trussworks/terraform-aws-s3-anti-virus

terraform-aws-s3-anti-virus

Creates an AWS Lambda function that performs anti-virus scanning of objects in AWS S3 using bucket-antivirus-function.

The source repository hasn't been updated in a long time, so we've forked the repo to our account and made changes.

git clone git@github.com:trussworks/bucket-antivirus-function.git
cd bucket-antivirus-function
git checkout v2.2.0

With that repo checked out, run the make command and then copy the resulting zip file to AWS S3 with:

VERSION=2.2.0
aws s3 cp bucket-antivirus-function/build/lambda.zip "s3://lambda-builds-us-west-2/anti-virus/${VERSION}/anti-virus.zip"

NOTE: It is a good idea to make VERSION match the git tag you are deploying.

Creates the following resources for anti-virus updates:

  • IAM role for the Lambda function that updates anti-virus databases in S3
  • CloudWatch Event to trigger the function on a schedule
  • AWS Lambda function to download anti-virus database files to S3

Creates the following resources for anti-virus scanning:

  • IAM role for the Lambda function that scans files in S3
  • S3 Event to trigger the function on object creation
  • AWS Lambda function to scan S3 objects and send an alert to Slack if any object is infected and quarantined

Usage

module "s3_anti_virus" {
  source  = "trussworks/s3-anti-virus/aws"
  version = "2.1.2"

  name_scan   = "s3-anti-virus-scan"
  name_update = "s3-anti-virus-updates"

  # lambda_version is a required input. When lambda_package_key is set it is
  # used as the object key as-is, instead of a key built from lambda_package
  # and lambda_version.
  lambda_s3_bucket   = "lambda-builds-us-west-2"
  lambda_package_key = "lambda.zip"
  lambda_version     = "2.2.0"

  av_update_minutes = "180"
  av_scan_buckets   = ["bucket-name"]

  av_definition_s3_bucket = "av-update-bucket-name"
  av_definition_s3_prefix = "anti-virus"

  tags = {
    "Environment" = "my-environment"
    "Purpose"     = "s3-anti-virus"
    "Terraform"   = "true"
  }
}
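As an added example (not code from the module's README), the following ties the build-and-upload step above to the module call: it uploads the lambda.zip produced by make, hands the same object key and version to the module, and routes infected-object results to an SNS topic so the scan Lambda can page someone. It assumes AWS provider 4.x or later (for aws_s3_object), that the bucket-antivirus-function checkout sits beside this configuration, and placeholder bucket names and e-mail address.

```hcl
locals {
  lambda_version = "2.2.0" # keep equal to the git tag you built from
  lambda_key     = "anti-virus/${local.lambda_version}/anti-virus.zip"
}

# Upload the lambda.zip produced by `make` in the bucket-antivirus-function
# checkout; etag makes Terraform re-upload whenever the zip contents change.
resource "aws_s3_object" "anti_virus_lambda" {
  bucket = "lambda-builds-us-west-2"
  key    = local.lambda_key
  source = "${path.module}/bucket-antivirus-function/build/lambda.zip"
  etag   = filemd5("${path.module}/bucket-antivirus-function/build/lambda.zip")
}

# Topic for scan results; the module is told below to publish only infections.
resource "aws_sns_topic" "av_status" {
  name = "s3-anti-virus-status"
}

resource "aws_sns_topic_subscription" "av_status_email" {
  topic_arn = aws_sns_topic.av_status.arn
  protocol  = "email"
  endpoint  = "security-alerts@example.com" # placeholder on-call mailbox
}

module "s3_anti_virus" {
  source  = "trussworks/s3-anti-virus/aws"
  version = "2.1.2"

  # Explicit lambda_package_key: the module uses it as-is instead of building a
  # key from lambda_package and lambda_version. lambda_version is still required.
  lambda_s3_bucket   = aws_s3_object.anti_virus_lambda.bucket
  lambda_package_key = aws_s3_object.anti_virus_lambda.key
  lambda_version     = local.lambda_version

  av_scan_buckets         = ["bucket-name"]
  av_definition_s3_bucket = "av-update-bucket-name"
  av_definition_s3_prefix = "anti-virus"
  av_update_minutes       = "180"

  # Publish only AV_STATUS_INFECTED so the topic does not fire on every clean upload.
  av_status_sns_arn              = aws_sns_topic.av_status.arn
  av_status_sns_publish_clean    = "False"
  av_status_sns_publish_infected = "True"

  cloudwatch_logs_retention_days = "365" # keep scan logs for a year of evidence
}
```

The email subscription stays pending until the recipient confirms it, so check the topic's subscriptions after the first apply.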

Requirements

Name | Version
terraform | >= 1.0
aws | >= 3.0

Providers

Name | Version
aws | >= 3.0

Modules

No modules.

Resources

Name | Type
aws_cloudwatch_event_rule.main_update | resource
aws_cloudwatch_event_target.main_update | resource
aws_cloudwatch_log_group.main_scan | resource
aws_cloudwatch_log_group.main_update | resource
aws_iam_role.main_scan | resource
aws_iam_role.main_update | resource
aws_iam_role_policy.main_scan | resource
aws_iam_role_policy.main_update | resource
aws_lambda_function.main_scan | resource
aws_lambda_function.main_update | resource
aws_lambda_permission.main_scan | resource
aws_lambda_permission.main_update | resource
aws_s3_bucket_notification.main_scan | resource
aws_caller_identity.current | data source
aws_iam_policy_document.assume_role_scan | data source
aws_iam_policy_document.assume_role_update | data source
aws_iam_policy_document.main_scan | data source
aws_iam_policy_document.main_update | data source
aws_partition.current | data source
aws_region.current | data source
aws_s3_bucket.main_scan | data source

Inputs

Name | Description | Type | Default | Required
av_definition_s3_bucket | Bucket containing antivirus database files. | string | n/a | yes
av_definition_s3_prefix | Prefix for antivirus database files. | string | "clamav_defs" | no
av_delete_infected_files | Set to True in order to delete infected files. | string | "False" | no
av_scan_buckets | A list of S3 bucket names to scan for viruses. | list(string) | n/a | yes
av_scan_start_sns_arn | SNS topic ARN to publish a notification about the start of a scan (optional). | string | "" | no
av_status_sns_arn | SNS topic ARN to publish scan results (optional). | string | "" | no
av_status_sns_publish_clean | Publish AV_STATUS_CLEAN results to AV_STATUS_SNS_ARN. | string | "True" | no
av_status_sns_publish_infected | Publish AV_STATUS_INFECTED results to AV_STATUS_SNS_ARN. | string | "True" | no
av_update_minutes | How often, in minutes, to download updated anti-virus databases. | string | 180 | no
cloudwatch_kms_arn | The ARN of the KMS key used to encrypt the CloudWatch log groups created by this module. | string | "" | no
cloudwatch_logs_retention_days | Number of days to keep logs in AWS CloudWatch. | string | 90 | no
kms_key_sns_arn | ARN of the KMS key to use for SNS encryption. | string | "" | no
lambda_package | The name of the Lambda package. Used for a directory tree and zip file. | string | "anti-virus" | no
lambda_package_key | The object key for the Lambda distribution. If given, the value is used as the key in lieu of the value constructed using lambda_package and lambda_version. | string | null | no
lambda_s3_bucket | The name of the S3 bucket used to store the Lambda builds. | string | n/a | yes
lambda_version | The version of the Lambda function to deploy. | any | n/a | yes
memory_size | Lambda memory allocation, in MB. | string | 2048 | no
name_scan | Name for resources associated with anti-virus scanning. | string | "s3-anti-virus-scan" | no
name_update | Name for resources associated with anti-virus updating. | string | "s3-anti-virus-updates" | no
permissions_boundary | ARN of the boundary policy to attach to IAM roles. | string | null | no
tags | A map of tags to add to all resources. | map(string) | {} | no
timeout_seconds | Lambda timeout, in seconds. | string | 300 | no

Outputs

Name | Description
scan_aws_cloudwatch_log_group_arn | ARN of the Anti-Virus Scanning CloudWatch LogGroup.
scan_aws_cloudwatch_log_group_name | The Anti-Virus Scanning CloudWatch LogGroup name.
scan_lambda_function_arn | ARN of the Anti-Virus Scanning Lambda function.
scan_lambda_function_iam_role_arn | ARN of the Anti-Virus Scanning Lambda role.
scan_lambda_function_iam_role_name | Name of the Anti-Virus Scanning Lambda role.
scan_lambda_function_name | The Anti-Virus Scanning Lambda function name.
scan_lambda_function_version | Current version of the Anti-Virus Scanning Lambda function.
update_aws_cloudwatch_log_group_arn | ARN of the Anti-Virus Definitions CloudWatch LogGroup.
update_aws_cloudwatch_log_group_name | The Anti-Virus Definitions CloudWatch LogGroup name.
update_lambda_function_arn | ARN of the Anti-Virus Definitions Lambda function.
update_lambda_function_iam_role_arn | ARN of the Anti-Virus Definitions Lambda role.
update_lambda_function_iam_role_name | Name of the Anti-Virus Definitions Lambda role.
update_lambda_function_name | The Anti-Virus Definitions Lambda function name.
update_lambda_function_version | Current version of the Anti-Virus Definitions Lambda function.