@liflig/cdk 2.18.5 → 2.18.7

package/assets/cloudtrail-slack-integration-lambda/main.py

@@ -0,0 +1,267 @@
+#!/usr/bin/env python
+
+"""
+Transform CloudTrail events to payloads formatted for Slack's API, and send them
+directly to Slack or through an SQS FIFO queue for deduplication.
+
+The code below contains entrypoints for two Lambda functions (prefixed with `handler_`).
+"""
+
+import os
+import logging
+import json
+import urllib.request
+import re
+import boto3
+
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+def augment_strings_with_friendly_names(strings, friendly_names):
+    """A helper method for augmenting various values (e.g., AWS account ID) in
+    a list of strings with a more friendly name"""
+    # We avoid replacing values that are directly prefixed and/or suffixed with ':'
+    # as it is most likely an ARN or similiar. We don't want to replace account IDs
+    # inside ARNs as this would look messy.This is a quite basic heuristic, but it should allow
+    # us to easily replace most relevant values (e.g., principal ID, account ID, etc.) with
+    # friendly names without a complicated regex.
+    pattern = re.compile("|".join([f"(?<!:)({re.escape(key)})(?!:)" for key in friendly_names]))
+    return [pattern.sub(lambda m: m[0] + f" ({friendly_names[m.string[m.start():m.end()]]})", s) for s in strings]
+
+
+def get_slack_payload_for_assume_role_event(event, friendly_names):
+    """Parse a CloudTrail event related to the API call sts:AssumeRole,
+    and return a Slack-formatted attachment"""
+    event_detail = event["detail"]
+    recipient_account_id = event_detail["recipientAccountId"]
+    request_parameters = event_detail.get("requestParameters", {}) or {}
+
+    timestamp = event_detail["eventTime"]
+    user_identity = event_detail["userIdentity"]
+    principal_id = user_identity["principalId"]
+    principal_account_id = user_identity["accountId"]
+    source_identity = request_parameters.get("sourceIdentity", "")
+    source_ip = event_detail.get("sourceIPAddress", "")
+    role_arn = request_parameters.get("roleArn", "")
+
+    fallback = f"Sensitive role accessed in '{recipient_account_id}'"
+    pretext_messages = [f":warning: Sensitive role in `{recipient_account_id}` assumed by"]
+    if principal_id.startswith("AIDA"):
+        pretext_messages.append("IAM user")
+    elif principal_id.startswith("AROA"):
+        # The other part of the principal ID for a role is the name of the session
+        principal_id = principal_id.split(":")[0]
+        pretext_messages.append(f"IAM role")
+    else:
+        pretext_messages.append("principal")
+    pretext_messages.append(f"in `{principal_account_id}`")
+    pretext = " ".join(pretext_messages)
+
+    text = [
+        f"*Role ARN:* `{role_arn}`",
+        f"*Principal Account ID:* `{principal_account_id}`",
+        f"*Principal ID:* `{principal_id}`",
+        f"*Source IP:* `{source_ip}`",
+        f"*Source Identity:* `{source_identity}`" if source_identity else "",
+        f"*Timestamp:* `{timestamp}`",
+    ]
+    text = "\n".join(line for line in text if line)
+
+    try:
+        pretext, fallback, text = augment_strings_with_friendly_names([pretext, fallback, text], friendly_names)
+    except:
+        logger.exception("Failed to augment strings with friendly names")
+    return {
+        "attachments": [
+            {
+                "pretext": pretext,
+                "color": "warning",
+                "text": text,
+                "fallback": fallback,
+                "mrkdwn_in": ["pretext", "text"],
+            }
+        ]
+    }
+
+
+def get_fallback_slack_payload_for_event(
+    event, friendly_names, fallback_parse_behavior=""
+):
+    """Parse a generic CloudTrail event related to an API call
+    and return a Slack-formatted attachment"""
+    event_detail = event["detail"]
+    event_name = event_detail["eventName"]
+    event_type = event_detail["eventType"]
+    event_time = event_detail["eventTime"]
+    recipient_account_id = event_detail["recipientAccountId"]
+    pretext = f":warning: CloudTrail event in account `{recipient_account_id}`"
+    fallback = f"CloudTrail event in account '{recipient_account_id}'"
+    if fallback_parse_behavior == "DUMP_EVENT":
+        text = "\n".join(
+            ["*Event:*", "```", json.dumps(event, sort_keys=True, indent=2), "```"]
+        )
+    else:
+        error_message = event_detail.get("errorMessage", "")
+        # This may be None, in which case we force it to an empty dict instead
+        response_element = (event_detail.get("responseElements", {}) or {}).get(
+            event_name, ""
+        )
+        user_identity = event_detail["userIdentity"]
+        principal_id = user_identity.get("principalId", "")
+        principal_type = user_identity.get("type", "")
+        principal_account_id = user_identity.get("accountId", "")
+        principal_arn = user_identity.get("arn", "")
+        source_ip = event_detail.get("sourceIPAddress", "")
+        resources = event_detail.get("resources", []) or []
+        text = [
+            f"*Event Type:* `{event_type}`",
+            f"*Event Name:* `{event_name}`",
+            f"*Event Time:* `{event_time}`",
+            f"*Error Message:* `{error_message}`" if error_message else "",
+            f"*Response Code:* `{response_element}`" if response_element else "",
+            f"*Principal Type:* `{principal_type}`" if principal_type else "",
+            f"*Principal Account ID:* `{principal_account_id}`"
+            if principal_account_id
+            else "",
+            f"*Principal ARN:* `{principal_arn}`" if principal_arn else "",
+            f"*Principal ID:* `{principal_id}`" if principal_id else "",
+            f"*Source IP:* `{source_ip}`" if source_ip else "",
+            f"*Resources:*\n```{json.dumps(resources, indent=2, sort_keys=True)}\n```"
+            if len(resources)
+            else "",
+        ]
+        # Filter out empty strings
+        text = "\n".join(line for line in text if line)
+
+    try:
+        pretext, fallback, text = augment_strings_with_friendly_names([pretext, fallback, text], friendly_names)
+    except:
+        logger.exception("Failed to augment strings with friendly names")
+
+    return {
+        "attachments": [
+            {
+                "pretext": pretext,
+                "color": "warning",
+                "text": text,
+                "fallback": fallback,
+                "mrkdwn_in": ["pretext", "text"],
+            }
+        ]
+    }
+
+
+def get_augmented_friendly_names(event, friendly_names):
+    """Return an augmented dictionary containing the alias of the current
+    AWS account as a friendly name for the current account ID if relevant"""
+    augmented_friendly_names = {**friendly_names}
+    try:
+        event_account_id = event["account"]
+        event_detail = event["detail"]
+        recipient_account_id = event_detail["recipientAccountId"]
+        if (
+            not friendly_names.get(event_account_id, "")
+            and event_account_id == recipient_account_id
+        ):
+            logger.info(
+                "No friendly name was supplied for current account '%s', so looking up account alias",
+                event_account_id,
+            )
+            iam = boto3.client("iam")
+            aliases = iam.list_account_aliases()["AccountAliases"]
+            if len(aliases):
+                augmented_friendly_names[event_account_id] = aliases[0]
+    except:
+        logger.exception("Failed to look up alias of current AWS account")
+
+    return augmented_friendly_names
+
+
+def post_to_slack(slack_payload, slack_webhook_url):
+    """Post a payload to Slack's webhook API"""
+    encoded_slack_payload = json.dumps(slack_payload).encode("utf-8")
+    try:
+        slack_request = urllib.request.Request(
+            slack_webhook_url,
+            data=encoded_slack_payload,
+            headers={"Content-Type": "application/json"},
+        )
+        urllib.request.urlopen(slack_request)
+    except:
+        logger.exception("Failed to post to Slack")
+        raise
+
+
+def handler_event_transformer(event, context):
+    """Lambda handler for the event transformer Lambda"""
+    logger.info("Triggered with event: %s", json.dumps(event, indent=2))
+
+    friendly_names = json.loads(os.environ["FRIENDLY_NAMES"])
+    slack_webhook_url = os.environ["SLACK_WEBHOOK_URL"]
+    slack_channel = os.environ["SLACK_CHANNEL"]
+    sqs_queue_url = os.environ.get("SQS_QUEUE_URL", "")
+    fallback_parse_behavior = os.environ.get("FALLBACK_PARSE_BEHAVIOR", "")
+    deduplicate_events = os.environ.get("DEDUPLICATE_EVENTS", "false") == "true"
+
+    friendly_names = get_augmented_friendly_names(
+        event, friendly_names
+    )
+
+    if not event["detail-type"].endswith("via CloudTrail"):
+        logger.warn("Invalid event received")
+        return
+
+    slack_payload = {}
+    try:
+        if event["detail"]["eventName"] == "AssumeRole":
+            slack_payload = get_slack_payload_for_assume_role_event(
+                event, friendly_names
+            )
+    except:
+        logger.exception("Failed to parse event using predefined schema")
+    if not slack_payload:
+        logger.warn("Using a fallback schema to parse event")
+        slack_payload = get_fallback_slack_payload_for_event(
+            event,
+            friendly_names,
+            fallback_parse_behavior=fallback_parse_behavior,
+        )
+    slack_payload = {**slack_payload, "channel": slack_channel}
+
+    if deduplicate_events and sqs_queue_url:
+        logger.info("Sending message to SQS for deduplication")
+        deduplication_id = (
+            event["detail"].get("requestID", "")
+            or event["detail"].get("eventID", "")
+            or event["id"]
+        )
+        body = {
+            "slackWebhookUrl": slack_webhook_url,
+            "slackPayload": slack_payload,
+        }
+
+        sqs = boto3.client("sqs")
+        sqs.send_message(
+            QueueUrl=sqs_queue_url,
+            MessageBody=json.dumps(body),
+            MessageDeduplicationId=deduplication_id,
+            MessageGroupId=deduplication_id,
+        )
+    else:
+        logger.info("Sending message directly to Slack")
+        post_to_slack(slack_payload, slack_webhook_url)
+
+
+def handler_slack_forwarder(event, context):
+    """Lambda handler for the Slack forwarder Lambda"""
+    logger.info("Triggered with event: %s", json.dumps(event, indent=2))
+    records = event["Records"]
+    for record in records:
+        body = json.loads(record["body"])
+        slack_channel = body.get("slackChannel", "")
+        slack_webhook_url = body.get("slackWebhookUrl", "")
+        slack_payload = {
+            **body["slackPayload"],
+            **({"channel": slack_channel} if slack_channel else {}),
+        }
+        post_to_slack(slack_payload, slack_webhook_url)

package/assets/pipeline-slack-notification-lambda/index.py

@@ -0,0 +1,300 @@
+import json
+import logging
+import os
+import typing as t
+from urllib.error import HTTPError, URLError
+from urllib.parse import quote
+from urllib.request import Request, urlopen
+
+import boto3
+
+client = boto3.client("codepipeline")
+s3 = boto3.client("s3")
+secrets_manager = boto3.client("secretsmanager")
+
+ACCOUNT_FRIENDLY_NAME = os.getenv("ACCOUNT_FRIENDLY_NAME", None)
+SLACK_URL_SECRET_NAME = os.getenv("SLACK_URL_SECRET_NAME", None)
+NOTIFICATION_LEVEL = os.getenv("NOTIFICATION_LEVEL", "WARN")
+
+# Example event:
+#
+# {
+#   version: '0',
+#   id: '01896665-9ef2-b417-cccd-333acf6a9320',
+#   'detail-type': 'CodePipeline Pipeline Execution State Change',
+#   source: 'aws.codepipeline',
+#   account: '123456789123',
+#   time: '2021-06-11T23:02:20Z',
+#   region: 'eu-west-1',
+#   resources: [
+#     'arn:aws:codepipeline:eu-west-1:123456789123:hst-tester-pipeline-PipelineC660917D-OLEMKURBGPBG'
+#   ],
+#   detail: {
+#     pipeline: 'hst-tester-pipeline-PipelineC660917D-OLEMKURBGPBG',
+#     'execution-id': '91daefbf-658a-4c6f-ad9e-13de7df5eaeb',
+#     state: 'SUCCEEDED',
+#     version: 3
+#   }
+# }
+
+STYLES = {
+    "FAILED": {"emoji_prefix": ":x:", "message_color": "#ff0000"},
+    "SUCCEEDED": {"emoji_prefix": ":white_check_mark:", "message_color": "#008000"},
+    "STARTED": {"emoji_prefix": ":rocket:", "message_color": "#00bfff"},
+    "SUPERSEDED": {"emoji_prefix": ":arrow_heading_down:", "message_color": "#373737"},
+}
+
+
+class TriggerMetadataVcs(t.TypedDict):
+    branchName: str
+    commitAuthor: str
+    commitHash: str
+    repositoryName: str
+    repositoryOwner: str
+
+
+class TriggerMetadataCi(t.TypedDict):
+    type: t.Literal["JENKINS", "GITHUB_ACTIONS"]
+    triggeredBy: str
+
+
+class TriggerMetadata(t.TypedDict):
+    version: t.Literal["0.1"]
+    ci: TriggerMetadataCi
+    vcs: TriggerMetadataVcs
+
+
+def get_masked_slack_webhook_url(slack_webhook_url: str):
+    """
+    Return a string that masks the final path segment of a Slack webhook URL.
+    The URL is typically formatted as such: https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
+    """
+    trimmed_url = slack_webhook_url.rstrip("/")
+    [*url, final_path_segment] = trimmed_url.split("/")
+    return "/".join(url + [len(final_path_segment) * "*"])
+
+
+def get_previous_pipeline_execution(
+    pipeline_name: str, execution_id: str
+) -> dict | None:
+    """Return the newest past execution that either succeeded or failed"""
+
+    pipeline_executions = client.list_pipeline_executions(
+        pipelineName=pipeline_name,
+    )["pipelineExecutionSummaries"]
+
+    is_next = False
+
+    for item in pipeline_executions:
+        # Only include succeeded and failed executions.
+        # This is needed to properly detect a recovered
+        # pipeline (failed -> succeeded, even if e.g. superseeded in between).
+        if is_next and item["status"] in ["Succeeded", "Failed"]:
+            return item
+        if item["pipelineExecutionId"] == execution_id:
+            is_next = True
+
+    return None
+
+
+def get_text_for_failed(pipeline_name: str, execution_id: str, state: str) -> str:
+    """Return a Slack-formatted string that describes failed pipeline execution actions,
+    if any, in a failed execution"""
+
+    # We only show details if the pipeline has completed with failed state.
+    # If we were to process this for other events such as started events,
+    # we would include details from after the event took place.
+    if state != "FAILED":
+        return ""
+
+    action_executions = client.list_action_executions(
+        pipelineName=pipeline_name,
+        filter={
+            "pipelineExecutionId": execution_id,
+        },
+    )["actionExecutionDetails"]
+
+    failures = []
+
+    for action_execution in action_executions:
+        if action_execution["status"] == "Failed":
+            stage = action_execution["stageName"]
+            action = action_execution["actionName"]
+            summary = action_execution["output"]["executionResult"][
+                "externalExecutionSummary"
+            ]
+            failures.append(f"{stage}.{action} failed:\n{summary}")
+
+    result = ""
+
+    if len(failures):
+        result = "```\n" + "\n\n".join(failures) + "\n```"
+
+    return result
+
+
+def get_metadata_from_trigger(
+    pipeline_name: str, execution_id: str
+) -> TriggerMetadata | None:
+    """Returns a dictionary containing the metadata, if any, stored in the trigger file"""
+
+    action_response = client.list_action_executions(
+        pipelineName=pipeline_name, filter={"pipelineExecutionId": execution_id}
+    )
+
+    action = next(
+        (
+            action
+            for action in action_response["actionExecutionDetails"]
+            if action["input"]["actionTypeId"]["category"] == "Source"
+            and action["input"]["actionTypeId"]["provider"] == "S3"
+        ),
+        None,
+    )
+    if action:
+        s3_version_id = action["output"]["outputVariables"]["VersionId"]
+        artifacts_bucket = action["input"]["configuration"]["S3Bucket"]
+        trigger_file = action["input"]["configuration"]["S3ObjectKey"]
+
+    try:
+        response = s3.get_object(
+            Bucket=artifacts_bucket, Key=trigger_file, VersionId=s3_version_id
+        )
+        file_content = response["Body"].read().decode("utf-8")
+        ci_metadata = json.loads(file_content)
+        return ci_metadata
+    except Exception as e:
+        print(f"Could not obtain metadata from trigger file: {e}")
+
+    return None
+
+
+def get_footer_text(ci_metadata: TriggerMetadata) -> str:
+    """Returns the footer text for the Slack message if the metadata contains the required fields"""
+
+    footer_text = ""
+    if ci_metadata and ci_metadata.get("version", "") == "0.1":
+        ci = ci_metadata.get("ci", {})
+        vcs = ci_metadata.get("vcs", {})
+        triggering_actor = ci.get("triggeredBy", "")
+        repository_owner = vcs.get("repositoryOwner", "")
+        repository_name = vcs.get("repositoryName", "")
+        short_commit_hash = vcs.get("commitHash", "")[:8]
+        branch_name = vcs.get("branchName", "")
+        if (
+            triggering_actor
+            and repository_owner
+            and repository_name
+            and short_commit_hash
+            and branch_name
+        ):
+            commit_link_text = f"{repository_owner}/{repository_name} @ {branch_name} ({short_commit_hash})"
+            github_commit_link = f"https://github.com/{repository_owner}/{repository_name}/commit/{short_commit_hash}"
+            footer_text = f"Triggered by {triggering_actor} in <{github_commit_link}|{commit_link_text}>"
+
+    return footer_text
+
+
+def get_secret(secret):
+    try:
+        return secrets_manager.get_secret_value(SecretId=secret)["SecretString"]
+    except Exception as e:
+        raise Exception(f"Error retrieving secret: {e}")
+
+
+def handler(event, context):
+
+    print("Event: " + json.dumps(event))
+
+    region = event["region"]
+    account_id = event["account"]
+    pipeline_name = event["detail"]["pipeline"]
+    state = event["detail"]["state"]
+    execution_id = event["detail"]["execution-id"]
+
+    if state in ("STARTED", "SUPERSEDED") and NOTIFICATION_LEVEL != "DEBUG":
+        return
+
+    if event["detail-type"] != "CodePipeline Pipeline Execution State Change":
+        print("Ignoring unknown event")
+        return
+
+    previous_pipeline_execution = get_previous_pipeline_execution(
+        pipeline_name, execution_id
+    )
+
+    previous_failed = (
+        previous_pipeline_execution is not None
+        and previous_pipeline_execution["status"] == "Failed"
+    )
+
+    # We still show succeeded for the first event or when
+    # the previous execution was not success.
+    if state == "SUCCEEDED" and (NOTIFICATION_LEVEL == "WARN"):
+        if previous_pipeline_execution is not None and not previous_failed:
+            print("Ignoring succeeded event")
+            return
+
+    pipeline_url = f"https://{region}.console.aws.amazon.com/codesuite/codepipeline/pipelines/{quote(pipeline_name, safe='')}/view"
+    execution_url = f"https://{region}.console.aws.amazon.com/codesuite/codepipeline/pipelines/{quote(pipeline_name, safe='')}/executions/{execution_id}/timeline"
+
+    account_friendly_name = f"in {ACCOUNT_FRIENDLY_NAME or account_id}"
+
+    state_text = state
+    if previous_failed and state == "SUCCEEDED":
+        state_text += " (previously failed)"
+
+    ci_metadata = get_metadata_from_trigger(pipeline_name, execution_id)
+
+    footer_text = get_footer_text(ci_metadata)
+
+    style = STYLES.get(
+        state, {"emoji_prefix": ":question:", "message_color": "#ffdf00"}
+    )
+
+    emoji_prefix = style["emoji_prefix"]
+    message_color = style["message_color"]
+
+    text_for_failed = get_text_for_failed(pipeline_name, execution_id, state)
+
+    text = "\n".join(
+        s
+        for s in [f"*Execution:* <{execution_url}|{execution_id}>", text_for_failed]
+        if s
+    )
+    pretext = " ".join(
+        s
+        for s in [
+            f"{emoji_prefix} Pipeline *<{pipeline_url}|{pipeline_name}>*",
+            f"*{state_text}*",
+            account_friendly_name,
+        ]
+        if s
+    )
+    fallback = f"Pipeline {pipeline_name} {state}"
+    attachments = [
+        {
+            "footer": footer_text,
+            "color": message_color,
+            "text": text,
+            "mrkdwn_in": ["text", "pretext"],
+            "pretext": pretext,
+            "fallback": fallback,
+        },
+    ]
+
+    slack_message = {
+        "attachments": attachments,
+    }
+
+    slack_url = get_secret(SLACK_URL_SECRET_NAME)
+
+    req = Request(slack_url, json.dumps(slack_message).encode("utf-8"))
+    print(f"Posting message to Slack URL {get_masked_slack_webhook_url(slack_url)}")
+    try:
+        response = urlopen(req)
+        response.read()
+    except HTTPError as e:
+        raise Exception(f"Request to slack failed: {e.code} {e.reason}")
+    except URLError as e:
+        raise Exception(f"Server connection to slack failed: {e.reason}")