Foundation-security-services-setup/setup-security-services at main · OpenSecOps-Org/Foundation-security-services-setup · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
#!/usr/bin/env python3

import argparse
import sys
import json

# Import shared utilities
from modules.utils import printc, get_client, YELLOW, LIGHT_BLUE, GREEN, RED, GRAY, END, BOLD

# Import service modules
from modules.aws_config import setup_aws_config
from modules.guardduty import setup_guardduty
from modules.security_hub import setup_security_hub
from modules.access_analyzer import setup_access_analyzer
from modules.detective import setup_detective
from modules.inspector import setup_inspector

def main():
    parser = argparse.ArgumentParser(description='Setup AWS Security Services')

    # Service enable/disable flags
    parser.add_argument('--aws-config', default='Yes', choices=['Yes', 'No'], help='Enable AWS Config (Yes/No, default: Yes)')
    parser.add_argument('--guardduty', default='Yes', choices=['Yes', 'No'], help='Enable GuardDuty (Yes/No, default: Yes)')
    parser.add_argument('--security-hub', default='Yes', choices=['Yes', 'No'], help='Enable Security Hub (Yes/No, default: Yes)')
    parser.add_argument('--access-analyzer', default='Yes', choices=['Yes', 'No'], help='Enable IAM Access Analyzer (Yes/No, default: Yes)')
    parser.add_argument('--detective', default='No', choices=['Yes', 'No'], help='Enable Detective (Yes/No, default: No)')
    parser.add_argument('--inspector', default='No', choices=['Yes', 'No'], help='Enable Inspector (Yes/No, default: No)')

    # AWS parameters
    parser.add_argument('--admin-account', required=True, help='Admin account ID')
    parser.add_argument('--security-account', required=True, help='Security account ID')
    parser.add_argument('--regions', required=True, help='All regions (comma-separated, main region first)')
    parser.add_argument('--cross-account-role',
                        default='AWSControlTowerExecution',
                        choices=['AWSControlTowerExecution', 'OrganizationAccountAccessRole'],
                        help='Cross-account role name (default: AWSControlTowerExecution for Control Tower, OrganizationAccountAccessRole for Organizations-only)')
    parser.add_argument('--org-id', required=True, help='Organization ID')
    parser.add_argument('--root-ou', required=True, help='Root organizational unit ID')

    # Standard flags (automatically passed by deployment system)
    parser.add_argument('--dry-run', action='store_true', help='Show what would be done without making changes')
    parser.add_argument('--verbose', action='store_true', help='Verbose output')

    args = parser.parse_args()

    # Main header banner (LIGHT_BLUE like Foundation-AWS-Core-SSO-Configuration)
    printc(LIGHT_BLUE, "=" * 60)
    printc(LIGHT_BLUE, "  Foundation Security Services Setup")
    printc(LIGHT_BLUE, "-" * 60)

    if args.dry_run:
        printc(YELLOW, "DRY RUN MODE: No actual changes will be made")

    if args.verbose:
        printc(GRAY, "VERBOSE MODE: Additional debugging output enabled")
        printc(GRAY, "\nService flags:")
        printc(GRAY, f"  --aws-config: {args.aws_config}")
        printc(GRAY, f"  --guardduty: {args.guardduty}")
        printc(GRAY, f"  --access-analyzer: {args.access_analyzer}")
        printc(GRAY, f"  --security-hub: {args.security_hub}")
        printc(GRAY, f"  --detective: {args.detective}")
        printc(GRAY, f"  --inspector: {args.inspector}")
        printc(GRAY, "\nAWS parameters:")
        printc(GRAY, f"  --admin-account: {args.admin_account}")
        printc(GRAY, f"  --security-account: {args.security_account}")
        printc(GRAY, f"  --regions: {args.regions}")
        printc(GRAY, f"  --cross-account-role: {args.cross_account_role}")
        printc(GRAY, f"  --org-id: {args.org_id}")
        printc(GRAY, f"  --root-ou: {args.root_ou}")
        printc(GRAY, "\nOther arguments:")
        printc(GRAY, f"  --dry-run: {args.dry_run}")
        printc(GRAY, f"  --verbose: {args.verbose}")

    # Parse region list from comma-separated string (required parameter)
    regions_list = [region.strip() for region in args.regions.split(',')]

    # Validate that we have at least one non-empty region after trimming
    regions_list = [region for region in regions_list if region]  # Remove empty strings
    if not regions_list:
        printc(RED, "❌ ERROR: At least one region must be specified")
        printc(RED, "   The --regions parameter cannot be empty or contain only whitespace")
        printc(RED, "   Example: --regions us-east-1,us-west-2")
        sys.exit(1)

    # Create parameters object for passing to service functions
    params = {
        'admin_account': args.admin_account,
        'security_account': args.security_account,
        'regions': regions_list,
        'cross_account_role': args.cross_account_role,
        'org_id': args.org_id,
        'root_ou': args.root_ou
    }

    # Track results for final summary
    results = {}

    # Execute security service setup functions in optimal dependency order
    services = [
        ("AWS Config", setup_aws_config, args.aws_config),
        ("GuardDuty", setup_guardduty, args.guardduty),
        ("IAM Access Analyzer", setup_access_analyzer, args.access_analyzer),
        ("Security Hub", setup_security_hub, args.security_hub),  # After core services, before optional ones
        ("Detective", setup_detective, args.detective),
        ("Inspector", setup_inspector, args.inspector),
    ]

    for service_name, setup_func, enabled in services:
        try:
            success = setup_func(enabled, params, args.dry_run, args.verbose)
            if success:
                results[service_name] = "SUCCESS"
            else:
                results[service_name] = "FAILED"
                printc(RED, f"⚠️ {service_name} failed")

        except Exception as e:
            printc(RED, f"❌ CRITICAL ERROR in {service_name}: {e}")
            results[service_name] = f"CRITICAL ERROR: {e}"

    # Final summary
    printc(LIGHT_BLUE, "\n" + "="*60)
    printc(LIGHT_BLUE, "FINAL SUMMARY")
    printc(LIGHT_BLUE, "="*60)

    for service_name, result in results.items():
        if "SUCCESS" in result:
            printc(GREEN, f"{service_name}: ✅ {result}")
        elif "FAILED" in result:
            printc(RED, f"{service_name}: ⚠️ {result}")
        else:
            printc(RED, f"{service_name}: ❌ {result}")

    # Determine overall exit code
    failed_services = [name for name, result in results.items() if "FAILED" in result or "ERROR" in result]

    if failed_services:
        printc(YELLOW, f"\n⚠️ {len(failed_services)} service(s) had issues: {', '.join(failed_services)}")
        printc(GREEN, "✅ Script completed with warnings")
        return 0  # Still return 0 to avoid breaking deployment pipeline
    else:
        printc(BOLD + GREEN, "\n✅ All services processed successfully")
        return 0

if __name__ == '__main__':
    sys.exit(main())