From a0b3e773b92a71bfd3639a358d4cda77df9d2ee9 Mon Sep 17 00:00:00 2001 From: userhas404d <29389186+userhas404d@users.noreply.github.com> Date: Tue, 23 May 2023 12:16:05 -0400 Subject: [PATCH 1/3] Adds control_finding_generator input var --- README.md | 3 ++- main.tf | 2 ++ modules/account/README.md | 4 +++- modules/account/main.tf | 4 +++- modules/account/variables.tf | 5 +++++ modules/cross-account-member/README.md | 1 + modules/cross-account-member/main.tf | 1 + modules/cross-account-member/variables.tf | 6 ++++++ variables.tf | 6 ++++++ versions.tf | 2 +- 10 files changed, 30 insertions(+), 4 deletions(-) create mode 100644 modules/account/variables.tf diff --git a/README.md b/README.md index de2a58e..47c752e 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ Note: the implementation `tests/create_securityhub_member` will require you to p | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers @@ -32,6 +32,7 @@ No resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no | +| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no | | [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no | | [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no | diff --git a/main.tf b/main.tf index f15b60d..aaa9133 100644 --- a/main.tf +++ b/main.tf @@ -1,6 +1,8 @@ # Enable SecurityHub module "account" { source = "./modules/account" + + control_finding_generator = var.control_finding_generator } # Manage subscriptions diff --git a/modules/account/README.md b/modules/account/README.md index 074ca02..21fb553 100644 --- a/modules/account/README.md +++ b/modules/account/README.md @@ -21,7 +21,9 @@ ## Inputs -No inputs. +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no | ## Outputs diff --git a/modules/account/main.tf b/modules/account/main.tf index 4812a49..e80ce05 100644 --- a/modules/account/main.tf +++ b/modules/account/main.tf @@ -1 +1,3 @@ -resource "aws_securityhub_account" "this" {} +resource "aws_securityhub_account" "this" { + control_finding_generator = var.control_finding_generator +} diff --git a/modules/account/variables.tf b/modules/account/variables.tf new file mode 100644 index 0000000..5a94461 --- /dev/null +++ b/modules/account/variables.tf 
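Review bot: The new `control_finding_generator` argument on `aws_securityhub_account.this` is applied unconditionally with a default of `SECURITY_CONTROL`, so an account that was enabled earlier with the per-standard format will be switched to consolidated control findings on the first apply after upgrading, which changes finding IDs and several ASFF fields that downstream detection rules and SIEM integrations key on. The CHANGELOG marks this as a major release, but the variable description says nothing about the migration effect; suggest `description = "(Optional) SECURITY_CONTROL consolidates control findings across standards, STANDARD_CONTROL emits one per standard. Changing this on an existing account changes finding IDs and format."`. For member accounts the effective value is, as far as I recall, governed by the administrator account's setting, so the argument may be a no-op when passed through `modules/cross-account-member` — worth confirming against the provider docs before documenting it as an input there.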
@@ -0,0 +1,5 @@ +variable "control_finding_generator" { + description = "(Optional) Updates whether the calling account has consolidated control findings turned on." + type = string + default = "SECURITY_CONTROL" +} diff --git a/modules/cross-account-member/README.md b/modules/cross-account-member/README.md index 286e751..1b73273 100644 --- a/modules/cross-account-member/README.md +++ b/modules/cross-account-member/README.md @@ -22,6 +22,7 @@ No resources. |------|-------------|------|---------|:--------:| | [member\_email](#input\_member\_email) | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes | | [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
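Review bot: The new `control_finding_generator` variable accepts any string, but the provider only accepts `SECURITY_CONTROL` or `STANDARD_CONTROL`, so a typo is caught only at apply time by the API after the plan has already been approved; the root module already requires Terraform >= 0.13, which supports `validation` blocks. The same unvalidated declaration is added in `modules/cross-account-member/variables.tf` and in the root `variables.tf` in this patch and should get the same block.

```terraform
variable "control_finding_generator" {
  # … unchanged: description, type, default …

  validation {
    condition     = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.control_finding_generator)
    error_message = "control_finding_generator must be SECURITY_CONTROL or STANDARD_CONTROL."
  }
}
```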
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no | +| [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no | | [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no | | [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no | diff --git a/modules/cross-account-member/main.tf b/modules/cross-account-member/main.tf index 11371d5..849ed85 100644 --- a/modules/cross-account-member/main.tf +++ b/modules/cross-account-member/main.tf @@ -3,6 +3,7 @@ module "account" { source = "../../" action_targets = var.action_targets + control_finding_generator = var.control_finding_generator product_subscription_arns = var.product_subscription_arns standard_subscription_arns = var.standard_subscription_arns } diff --git a/modules/cross-account-member/variables.tf b/modules/cross-account-member/variables.tf index 36e20bd..f618590 100644 --- a/modules/cross-account-member/variables.tf +++ b/modules/cross-account-member/variables.tf @@ -13,6 +13,12 @@ variable "action_targets" { default = [] } +variable "control_finding_generator" { + description = "(Optional) Updates whether the calling account has consolidated control findings turned on." + type = string + default = "SECURITY_CONTROL" +} + variable "product_subscription_arns" { description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html" type = list(string) diff --git a/variables.tf b/variables.tf index 885497d..009ba23 100644 --- a/variables.tf +++ b/variables.tf 
@@ -8,6 +8,12 @@ variable "action_targets" { default = [] } +variable "control_finding_generator" { + description = "(Optional) Updates whether the calling account has consolidated control findings turned on." + type = string + default = "SECURITY_CONTROL" +} + variable "standard_subscription_arns" { description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html" type = list(string) diff --git a/versions.tf b/versions.tf index 966e9bd..076bf5b 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } From 3e3d9184d7a3499b2cec55d668a40c445fa32edf Mon Sep 17 00:00:00 2001 From: Loren Gordon Date: Thu, 25 May 2023 08:03:05 -0700 Subject: [PATCH 2/3] Updates tests and readme with correct provider/profile configs --- .mergify.yml | 9 ++++----- README.md | 2 +- tests/securityhub_cross_account/main.tf | 2 -- tests/securityhub_same_account/main.tf | 3 +-- 4 files changed, 6 insertions(+), 10 deletions(-) diff --git a/.mergify.yml b/.mergify.yml index 9ef8ea9..0c77e19 100644 --- a/.mergify.yml +++ b/.mergify.yml @@ -1,15 +1,14 @@ pull_request_rules: - - name: automatic approve dependabot pull requests + - name: approve dependabot pull requests conditions: - - author~=dependabot\[bot\]|dependabot-preview\[bot\] - - status-success=Travis CI - Pull Request + - author=dependabot[bot] actions: review: type: APPROVE - - name: automatic merge dependabot pull requests + - name: merge dependabot pull requests conditions: - - author~=dependabot\[bot\]|dependabot-preview\[bot\] + - author=dependabot[bot] - "#approved-reviews-by>=1" actions: merge: diff --git a/README.md b/README.md index 47c752e..f5a784c 100644 --- a/README.md +++ b/README.md 
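Review bot: The `approve dependabot pull requests` rule drops the `status-success=Travis CI - Pull Request` condition, so approval — and through the second rule, merge — now depends only on `author=dependabot[bot]` with no passing check required; patch 3 in this series also deletes `tests/module_test.go`, so nothing in the repository gates a dependency bump before it lands on the default branch. If the Travis job is gone, the rule should still require whichever check replaced it, e.g. `- check-success=<CI job name>` under the approve rule's `conditions` (Mergify still accepts `status-success` for legacy commit statuses). The hunk header counts 15 old lines but only 14 are visible, so the trailing `merge:` options appear to have been cut off in this rendering.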
@@ -6,7 +6,7 @@ the `modules/cross-account-member` module. ## Testing You can find example implementations of this module in the tests folder. This module requires 2 different AWS accounts to test and so the terraform aws provider definitions -are assuming that you will be using a profile with the name `resource-owner` and `resource-member`. +are assuming that you will be using a profile with the name `aws` and `awsalternate`. Note: the implementation `tests/create_securityhub_member` will require you to provide the variables `email_address` prior to use diff --git a/tests/securityhub_cross_account/main.tf b/tests/securityhub_cross_account/main.tf index b6c091f..f79648c 100644 --- a/tests/securityhub_cross_account/main.tf +++ b/tests/securityhub_cross_account/main.tf @@ -1,12 +1,10 @@ # Provider to use as the securityhub member (aka invitee) provider "aws" { - region = "us-east-1" profile = "aws" # Profile must exist in your .aws/config } # Provider to use as the securityhub administrator provider "aws" { - region = "us-east-1" alias = "administrator" profile = "awsalternate" # Profile must exist in your .aws/config } diff --git a/tests/securityhub_same_account/main.tf b/tests/securityhub_same_account/main.tf index 512c14e..5f660e4 100644 --- a/tests/securityhub_same_account/main.tf +++ b/tests/securityhub_same_account/main.tf @@ -1,6 +1,5 @@ provider "aws" { - region = "us-east-1" - profile = "resource-owner" + profile = "aws" # Profile must exist in your .aws/config } module "securityhub" { From 10fcda9a230454f478f2ebe41aeda4b68dd0b573 Mon Sep 17 00:00:00 2001 
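Review bot: Dropping `region = "us-east-1"` from both provider blocks means the tests now resolve the region from the named profile or from `AWS_REGION`/`AWS_DEFAULT_REGION`, but the inline comment only says the profile must exist; the same applies to `tests/securityhub_same_account/main.tf` in this commit. Suggest extending the comment, e.g. `profile = "aws" # Profile must exist in your .aws/config and define a region`, or stating the region requirement in the README's Testing section next to the `aws`/`awsalternate` profile names. Since Security Hub is enabled per region, a run with an unintended region could enable the service there rather than fail, which is worth making explicit.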
From: Loren Gordon Date: Thu, 25 May 2023 08:05:42 -0700 Subject: [PATCH 3/3] Bumps version to 4.0.0 --- .bumpversion.cfg | 2 +- .github/dependabot.yml | 9 +--- CHANGELOG.md | 10 ++++ modules/accepter/README.md | 4 +- modules/accepter/versions.tf | 2 +- modules/account/README.md | 4 +- modules/account/versions.tf | 2 +- modules/action_target/README.md | 4 +- modules/action_target/versions.tf | 2 +- modules/cross-account-member/README.md | 2 +- modules/cross-account-member/versions.tf | 2 +- modules/member/README.md | 4 +- modules/member/versions.tf | 2 +- modules/subscriptions/README.md | 4 +- modules/subscriptions/versions.tf | 2 +- tests/module_test.go | 63 ------------------------ 16 files changed, 30 insertions(+), 88 deletions(-) delete mode 100644 tests/module_test.go diff --git a/.bumpversion.cfg b/.bumpversion.cfg index cbe3057..0e34519 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 3.0.2 +current_version = 4.0.0 commit = True message = Bumps version to {new_version} tag = False diff --git a/.github/dependabot.yml b/.github/dependabot.yml index fd0d595..8f483b4 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -8,15 +8,10 @@ updates: - package-ecosystem: docker directory: "/" schedule: - interval: daily + interval: weekly open-pull-requests-limit: 10 - package-ecosystem: terraform directory: "/" schedule: - interval: daily - open-pull-requests-limit: 10 - - package-ecosystem: gomod - directory: "/tests" - schedule: - interval: daily + interval: weekly open-pull-requests-limit: 10 diff --git a/CHANGELOG.md b/CHANGELOG.md index 00378f9..02e2901 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +### [4.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.0.0) + +**Released**: 2023.05.25 + +**Summary**: + +* Adds support for security hub `control_finding_generator` feature +* Sets default value for `control_finding_generator` to `SECURITY_CONTROL` +* Updates minimum terraform aws provider version to 4.64.0 + ### 3.0.2 **Released**: 2023.02.01 diff --git a/modules/accepter/README.md b/modules/accepter/README.md index d8aef16..91ab813 100644 --- a/modules/accepter/README.md +++ b/modules/accepter/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.29.0 | +| [aws](#provider\_aws) | >= 4.64.0 | ## Resources diff --git a/modules/accepter/versions.tf b/modules/accepter/versions.tf index 966e9bd..076bf5b 100644 --- a/modules/accepter/versions.tf +++ b/modules/accepter/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } diff --git a/modules/account/README.md b/modules/account/README.md index 21fb553..d5e4a7b 100644 --- a/modules/account/README.md +++ b/modules/account/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.29.0 | +| [aws](#provider\_aws) | >= 4.64.0 | ## Resources 
diff --git a/modules/account/versions.tf b/modules/account/versions.tf index 966e9bd..076bf5b 100644 --- a/modules/account/versions.tf +++ b/modules/account/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } diff --git a/modules/action_target/README.md b/modules/action_target/README.md index 190305b..d29069f 100644 --- a/modules/action_target/README.md +++ b/modules/action_target/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.29.0 | +| [aws](#provider\_aws) | >= 4.64.0 | ## Resources diff --git a/modules/action_target/versions.tf b/modules/action_target/versions.tf index 966e9bd..076bf5b 100644 --- a/modules/action_target/versions.tf +++ b/modules/action_target/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } diff --git a/modules/cross-account-member/README.md b/modules/cross-account-member/README.md index 1b73273..d7356aa 100644 --- a/modules/cross-account-member/README.md +++ b/modules/cross-account-member/README.md @@ -6,7 +6,7 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers diff --git a/modules/cross-account-member/versions.tf b/modules/cross-account-member/versions.tf index 41d8925..74e5487 100644 --- a/modules/cross-account-member/versions.tf +++ b/modules/cross-account-member/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" configuration_aliases = [aws.administrator] } } 
diff --git a/modules/member/README.md b/modules/member/README.md index c7b99aa..975b6fd 100644 --- a/modules/member/README.md +++ b/modules/member/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.29.0 | +| [aws](#provider\_aws) | >= 4.64.0 | ## Resources diff --git a/modules/member/versions.tf b/modules/member/versions.tf index 966e9bd..076bf5b 100644 --- a/modules/member/versions.tf +++ b/modules/member/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } diff --git a/modules/subscriptions/README.md b/modules/subscriptions/README.md index 035c8ec..6b11621 100644 --- a/modules/subscriptions/README.md +++ b/modules/subscriptions/README.md @@ -6,13 +6,13 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 3.29.0 | +| [aws](#requirement\_aws) | >= 4.64.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.29.0 | +| [aws](#provider\_aws) | >= 4.64.0 | ## Resources diff --git a/modules/subscriptions/versions.tf b/modules/subscriptions/versions.tf index 966e9bd..076bf5b 100644 --- a/modules/subscriptions/versions.tf +++ b/modules/subscriptions/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.29.0" + version = ">= 4.64.0" } } } diff --git a/tests/module_test.go b/tests/module_test.go deleted file mode 100644 index d2b547b..0000000 --- a/tests/module_test.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package testing - -import "github.com/gruntwork-io/terratest/modules/terraform" -import "io/ioutil" -import "log" -import "os" -import "strings" -import "testing" - -func TestModule(t *testing.T) { - files, err := ioutil.ReadDir("./") - - if err != nil { - log.Fatal(err) - } - - for _, f := range files { - // look for directories with test cases in it - if f.IsDir() && f.Name() != "vendor" { - tfFiles, tfErr := ioutil.ReadDir(f.Name()) - - if tfErr != nil { - log.Fatal(tfErr) - } - - // check if directory contains terraform files - terraformDir := false - for _, tf := range tfFiles { - if strings.HasSuffix(tf.Name(), ".tf") { - terraformDir = true - break - } - } - - // create a test for each directory with terraform files in it - if terraformDir { - t.Run(f.Name(), func(t *testing.T) { - // check if a prereq directory exists - prereqDir := f.Name() + "/prereq/" - if _, err := os.Stat(prereqDir); err == nil { - prereqOptions := createTerraformOptions(prereqDir) - defer terraform.Destroy(t, prereqOptions) - terraform.InitAndApply(t, prereqOptions) - } - - // run terraform code for test case - terraformOptions := createTerraformOptions(f.Name()) - defer terraform.Destroy(t, terraformOptions) - terraform.InitAndApply(t, terraformOptions) - }) - } - } - } -} - -func createTerraformOptions(directory string) *terraform.Options { - terraformOptions := &terraform.Options{ - TerraformDir: directory, - NoColor: true, - } - - return terraformOptions -}