diff --git a/global_helpers/panther_base_helpers.py b/global_helpers/panther_base_helpers.py
index 8ebeb2a27..4c1255d8f 100644
--- a/global_helpers/panther_base_helpers.py
+++ b/global_helpers/panther_base_helpers.py
@@ -7,6 +7,7 @@ from functools import reduce
 from ipaddress import ip_address, ip_network
 from typing import Any, List, Optional, Sequence, Union
+from panther_config import config
 # # # # # # # # # # # # # # # Exceptions #
@@ -59,16 +60,17 @@ def is_dmz_cidr(ip_range):
     return any(ip_network(ip_range).overlaps(dmz_network) for dmz_network in DMZ_NETWORKS)
-DMZ_TAG_KEY = "environment"
-DMZ_TAG_VALUE = "dmz"
-
+DMZ_TAGS = config.DMZ_TAGS
 # Defaults to False to assume something is not a DMZ if it is not tagged
 def is_dmz_tags(resource):
     """This function determines whether a given resource is tagged as existing in a DMZ."""
     if resource["Tags"] is None:
         return False
-    return resource["Tags"].get(DMZ_TAG_KEY) == DMZ_TAG_VALUE
+    for key, value in DMZ_TAGS:
+        if resource["Tags"].get(key) == value:
+            return True
+    return False
 # Function variables here so that implementation details of these functions can be changed without
diff --git a/global_helpers/panther_config_defaults.py b/global_helpers/panther_config_defaults.py
index 87a8f01bb..cacf232e3 100644
--- a/global_helpers/panther_config_defaults.py
+++ b/global_helpers/panther_config_defaults.py
@@ -13,3 +13,10 @@ MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_DOMAINS = ORGANIZATION_DOMAINS
 MS_EXCHANGE_ALLOWED_FORWARDING_DESTINATION_EMAILS = ["postmaster@" + ORGANIZATION_DOMAINS[0]]
 TELEPORT_ORGANIZATION_DOMAINS = ORGANIZATION_DOMAINS
+
+# Key/value pairs of tags used to denote resources that are intentionally exposed
+DMZ_TAGS = set(
+    [
+        ("environment", "dmz"),
+    ]
+)
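Review bot: The added `from panther_config import config` sits directly under the `typing` import, inside the standard-library group, whereas PEP 8 keeps project imports in their own group; a blank line before it would keep the two groups distinct. Since the second hunk binds `DMZ_TAGS = config.DMZ_TAGS` at import time, this import presumably also makes the whole helper module depend on `panther_config` importing cleanly, which is worth knowing for anyone reading the import block.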
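Review bot: The four added lines in `is_dmz_tags` are a hand-written `any()`, while the sibling `is_dmz_cidr` immediately above already uses the `any(...)` form; `return any(resource["Tags"].get(key) == value for key, value in DMZ_TAGS)` replaces the loop and keeps the two helpers consistent. The docstring should also state the new contract, because matching any single configured pair is now enough to classify a resource as intentionally exposed: `"""Return True if any (key, value) pair in DMZ_TAGS matches the resource's Tags; a resource with no Tags is not treated as a DMZ."""`. `DMZ_TAGS` is copied from `config.DMZ_TAGS` once at import, so rebinding `config.DMZ_TAGS` later is not reflected in this helper; if that is intended, a short comment on the assignment (`# snapshot of config.DMZ_TAGS taken at import time`) would make it explicit.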
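Review bot: `DMZ_TAGS = set([("environment", "dmz"),])` builds a throwaway list only to turn it into a set; the set literal `DMZ_TAGS = {("environment", "dmz")}` is the idiomatic form (ruff C405). Because this value is a policy that decides which resources are treated as intentionally exposed, a `frozenset` would additionally signal that rule code is not expected to mutate it at runtime. The comment above it could also say that matching any one of the listed pairs is sufficient, since that is how the helper in the first file consumes it.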