Last active
August 23, 2019 06:27
-
-
Save adamgoucher/5dcdb42b9383aef804c6 to your computer and use it in GitHub Desktop.
An AWS Lambda function which monitors CloudTrail logs created in the us-east-1 region for CreateHostedZone events and makes the corresponding private zone if they were public. The problem is that this can have a lag of up to 15 minutes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var aws = require('aws-sdk'); | |
| var zlib = require('zlib'); | |
| var async = require('async'); | |
| var EVENT_SOURCE_TO_TRACK = /route53.amazonaws.com/; | |
| var EVENT_NAME_TO_TRACK = /CreateHostedZone/; | |
| var s3 = new aws.S3(); | |
| var route53 = new aws.Route53(); | |
| exports.handler = function(event, context) { | |
| console.log("Event data:"); | |
| console.log(JSON.stringify(event)); | |
| console.log("SNS message data:"); | |
| console.log(event.Records[0].Sns.Message); | |
| var snsMessage = JSON.parse(event.Records[0].Sns.Message); | |
| if (snsMessage.s3ObjectKey[0].match(/us-east-1/)) { | |
| async.waterfall([ | |
| function fetchLogFromS3(next){ | |
| console.log('Fetching compressed log from S3...'); | |
| s3.getObject({ | |
| Bucket: snsMessage.s3Bucket, | |
| Key: snsMessage.s3ObjectKey[0] | |
| }, | |
| next); | |
| }, | |
| function uncompressLog(response, next){ | |
| console.log("Uncompressing log..."); | |
| zlib.gunzip(response.Body, next); | |
| }, | |
| function createPrivateHostedZone(jsonBuffer, next) { | |
| console.log('Filtering log...'); | |
| var json = jsonBuffer.toString(); | |
| console.log('CloudTrail JSON from S3:', json); | |
| var records; | |
| try { | |
| records = JSON.parse(json); | |
| } catch (err) { | |
| next('Unable to parse CloudTrail JSON: ' + err); | |
| return; | |
| } | |
| var matchingRecords = records | |
| .Records | |
| .filter(function(record) { | |
| return record.eventSource.match(EVENT_SOURCE_TO_TRACK) | |
| && record.eventName.match(EVENT_NAME_TO_TRACK) | |
| && record.requestParameters.hostedZoneConfig.privateZone === false; | |
| }); | |
| async.each( | |
| matchingRecords, | |
| function(record, createComplete) { | |
| console.log("Creating private zone for " + record.requestParameters.name); | |
| var params = { | |
| CallerReference: record.requestParameters.callerReference + '.1', | |
| Name: record.requestParameters.name, | |
| HostedZoneConfig: { | |
| Comment: 'private zone for ' + record.requestParameters.name | |
| }, | |
| VPC: { | |
| VPCId: 'vpc-XXXXXXXX', | |
| VPCRegion: 'us-west-2' | |
| } | |
| }; | |
| route53.createHostedZone(params, createComplete); | |
| }, | |
| next | |
| ); | |
| } | |
| ], function (err) { | |
| if (err) { | |
| console.error('Failed to create private hosted zone: ', err); | |
| } else { | |
| console.log('Successfully created private hosted zone.'); | |
| } | |
| context.done(err); | |
| }); | |
| } else { | |
| console.log('Route 53 logs to us-east-1.'); | |
| } | |
| }; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment