deploy cleanup

Makefile

@@ -1,3 +1,110 @@
+AWS_CLI	   ?= /usr/local/bin/aws
+TEMP_PATH   = .temp
+RELEASE_ZIP = release.zip
+BUCKET_PREFIX ?= aws-to-slack
 
-deploy:
-	sam deploy
+# Load from .env file
+ifdef TARGET
+  include $(TARGET)
+  export
+endif
+
+# Dependency definitions
+ifdef AWS_REGION
+  regionArg= --region $(AWS_REGION)
+endif
+ifdef AWS_PROFILE
+  awsProfile= --profile $(AWS_PROFILE)
+endif
+ifndef LAMBDA_NAME
+  ifndef STACK_ID
+  usesLambdaName := create-stack load-lambda-name
+  else
+  usesLambdaName := load-lambda-name
+  endif
+endif
+ifeq (,$(wildcard $(RELEASE_ZIP)))
+  usesReleaseZip := package
+endif
+
+info:
+	@echo "Deploying to $(BUCKET_PREFIX)"
+
+# Create release.zip file
+.PHONY: package
+package:
+	# Prepare
+	-@rm -r "$(TEMP_PATH)" 2>/dev/null || true
+	-@rm "$(RELEASE_ZIP)" 2>/dev/null || true
+	@mkdir -p "$(TEMP_PATH)"
+
+	# Copy sources to temporary folder
+	@cp -R src package-lock.json package.json "$(TEMP_PATH)/"
+
+	# Install dependencies
+	@cd "$(TEMP_PATH)" && npm install --production
+
+	# Package artifact
+	@cd "$(TEMP_PATH)" && zip -rq "../$(RELEASE_ZIP)" .
+
+	# Cleanup
+	@rm -r "$(TEMP_PATH)"
+
+
+# Perform create-stack operation
+.PHONY: create-stack-raw
+create-stack-raw:
+	# Create CloudFormation Stack
+	aws $(awsProfile) cloudformation create-stack --stack-name "$(STACK_NAME)" --template-body file://cloudformation.yaml \
+		$(regionArg) --capabilities CAPABILITY_IAM --parameters $(STACK_PARAMS)
+	aws $(awsProfile) cloudformation wait stack-create-complete --stack-name "$(STACK_NAME)" $(regionArg)
+
+
+# Create the stack, print output, and save to TARGET file
+#  (must be separate from create-stack-raw because uses $(shell ...)
+.PHONY: create-stack
+create-stack: create-stack-raw
+	$(eval STACK_ID := $(shell aws $(awsProfile) cloudformation describe-stacks --stack-name "$(STACK_NAME)" \
+		$(regionArg) --output text --query 'Stacks[0].StackId' ))
+	@echo "Add to your .env file: STACK_ID=$(STACK_ID)"
+	@ [ -z "$(TARGET)" ] || { echo "# Makefile on `date`" >> "$(TARGET)"; echo "STACK_ID=$(STACK_ID)" >> "$(TARGET)"; }
+
+
+# Update CloudFormation stack
+.PHONY: update-stack
+update-stack:
+	aws $(awsProfile) cloudformation update-stack --stack-name "$(STACK_NAME)" --template-body file://cloudformation.yaml \
+			$(regionArg) --capabilities CAPABILITY_IAM --parameters $(STACK_PARAMS)
+
+
+# Perform describe-stack to retrieve name of Lambda function
+.PHONY: load-lambda-name
+load-lambda-name:
+	# Load Lambda name from CloudFormation
+	@if [ -z "$(STACK_NAME)" ]; then echo "Var STACK_NAME must be defined"; exit 1; fi;
+	$(eval LAMBDA_NAME := $(shell aws $(awsProfile) cloudformation describe-stacks --stack-name "$(STACK_NAME)" \
+		$(regionArg) --output text --query 'Stacks[0].Outputs[?OutputKey==`LambdaFunction`].OutputValue'))
+	@echo "Add to your .env file: LAMBDA_NAME=$(LAMBDA_NAME)"
+	@ [ -z "$(TARGET)" ] || { echo "# Makefile on `date`" >> "$(TARGET)"; echo "LAMBDA_NAME=$(LAMBDA_NAME)" >> "$(TARGET)"; }
+
+
+# Update existing Lambda function
+.PHONY: deploy
+deploy: $(usesReleaseZip) $(usesLambdaName)
+	# Update Lambda function code
+	aws $(awsProfile) lambda update-function-code --function-name "$(LAMBDA_NAME)" \
+		$(regionArg) --zip-file "fileb://$(RELEASE_ZIP)" --publish
+
+
+# Copy local files to global S3 deployment buckets
+REGIONS ?= \
+  us-east-1 us-east-2 us-west-1 us-west-2 \
+  eu-central-1 eu-west-1 eu-west-2 eu-west-3 \
+  ap-northeast-1 ap-northeast-2 ap-south-1 ap-southeast-1 ap-southeast-2 \
+  ca-central-1 sa-east-1
+  # disabled: cn-north-1 cn-northwest-1
+.PHONY: publish
+publish: $(usesReleaseZip) $(REGIONS)
+$(REGIONS):
+	aws $(awsProfile) s3 cp "./cloudformation.yaml" "s3://$(BUCKET_PREFIX)-$@" --acl public-read
+	aws $(awsProfile) s3 cp "$(RELEASE_ZIP)" "s3://$(BUCKET_PREFIX)-$@" --acl public-read

package.json

@@ -19,10 +19,10 @@
   },
   "dependencies": {
     "lodash": "^4.17.21",
+    "aws-sdk": "^2.463.0",
     "test": "^3.3.0"
   },
   "devDependencies": {
-    "aws-sdk": "^2.463.0",
     "eslint": "^5.16.0",
     "eslint-plugin-import": "^2.17.3",
     "eslint-plugin-lodash": "^2.7.0",

src/eventdef.js

@@ -87,6 +87,15 @@ class EventDef {
 		return this.getArn().product;
 	}
 
+	/**
+	 * Get detail type from current record.
+	 *
+	 * @returns {string|undefined} The detail-type field
+	 */
+	getDetailType() {
+		return _.get(this.message, "detail-type");
+	}
+
 	/**
 	 * Get SNS subject from current record.
 	 *

src/index.js

@@ -18,7 +18,9 @@ const _ = require("lodash")
 		"codedeploySns",
 		"codepipeline",
 		"codepipeline-approval",
-		"guardduty",
+		"guardduty-apicall",
+		"guardduty-findings",
+		"guardduty-kuberuntime",
 		"securityhub",
 		"inspector",
 		"rds",

src/parsers/guardduty-apicall.js

@@ -0,0 +1,71 @@
+//
+// AWS GuardDuty event parser
+//
+exports.matches = event =>
+	event.getSource() === "guardduty" && event.getDetailType() === "AWS API Call via CloudTrail"
+
+exports.parse = event => {
+	const detail = event.get("detail");
+
+	let title = _.get(detail, "title");
+	let description = _.get(detail, "description");
+	const createdAt = new Date(_.get(detail, "time"));
+	let accountId = _.get(detail, "accountId");
+	let region = _.get(detail, "region");
+	let color = event.COLORS.neutral; //low severity below 4
+	const fields = [];
+
+	const eventName = _.get(detail, "eventName")
+
+	let actionedBy = _.get(detail, "userIdentity.principalId")
+	accountId = _.get(detail, "recipientAccountId");
+	region = _.get(detail, "awsRegion");
+	title = "Findings Archived"
+	description = `Findings Archived by ${actionedBy}`
+	color = event.COLORS.ok;
+
+	if (eventName === "UnarchiveFindings") {
+		title = "Findings Unarchived"
+		description = `Findings Unarchived by ${actionedBy}`
+		color = event.COLORS.warning;
+	}
+
+	fields.push({
+		title: "Account",
+		value: accountId,
+		short: true
+	});
+
+	fields.push({
+		title: "Region",
+		value: region,
+		short: true
+	});
+
+	fields.push({
+		title: "Actioned by",
+		value: actionedBy,
+		short: false
+	});
+
+	const findings = _.get(detail, "requestParameters.findingIds");
+
+	for (const finding of findings) {
+		fields.push({
+			title: "Finding ID",
+			value: finding,
+			short: false
+		});
+	}
+
+
+	return event.attachmentWithDefaults({
+		author_name: "Amazon GuardDuty",
+		fallback: `${title} ${description}`,
+		color: color,
+		title: title,
+		fields: fields,
+		mrkdwn_in: ["title", "text"],
+		ts: createdAt,
+	});
+};

src/parsers/guardduty.js → src/parsers/guardduty-findings.js

@@ -2,8 +2,7 @@
 // AWS GuardDuty event parser
 //
 exports.matches = event =>
-	event.getSource() === "guardduty"
-	|| _.get(event.message, "detail.service.serviceName") === "guardduty";
+	event.getSource() === "guardduty" && event.getDetailType() === "GuardDuty Finding"
 
 exports.parse = event => {
 	const detail = event.get("detail");
@@ -18,51 +17,6 @@ exports.parse = event => {
 
 	const eventName = _.get(detail, "eventName")
 
-	if (eventName === "ArchiveFindings" || eventName === "UnarchiveFindings") {
-		let actionedBy = _.get(detail, "userIdentity.principalId")
-		accountId = _.get(detail, "recipientAccountId");
-		region = _.get(detail, "awsRegion");
-		title = "Findings Archived"
-		description = `Findings Archived by ${actionedBy}`
-		color = event.COLORS.ok;
-
-		if (eventName === "UnarchiveFindings") {
-			title = "Findings Unarchived"
-			description = `Findings Unarchived by ${actionedBy}`
-			color = event.COLORS.warning;
-		}
-
-		fields.push({
-			title: "Account",
-			value: accountId,
-			short: true
-		});
-
-		fields.push({
-			title: "Region",
-			value: region,
-			short: true
-		});
-
-		fields.push({
-			title: "Actioned by",
-			value: actionedBy,
-			short: false
-		});
-
-		const findings = _.get(detail, "requestParameters.findingIds");
-
-		for (const finding of findings) {
-			fields.push({
-				title: "Finding ID",
-				value: finding,
-				short: false
-			});
-		}
-
-	}
-	else {
-
 	//const id = _.get(detail, "id");
 	const severity = _.get(detail, "severity");
 	//const partition = _.get(event, "partition");
@@ -430,7 +384,6 @@ exports.parse = event => {
     	if (severity > 7) { //high sevirity above 7
 		color = event.COLORS.critical;
 	}
-	}
 
 	return event.attachmentWithDefaults({
 		author_name: "Amazon GuardDuty",