Support Alert Processor in VPC, Various Bug Fixes #168
to: @austinbyers @ryandeivert
cc: @airbnb/streamalert-maintainers
size: medium
Background
The primary purpose of this PR is to support the Alert Processor running from within an AWS VPC (Virtual Private Cloud). The benefit of this change is that alerting logic will be able to reach into private services/resources behind a firewall or security groups in AWS cloud. An example of this is an alert with Phantom as an output, or any other orchestration trigger as a result of a StreamAlert.
Along the way, I identified other small bugs with the CLI that I have also fixed.
Changes
- `tf_stream_alert` Terraform module to support running the Alert Processor from within a VPC.
- `stream_alert_cli.py terraform status` command.
- `stream_alert_cli.py terraform destroy` to allow destruction of selective modules.
- `handler` import path for the `alert_processor`
Usage
Important! To enable the `alert_processor` from within a VPC, you must first add the following to your cluster config:
Example:
You will have to destroy the existing alert processor; you can do it with the following command:
Then, run:
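The config snippet and commands referenced in the Usage steps above are not reproduced on this page. The following is an added example, not StreamAlert's code and not the command elided above, that walks the same procedure in Python: it sanity-checks a hypothetical `vpc_config` block (the key names `subnet_ids` and `security_group_ids` are assumed here and mirror the Lambda `vpc_config` arguments; the PR's real cluster-config keys are not shown) and builds a `terraform destroy` command that targets only the named modules, which is what a selective destroy of the existing alert processor requires. The module name `stream_alert_prod` is an assumption for illustration.

```python
"""Added example (not StreamAlert's own code): validate an assumed
alert_processor vpc_config block and build a targeted `terraform destroy`
argv for removing only the existing alert processor module."""
import re
from typing import Dict, List

# AWS resource ID formats: "subnet-"/"sg-" followed by 8 or 17 hex digits.
SUBNET_RE = re.compile(r"^subnet-[0-9a-f]{8}([0-9a-f]{9})?$")
SG_RE = re.compile(r"^sg-[0-9a-f]{8}([0-9a-f]{9})?$")
# Terraform module names: letters, digits and underscores only.
MODULE_RE = re.compile(r"^[A-Za-z0-9_]+$")


def validate_vpc_config(vpc_config: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the block is usable.

    A Lambda attached to a VPC needs at least one subnet and at least one
    security group, and malformed IDs would otherwise only fail at
    `terraform apply` time. Key names are assumed, see the lead-in.
    """
    problems: List[str] = []
    subnets = vpc_config.get("subnet_ids", [])
    sgs = vpc_config.get("security_group_ids", [])
    if not subnets:
        problems.append("subnet_ids must list at least one subnet")
    if not sgs:
        problems.append("security_group_ids must list at least one security group")
    problems += [f"bad subnet id: {s}" for s in subnets if not SUBNET_RE.match(s)]
    problems += [f"bad security group id: {g}" for g in sgs if not SG_RE.match(g)]
    return problems


def terraform_destroy_args(modules: List[str]) -> List[str]:
    """Build argv for destroying only the named Terraform modules.

    Module names are allow-listed so a value taken from config or the CLI
    cannot smuggle extra terraform flags (or shell metacharacters, if the
    argv is ever joined into a string) into the command line. An empty
    module list is refused rather than silently becoming a full destroy.
    """
    if not modules:
        raise ValueError("refusing to build an untargeted destroy")
    for module in modules:
        if not MODULE_RE.match(module):
            raise ValueError(f"invalid module name: {module!r}")
    args = ["terraform", "destroy"]
    args += [f"-target=module.{module}" for module in modules]
    return args


if __name__ == "__main__":
    # Constructed sample input, not a real cluster config.
    sample = {
        "subnet_ids": ["subnet-0a1b2c3d"],
        "security_group_ids": ["sg-0f1e2d3c"],
    }
    print("config problems:", validate_vpc_config(sample))
    # "stream_alert_prod" is an assumed module name for illustration.
    print(" ".join(terraform_destroy_args(["stream_alert_prod"])))
```

One caveat when moving the alert processor into a VPC: a Lambda function attached to a VPC has no route to the public internet unless its subnets reach a NAT gateway or the service is exposed through a VPC endpoint, so outputs that call public APIs will start timing out after this change unless that route exists. Keep the security group's egress rules limited to the destinations the configured outputs actually need.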