Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SecurityHub central organization configuration support #35752

Merged

Conversation

twelsh-aw
Copy link
Contributor

@twelsh-aw twelsh-aw commented Feb 10, 2024

Description

Adds resources to manage Security Hub central configuration

  • updates aws_securityhub_organization_configuration resource to support setting configuration_type = "CENTRAL"
  • adds aws_securityhub_configuration_policy resource to allow defining configuration policies
  • adds aws_securityhub_configuration_policy_association resource to allow associating configuration policies with targets (accounts, ous, roots)

Relations

Closes #34651

References

Output from Acceptance Testing

Existing tests affected (single account):

make testacc TESTS=TestAccSecurityHub_serial PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run='TestAccSecurityHub_serial'  -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/basic
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards
--- PASS: TestAccSecurityHub_serial (224.10s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (224.10s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/basic (107.08s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards (117.02s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/securityhub        231.228s

New Tests (multi account):

╰─ make testacc TESTS=TestAccSecurityHub_centralConfiguration PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run='TestAccSecurityHub_centralConfiguration'  -timeout 360m
=== RUN   TestAccSecurityHub_centralConfiguration
=== PAUSE TestAccSecurityHub_centralConfiguration
=== CONT  TestAccSecurityHub_centralConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/OrganizationConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/OrganizationConfiguration/centralConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/customParameters
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/controlIdentifiers
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/basic
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation/basic
--- PASS: TestAccSecurityHub_centralConfiguration (1726.24s)
    --- PASS: TestAccSecurityHub_centralConfiguration/OrganizationConfiguration (143.96s)
        --- PASS: TestAccSecurityHub_centralConfiguration/OrganizationConfiguration/centralConfiguration (143.96s)
    --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy (729.05s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/customParameters (413.05s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/controlIdentifiers (156.85s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/basic (159.14s)
    --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation (853.23s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation/basic (853.23s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/securityhub        1730.487s

Copy link

Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/securityhub Issues and PRs that pertain to the securityhub service. labels Feb 10, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 10, 2024
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Welcome @twelsh-aw 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

The dependency order is sound here... we just didn't code anything to destroy.
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Feb 12, 2024
- separate test suite for future resources
- dedicated destroy function for clarity
- refactor some common test setup for member account delegated admin
\+ some fixes to destroy checks added. Can't call Gets/Describes on these resources once not delegated admin (which is always the case when suite is properly destroyed)
We want this new property to be Optional and Computed so that it doesn't break anything on upgrade.
@github-actions github-actions bot added the generators Relates to code generators. label Feb 20, 2024
@github-actions github-actions bot added size/XL Managed by automation to categorize the size of a PR. and removed size/L Managed by automation to categorize the size of a PR. labels Feb 20, 2024
@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. and removed documentation Introduces or discusses updates to documentation. labels Mar 3, 2024
Delegating as admin implicitly creates the security hub account so this is not needed. We remove this to make tests less flaky, as sometimes security hub would remain active in the region after test cleanup, which would interfere with subsequent tests
The OU attachment is much faster since it's empty
ewbankkit added 20 commits March 8, 2024 10:34
…acctest.PreCheckOrganizationMemberAccountWithProvider'.
…PreCheckOrganizationManagementAccountWithProvider'.
…ataUnavailableException: Central configuration couldn't be enabled because data from organization ... is still syncing. Retry later'.
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	63.306s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	395.181s
Copy link
Contributor

@ewbankkit ewbankkit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀.

% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration' PKG=securityhub 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/OrganizationConfiguration -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/basic
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
    organization_configuration_test.go:99: this AWS account must not be the management account of an AWS Organization
--- PASS: TestAccSecurityHub_serial (72.77s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (72.77s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/basic (37.71s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards (34.86s)
        --- SKIP: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (0.20s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	79.705s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
--- PASS: TestAccSecurityHub_serial (88.08s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (88.08s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (88.08s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	95.411s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	63.306s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/^C' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/^C -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers
--- PASS: TestAccSecurityHub_serial (234.27s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (234.27s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters (159.73s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers (74.54s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	240.906s
 % make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
--- PASS: TestAccSecurityHub_serial (321.29s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (321.29s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (321.29s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	328.106s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	395.181s

@ewbankkit
Copy link
Contributor

@twelsh-aw Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 259cfa9 into hashicorp:main Mar 8, 2024
33 checks passed
@github-actions github-actions bot added this to the v5.41.0 milestone Mar 8, 2024
@MinhDBui
Copy link

Absolutely amazing m8! Thank yo @twelsh-aw for the hard work and contribution 💪 🎉

@konstantinzehnter
Copy link

@twelsh-aw Thank you, great work! :)

Copy link

This functionality has been released in v5.41.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. generators Relates to code generators. new-resource Introduces a new resource. service/securityhub Issues and PRs that pertain to the securityhub service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

[New]: Add resources for SecurityHub Central Configuration
5 participants