slack/ecr-scanner-notifier: Add ECR scanner Slack notifier (#196)

#### Summary
Send slack message when a vulnerability is found in the ECR image scanning 

#### Motivation
closes #171

Author: thekcsam

.github/workflows/ci.yml

@@ -53,6 +53,7 @@ jobs:
           - script/database-roles
           - secrets
           - slack/chatbot
+          - slack/ecr-scanner-notifier
           - slack/ecs-deployment-failure
           - slack/sentry
           - slack/sns

CHANGELOG.md

@@ -7,8 +7,12 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 This project does not follow SemVer, since modules are independent of each other; thus, SemVer does not make sense. Changes are grouped per module.
 
 ## Unreleased
+### slack/ecr-scanner-notifier
+* Slack notifier for AWS Elastic Container Registry (ECR) image scans. It automatically sends notifications to a designated Slack channel whenever vulnerabilities are detected in ECR scans. [#196](https://github.com/dbl-works/terraform/pull/196)
+
 ### stack/global
 * New module for deploying resources required only once per project. [#273](https://github.com/dbl-works/terraform/pull/273)
+* Add ecr-scanner-notifier module [#196](https://github.com/dbl-works/terraform/pull/196)
 
 ### rds
 * update default value for backup_retention_period, max_allocated_storage, and allocated_storage. [#274](https://github.com/dbl-works/terraform/pull/274)

lambda/README.md

@@ -9,14 +9,16 @@ Used for managing lambda functions.
 module "lambda" {
   source = "github.com/dbl-works/terraform//lambda?ref=main"
 
-  project     = "dbl"
-  environment = "production"
-  source_dir  = "Path to the directory containing the lambda function code."
+  function_name   = "lambda"
+  project         = "dbl"
+  environment     = "production"
+  source_dir      = "Path to the directory containing the lambda function code."
 
   # optional
   handler     = "index.handler"
   timeout     = 10
   memory_size = 1024
+  runtime     = "nodejs16.x"
 
   # Subnets the lambdas are allowed to use to access resources in the VPC.
   subnet_ids = [
@@ -40,5 +42,30 @@ module "lambda" {
   secrets_and_kms_arns = [
     "arn:aws:secrets:*:abc:123",
   ]
+
+  lambda_policy_json = data.aws_iam_policy_document.s3.json
+  environment_variables = {
+    foo = "bar"
+  }
+  lambda_role_name = "aws-lambda-role"
 }
+
+data "aws_iam_policy_document" "s3" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "kms:GenerateDataKey"
+    ]
+    resources = ["*"]
+  }
+}
+
 ```

lambda/output.tf lambda/outputs.tflambda/output.tf renamed to lambda/outputs.tf

@@ -0,0 +1,21 @@
+# Terraform Module: ECR Scanner Slack Notifier
+
+Slack notifier for AWS Elastic Container Registry (ECR) image scans. It automatically sends notifications to a designated Slack channel whenever vulnerabilities are detected in ECR scans.
+
+## Usage
+
+```terraform
+module "ecr-scanner-notifier" {
+  source = "github.com/dbl-works/terraform//slack/ecr-scanner-notifier?ref=v2023.03.06"
+
+  project = local.project
+  slack_webhook_url = "https://hooks.slack.com/services/XXXXXXXXX/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+  slack_channel = "ecr-scanner"
+}
+```
+
+## Pre-requisites
+
+1. Setting up a [Slack App](https://api.slack.com/start/overview#creating).
+
+2. [Configure](https://api.slack.com/messaging/sending) the Slack app for message sending.

slack/ecr-scanner-notifier/README.md

@@ -0,0 +1,84 @@
+locals {
+  function_name = "${var.project}-ecr-scanner-notifier"
+}
+module "lambda" {
+  source = "../../lambda"
+
+  function_name = local.function_name
+  project       = var.project
+  environment   = "production"
+  source_dir    = "${path.module}/script"
+
+  environment_variables = {
+    WEBHOOK_URL = var.slack_webhook_url
+    CHANNEL     = var.slack_channel
+  }
+
+  # optional
+  handler               = "main.lambda_handler"
+  aws_lambda_layer_arns = []
+  runtime               = "ruby3.2"
+}
+
+# EventBridge was formerly known as CloudWatch Events. The functionality is identical.
+resource "aws_cloudwatch_event_rule" "ecr_scanner" {
+  name        = "${var.project}-ecr-scanner"
+  description = "Send notification to slack after each ecr scan"
+
+  event_pattern = <<EOF
+{
+  "source": ["aws.ecr"],
+  "detail-type": ["ECR Image Scan"],
+  "detail": {
+    "finding-severity-counts": {
+      "$or": [{
+        "CRITICAL": [{
+          "exists": true
+        }]
+      }, {
+        "HIGH": [{
+          "exists": true
+        }]
+      }, {
+        "MEDIUM": [{
+          "exists": true
+        }]
+      }, {
+        "LOW": [{
+          "exists": true
+        }]
+      }, {
+        "UNDEFINED": [{
+          "exists": true
+        }]
+      }]
+    }
+  }
+}
+  EOF
+
+  tags = {
+    Project = var.project
+  }
+}
+
+resource "aws_cloudwatch_event_target" "ecr_scanner" {
+  rule      = aws_cloudwatch_event_rule.ecr_scanner.name
+  target_id = aws_cloudwatch_event_rule.ecr_scanner.name
+  arn       = module.lambda.arn
+
+  depends_on = [
+    aws_cloudwatch_event_rule.ecr_scanner
+  ]
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_event_to_invoke_lambda" {
+  action        = "lambda:InvokeFunction"
+  function_name = local.function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.ecr_scanner.arn
+
+  depends_on = [
+    module.lambda
+  ]
+}

slack/ecr-scanner-notifier/main.tf

@@ -0,0 +1,3 @@
+output "lambda_log_group_name" {
+  value = "/aws/lambda/${local.function_name}"
+}

slack/ecr-scanner-notifier/outputs.tf

@@ -0,0 +1,86 @@
+require 'json'
+require 'net/http'
+require 'uri'
+
+def text_block_from(finding_counts)
+  if finding_counts.fetch('CRITICAL', 0) != 0
+    { 'color' => 'danger', 'icon' => ':red_circle:' }
+  elsif finding_counts.fetch('HIGH', 0) != 0
+    { 'color' => 'warning', 'icon' => ':large_orange_diamond:' }
+  else
+    { 'color' => 'good', 'icon' => ':green_heart:' }
+  end
+end
+
+def build_slack_message(event)
+  channel = ENV.fetch('CHANNEL')
+
+  account_id = event.fetch('account')
+  detail = event.fetch('detail')
+  region = event.fetch('region')
+  repository_name = detail.fetch('repository-name')
+  severity_counts = detail.fetch('finding-severity-counts')
+  image_digest = detail.fetch('image-digest')
+
+  message = "*ECR Image Scan findings | #{region} | Account ID:#{account_id}*"
+  text_properties = text_block_from(severity_counts)
+
+  {
+    'username' => 'Amazon ECR',
+    'channels' => channel,
+    'icon_emoji' => ':ecr:',
+    'text' => message,
+    'attachments' => [
+      {
+        'fallback' => 'AmazonECR Image Scan Findings Description.',
+        'color' => text_properties.fetch('color'),
+        'title' => "#{text_properties.fetch('icon')} #{repository_name}:#{detail.fetch('image-tags', [])[0]}",
+        'title_link' => "https://#{region}.console.aws.amazon.com/ecr/repositories/#{repository_name}/_/image/#{image_digest}/scan-results?region=#{region}",
+        'text' => "Image Scan Completed at #{event.fetch('time')}",
+        'fields' => severity_counts.map do |severity_level, count|
+                      { 'title' => severity_level.capitalize, 'value' => count, 'short' => true }
+                    end
+      }
+    ]
+  }
+end
+
+def lambda_handler(event:, context:)
+  # Sample responses
+  # {
+  #   "version": "0",
+  #   "id": "85fc3613-e913-7fc4-a80c-a3753e4aa9ae",
+  #   "detail-type": "ECR Image Scan",
+  #   "source": "aws.ecr",
+  #   "account": "123456789012",
+  #   "time": "2019-10-29T02:36:48Z",
+  #   "region": "us-east-1",
+  #   "resources": [
+  #       "arn:aws:ecr:us-east-1:123456789012:repository/my-repo"
+  #   ],
+  #   "detail": {
+  #       "scan-status": "COMPLETE",
+  #       "repository-name": "my-repo",
+  #       "finding-severity-counts": {
+  #          "CRITICAL": 10,
+  #          "MEDIUM": 9
+  #        },
+  #       "image-digest": "sha256:7f5b2640fe6fb4f46592dfd3410c4a79dac4f89e4782432e0378abcd1234",
+  #       "image-tags": ["commit-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"]
+  #   }
+  # }
+  #
+  slack_message = build_slack_message(event)
+  uri = URI(ENV.fetch('WEBHOOK_URL'))
+  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
+  req.body = slack_message.to_json
+
+  begin
+    Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
+      http.request(req)
+    end
+    puts('Message posted.')
+  rescue StandardError => e
+    puts("Request failed: #{e.message}")
+  end
+end

slack/ecr-scanner-notifier/script/main.rb

@@ -0,0 +1,15 @@
+variable "project" {
+  type = string
+}
+
+variable "slack_webhook_url" {
+  type = string
+  validation {
+    condition     = can(regex("^https://", var.slack_webhook_url))
+    error_message = "The URL must start with https"
+  }
+}
+
+variable "slack_channel" {
+  type = string
+}

slack/ecr-scanner-notifier/variables.tf

@@ -0,0 +1,9 @@
+module "ecr-scanner-notifier" {
+  count = var.ecr_scanner_notifier_config == null ? 0 : 1
+
+  source = "../../slack/ecr-scanner-notifier"
+
+  project           = var.project
+  slack_webhook_url = var.ecr_scanner_notifier_config.slack_webhook_url
+  slack_channel     = var.ecr_scanner_notifier_config.slack_channel
+}