An Amazon Web Services (AWS) Lambda function for running Chef InSpec in a serverless fashion
The following steps walk through how to deploy the "builder" AWS EC2 instance (optional) and deploy the serverless inspec Lambda function.
Clone the github repository
git clone https://github.com/martezr/serverless-inspec.gitChange directory to serverless-inspec
cd serverless-inspecThe code in this repository uses the serverless framework to deploy the Lambda function and Lambda layer. An AWS EC2 instance is used to act as a deployment server and has the serverless CLI installed along with Docker.
** Requires Terraform to be installed **
Change directory into the aws-terraform directory where the Terraform code is located.
cd aws-terraformRun the terraform init command to download the appropriate Terraform providers. The scaffold code uses local storage for storing the Terraform state file.
terraform initThe Terraform code supports the following input variables. The variables can be supplied on the command line as individual arguments or added to a variables file similar to the grt-dev.tfvars file in the repo.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| region | The AWS region to depoy to | string | us-east-1 |
no |
| instance_type | The type of instance to start | string | t2.micro |
no |
| key_name | The key name to use for the instance | string | - |
yes |
| subnet_id | The VPC Subnet ID to launch in | string | - |
yes |
| vpc_security_group_ids | A list of security group IDs to associate with | list | - |
no |
Run the terraform apply command with the --auto-approve flag to prevent being prompted for confirmation along with the name of the Terraform variables file.
terraform apply --auto-approve -var-file=grt-dev.tfvarsSSH to the EC2 instance and change the directory to the code directory in the serverless-inspec git repo on the EC2 instance.
cd /serverless-inspec/codeThe Lambda function is deployed using the Serverless framework (https://serverless.com) to simplify the packaging and deployment. Included in the repository is the code/serverless.yaml deployment file that can be used and modifications can be made by referencing the Serverless documentation (https://serverless.com/framework/docs/providers/aws/guide/serverless.yml/).
The sls deploy command is used to deploy the Lambda function and the name of the S3 bucket to store the scan results along with the URL of the InSpec profile to run should be provided as command line arguments.
service: inspec-serverless
provider:
name: aws
runtime: ruby2.5
region: us-east-1
stage: prod
iamManagedPolicies:
- 'arn:aws:iam::aws:policy/ReadOnlyAccess'
environment:
HOME: /tmp
INSPEC_PROFILE: "https://github.com/martezr/serverless-inspec-profile"
S3_DATA_BUCKET: mreed-bucket
functions:
inspec_scan:
handler: handler.inspec_scan
layers:
- {Ref: InspecLambdaLayer }
layers:
inspec:
path: layerThe Lambda function can be deployed using the provided serverless deployment file by running the following command from the "code" directory in the repository.
[root@ip-172-31-2-252 code]# sls deploy --s3_data_bucket mreed-bucket --inspec_profile https://github.com/martezr/serverless-inspec-profile
Serverless: Packaging service...
Serverless: Excluding development dependencies...
Serverless: Excluding development dependencies...
Serverless: Creating Stack...
Serverless: Checking Stack create progress...
.....
Serverless: Stack create finished...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading artifacts...
Serverless: Uploading service inspec-serverless.zip file to S3 (372 B)...
Serverless: Uploading service inspec.zip file to S3 (37.66 MB)...
Serverless: Validating template...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
..................
Serverless: Stack update finished...
Service Information
service: inspec-serverless
stage: prod
region: us-east-1
stack: inspec-serverless-prod
resources: 6
api keys:
None
endpoints:
None
functions:
inspec_scan: inspec-serverless-prod-inspec_scan
layers:
inspec: arn:aws:lambda:us-east-1:684882843674:layer:inspec:7The following environment variables are defined for the Lambda function.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| HOME | The HOME environment variable for enabling proper execution of the Lambda function | string | /tmp |
yes |
| INSPEC_PROFILE | The github url of the InSpec profile to run | string | - |
yes |
| S3_DATA_BUCKET | The name of the Amazon Web Services (AWS) S3 bucket to store the JSON output file | string | - |
no |
Once the Lambda function has been deployed the "builder" AWS EC2 instance can be destroyed.
Run the terraform destroy command with the --auto-approve flag to prevent being prompted for confirmation along with the name of the Terraform variables file.
terraform destroy --auto-approve -var-file=grt-dev.tfvarsThe Lambda function can be invoked in a generic manner that accepts parameters to specified in the JSON payload sent to the function during invocation.
{
"s3_bucket": "",
"inspec_profiles": ["https://github.com/martezr/serverless-inspec-profile"]
}| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| inspec_profiles | The github url of the InSpec profile(s) to run | array | - |
yes |
| s3_bucket | The name of the Amazon Web Services (AWS) S3 bucket to store the JSON output file | string | - |
yes |
Special Thanks to Martez Reed for the orginal start on this work and helping the community get a great start on this effort.
| Orginal Contributor: | Martez Reed (martez.reed@greenreedtech.com) |
© 2019-2021 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.
No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation.