security topic sns subscription #41
variables.tf
Outdated
variable "sns_endpoint" { | ||
type = string | ||
description = "Endpoint for SNS topic subscription" | ||
} | ||
variable "sns_endpoint_protocol" { | ||
type = string | ||
description = "Endpoint protocol for SNS topic subscription" | ||
} | ||
variable "sns_security_topic_subscription" { | ||
type = bool | ||
description = "Enable SNS aggregated security topic subscription" | ||
} |
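Review bot: `sns_security_topic_subscription` has no default in this root `variables.tf`, so every caller must set it even when they do not want the subscription, while the same variable in `modules/security_hub/variables.tf` defaults to `false`; give the root copy `default = false` too (or fold the three variables into one object that defaults to `null`). `sns_endpoint_protocol` is also a free-form string; a `validation` block restricting it to the protocols SNS accepts for subscriptions (http, https, email, email-json, sms, sqs, lambda, application, firehose) turns a typo into a plan-time error instead of an apply-time API error.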
Could these values be specified in a single `sns_security_subscription` object?
done
modules/security_hub/variables.tf
Outdated
variable "sns_endpoint" { | ||
type = string | ||
description = "Endpoint for SNS topic subscription" | ||
} | ||
variable "sns_endpoint_protocol" { | ||
type = string | ||
description = "Endpoint protocol for SNS topic subscription" | ||
} | ||
variable "sns_security_topic_subscription" { | ||
type = bool | ||
default = false | ||
description = "Enable SNS aggregated security topic subscription" | ||
} |
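Review bot: `sns_endpoint` and `sns_endpoint_protocol` are required strings with no default, so the module cannot be instantiated without an endpoint even when `sns_security_topic_subscription` is `false`; give them `default = null` or combine the three into a single optional object so that disabling the feature needs no endpoint value. The description should also say that for an https webhook the endpoint URL normally carries the receiver's API key (the README example in this PR does exactly that), so it is a credential: mark it `sensitive = true` on Terraform 0.14+ and keep it out of committed `.tfvars` files.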
Could these values be specified in a single `sns_security_subscription` object?
done
modules/security_hub/variables.tf
Outdated
variable "account_id" { | ||
type = string | ||
description = "AWS Account ID" | ||
} |
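Review bot: the description `AWS Account ID` does not say which account. The variable is interpolated into `arn:aws:sns:${var.region}:${var.account_id}:aws-controltower-AggregateSecurityNotifications`, so it has to be the Control Tower audit account that owns that topic (the later `audit.tf` hunk fills it from `var.control_tower_account_ids.audit`); say so in the description, and add a `validation` that the value matches `^[0-9]{12}$` so a wrong input fails at plan rather than producing a malformed ARN.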
What is this for? There is no reference to this variable anywhere else.
It is referenced in `topic_arn = "arn:aws:sns:${var.region}:${var.account_id}:aws-controltower-AggregateSecurityNotifications"`, line 34 in modules/security_hub/main.tf.
README.md
Outdated
If you would like to subscribe to aggregated security SNS topic created by Control Tower, set `sns_security_topic_subscription` variable to `true`. | ||
And provide values for your endpoint to receive notifications, variable `sns_endpoint` and protocol to be used, variable `sns_endpoint_protocol`. |
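Review bot: the README should say what happens after apply for an `https` endpoint: the subscription is created in `PendingConfirmation` and SNS sends a confirmation request to the URL, so either the receiver confirms automatically (then `endpoint_auto_confirms = true` belongs on the `aws_sns_topic_subscription` resource) or someone must confirm it before any findings arrive. The two sentences also read better as one: "To receive Control Tower's aggregated security notifications, set `sns_security_topic_subscription = true` and provide `sns_endpoint` and `sns_endpoint_protocol` for the receiving endpoint."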
This needs to be reworded as it's hard to follow in the current form. Can you please also add an example like other opt-in settings.
done
CHANGELOG.md
Outdated
@@ -4,7 +4,11 @@ All notable changes to this project will be documented in this file. | |||
The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). | |||
## Unreleased | |||
## Unreleased (2020-12-29) |
## Unreleased (2020-12-29) | |
## Unreleased |
No need to append a date to the unreleased header.
modules/security_hub/main.tf
Outdated
@@ -26,3 +26,11 @@ resource "aws_securityhub_standards_subscription" "default" { | |||
standards_arn = each.value | |||
depends_on = [aws_securityhub_account.default] | |||
} | |||
|
|||
resource "aws_sns_topic_subscription" "datadog-security" { |
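Review bot: `datadog-security` bakes one vendor into a module whose endpoint and protocol are inputs; name the resource for its role (e.g. `security_notifications`) rather than for the receiver. Because the README presents the subscription as opt-in, the block also needs a `count` tied to the enable flag (`count = var.sns_security_topic_subscription ? 1 : 0`) so nothing is created when the flag is off; only the header is visible in this hunk, so please confirm that is the case.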
resource "aws_sns_topic_subscription" "datadog-security" { | |
resource "aws_sns_topic_subscription" "datadog_security" { |
We should use `_` in resource names.
modules/security_hub/variables.tf
Outdated
variable "account_id" { | ||
type = string | ||
default = null | ||
description = "AWS Account ID" |
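Review bot: `default = null` here interacts badly with the interpolation `${var.account_id}` in `topic_arn` (line 34 of `modules/security_hub/main.tf`, per the earlier reply): Terraform rejects a null value inside a string template with "Invalid template interpolation value", so the module fails at plan as soon as the subscription is enabled without an account. Either keep the variable required, or evaluate the ARN only inside the `count`-gated resource and add a `validation` that the value is a 12-digit account ID.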
What AWS Account ID should be entered here? The description could do with some updating 🙂
modules/security_hub/variables.tf
Outdated
sns_endpoint = string | ||
sns_endpoint_protocol = string |
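Review bot: now that the fields live in one object, add a `validation` block on the variable: `protocol` must be one of the SNS subscription protocols (http, https, email, email-json, sms, sqs, lambda, application, firehose) and `endpoint` must be non-empty, otherwise a bad value only surfaces as an API error at apply. Give the object `default = null` as well, so omitting it disables the subscription and the resource can be gated with `count = var.sns_security_subscription == null ? 0 : 1` instead of a separate boolean.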
sns_endpoint = string | |
sns_endpoint_protocol = string | |
endpoint = string | |
protocol = string |
No need to include an `sns` prefix if the variable is about SNS already. Does it make sense to trim `endpoint_protocol` down to just `protocol` too?
variables.tf
Outdated
sns_endpoint = string | ||
sns_endpoint_protocol = string |
sns_endpoint = string | |
sns_endpoint_protocol = string | |
endpoint = string | |
protocol = string |
No need to include an `sns` prefix if the variable is about SNS already. Does it make sense to trim `endpoint_protocol` down to just `protocol` too?
README.md
Outdated
sns_endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789" | ||
sns_endpoint_protocol = "https" |
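Review bot: the example endpoint carries a Datadog API key in its query string (`api_key=qwerty0123456789`). Even as a placeholder it teaches readers to commit the key in `.tf` files, and whatever value is passed ends up in plain text in the Terraform state. Use an unmistakable placeholder such as `api_key=<DATADOG_API_KEY>`, and tell readers to supply the real value through a variable set from a secret store (e.g. `TF_VAR_sns_endpoint` in CI) or a `.tfvars` file excluded from version control, and to protect the state backend accordingly.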
sns_endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789" | |
sns_endpoint_protocol = "https" | |
sns_security_subscription = { | |
endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789" | |
protocol = "https" | |
} |
README.md
Outdated
Example for https protocol and specified webhook endpoint: | ||
```hcl | ||
module "landing_zone"{ |
module "landing_zone"{ | |
module "landing_zone" { |
README.md
Outdated
@@ -148,6 +148,24 @@ module "landing_zone" { | |||
] | |||
``` | |||
### Enable SNS topic subscription | |||
If you need to subscribe to AggregatedSecurityNotifications topic in order to receive security findings, please set values for `sns_endpoint` and `sns_endpoint_protocol` variables. |
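Review bot: the topic name here is wrong; elsewhere in this PR (the `topic_arn` in `modules/security_hub/main.tf` and the PR description) it is `aws-controltower-AggregateSecurityNotifications`, not "AggregatedSecurityNotifications", and the README should use the exact name so readers can find the topic in the audit account. The paragraph should also mention that these two variables have no effect unless `sns_security_topic_subscription` is `true`.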
If you need to subscribe to AggregatedSecurityNotifications topic in order to receive security findings, please set values for `sns_endpoint` and `sns_endpoint_protocol` variables. | |
To subscribe to the `AggregatedSecurityNotifications` topic to receive security findings, set the `sns_security_subscription` variable as shown below. |
audit.tf
Outdated
merge(sub, { account_id = var.control_tower_account_ids.audit } | ||
) |
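Review bot: `merge(sub, { account_id = var.control_tower_account_ids.audit })` supplies the account from the Control Tower account map, which confirms that the module's `account_id` is the audit account; document it as such in `modules/security_hub/variables.tf`, and consider not exposing it as a root-level input at all, since callers already provide it via `control_tower_account_ids`.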
merge(sub, { account_id = var.control_tower_account_ids.audit } | |
) | |
merge(sub, { account_id = var.control_tower_account_ids.audit }) |
This is a PR to support subscribing to the SNS topic `aws-controltower-AggregateSecurityNotifications`.
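For reference, the shape this review converges on (one `sns_security_subscription` object, a subscription created only when the object is set, pointed at the Control Tower aggregate topic) written out as an added example. This is not code from the repository under review. It assumes `var.region` and `var.account_id` are declared as they are in the PR, that `account_id` is the Control Tower audit account, and that the receiving endpoint confirms the SNS subscription on its own.

```hcl
# Added example, not code from the repository under review. It assumes
# var.region and var.account_id (the Control Tower audit account) are
# declared elsewhere, as they are in the PR, and that the receiving
# endpoint confirms the SNS subscription on its own.

variable "sns_security_subscription" {
  description = "Endpoint to subscribe to the Control Tower aws-controltower-AggregateSecurityNotifications topic. Leave null to create no subscription."
  type = object({
    endpoint = string
    protocol = string
  })
  default = null

  validation {
    # try() returns the fallback when the object is null, so null passes.
    condition = contains(
      ["http", "https", "email", "email-json", "sms", "sqs", "lambda", "application", "firehose"],
      try(var.sns_security_subscription.protocol, "https")
    )
    error_message = "Protocol must be one of the protocols SNS accepts for subscriptions."
  }
}

resource "aws_sns_topic_subscription" "security_notifications" {
  # Opt-in: nothing is created, and none of the expressions below are
  # evaluated, when the variable is left null.
  count = var.sns_security_subscription == null ? 0 : 1

  # The aggregate security topic Control Tower creates in the audit account.
  # Built here rather than in a local so a null account_id only matters when
  # the subscription is actually enabled.
  topic_arn = "arn:aws:sns:${var.region}:${var.account_id}:aws-controltower-AggregateSecurityNotifications"
  protocol  = var.sns_security_subscription.protocol
  endpoint  = var.sns_security_subscription.endpoint

  # http/https subscriptions stay PendingConfirmation until the endpoint
  # confirms. Only set this for receivers that confirm automatically;
  # otherwise Terraform waits for a manual confirmation and times out.
  endpoint_auto_confirms = contains(["http", "https"], var.sns_security_subscription.protocol)
}
```

Callers that want the subscription set the object; callers that do not simply omit it. Because an https webhook URL usually carries the receiver's API key, it is best supplied outside the repository, for example `TF_VAR_sns_security_subscription='{endpoint="https://app.datadoghq.com/intake/webhook/sns?api_key=<DATADOG_API_KEY>", protocol="https"}'` in the CI environment (Terraform parses complex-typed `TF_VAR_` values as HCL literals). The key still lands in the Terraform state, so the state backend needs the same protection as the key itself.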