prowler/contrib/org-multi-account/serverless_codebuild/templates/ProwlerCodeBuildStack.yaml

---
AWSTemplateFormatVersion: 2010-09-09
Description: Creates a CodeBuild project to audit an AWS account with Prowler and stores the html report in a S3 bucket.
Parameters:
  AwsOrgId:
    Type: String
    Description: Enter AWS Organizations ID
    AllowedPattern: ^o-[a-z0-9]{10,32}$
    ConstraintDescription: The Org Id must be a 12 character string starting with o- and followed by 10 lower case alphanumeric characters.
    Default: o-itdezkbz6h
  CodeBuildRole:
    Description: Enter Name for CodeBuild Role to create
    Type: String
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters supported [+, =, ., @, -]
    Default: ProwlerCodeBuild-Role
  CodeBuildSourceS3:
    Type: String
    Description: Enter like <bucket-name>/<path>/<object-name>.zip
    ConstraintDescription: Max 63 characters. Can't start or end with dash.  Can use numbers and lowercase letters.
    Default: prowler-util-411267690458-ap-northeast-2/run-prowler-reports.sh.zip
  ProwlerReportS3:
    Type: String
    Description: Enter S3 Bucket for Prowler Reports.  prefix-awsaccount-awsregion
    AllowedPattern: ^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$
    ConstraintDescription: Max 63 characters. Can't start or end with dash.  Can use numbers and lowercase letters.
    Default: prowler-954896828174-ap-northeast-2
  ProwlerReportS3Account:
    Type: String
    Description: Enter AWS Account Number where Prowler S3 Bucket resides.
    AllowedPattern: ^\d{12}$
    ConstraintDescription: An AWS Account Number must be a 12 digit numeric string.
    Default: 954896828174
  CrossAccountRole:
    Type: String
    Description: Enter CrossAccount Role Prowler will be using to assess AWS Accounts in the AWS Organization. (ProwlerCrossAccountRole)
    AllowedPattern: ^[\w+=,.@-]{1,64}$
    ConstraintDescription: Max 64 alphanumeric characters. Also special characters [+, =, ., @, -]
    Default: ProwlerXA-CBRole
  ProwlerReportFormat:
    Type: String
    Description: Enter Prowler Option like html, csv, json
    Default: html

Resources:
  ProwlerCodeBuildRole:
    Type: AWS::IAM::Role
    Properties:
      Description: Prowler CodeBuild Role
      RoleName: !Ref CodeBuildRole
      Tags:
        - Key: App
          Value: Prowler
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole
      Policies:
        - PolicyName: Prowler-S3
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowGetPutListObject
                Effect: Allow
                Resource:
                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}
                  - !Sub arn:${AWS::Partition}:s3:::${ProwlerReportS3}/*
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:ListBucket
                  - s3:PutObjectAcl
              - Sid: AllowReadOnlyS3Access
                Effect: Allow
                Resource: "*"
                Action:
                  - "s3:Get*"
                  - "s3:List*"
        - PolicyName: Prowler-CrossAccount-AssumeRole
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowStsAssumeRole
                Effect: Allow
                Resource: !Sub arn:${AWS::Partition}:iam::*:role/${CrossAccountRole}
                Action: sts:AssumeRole
                Condition:
                  StringEquals:
                    aws:PrincipalOrgId: !Ref AwsOrgId
        - PolicyName: Prowler-CloudWatch
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AllowCreateLogs
                Effect: Allow
                Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*
                Action:
                  - logs:CreateLogGroup
                  - logs:CreateLogStream
              - Sid: AllowPutevent
                Effect: Allow
                Resource: !Sub arn:${AWS::Partition}:logs:*:*:log-group:*:log-stream:*
                Action:
                  - logs:PutLogEvents

  ProwlerCodeBuild:
    Type: AWS::CodeBuild::Project
    Properties:
      Artifacts:
        Type: NO_ARTIFACTS
      Source:
        Type: S3
        Location: !Ref CodeBuildSourceS3
        BuildSpec: |
          version: 0.2
          phases:
            install:
              runtime-versions:
                python: 3.8
              commands:
                - echo "Updating yum ..."
                - yum -y update --skip-broken
                - echo "Updating pip ..."
                - python -m pip install --upgrade pip
                - echo "Installing requirements ..."
                - pip install "git+https://github.com/ibm/detect-secrets.git@master#egg=detect-secrets"
            build:
              commands:
                - echo "Running Prowler with script"
                - chmod +x run-prowler-reports.sh
                - ./run-prowler-reports.sh
            post_build:
              commands:
                - echo "Done!"
      Environment:
        # AWS CodeBuild free tier includes 100 build minutes of BUILD_GENERAL1_SMALL per month.
        # BUILD_GENERAL1_SMALL: Use up to 3 GB memory and 2 vCPUs for builds. $0.005/minute.
        # BUILD_GENERAL1_MEDIUM: Use up to 7 GB memory and 4 vCPUs for builds. $0.01/minute.
        # BUILD_GENERAL1_LARGE: Use up to 15 GB memory and 8 vCPUs for builds. $0.02/minute.
        # BUILD_GENERAL1_2XLARGE: Use up to 144 GB memory and 72 vCPUs for builds. $0.20/minute.
        ComputeType: "BUILD_GENERAL1_SMALL"
        Image: "aws/codebuild/amazonlinux2-x86_64-standard:3.0"
        Type: "LINUX_CONTAINER"
        EnvironmentVariables:
          - Name: "S3"
            Value: !Sub s3://${ProwlerReportS3}
            Type: PLAINTEXT
          - Name: "S3ACCOUNT"
            Value: !Ref ProwlerReportS3Account
            Type: PLAINTEXT
          - Name: "ROLE"
            Value: !Ref CrossAccountRole
            Type: PLAINTEXT
          - Name: "FORMAT"
            Value: !Ref ProwlerReportFormat
            Type: PLAINTEXT
      Description: Run Prowler assessment
      ServiceRole: !GetAtt ProwlerCodeBuildRole.Arn
      TimeoutInMinutes: 300

  ProwlerCWRuleRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - events.amazonaws.com
            Action:
              - sts:AssumeRole
      Description: ProwlerCWRuleRole
      RoleName: ProwlerCWRule-Role
      Policies:
        - PolicyName: Rule-Events
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Sid: AWSEventInvokeCodeBuild
                Effect: Allow
                Resource: "*"
                Action:
                  - codebuild:StartBuild

  ProwlerRule:
    Type: AWS::Events::Rule
    Properties:
      Description: This rule will trigger CodeBuild to audit AWS Accounts in my Organization with Prowler
      ScheduleExpression: cron(0 21 * * ? *)
      RoleArn: !GetAtt ProwlerCWRuleRole.Arn
      Name: ProwlerExecuteRule
      State: ENABLED
      Targets:
        - Arn: !Sub ${ProwlerCodeBuild.Arn}
          Id: Prowler-CodeBuild-Target
          RoleArn: !GetAtt ProwlerCWRuleRole.Arn


Outputs:
  ProwlerEc2Account:
    Description: AWS Account Number where Prowler EC2 Instance resides.
    Value: !Ref AWS::AccountId
  ProwlerCodeBuildRole:
    Description: Instance Role given to the Prowler EC2 Instance (needed to grant sts:AssumeRole rights).
    Value: !Ref ProwlerCodeBuildRole
  ProwlerReportS3:
    Description: S3 Bucket for Prowler Reports
    Value: !Ref ProwlerReportS3