Port Kubernetes Response Engine to AWS Technology (#460)

* Add a falco-sns utility which publishes to an AWS SNS topic

* Add an script for deploying function in AWS Lambda

* Bump dependencies

* Use an empty topic and pass AWS_DEFAULT_REGION environment variable

* Add gitignore

* Install ca-certificates.

Are used when we publish to a SNS topic.

* Add myself as a maintainer

* Decode events from SNS based messages

* Add Terraform manifests for getting an EKS up and running

Please, take attention to setup kubectl  and how to join workers:

https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#obtaining-kubectl-configuration-from-terraform
https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html#required-kubernetes-configuration-to-join-worker-nodes

* Ignore terraform generated files

* Remove autogenerated files

* Also publish MessageAttributes which allows to use Filter Policies

This allows to subscribe only to errors, or warnings or several
priorities or by rule names.

It covers same funcionality than NATS publishe does.

* Add kubeconfig and aws-iam-authenticator from heptio to Lambda environment

* Add role trust from cluster creator to lambda role

* Enable CloudWatch for Lambda stuff

* Generate kubeconfig, kubeconfig for lambdas and the lambda arn

This is used by deployment script

* Just a cosmetic change

* Add a Makefile which creates the cluster and configures it

* Use terraform and artifacts which belongs to this repository for deploying

* Move CNCF related deployment to its own directory

* Create only SNS and Lambda stuff.

Assume that the EKS cluster will be created outside

* Bridge IAM with RBAC

This allows to use the role for lambdas for authenticating against
Kubernetes

* Do not rely on terraform for deploying a playbook in lambda

* Clean whitespace

* Move rebased playbooks to functions

* Fix rebase issues with deployment and rbac stuff

* Add a clean target to Makefile

* Inject sys.path modification to Kubeless function deployment

* Add documentation and instructions

integrations/kubernetes-response-engine/deployment/aws/.gitignore

@@ -0,0 +1,4 @@
+.terraform/*
+.terraform.*
+terraform.*
+*.yaml

integrations/kubernetes-response-engine/deployment/aws/Makefile

@@ -0,0 +1,11 @@
+all: create configure
+
+create:
+	terraform apply
+
+configure:
+	kubectl get -n kube-system configmap/aws-auth -o yaml | awk "/mapRoles: \|/{print;print \"$(shell terraform output patch_for_aws_auth)\";next}1" > aws-auth-patch.yml
+	kubectl -n kube-system replace -f aws-auth-patch.yml
+
+clean:
+	terraform destroy

integrations/kubernetes-response-engine/deployment/aws/README.md

@@ -0,0 +1,23 @@
+# Terraform manifests for Kubernetes Response Engine running on AWS
+
+In this directory are the Terraform manifests for creating required infrasturcture
+for the Kubernetes Response Engine running with AWS technology: SNS for messaging
+and Lambda for executing the playbooks.
+
+## Deploy
+
+For creating the resources, just run default Makefile target:
+
+```
+make
+```
+
+This will ask for an IAM user which creates the bridge between EKS rbac and AWS IAM.
+
+## Clean
+
+You can clean IAM roles and SNS topics with:
+
+```
+make clean
+```

integrations/kubernetes-response-engine/deployment/aws/lambda.tf

@@ -0,0 +1,25 @@
+resource "aws_iam_role" "iam-for-lambda" {
+  name = "iam_for_lambda"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com",
+        "AWS": "${var.iam-user-arn}"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "iam-for-lambda" {
+  policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccess"
+  role       = "${aws_iam_role.iam-for-lambda.name}"
+}

integrations/kubernetes-response-engine/deployment/aws/outputs.tf

@@ -0,0 +1,16 @@
+locals {
+  patch_for_aws_auth = <<CONFIGMAPAWSAUTH
+    - rolearn: ${aws_iam_role.iam-for-lambda.arn}\n
+     username: kubernetes-admin\n
+     groups:\n
+       - system:masters
+CONFIGMAPAWSAUTH
+}
+
+output "patch_for_aws_auth" {
+  value = "${local.patch_for_aws_auth}"
+}
+
+output "iam_for_lambda" {
+  value = "${aws_iam_role.iam-for-lambda.arn}"
+}

integrations/kubernetes-response-engine/deployment/aws/sns.tf

@@ -0,0 +1,3 @@
+resource "aws_sns_topic" "falco-alerts" {
+  name = "falco-alerts"
+}

integrations/kubernetes-response-engine/deployment/aws/variables.tf

@@ -0,0 +1,3 @@
+variable "iam-user-arn" {
+  type    = "string"
+}