Merge pull request #113 from userhas404d/control_finding_generator

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 3.0.2
+current_version = 4.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

.github/dependabot.yml

@@ -8,15 +8,10 @@ updates:
   - package-ecosystem: docker
     directory: "/"
     schedule:
-      interval: daily
+      interval: weekly
     open-pull-requests-limit: 10
   - package-ecosystem: terraform
     directory: "/"
     schedule:
-      interval: daily
-    open-pull-requests-limit: 10
-  - package-ecosystem: gomod
-    directory: "/tests"
-    schedule:
-      interval: daily
+      interval: weekly
     open-pull-requests-limit: 10

.mergify.yml

@@ -1,15 +1,14 @@
 pull_request_rules:
-  - name: automatic approve dependabot pull requests
+  - name: approve dependabot pull requests
     conditions:
-      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
-      - status-success=Travis CI - Pull Request
+      - author=dependabot[bot]
     actions:
       review:
         type: APPROVE
 
-  - name: automatic merge dependabot pull requests
+  - name: merge dependabot pull requests
     conditions:
-      - author~=dependabot\[bot\]|dependabot-preview\[bot\]
+      - author=dependabot[bot]
       - "#approved-reviews-by>=1"
     actions:
       merge:

CHANGELOG.md

@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [4.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.0.0)
+
+**Released**: 2023.05.25
+
+**Summary**:
+
+*   Adds support for security hub `control_finding_generator` feature
+*   Sets default value for `control_finding_generator` to `SECURITY_CONTROL`
+*   Updates minimum terraform aws provider version to 4.64.0
+
 ### 3.0.2
 
 **Released**: 2023.02.01

README.md

@@ -6,7 +6,7 @@ the `modules/cross-account-member` module.
 ## Testing
 You can find example implementations of this module in the tests folder. This module
 requires 2 different AWS accounts to test and so the terraform aws provider definitions
-are assuming that you will be using a profile with the name `resource-owner` and `resource-member`.
+are assuming that you will be using a profile with the name `aws` and `awsalternate`.
 
 Note: the implementation `tests/create_securityhub_member` will require you to provide the variables
 `email_address` prior to use
@@ -17,7 +17,7 @@ Note: the implementation `tests/create_securityhub_member` will require you to p
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
@@ -32,6 +32,7 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_action_targets"></a> [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
 | <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
 

main.tf

@@ -1,6 +1,8 @@
 # Enable SecurityHub
 module "account" {
   source = "./modules/account"
+
+  control_finding_generator = var.control_finding_generator
 }
 
 # Manage subscriptions

modules/accepter/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.29.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
 
 ## Resources
 

modules/accepter/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }

modules/account/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.29.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
 
 ## Resources
 
@@ -21,7 +21,9 @@
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
 
 ## Outputs
 

modules/account/main.tf

@@ -1 +1,3 @@
-resource "aws_securityhub_account" "this" {}
+resource "aws_securityhub_account" "this" {
+  control_finding_generator = var.control_finding_generator
+}

modules/account/variables.tf

@@ -0,0 +1,5 @@
+variable "control_finding_generator" {
+  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  type        = string
+  default     = "SECURITY_CONTROL"
+}

modules/account/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }

modules/action_target/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.29.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
 
 ## Resources
 

modules/action_target/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }

modules/cross-account-member/README.md

@@ -6,7 +6,7 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
@@ -22,6 +22,7 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_member_email"></a> [member\_email](#input\_member\_email) | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes |
 | <a name="input_action_targets"></a> [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
 | <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
 

modules/cross-account-member/main.tf

@@ -3,6 +3,7 @@ module "account" {
   source = "../../"
 
   action_targets             = var.action_targets
+  control_finding_generator  = var.control_finding_generator
   product_subscription_arns  = var.product_subscription_arns
   standard_subscription_arns = var.standard_subscription_arns
 }

modules/cross-account-member/variables.tf

@@ -13,6 +13,12 @@ variable "action_targets" {
   default = []
 }
 
+variable "control_finding_generator" {
+  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  type        = string
+  default     = "SECURITY_CONTROL"
+}
+
 variable "product_subscription_arns" {
   description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html"
   type        = list(string)

modules/cross-account-member/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source                = "hashicorp/aws"
-      version               = ">= 3.29.0"
+      version               = ">= 4.64.0"
       configuration_aliases = [aws.administrator]
     }
   }

modules/member/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.29.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
 
 ## Resources
 

modules/member/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }

modules/subscriptions/README.md

@@ -6,13 +6,13 @@
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.29.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.29.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
 
 ## Resources
 

modules/subscriptions/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }

tests/securityhub_cross_account/main.tf

@@ -1,12 +1,10 @@
 # Provider to use as the securityhub member (aka invitee)
 provider "aws" {
-  region  = "us-east-1"
   profile = "aws" # Profile must exist in your .aws/config
 }
 
 # Provider to use as the securityhub administrator
 provider "aws" {
-  region  = "us-east-1"
   alias   = "administrator"
   profile = "awsalternate" # Profile must exist in your .aws/config
 }

tests/securityhub_same_account/main.tf

@@ -1,6 +1,5 @@
 provider "aws" {
-  region  = "us-east-1"
-  profile = "resource-owner"
+  profile = "aws" # Profile must exist in your .aws/config
 }
 
 module "securityhub" {

variables.tf

@@ -8,6 +8,12 @@ variable "action_targets" {
   default = []
 }
 
+variable "control_finding_generator" {
+  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  type        = string
+  default     = "SECURITY_CONTROL"
+}
+
 variable "standard_subscription_arns" {
   description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
   type        = list(string)

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.29.0"
+      version = ">= 4.64.0"
     }
   }
 }