reportlambda.Arn
tokenlambda: !GetAtt tokenlambda.Arn
Policies:
- LambdaInvokePolicy:
FunctionName: !Ref scanlambda
- LambdaInvokePolicy:
FunctionName: !Ref lintlambda
- LambdaInvokePolicy:
FunctionName: !Ref reportlambda
- LambdaInvokePolicy:
FunctionName: !Ref tokenlambda
- CloudWatchFullAccess
Type: STANDARD
Logging:
Level: ALL
IncludeExecutionData: True
Destinations:
- CloudWatchLogsLogGroup:
LogGroupArn: !GetAtt scanlogs.Arn
# print the url of the state machine
Outputs:
StateMachineURL:
Value: !Sub 'https://${AWS::Region}.console.aws.amazon.com/states/home?region=${AWS::Region}#/statemachines/view/${gitstatemachine}'