DMZ Tagging: Support multiple tags, move to panther_config

panther-labs · Dec 11, 2023 · 4f3eb8e · 4f3eb8e
1 parent 2f53632
commit 4f3eb8e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
@@ -7,6 +7,7 @@
 from functools import reduce
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
+from panther_config import config
 
 # # # # # # # # # # # # # #
 #       Exceptions        #
@@ -59,16 +60,17 @@ def is_dmz_cidr(ip_range):
     return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS)
 
 
-DMZ_TAG_KEY = "environment"
-DMZ_TAG_VALUE = "dmz"
-
+DMZ_TAGS = config.DMZ_TAGS
 
 # Defaults to False to assume something is not a DMZ if it is not tagged
 def is_dmz_tags(resource):
     """This function determines whether a given resource is tagged as existing in a DMZ."""
     if resource["Tags"] is None:
         return False
-    return resource["Tags"].get(DMZ_TAG_KEY) == DMZ_TAG_VALUE
+    for key, value in DMZ_TAGS:
+        if resource["Tags"].get(key) == value:
+            return True
+    return False
 
 
 # Function variables here so that implementation details of these functions can be changed without

diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py
@@ -13,3 +13,10 @@
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
 TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS
+
+# Key/value pairs of tags used to denote resources that are intentionally exposed
+DMZ_TAGS = set(
+    [
+        ("environment", "dmz"),
+    ]
+)