Creates an AWS Lambda function to do anti-virus scanning of objects in AWS S3 using bucket-antivirus-function
The source repository hasn't been updated in a long time, so we've forked the repo to our account and made changes.
git clone [email protected]:trussworks/bucket-antivirus-function.git
cd bucket-antivirus-function
git checkout v2.2.0
With that repo checked out you must run the make
command and then copy the resulting zip file
to AWS S3 with:
VERSION=2.2.0
aws s3 cp bucket-antivirus-function/build/lambda.zip "s3://lambda-builds-us-west-2/anti-virus/${VERSION}/anti-virus.zip"
NOTE: It is a good idea to make VERSION
match the git tag you are deploying.
Creates the following resources for anti-virus updates:
- IAM role for Lambda function to update Anti-Virus databases in S3
- CloudWatch Event to trigger function on a schedule.
- AWS Lambda function to download Anti-Virus databases files to S3
Creates the following resources for anti-virus scanning:
- IAM role for Lambda function to scan files in S3
- S3 Event to trigger function on object creation
- AWS Lambda function to scan S3 object and send alert to slack if any objects are infected and quarantined.
module "s3_anti_virus" {
source = "trussworks/s3-anti-virus/aws"
version = "2.1.2"
name_scan = "s3-anti-virus-scan"
name_update = "s3-anti-virus-updates"
lambda_s3_bucket = "lambda-builds-us-west-2"
lambda_package_key = "lambda.zip"
av_update_minutes = "180"
av_scan_buckets = ["bucket-name"]
av_definition_s3_bucket = "av-update-bucket-name"
av_definition_s3_prefix = "anti-virus"
tags = {
"Environment" = "my-environment"
"Purpose" = "s3-anti-virus"
"Terraform" = "true"
}
}
Name | Version |
---|---|
terraform | >= 1.0 |
aws | >= 5.0 |
Name | Version |
---|---|
aws | >= 5.0 |
No modules.
Name | Type |
---|---|
aws_cloudwatch_event_rule.main_update | resource |
aws_cloudwatch_event_target.main_update | resource |
aws_cloudwatch_log_group.main_scan | resource |
aws_cloudwatch_log_group.main_update | resource |
aws_iam_role.main_scan | resource |
aws_iam_role.main_update | resource |
aws_iam_role_policy.main_scan | resource |
aws_iam_role_policy.main_update | resource |
aws_lambda_function.main_scan | resource |
aws_lambda_function.main_update | resource |
aws_lambda_permission.main_scan | resource |
aws_lambda_permission.main_update | resource |
aws_s3_bucket_notification.main_scan | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role_scan | data source |
aws_iam_policy_document.assume_role_update | data source |
aws_iam_policy_document.main_scan | data source |
aws_iam_policy_document.main_update | data source |
aws_partition.current | data source |
aws_region.current | data source |
aws_s3_bucket.main_scan | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
activate_s3_event_notification | true activates the s3 event notification to clamav. default is false | bool |
false |
no |
av_definition_s3_bucket | Bucket containing antivirus database files. | string |
n/a | yes |
av_definition_s3_prefix | Prefix for antivirus database files. | string |
"clamav_defs" |
no |
av_delete_infected_files | Set it True in order to delete infected values. | string |
"False" |
no |
av_scan_buckets | A list of S3 bucket names to scan for viruses. | list(string) |
n/a | yes |
av_scan_start_sns_arn | SNS topic ARN to publish notification about start of scan (optional). | string |
"" |
no |
av_status_sns_arn | SNS topic ARN to publish scan results (optional). | string |
"" |
no |
av_status_sns_publish_clean | Publish AV_STATUS_CLEAN results to AV_STATUS_SNS_ARN. | string |
"True" |
no |
av_status_sns_publish_infected | Publish AV_STATUS_INFECTED results to AV_STATUS_SNS_ARN. | string |
"True" |
no |
av_update_minutes | How often to download updated Anti-Virus databases. | string |
180 |
no |
cloudwatch_kms_arn | The arn of the kms key used for encrypting the cloudwatch log groups created by this module. | string |
"" |
no |
cloudwatch_logs_retention_days | Number of days to keep logs in AWS CloudWatch. | string |
90 |
no |
kms_key_sns_arn | ARN of the KMS Key to use for SNS Encryption | string |
"" |
no |
lambda_package | The name of the lambda package. Used for a directory tree and zip file. | string |
"anti-virus" |
no |
lambda_package_key | The object key for the lambda distribution. If given, the value is used as the key in lieu of the value constructed using lambda_package and lambda_version . |
string |
null |
no |
lambda_s3_bucket | The name of the S3 bucket used to store the Lambda builds. | string |
n/a | yes |
lambda_version | The version the Lambda function to deploy. | any |
n/a | yes |
memory_size | Lambda memory allocation, in MB | string |
2048 |
no |
name_scan | Name for resources associated with anti-virus scanning | string |
"s3-anti-virus-scan" |
no |
name_update | Name for resources associated with anti-virus updating | string |
"s3-anti-virus-updates" |
no |
permissions_boundary | ARN of the boundary policy to attach to IAM roles. | string |
null |
no |
platform | Instruction set architecture for your Lambda function. Valid values are 'x86_64' and 'arm64' | string |
"arm64" |
no |
s3_event_notification_name | s3 event notification name | string |
null |
no |
tags | A map of tags to add to all resources. | map(string) |
{} |
no |
timeout_seconds | Lambda timeout, in seconds | string |
300 |
no |
Name | Description |
---|---|
scan_aws_cloudwatch_log_group_arn | ARN for the Anti-Virus Scanning Cloudwatch LogGroup. |
scan_aws_cloudwatch_log_group_name | The Anti-Virus Scanning Cloudwatch LogGroup name. |
scan_lambda_function_arn | ARN for the Anti-Virus Scanning lambda function. |
scan_lambda_function_iam_role_arn | Name of the Anti-Virus Scanning lambda role. |
scan_lambda_function_iam_role_name | Name of the Anti-Virus Scanning lambda role. |
scan_lambda_function_name | The Anti-Virus Scanning lambda function name. |
scan_lambda_function_version | Current version of the Anti-Virus Scanning lambda function. |
update_aws_cloudwatch_log_group_arn | ARN for the Anti-Virus Definitions Cloudwatch LogGroup. |
update_aws_cloudwatch_log_group_name | The Anti-Virus Definitions Cloudwatch LogGroup name. |
update_lambda_function_arn | ARN for the Anti-Virus Definitions lambda function. |
update_lambda_function_iam_role_arn | ARN of the Anti-Virus Definitions lambda role. |
update_lambda_function_iam_role_name | Name of the Anti-Virus Definitions lambda role. |
update_lambda_function_name | The Anti-Virus Definitions lambda function name. |
update_lambda_function_version | Current version of the Anti-Virus Definitions lambda function. |