Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SecurityHub Organization Configuration Resource #19108

Merged
merged 1 commit into from
Jul 14, 2021
Merged

Add SecurityHub Organization Configuration Resource #19108

merged 1 commit into from
Jul 14, 2021

Conversation

djsd123
Copy link
Contributor

@djsd123 djsd123 commented Apr 26, 2021
edited
Loading

Resource to enable security hub's auto-enroll feature when apart of an
organization and a security hub admin account has been configured.

By default the Auto-Enable feature is disabled. See: Automatically enabling new organization accounts

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Closes #17287

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

@djsd123 djsd123 requested a review from a team as a code owner April 26, 2021 09:15
@ghost ghost added size/L Managed by automation to categorize the size of a PR. documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/securityhub Issues and PRs that pertain to the securityhub service. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. labels Apr 26, 2021
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Apr 26, 2021
github-actions[bot]
github-actions bot reviewed Apr 26, 2021
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @djsd123 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTING guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

@djsd123
Copy link
Contributor Author

djsd123 commented Apr 27, 2021

Addresses Issue #17287

@ewbankkit ewbankkit removed the needs-triage Waiting for first response or review from a maintainer. label Jul 14, 2021
@ewbankkit
Copy link
Contributor

@djsd123 Thanks for the contribution 🎉 👏.
So as to not be surprised if AWS make future additions to the UpdateOrganizationConfiguration API and to match the behavior of the aws_guardduty_organization_configuration resource we should add a required auto_enable attribute.
I went ahead and made the changes but as you are not currently allowing maintainers to push to your branch, these are the modified files:

aws/resource_aws_securityhub_organization_configuration.go
package aws

import (
	"fmt"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/service/securityhub"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
)

func resourceAwsSecurityHubOrganizationConfiguration() *schema.Resource {
	return &schema.Resource{
		Create: resourceAwsSecurityHubOrganizationConfigurationUpdate,
		Read:   resourceAwsSecurityHubOrganizationConfigurationRead,
		Update: resourceAwsSecurityHubOrganizationConfigurationUpdate,
		Delete: schema.Noop,

		Importer: &schema.ResourceImporter{
			State: schema.ImportStatePassthrough,
		},

		Schema: map[string]*schema.Schema{
			"auto_enable": {
				Type:     schema.TypeBool,
				Required: true,
			},
		},
	}
}

func resourceAwsSecurityHubOrganizationConfigurationUpdate(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).securityhubconn

	input := &securityhub.UpdateOrganizationConfigurationInput{
		AutoEnable: aws.Bool(d.Get("auto_enable").(bool)),
	}

	_, err := conn.UpdateOrganizationConfiguration(input)

	if err != nil {
		return fmt.Errorf("error updating Security Hub Organization Configuration (%s): %w", d.Id(), err)
	}

	d.SetId(meta.(*AWSClient).accountid)

	return resourceAwsSecurityHubOrganizationConfigurationRead(d, meta)
}

func resourceAwsSecurityHubOrganizationConfigurationRead(d *schema.ResourceData, meta interface{}) error {
	conn := meta.(*AWSClient).securityhubconn

	output, err := conn.DescribeOrganizationConfiguration(&securityhub.DescribeOrganizationConfigurationInput{})

	if err != nil {
		return fmt.Errorf("error reading Security Hub Organization Configuration: %w", err)
	}

	d.Set("auto_enable", output.AutoEnable)

	return nil
}
aws/resource_aws_securityhub_organization_configuration_test.go
package aws

import (
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go/service/securityhub"
	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
)

func testAccAwsSecurityHubOrganizationConfiguration_basic(t *testing.T) {
	resourceName := "aws_securityhub_organization_configuration.test"

	resource.Test(t, resource.TestCase{
		PreCheck:     func() { testAccPreCheck(t); testAccOrganizationsAccountPreCheck(t) },
		ErrorCheck:   testAccErrorCheck(t, securityhub.EndpointsID),
		Providers:    testAccProviders,
		CheckDestroy: nil, //lintignore:AT001
		Steps: []resource.TestStep{
			{
				Config: testAccAwsSecurityHubOrganizationConfigurationConfig(true),
				Check: resource.ComposeTestCheckFunc(
					testAccAwsSecurityHubOrganizationConfigurationExists(resourceName),
					resource.TestCheckResourceAttr(resourceName, "auto_enable", "true"),
				),
			},
			{
				ResourceName:      resourceName,
				ImportState:       true,
				ImportStateVerify: true,
			},
			{
				Config: testAccAwsSecurityHubOrganizationConfigurationConfig(false),
				Check: resource.ComposeTestCheckFunc(
					testAccAwsSecurityHubOrganizationConfigurationExists(resourceName),
					resource.TestCheckResourceAttr(resourceName, "auto_enable", "false"),
				),
			},
		},
	})
}

func testAccAwsSecurityHubOrganizationConfigurationExists(n string) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		_, ok := s.RootModule().Resources[n]
		if !ok {
			return fmt.Errorf("Not found: %s", n)
		}

		conn := testAccProvider.Meta().(*AWSClient).securityhubconn

		_, err := conn.DescribeOrganizationConfiguration(&securityhub.DescribeOrganizationConfigurationInput{})

		return err
	}
}

func testAccAwsSecurityHubOrganizationConfigurationConfig(autoEnable bool) string {
	return fmt.Sprintf(`
data "aws_partition" "current" {}

resource "aws_organizations_organization" "test" {
  aws_service_access_principals = ["securityhub.${data.aws_partition.current.dns_suffix}"]
  feature_set                   = "ALL"
}

resource "aws_securityhub_account" "test" {}

data "aws_caller_identity" "current" {}

resource "aws_securityhub_organization_admin_account" "test" {
  admin_account_id = data.aws_caller_identity.current.account_id

  depends_on = [aws_organizations_organization.test, aws_securityhub_account.test]
}

resource "aws_securityhub_organization_configuration" "test" {
  auto_enable = %[1]t

  depends_on = [aws_securityhub_organization_admin_account.test]
}
`, autoEnable)
}
website/docs/r/securityhub_organization_configuration.markdown

Attached with extra .txt extension:

securityhub_organization_configuration.markdown.txt

With these changes (running in an account that is not an existing member of an AWS Organization):

% make testacc TESTARGS='-run=TestAccAWSSecurityHub_serial/OrganizationConfiguration'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSSecurityHub_serial/OrganizationConfiguration -timeout 180m
=== RUN   TestAccAWSSecurityHub_serial
=== RUN   TestAccAWSSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccAWSSecurityHub_serial/OrganizationConfiguration/basic
--- PASS: TestAccAWSSecurityHub_serial (31.14s)
    --- PASS: TestAccAWSSecurityHub_serial/OrganizationConfiguration (31.14s)
        --- PASS: TestAccAWSSecurityHub_serial/OrganizationConfiguration/basic (31.14s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	34.082s

@ewbankkit ewbankkit added the waiting-response Maintainers are waiting on response from community or contributor. label Jul 14, 2021
@ewbankkit ewbankkit self-assigned this Jul 14, 2021
@djsd123
Copy link
Contributor Author

djsd123 commented Jul 14, 2021

Hi @ewbankkit, Thanks for the review. I've added you to the repo as a collaborator. However, I will go ahead and make the amendments and ping you shortly.

@djsd123
Copy link
Contributor Author

djsd123 commented Jul 14, 2021

Hello again @ewbankkit, That's done.

Thanks for the suggestions. I'll note what you did to inform any potential PRs in the future. 💯

@ewbankkit ewbankkit removed the waiting-response Maintainers are waiting on response from community or contributor. label Jul 14, 2021
@djsd123
Add SecurityHub Organization Configuration Resource
dc5410c 
Resource to enable security hub's auto-enroll feature when apart of an
organization and a security hub admin account has been configured.

By default the **Auto-Enable** feature is disabled. See: [Automatically enabling new organization accounts](https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html)

[method]: https://docs.aws.amazon.com/sdk-for-go/api/service/securityhub/#SecurityHub.UpdateOrganizationConfiguration
[input]: https://docs.aws.amazon.com/sdk-for-go/api/service/securityhub/#UpdateOrganizationConfigurationInput

Refactored with amendments suggested by @ewbankkit
ewbankkit
ewbankkit approved these changes Jul 14, 2021
View reviewed changes
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccAWSSecurityHub_serial/OrganizationConfiguration'
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./aws -v -count 1 -parallel 20 -run=TestAccAWSSecurityHub_serial/OrganizationConfiguration -timeout 180m
=== RUN   TestAccAWSSecurityHub_serial
=== RUN   TestAccAWSSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccAWSSecurityHub_serial/OrganizationConfiguration/basic
--- PASS: TestAccAWSSecurityHub_serial (31.10s)
    --- PASS: TestAccAWSSecurityHub_serial/OrganizationConfiguration (31.10s)
        --- PASS: TestAccAWSSecurityHub_serial/OrganizationConfiguration/basic (31.10s)
PASS
ok  	github.com/terraform-providers/terraform-provider-aws/aws	34.162s

@ewbankkit ewbankkit merged commit 6cfb1a1 into hashicorp:main Jul 14, 2021
@github-actions github-actions bot added this to the v3.50.0 milestone Jul 14, 2021
This was referenced Jul 14, 2021
Merged
Merged
@github-actions
Copy link

This functionality has been released in v3.50.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@djsd123 djsd123 mentioned this pull request Jul 16, 2021
Merged
breathingdust pushed a commit that referenced this pull request Jul 16, 2021
@djsd123
Amend SecurityHub Org Admin docs (#20217)
2f89fca 
Relates to this [Pull Request](#19108)

The example doesn't include required parameter `auto_enable = true`
@djsd123 djsd123 deleted the djsd123/add-resource-sechub-org-config branch July 16, 2021 22:40
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 16, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@ewbankkit ewbankkit ewbankkit approved these changes

Assignees
No one assigned
Labels
documentation Introduces or discusses updates to documentation. provider Pertains to the provider itself, rather than any interaction with AWS. service/securityhub Issues and PRs that pertain to the securityhub service. size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
v3.50.0
Development

Successfully merging this pull request may close these issues.

Support for Managing Security Hub Organization Configuration
2 participants
@djsd123 @ewbankkit