twilio-labs / socless Goto Github PK

Project currently has no test coverage. Unit tests should be added in order to reduce the likelihood of errors caused by any future changes.

"message_template": "`{context.artifacts.event.details.username}` logged in from `{context.results.Geolocate_IP.country_name}` at coordinates `{context.results.Geolocate_IP.latitude}`, `{context.results.Geolocate_IP.longitude}`"

should be

"message_template": "`{context.artifacts.event.details.username}` logged in from `{context.results.Geolocate_IP.country}` at coordinates `{context.results.Geolocate_IP.latitude}`, `{context.results.Geolocate_IP.longitude}`"

SOCless is deployed using the serverless framework. Currently, the IAM permissions needed to deploy SOCless are not defined. This often leads SOCless users to deploy using * permissions.

To improve the security of the SOCless framework, SOCless needs a permissions template for the SOCless deployment role that SOCless users can use for deployment. The permissions template would ideally provide the least-privilege access needed to successfully deploy SOCless.

Acceptance Criteria:

• A permissions template for the SOCless deployment user/role has been created, tested and added to the SOCless documentation and SOCless code-base

Helpful Resoures:

• This issue on the serverless framework github repo shows how an individual successfully scoped down the permissions they needed to deploy using the serverless framework serverless/serverless#1439
• This blog post discusses IAM permissions for the serverless framework https://www.serverless.com/blog/abcs-of-iam-permissions/

The dynamoDB tables supporting SOCless should be encrypted at rest by default.

• socless_dedup
• socless_playbooks
• socless_execution_results
• socless_message_responses
• socless_custom_mappings
• socless_events

Same for S3:

• socless-dev/prod-soclesslogs
• socless-dev/prod-soclessvault

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/EncryptionAtRest.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-encryption.html

https://twilio-labs.github.io/socless/your-first-endpoint/
" At the bottom of the file, let’s configure a lambda function that:" - is a bit confusing when going through the demo and can lead to improperly updating your yml file. Probably makes sense to add a code block showing https://github.com/twilio-labs/socless-examples/blob/master/getting-started-tutorial/socless-tutorial/serverless.yml so its clear.

Project is missing a number of useful documentation files (CODE_OF_CONDUCT, CONTRIBUTING, ISSUE_TEMPLATE, PULL_REQUEST_TEMPLATE) and does not conform to a number of PEP8 standards.

Currently the project dosen't support the map state.

It would be really useful when a series of actions / integrations need to be applied to an array. It would reduce the number of steps needed in the playbook.

Currently IAM for lambda functions is done via serverless role/policy creation in serverless.yaml.

Would be a huge QoL improvement to simplify the creation of lambda roles for easier adherence to principle of least privilege.

This could be done by including a number of default lambda roles (EG if lambda layers are used, they always require lambda:getLayerVersion) with a fill-in-the-blanks section for the ARN of the resource as necessary.

Alternatively, a quick(ish) IAM win would be to include the creation of a policy and role for the tutorial in serverless.yaml.

OS: Monterey, Version 12.3.1
npm version: 8.6.0
node version: v16 & v18.0.0
serverless version: Framework Core: 3.15.2 (local) 3.15.2 (global)
Plugin: 6.2.2
SDK: 4.3.2

Upon running npm run dev (even with the --force option), I receive the following :

file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:126
throw new Error(errors.error);
^

Error: Directory of code to package does not exist: layers does not exist
at file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:126:31
at step (file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:43:23)
at Object.next (file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:24:53)
at file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:18:71
at new Promise ()
at __awaiter (file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:14:12)
at makePackages (file:///Users/m_a_t/socless/node_modules/lambda-packager/build/lib/packaging.js:118:12)
at Object.handler (file:///Users/m_a_t/socless/node_modules/lambda-packager/build/src/main.js:93:9)
at Object.run (/Users/m_a_t/socless/node_modules/cmd-ts/dist/cjs/command.js:150:41)
at async runSafely (/Users/m_a_t/socless/node_modules/cmd-ts/dist/cjs/runner.js:38:24)

I am by no means an expert in JavaScript, but I do not understand the issue with the "throw new Error" line, and the files the second error prints, are indeed within the Socless folder.

The program continues until the next error as seen below:

[email protected] dev
serverless deploy $npm_package_config_dev --aws-profile $npm_package_config_aws_profile --verbose

StepFunctions logging not enabled. To ship playbook logs, set custom.sls_apb.logging = true in serverless.yml
Rendering State Machine for ./playbooks/socless_core_integration_test/playbook.json...

Error:
Non-object value specified in resources array: ${{file(resources/dynamodb.yml)}}

The dynamodb.yml file was untouched, and googling for the above error has not been fruitful thus far.

Any suggestions would be greatly appreciated.

Following the documentation to deploy Socless core infrastructure I am currently getting the following error:

Stack with id socless-dev does not exist

Have tried on two different environments (MacOS and Ubuntu 18) as follows:

Your Environment Information ---------------------------
Operating System: darwin
Node Version: 16.10.0
Framework Version: 2.57.0 (local)
Plugin Version: 5.4.4
SDK Version: 4.3.0
Components Version: 3.17.0

Your Environment Information ---------------------------
Operating System: linux
Node Version: 14.18.0
Framework Version: 2.57.0 (local)
Plugin Version: 5.4.4
SDK Version: 4.3.0
Components Version: 3.17.0

None of them managed to deploy the core infrastructure. I have also tried with no success to:

• Deploy a dummy infrastructure with Serverless to check IAM permissions and that was working ok
• Add the --force command to the deploy command
• Deploy to another region / aws account
• Follow this troubleshooting guide again with no success

Also looked into the AWS Cloudtrail logs and I am getting a "ValidationException" when making the API call to "DescribeStacks" done by cloudformation with the same error message that serverless provides.

Look forward to some guidance in here.