diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index fab32b7..b49e513 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
[bumpversion]
-current_version = 1.0.0
+current_version = 2.0.0
commit = True
message = Bumps version to {new_version}
tag = False
diff --git a/.gitignore b/.gitignore
index f325ca8..724e9c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,9 +15,8 @@
tardigrade-ci/
.tardigrade-ci
-# eclint
-
-.git/
-
# terratest
tests/go.*
+
+# terraform lock file
+.terraform.lock.hcl
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 40e2664..c71c213 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,11 +4,60 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### 2.0.0
+
+**Released**: 2021.03.03
+
+**Commit Delta**: [Change from 1.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/1.0.0...2.0.0)
+
+**Summary**:
+
+* Replaces python accepter with new resource, `aws_securityhub_invite_accepter`.
+ See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+* Moves cross-account workflow into separate module. This eliminates the extra
+ "provider" when *not* using the cross-account workflow. It also streamlines
+ the inputs for each use case. See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+* Renames the `master` provider to `administrator` for the cross-account workflow.
+ See [PR #60](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/60).
+
+### 1.0.0
+
+**Released**: 2020.10.07
+
+**Commit Delta**: [Change from 0.0.3 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.3...1.0.0)
+
+**Summary**:
+
+* Splits resources into submodules to support separate master/member workflows.
+ See [PR #44](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/44).
+
+### 0.0.3
+
+**Released**: 2020.05.14
+
+**Commit Delta**: [Change from 0.0.2 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.2...0.0.3)
+
+**Summary**:
+
+* Avoids error, "Cannot include a null value in a string template".
+ See [PR #16](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/16).
+
+### 0.0.2
+
+**Released**: 2020.05.13
+
+**Commit Delta**: [Change from 0.0.1 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.1...0.0.2)
+
+**Summary**:
+
+* Passes profile and region through the refreshable credential properly.
+ See [PR #15](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/pull/15).
+
### 0.0.1
**Released**: 2020.05.08
-**Commit Delta**: [Change from 1.0.4 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.0...0.0.1)
+**Commit Delta**: [Change from 0.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/compare/0.0.0...0.0.1)
**Summary**:
diff --git a/README.md b/README.md
index 484ab0d..a4d11c1 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,7 @@
# terraform-aws-tardigrade-security-hub
-Terraform module to enable SecurityHub in a child account and link it
-to a pre-existing SecurityHub instance in the parent account
+Terraform module to enable and configure SecurityHub. The module supports independent
+accounts with the top-level module, and the cross-account invite/accept workflow with
+the `modules/cross-account-member` module.
## Testing
You can find example implementations of this module in the tests folder. This module
@@ -16,23 +17,17 @@ Note: the implementation `tests/create_securityhub_member` will require you to p
| Name | Version |
|------|---------|
| terraform | >= 0.13 |
+| aws | >= 3.29.0 |
## Providers
-| Name | Version |
-|------|---------|
-| aws | n/a |
-| aws.master | n/a |
+No provider.
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| accepter\_profile | (Optional) Used by null\_resource accepter to establish botocore session. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
-| accepter\_region | (Optional) Used by null\_resource accepter to establish botocore client. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
-| accepter\_role\_arn | (Optional) Used by null\_resource accepter to assume a role in the accepter account. Required for the cross-account SecurityHub member accept workflow | `string` | `""` | no |
| action\_targets | Schema list of SecurityHub action targets. | list(object({
name = string
description = string
identifer = string
})) | `[]` | no |
-| member\_email | (Optional) Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | `null` | no |
| product\_subscription\_arns | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
| standard\_subscription\_arns | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
@@ -40,10 +35,8 @@ Note: the implementation `tests/create_securityhub_member` will require you to p
| Name | Description |
|------|-------------|
-| accept | Object containing the SecurityHub (null) accepter resource |
| account | Object containing the SecurityHub account resource |
| action\_targets | Object containing the SecurityHub action targets resources |
-| member | Object containing the SecurityHub member resource |
| subscriptions | Object containing the SecurityHub subscriptions resources |
diff --git a/main.tf b/main.tf
index 4c7f4e6..f15b60d 100644
--- a/main.tf
+++ b/main.tf
@@ -1,44 +1,8 @@
-provider "aws" {
- alias = "master"
-}
-
# Enable SecurityHub
module "account" {
source = "./modules/account"
}
-# Send invite from master
-module "member" {
- source = "./modules/member"
- count = local.cross_account ? 1 : 0
- providers = {
- aws = aws.master
- }
-
- account_id = data.aws_caller_identity.this.account_id
- email = var.member_email
-
- depends_on = [
- module.account
- ]
-}
-
-# Accept invite
-module "accept" {
- source = "./modules/accepter"
- count = local.cross_account ? 1 : 0
-
- master_account_id = data.aws_caller_identity.master.account_id
-
- profile = var.accepter_profile
- role_arn = var.accepter_role_arn
- region = var.accepter_region
-
- depends_on = [
- module.member
- ]
-}
-
# Manage subscriptions
module "subscriptions" {
source = "./modules/subscriptions"
@@ -60,13 +24,3 @@ module "action_targets" {
description = each.value.description
identifier = each.value.identifier
}
-
-locals {
- cross_account = data.aws_caller_identity.this.account_id != data.aws_caller_identity.master.account_id
-}
-
-data "aws_caller_identity" "this" {}
-
-data "aws_caller_identity" "master" {
- provider = aws.master
-}
diff --git a/modules/accepter/README.md b/modules/accepter/README.md
index 45647f8..3df8866 100644
--- a/modules/accepter/README.md
+++ b/modules/accepter/README.md
@@ -9,21 +9,18 @@ No requirements.
| Name | Version |
|------|---------|
-| null | n/a |
+| aws | n/a |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| master\_account\_id | Account ID of the AWS SecurityHub master account that sent the invite | `string` | n/a | yes |
-| profile | Used by null\_resource to establish botocore session | `string` | n/a | yes |
-| region | Used by null\_resource to establish botocore client | `string` | n/a | yes |
-| role\_arn | Used by null\_resource to assume a role in the accepter account | `string` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
-| accepter | Object containing SecurityHub accepter (null) resource |
+| accepter | Object containing SecurityHub accepter resource |
diff --git a/modules/accepter/main.tf b/modules/accepter/main.tf
index 1be09c6..4b899d8 100644
--- a/modules/accepter/main.tf
+++ b/modules/accepter/main.tf
@@ -1,63 +1,3 @@
-resource "null_resource" "accepter" {
- provisioner "local-exec" {
- command = join(" ", local.create)
- }
-
- provisioner "local-exec" {
- when = destroy
- command = self.triggers.destroy_command
- }
-
- provisioner "local-exec" {
- when = destroy
- command = "python -c 'import time; time.sleep(5)'"
- }
-
- lifecycle {
- ignore_changes = [triggers["destroy_command"]]
- }
-
- triggers = {
- destroy_command = join(" ", local.destroy)
- }
-}
-
-locals {
- # Replace a terraform-aws-provider sts assumed role with the equivalent iam role, i.e:
- # arn:aws:sts:::assumed-role//
- # =>
- # arn:aws:iam:::role/
- # This allows a user to simply pass `role_arn = "${data.aws_caller_identity.this.arn}"`
- role_arn = replace(
- var.role_arn,
- "/(.*):sts:(.*):assumed-role/(.*)/[0-9]*$/",
- "$1:iam:$2:role/$3",
- )
-
- create = [
- "python",
- "\"${path.module}/security_hub_accepter.py\"",
- "--master-account-id",
- "\"${var.master_account_id}\"",
- "--profile",
- "\"${var.profile}\"",
- "--role-arn",
- "\"${local.role_arn}\"",
- "--region",
- "\"${var.region}\"",
- ]
-
- destroy = [
- "python",
- "\"${path.module}/security_hub_accepter.py\"",
- "--master-account-id",
- "\"${var.master_account_id}\"",
- "--remove-master",
- "--profile",
- "\"${var.profile}\"",
- "--role-arn",
- "\"${local.role_arn}\"",
- "--region",
- "\"${var.region}\"",
- ]
+resource "aws_securityhub_invite_accepter" "this" {
+ master_id = var.master_account_id
}
diff --git a/modules/accepter/outputs.tf b/modules/accepter/outputs.tf
index e72f94c..bf0e88b 100644
--- a/modules/accepter/outputs.tf
+++ b/modules/accepter/outputs.tf
@@ -1,4 +1,4 @@
output "accepter" {
- description = "Object containing SecurityHub accepter (null) resource"
- value = null_resource.accepter
+ description = "Object containing SecurityHub accepter resource"
+ value = aws_securityhub_invite_accepter.this
}
diff --git a/modules/accepter/security_hub_accepter.py b/modules/accepter/security_hub_accepter.py
deleted file mode 100644
index 84b4b48..0000000
--- a/modules/accepter/security_hub_accepter.py
+++ /dev/null
@@ -1,170 +0,0 @@
-"""Helper script to accept invite for cross-account RAM Share."""
-from __future__ import print_function
-
-import argparse
-import collections
-import logging
-import os
-import sys
-
-import botocore.credentials
-import botocore.session
-
-DEFAULT_LOG_LEVEL = logging.INFO
-LOG_LEVELS = collections.defaultdict(
- lambda: DEFAULT_LOG_LEVEL,
- {
- "critical": logging.CRITICAL,
- "error": logging.ERROR,
- "warning": logging.WARNING,
- "info": logging.INFO,
- "debug": logging.DEBUG,
- },
-)
-
-# Clear out any other root log handler
-root = logging.getLogger()
-if root.handlers:
- for handler in root.handlers:
- root.removeHandler(handler)
-
-logging.basicConfig(
- format="%(asctime)s.%(msecs)03dZ [%(name)s][%(levelname)-5s]: %(message)s",
- datefmt="%Y-%m-%dT%H:%M:%S",
- level=LOG_LEVELS[os.environ.get("LOG_LEVEL", "").lower()],
-)
-log = logging.getLogger("security_hub_accepter.py")
-
-
-class NoPendingInviteException(Exception):
- """Custom exception for no pending invite."""
-
-
-class AssumeRoleProvider(
- object
-): # pylint: disable=useless-object-inheritance, too-few-public-methods
- """Refreshable assume-role credential provider."""
-
- METHOD = "assume-role"
-
- def __init__(self, fetcher): # noqa: D107
- self._fetcher = fetcher
-
- def load(self):
- """Load refreshable credential."""
- return botocore.credentials.DeferredRefreshableCredentials(
- self._fetcher.fetch_credentials, self.METHOD
- )
-
-
-def filter_none_values(data):
- """Return new dictionary excluding items where value was None."""
- return {k: v for k, v in data.items() if v is not None}
-
-
-def assume_role(
- session,
- role_arn,
- profile=None,
- duration=3600,
- session_name=None,
- serial_number=None,
-): # pylint: disable=too-many-arguments
- """Assume a role with a refreshable credential."""
- fetcher = botocore.credentials.AssumeRoleCredentialFetcher(
- session.create_client,
- session.get_credentials(),
- role_arn,
- extra_args=filter_none_values(
- {
- "DurationSeconds": duration,
- "RoleSessionName": session_name,
- "SerialNumber": serial_number,
- }
- ),
- cache=botocore.credentials.JSONFileCache(),
- )
- role_session = botocore.session.Session(profile=profile)
- role_session.register_component(
- "credential_provider",
- botocore.credentials.CredentialResolver([AssumeRoleProvider(fetcher)]),
- )
- return role_session
-
-
-def get_pending_invite_id(sechub, master_account_id):
- """Get pending invite id."""
- invitations = sechub.list_invitations()
-
- for invite in invitations["Invitations"]:
- invite_id = invite["InvitationId"]
- if (
- invite["MemberStatus"] == "Invited"
- and invite["AccountId"] == master_account_id
- ):
- return invite_id
-
- return None
-
-
-def accept_pending_invite(sechub, master_account_id, invite_id):
- """Accept pending invite."""
- sechub.accept_invitation(MasterId=master_account_id, InvitationId=invite_id)
-
-
-def main(
- master_account_id, remove_master=False, profile=None, role_arn=None, region=None
-):
- """Entrypoint for accept invite for cross-account RAM Share."""
- region = region or None
- profile = profile or None
- role_arn = role_arn or None
-
- session = botocore.session.Session(profile=profile)
- session.set_default_client_config(botocore.client.Config(region_name=region))
-
- if role_arn:
- session = assume_role(session, role_arn, profile=profile)
-
- sechub = session.create_client("securityhub", region_name=region)
-
- if remove_master:
- sechub.disassociate_from_master_account()
- log.info("Disassociated member from master account: %s", master_account_id)
- else:
- invite_id = get_pending_invite_id(sechub, master_account_id)
-
- if not invite_id:
- raise NoPendingInviteException("No pending invite found for Security Hub:")
-
- log.info("Found pending invite_id: %s", invite_id)
- accept_pending_invite(sechub, master_account_id, invite_id)
- log.info("Accepted invite from SecurityHub master: %s", master_account_id)
-
-
-if __name__ == "__main__":
- parser = argparse.ArgumentParser()
- parser.add_argument(
- "--master-account-id", help="Account ID of the SecurityHub master"
- )
- parser.add_argument(
- "--remove-master",
- action="store_true",
- help="Dissasociate from the SecurityHub master",
- )
- parser.add_argument(
- "--profile", default=None, help="Profile to use when setting up the AWS session"
- )
- parser.add_argument(
- "--role-arn",
- default=None,
- help="ARN of a role to assume with permissions to SecurityHub",
- )
- parser.add_argument(
- "--region",
- default=None,
- help="Region in which to look for the SecurityHub invite",
- )
-
- args = parser.parse_args()
- sys.exit(main(**vars(args)))
diff --git a/modules/accepter/variables.tf b/modules/accepter/variables.tf
index 84bb54c..13892e6 100644
--- a/modules/accepter/variables.tf
+++ b/modules/accepter/variables.tf
@@ -2,18 +2,3 @@ variable "master_account_id" {
description = "Account ID of the AWS SecurityHub master account that sent the invite"
type = string
}
-
-variable "profile" {
- description = "Used by null_resource to establish botocore session"
- type = string
-}
-
-variable "role_arn" {
- description = "Used by null_resource to assume a role in the accepter account"
- type = string
-}
-
-variable "region" {
- description = "Used by null_resource to establish botocore client"
- type = string
-}
diff --git a/modules/cross-account-member/README.md b/modules/cross-account-member/README.md
new file mode 100644
index 0000000..e741eed
--- /dev/null
+++ b/modules/cross-account-member/README.md
@@ -0,0 +1,37 @@
+# terraform-aws-tardigrade-security-hub/cross-account-member
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | >= 0.13 |
+| aws | >= 3.29.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | >= 3.29.0 |
+| aws.administrator | >= 3.29.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| member\_email | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes |
+| action\_targets | Schema list of SecurityHub action targets. | list(object({
name = string
description = string
identifer = string
})) | `[]` | no |
+| product\_subscription\_arns | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
+| standard\_subscription\_arns | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| accepter | Object containing the SecurityHub accepter resource |
+| account | Object containing the SecurityHub account resource |
+| action\_targets | Object containing the SecurityHub action targets resources |
+| member | Object containing the SecurityHub member resource |
+| subscriptions | Object containing the SecurityHub subscriptions resources |
+
+
diff --git a/modules/cross-account-member/main.tf b/modules/cross-account-member/main.tf
new file mode 100644
index 0000000..eda9cb2
--- /dev/null
+++ b/modules/cross-account-member/main.tf
@@ -0,0 +1,44 @@
+provider "aws" {
+ alias = "administrator"
+}
+
+# Enables/configures Security Hub in member account
+module "account" {
+ source = "../../"
+
+ action_targets = var.action_targets
+ product_subscription_arns = var.product_subscription_arns
+ standard_subscription_arns = var.standard_subscription_arns
+}
+
+# Send invite from administrator account
+module "member" {
+ source = "../member"
+ providers = {
+ aws = aws.administrator
+ }
+
+ account_id = data.aws_caller_identity.this.account_id
+ email = var.member_email
+
+ depends_on = [
+ module.account
+ ]
+}
+
+# Accept invite
+module "accept" {
+ source = "../accepter"
+
+ master_account_id = data.aws_caller_identity.administrator.account_id
+
+ depends_on = [
+ module.member
+ ]
+}
+
+data "aws_caller_identity" "this" {}
+
+data "aws_caller_identity" "administrator" {
+ provider = aws.administrator
+}
diff --git a/modules/cross-account-member/outputs.tf b/modules/cross-account-member/outputs.tf
new file mode 100644
index 0000000..624b223
--- /dev/null
+++ b/modules/cross-account-member/outputs.tf
@@ -0,0 +1,24 @@
+output "account" {
+ description = "Object containing the SecurityHub account resource"
+ value = module.account.account
+}
+
+output "member" {
+ description = "Object containing the SecurityHub member resource"
+ value = module.member.member
+}
+
+output "accepter" {
+ description = "Object containing the SecurityHub accepter resource"
+ value = module.accept.accepter
+}
+
+output "subscriptions" {
+ description = "Object containing the SecurityHub subscriptions resources"
+ value = module.account.subscriptions
+}
+
+output "action_targets" {
+ description = "Object containing the SecurityHub action targets resources"
+ value = module.account.action_targets
+}
diff --git a/modules/cross-account-member/variables.tf b/modules/cross-account-member/variables.tf
new file mode 100644
index 0000000..36e20bd
--- /dev/null
+++ b/modules/cross-account-member/variables.tf
@@ -0,0 +1,26 @@
+variable "member_email" {
+ description = "Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow"
+ type = string
+}
+
+variable "action_targets" {
+ description = "Schema list of SecurityHub action targets."
+ type = list(object({
+ name = string
+ description = string
+ identifer = string
+ }))
+ default = []
+}
+
+variable "product_subscription_arns" {
+ description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html"
+ type = list(string)
+ default = []
+}
+
+variable "standard_subscription_arns" {
+ description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
+ type = list(string)
+ default = []
+}
diff --git a/modules/cross-account-member/versions.tf b/modules/cross-account-member/versions.tf
new file mode 100644
index 0000000..966e9bd
--- /dev/null
+++ b/modules/cross-account-member/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 0.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.29.0"
+ }
+ }
+}
diff --git a/modules/member/main.tf b/modules/member/main.tf
index 3986d19..6c0748d 100644
--- a/modules/member/main.tf
+++ b/modules/member/main.tf
@@ -2,10 +2,4 @@ resource "aws_securityhub_member" "this" {
account_id = var.account_id
email = var.email
invite = true
-
- # The invite sometimes takes a few seconds to register before it can be accepted in the target account,
- # so we pause for 5 seconds to let the invite propagate
- provisioner "local-exec" {
- command = "python -c 'import time; time.sleep(5)'"
- }
}
diff --git a/outputs.tf b/outputs.tf
index 591fec1..ae3247f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -3,16 +3,6 @@ output "account" {
value = module.account.account
}
-output "member" {
- description = "Object containing the SecurityHub member resource"
- value = local.cross_account ? module.member[0].member : null
-}
-
-output "accept" {
- description = "Object containing the SecurityHub (null) accepter resource"
- value = local.cross_account ? module.accept[0].accepter : null
-}
-
output "subscriptions" {
description = "Object containing the SecurityHub subscriptions resources"
value = module.subscriptions
diff --git a/tests/securityhub_cross_account/main.tf b/tests/securityhub_cross_account/main.tf
index f13b9cb..fce6db6 100644
--- a/tests/securityhub_cross_account/main.tf
+++ b/tests/securityhub_cross_account/main.tf
@@ -9,17 +9,15 @@ provider "aws" {
profile = "resource-owner"
}
-module "securityhub_member" {
- source = "../../"
+module "securityhub" {
+ source = "../../modules/cross-account-member"
providers = {
- aws = aws
- aws.master = aws.resource-owner
+ aws = aws
+ aws.administrator = aws.resource-owner
}
- member_email = var.member_email
- accepter_region = data.aws_region.current.name
- accepter_profile = "resource-member"
+ member_email = var.member_email
standard_subscription_arns = [
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
@@ -31,8 +29,6 @@ module "securityhub_member" {
]
}
-data "aws_region" "current" {}
-
output "securityhub" {
- value = module.securityhub_member
+ value = module.securityhub
}
diff --git a/tests/securityhub_cross_account/prereq/main.tf b/tests/securityhub_cross_account/prereq/main.tf
index 9ade683..ecfeb59 100644
--- a/tests/securityhub_cross_account/prereq/main.tf
+++ b/tests/securityhub_cross_account/prereq/main.tf
@@ -1,19 +1,8 @@
provider "aws" {
region = "us-east-1"
- profile = "resource-member"
-}
-
-provider "aws" {
- region = "us-east-1"
- alias = "resource-owner"
profile = "resource-owner"
}
module "securityhub_owner" {
source = "../../../"
-
- providers = {
- aws = aws.resource-owner
- aws.master = aws.resource-owner
- }
}
diff --git a/tests/securityhub_same_account/main.tf b/tests/securityhub_same_account/main.tf
index f6d4ca2..512c14e 100644
--- a/tests/securityhub_same_account/main.tf
+++ b/tests/securityhub_same_account/main.tf
@@ -3,20 +3,9 @@ provider "aws" {
profile = "resource-owner"
}
-provider "aws" {
- region = "us-east-1"
- alias = "resource-owner"
- profile = "resource-owner"
-}
-
module "securityhub" {
source = "../../"
- providers = {
- aws = aws
- aws.master = aws.resource-owner
- }
-
standard_subscription_arns = [
"arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
"arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1",
diff --git a/variables.tf b/variables.tf
index b23164c..885497d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -19,27 +19,3 @@ variable "product_subscription_arns" {
type = list(string)
default = []
}
-
-variable "member_email" {
- description = "(Optional) Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow"
- type = string
- default = null
-}
-
-variable "accepter_profile" {
- description = "(Optional) Used by null_resource accepter to establish botocore session. Required for the cross-account SecurityHub member accept workflow"
- type = string
- default = ""
-}
-
-variable "accepter_role_arn" {
- description = "(Optional) Used by null_resource accepter to assume a role in the accepter account. Required for the cross-account SecurityHub member accept workflow"
- type = string
- default = ""
-}
-
-variable "accepter_region" {
- description = "(Optional) Used by null_resource accepter to establish botocore client. Required for the cross-account SecurityHub member accept workflow"
- type = string
- default = ""
-}
diff --git a/versions.tf b/versions.tf
index 6b6318d..966e9bd 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,3 +1,10 @@
terraform {
required_version = ">= 0.13"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.29.0"
+ }
+ }
}