Merge pull request #7 from aquasecurity/update-credentials

feat: Trigger update credentials on API key change

Author: Noamstrauss

modules/single/main.tf

@@ -54,6 +54,8 @@ module "trigger" {
   aqua_api_key           = var.aqua_api_key
   aqua_api_secret        = var.aqua_api_secret
   aqua_autoconnect_url   = var.aqua_autoconnect_url
+  aqua_cspm_url          = var.aqua_cspm_url
+  aws_account_id         = local.aws_account_id
   aqua_session_id        = var.aqua_session_id
   cspm_role_arn          = module.lambda.cspm_role_arn
   cspm_external_id       = module.lambda.cspm_external_id

modules/single/modules/lambda/functions/create_cspm_key.py

@@ -1,4 +1,3 @@
-
 import json
 import urllib3
 import hashlib
@@ -7,7 +6,6 @@
 
 def handler(event, context):
     cspm_url = event.get('ApiUrl')
-    ac_url = event.get('AutoConnectApiUrl')
     aqua_api_key = event.get('AquaApiKey')
     aqua_secret = event.get('AquaSecretKey')
     role_arn = event.get('RoleArn')
@@ -17,38 +15,59 @@ def handler(event, context):
     aws_account_id = context.invoked_function_arn.split(":")[4]
 
     try:
-        print('creating a new cspm key')
+        cspm_key_id = get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn)
+        is_already_cspm_client = True
+        print(f'Existing CSPM key found: {cspm_key_id}')
+    except Exception as key_not_found:
+        print(f'No existing key found')
+        print('Creating new CSPM key')
         is_already_cspm_client = create_cspm_key(
-            cspm_url, ac_url, aqua_api_key, aqua_secret,
+            cspm_url, aqua_api_key, aqua_secret,
             role_arn, external_id, group, account_id, aws_account_id
         )
-        return {"IsAlreadyCSPMClient": is_already_cspm_client}
 
-    except Exception as e:
-        print(f"error: {e}")
-        return {"error": e}
+    return {"IsAlreadyCSPMClient": is_already_cspm_client}
 
 
 def get_signature(aqua_secret, tstmp, path, method, body):
     enc = tstmp + method + path + body
-    print(f'enc: {enc}')
     enc_b = bytes(enc, 'utf-8')
     secret = bytes(aqua_secret, 'utf-8')
     sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest()
     return sig
 
+
 def http_request(url, headers, method, body=None):
-    http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')
+    if body is None:
+        body = {}
+
+    http = urllib3.PoolManager(cert_reqs='CERT_NONE')
 
     try:
         response = http.request(method, url, body=body, headers=headers)
-        data = json.loads(response.data.decode('utf-8'))
+        return response
     except Exception as e:
-        print(f'could not parse event data; {e}')
-        data = {}
-    return data
+        print('Failed to send http request; {}'.format(e))
+        return None
+
+
+def get_cspm_key_id(aqua_api_key, aqua_secret, cspm_url, role_arn):
+    tstmp = str(int(time.time() * 1000))
+    sig = get_signature(aqua_secret, tstmp, "/v2/keys", "GET", '')
+    headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp}
+
+    response = http_request(cspm_url + "/v2/keys", headers, "GET")
+    json_object = json.loads(response.data)
+    if response.status not in (200, 201):
+        raise ValueError(f"Failed to get cspm key id for {role_arn}: {response.message}")
+
+    for key in json_object['data']:
+        if key['role_arn'] == role_arn:
+            return key['id']
+    raise Exception("key not found")
+
 
-def create_cspm_key(cspm_url, ac_url, aqua_api_key, aqua_secret, role_arn, external_id, group, account_id, aws_account_id):
+def create_cspm_key(cspm_url, aqua_api_key, aqua_secret, role_arn, external_id, group, account_id, aws_account_id):
     body = {
         "name": account_id,
         "cloud": "aws",
@@ -58,7 +77,7 @@ def create_cspm_key(cspm_url, ac_url, aqua_api_key, aqua_secret, role_arn, exter
         "group_id": group
     }
 
-    print(f'body: {body}')
+    print(f'CSPM body: {body}')
     tstmp = str(int(time.time() * 1000))
     jsonbody = json.dumps(body, separators=(',', ':'))
     sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", jsonbody)
@@ -69,12 +88,12 @@ def create_cspm_key(cspm_url, ac_url, aqua_api_key, aqua_secret, role_arn, exter
     }
 
     response = http_request(cspm_url + '/v2/keys', headers, "POST", jsonbody)
-    print(f'response: {response}')
-    if response.get('status', 0) != 200 and response.get('status', 0) != 201:
-        raise Exception(response.get('message', "Internal server error"))
+    if response.status not in (200, 201):
+        raise Exception("Failed to create cspm key id", response.data.decode("utf-8"))
 
+    print(f'CSPM response: {response.data.decode("utf-8")}')
     is_already_cspm_client = False
-    if response.get('status', 0) == 200:
+    if response.status == 200:
         is_already_cspm_client = True
 
     return is_already_cspm_client

modules/single/modules/lambda/main.tf

@@ -36,11 +36,11 @@ resource "aws_iam_role" "cspm_lambda_execution_role" {
   name                = "aqua-autoconnect-cspm-lambda-execution-role-${var.random_id}"
 }
 
-# Create generate CSPM external id lambda function
-resource "aws_lambda_function" "generate_cspm_external_id_function" {
+# Create generate Volume Scan external id lambda function
+resource "aws_lambda_function" "generate_volscan_external_id_function" {
   architectures    = ["x86_64"]
-  description      = "Generate CSPM External ID"
-  function_name    = "aqua-autoconnect-generate-cspm-external-id-function-${var.random_id}"
+  description      = "Generate Volume Scanning External ID"
+  function_name    = "aqua-autoconnect-generate-volscan-external-id-function-${var.random_id}"
   handler          = "generate_external_id.handler"
   role             = aws_iam_role.cspm_lambda_execution_role.arn
   runtime          = "python3.12"
@@ -52,22 +52,25 @@ resource "aws_lambda_function" "generate_cspm_external_id_function" {
   }
 }
 
-# Invoking generate CSPM external id lambda function
-resource "aws_lambda_invocation" "generate_cspm_external_id_function" {
-  function_name = aws_lambda_function.generate_cspm_external_id_function.function_name
+# Invoking generate Volume Scan external id lambda function
+resource "aws_lambda_invocation" "generate_volscan_external_id_function" {
+  function_name = aws_lambda_function.generate_volscan_external_id_function.function_name
   input = jsonencode({
     ApiUrl            = var.aqua_cspm_url
     AutoConnectApiUrl = var.aqua_autoconnect_url
     AquaApiKey        = var.aqua_api_key
     AquaSecretKey     = var.aqua_api_secret
   })
+  triggers = {
+    always_run = timestamp()
+  }
 }
 
-# Create generate Volume Scan external id lambda function
-resource "aws_lambda_function" "generate_volscan_external_id_function" {
+# Create generate CSPM external id lambda function
+resource "aws_lambda_function" "generate_cspm_external_id_function" {
   architectures    = ["x86_64"]
-  description      = "Generate Volume Scanning External ID"
-  function_name    = "aqua-autoconnect-generate-volscan-external-id-function-${var.random_id}"
+  description      = "Generate CSPM External ID"
+  function_name    = "aqua-autoconnect-generate-cspm-external-id-function-${var.random_id}"
   handler          = "generate_external_id.handler"
   role             = aws_iam_role.cspm_lambda_execution_role.arn
   runtime          = "python3.12"
@@ -79,15 +82,19 @@ resource "aws_lambda_function" "generate_volscan_external_id_function" {
   }
 }
 
-# Invoking generate Volume Scan external id lambda function
-resource "aws_lambda_invocation" "generate_volscan_external_id_function" {
-  function_name = aws_lambda_function.generate_volscan_external_id_function.function_name
+# Invoking generate CSPM external id lambda function
+resource "aws_lambda_invocation" "generate_cspm_external_id_function" {
+  function_name = aws_lambda_function.generate_cspm_external_id_function.function_name
   input = jsonencode({
     ApiUrl            = var.aqua_cspm_url
     AutoConnectApiUrl = var.aqua_autoconnect_url
     AquaApiKey        = var.aqua_api_key
     AquaSecretKey     = var.aqua_api_secret
   })
+  triggers = {
+    always_run = timestamp()
+  }
+  depends_on = [aws_lambda_invocation.generate_volscan_external_id_function]
 }
 
 # Create Agentless role
@@ -429,7 +436,10 @@ resource "aws_iam_role" "cspm_role" {
 # Creating a sleep for 30s between CSPM role and CSPM key lambda function
 resource "time_sleep" "sleep" {
   create_duration = "30s"
-  depends_on      = [aws_iam_role.cspm_role]
+  triggers = {
+    cspm_assume_role_policy = aws_iam_role.cspm_role.assume_role_policy
+  }
+  depends_on = [aws_iam_role.cspm_role]
 }
 
 # Create CSPM key lambda function
@@ -452,14 +462,16 @@ resource "aws_lambda_function" "create_cspm_key_function" {
 resource "aws_lambda_invocation" "create_cspm_key_function" {
   function_name = aws_lambda_function.create_cspm_key_function.function_name
   input = jsonencode({
-    ApiUrl            = var.aqua_cspm_url
-    AutoConnectApiUrl = var.aqua_autoconnect_url
-    AquaApiKey        = var.aqua_api_key
-    AquaSecretKey     = var.aqua_api_secret
-    RoleArn           = aws_iam_role.cspm_role.arn
-    ExternalId        = local.cspm_external_id
-    AccountId         = tostring(var.aws_account_id)
-    GroupId           = var.aqua_cspm_group_id
+    ApiUrl        = var.aqua_cspm_url
+    AquaApiKey    = var.aqua_api_key
+    AquaSecretKey = var.aqua_api_secret
+    RoleArn       = aws_iam_role.cspm_role.arn
+    ExternalId    = local.cspm_external_id
+    AccountId     = tostring(var.aws_account_id)
+    GroupId       = var.aqua_cspm_group_id
   })
+  triggers = {
+    always_run = timestamp()
+  }
   depends_on = [time_sleep.sleep]
-}
+}