Lambda function that performs actions against a target LDAP database.

This function must be deployed into a VPC that has layer 3 connectivity to the target LDAP deployment.

When provided an event with the query action this function will:

- Query LDAP for the target objects and group them according to the time of their last password change (by default the thresholds are 120, 90, and 60 days).
- Generate human-readable and machine-readable artifacts, which are then placed into S3.
- Generate S3 presigned URLs for the artifacts.

When provided an event with the disable action this function will:

- Retrieve the previous scan results from the S3 object key provided in the disable event (the expectation is that this object was generated during the query run of this function).
- Disable objects whose passwords have not been updated within the last 120 days (the days_since_pwdlastset input; accounts listed in additional_hands_off_accounts are never disabled).
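The bucketing done by the query action and the selection done by the disable action, as an added Python example (not the module's own code). It assumes the entries have already been read from LDAP as dicts carrying distinguishedName and pwdLastSet (an Active Directory FILETIME), and uses a fixed clock plus constructed sample entries so it runs offline.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEFAULT_BUCKETS = (120, 90, 60)  # the thresholds named in the description
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the sample is deterministic


def filetime_to_datetime(filetime: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10


def bucket_by_password_age(entries, now=NOW, buckets=DEFAULT_BUCKETS):
    """Group DNs under the largest threshold their password age reaches:
    {threshold_days: [dn, ...]}, omitting entries younger than the smallest one.
    pwdLastSet == 0 means never set / must change at next logon; treated as stale."""
    grouped = {days: [] for days in sorted(buckets, reverse=True)}
    for entry in entries:
        pwd_last_set = int(entry["pwdLastSet"])
        age_days = max(buckets) if pwd_last_set == 0 else (now - filetime_to_datetime(pwd_last_set)).days
        for days in grouped:  # descending order, so the first hit is the largest threshold
            if age_days >= days:
                grouped[days].append(entry["distinguishedName"])
                break
    return grouped


def select_for_disable(grouped, days_since_pwdlastset=120, hands_off=()):
    """DNs the disable run would act on: the configured bucket minus the
    never-disable list (compared case-insensitively, as AD DNs are)."""
    protected = {dn.lower() for dn in hands_off}
    return [dn for dn in grouped.get(days_since_pwdlastset, []) if dn.lower() not in protected]


def sample_entries():
    """Constructed stand-in for the LDAP search result (not real directory data)."""
    def entry(cn, days_ago):
        ft = 0 if days_ago is None else datetime_to_filetime(NOW - timedelta(days=days_ago))
        return {"distinguishedName": f"CN={cn},OU=Users,DC=example,DC=com", "pwdLastSet": ft}
    return [entry("alice", 200), entry("bob", 100), entry("carol", 70),
            entry("dave", 10), entry("svc-backup", None), entry("breakglass", 150)]


def run_example():
    grouped = bucket_by_password_age(sample_entries())
    return grouped, select_for_disable(grouped, 120, ["cn=breakglass,ou=users,dc=example,dc=com"])
```

With the sample data, alice, svc-backup and breakglass land in the 120-day bucket, bob in the 90-day bucket and carol in the 60-day bucket; only alice and svc-backup are selected for disabling because breakglass is on the hands-off list.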
## Requirements

No requirements.
## Providers

| Name | Version |
|---|---|
| aws | n/a |
| random | n/a |
## Resources

| Name | Type |
|---|---|
| aws_caller_identity.current | data source |
| aws_iam_policy_document.lambda | data source |
| aws_region.current | data source |
| aws_s3_bucket.artifacts | data source |
| aws_subnet_ids.private | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| artifacts_bucket_name | Name of the artifacts bucket | string | n/a | yes |
| domain_base_dn | Distinguished name of the domain | string | n/a | yes |
| ldaps_url | LDAPS URL of the target domain | string | n/a | yes |
| svc_user_dn | Distinguished name of the user account used to manage Simple AD | string | n/a | yes |
| svc_user_pwd_ssm_key | SSM parameter key that contains the service account password | string | n/a | yes |
| vpc_id | ID of the VPC hosting your Simple AD instance | string | n/a | yes |
| additional_hands_off_accounts | List of accounts that will never be disabled | list(string) | [] | no |
| days_since_pwdlastset | Number of days since the pwdLastSet LDAP attribute was last updated; objects whose password is older than this are disabled by the disable action | number | 120 | no |
| log_level | Log level of the Lambda output, one of: Debug, Info, Warning, Error, or Critical | string | "Info" | no |
| project_name | Name of the project | string | "ldap-maintainer" | no |
| tags | Map of tags to assign to this module's resources | map(string) | {} | no |
## Outputs

| Name | Description |
|---|---|
| function_arn | The ARN of the Lambda function |
| function_invoke_arn | The invoke ARN of the Lambda function |
| function_name | The name of the Lambda function |
| function_qualified_arn | The qualified ARN of the Lambda function |
| python_ldap_layer_arn | ARN of the python-ldap layer |
| role_arn | The ARN of the IAM role created for the Lambda function |
| role_name | The name of the IAM role created for the Lambda function |