Merge pull request #21 from mitre/groups

v0.16.0
mitre · Sep 27, 2021 · 39d49dd · 39d49dd
2 parents b613436 + 486d36d
commit 39d49dd
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 5 deletions.
diff --git a/main.tf b/main.tf
@@ -54,6 +54,21 @@ resource "null_resource" "push_image" {
   }
 }
 
+##
+# KMS key for encrypting lambda log data
+#
+# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key
+#
+resource "aws_kms_key" "ServerlessInSpecLogsKmsKey" {
+  description             = "The KMS key used to encrypt ConfigToHdf's logs"
+  deletion_window_in_days = 10
+  enable_key_rotation     = true
+
+  tags = {
+    Name = "ServerlessInSpecLogsKmsKey"
+  }
+}
+
 ##
 # InSpec Lambda function
 #
@@ -77,6 +92,9 @@ module "serverless-inspec-lambda" {
   vpc_subnet_ids         = var.subnet_ids
   vpc_security_group_ids = var.security_groups
 
+  cloudwatch_logs_kms_key_id        = aws_kms_key.ServerlessInSpecLogsKmsKey.key_id
+  cloudwatch_logs_retention_in_days = 30
+
   create_package = false
   image_uri      = "${aws_ecr_repository.mitre_serverless_inspec.repository_url}:${local.image_version}"
   package_type   = "Image"

diff --git a/src/lambda_function.rb b/src/lambda_function.rb
@@ -68,15 +68,26 @@ def lambda_handler(event:, context:)
   # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Client.html
   # Consider allowing passing additional eval_tags through the event
   # Consider tagging with the account ID
+  payload = {
+    'data' => JSON.parse(File.read(file_path)),
+    'eval_tags' => event['eval_tags'] || 'ServerlessInspec'
+  }
+  # Groups is expected to be a string array
+  if event['groups']
+    # Ensure string array
+    unless event['groups'].is_a?(Array) && (event['groups'].all? { |element| element.is_a?(String) })
+      $logger.error("Groups argument must be an Array of Strings: #{event['groups']}")
+      exit 1
+    end
+    payload['groups'] = event['groups']
+  end
+
   event['results_buckets'].each do |bucket|
     $logger.info("Pushing results to S3 bucket: #{bucket}")
     s3_client = Aws::S3::Client.new
     s3_client.put_object(
       {
-        body: StringIO.new({
-          'data' => JSON.parse(File.read(file_path)),
-          'eval_tags' => event['eval_tags'] || 'ServerlessInspec'
-        }.to_json),
+        body: StringIO.new(payload.to_json),
         bucket: bucket,
         key: "unprocessed/#{filename}"
       }

diff --git a/version b/version
@@ -1 +1 @@
-0.15.7
+0.16.0