Add commands to bootstrap and enable audit logging (#117)

Add commands to bootstrap and enable audit logging

build.gradle

@@ -9,6 +9,9 @@ allprojects {
     apply plugin: "com.github.johnrengelman.shadow"
 }
 
+sourceCompatibility = 1.8
+targetCompatibility = 1.8
+
 apply from: file('gradle/dependencies.gradle')
 apply from: file('gradle/check.gradle')
 apply from: file('gradle/integration.gradle')

gradle.properties

@@ -16,4 +16,4 @@
 
 group=com.nike
 artifactId=cerberus-lifecycle-cli
-version=4.0.0
+version=4.1.0

gradle/dependencies.gradle

@@ -19,7 +19,7 @@ allprojects {
         jcenter()
     }
 
-    def awsSDKVersion = '1.11.229'
+    def awsSDKVersion = '1.11.269'
 
     //noinspection GroovyAssignabilityCheck
     dependencies {
@@ -36,9 +36,8 @@ allprojects {
         compile group: 'com.amazonaws', name: 'aws-java-sdk-route53', version: awsSDKVersion
         compile group: 'com.amazonaws', name: 'aws-java-sdk-elasticloadbalancingv2', version: awsSDKVersion
         compile group: 'com.amazonaws', name: 'aws-java-sdk-rds', version: awsSDKVersion
-
-        // https://mvnrepository.com/artifact/com.amazonaws/aws-encryption-sdk-java
         compile group: 'com.amazonaws', name: 'aws-encryption-sdk-java', version: '1.3.1'
+        compile group: 'com.amazonaws', name: 'aws-java-sdk-athena', version: awsSDKVersion
 
         compile 'com.nike:vault-client:1.4.1'
         compile 'com.squareup.okhttp3:okhttp:3.3.1'

src/main/java/com/nike/cerberus/ConfigConstants.java

@@ -21,54 +21,33 @@
 public class ConfigConstants {
 
     public static final String ENV_PREFIX = "cerberus-";
-
     public static final String DEFAULT_ENCODING = "UTF-8";
-
     public static final int MINIMUM_AZS = 3;
-
     public static final String CONFIG_BUCKET_KEY = "cerberusconfigbucket";
-
     public static final String DEFAULT_CMS_DB_NAME = "cms";
-
     public static final String ENVIRONMENT_DATA_FILE = "environment.json";
-
     public static final String CERT_PART_CA = "ca.pem";
-
     public static final String CERT_PART_CERT = "cert.pem";
-
     public static final String CERT_PART_PKCS8_KEY = "pkcs8-key.pem";
-
     public static final String CERT_PART_KEY = "key.pem";
-
     public static final String CERT_PART_PUBKEY = "pubkey.pem";
-
     public static final String CERT_ACME_ACCOUNT_PRIVATE_KEY = "certificates/acme/account-private-key-pkcs1.pem";
-
     public static final String CMS_ENV_CONFIG_PATH = "cms/environment.properties";
-
     public static final String VERSION_PROPERTY = "cli.version";
-
     public static final String CMS_ADMIN_GROUP_KEY = "cms.admin.group";
-
     public static final String ROOT_USER_ARN_KEY = "root.user.arn";
-
     public static final String ADMIN_ROLE_ARN_KEY = "admin.role.arn";
-
     public static final String CMS_ROLE_ARN_KEY = "cms.role.arn";
-
     public static final String JDBC_URL_KEY = "JDBC.url";
-
     public static final String JDBC_USERNAME_KEY = "JDBC.username";
-
     public static final String JDBC_PASSWORD_KEY = "JDBC.password";
-
     public static final String CMK_ARNS_KEY = "cms.encryption.cmk.arns";
-
     public static final String HASH_SALT = "cms.auth.token.hash.salt";
-
     public static final String CMS_ENV_NAME = "cms.env.name";
-
     public static final String CMS_CERTIFICATE_TO_USE = "cms.ssl.certificateName";
+    public static final String AUDIT_LOG_PROCESSOR = "cms.event.processors.com.nike.cerberus.event.processor.AuditLogProcessor";
+    public static final String AUDIT_LOG_BUCKET = "cms.audit.bucket";
+    public static final String AUDIT_LOG_BUCKET_REGION = "cms.audit.bucket_region";
 
     public static final ImmutableSet<String> SYSTEM_CONFIGURED_CMS_PROPERTIES = ImmutableSet.of(
             ROOT_USER_ARN_KEY,
@@ -80,7 +59,10 @@ public class ConfigConstants {
             CMK_ARNS_KEY,
             HASH_SALT,
             CMS_ENV_NAME,
-            CMS_CERTIFICATE_TO_USE);
+            CMS_CERTIFICATE_TO_USE,
+            AUDIT_LOG_PROCESSOR,
+            AUDIT_LOG_BUCKET,
+            AUDIT_LOG_BUCKET_REGION);
 
     public static final String CERBERUS_AMI_TAG_NAME = "tag:cerberus_component";
 

src/main/java/com/nike/cerberus/cli/CerberusRunner.java

@@ -27,6 +27,10 @@
 import com.nike.cerberus.ConfigConstants;
 import com.nike.cerberus.command.CerberusCommand;
 import com.nike.cerberus.command.Command;
+import com.nike.cerberus.command.audit.CreateAuditAthenaDbAndTableCommand;
+import com.nike.cerberus.command.audit.CreateAuditLoggingStackCommand;
+import com.nike.cerberus.command.audit.DisableAuditLoggingCommand;
+import com.nike.cerberus.command.audit.EnableAuditLoggingForExistingEnvironmentCommand;
 import com.nike.cerberus.command.certificates.RotateAcmeAccountPrivateKeyCommand;
 import com.nike.cerberus.command.cms.CreateCmsClusterCommand;
 import com.nike.cerberus.command.cms.CreateCmsConfigCommand;
@@ -208,6 +212,10 @@ private void registerAllCommands() {
         registerCommand(new GenerateAndRotateCertificatesCommand());
         registerCommand(new RotateAcmeAccountPrivateKeyCommand());
         registerCommand(new CleanUpRdsSnapshotsCommand());
+        registerCommand(new CreateAuditLoggingStackCommand());
+        registerCommand(new CreateAuditAthenaDbAndTableCommand());
+        registerCommand(new DisableAuditLoggingCommand());
+        registerCommand(new EnableAuditLoggingForExistingEnvironmentCommand());
     }
 
     /**

src/main/java/com/nike/cerberus/cli/EnvironmentConfigToArgsMapper.java

@@ -18,6 +18,7 @@
 
 import com.google.common.collect.Lists;
 import com.nike.cerberus.command.StackDelegate;
+import com.nike.cerberus.command.audit.CreateAuditLoggingStackCommand;
 import com.nike.cerberus.command.cms.CreateCmsClusterCommand;
 import com.nike.cerberus.command.cms.CreateCmsConfigCommand;
 import com.nike.cerberus.command.cms.UpdateCmsConfigCommand;
@@ -142,6 +143,9 @@ public static List<String> getArgsForCommand(EnvironmentConfig environmentConfig
             case RotateCertificatesCommand.COMMAND_NAME:
                 args = getUploadCertFilesCommandArgs(environmentConfig, passedArgs);
                 break;
+            case CreateAuditLoggingStackCommand.COMMAND_NAME:
+                args = getCreateAuditLoggingStackCommandArgs(environmentConfig);
+                break;
             default:
                 break;
         }
@@ -152,6 +156,12 @@ public static List<String> getArgsForCommand(EnvironmentConfig environmentConfig
         return args;
     }
 
+    private static List<String> getCreateAuditLoggingStackCommandArgs(EnvironmentConfig environmentConfig) {
+        return ArgsBuilder.create()
+                .addOption(CreateAuditLoggingStackCommand.ADMIN_ROLE_ARN_LONG_ARG, environmentConfig.getAdminRoleArn())
+                .build();
+    }
+
     private static List<String> getCreateEdgeDomainRecordCommandArgs(EnvironmentConfig environmentConfig) {
         ArgsBuilder args = ArgsBuilder.create()
                 .addOption(CreateEdgeDomainRecordCommand.BASE_DOMAIN_NAME_LONG_ARG, environmentConfig.getBaseDomainName())

src/main/java/com/nike/cerberus/client/aws/AthenaAwsClientFactory.java

@@ -0,0 +1,24 @@
+package com.nike.cerberus.client.aws;
+
+import com.amazonaws.regions.Regions;
+import com.amazonaws.services.athena.AmazonAthenaClient;
+import com.nike.cerberus.service.AwsClientFactory;
+
+public class AthenaAwsClientFactory extends AwsClientFactory<AmazonAthenaClient> {
+
+    @Override
+    public AmazonAthenaClient getClient(Regions region) {
+        if (!clients.containsKey(region)) {
+            clients.put(region, createClient(region));
+        }
+        return clients.get(region);
+    }
+
+    private AmazonAthenaClient createClient(Regions region) {
+        return (AmazonAthenaClient) AmazonAthenaClient.builder()
+                .withRegion(region)
+                .withCredentials(getAWSCredentialsProviderChain())
+                .build();
+    }
+
+}

src/main/java/com/nike/cerberus/command/audit/CreateAuditAthenaDbAndTableCommand.java

@@ -0,0 +1,27 @@
+package com.nike.cerberus.command.audit;
+
+import com.beust.jcommander.Parameters;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.audit.CreateAuditAthenaDbAndTableOperation;
+
+import static com.nike.cerberus.command.audit.CreateAuditAthenaDbAndTableCommand.COMMAND_NAME;
+
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = "Creates the db and table needed in athena to enable interacting with the audit data via athena"
+)
+public class CreateAuditAthenaDbAndTableCommand implements Command {
+
+    public static final String COMMAND_NAME = "create-audit-log-athena-db-and-table";
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return CreateAuditAthenaDbAndTableOperation.class;
+    }
+}

src/main/java/com/nike/cerberus/command/audit/CreateAuditLoggingStackCommand.java

@@ -0,0 +1,51 @@
+package com.nike.cerberus.command.audit;
+
+import com.beust.jcommander.Parameter;
+import com.beust.jcommander.Parameters;
+import com.beust.jcommander.ParametersDelegate;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.domain.cloudformation.TagParametersDelegate;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.audit.CreateAuditStackOperation;
+
+import static com.nike.cerberus.command.audit.CreateAuditLoggingStackCommand.COMMAND_NAME;
+
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = "Creates an S3 bucket and IAM roles configured to allow CMS to write audit log data and " +
+                "IAM role that allows AWS Athena/Glue queries"
+)
+public class CreateAuditLoggingStackCommand implements Command {
+
+    public static final String COMMAND_NAME = "create-audit-logging-stack";
+
+    public static final String ADMIN_ROLE_ARN_LONG_ARG = "--admin-role-arn";
+
+    @Parameter(
+            names = ADMIN_ROLE_ARN_LONG_ARG,
+            description = "An IAM role ARN that will be given elevated privileges for the KMS CMKs created.",
+            required = true
+    )
+    private String adminRoleArn;
+
+    public String getAdminRoleArn() {
+        return adminRoleArn;
+    }
+
+    @ParametersDelegate
+    private TagParametersDelegate tagsDelegate = new TagParametersDelegate();
+
+    public TagParametersDelegate getTagsDelegate() {
+        return tagsDelegate;
+    }
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return CreateAuditStackOperation.class;
+    }
+}

src/main/java/com/nike/cerberus/command/audit/DisableAuditLoggingCommand.java

@@ -0,0 +1,27 @@
+package com.nike.cerberus.command.audit;
+
+import com.beust.jcommander.Parameters;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.audit.DisableAuditLoggingOperation;
+
+import static com.nike.cerberus.command.audit.DisableAuditLoggingCommand.COMMAND_NAME;
+
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = "Disables the CLI to set the required CMS properties to enable audit logging, when creating or updating CMS config"
+)
+public class DisableAuditLoggingCommand implements Command {
+
+    public static final String COMMAND_NAME = "disable-audit-logging";
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return DisableAuditLoggingOperation.class;
+    }
+}

src/main/java/com/nike/cerberus/command/audit/EnableAuditLoggingCommand.java

@@ -0,0 +1,27 @@
+package com.nike.cerberus.command.audit;
+
+import com.beust.jcommander.Parameters;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.audit.EnableAuditLoggingOperation;
+
+import static com.nike.cerberus.command.audit.EnableAuditLoggingCommand.COMMAND_NAME;
+
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = "Enables the CLI to set the required CMS properties to enable audit logging, when creating or updating CMS config"
+)
+public class EnableAuditLoggingCommand implements Command {
+
+    public static final String COMMAND_NAME = "enable-audit-logging";
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return EnableAuditLoggingOperation.class;
+    }
+}

src/main/java/com/nike/cerberus/command/audit/EnableAuditLoggingForExistingEnvironmentCommand.java

@@ -0,0 +1,36 @@
+package com.nike.cerberus.command.audit;
+
+import com.beust.jcommander.Parameters;
+import com.nike.cerberus.command.Command;
+import com.nike.cerberus.operation.Operation;
+import com.nike.cerberus.operation.audit.EnableAuditLoggingForExistingEnvironmentOperation;
+
+import static com.nike.cerberus.command.audit.EnableAuditLoggingForExistingEnvironmentCommand.COMMAND_DESCRIPTION;
+import static com.nike.cerberus.command.audit.EnableAuditLoggingForExistingEnvironmentCommand.COMMAND_NAME;
+
+@Parameters(
+        commandNames = COMMAND_NAME,
+        commandDescription = COMMAND_DESCRIPTION
+)
+public class EnableAuditLoggingForExistingEnvironmentCommand implements Command {
+
+    public static final String COMMAND_NAME = "enable-audit-logging-for-existing-environment";
+    public static final String COMMAND_DESCRIPTION =
+            "A Composite command that will will execute the following commands in order: "
+                    + "create-audit-logging-stack, "
+                    + "create-audit-log-athena-db-and-table, "
+                    + "enable-audit-logging, "
+                    + "update-cms-config, "
+                    + "reboot-cms. "
+                    + "This will do everything required to enable audit logging for an existing environment.";
+
+    @Override
+    public String getCommandName() {
+        return COMMAND_NAME;
+    }
+
+    @Override
+    public Class<? extends Operation<?>> getOperationClass() {
+        return EnableAuditLoggingForExistingEnvironmentOperation.class;
+    }
+}

src/main/java/com/nike/cerberus/domain/cloudformation/AuditOutputs.java

@@ -0,0 +1,14 @@
+package com.nike.cerberus.domain.cloudformation;
+
+public class AuditOutputs {
+    String auditBucketName;
+
+    public String getAuditBucketName() {
+        return auditBucketName;
+    }
+
+    public AuditOutputs setAuditBucketName(String auditBucketName) {
+        this.auditBucketName = auditBucketName;
+        return this;
+    }
+}