Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.
Awesome Lists | Featured Topics | Projects
https://github.com/trussworks/terraform-aws-s3-anti-virus

Creates and configures Anti-Virus Scanning of S3 Buckets.
https://github.com/trussworks/terraform-aws-s3-anti-virus
anti-virus aws aws-s3 terraform terraform-modules
Last synced: 2 months ago
JSON representation
Creates and configures Anti-Virus Scanning of S3 Buckets.
Host: GitHub
URL: https://github.com/trussworks/terraform-aws-s3-anti-virus
Owner: trussworks
License: bsd-3-clause
Created: 2019-09-09T21:17:56.000Z (over 5 years ago)
Default Branch: main
Last Pushed: 2024-05-24T13:22:56.000Z (9 months ago)
Last Synced: 2024-10-31T13:23:53.607Z (3 months ago)
Topics: anti-virus, aws, aws-s3, terraform, terraform-modules
Language: HCL
Homepage: https://registry.terraform.io/modules/trussworks/s3-anti-virus
Size: 77.1 KB
Stars: 41
Watchers: 9
Forks: 33
Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project

README

        
# terraform-aws-s3-anti-virus

Creates an AWS Lambda function to do anti-virus scanning of objects in AWS S3

using [bucket-antivirus-function](https://github.com/trussworks/bucket-antivirus-function)

The source repository hasn't been updated in a long time, so we've forked the repo to our account and made changes.

```sh

git clone [email protected]:trussworks/bucket-antivirus-function.git

cd bucket-antivirus-function

git checkout v2.2.0

```

With that repo checked out you must run the `make` command and then copy the resulting zip file

to AWS S3 with:

```sh

VERSION=2.2.0

aws s3 cp bucket-antivirus-function/build/lambda.zip "s3://lambda-builds-us-west-2/anti-virus/${VERSION}/anti-virus.zip"

```

NOTE: It is a good idea to make `VERSION` match the git tag you are deploying.

Creates the following resources for anti-virus updates:

* IAM role for Lambda function to update Anti-Virus databases in S3

* CloudWatch Event to trigger function on a schedule.

* AWS Lambda function to download Anti-Virus databases files to S3

Creates the following resources for anti-virus scanning:

* IAM role for Lambda function to scan files in S3

* S3 Event to trigger function on object creation

* AWS Lambda function to scan S3 object and send alert to slack if any objects are infected and quarantined.

## Usage

```hcl

module "s3_anti_virus" {

  source = "trussworks/s3-anti-virus/aws"

  version = "2.1.2"

  name_scan   = "s3-anti-virus-scan"

  name_update = "s3-anti-virus-updates"

  lambda_s3_bucket = "lambda-builds-us-west-2"

  lambda_package_key   = "lambda.zip"

  av_update_minutes = "180"

  av_scan_buckets   = ["bucket-name"]

  av_definition_s3_bucket   = "av-update-bucket-name"

  av_definition_s3_prefix   = "anti-virus"

  tags = {

    "Environment" = "my-environment"

    "Purpose"     = "s3-anti-virus"

    "Terraform"   = "true"

  }

}

```

## Requirements

| Name | Version |

|------|---------|

|  [terraform](#requirement\_terraform) | >= 1.0 |

|  [aws](#requirement\_aws) | >= 3.0 |

## Providers

| Name | Version |

|------|---------|

|  [aws](#provider\_aws) | >= 3.0 |

## Modules

No modules.

## Resources

| Name | Type |

|------|------|

| [aws_cloudwatch_event_rule.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |

| [aws_cloudwatch_event_target.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |

| [aws_cloudwatch_log_group.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |

| [aws_cloudwatch_log_group.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |

| [aws_iam_role.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |

| [aws_iam_role.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |

| [aws_iam_role_policy.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |

| [aws_iam_role_policy.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |

| [aws_lambda_function.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |

| [aws_lambda_function.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |

| [aws_lambda_permission.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |

| [aws_lambda_permission.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |

| [aws_s3_bucket_notification.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |

| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |

| [aws_iam_policy_document.assume_role_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.assume_role_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_iam_policy_document.main_update](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |

| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |

| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |

| [aws_s3_bucket.main_scan](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |

## Inputs

| Name | Description | Type | Default | Required |

|------|-------------|------|---------|:--------:|

|  [av\_definition\_s3\_bucket](#input\_av\_definition\_s3\_bucket) | Bucket containing antivirus database files. | `string` | n/a | yes |

|  [av\_definition\_s3\_prefix](#input\_av\_definition\_s3\_prefix) | Prefix for antivirus database files. | `string` | `"clamav_defs"` | no |

|  [av\_delete\_infected\_files](#input\_av\_delete\_infected\_files) | Set it True in order to delete infected values. | `string` | `"False"` | no |

|  [av\_scan\_buckets](#input\_av\_scan\_buckets) | A list of S3 bucket names to scan for viruses. | `list(string)` | n/a | yes |

|  [av\_scan\_start\_sns\_arn](#input\_av\_scan\_start\_sns\_arn) | SNS topic ARN to publish notification about start of scan (optional). | `string` | `""` | no |

|  [av\_status\_sns\_arn](#input\_av\_status\_sns\_arn) | SNS topic ARN to publish scan results (optional). | `string` | `""` | no |

|  [av\_status\_sns\_publish\_clean](#input\_av\_status\_sns\_publish\_clean) | Publish AV\_STATUS\_CLEAN results to AV\_STATUS\_SNS\_ARN. | `string` | `"True"` | no |

|  [av\_status\_sns\_publish\_infected](#input\_av\_status\_sns\_publish\_infected) | Publish AV\_STATUS\_INFECTED results to AV\_STATUS\_SNS\_ARN. | `string` | `"True"` | no |

|  [av\_update\_minutes](#input\_av\_update\_minutes) | How often to download updated Anti-Virus databases. | `string` | `180` | no |

|  [cloudwatch\_kms\_arn](#input\_cloudwatch\_kms\_arn) | The arn of the kms key used for encrypting the cloudwatch log groups created by this module. | `string` | `""` | no |

|  [cloudwatch\_logs\_retention\_days](#input\_cloudwatch\_logs\_retention\_days) | Number of days to keep logs in AWS CloudWatch. | `string` | `90` | no |

|  [kms\_key\_sns\_arn](#input\_kms\_key\_sns\_arn) | ARN of the KMS Key to use for SNS Encryption | `string` | `""` | no |

|  [lambda\_package](#input\_lambda\_package) | The name of the lambda package. Used for a directory tree and zip file. | `string` | `"anti-virus"` | no |

|  [lambda\_package\_key](#input\_lambda\_package\_key) | The object key for the lambda distribution. If given, the value is used as the key in lieu of the value constructed using `lambda_package` and `lambda_version`. | `string` | `null` | no |

|  [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | The name of the S3 bucket used to store the Lambda builds. | `string` | n/a | yes |

|  [lambda\_version](#input\_lambda\_version) | The version the Lambda function to deploy. | `any` | n/a | yes |

|  [memory\_size](#input\_memory\_size) | Lambda memory allocation, in MB | `string` | `2048` | no |

|  [name\_scan](#input\_name\_scan) | Name for resources associated with anti-virus scanning | `string` | `"s3-anti-virus-scan"` | no |

|  [name\_update](#input\_name\_update) | Name for resources associated with anti-virus updating | `string` | `"s3-anti-virus-updates"` | no |

|  [permissions\_boundary](#input\_permissions\_boundary) | ARN of the boundary policy to attach to IAM roles. | `string` | `null` | no |

|  [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |

|  [timeout\_seconds](#input\_timeout\_seconds) | Lambda timeout, in seconds | `string` | `300` | no |

## Outputs

| Name | Description |

|------|-------------|

|  [scan\_aws\_cloudwatch\_log\_group\_arn](#output\_scan\_aws\_cloudwatch\_log\_group\_arn) | ARN for the Anti-Virus Scanning Cloudwatch LogGroup. |

|  [scan\_aws\_cloudwatch\_log\_group\_name](#output\_scan\_aws\_cloudwatch\_log\_group\_name) | The Anti-Virus Scanning Cloudwatch LogGroup name. |

|  [scan\_lambda\_function\_arn](#output\_scan\_lambda\_function\_arn) | ARN for the Anti-Virus Scanning lambda function. |

|  [scan\_lambda\_function\_iam\_role\_arn](#output\_scan\_lambda\_function\_iam\_role\_arn) | Name of the Anti-Virus Scanning lambda role. |

|  [scan\_lambda\_function\_iam\_role\_name](#output\_scan\_lambda\_function\_iam\_role\_name) | Name of the Anti-Virus Scanning lambda role. |

|  [scan\_lambda\_function\_name](#output\_scan\_lambda\_function\_name) | The Anti-Virus Scanning lambda function name. |

|  [scan\_lambda\_function\_version](#output\_scan\_lambda\_function\_version) | Current version of the Anti-Virus Scanning lambda function. |

|  [update\_aws\_cloudwatch\_log\_group\_arn](#output\_update\_aws\_cloudwatch\_log\_group\_arn) | ARN for the Anti-Virus Definitions Cloudwatch LogGroup. |

|  [update\_aws\_cloudwatch\_log\_group\_name](#output\_update\_aws\_cloudwatch\_log\_group\_name) | The Anti-Virus Definitions Cloudwatch LogGroup name. |

|  [update\_lambda\_function\_arn](#output\_update\_lambda\_function\_arn) | ARN for the Anti-Virus Definitions lambda function. |

|  [update\_lambda\_function\_iam\_role\_arn](#output\_update\_lambda\_function\_iam\_role\_arn) | ARN of the Anti-Virus Definitions lambda role. |

|  [update\_lambda\_function\_iam\_role\_name](#output\_update\_lambda\_function\_iam\_role\_name) | Name of the Anti-Virus Definitions lambda role. |

|  [update\_lambda\_function\_name](#output\_update\_lambda\_function\_name) | The Anti-Virus Definitions lambda function name. |

|  [update\_lambda\_function\_version](#output\_update\_lambda\_function\_version) | Current version of the Anti-Virus Definitions lambda function. |