Py deps upgrade, TF upgrade, TF fixes

cli/config.py

@@ -58,6 +58,7 @@ class BinaryAlertConfig:
     """Wrapper around reading, validating, and updating the terraform.tfvars config file."""
     # Expected configuration value formats.
     VALID_AWS_ACCOUNT_ID_FORMAT = r'\d{12}'
+    VALID_AWS_ACCOUNT_NAME_FORMAT = r'[a-z]+\/?[a-z]+'
     VALID_AWS_REGION_FORMAT = r'[a-z]{2}-[a-z]{2,15}-\d'
     VALID_NAME_PREFIX_FORMAT = r'[a-z][a-z0-9_]{3,50}'
     VALID_CB_API_TOKEN_FORMAT = r'[a-f0-9]{40}'  # CarbonBlack API token.
@@ -96,6 +97,19 @@ def aws_account_id(self, value: str) -> None:
             )
         self._config['aws_account_id'] = value
 
+    @property
+    def aws_account_name(self) -> str:
+        return self._config['aws_account_name']
+
+    @aws_account_name.setter
+    def aws_account_name(self, value: str) -> None:
+        if not re.fullmatch(self.VALID_AWS_ACCOUNT_NAME_FORMAT, value, re.ASCII):
+            raise InvalidConfigError(
+                'aws_account_name "{}" does not match format {}'.format(
+                    value, self.VALID_AWS_ACCOUNT_NAME_FORMAT)
+            )
+        self._config['aws_account_name'] = value
+
     @property
     def aws_region(self) -> str:
         return self._config['aws_region']
@@ -260,6 +274,7 @@ def configure(self) -> None:
         Each request will be retried until the answer is in the correct format.
         """
         get_input('AWS Account ID', self.aws_account_id, self, 'aws_account_id')
+        get_input('AWS Account Name', self.aws_account_name, self, 'aws_account_name')
         get_input('AWS Region', self.aws_region, self, 'aws_region')
         get_input('Unique name prefix, e.g. "company_team"', self.name_prefix, self, 'name_prefix')
         enable_downloader = get_input('Enable the CarbonBlack downloader?',
@@ -285,6 +300,7 @@ def validate(self) -> None:
         """
         # Go through the internal setters which have the validation logic.
         self.aws_account_id = self.aws_account_id
+        self.aws_account_name = self.aws_account_name
         self.aws_region = self.aws_region
         self.name_prefix = self.name_prefix
         self.enable_carbon_black_downloader = self.enable_carbon_black_downloader

docs/source/conf.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
 # BinaryAlert documentation build configuration file, created by

manage.py

@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/env python
 """Command-line tool for easily managing BinaryAlert."""
 import argparse
 import os

requirements.txt

@@ -1,61 +1,76 @@
 alabaster==0.7.12
-asn1crypto==0.24.0
-astroid==2.1.0
+asn1crypto==1.4.0
+astroid==2.4.2
 attrdict==2.0.1
-Babel==2.6.0
-bandit==1.5.1
-boto3==1.9.99
-botocore==1.12.99
-cachetools==3.1.0
-cbapi==1.3.6
-certifi==2018.11.29
-cffi==1.12.1
-chardet==3.0.4
-coverage==4.5.2
-coveralls==1.6.0
-cryptography==2.5
+Babel==2.9.0
+bandit==1.7.0
+boto3==1.16.59
+botocore==1.19.59
+cachetools==4.2.1
+cbapi==1.7.3
+certifi==2020.12.5
+cffi==1.14.4
+chardet==4.0.0
+coverage==5.4
+coveralls==3.0.0
+cryptography==3.3.1
+decorator==4.4.2
 docopt==0.6.2
-docutils==0.14
+docutils==0.16
 futures==3.1.1
-gitdb2==2.0.5
-GitPython==2.1.11
-idna==2.8
-imagesize==1.1.0
-isort==4.3.4
-Jinja2==2.10
-jmespath==0.9.3
-lazy-object-proxy==1.3.1
-MarkupSafe==1.1.0
+gitdb==4.0.5
+gitdb2==4.0.2
+GitPython==3.1.12
+idna==2.5
+imagesize==1.2.0
+importlib-metadata==3.4.0
+isort==5.7.0
+Jinja2==2.11.2
+jmespath==0.10.0
+lazy-object-proxy==1.4.3
+MarkupSafe==1.1.1
 mccabe==0.6.1
-mypy==0.670
-mypy-extensions==0.4.1
-packaging==19.0
-pbr==5.1.2
-pika==0.13.0
-ply==3.10
-prompt-toolkit==2.0.9
-protobuf==3.6.1
-pycparser==2.19
-pyfakefs==3.5.7
-Pygments==2.3.1
-pyhcl==0.4.0
-pylint==2.2.2
-pyOpenSSL==19.0.0
-pyparsing==2.3.1
-python-dateutil==2.6.1
-pytz==2018.9
-PyYAML==3.13
-requests==2.21.0
-s3transfer==0.2.0
-six==1.12.0
-smmap2==2.0.5
-snowballstemmer==1.2.1
-Sphinx==1.8.4
-sphinx-rtd-theme==0.4.3
-sphinxcontrib-websupport==1.1.0
-stevedore==1.30.0
-typed-ast==1.3.1
-urllib3==1.24.1
-wcwidth==0.1.7
-wrapt==1.11.1
-yara-python==3.8.0
+mypy==0.800
+mypy-extensions==0.4.3
+packaging==20.8
+pbr==5.5.1
+pika==1.1.0
+ply==3.11
+prompt-toolkit==3.0.14
+protobuf==3.14.0
+pycparser==2.20
+pyfakefs==4.3.3
+Pygments==2.7.4
+pyhcl==0.4.4
+pylint==2.6.0
+pyOpenSSL==20.0.1
+pyparsing==2.4.7
+python-dateutil==2.8.1
+pytz==2020.5
+PyYAML==5.4.1
+requests==2.25.1
+s3transfer==0.3.4
+six==1.15.0
+smmap==3.0.1
+smmap2==3.0.1
+snowballstemmer==2.1.0
+solrq==1.1.1
+Sphinx==3.4.3
+sphinx-rtd-theme==0.5.1
+sphinxcontrib-applehelp==1.0.2
+sphinxcontrib-devhelp==1.0.2
+sphinxcontrib-htmlhelp==1.0.3
+sphinxcontrib-jsmath==1.0.1
+sphinxcontrib-qthelp==1.0.3
+sphinxcontrib-serializinghtml==1.1.4
+sphinxcontrib-websupport==1.2.4
+stevedore==3.3.0
+toml==0.10.2
+typed-ast==1.4.2
+typing-extensions==3.7.4.3
+urllib3==1.25.4
+validators==0.18.2
+wcwidth==0.2.5
+wrapt==1.12.1
+yara-python==4.0.2
+zipp==3.4.0

terraform/kms.tf

@@ -5,7 +5,7 @@ data "aws_iam_policy_document" "kms_allow_s3" {
 
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::${var.aws_account_id}:root"]
+      identifiers = ["arn:aws:iam::${var.aws_account_id}:${var.aws_account_name}"]
     }
 
     actions   = ["kms:*"]

terraform/modules/lambda/versions.tf

@@ -1,4 +1,4 @@
 
 terraform {
-  required_version = "~> 0.12.9"
+  required_version = ">= 0.13"
 }

terraform/variables.tf

@@ -1,100 +1,167 @@
 /* See terraform.tfvars for descriptions of each of the variables. */
 
 variable "aws_account_id" {
+  type        = string
+  description = "12-digit AWS account ID"
+}
+
+variable "aws_account_name" {
+  type        = string
+  description = "AWS account name, last part of the ARN, right after the ':' (colon), for instance 'root', or 'user/thename'"
 }
 
 variable "aws_region" {
+  type        = string
+  description = "AWS region in which to deploy the BinaryAlert components"
 }
 
 variable "name_prefix" {
+  type        = string
+  description = "Prefix used in all resource names (required for uniqueness) E.g. 'company_team'"
 }
 
 variable "enable_carbon_black_downloader" {
+  type        = bool
+  description = "Whether to enable CarbonBlack Downloader resources"
 }
 
 variable "carbon_black_url" {
+  type        = string
+  description = "URL of the CarbonBlack server"
 }
 
 variable "carbon_black_timeout" {
+  type        = number
+  description = "Timeout to use for Carbon Black API client. The client default is 60, so set to something lower if desired"
 }
 
 variable "encrypted_carbon_black_api_token" {
+  type        = string
+  description = "Encrypted API token used to interface with CarbonBlack"
 }
 
 variable "s3_log_bucket" {
+  type        = string
+  description = "Pre-existing bucket in which to store S3 access logs. If not specified, one will be created"
 }
 
 variable "s3_log_prefix" {
+  type        = string
+  description = "Log files will be stored in S3 with this prefix"
 }
 
 variable "s3_log_expiration_days" {
+  type        = number
+  description = "Access logs expire after this many days. Has no effect if using pre-existing bucket for logs"
 }
 
 variable "lambda_log_retention_days" {
+  type        = number
+  description = "How long to retain Lambda function logs for in days"
 }
 
 variable "tagged_name" {
+  type        = string
+  description = "Assigns this as the value for tag key 'Name' for all supported resources (CloudWatch logs, Dynamo, KMS, Lambda, S3, SQS)"
 }
 
 variable "metric_alarm_sns_topic_arn" {
+  type        = string
+  description = "Use an existing SNS topic for metric alarms (instead of creating one automatically)"
 }
 
 variable "expected_analysis_frequency_minutes" {
+  type        = number
+  description = "Alarm if no binaries are analyzed for this amount of time"
 }
 
 variable "dynamo_read_capacity" {
+  type        = number
+  description = "Provisioned read capacity for the Dynamo table which stores match results"
 }
 
 variable "dynamo_write_capacity" {
+  type        = number
+  description = "Provisioned write capacity for the Dynamo table which stores match results"
 }
 
 variable "lambda_analyze_memory_mb" {
+  type        = number
+  description = "Memory limit for the analyzer function"
 }
 
 variable "lambda_analyze_timeout_sec" {
+  type        = number
+  description = "Time limit for the analyzer function"
 }
 
 variable "lambda_analyze_concurrency_limit" {
+  type        = number
+  description = "Concurrency limit for the analyzer function"
 }
 
 variable "lambda_download_memory_mb" {
+  type        = number
+  description = "Memory limit for the downloader function"
 }
 
 variable "lambda_download_timeout_sec" {
+  type        = number
+  description = "Time limit for the downloader function"
 }
 
 variable "lambda_download_concurrency_limit" {
+  type        = number
+  description = "Concurrency limit for the downloader function"
 }
 
 variable "force_destroy" {
+  type        = bool
+  description = "WARNING: If force destroy is enabled, all objects in the S3 bucket(s) will be deleted during"
 }
 
 variable "external_s3_bucket_resources" {
-  type = list(string)
+  type        = list(string)
+  description = "Grants appropriate S3 bucket permissions to the analyzer function if you are using BinaryAlert to scan existing S3 buckets"
 }
 
 variable "external_kms_key_resources" {
-  type = list(string)
+  type        = list(string)
+  description = "Grants appropriate KMS permissions to the analyzer function if you are using BinaryAlert to scan existing S3 buckets"
 }
 
 variable "enable_negative_match_alerts" {
+  type        = bool
+  description = "Create a separate SNS topic which reports files that do NOT match any YARA rules"
 }
 
 variable "analyze_queue_batch_size" {
+  type        = number
+  description = "Maximum number of messages that will be received by each invocation of the analyzer function"
 }
 
 variable "download_queue_batch_size" {
+  type        = number
+  description = "Maximum number of messages that will be received by each invocation of the downloader function"
 }
 
 variable "analyze_queue_retention_secs" {
+  type        = number
+  description = "Messages in the analyzer queue will be retained and retried for the specified duration until expiring"
 }
 
 variable "download_queue_retention_secs" {
+  type        = number
+  description = "Messages in the downloader queue will be retained and retried for the specified duration until expiring"
 }
 
 variable "objects_per_retro_message" {
+  type        = number
+  description = "During a retroactive scan, number of S3 objects to pack into a single SQS message"
 }
 
 variable "download_queue_max_receives" {
+  type        = number
+  description = "Number of times a download SQS message is attempted to be delivered successfully before being moved to the DLQ"
 }
 

terraform/versions.tf

@@ -1,3 +1,8 @@
 terraform {
-  required_version = "~> 0.12.9"
-}
+  required_version = ">= 0.13"
+  required_providers {
+    aws = {
+      source = "hashicorp/aws"
+    }
+  }
+}