-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: Vishal Choudhary <[email protected]>
- Loading branch information
1 parent
5958b81
commit 5d8146b
Showing
4 changed files
with
180 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
package aws | ||
|
||
import "time" | ||
|
||
type LambdaEvent struct { | ||
Version string `json:"version"` | ||
ID string `json:"id"` | ||
DetailType string `json:"detail-type"` | ||
Source string `json:"source"` | ||
Account string `json:"account"` | ||
Time time.Time `json:"time"` | ||
Region string `json:"region"` | ||
Resources []string `json:"resources"` | ||
Detail Detail `json:"detail"` | ||
} | ||
type Details struct { | ||
Name string `json:"name"` | ||
Value string `json:"value"` | ||
} | ||
type Attachments struct { | ||
ID string `json:"id"` | ||
Type string `json:"type"` | ||
Status string `json:"status"` | ||
Details []Details `json:"details"` | ||
} | ||
type Attributes struct { | ||
Name string `json:"name"` | ||
Value string `json:"value"` | ||
} | ||
type Containers struct { | ||
ContainerArn string `json:"containerArn"` | ||
LastStatus string `json:"lastStatus"` | ||
Name string `json:"name"` | ||
Image string `json:"image"` | ||
TaskArn string `json:"taskArn"` | ||
NetworkInterfaces []interface{} `json:"networkInterfaces"` | ||
CPU string `json:"cpu"` | ||
Memory string `json:"memory"` | ||
} | ||
type EphemeralStorage struct { | ||
SizeInGiB int `json:"sizeInGiB"` | ||
} | ||
type ContainerOverrides struct { | ||
Name string `json:"name"` | ||
} | ||
type Overrides struct { | ||
ContainerOverrides []ContainerOverrides `json:"containerOverrides"` | ||
} | ||
type Detail struct { | ||
Attachments []Attachments `json:"attachments"` | ||
Attributes []Attributes `json:"attributes"` | ||
AvailabilityZone string `json:"availabilityZone"` | ||
ClusterArn string `json:"clusterArn"` | ||
Containers []Containers `json:"containers"` | ||
CPU string `json:"cpu"` | ||
CreatedAt time.Time `json:"createdAt"` | ||
DesiredStatus string `json:"desiredStatus"` | ||
EnableExecuteCommand bool `json:"enableExecuteCommand"` | ||
EphemeralStorage EphemeralStorage `json:"ephemeralStorage"` | ||
Group string `json:"group"` | ||
LaunchType string `json:"launchType"` | ||
LastStatus string `json:"lastStatus"` | ||
Memory string `json:"memory"` | ||
Overrides Overrides `json:"overrides"` | ||
PlatformVersion string `json:"platformVersion"` | ||
TaskArn string `json:"taskArn"` | ||
TaskDefinitionArn string `json:"taskDefinitionArn"` | ||
UpdatedAt time.Time `json:"updatedAt"` | ||
Version int `json:"version"` | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,61 @@ | ||
package aws | ||
|
||
import ( | ||
"encoding/json" | ||
"log" | ||
|
||
"github.com/aws/aws-lambda-go/events" | ||
"github.com/aws/aws-lambda-go/lambda" | ||
"github.com/vishal-chdhry/cloud-image-verification/pkg/imageverifier" | ||
) | ||
|
||
func handler(event events.CloudWatchEvent) { | ||
var eventDetail Detail | ||
err := json.Unmarshal(event.Detail, &eventDetail) | ||
if err != nil { | ||
log.Fatalf("[ERROR] %v error during event unmarshalling: %v", event.ID, err) | ||
} | ||
|
||
lambdaEvent := LambdaEvent{ | ||
Version: event.Version, | ||
ID: event.ID, | ||
DetailType: event.DetailType, | ||
Source: event.Source, | ||
Account: event.AccountID, | ||
Time: event.Time, | ||
Region: event.Region, | ||
Resources: event.Resources, | ||
Detail: eventDetail, | ||
} | ||
|
||
log.Printf("Cluster: %v\n", lambdaEvent.Detail.ClusterArn) | ||
log.Printf("taskArn: %v\n", lambdaEvent.Detail.TaskArn) | ||
log.Printf("taskDefinitionArn: %v\n", lambdaEvent.Detail.TaskDefinitionArn) | ||
log.Printf("accountId: %v\n", lambdaEvent.Account) | ||
|
||
policies, err := getPolicies() | ||
if err != nil { | ||
log.Printf("Failed to fetch policies: %v", err) | ||
} | ||
iv := imageverifier.NewVerifier(*policies) | ||
for i := 0; i < len(lambdaEvent.Detail.Containers); i++ { | ||
log.Printf("Container Image %v : %v", i, lambdaEvent.Detail.Containers[i].Image) | ||
err := iv.Verify(lambdaEvent.Detail.Containers[i].Image) | ||
if err != nil { | ||
log.Printf("Error while verifing image: %v", err) | ||
log.Printf("%v NOT VERIFIED", lambdaEvent.Detail.Containers[i].Image) | ||
log.Printf("Stopping Task %v", lambdaEvent.Detail.TaskArn) | ||
err := stopTask(lambdaEvent.Detail.ClusterArn, lambdaEvent.Detail.TaskArn) | ||
if err != nil { | ||
log.Printf("Stopping Task %v : %v", lambdaEvent.Detail.TaskArn, err) | ||
} | ||
|
||
} else { | ||
log.Println("VERIFIED") | ||
} | ||
} | ||
} | ||
|
||
func main() { | ||
lambda.Start(handler) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
package aws | ||
|
||
import ( | ||
"encoding/json" | ||
"errors" | ||
"fmt" | ||
"os" | ||
|
||
"github.com/vishal-chdhry/cloud-image-verification/pkg/policy" | ||
) | ||
|
||
func getPolicies() (*policy.VerificationPolicies, error) { | ||
pol := os.Getenv("VERIFICATION_POLICIES") | ||
if len(pol) != 0 { | ||
return nil, errors.New("must provide VERIFICATION_POLICIES") | ||
} | ||
var validationPolicies policy.VerificationPolicies | ||
if err := json.Unmarshal([]byte(pol), &validationPolicies); err != nil { | ||
return nil, fmt.Errorf("invalid validation policy provided: %w", err) | ||
} | ||
return &validationPolicies, nil | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,27 @@ | ||
package aws | ||
|
||
import ( | ||
"github.com/aws/aws-sdk-go/aws" | ||
"github.com/aws/aws-sdk-go/aws/session" | ||
"github.com/aws/aws-sdk-go/service/ecs" | ||
) | ||
|
||
type NotificationMessage struct { | ||
Message string | ||
ClusterArn string | ||
TaskDefinitionArn string | ||
TaskArn string | ||
} | ||
|
||
func stopTask(clusterArn string, taskArn string) error { | ||
stopTaskInput := ecs.StopTaskInput{Cluster: aws.String(clusterArn), | ||
Reason: aws.String("lambda error: image not verified"), Task: aws.String(taskArn)} | ||
|
||
var svc = ecs.New(session.Must(session.NewSession())) | ||
|
||
_, err := svc.StopTask(&stopTaskInput) | ||
if err != nil { | ||
return err | ||
} | ||
return nil | ||
} |