try-panwiac · try-panwiac · Mar 14, 2023 · prisma-cloud-devsecops · Mar 14, 2023 · prisma-cloud-devsecops
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,7 @@
-FROM node:12-alpine
-ENV WORKDIR /usr/src/app/
-WORKDIR $WORKDIR
-COPY package*.json $WORKDIR
-RUN npm install --production --no-cache
+FROM node
 
-FROM node:12-alpine
-ENV USER node
-ENV WORKDIR /home/$USER/app
-WORKDIR $WORKDIR
-COPY --from=0 /usr/src/app/node_modules node_modules
-RUN chown $USER:$USER $WORKDIR
-COPY --chown=node . $WORKDIR
-# In production environment uncomment the next line
-#RUN chown -R $USER:$USER /home/$USER && chmod -R g-s,o-rx /home/$USER && chmod -R o-wrx $WORKDIR
-# Then all further actions including running the containers should be done under non-root user.
-USER $USER
-EXPOSE 4000
+COPY . /
+
+RUN npm install
+
+CMD "npm" "start"
diff --git a/main.tf b/main.tf
@@ -1,94 +1,36 @@
-resource "aws_s3_bucket" "data" {
-  # bucket is public
-  # bucket is not encrypted
-  # bucket does not have access logs
-  # bucket does not have versioning
-  bucket        = "${local.resource_prefix.value}-data"
-  region        = "us-west-2"
-  acl           = "public-read"
-  #force_destroy = true
-  tags = {
-    Name        = "${local.resource_prefix.value}-data"
-    Environment = local.resource_prefix.value
-  }
+provider "aws" {
+  region = "us-east-1"
 }
 
-resource "aws_s3_bucket_object" "data_object" {
-  bucket = aws_s3_bucket.data.id
-  region        = "us-west-2"
-  key    = "customer-master.xlsx"
-  source = "resources/customer-master.xlsx"
-  tags = {
-    Name        = "${local.resource_prefix.value}-customer-master"
-    Environment = local.resource_prefix.value
-  }
+resource "aws_lambda_function" "example_lambda" {
+  function_name    = "example_lambda_function"
+  handler          = "index.handler"
+  runtime          = "provided.al2"
+  role             = aws_iam_role.lambda_exec.arn
+  timeout          = 15
+  memory_size      = 256
+  package_type     = "Image"
+  image_uri        = "node"
 }
-}
+  tracing_config {
+    mode = "PassThrough"
+  }
+}
-}
+  tracing_config {
+    mode = "PassThrough"
+  }
+}
 
-resource "aws_s3_bucket" "financials" {
-  # bucket is not encrypted
-  # bucket does not have access logs
-  # bucket does not have versioning
-  bucket        = "${local.resource_prefix.value}-financials"
-  region        = "us-west-2"
-  acl           = "public-read"
-  force_destroy = true
-  tags = {
-    Name        = "${local.resource_prefix.value}-financials"
-    Environment = local.resource_prefix.value
-  }
+resource "aws_iam_role" "lambda_exec" {
+  name = "example-lambda-exec"
 
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "lambda.amazonaws.com"
+        }
+      }
+    ]
+  })
 }
 
-resource "aws_s3_bucket" "operations" {
-  # bucket is not encrypted
-  # bucket does not have access logs
-  bucket = "${local.resource_prefix.value}-operations"
-  region        = "us-west-2"
-  acl    = "private"
-  versioning {
-    enabled = true
-  }
-  force_destroy = true
-  tags = {
-    Name        = "${local.resource_prefix.value}-operations"
-    Environment = local.resource_prefix.value
-  }
-
-}
-
-resource "aws_s3_bucket" "data_science" {
-  # bucket is not encrypted
-  bucket = "${local.resource_prefix.value}-data-science"
-  region        = "us-west-2"
-  acl    = "private"
-  versioning {
-    enabled = true
-  }
-  logging {
-    target_bucket = "${aws_s3_bucket.logs.id}"
-    target_prefix = "log/"
-  }
-  force_destroy = true
-}
-
-resource "aws_s3_bucket" "logs" {
-  bucket = "${local.resource_prefix.value}-logs"
-  region = "us-west-2"
-  acl    = "log-delivery-write"
-  versioning {
-    enabled = true
-  }
-  server_side_encryption_configuration {
-    rule {
-      apply_server_side_encryption_by_default {
-        sse_algorithm     = "aws:kms"
-        kms_master_key_id = "${aws_kms_key.logs_key.arn}"
-      }
-    }
-  }
-  force_destroy = true
-  tags = {
-    Name        = "${local.resource_prefix.value}-logs"
-    Environment = local.resource_prefix.value
-  }
+resource "aws_iam_role_policy_attachment" "lambda_exec_attachment" {
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+  role       = aws_iam_role.lambda_exec.name
 }