
Add SecurityHub central organization configuration support #35752

Merged

Conversation

twelsh-aw
Contributor

@twelsh-aw twelsh-aw commented Feb 10, 2024

Description

Adds resources to manage Security Hub central configuration

  • updates aws_securityhub_organization_configuration resource to support setting configuration_type = "CENTRAL"
  • adds aws_securityhub_configuration_policy resource to allow defining configuration policies
  • adds aws_securityhub_configuration_policy_association resource to allow associating configuration policies with targets (accounts, OUs, roots)
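An added end-to-end example of the three pieces this PR wires together (this is illustrative HCL written for this page, not code from the PR or the provider's test suite). The PR text only names the resources and `configuration_type = "CENTRAL"`; every other attribute name (`auto_enable`, `auto_enable_standards`, the `organization_configuration`, `configuration_policy`, `security_controls_configuration` and `security_control_custom_parameter` blocks, `policy_id`, `target_id`) is an assumption taken from the released provider documentation, and the standard ARN, control id, parameter name and target id are placeholders. It assumes it is applied from the Security Hub delegated administrator account in the organization's home region, which is the only place central configuration can be enabled.

```hcl
# Added example, not part of the PR. Attribute names are assumptions from the
# released provider docs; ARNs, control ids and the target id are placeholders.

# 1. Switch the organization to central configuration. Under CENTRAL, the
#    local auto-enable settings are superseded by configuration policies, so
#    they are turned off here (assumed requirement, labelled as such).
resource "aws_securityhub_organization_configuration" "central" {
  auto_enable           = false
  auto_enable_standards = "NONE"

  organization_configuration {
    configuration_type = "CENTRAL"
  }
}

# 2. A configuration policy: Security Hub on, one standard enabled, one
#    control disabled and one control parameter tuned.
resource "aws_securityhub_configuration_policy" "baseline" {
  name        = "org-baseline"
  description = "Security Hub enabled with FSBP; one control disabled, one tuned"

  configuration_policy {
    service_enabled = true

    # Placeholder standard ARN; use the ARN reported by DescribeStandards.
    enabled_standard_arns = [
      "arn:aws:securityhub:us-east-1::standards/aws-foundational-security-best-practices/v/1.0.0",
    ]

    security_controls_configuration {
      # Placeholder control id to disable across every account in scope.
      disabled_control_identifiers = ["CloudWatch.1"]

      security_control_custom_parameter {
        security_control_id = "IAM.7" # placeholder control id

        parameter {
          name       = "MaxPasswordAge" # placeholder parameter name
          value_type = "CUSTOM"
          int {
            value = 60
          }
        }
      }
    }
  }

  # Policies can only be created once central configuration is active,
  # so make the ordering explicit rather than relying on apply order.
  depends_on = [aws_securityhub_organization_configuration.central]
}

# 3. Attach the policy to a target: an Organizations root, OU or account id.
resource "aws_securityhub_configuration_policy_association" "root" {
  target_id = "r-exampleroot" # placeholder root id
  policy_id = aws_securityhub_configuration_policy.baseline.id
}
```

The `depends_on` matters for destroy as well as create: the association and policy must be removed before the organization configuration is switched back, and the PR's own destroy checks note that Get/Describe calls on these resources fail once the account is no longer the delegated administrator, so a teardown that reorders these steps will report spurious errors rather than a clean destroy.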

Relations

Closes #34651

References

Output from Acceptance Testing

Existing tests affected (single account):

make testacc TESTS=TestAccSecurityHub_serial PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run='TestAccSecurityHub_serial'  -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/basic
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards
--- PASS: TestAccSecurityHub_serial (224.10s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (224.10s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/basic (107.08s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards (117.02s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/securityhub        231.228s

New Tests (multi account):

╰─ make testacc TESTS=TestAccSecurityHub_centralConfiguration PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20 -run='TestAccSecurityHub_centralConfiguration'  -timeout 360m
=== RUN   TestAccSecurityHub_centralConfiguration
=== PAUSE TestAccSecurityHub_centralConfiguration
=== CONT  TestAccSecurityHub_centralConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/OrganizationConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/OrganizationConfiguration/centralConfiguration
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/customParameters
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/controlIdentifiers
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/basic
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation/basic
--- PASS: TestAccSecurityHub_centralConfiguration (1726.24s)
    --- PASS: TestAccSecurityHub_centralConfiguration/OrganizationConfiguration (143.96s)
        --- PASS: TestAccSecurityHub_centralConfiguration/OrganizationConfiguration/centralConfiguration (143.96s)
    --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy (729.05s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/customParameters (413.05s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/controlIdentifiers (156.85s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicy/basic (159.14s)
    --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation (853.23s)
        --- PASS: TestAccSecurityHub_centralConfiguration/ConfigurationPolicyAssociation/basic (853.23s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/securityhub        1730.487s


Community Note

Voting for Prioritization

  • Please vote on this pull request by adding a 👍 reaction to the original post to help the community and maintainers prioritize this pull request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

For Submitters

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • For new resources and data sources, use skaff to generate scaffolding with comments detailing common expectations.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions github-actions bot added size/L Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/securityhub Issues and PRs that pertain to the securityhub service. labels Feb 10, 2024
@terraform-aws-provider terraform-aws-provider bot added the needs-triage Waiting for first response or review from a maintainer. label Feb 10, 2024

@github-actions github-actions bot left a comment


Welcome @twelsh-aw 👋

It looks like this is your first Pull Request submission to the Terraform AWS Provider! If you haven’t already done so please make sure you have checked out our CONTRIBUTOR guide and FAQ to make sure your contribution is adhering to best practice and has all the necessary elements in place for a successful approval.

Also take a look at our FAQ which details how we prioritize Pull Requests for inclusion.

Thanks again, and welcome to the community! 😃

The dependency order is sound here... we just didn't code anything to destroy.
@justinretzolk justinretzolk removed the needs-triage Waiting for first response or review from a maintainer. label Feb 12, 2024
- separate test suite for future resources
- dedicated destroy function for clarity
- refactor some common test setup for member account delegated admin
+ some fixes to destroy checks added. Can't call Gets/Describes on these resources once not delegated admin (which is always the case when suite is properly destroyed)
We want this new property to be Optional and Computed so that it doesn't break anything on upgrade.
@github-actions github-actions bot added the generators Relates to code generators. label Feb 20, 2024
@github-actions github-actions bot added size/XL Managed by automation to categorize the size of a PR. and removed size/L Managed by automation to categorize the size of a PR. labels Feb 20, 2024
@github-actions github-actions bot added documentation Introduces or discusses updates to documentation. and removed documentation Introduces or discusses updates to documentation. labels Mar 3, 2024
Delegating as admin implicitly creates the security hub account so this is not needed. We remove this to make tests less flaky, as sometimes security hub would remain active in the region after test cleanup, which would interfere with subsequent tests
The OU attachment is much faster since it's empty
…acctest.PreCheckOrganizationMemberAccountWithProvider'.
…PreCheckOrganizationManagementAccountWithProvider'.
…ataUnavailableException: Central configuration couldn't be enabled because data from organization ... is still syncing. Retry later'.
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	63.306s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	395.181s
Contributor

@ewbankkit ewbankkit left a comment


LGTM 🚀.

% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration' PKG=securityhub 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/OrganizationConfiguration -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/basic
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
    organization_configuration_test.go:99: this AWS account must not be the management account of an AWS Organization
--- PASS: TestAccSecurityHub_serial (72.77s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (72.77s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/basic (37.71s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/AutoEnableStandards (34.86s)
        --- SKIP: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (0.20s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	79.705s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration
=== RUN   TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration
--- PASS: TestAccSecurityHub_serial (88.08s)
    --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration (88.08s)
        --- PASS: TestAccSecurityHub_serial/OrganizationConfiguration/CentralConfiguration (88.08s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	95.411s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/basic
--- PASS: TestAccSecurityHub_serial (83.81s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (83.81s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/basic (83.81s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	90.802s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/disappears' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/disappears -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/disappears
--- PASS: TestAccSecurityHub_serial (56.46s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (56.46s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/disappears (56.46s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	63.306s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/^ConfigurationPolicy$$/^C' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/^ConfigurationPolicy$/^C -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers
--- PASS: TestAccSecurityHub_serial (234.27s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy (234.27s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/CustomParameters (159.73s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicy/ControlIdentifiers (74.54s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	240.906s
 % make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic' PKG=securityhub
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
--- PASS: TestAccSecurityHub_serial (321.29s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (321.29s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (321.29s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	328.106s
% make testacc TESTARGS='-run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation' PKG=securityhub 
==> Checking that code complies with gofmt requirements...
TF_ACC=1 go test ./internal/service/securityhub/... -v -count 1 -parallel 20  -run=TestAccSecurityHub_serial/ConfigurationPolicyAssociation -timeout 360m
=== RUN   TestAccSecurityHub_serial
=== PAUSE TestAccSecurityHub_serial
=== CONT  TestAccSecurityHub_serial
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic
=== RUN   TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears
--- PASS: TestAccSecurityHub_serial (388.18s)
    --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation (388.18s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/basic (323.79s)
        --- PASS: TestAccSecurityHub_serial/ConfigurationPolicyAssociation/disappears (64.39s)
PASS
ok  	github.com/hashicorp/terraform-provider-aws/internal/service/securityhub	395.181s

@ewbankkit
Contributor

@twelsh-aw Thanks for the contribution 🎉 👏.

@ewbankkit ewbankkit merged commit 259cfa9 into hashicorp:main Mar 8, 2024
33 checks passed
@github-actions github-actions bot added this to the v5.41.0 milestone Mar 8, 2024
@MinhDBui

Absolutely amazing m8! Thank you @twelsh-aw for the hard work and contribution 💪 🎉

@konstantinzehnter

@twelsh-aw Thank you, great work! :)


This functionality has been released in v5.41.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!


I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 14, 2024
Labels
documentation Introduces or discusses updates to documentation. enhancement Requests to existing resources that expand the functionality or scope. generators Relates to code generators. new-resource Introduces a new resource. service/securityhub Issues and PRs that pertain to the securityhub service. size/XL Managed by automation to categorize the size of a PR. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.