changes

schubergphilis · Dec 29, 2020 · 8c89755 · 8c89755
1 parent 42a0f04
commit 8c89755
Show file tree

Hide file tree

Showing 6 changed files with 19 additions and 17 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,7 +4,7 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## Unreleased (2020-12-29)
+## Unreleased
 
 ENHANCEMENTS
 

diff --git a/README.md b/README.md
@@ -158,8 +158,10 @@ Example for https protocol and specified webhook endpoint:
 module "landing_zone"{
   ...
   
-  sns_endpoint          = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
-  sns_endpoint_protocol = "https"
+  sns_security_subscription = {
+    endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
+    protocol = "https"
+  }
 }
 ```
 

diff --git a/audit.tf b/audit.tf
@@ -154,10 +154,10 @@ module "kms_key_audit" {
 }
 
 module "security_hub_audit" {
-  source                    = "./modules/security_hub"
-  providers                 = { aws = aws.audit }
-  account_id                = data.aws_caller_identity.current.account_id
-  sns_security_subscription = var.sns_security_subscription
+  source           = "./modules/security_hub"
+  providers        = { aws = aws.audit }
+  account_id       = data.aws_caller_identity.current.account_id
+  sns_subscription = var.sns_security_subscription
 
   member_accounts = {
     for id, email in local.aws_account_emails : id => email if id != var.control_tower_account_ids.audit

diff --git a/modules/security_hub/main.tf b/modules/security_hub/main.tf
@@ -27,10 +27,10 @@ resource "aws_securityhub_standards_subscription" "default" {
   depends_on    = [aws_securityhub_account.default]
 }
 
-resource "aws_sns_topic_subscription" "datadog-security" {
-  for_each   = toset(try(var.sns_security_subscription, []))
-  endpoint   = each.value.sns_endpoint
-  protocol   = each.value.sns_endpoint_protocol
+resource "aws_sns_topic_subscription" "datadog_security" {
+  for_each   = toset(try(var.sns_subscription, []))
+  endpoint   = each.value.endpoint
+  protocol   = each.value.protocol
   topic_arn  = "arn:aws:sns:${var.region}:${var.account_id}:aws-controltower-AggregateSecurityNotifications"
   depends_on = [aws_securityhub_account.default]
 }
diff --git a/modules/security_hub/variables.tf b/modules/security_hub/variables.tf
@@ -1,7 +1,7 @@
 variable "account_id" {
   type        = string
   default     = null
-  description = "AWS Account ID"
+  description = "AWS Audit Account ID"
 }
 
 variable "member_accounts" {
@@ -22,10 +22,10 @@ variable "region" {
   description = "The name of the AWS region where SecurityHub will be enabled"
 }
 
-variable "sns_security_subscription" {
+variable "sns_subscription" {
   type = list(object({
-    sns_endpoint          = string
-    sns_endpoint_protocol = string
+    endpoint = string
+    protocol = string
   }))
   default     = null
   description = "Aggregated security SNS topic subscription options"

diff --git a/variables.tf b/variables.tf
@@ -103,8 +103,8 @@ variable "monitor_iam_access" {
 
 variable "sns_security_subscription" {
   type = list(object({
-    sns_endpoint          = string
-    sns_endpoint_protocol = string
+    endpoint = string
+    protocol = string
   }))
   default     = null
   description = "Aggregated security SNS topic subscription options"