diff --git a/backend/env.yml b/backend/env.yml
index df7309a4c..da3362d88 100644
--- a/backend/env.yml
+++ b/backend/env.yml
@@ -43,8 +43,6 @@ staging:
 MATOMO_URL: http://matomo.crossfeed.local
 EXPORT_BUCKET_NAME: cisa-crossfeed-staging-exports
 PE_API_URL: ${ssm:/crossfeed/staging/PE_API_URL}
- PE_API_KEY: ${ssm:/crossfeed/staging/PE_API_KEY}
- CF_API_KEY: ${ssm:/crossfeed/staging/CF_API_KEY}
 REPORTS_BUCKET_NAME: cisa-crossfeed-staging-reports
 CLOUDWATCH_BUCKET_NAME: cisa-crossfeed-staging-cloudwatch
 STAGE: staging
@@ -95,8 +93,6 @@ prod:
 MATOMO_URL: http://matomo.crossfeed.local
 EXPORT_BUCKET_NAME: cisa-crossfeed-prod-exports
 PE_API_URL: ${ssm:/crossfeed/prod/PE_API_URL}
- PE_API_KEY: ${ssm:/crossfeed/prod/PE_API_KEY}
- CF_API_KEY: ${ssm:/crossfeed/prod/CF_API_KEY}
 REPORTS_BUCKET_NAME: cisa-crossfeed-prod-reports
 CLOUDWATCH_BUCKET_NAME: cisa-crossfeed-prod-cloudwatch
 STAGE: prod
diff --git a/infrastructure/elastic.tf b/infrastructure/elastic.tf
index 9cbf6f2ba..4f51938a4 100644
--- a/infrastructure/elastic.tf
+++ b/infrastructure/elastic.tf
@@ -28,38 +28,4 @@ resource "aws_instance" "elk_stack" {
 }
 }
-data "aws_iam_policy_document" "elk_policy" {
- statement {
- effect = "Allow"
- actions = ["cloudwatch:GetMetricData",
- "cloudwatch:ListMetrics",
- "ec2:DescribeInstances",
- "ec2:DescribeRegions",
- "logs:DescribeLogGroups",
- "logs:FilterLogEvents",
- "rds:DescribeDBInstances",
- "rds:ListTagsForResource",
- "sns:ListTopics",
- "sqs:ChangeMessageVisibility",
- "sqs:DeleteMessage",
- "sqs:ListQueues",
- "sqs:ReceiveMessage",
- "sts:AssumeRole",
- "sts:GetCallerIdentity",
- "tag:GetResources"]
- resources = ["*"]
- }
-}
-
-# Define IAM user
-resource "aws_iam_user" "elk_integration_user" {
- name = "ELKIntegrationUser"
-}
-
-# Attach policy to the IAM user
-resource "aws_iam_user_policy" "lb_ro" {
- name = "test"
- user = aws_iam_user.elk_integration_user.name
- policy = data.aws_iam_policy_document.elk_policy.json
-}
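Review bot: Dropping `PE_API_KEY` and `CF_API_KEY` from the backend's staging environment (and from prod in the second hunk of this file) means any backend code that still reads those two names from its environment now gets an empty value; the backend handlers are not in this diff, so please confirm that the only consumers are the worker tasks, which receive the keys through the task definition elsewhere in this commit. The `${ssm:...}` references appear to be resolved at deploy time and written into the function configuration, so removing them also stops the keys from being exposed in the backend's runtime environment, which is the right direction if the backend does not need them. A one-line mention of the "keys move from backend env to worker secrets" intent in the commit description would save the next reader the cross-file check.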
diff --git a/infrastructure/prod.tfvars b/infrastructure/prod.tfvars
index 865d71924..15a43db08 100644
--- a/infrastructure/prod.tfvars
+++ b/infrastructure/prod.tfvars
@@ -59,6 +59,8 @@ ssm_dnstwist_queue_url = "/crossfeed/prod/DNSTWIST_QUEUE_URL"
 ssm_hibp_queue_url = "/crossfeed/prod/HIBP_QUEUE_URL"
 ssm_intelx_queue_url = "/crossfeed/prod/INTELX_QUEUE_URL"
 ssm_cybersixgill_queue_url = "/crossfeed/prod/CYBERSIXGILL_QUEUE_URL"
+ssm_pe_api_key = "/crossfeed/prod/PE_API_KEY"
+ssm_cf_api_key = "/crossfeed/prod/CF_API_KEY"
 db_group_name = "crossfeed-prod-db-group"
 worker_ecs_repository_name = "crossfeed-prod-worker"
 worker_ecs_cluster_name = "crossfeed-prod-worker"
diff --git a/infrastructure/stage.tfvars b/infrastructure/stage.tfvars
index 7eee126d9..8a78c4049 100644
--- a/infrastructure/stage.tfvars
+++ b/infrastructure/stage.tfvars
@@ -60,6 +60,8 @@ ssm_dnstwist_queue_url = "/crossfeed/staging/DNSTWIST_QUEUE_URL"
 ssm_hibp_queue_url = "/crossfeed/staging/HIBP_QUEUE_URL"
 ssm_intelx_queue_url = "/crossfeed/staging/INTELX_QUEUE_URL"
 ssm_cybersixgill_queue_url = "/crossfeed/staging/CYBERSIXGILL_QUEUE_URL"
+ssm_pe_api_key = "/crossfeed/staging/PE_API_KEY"
+ssm_cf_api_key = "/crossfeed/staging/CF_API_KEY"
 db_group_name = "crossfeed-staging-db-group"
 worker_ecs_repository_name = "crossfeed-staging-worker"
 worker_ecs_cluster_name = "crossfeed-staging-worker"
diff --git a/infrastructure/vars.tf b/infrastructure/vars.tf
index ec46c379c..f47c3e7c9 100644
--- a/infrastructure/vars.tf
+++ b/infrastructure/vars.tf
@@ -334,6 +334,18 @@ variable "ssm_lg_api_key" {
 default = "/crossfeed/staging/LG_API_KEY"
 }
+variable "ssm_pe_api_key" {
+ description = "ssm_pe_api_key"
+ type = string
+ default = "/crossfeed/staging/PE_API_KEY"
+}
+
+variable "ssm_cf_api_key" {
+ description = "ssm_cf_api_key"
+ type = string
+ default = "/crossfeed/staging/CF_API_KEY"
+}
+
 variable "ssm_lg_workspace_name" {
 description = "ssm_lg_workspace_name"
 type = string
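Review bot: The `description` of the two new variables in the vars.tf hunk only repeats the variable name, which tells a reader nothing about what the value is or where the secret actually lives; `description = "SSM parameter path (not the key itself) holding the PE API key"` and the matching CF wording would make clear that the variable carries a path and the secret stays in SSM. The defaults point at the staging parameters, which follows the neighbouring `ssm_lg_api_key`, but it means an environment whose tfvars omits the override silently reads the staging key; both prod.tfvars and stage.tfvars in this commit do set it, so this is a note on the inherited convention rather than a defect introduced here.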
diff --git a/infrastructure/worker.tf b/infrastructure/worker.tf
index e77c4f376..223588544 100644
--- a/infrastructure/worker.tf
+++ b/infrastructure/worker.tf
@@ -94,7 +94,9 @@ resource "aws_iam_role_policy" "worker_task_execution_role_policy" {
 "${data.aws_ssm_parameter.hibp_queue_url.arn}",
 "${data.aws_ssm_parameter.intelx_queue_url.arn}",
 "${data.aws_ssm_parameter.cybersixgill_queue_url.arn}",
- "${aws_ssm_parameter.es_endpoint.arn}"
+ "${aws_ssm_parameter.es_endpoint.arn}",
+ "${data.aws_ssm_parameter.pe_api_key.arn}",
+ "${data.aws_ssm_parameter.cf_api_key.arn}"
 ]
 }
 ]
@@ -304,6 +306,14 @@ resource "aws_ecs_task_definition" "worker" {
 {
 "name": "ELASTICSEARCH_ENDPOINT",
 "valueFrom": "${aws_ssm_parameter.es_endpoint.arn}"
+ },
+ {
+ "name": "PE_API_KEY",
+ "valueFrom": "${data.aws_ssm_parameter.pe_api_key.arn}"
+ },
+ {
+ "name": "CF_API_KEY",
+ "valueFrom": "${data.aws_ssm_parameter.cf_api_key.arn}"
 }
 ]
 }
@@ -375,6 +385,10 @@ data "aws_ssm_parameter" "intelx_queue_url" { name = var.ssm_intelx_queue_url }
 data "aws_ssm_parameter" "cybersixgill_queue_url" { name = var.ssm_cybersixgill_queue_url }
+data "aws_ssm_parameter" "pe_api_key" { name = var.ssm_pe_api_key }
+
+data "aws_ssm_parameter" "cf_api_key" { name = var.ssm_cf_api_key }
+
 resource "aws_s3_bucket" "export_bucket" {
 bucket = var.export_bucket_name
 tags = {
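Review bot: The execution-role statement that gains the `pe_api_key` and `cf_api_key` ARNs in the first hunk has its action list outside the hunk, so it cannot be confirmed here that the role is allowed to fetch and decrypt these parameters at task start; if they are SecureString parameters encrypted with a customer-managed KMS key rather than the AWS-managed SSM key, the role also needs `kms:Decrypt` on that key, scoped to the key's ARN. A short comment above the resource list would record that dependency, e.g. `# PE/CF API keys: if stored under a customer-managed KMS key, add kms:Decrypt on that key for this role`. The enclosing `aws_iam_role_policy` block starts before the hunk, and the actions it grants are not visible in this diff.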
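Review bot: The two new `data "aws_ssm_parameter"` blocks in the last hunk read the parameter value during plan (`with_decryption` defaults to true) and persist it in Terraform state, although only `.arn` is consumed; for API keys that means the plaintext lands wherever the state file is stored and in every plan output that touches it. Since nothing here needs the value, add `with_decryption = false` inside each of the two blocks so the ARN is still resolved without decrypting the secret into state. The sibling queue-URL data sources follow the same one-line pattern, but those hold URLs rather than credentials, so the exposure is new with this change.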