From b3d3fb6a75a0dd9a8def5f1a913300d22cbb9b00 Mon Sep 17 00:00:00 2001
From: Jack Naglieri <jack.naglieri@airbnb.com>
Date: Mon, 24 Apr 2017 17:21:27 -0700
Subject: [PATCH] [tf] support SNS as an input, and arbitrary S3/Lambda
 functions as outputs

---
 conf/inputs.json                              |  5 +++
 conf/outputs.json                             | 27 +++++++++-------
 stream_alert_cli/runner.py                    |  3 +-
 terraform/modules/tf_stream_alert/iam.tf      | 31 +++++++++++++++++--
 terraform/modules/tf_stream_alert/main.tf     | 11 +++++++
 terraform/modules/tf_stream_alert/sns.tf      |  8 +++++
 .../modules/tf_stream_alert/variables.tf      | 15 +++++++++
 terraform/variables.tf                        | 31 ++++++++++++++-----
 8 files changed, 107 insertions(+), 24 deletions(-)
 create mode 100644 conf/inputs.json

diff --git a/conf/inputs.json b/conf/inputs.json
new file mode 100644
index 000000000..4dfbea761
--- /dev/null
+++ b/conf/inputs.json
@@ -0,0 +1,5 @@
+{
+  "aws-sns": {
+    "sample_sns": "arn:aws:sns:us-region-1:111111111111:topicname"
+  }
+}
\ No newline at end of file
diff --git a/conf/outputs.json b/conf/outputs.json
index 90807833b..325ee12e8 100644
--- a/conf/outputs.json
+++ b/conf/outputs.json
@@ -1,14 +1,17 @@
 {
-    "aws-s3": {
-        "sample.bucket": "sample_bucket_name"
-    },
-    "pagerduty": [
-        "sample_integration"
-    ],
-    "phantom": [
-        "sample_integration"
-    ],
-    "slack": [
-        "sample_channel"
-    ]
+  "aws-s3": {
+    "sample.bucket": "sample_bucket_name"
+  },
+  "aws-lambda": {
+    "sample_lambda": "arn:aws:lambda:region:account-id:function:function-name"
+  },
+  "pagerduty": [
+    "sample_integration"
+  ],
+  "phantom": [
+    "sample_integration"
+  ],
+  "slack": [
+    "sample_channel"
+  ]
 }
\ No newline at end of file
diff --git a/stream_alert_cli/runner.py b/stream_alert_cli/runner.py
index eab707f38..f8e6dad7e 100644
--- a/stream_alert_cli/runner.py
+++ b/stream_alert_cli/runner.py
@@ -204,7 +204,8 @@ def tf_runner(**kwargs):
     refresh_state = kwargs.get('refresh_state', True)
     tf_action_index = 1  # The index to the terraform 'action'
 
-    tf_opts = ['-var-file=../{}'.format(CONFIG.filename)]
+    var_files = {CONFIG.filename, 'conf/outputs.json', 'conf/inputs.json'}
+    tf_opts = ['-var-file=../{}'.format(x) for x in var_files]
     tf_targets = ['-target={}'.format(x) for x in targets]
     tf_command = ['terraform', 'plan'] + tf_opts + tf_targets
     if action == 'destroy':
diff --git a/terraform/modules/tf_stream_alert/iam.tf b/terraform/modules/tf_stream_alert/iam.tf
index fe8abe5c1..e13c78319 100644
--- a/terraform/modules/tf_stream_alert/iam.tf
+++ b/terraform/modules/tf_stream_alert/iam.tf
@@ -146,8 +146,9 @@ EOF
 
 // Allow the Alert Processor to invoke Lambda
 resource "aws_iam_role_policy" "streamalert_alert_processor_lambda" {
-  name = "${var.prefix}_${var.cluster}_streamalert_alert_processor_lambda"
-  role = "${aws_iam_role.streamalert_alert_processor_role.id}"
+  count = "${length(keys(var.output_lambda_functions))}"
+  name  = "${var.prefix}_${var.cluster}_streamalert_alert_processor_lambda_${element(keys(var.output_lambda_functions), count.index)}"
+  role  = "${aws_iam_role.streamalert_alert_processor_role.id}"
 
   policy = <<EOF
 {
@@ -158,7 +159,31 @@ resource "aws_iam_role_policy" "streamalert_alert_processor_lambda" {
         "lambda:InvokeFunction"
       ],
       "Effect": "Allow",
-      "Resource": "*"
+      "Resource": "${lookup(var.output_lambda_functions, element(keys(var.output_lambda_functions), count.index))}"
+    }
+  ]
+}
+EOF
+}
+
+// Allow the Alert Processor to send to arbitrary S3 buckets as outputs
+resource "aws_iam_role_policy" "streamalert_alert_processor_s3_outputs" {
+  count = "${length(keys(var.output_s3_buckets))}"
+  name  = "${var.prefix}_${var.cluster}_streamalert_alert_processor_s3_output_${element(keys(var.output_s3_buckets), count.index)}"
+  role  = "${aws_iam_role.streamalert_alert_processor_role.id}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "s3:PutObject",
+        "s3:PutObjectAcl",
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::${lookup(var.output_s3_buckets, element(keys(var.output_s3_buckets), count.index))}"
     }
   ]
 }
diff --git a/terraform/modules/tf_stream_alert/main.tf b/terraform/modules/tf_stream_alert/main.tf
index 753d4091a..726b05595 100644
--- a/terraform/modules/tf_stream_alert/main.tf
+++ b/terraform/modules/tf_stream_alert/main.tf
@@ -20,6 +20,17 @@ resource "aws_lambda_alias" "rule_processor_production" {
   function_version = "${var.rule_processor_versions["${var.cluster}"]}"
 }
 
+// Allow SNS to invoke the StreamAlert Output Processor
+resource "aws_lambda_permission" "sns_inputs" {
+  count         = "${length(keys(var.input_sns_topics))}"
+  statement_id  = "AllowExecutionFromSNS_${element(keys(var.input_sns_topics), count.index)}"
+  action        = "lambda:InvokeFunction"
+  function_name = "${aws_lambda_function.streamalert_rule_processor.arn}"
+  principal     = "sns.amazonaws.com"
+  source_arn    = "${lookup(var.input_sns_topics, element(keys(var.input_sns_topics), count.index))}"
+  qualifier     = "production"
+}
+
 // AWS Lambda Function: StreamAlert Alert Processor
 //    Send alerts to declared outputs
 resource "aws_lambda_function" "streamalert_alert_processor" {
diff --git a/terraform/modules/tf_stream_alert/sns.tf b/terraform/modules/tf_stream_alert/sns.tf
index 586763f09..5d817ac49 100644
--- a/terraform/modules/tf_stream_alert/sns.tf
+++ b/terraform/modules/tf_stream_alert/sns.tf
@@ -10,3 +10,11 @@ resource "aws_sns_topic_subscription" "alert_processor" {
   endpoint  = "${aws_lambda_function.streamalert_alert_processor.arn}:production"
   protocol  = "lambda"
 }
+
+// Subscribe the Rule Processor Lambda function to arbitrary SNS topics
+resource "aws_sns_topic_subscription" "input_topic_subscriptions" {
+  count     = "${length(keys(var.input_sns_topics))}"
+  topic_arn = "${lookup(var.input_sns_topics, element(keys(var.input_sns_topics), count.index))}"
+  endpoint  = "${aws_lambda_function.streamalert_rule_processor.arn}:production"
+  protocol  = "lambda"
+}
diff --git a/terraform/modules/tf_stream_alert/variables.tf b/terraform/modules/tf_stream_alert/variables.tf
index 2aa6e9b46..974903773 100644
--- a/terraform/modules/tf_stream_alert/variables.tf
+++ b/terraform/modules/tf_stream_alert/variables.tf
@@ -47,3 +47,18 @@ variable "alert_processor_versions" {
   type    = "map"
   default = {}
 }
+
+variable "output_lambda_functions" {
+  type    = "map"
+  default = {}
+}
+
+variable "output_s3_buckets" {
+  type    = "map"
+  default = {}
+}
+
+variable "input_sns_topics" {
+  type    = "map"
+  default = {}
+}
diff --git a/terraform/variables.tf b/terraform/variables.tf
index 1027e6598..67a868312 100644
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -1,20 +1,35 @@
 variable "account" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "alert_processor_config" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "alert_processor_lambda_config" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "alert_processor_versions" {
-  type = "map"
+  type    = "map"
+  default = {}
+}
+
+variable "aws-lambda" {
+  type    = "map"
+  default = {}
+}
+
+variable "aws-s3" {
+  type    = "map"
+  default = {}
+}
+
+variable "aws-sns" {
+  type    = "map"
   default = {}
 }
 
@@ -39,21 +54,21 @@ variable "kinesis_streams_config" {
 }
 
 variable "rule_processor_config" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "rule_processor_lambda_config" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "rule_processor_versions" {
-  type = "map"
+  type    = "map"
   default = {}
 }
 
 variable "terraform" {
-  type = "map"
+  type    = "map"
   default = {}
 }