# terraform-aws-s3-anti-virus

Creates an AWS Lambda function to do anti-virus scanning of objects in AWS S3 using bucket-antivirus-function.

While waiting for updates on that repo you will need to use a special fork and branch:

```sh
git clone git@github.com:upsidetravel/bucket-antivirus-function.git
cd bucket-antivirus-function
git checkout v2.0.0
```

With that repo checked out you must run the `make` command and then copy the resulting zip file to AWS S3 with:

```sh
VERSION=2.0.0
aws s3 cp bucket-antivirus-function/build/lambda.zip "s3://lambda-builds-us-west-2/anti-virus/${VERSION}/anti-virus.zip"
```

NOTE: It is a good idea to make `VERSION` match the git tag you are deploying.
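The upload step above, as an added helper script (not part of this module or of bucket-antivirus-function) that checks the build exists, checks that `VERSION` agrees with the checked-out git tag, and derives the S3 key the module expects from `lambda_s3_bucket`, `lambda_package` and `lambda_version`. The bucket and package names are the ones used in this README; the function names are this example's own.

```sh
#!/usr/bin/env sh
# Added example: publish a bucket-antivirus-function build to the S3 layout
# this module reads from: s3://<lambda_s3_bucket>/<lambda_package>/<lambda_version>/<lambda_package>.zip

# Strip the leading "v" from a git tag such as v2.0.0 -> 2.0.0
version_from_tag() {
  printf '%s' "$1" | sed -e 's/^v//'
}

# Succeed only if VERSION ($1) matches the git tag ($2), e.g. 2.0.0 and v2.0.0
version_matches_tag() {
  [ "$(version_from_tag "$2")" = "$1" ]
}

# Build the S3 URI for <bucket> <package> <version>
lambda_s3_uri() {
  printf 's3://%s/%s/%s/%s.zip' "$1" "$2" "$3" "$2"
}

# Usage: upload_lambda_build <zip> <bucket> <package> <version>
# Refuses to upload when the zip is missing or VERSION does not match the
# exact tag currently checked out, so the deployed artifact matches its tag.
upload_lambda_build() {
  zip="$1"; bucket="$2"; package="$3"; version="$4"
  if [ ! -f "$zip" ]; then
    echo "missing build artifact: $zip (run make first)" >&2
    return 1
  fi
  tag="$(git -C "$(dirname "$zip")" describe --tags --exact-match 2>/dev/null || true)"
  if ! version_matches_tag "$version" "$tag"; then
    echo "VERSION=$version does not match checked-out tag '$tag'" >&2
    return 1
  fi
  aws s3 cp "$zip" "$(lambda_s3_uri "$bucket" "$package" "$version")"
}
```

Call it from the repo's parent directory as `upload_lambda_build bucket-antivirus-function/build/lambda.zip lambda-builds-us-west-2 anti-virus 2.0.0`; the bucket, package and version arguments must equal the `lambda_s3_bucket`, `lambda_package` and `lambda_version` you pass to the module.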
Creates the following resources for anti-virus updates:

- IAM role for Lambda function to update Anti-Virus databases in S3
- CloudWatch Event to trigger function on a schedule.
- AWS Lambda function to download Anti-Virus databases files to S3

Creates the following resources for anti-virus scanning:

- IAM role for Lambda function to scan files in S3
- S3 Event to trigger function on object creation
- AWS Lambda function to scan S3 object and send alert to Slack if any objects are infected and quarantined.
## Terraform Versions

Terraform 0.13 and newer. Pin module version to `~> 3.X`. Submit pull-requests to `master` branch.

Terraform 0.12. Pin module version to `~> 2.X`. Submit pull-requests to `terraform012` branch.
## Usage

```hcl
module "s3_anti_virus" {
  source  = "trussworks/s3-anti-virus/aws"
  version = "2.1.2"

  name_scan   = "s3-anti-virus-scan"
  name_update = "s3-anti-virus-updates"

  lambda_s3_bucket = "lambda-builds-us-west-2"
  lambda_version   = "2.0.0"
  lambda_package   = "anti-virus"

  av_update_minutes = "180"
  av_scan_buckets   = ["bucket-name"]

  av_definition_s3_bucket = "av-update-bucket-name"
  av_definition_s3_prefix = "anti-virus"
  av_scan_start_sns_arn   = "sns-topic-name"
  av_status_sns_arn       = "sns-topic-name"

  tags = {
    "Environment" = "my-environment"
    "Purpose"     = "s3-anti-virus"
    "Terraform"   = "true"
  }
}
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 3.0 |

## Providers

| Name | Version |
|---|---|
| aws | >= 3.0 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| av_definition_s3_bucket | Bucket containing antivirus database files. | string | n/a | yes |
| av_definition_s3_prefix | Prefix for antivirus database files. | string | `"clamav_defs"` | no |
| av_scan_buckets | A list of S3 bucket names to scan for viruses. | list(string) | n/a | yes |
| av_scan_start_sns_arn | SNS topic ARN to publish notification about start of scan (optional). | string | `""` | no |
| av_status_sns_arn | SNS topic ARN to publish scan results (optional). | string | `""` | no |
| av_status_sns_publish_clean | Publish AV_STATUS_CLEAN results to AV_STATUS_SNS_ARN. | string | `"True"` | no |
| av_status_sns_publish_infected | Publish AV_STATUS_INFECTED results to AV_STATUS_SNS_ARN. | string | `"True"` | no |
| av_update_minutes | How often to download updated Anti-Virus databases. | string | `180` | no |
| cloudwatch_logs_retention_days | Number of days to keep logs in AWS CloudWatch. | string | `90` | no |
| lambda_package | The name of the lambda package. Used for a directory tree and zip file. | string | `"anti-virus"` | no |
| lambda_s3_bucket | The name of the S3 bucket used to store the Lambda builds. | string | n/a | yes |
| lambda_version | The version of the Lambda function to deploy. | string | n/a | yes |
| memory_size | Lambda memory allocation, in MB | string | `2048` | no |
| name_scan | Name for resources associated with anti-virus scanning | string | `"s3-anti-virus-scan"` | no |
| name_update | Name for resources associated with anti-virus updating | string | `"s3-anti-virus-updates"` | no |
| tags | A map of tags to add to all resources. | map(string) | `{}` | no |
| timeout_seconds | Lambda timeout, in seconds | string | `300` | no |
## Outputs

| Name | Description |
|---|---|
| scan_aws_cloudwatch_log_group_arn | ARN for the Anti-Virus Scanning Cloudwatch LogGroup. |
| scan_aws_cloudwatch_log_group_name | The Anti-Virus Scanning Cloudwatch LogGroup name. |
| scan_lambda_function_arn | ARN for the Anti-Virus Scanning lambda function. |
| scan_lambda_function_iam_role_arn | ARN of the Anti-Virus Scanning lambda role. |
| scan_lambda_function_iam_role_name | Name of the Anti-Virus Scanning lambda role. |
| scan_lambda_function_name | The Anti-Virus Scanning lambda function name. |
| scan_lambda_function_version | Current version of the Anti-Virus Scanning lambda function. |
| update_aws_cloudwatch_log_group_arn | ARN for the Anti-Virus Definitions Cloudwatch LogGroup. |
| update_aws_cloudwatch_log_group_name | The Anti-Virus Definitions Cloudwatch LogGroup name. |
| update_lambda_function_arn | ARN for the Anti-Virus Definitions lambda function. |
| update_lambda_function_iam_role_arn | ARN of the Anti-Virus Definitions lambda role. |
| update_lambda_function_iam_role_name | Name of the Anti-Virus Definitions lambda role. |
| update_lambda_function_name | The Anti-Virus Definitions lambda function name. |
| update_lambda_function_version | Current version of the Anti-Virus Definitions lambda function. |