Add SecurityHub central organization configuration support #35752
Welcome @twelsh-aw 👋
It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.
Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.
Thanks again, and welcome to the community! 😃
The dependency order is sound here... we just didn't code anything to destroy.
- separate test suite for future resources
- dedicated destroy function for clarity
- refactor some common test setup for member account delegated admin
+ some fixes to destroy checks added. Can't call Gets/Describes on these resources once not delegated admin (which is always the case when suite is properly destroyed)
We want this new property to be Optional and Computed so that it doesn't break anything on upgrade.
Passes `make docs-lint`
This got re-named
Delegating as admin implicitly creates the security hub account so this is not needed. We remove this to make tests less flaky, as sometimes security hub would remain active in the region after test cleanup, which would interfere with subsequent tests
The OU attachment is much faster since it's empty
…curityHub_serial'.
…nfiguration_type = "CENTRAL"'.
… resource Delete behaviour.
…t.PreCheckAlternateRegionIs'.
…acctest.PreCheckOrganizationMemberAccountWithProvider'.
…PreCheckOrganizationManagementAccountWithProvider'.
…ataUnavailableException: Central configuration couldn't be enabled because data from organization ... is still syncing. Retry later'.
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 63.306s
…otFoundException' on Delete.
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 395.181s
LGTM 🚀.
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/OrganizationConfiguration -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration/basic
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
organization_configuration_test.go:99: this AWS account must not be the management account of an AWS Organization
--- PASS: TestAccSecurityHub_serial (72.77s)
--- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (72.77s)
--- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/basic (37.71s)
--- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards (34.86s)
--- SKIP: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (0.20s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 79.705s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
--- PASS: TestAccSecurityHub_serial (88.08s)
--- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (88.08s)
--- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (88.08s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 95.411s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 63.306s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/^C' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/^C -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters
=== RUN TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers
--- PASS: TestAccSecurityHub_serial (234.27s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (234.27s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters (159.73s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers (74.54s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 240.906s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
--- PASS: TestAccSecurityHub_serial (321.29s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (321.29s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (321.29s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 328.106s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT TestAccSecurityHub_serial
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
--- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok github.com/hashicorp/terraform-provider-aws/internal/service/securityhub 395.181s
@twelsh-aw Thanks for the contribution 🎉 👏.
Absolutely amazing m8! Thank you @twelsh-aw for the hard work and contribution 💪 🎉
@twelsh-aw Thank you, great work! :)
This functionality has been released in v5.41.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
Description
Adds resources to manage Security Hub central configuration:
- aws_securityhub_organization_configuration resource to support setting configuration_type = "CENTRAL"
- aws_securityhub_configuration_policy resource to allow defining configuration policies
- aws_securityhub_configuration_policy_association resource to allow associating configuration policies with targets (accounts, OUs, roots)
Relations
Closes #34651
References
Output from Acceptance Testing
Existing tests affected (single account):
New Tests (multi account):
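The description above lists the three resources this PR adds but shows no configuration using them together. The following is an added example, not code from the PR or from the provider's own documentation, of how a delegated Security Hub administrator would wire them up: switch the organization to central configuration, define one baseline policy, and attach it to an OU so member accounts inherit an enforced baseline rather than each choosing its own. Only configuration_type = "CENTRAL" appears on the page; the other attribute names follow my reading of the resources as released in v5.41.0 and should be checked against the resource documentation, and the account, OU and standard ARN values are placeholders.

```hcl
# Added example (not part of the PR). Applied from the account that is already
# the Security Hub delegated administrator. Attribute names other than
# configuration_type are assumptions to verify against the provider docs;
# IDs and ARNs are placeholders.

provider "aws" {
  region = "us-east-1" # the Security Hub home region
}

# Central configuration requires cross-Region aggregation in the home region,
# so the aggregator must exist before the configuration type is switched.
resource "aws_securityhub_finding_aggregator" "example" {
  linking_mode = "ALL_REGIONS"
}

# Switch the organization from LOCAL to CENTRAL configuration. Once central,
# enablement of Security Hub and standards in member accounts is driven by
# configuration policies, so the auto-enable settings are turned off here.
resource "aws_securityhub_organization_configuration" "example" {
  auto_enable           = false
  auto_enable_standards = "NONE"

  organization_configuration {
    configuration_type = "CENTRAL"
  }

  # Ordering matters: the provider can only enable central configuration after
  # the aggregator exists (and after organization data has finished syncing,
  # which the PR's tests retry on).
  depends_on = [aws_securityhub_finding_aggregator.example]
}

# One baseline policy: Security Hub on, the FSBP standard enabled, and no
# controls disabled. A member account associated with this policy cannot
# locally disable Security Hub or the standard while centrally managed.
resource "aws_securityhub_configuration_policy" "baseline" {
  name        = "baseline"
  description = "Security Hub enabled with AWS Foundational Security Best Practices"

  configuration_policy {
    service_enabled = true
    enabled_standard_arns = [
      # placeholder standard ARN; use the ARN listed for your home region
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    ]
    security_controls_configuration {
      disabled_control_identifiers = []
    }
  }

  depends_on = [aws_securityhub_organization_configuration.example]
}

# Associate the policy with an OU; every account under that OU inherits it.
# Targets may also be a single account ID or the organization root ID.
resource "aws_securityhub_configuration_policy_association" "workloads_ou" {
  target_id = "ou-xxxx-xxxxxxxx" # placeholder OU ID
  policy_id = aws_securityhub_configuration_policy.baseline.id
}
```

Destroying this configuration has to run in the reverse order (association, policy, then organization configuration), which is why the reviewer's comments above stress the dedicated destroy function and the point that the policy resources can no longer be read once the account is no longer the delegated administrator.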