The SourceFuse AWS Reference Architecture (ARC) Terraform module streamlines the deployment of the AWS account-level security services it wraps (AWS Config, GuardDuty, Inspector and Security Hub), improving security posture and compliance for AWS environments. The module offers simplified configuration for each service, SNS notification topics for their findings, and the IAM roles and storage the services need.
For more information about this repository and its usage, please see the Terraform AWS ARC GitHub SECURITY Module Usage Guide.
To see a full example, check out the main.tf file in the example folder.

```hcl
module "cloud_security" {
  source  = "sourcefuse/arc-security/aws"
  version = "1.0.2"

  region      = var.region
  environment = var.environment
  namespace   = var.namespace

  enable_inspector    = true
  enable_aws_config   = true
  enable_guard_duty   = true
  enable_security_hub = false

  create_config_iam_role = true

  aws_config_sns_subscribers   = local.aws_config_sns_subscribers
  guard_duty_sns_subscribers   = local.guard_duty_sns_subscribers
  security_hub_sns_subscribers = local.security_hub_sns_subscribers

  aws_config_managed_rules       = var.aws_config_managed_rules
  enabled_security_hub_standards = local.security_hub_standards

  create_inspector_iam_role               = var.create_inspector_iam_role
  inspector_enabled_rules                 = var.inspector_enabled_rules
  inspector_schedule_expression           = var.inspector_schedule_expression
  inspector_assessment_event_subscription = var.inspector_assessment_event_subscription

  tags = module.tags.tags
}
```

Note that this snippet passes `create_inspector_iam_role`, `inspector_enabled_rules` and `inspector_assessment_event_subscription`, which the Inputs table below does not list, and omits `inspector_account_list`, which the table marks as required; check the arguments against the variables declared by the module version you pin. The snippet also sets `enable_security_hub = false` (the input defaults to `true`), so flip it if Security Hub is wanted.
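The usage block refers to `local.*_sns_subscribers`, `local.security_hub_standards` and `var.aws_config_managed_rules` without showing them. The following is an added example, not code from the SourceFuse module or its example folder, of what those values can look like in the root module, together with an SQS queue that can actually receive from the SNS topics the module creates. The subscriber object fields are the four the Inputs table documents; the queue name, the PagerDuty URL and the chosen rules are placeholders; and the managed-rule object shape is an assumption that mirrors the upstream cloudposse/config module, so check it against the variables.tf of the version you pin.

```hcl
# Added example (not the module's own code). Assumptions: the subscriber object
# shape below matches the module's variables; the managed-rule object shape is
# taken from cloudposse/config and must be verified; names and URLs are placeholders.

data "aws_caller_identity" "current" {}

# Queue that collects GuardDuty, Security Hub and Config notifications for a
# SIEM forwarder or triage Lambda to poll. Encrypted at rest; 14-day retention
# so a quiet on-call week does not silently drop findings.
resource "aws_sqs_queue" "security_findings" {
  name                      = "${var.namespace}-${var.environment}-security-findings"
  sqs_managed_sse_enabled   = true
  message_retention_seconds = 1209600
}

# A subscription alone does not let SNS deliver: the queue needs a resource
# policy. Pinning aws:SourceAccount blocks confused-deputy delivery from topics
# in other accounts.
data "aws_iam_policy_document" "security_findings_queue" {
  statement {
    sid       = "AllowSnsFromThisAccount"
    effect    = "Allow"
    actions   = ["sqs:SendMessage"]
    resources = [aws_sqs_queue.security_findings.arn]
    principals {
      type        = "Service"
      identifiers = ["sns.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_sqs_queue_policy" "security_findings" {
  queue_url = aws_sqs_queue.security_findings.id
  policy    = data.aws_iam_policy_document.security_findings_queue.json
}

locals {
  # One subscriber object reused by every service; map keys are arbitrary labels.
  findings_queue_subscriber = {
    findings_queue = {
      protocol               = "sqs"
      endpoint               = aws_sqs_queue.security_findings.arn
      endpoint_auto_confirms = false
      raw_message_delivery   = true # finding JSON as-is, without the SNS envelope
    }
  }

  guard_duty_sns_subscribers   = local.findings_queue_subscriber
  security_hub_sns_subscribers = local.findings_queue_subscriber

  # Config non-compliance also pages on-call. PagerDuty confirms SNS
  # subscriptions itself, hence endpoint_auto_confirms = true. Placeholder URL.
  aws_config_sns_subscribers = merge(local.findings_queue_subscriber, {
    pagerduty = {
      protocol               = "https"
      endpoint               = "https://events.pagerduty.com/integration/REPLACE_ME/enqueue"
      endpoint_auto_confirms = true
      raw_message_delivery   = false
    }
  })

  # Values from the enabled_security_hub_standards description in the Inputs table.
  security_hub_standards = [
    "standards/aws-foundational-security-best-practices/v/1.0.0",
    "ruleset/cis-aws-foundations-benchmark/v/1.2.0",
  ]
}

# Root-module variable feeding aws_config_managed_rules. Identifiers are AWS
# Config managed-rule identifiers; the object shape is the assumption noted above.
variable "aws_config_managed_rules" {
  type = map(object({
    description      = string
    identifier       = string
    input_parameters = any
    tags             = map(string)
    enabled          = bool
  }))
  default = {
    root-account-mfa-enabled = {
      description      = "Root user must have MFA enabled"
      identifier       = "ROOT_ACCOUNT_MFA_ENABLED"
      input_parameters = null
      tags             = {}
      enabled          = true
    }
    iam-password-policy = {
      description      = "Account password policy meets minimum strength"
      identifier       = "IAM_PASSWORD_POLICY"
      input_parameters = { MinimumPasswordLength = "14", RequireSymbols = "true" }
      tags             = {}
      enabled          = true
    }
  }
}
```

Raw message delivery is switched on for the queue so consumers get the finding document directly rather than an SNS envelope; leave it off for endpoints such as PagerDuty that expect the standard SNS JSON.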
Requirements

Name | Version |
---|---|
terraform | >= 1.3, < 2.0.0 |
aws | >= 5.0, < 6.0 |
Providers

Name | Version |
---|---|
aws | 5.62.0 |
Modules

Name | Source | Version |
---|---|---|
aws_config_storage | cloudposse/config-storage/aws | 1.0.2 |
config | cloudposse/config/aws | 1.5.2 |
guard_duty | cloudposse/guardduty/aws | 0.6.0 |
guard_duty_sns_topic | cloudposse/sns-topic/aws | 0.20.1 |
inspector | ./modules/inspector | n/a |
security_hub | cloudposse/security-hub/aws | 0.12.2 |
securityhub_sns_kms_key | cloudposse/kms-key/aws | 0.12.2 |
securityhub_sns_topic | cloudposse/sns-topic/aws | 0.21.0 |
sns_guard_duty | cloudposse/sns-topic/aws | 0.21.0 |
Resources

Name | Type |
---|---|
aws_cloudwatch_event_rule.guard_duty_findings | resource |
aws_cloudwatch_event_rule.imported_findings | resource |
aws_cloudwatch_event_target.guard_duty_imported_findings | resource |
aws_cloudwatch_event_target.security_hub_imported_findings | resource |
aws_kms_alias.this | resource |
aws_kms_key.this | resource |
aws_sns_topic_policy.sns_topic_guard_duty | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.guard_duty_sns_topic_policy | data source |
aws_iam_policy_document.securityhub_sns_kms_key_policy | data source |
aws_iam_session_context.current | data source |
aws_partition.current | data source |
aws_region.current | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
aws_config_managed_rules | A map of AWS Managed Rules that should be enabled on the account. See the following for a list of possible rules to enable: https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html | map(object({ … })) | {} | no |
aws_config_sns_subscribers | A map of subscription configurations for SNS topics. For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference. protocol: the protocol to use; possible values are sqs, sms, lambda, application (http or https are partially supported, see link; email is an option but is unsupported in Terraform, see link). endpoint: the endpoint to send data to; the contents vary with the protocol (see link). endpoint_auto_confirms: boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false. raw_message_delivery: boolean indicating whether to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false. | map(object({ … })) | n/a | yes |
create_config_iam_role | Flag to indicate whether an IAM role should be created for AWS Config. | bool | false | no |
enable_aws_config | Whether to enable AWS Config | bool | true | no |
enable_guard_duty | Whether to enable GuardDuty | bool | true | no |
enable_inspector | Whether to enable Inspector | bool | true | no |
enable_inspector_at_orgnanization | Whether to enable Inspector at the organization level; if false, inspector_account_list should be provided | bool | false | no |
enable_security_hub | Whether to enable Security Hub | bool | true | no |
enabled_security_hub_standards | A list of standards/rulesets to enable. See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription#argument-reference. The possible values are: standards/aws-foundational-security-best-practices/v/1.0.0, ruleset/cis-aws-foundations-benchmark/v/1.2.0, standards/pci-dss/v/3.2.1 | list(any) | n/a | yes |
environment | ID element. Usually used for region, e.g. 'uw2', 'us-west-2', OR role, e.g. 'prod', 'staging', 'dev', 'UAT' | string | n/a | yes |
force_destroy | (Optional, default false) A boolean that indicates all objects should be deleted from the bucket (the AWS Config storage bucket) so that the bucket can be destroyed without error. These objects are not recoverable. | bool | false | no |
guard_duty_s3_protection_enabled | Flag to indicate whether S3 protection will be turned on in GuardDuty. | bool | false | no |
guard_duty_sns_subscribers | A map of subscription configurations for SNS topics. For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference. protocol: the protocol to use; possible values are sqs, sms, lambda, application (http or https are partially supported, see link; email is an option but is unsupported in Terraform, see link). endpoint: the endpoint to send data to; the contents vary with the protocol (see link). endpoint_auto_confirms: boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false. raw_message_delivery: boolean indicating whether to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false. | map(object({ … })) | null | no |
inspector_account_list | List of accounts for which Inspector has to be enabled | list(string) | n/a | yes |
inspector_resource_types | Type of resources to scan. Valid values are EC2, ECR, LAMBDA and LAMBDA_CODE. At least one item is required. | list(string) | [ … ] | no |
inspector_schedule_expression | AWS schedule expression to indicate how often the Inspector scheduled event should run | string | "rate(7 days)" | no |
inspector_sns_subscribers | A map of subscription configurations for SNS topics. For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference. protocol: the protocol to use; possible values are sqs, sms, lambda, application (http or https are partially supported, see link; email is an option but is unsupported in Terraform, see link). endpoint: the endpoint to send data to; the contents vary with the protocol (see link). endpoint_auto_confirms: boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false. raw_message_delivery: boolean indicating whether to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false. | map(object({ … })) | null | no |
namespace | Namespace for the resources. | string | n/a | yes |
region | AWS region | string | "us-east-1" | no |
security_hub_sns_subscribers | A map of subscription configurations for SNS topics. For more information, see: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference. protocol: the protocol to use; possible values are sqs, sms, lambda, application (http or https are partially supported, see link; email is an option but is unsupported in Terraform, see link). endpoint: the endpoint to send data to; the contents vary with the protocol (see link). endpoint_auto_confirms: boolean indicating whether the endpoint is capable of auto-confirming the subscription, e.g. PagerDuty. Default is false. raw_message_delivery: boolean indicating whether to enable raw message delivery (the original message is passed directly, not wrapped in JSON with the original message in the message property). Default is false. | map(object({ … })) | null | no |
tags | Tags for AWS resources | map(string) | n/a | yes |
Outputs

Name | Description |
---|---|
aws_config_configuration_recorder_id | The ID of the AWS Config recorder |
aws_config_iam_role | IAM role used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. |
aws_config_sns_topic | AWS Config SNS topic |
aws_config_sns_topic_subscriptions | AWS Config SNS topic subscriptions |
guard_duty_detector | GuardDuty detector |
guard_duty_sns_topic | GuardDuty SNS topic |
guard_duty_sns_topic_subscriptions | GuardDuty SNS topic subscriptions |
inspector_aws_cloudwatch_event_rule | The AWS Inspector event rule |
inspector_aws_cloudwatch_event_target | The AWS Inspector event target |
security_hub_enabled_subscriptions | A list of Security Hub standards subscriptions that have been enabled |
security_hub_sns_topic | The Security Hub SNS topic that was created |
security_hub_sns_topic_subscriptions | The subscriptions created on the Security Hub SNS topic |
When contributing, specify in your commit message whether the change is major, minor or patch, so the release version is bumped accordingly. For example:

```shell
git commit -m "your commit message #major"
```

If you do not specify this in your commit message, the change is treated as a patch by default and the patch version is bumped.
- Configure pre-commit hooks

  ```shell
  pre-commit install
  ```

- Tests are available in the `test` directory.
- Configure the dependencies

  ```shell
  cd test/
  go mod init github.com/sourcefuse/terraform-aws-refarch-<module_name>
  go get github.com/gruntwork-io/terratest/modules/terraform
  ```

- Now execute the test

  ```shell
  go test -timeout 30m
  ```
This project is authored by:
- SourceFuse