Merge pull request #60 from lorengordon/accepter

Accepts invite using new resource "aws_securityhub_invite_accepter"
plus3it · Mar 4, 2021 · f0c0856 · f0c0856
2 parents 7218377 + b87bd97
commit f0c0856
Show file tree

Hide file tree

Showing 22 changed files with 219 additions and 390 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.0
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/.gitignore b/.gitignore
@@ -15,9 +15,8 @@
 tardigrade-ci/
 .tardigrade-ci
 
-# eclint
-
-.git/
-
 # terratest
 tests/go.*
+
+# terraform lock file
+.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,11 +4,60 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 2.0.0
+
+**Released**: 2021.03.03
+
+**Commit Delta**: [Change from 1.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/1.0.0...2.0.0)
+
+**Summary**:
+
+*   Replaces python accepter with new resource, `aws_securityhub_invite_accepter`.
+    See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+*   Moves cross-account workflow into separate module. This eliminates the extra
+    "provider" when *not* using the cross-account workflow. It also streamlines
+    the inputs for each use case. See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+*   Renames the `master` provider to `administrator` for the cross-account workflow.
+    See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+
+### 1.0.0
+
+**Released**: 2020.10.07
+
+**Commit Delta**: [Change from 0.0.3 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.3...1.0.0)
+
+**Summary**:
+
+*   Splits resources into submodules to support separate master/member workflows.
+    See [PR #44](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/44).
+
+### 0.0.3
+
+**Released**: 2020.05.14
+
+**Commit Delta**: [Change from 0.0.2 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.2...0.0.3)
+
+**Summary**:
+
+*   Avoids error, "Cannot include a null value in a string template".
+    See [PR #16](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/16).
+
+### 0.0.2
+
+**Released**: 2020.05.13
+
+**Commit Delta**: [Change from 0.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.1...0.0.2)
+
+**Summary**:
+
+*   Passes profile and region through the refreshable credential properly.
+    See [PR #15](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/15).
+
 ### 0.0.1
 
 **Released**: 2020.05.08
 
-**Commit Delta**: [Change from 1.0.4 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.0...0.0.1)
+**Commit Delta**: [Change from 0.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.0...0.0.1)
 
 **Summary**:
 

diff --git a/README.md b/README.md
@@ -1,6 +1,7 @@
 # terraform-aws-tardigrade-security-hub
-Terraform module to enable SecurityHub in a child account and link it
-to a pre-existing SecurityHub instance in the parent account
+Terraform module to enable and configure SecurityHub. The module supports independent
+accounts with the top-level module, and the cross-account invite/accept workflow with
+the `modules/cross-account-member` module.
 
 ## Testing
 You can find example implementations of this module in the tests folder. This module
@@ -16,34 +17,26 @@ Note: the implementation `tests/create_securityhub_member` will require you to p
 | Name | Version |
 |------|---------|
 | terraform | >= 0.13 |
+| aws | >= 3.29.0 |
 
 ## Providers
 
-| Name | Version |
-|------|---------|
-| aws | n/a |
-| aws.master | n/a |
+No provider.
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| accepter\_profile | (Optional) Used by null\_resource accepter to establish botocore session. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
-| accepter\_region | (Optional) Used by null\_resource accepter to establish botocore client. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
-| accepter\_role\_arn | (Optional) Used by null\_resource accepter to assume a role in the accepter account. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
 | action\_targets | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
-| member\_email | (Optional) Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | `null` | no |
 | product\_subscription\_arns | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | standard\_subscription\_arns | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| accept | Object containing the SecurityHub (null) accepter resource |
 | account | Object containing the SecurityHub account resource |
 | action\_targets | Object containing the SecurityHub action targets resources |
-| member | Object containing the SecurityHub member resource |
 | subscriptions | Object containing the SecurityHub subscriptions resources |
 
 <!-- END TFDOCS -->
diff --git a/main.tf b/main.tf
@@ -1,44 +1,8 @@
-provider "aws" {
-  alias = "master"
-}
-
 # Enable SecurityHub
 module "account" {
   source = "./modules/account"
 }
 
-# Send invite from master
-module "member" {
-  source = "./modules/member"
-  count  = local.cross_account ? 1 : 0
-  providers = {
-    aws = aws.master
-  }
-
-  account_id = data.aws_caller_identity.this.account_id
-  email      = var.member_email
-
-  depends_on = [
-    module.account
-  ]
-}
-
-# Accept invite
-module "accept" {
-  source = "./modules/accepter"
-  count  = local.cross_account ? 1 : 0
-
-  master_account_id = data.aws_caller_identity.master.account_id
-
-  profile  = var.accepter_profile
-  role_arn = var.accepter_role_arn
-  region   = var.accepter_region
-
-  depends_on = [
-    module.member
-  ]
-}
-
 # Manage subscriptions
 module "subscriptions" {
   source = "./modules/subscriptions"
@@ -60,13 +24,3 @@ module "action_targets" {
   description = each.value.description
   identifier  = each.value.identifier
 }
-
-locals {
-  cross_account = data.aws_caller_identity.this.account_id != data.aws_caller_identity.master.account_id
-}
-
-data "aws_caller_identity" "this" {}
-
-data "aws_caller_identity" "master" {
-  provider = aws.master
-}
diff --git a/modules/accepter/README.md b/modules/accepter/README.md
@@ -9,21 +9,18 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| null | n/a |
+| aws | n/a |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | master\_account\_id | Account ID of the AWS SecurityHub master account that sent the invite | `string` | n/a | yes |
-| profile | Used by null\_resource to establish botocore session | `string` | n/a | yes |
-| region | Used by null\_resource to establish botocore client | `string` | n/a | yes |
-| role\_arn | Used by null\_resource to assume a role in the accepter account | `string` | n/a | yes |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| accepter | Object containing SecurityHub accepter (null) resource |
+| accepter | Object containing SecurityHub accepter resource |
 
 <!-- END TFDOCS -->
diff --git a/modules/accepter/main.tf b/modules/accepter/main.tf
@@ -1,63 +1,3 @@
-resource "null_resource" "accepter" {
-  provisioner "local-exec" {
-    command = join(" ", local.create)
-  }
-
-  provisioner "local-exec" {
-    when    = destroy
-    command = self.triggers.destroy_command
-  }
-
-  provisioner "local-exec" {
-    when    = destroy
-    command = "python -c 'import time; time.sleep(5)'"
-  }
-
-  lifecycle {
-    ignore_changes = [triggers["destroy_command"]]
-  }
-
-  triggers = {
-    destroy_command = join(" ", local.destroy)
-  }
-}
-
-locals {
-  # Replace a terraform-aws-provider sts assumed role with the equivalent iam role, i.e:
-  #     arn:aws:sts::<account-id>:assumed-role/<role-name>/<numeric-session-id>
-  # =>
-  #     arn:aws:iam::<account-id>:role/<role-name>
-  # This allows a user to simply pass `role_arn = "${data.aws_caller_identity.this.arn}"`
-  role_arn = replace(
-    var.role_arn,
-    "/(.*):sts:(.*):assumed-role/(.*)/[0-9]*$/",
-    "$1:iam:$2:role/$3",
-  )
-
-  create = [
-    "python",
-    "\"${path.module}/security_hub_accepter.py\"",
-    "--master-account-id",
-    "\"${var.master_account_id}\"",
-    "--profile",
-    "\"${var.profile}\"",
-    "--role-arn",
-    "\"${local.role_arn}\"",
-    "--region",
-    "\"${var.region}\"",
-  ]
-
-  destroy = [
-    "python",
-    "\"${path.module}/security_hub_accepter.py\"",
-    "--master-account-id",
-    "\"${var.master_account_id}\"",
-    "--remove-master",
-    "--profile",
-    "\"${var.profile}\"",
-    "--role-arn",
-    "\"${local.role_arn}\"",
-    "--region",
-    "\"${var.region}\"",
-  ]
+resource "aws_securityhub_invite_accepter" "this" {
+  master_id = var.master_account_id
 }
diff --git a/modules/accepter/outputs.tf b/modules/accepter/outputs.tf
@@ -1,4 +1,4 @@
 output "accepter" {
-  description = "Object containing SecurityHub accepter (null) resource"
-  value       = null_resource.accepter
+  description = "Object containing SecurityHub accepter resource"
+  value       = aws_securityhub_invite_accepter.this
 }