1import cdk = require('@aws-cdk/core')
2import lambda = require("@aws-cdk/aws-lambda");
3import path = require('path');
4import s3 = require("@aws-cdk/aws-s3");
5import iam = require("@aws-cdk/aws-iam");
6const fs = require("fs");
7import cloudtrail = require('@aws-cdk/aws-cloudtrail');
8import logs = require('@aws-cdk/aws-logs')
9import secretsmanager = require('@aws-cdk/aws-secretsmanager');
10import kms = require('@aws-cdk/aws-kms');
11require('dotenv').config()
12
13
14
// Deploy-time pseudo-parameter tokens for the target account and region.
// They are opaque placeholders at synth time; CloudFormation substitutes the
// real values during deployment.
const awsAccount = String(cdk.Aws.ACCOUNT_ID);
const region = String(cdk.Aws.REGION);
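export class AccessKeyProcessAutomationStack extends cdk.Stack {
  // Not referenced anywhere in this stack; retained so the class shape is unchanged.
  private readonly secretName = "zivaro-smtp-secret";
  // Read at synth time from the environment (dotenv). Whatever is put here is
  // rendered verbatim into the CloudFormation template, which anyone with
  // cloudformation:GetTemplate can read — so these must be identifiers, not
  // live credentials.
  private readonly keyInSecretName = process.env.KEY_IN_SECRET_NAME;
  private readonly usernameKey = process.env.USERNAME_KEY;

  /**
   * Provisions a multi-region CloudTrail mirrored into a CloudWatch Logs group,
   * and two Python Lambdas subscribed to that group: one fires on IAM
   * AttachUserPolicy events, the other on CreateAccessKey events. An SMTP secret
   * (Secrets Manager, customer-managed KMS key) is created for the notifier.
   *
   * @param scope parent construct (normally the cdk.App)
   * @param id    logical id of the stack
   * @param props optional stack properties (env, tags, ...)
   * @throws Error at synth time when KEY_IN_SECRET_NAME or USERNAME_KEY is unset
   */
  constructor(scope: cdk.Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    // JSON.stringify silently drops undefined-valued properties, which would
    // produce a secret missing its smtp-secret / smtp-username fields. Fail loudly.
    if (this.keyInSecretName === undefined || this.usernameKey === undefined) {
      throw new Error(
        "KEY_IN_SECRET_NAME and USERNAME_KEY must be set before synthesizing AccessKeyProcessAutomationStack"
      );
    }

    // Shared execution role for both Lambdas.
    // SECURITY: this grants AdministratorAccess to functions that are triggered
    // by CloudTrail events. The handler sources are not in this file, so the
    // exact IAM / SES / Secrets Manager actions they need cannot be derived here;
    // replace the managed policy with AWSLambdaBasicExecutionRole plus an inline
    // policy listing only those actions before this runs in production.
    const processAutomationTaggingRole = new iam.Role(this, `ZivaroProcessAutomationTaggingLambdaRole`, {
      assumedBy: new iam.ServicePrincipal("lambda.amazonaws.com"),
    });
    processAutomationTaggingRole.addManagedPolicy(
      iam.ManagedPolicy.fromAwsManagedPolicyName("AdministratorAccess")
    );

    // An earlier revision also created an AdministratorAccess role assumable by
    // cloudtrail.amazonaws.com. It was never attached to the trail (the Trail
    // construct provisions its own CloudWatch Logs role), so that unused,
    // over-privileged role has been removed.

    // Destination for the trail's log files. Trail files are audit data:
    // block all public access, encrypt at rest and refuse plaintext HTTP.
    const processAutomationBucket = new s3.Bucket(this, `ZivaroProcessAutomationBucket`, {
      bucketName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,
      encryption: s3.BucketEncryption.S3_MANAGED,
      enforceSSL: true,
    });

    const processAutomationCloudWatchGroup = new logs.LogGroup(this, `ZivaroProcessAutomationCloudWatchGroup`, {
      logGroupName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      retention: logs.RetentionDays.ONE_YEAR,
    });

    // Multi-region trail with log-file validation (integrity digests) enabled,
    // mirrored into the log group above so the subscription filters below can
    // react to IAM events. The construct handle is not needed afterwards.
    new cloudtrail.Trail(this, 'ZivaroProcessAutomationTrail', {
      bucket: processAutomationBucket,
      cloudWatchLogGroup: processAutomationCloudWatchGroup,
      cloudWatchLogsRetention: logs.RetentionDays.ONE_YEAR,
      enableFileValidation: true,
      isMultiRegionTrail: true,
      sendToCloudWatchLogs: true,
      trailName: 'zivaroProcessAutomationTrail',
    });

    // Customer-managed key for the SMTP secret. Automatic annual rotation is
    // free and expected by common hardening baselines.
    const zivaroProcessAutomationKey = new kms.Key(this, 'ZivaroProcessAutomationKey', {
      enableKeyRotation: true,
    });

    // Secrets Manager generates the `randomPassword` field; the other two fields
    // come from the environment (see the class fields above).
    const zivaroProcessAutomationSmtpSecretPassword = new secretsmanager.Secret(this, 'ZivaroProcessAutomationSmtpSecretPassword', {
      description: "zivaro_smtp_secret",
      secretName: cdk.PhysicalName.GENERATE_IF_NEEDED,
      encryptionKey: zivaroProcessAutomationKey,
      generateSecretString: {
        secretStringTemplate: JSON.stringify({
          "smtp-secret": this.keyInSecretName,
          "smtp-username": this.usernameKey,
        }),
        generateStringKey: 'randomPassword',
      },
    });

    // Lambda invoked for every AttachUserPolicy event seen by the trail.
    const keyNotificationLambda = new lambda.Function(this, `ZivaroProcessAutomationKeyNotifier`, {
      role: processAutomationTaggingRole,
      runtime: lambda.Runtime.PYTHON_3_8,
      handler: "keyNotificationLambda.handler",
      code: lambda.Code.fromAsset(path.join(__dirname, '../lambda/keyNotificationLambda')),
      timeout: cdk.Duration.seconds(400),
      environment: {
        // SECURITY: `secretKey` resolves the whole secret string through a
        // CloudFormation dynamic reference, so the plaintext lands in the
        // function's environment, readable by anyone with
        // lambda:GetFunctionConfiguration. It is kept only because the handler
        // currently expects it; the handler should read `secretArn` instead and
        // call GetSecretValue at runtime, after which this entry must be deleted.
        // (The secret is created in this stack, so re-importing it via
        // Secret.fromSecretAttributes was unnecessary; the rendered reference is
        // identical.)
        secretKey: `${zivaroProcessAutomationSmtpSecretPassword.secretValue}`,
        secretArn: zivaroProcessAutomationSmtpSecretPassword.secretArn,
        accountId: awsAccount,
      },
    });
    // Runtime read permission (secret + its KMS key) for the migration path above,
    // so it keeps working once AdministratorAccess is removed from the role.
    zivaroProcessAutomationSmtpSecretPassword.grantRead(processAutomationTaggingRole);

    // Let CloudWatch Logs (this region and account only) invoke the notifier.
    // logGroupArn already carries a trailing ":*" segment; the appended "*" is
    // redundant but harmless and is kept as-is.
    const keyNotifierInvokePermission = new lambda.CfnPermission(this, `ZivaroProcessAutomationLambdaPolicy`, {
      action: 'lambda:InvokeFunction',
      principal: `logs.${region}.amazonaws.com`,
      functionName: keyNotificationLambda.functionName,
      sourceArn: processAutomationCloudWatchGroup.logGroupArn + '*',
      sourceAccount: awsAccount,
    });

    const attachUserSubscriptionFilter = new logs.CfnSubscriptionFilter(this, `ZivaroProcessAutomationAttachUserPolicy`, {
      destinationArn: keyNotificationLambda.functionArn,
      filterPattern: "{($.eventName=AttachUserPolicy)}",
      logGroupName: processAutomationCloudWatchGroup.logGroupName,
    });
    // Nothing else orders these two resources; without an explicit dependency
    // CloudFormation can create the filter before the invoke permission exists
    // and the subscription fails validation.
    attachUserSubscriptionFilter.addDependsOn(keyNotifierInvokePermission);

    // Lambda invoked for every CreateAccessKey event seen by the trail.
    // Runtime aligned with the notifier: python3.6 is deprecated on Lambda.
    // Revisit only if the handler depends on 3.6-specific behaviour.
    const policyDeletionLambda = new lambda.Function(this, `ZivaroProcessAutomationPolicyDeletionLambda`, {
      role: processAutomationTaggingRole,
      runtime: lambda.Runtime.PYTHON_3_8,
      handler: "policyDeletionLambda.handler",
      code: lambda.Code.fromAsset(path.join(__dirname, '../lambda/policyDeletionLambda')),
      timeout: cdk.Duration.seconds(400),
      environment: {
        accountId: awsAccount,
      },
    });

    const policyDeletionInvokePermission = new lambda.CfnPermission(this, `ZivaroProcessAutomationPolicyDeletionLambdaPolicy`, {
      action: 'lambda:InvokeFunction',
      principal: `logs.${region}.amazonaws.com`,
      functionName: policyDeletionLambda.functionName,
      sourceArn: processAutomationCloudWatchGroup.logGroupArn + '*',
      sourceAccount: awsAccount,
    });

    const deletePolicySubscription = new logs.CfnSubscriptionFilter(this, `ZivaroProcessAutomationDeletePolicySubscription`, {
      destinationArn: policyDeletionLambda.functionArn,
      filterPattern: "{($.eventName=CreateAccessKey)}",
      logGroupName: processAutomationCloudWatchGroup.logGroupName,
    });
    // Same ordering guarantee as for the notifier's subscription filter.
    deletePolicySubscription.addDependsOn(policyDeletionInvokePermission);
  }
}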