Bug Fixes (Initialization, AWS Perms, Config), CloudWatch Event Patterns, and More

[jacknagz]

to: @ryandeivert (code) @mime-frame (docs)
cc: @airbnb/streamalert-maintainers @zbuc
size: medium

A combination of various bug fixes and feature additions.

Related Issues

• resolves KMS permissions not included in documentation #201
• completes another task in Follow Up: JSON Cluster Files #176

Conf Changes

• Make sure we are starting with "$LATEST" as the AWS Lambda current_version. This currently throws an error during the first deploy since the versions do not exist yet.
• Reset the Kinesis and Lambda settings to be a bare minimum.
• Enable force_destroy for prerequisite buckets. This is makes destroying clusters easier, since this data is not of high value.

CLI Changes

• Add a stream_alert_cli.py terraform clean command to simply remove any Terraform statefiles and other related files. This is useful to have while troubleshooting issues with initialization.
• Fix a bug in the init target list: This list of Terraform resources is used during init to create the prerequisite infrastructure. There was a resource naming issue here causing errors.
• Add a default to the flow_logs module for the log group name. Adds some unit tests too.

Terraform Changes

• Support all tf_stream_alert_cloudtrail module options. This gives control over how users can configure CloudTrail to send to their StreamAlert cluster. For more information, see the module documentation.

Documentation Changes

• Update the Account setup page which explains how to configure your admin user
• Update the clusters section on how to configure flow_logs and cloudtrail modules

[ryandeivert]

Some comments

[ryandeivert]

Maybe I'm just not seeing it elsewhere, but it looks like existing_trail_default and is_global_trail_default are just booleans and only used to hold default values for the .get() calls. Can we just place the boolean value directly in the get for brevity?

[jacknagz]

Correct, they're just booleans. I defined them as variables to be really explicit about what the defaults are for these options.

[ryandeivert]

We should probably start returning a value in places like this (maybe just a simple bool == False, or a more comprehensive solution would be returning a non-zero error number) that we could check up the call stack and exit on error. It would avoid having sys.exit(1) calls scattered about the CLI and could allow for us to start using useful exit codes for certain errors (that are not 1). Not a necessary change now, but something to keep in mind.

[jacknagz]

Agreed, I'll make some changes

[ryandeivert]

Why do we want event_pattern to be a json string within a dictionary as opposed to just another python dict? I assume this has something to do with the config stuff below?

[jacknagz]

https://www.terraform.io/docs/providers/aws/r/cloudwatch_event_rule.html

[jacknagz]

PTAL @ryandeivert, tested all CLI commands by bringing up a test cluster, deploying, and destroying

[ryandeivert]

Liking this direction a lot - a few comments in-line.

[ryandeivert]

@jacknagz in a handful of these functions it looks like we return True and there's really no possibility of the function returning a falsey value. Am I overlooking something? If that's the case, there's not much benefit to having a check for the return value for these function calls.

That said, I do see a few functions below that can return False, so it definitely applies some places.

[jacknagz]

I'm doing it for consistency, this could change in the future as we add more checks for validity

[ryandeivert]

I think the formatting/indent here got messed up when the return was added. (meaning in the following 2 lines, not this one).

[coveralls]

Coverage remained the same at 79.307% when pulling 61d5a13 on jacknaglieri-cloudtrail-patterns into 2abbcb3 on master.