Add files via upload

himanshu219 · web-flow · commit c0d62425e4fa · 2025-04-01T22:35:28.000+05:30
diff --git a/cloudwatchevents/guarddutyeventprocessor.yaml b/cloudwatchevents/guarddutyeventprocessor.yaml
@@ -0,0 +1,204 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: >
+  This function is invoked by AWS CloudWatch events in response to state change
+  in your AWS resources which matches a event target definition. The event
+  payload received is then forwarded to Sumo Logic HTTP source endpoint.
+Parameters:
+  SumoEndpointUrl:
+    Type: String
+Outputs:
+  CloudWatchEventFunction:
+    Description: CloudWatchEvent Processor Function ARN
+    Value: !GetAtt 
+      - CloudWatchEventFunction
+      - Arn
+Resources:
+  CloudWatchEventFunction:
+    Type: 'AWS::Lambda::Function'
+    Metadata:
+      SamResourceId: CloudWatchEventFunction
+    Properties:
+      Code:
+        ZipFile: |
+          // SumoLogic Endpoint to post logs
+          var SumoURL = process.env.SUMO_ENDPOINT;
+
+          // For some beta AWS services, the default is to remove the outer fields of the received object since they are not useful.
+          // change this if necessary.
+          var removeOuterFields = false;
+
+          // The following parameters override the sourceCategoryOverride, sourceHostOverride and sourceNameOverride metadata fields within SumoLogic.
+          // Not these can also be overridden via json within the message payload. See the README for more information.
+          var sourceCategoryOverride = process.env.SOURCE_CATEGORY_OVERRIDE || '';  // If empty sourceCategoryOverride will not be overridden
+          var sourceHostOverride = process.env.SOURCE_HOST_OVERRIDE || '';          // If empty sourceHostOverride will not be set to the name of the logGroup
+          var sourceNameOverride = process.env.SOURCE_NAME_OVERRIDE || '';          // If empty sourceNameOverride will not be set to the name of the logStream
+
+          var retryInterval = process.env.RETRY_INTERVAL || 5000; // the interval in millisecs between retries
+          var numOfRetries = process.env.NUMBER_OF_RETRIES || 3;  // the number of retries
+
+          var https = require('https');
+          var zlib = require('zlib');
+          var url = require('url');
+
+          Promise.retryMax = function(fn,retry,interval,fnParams) {
+              return fn.apply(this,fnParams).catch( err => {
+                  var waitTime = typeof interval === 'function' ? interval() : interval;
+                  console.log("Retries left " + (retry-1) + " delay(in ms) " + waitTime);
+                  return (retry>1? Promise.wait(waitTime).then(()=> Promise.retryMax(fn,retry-1,interval, fnParams)):Promise.reject(err));
+              });
+          }
+
+          Promise.wait = function(delay) {
+              return new Promise((fulfill,reject)=> {
+                  //console.log(Date.now());
+                  setTimeout(fulfill,delay||0);
+              });
+          };
+
+          function exponentialBackoff(seed) {
+              var count = 0;
+              return function() {
+                  count++;
+                  return count*seed;
+              }
+          }
+
+          function postToSumo(callback, messages) {
+              var messagesTotal = Object.keys(messages).length;
+              var messagesSent = 0;
+              var messageErrors = [];
+
+              var urlObject = url.parse(SumoURL);
+              var options = {
+                  'hostname': urlObject.hostname,
+                  'path': urlObject.pathname,
+                  'method': 'POST'
+              };
+
+              var finalizeContext = function () {
+                  var total = messagesSent + messageErrors.length;
+                  if (total == messagesTotal) {
+                      console.log('messagesSent: ' + messagesSent + ' messagesErrors: ' + messageErrors.length);
+                      if (messageErrors.length > 0) {
+                          callback('errors: ' + messageErrors);
+                      } else {
+                          callback(null, "Success");
+                      }
+                  }
+              };
+
+              function httpSend(options, headers, data) {
+                  return new Promise( (resolve,reject) => {
+                      var curOptions = options;
+                      curOptions.headers = headers;
+                      var req = https.request(curOptions, function (res) {
+                          var body = '';
+                          res.setEncoding('utf8');
+                          res.on('data', function (chunk) {
+                              body += chunk; // don't really do anything with body
+                          });
+                          res.on('end', function () {
+                              if (res.statusCode == 200) {
+                                  resolve(body);
+                              } else {
+                                  reject({'error':'HTTP Return code ' + res.statusCode,'res':res});
+                              }
+                          });
+                      });
+                      req.on('error', function (e) {
+                          reject({'error':e,'res':null});
+                      });
+                      for (var i = 0; i < data.length; i++) {
+                          req.write(JSON.stringify(data[i]) + '\n');
+                      }
+                      console.log("sending to Sumo...")
+                      req.end();
+                  });
+              }
+              Object.keys(messages).forEach(function (key, index) {
+                  var headerArray = key.split(':');
+                  var headers = {
+                      'X-Sumo-Name': headerArray[0],
+                      'X-Sumo-Category': headerArray[1],
+                      'X-Sumo-Host': headerArray[2],
+                      'X-Sumo-Client': 'cloudwatchevents-aws-lambda'
+                  };
+                  Promise.retryMax(httpSend, numOfRetries, retryInterval, [options, headers, messages[key]]).then((body)=> {
+                      messagesSent++;
+                      finalizeContext()
+                  }).catch((e) => {
+                      messageErrors.push(e.error);
+                      finalizeContext();
+                  });
+              });
+          }
+
+          exports.handler = function (event, context, callback) {
+
+              // Used to hold chunks of messages to post to SumoLogic
+              var messageList = {};
+              var final_event;
+              // Validate URL has been set
+              var urlObject = url.parse(SumoURL);
+              if (urlObject.protocol != 'https:' || urlObject.host === null || urlObject.path === null) {
+                  callback('Invalid SUMO_ENDPOINT environment variable: ' + SumoURL);
+              }
+
+              //console.log(event);
+              if ((event.source==="aws.guardduty") || (removeOuterFields)) {
+                  final_event =event.detail;
+              } else {
+                  final_event = event;
+              }
+              messageList[sourceNameOverride+':'+sourceCategoryOverride+':'+sourceHostOverride]=[final_event];
+              postToSumo(callback, messageList);
+          };
+      Handler: index.handler
+      Role: !GetAtt 
+        - CloudWatchEventFunctionRole
+        - Arn
+      Runtime: nodejs22.x
+      Timeout: 300
+      Environment:
+        Variables:
+          SUMO_ENDPOINT: !Ref SumoEndpointUrl
+      Tags:
+        - Key: 'lambda:createdBy'
+          Value: SAM
+  CloudWatchEventFunctionRole:
+    Type: 'AWS::IAM::Role'
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Action:
+              - 'sts:AssumeRole'
+            Effect: Allow
+            Principal:
+              Service:
+                - lambda.amazonaws.com
+      ManagedPolicyArns:
+        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
+      Tags:
+        - Key: 'lambda:createdBy'
+          Value: SAM
+  CloudWatchEventFunctionCloudWatchEventTrigger:
+    Type: 'AWS::Events::Rule'
+    Properties:
+      EventPattern:
+        source:
+          - aws.guardduty
+      Targets:
+        - Arn: !GetAtt 
+            - CloudWatchEventFunction
+            - Arn
+          Id: CloudWatchEventFunctionCloudWatchEventTriggerLambdaTarget
+  CloudWatchEventFunctionCloudWatchEventTriggerPermission:
+    Type: 'AWS::Lambda::Permission'
+    Properties:
+      Action: 'lambda:InvokeFunction'
+      FunctionName: !Ref CloudWatchEventFunction
+      Principal: events.amazonaws.com
+      SourceArn: !GetAtt 
+        - CloudWatchEventFunctionCloudWatchEventTrigger
+        - Arn
