Merge pull request #20 from aquasecurity/idan-SLK-100239-fix-race-and-add-base-cspm_main

SLK-100239 - Fix Race and Add Base CSPM

Author: semyonmor

README.md

@@ -98,6 +98,7 @@ Before using this module, ensure that you have the following:
 | <a name="input_aqua_volscan_api_url"></a> [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes |
 | <a name="input_aqua_volscan_aws_account_id"></a> [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes |
 | <a name="input_aqua_worker_role_arn"></a> [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes |
+| <a name="input_base_cspm"></a> [base\_cspm](#input\_base\_cspm) | Toggle for base CSPM only | `bool` | `false` | no |
 | <a name="input_create_vpcs"></a> [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | `true` | no |
 | <a name="input_custom_agentless_role_name"></a> [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | `""` | no |
 | <a name="input_custom_bucket_name"></a> [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | `""` | no |
@@ -128,7 +129,6 @@ Before using this module, ensure that you have the following:
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_kinesis_firehose_bucket_name"></a> [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
 | <a name="output_kinesis_firehose_delivery_stream_arn"></a> [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
 | <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |

main.tf

@@ -41,6 +41,7 @@ module "single" {
   custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name
   custom_cspm_regions                 = var.custom_cspm_regions
   volume_scanning_deployment          = var.volume_scanning_deployment
+  base_cspm                           = var.base_cspm
 }
 
 module "organization" {

modules/single/README.md

@@ -81,7 +81,6 @@ This Terraform module provisions the essential AWS infrastructure and configurat
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_kinesis_firehose_bucket_name"></a> [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
 | <a name="output_kinesis_firehose_delivery_stream_arn"></a> [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
 | <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |

modules/single/main.tf

@@ -7,7 +7,7 @@ module "kinesis" {
   aqua_volscan_api_token            = var.aqua_volscan_api_token
   custom_bucket_name                = var.custom_bucket_name
   custom_processor_lambda_role_name = var.custom_processor_lambda_role_name
-  create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
+  create_vol_scan_resource          = var.volume_scanning_deployment == "true" ? true : false
 }
 
 module "lambda" {
@@ -17,16 +17,13 @@ module "lambda" {
   aqua_volscan_aws_account_id = var.aqua_volscan_aws_account_id
   aqua_api_key                = var.aqua_api_key
   aqua_api_secret             = var.aqua_api_secret
-  aqua_cspm_group_id          = var.aqua_cspm_group_id
   aqua_cspm_ipv4_address      = var.aqua_cspm_ipv4_address
   aqua_cspm_aws_account_id    = var.aqua_cspm_aws_account_id
   aqua_cspm_url               = var.aqua_cspm_url
   aqua_worker_role_arn        = var.aqua_worker_role_arn
-  aws_account_id              = local.aws_account_id
   aqua_cspm_role_prefix       = var.aqua_cspm_role_prefix
   custom_agentless_role_name  = var.custom_agentless_role_name
   custom_cspm_role_name       = var.custom_cspm_role_name
-  custom_cspm_regions         = var.custom_cspm_regions
   create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
   depends_on                  = [module.kinesis]
 }
@@ -52,20 +49,22 @@ module "stackset" {
 }
 
 module "trigger" {
-  source                 = "./modules/trigger"
-  region                 = var.region
-  aqua_api_key           = var.aqua_api_key
-  aqua_api_secret        = var.aqua_api_secret
-  aqua_autoconnect_url   = var.aqua_autoconnect_url
-  aqua_cspm_url          = var.aqua_cspm_url
-  aws_account_id         = local.aws_account_id
-  aqua_session_id        = var.aqua_session_id
-  cspm_role_arn          = module.lambda.cspm_role_arn
-  cspm_external_id       = module.lambda.cspm_external_id
-  is_already_cspm_client = module.lambda.is_already_cspm_client
-  volscan_role_arn       = module.lambda.agentless_role_arn
-  volscan_external_id    = module.lambda.volscan_external_id
-  additional_tags        = var.additional_tags
-  create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
-  depends_on             = [module.stackset]
+  source                   = "./modules/trigger"
+  region                   = var.region
+  aqua_api_key             = var.aqua_api_key
+  aqua_api_secret          = var.aqua_api_secret
+  aqua_autoconnect_url     = var.aqua_autoconnect_url
+  aqua_cspm_url            = var.aqua_cspm_url
+  aws_account_id           = local.aws_account_id
+  aqua_session_id          = var.aqua_session_id
+  cspm_role_arn            = module.lambda.cspm_role_arn
+  cspm_external_id         = module.lambda.cspm_external_id
+  volscan_role_arn         = module.lambda.agentless_role_arn
+  volscan_external_id      = module.lambda.volscan_external_id
+  additional_tags          = var.additional_tags
+  create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
+  cspm_group_id            = var.aqua_cspm_group_id
+  custom_cspm_regions      = var.custom_cspm_regions
+  base_cspm                = var.base_cspm
+  depends_on               = [module.stackset]
 }

modules/single/modules/lambda/README.md

@@ -66,6 +66,5 @@ No modules.
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_volscan_external_id"></a> [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/single/modules/lambda/data.tf

@@ -1,12 +1,5 @@
 # modules/single/modules/lambda/data.tf
 
-# Archive create_cspm_key.py into a zip file
-data "archive_file" "create_cspm_key_function" {
-  type        = "zip"
-  source_file = "${path.module}/functions/create_cspm_key.py"
-  output_path = "create_cspm_key.zip"
-}
-
 # Archive generate_external_id.py into a zip file
 data "archive_file" "generate_external_id_function" {
   type        = "zip"

modules/single/modules/lambda/functions/create_cspm_key.py

@@ -4,6 +4,8 @@
 import time
 import hmac
 
+# This Lambda isn't used currently, but it is kept for future use.
+
 def handler(event, context):
     cspm_url = event.get('ApiUrl')
     aqua_api_key = event.get('AquaApiKey')

modules/single/modules/lambda/locals.tf

@@ -4,5 +4,4 @@ locals {
   # Decode the results of Lambda function invocations
   cspm_external_id       = jsondecode(aws_lambda_invocation.generate_cspm_external_id_function.result)["ExternalId"]
   volscan_external_id    = try(jsondecode(aws_lambda_invocation.generate_volscan_external_id_function[0].result)["ExternalId"], "")
-  is_already_cspm_client = jsondecode(aws_lambda_invocation.create_cspm_key_function.result)["IsAlreadyCSPMClient"]
 }

modules/single/modules/lambda/main.tf

@@ -442,38 +442,3 @@ resource "time_sleep" "sleep" {
   }
   depends_on = [aws_iam_role.cspm_role]
 }
-
-# Create CSPM key lambda function
-resource "aws_lambda_function" "create_cspm_key_function" {
-  architectures    = ["x86_64"]
-  description      = "Trigger CSPM via CSPM Api"
-  function_name    = "aqua-autoconnect-create-cspm-key-function-${var.random_id}"
-  handler          = "create_cspm_key.handler"
-  role             = aws_iam_role.cspm_lambda_execution_role.arn
-  runtime          = "python3.12"
-  timeout          = 120
-  filename         = data.archive_file.create_cspm_key_function.output_path
-  source_code_hash = data.archive_file.create_cspm_key_function.output_base64sha256
-  tracing_config {
-    mode = "Active"
-  }
-}
-
-# Invoking CSPM key lambda function
-resource "aws_lambda_invocation" "create_cspm_key_function" {
-  function_name = aws_lambda_function.create_cspm_key_function.function_name
-  input = jsonencode({
-    ApiUrl            = var.aqua_cspm_url
-    AquaApiKey        = var.aqua_api_key
-    AquaSecretKey     = var.aqua_api_secret
-    RoleArn           = aws_iam_role.cspm_role.arn
-    ExternalId        = local.cspm_external_id
-    AccountId         = tostring(var.aws_account_id)
-    GroupId           = var.aqua_cspm_group_id
-    CustomCSPMRegions = var.custom_cspm_regions
-  })
-  triggers = {
-    always_run = timestamp()
-  }
-  depends_on = [time_sleep.sleep]
-}

modules/single/modules/lambda/outputs.tf

@@ -10,11 +10,6 @@ output "volscan_external_id" {
   value       = local.volscan_external_id
 }
 
-output "is_already_cspm_client" {
-  description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
-  value       = local.is_already_cspm_client
-}
-
 output "cspm_lambda_execution_role_arn" {
   description = "The ARN of the lambda execution IAM role created for the CSPM"
   value       = aws_iam_role.cspm_lambda_execution_role.arn