security topic sns subscription

[64ne]

This is PR to support subscribing to SNS topic, aws-controltower-AggregateSecurityNotifications

[github-actions]

terraform validate Failed

Error: Missing required argument

  on audit.tf line 156, in module "security_hub_audit":
 156: module "security_hub_audit" {

The argument "account_id" is required, but no definition was found.


Error: Missing required argument

  on audit.tf line 156, in module "security_hub_audit":
 156: module "security_hub_audit" {

The argument "sns_endpoint" is required, but no definition was found.


Error: Missing required argument

  on audit.tf line 156, in module "security_hub_audit":
 156: module "security_hub_audit" {

The argument "sns_endpoint_protocol" is required, but no definition was found.

Workflow: Terraform, Action: hashicorpterraform-github-actions2, Working Directory: ., Workspace: default

[shoekstra]

Could these values be specified in a single sns_security_subscription object?

[64ne]

done

[shoekstra]

Could these values be specified in a single sns_security_subscription object?

[64ne]

done

[shoekstra]

What is this for? There is no reference to this variable anywhere else.

[64ne]

it is referenced in topic_arn = "arn:aws:sns:${var.region}:${var.account_id}:aws-controltower-AggregateSecurityNotifications", line 34 in modules/security_hub/main.tf

[shoekstra]

This needs to be reworded as it's hard to follow in the current form. Can you please also add an example like other opt-in settings.

[64ne]

done

[github-actions]

terraform fmt Failed

./audit.tf

 }
 
 module "security_hub_audit" {
-  source                          = "./modules/security_hub"
-  providers                       = { aws = aws.audit }
-  account_id                      = data.aws_caller_identity.current.account_id
-  sns_security_subscription       = var.sns_security_subscription
+  source                    = "./modules/security_hub"
+  providers                 = { aws = aws.audit }
+  account_id                = data.aws_caller_identity.current.account_id
+  sns_security_subscription = var.sns_security_subscription
 
   member_accounts = {
     for id, email in local.aws_account_emails : id => email if id != var.control_tower_account_ids.audit

./modules/security_hub/variables.tf

 
 variable "sns_security_subscription" {
   type = list(object({
-    sns_endpoint                    = string
-    sns_endpoint_protocol           = string
+    sns_endpoint          = string
+    sns_endpoint_protocol = string
   }))
   default     = null
   description = "Aggregated security SNS topic subscription options"

./variables.tf

 
 variable "sns_security_subscription" {
   type = list(object({
-    sns_endpoint                    = string
-    sns_endpoint_protocol           = string
+    sns_endpoint          = string
+    sns_endpoint_protocol = string
   }))
   default     = null
   description = "Aggregated security SNS topic subscription options"

Workflow: Terraform, Action: hashicorpterraform-github-actions, Working Directory: ., Workspace: default

[github-actions]

terraform validate Failed

Error: Missing required argument

  on main.tf line 129, in module "security_hub_master":
 129: module "security_hub_master" {

The argument "account_id" is required, but no definition was found.

Workflow: Terraform, Action: hashicorpterraform-github-actions2, Working Directory: ., Workspace: default

[github-actions]

terraform validate Failed

Error: Missing required argument

  on logging.tf line 70, in module "security_hub_logging":
  70: module "security_hub_logging" {

The argument "account_id" is required, but no definition was found.

Workflow: Terraform, Action: hashicorpterraform-github-actions2, Working Directory: ., Workspace: default

[shoekstra]

Suggested change

	## Unreleased (2020-12-29)
	## Unreleased

No need to append a date to the unreleased header.

[shoekstra]

Suggested change

	resource "aws_sns_topic_subscription" "datadog-security" {
	resource "aws_sns_topic_subscription" "datadog_security" {

We should use _ in resource names.

[shoekstra]

What AWS Account ID should be entered here? The description could do with some updating 🙂

[shoekstra]

Suggested change

	sns_endpoint = string
	sns_endpoint_protocol = string
	endpoint = string
	protocol = string

No need to include an sns prefix if the variable is about SNS already.

Does it make sense to trim endpoint_protocol down to just protocol too?

[shoekstra]

Suggested change

	sns_endpoint = string
	sns_endpoint_protocol = string
	endpoint = string
	protocol = string

No need to include an sns prefix if the variable is about SNS already.

Does it make sense to trim endpoint_protocol down to just protocol too?

[shoekstra]

Suggested change

	sns_endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
	sns_endpoint_protocol = "https"
	sns_security_subscription = {
	endpoint = "https://app.datadoghq.com/intake/webhook/sns?api_key=qwerty0123456789"
	protocol = "https"
	}

[github-actions]

terraform validate Failed

Error: Error in function call

  on audit.tf line 2, in locals:
   2:   sns_security_subscription = merge(
   3:     var.sns_security_subscription,
   4:     { account_id = var.control_tower_account_ids.audit }
   5:   )

Call to function "merge" failed: arguments must be maps or objects, got "list
of object".

Workflow: Terraform, Action: hashicorpterraform-github-actions2, Working Directory: ., Workspace: default

[shoekstra]

Suggested change

	module "landing_zone"{
	module "landing_zone" {

[shoekstra]

Suggested change

	If you need to subscribe to AggregatedSecurityNotifications topic in order to receive security findings, please set values for `sns_endpoint` and `sns_endpoint_protocol` variables.
	To subscribe to the `AggregatedSecurityNotifications` topic to receive security findings, set the `sns_security_subscription` variable as shown below.

[github-actions]

terraform validate Failed

Error: Invalid value for module argument

  on audit.tf line 166, in module "security_hub_audit":
 166:   sns_subscription = local.sns_security_subscription

The given value is not suitable for child module variable "sns_subscription"
defined at modules/security_hub/variables.tf:19,1-28: list of object required.

Workflow: Terraform, Action: hashicorpterraform-github-actions2, Working Directory: ., Workspace: default

[github-actions]

terraform fmt Failed

./audit.tf

 locals {
   sns_security_subscription = [
     for sub in var.sns_security_subscription :
-      merge(sub, { account_id = var.control_tower_account_ids.audit }
+    merge(sub, { account_id = var.control_tower_account_ids.audit }
     )
   ]
 }

Workflow: Terraform, Action: hashicorpterraform-github-actions, Working Directory: ., Workspace: default

[shoekstra]

Suggested change

	merge(sub, { account_id = var.control_tower_account_ids.audit }
	)
	merge(sub, { account_id = var.control_tower_account_ids.audit })