diff --git a/deployments/core.yml b/deployments/core.yml index 1a2b7f98bf..44d6791d2a 100644 --- a/deployments/core.yml +++ b/deployments/core.yml @@ -750,16 +750,17 @@ Resources: Description: Manages database of source integrations Environment: Variables: - DEBUG: !Ref Debug - DATA_CATALOG_UPDATER_QUEUE_URL: !Sub https://sqs.${AWS::Region}.${AWS::URLSuffix}/${AWS::AccountId}/panther-datacatalog-updater-queue - SNAPSHOT_POLLERS_QUEUE_URL: !Sub https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/panther-snapshot-queue - LOG_PROCESSOR_QUEUE_URL: !Sub https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/panther-input-data-notifications-queue - LOG_PROCESSOR_QUEUE_ARN: !Sub arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:panther-input-data-notifications-queue - TABLE_NAME: !Ref IntegrationsTable ACCOUNT_ID: !Ref AWS::AccountId + DATA_CATALOG_UPDATER_QUEUE_URL: !Sub https://sqs.${AWS::Region}.${AWS::URLSuffix}/${AWS::AccountId}/panther-datacatalog-updater-queue + DEBUG: !Ref Debug INPUT_DATA_ROLE_ARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/PantherInputDataLogProcessingRole-${AWS::Region} INPUT_DATA_BUCKET_NAME: !Ref InputDataBucket INPUT_DATA_TOPIC_ARN: !Ref InputDataTopicArn + LOG_PROCESSOR_QUEUE_URL: !Sub https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/panther-input-data-notifications-queue + LOG_PROCESSOR_QUEUE_ARN: !Sub arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:panther-input-data-notifications-queue + SNAPSHOT_POLLERS_QUEUE_URL: !Sub https://sqs.${AWS::Region}.amazonaws.com/${AWS::AccountId}/panther-snapshot-queue + TABLE_NAME: !Ref IntegrationsTable + VERSION: !Ref CustomResourceVersion FunctionName: panther-source-api # # The `panther-source-api` lambda manages Cloud Security and Log Analysis sources. This includes diff --git a/internal/compliance/aws_event_processor/processor/process.go b/internal/compliance/aws_event_processor/processor/process.go index 430ed97857..f798641e67 100644 --- a/internal/compliance/aws_event_processor/processor/process.go +++ b/internal/compliance/aws_event_processor/processor/process.go @@ -199,6 +199,7 @@ var ( // lambda "AddLayerVersionPermission": {}, + "Invoke": {}, "InvokeAsync": {}, "InvokeFunction": {}, diff --git a/internal/compliance/snapshot_poller/pollers/aws/cloudformation_stack.go b/internal/compliance/snapshot_poller/pollers/aws/cloudformation_stack.go index 92102f60d6..a1207b9cfa 100644 --- a/internal/compliance/snapshot_poller/pollers/aws/cloudformation_stack.go +++ b/internal/compliance/snapshot_poller/pollers/aws/cloudformation_stack.go @@ -361,7 +361,7 @@ func PollCloudFormationStacks(pollerInput *awsmodels.ResourcePollerInput) ([]api resources := make([]apimodels.AddResourceEntry, 0, len(stacks)) for _, stack := range stacks { // Check if this stack failed an earlier part of the scan - if ignoredIds[*stack.StackId] { + if stack == nil || ignoredIds[aws.StringValue(stack.StackId)] { continue } diff --git a/internal/core/source_api/api/get_integration_template.go b/internal/core/source_api/api/get_integration_template.go index f8715bc2f2..de0574e0b6 100644 --- a/internal/core/source_api/api/get_integration_template.go +++ b/internal/core/source_api/api/get_integration_template.go @@ -32,9 +32,7 @@ import ( ) const ( - TemplateBucket = "panther-public-cloudformation-templates" - CloudSecurityTemplateKey = "panther-cloudsec-iam/v1.0.1/template.yml" - LogAnalysisTemplateKey = "panther-log-analysis-iam/v1.0.0/template.yml" + TemplateBucket = "panther-public-cloudformation-templates" LogAnalysisStackNameTemplate = "panther-log-analysis-setup-%s" CloudSecStackName = "panther-cloudsec-setup" @@ -134,11 +132,13 @@ func getTemplate(integrationType string) (string, error) { templateRequest := &s3.GetObjectInput{ Bucket: aws.String(TemplateBucket), } + if integrationType == models.IntegrationTypeAWSScan { - templateRequest.Key = aws.String(CloudSecurityTemplateKey) + templateRequest.Key = aws.String("panther-cloudsec-iam/" + env.Version + "/template.yml") } else { - templateRequest.Key = aws.String(LogAnalysisTemplateKey) + templateRequest.Key = aws.String("panther-log-analysis-iam/" + env.Version + "/template.yml") } + zap.L().Debug("requesting template", zap.String("key", *templateRequest.Key), zap.String("bucket", *templateRequest.Bucket)) s3Object, err := templateS3Client.GetObject(templateRequest) if err != nil { return "", err diff --git a/internal/core/source_api/api/vars.go b/internal/core/source_api/api/vars.go index df82494628..459f64e180 100644 --- a/internal/core/source_api/api/vars.go +++ b/internal/core/source_api/api/vars.go @@ -54,15 +54,16 @@ var ( ) type envConfig struct { + AccountID string `required:"true" split_words:"true"` DataCatalogUpdaterQueueURL string `required:"true" split_words:"true"` - SnapshotPollersQueueURL string `required:"true" split_words:"true"` LogProcessorQueueURL string `required:"true" split_words:"true"` LogProcessorQueueArn string `required:"true" split_words:"true"` - TableName string `required:"true" split_words:"true"` - AccountID string `required:"true" split_words:"true"` InputDataRoleArn string `required:"true" split_words:"true"` InputDataBucketName string `required:"true" split_words:"true"` InputDataTopicArn string `required:"true" split_words:"true"` + SnapshotPollersQueueURL string `required:"true" split_words:"true"` + TableName string `required:"true" split_words:"true"` + Version string `required:"true" split_words:"true"` } // Setup parses the environment and constructs AWS and http clients on a cold Lambda start. diff --git a/web/src/components/wizards/ComplianceSourceWizard/StackDeploymentPanel/StackDeployment.tsx b/web/src/components/wizards/ComplianceSourceWizard/StackDeploymentPanel/StackDeployment.tsx index 2c01cd50d0..3a83738d53 100644 --- a/web/src/components/wizards/ComplianceSourceWizard/StackDeploymentPanel/StackDeployment.tsx +++ b/web/src/components/wizards/ComplianceSourceWizard/StackDeploymentPanel/StackDeployment.tsx @@ -17,6 +17,7 @@ */ import { Text, Box, Flex, SimpleGrid, Card, Img, Heading, Button, useSnackbar } from 'pouncejs'; +import { STABLE_PANTHER_VERSION } from 'Source/constants'; import React from 'react'; import { downloadData } from 'Helpers/utils'; import { useFormikContext } from 'formik'; @@ -47,7 +48,7 @@ const StackDeployment: React.FC = () => { const { stackName, body } = data?.getComplianceIntegrationTemplate ?? {}; const cfnConsoleLink = `https://${pantherConfig.AWS_REGION}.console.aws.amazon.com/cloudformation/home?region=${pantherConfig.AWS_REGION}#/stacks/create/review` + - `?templateURL=https://s3-us-west-2.amazonaws.com/panther-public-cloudformation-templates/panther-cloudsec-iam/v1.0.0/template.yml` + + `?templateURL=https://s3-us-west-2.amazonaws.com/panther-public-cloudformation-templates/panther-cloudsec-iam/${STABLE_PANTHER_VERSION}/template.yml` + `&stackName=${stackName}` + `¶m_MasterAccountRegion=${pantherConfig.AWS_REGION}` + `¶m_MasterAccountId=${pantherConfig.AWS_ACCOUNT_ID}` + diff --git a/web/src/components/wizards/S3LogSourceWizard/StackDeploymentPanel/StackDeployment.tsx b/web/src/components/wizards/S3LogSourceWizard/StackDeploymentPanel/StackDeployment.tsx index 246655b717..d8e252cf1b 100644 --- a/web/src/components/wizards/S3LogSourceWizard/StackDeploymentPanel/StackDeployment.tsx +++ b/web/src/components/wizards/S3LogSourceWizard/StackDeploymentPanel/StackDeployment.tsx @@ -18,6 +18,7 @@ import { Text, Box, Flex, SimpleGrid, Card, Img, Heading, Button, useSnackbar } from 'pouncejs'; import React from 'react'; +import { STABLE_PANTHER_VERSION } from 'Source/constants'; import { downloadData, toStackNameFormat } from 'Helpers/utils'; import { useFormikContext } from 'formik'; import { useWizardContext, WizardPanel } from 'Components/Wizard'; @@ -49,7 +50,7 @@ const StackDeployment: React.FC = () => { const { stackName, body } = data?.getS3LogIntegrationTemplate ?? {}; const cfnConsoleLink = `https://${pantherConfig.AWS_REGION}.console.aws.amazon.com/cloudformation/home?region=${pantherConfig.AWS_REGION}#/stacks/create/review` + - '?templateURL=https://panther-public-cloudformation-templates.s3-us-west-2.amazonaws.com/panther-log-analysis-iam/v1.0.0/template.yml' + + `?templateURL=https://panther-public-cloudformation-templates.s3-us-west-2.amazonaws.com/panther-log-analysis-iam/${STABLE_PANTHER_VERSION}/template.yml` + `&stackName=${stackName}` + `¶m_MasterAccountId=${pantherConfig.AWS_ACCOUNT_ID}` + `¶m_RoleSuffix=${toStackNameFormat(values.integrationLabel)}` +