r/aws_securityhub: Add product subscription/standards subscription

hashicorp · Dec 7, 2018 · 950a81d · 950a81d
1 parent b7ab456
commit 950a81d
Show file tree

Hide file tree

Showing 12 changed files with 344 additions and 9 deletions.
diff --git a/aws/provider.go b/aws/provider.go
@@ -623,6 +623,8 @@ func Provider() terraform.ResourceProvider {
 			"aws_securityhub_member":                           resourceAwsSecurityHubMember(),
 			"aws_securityhub_invitation":                       resourceAwsSecurityHubInvitation(),
 			"aws_securityhub_invitation_accepter":              resourceAwsSecurityHubInvitationAccepter(),
+			"aws_securityhub_product_subscription":             resourceAwsSecurityHubProductSubscription(),
+			"aws_securityhub_standard":                         resourceAwsSecurityHubStandard(),
 			"aws_servicecatalog_portfolio":                     resourceAwsServiceCatalogPortfolio(),
 			"aws_service_discovery_private_dns_namespace":      resourceAwsServiceDiscoveryPrivateDnsNamespace(),
 			"aws_service_discovery_public_dns_namespace":       resourceAwsServiceDiscoveryPublicDnsNamespace(),

diff --git a/aws/resource_aws_securityhub_account.go b/aws/resource_aws_securityhub_account.go
@@ -41,9 +41,20 @@ func resourceAwsSecurityHubAccountCreate(d *schema.ResourceData, meta interface{
 }
 
 func resourceAwsSecurityHubAccountRead(d *schema.ResourceData, meta interface{}) error {
-	// AWS does not currently publically expose API methods to check if an account is
-	// enabled for Security Hub. The console uses a private API method called
-	// isSecurityHubEnabled - this may become public in the future.
+	conn := meta.(*AWSClient).securityhubconn
+
+	log.Printf("[DEBUG] Checking if Security Hub is enabled")
+	_, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{})
+
+	if err != nil {
+		// Can only read enabled standards if Security Hub is enabled
+		if isAWSErr(err, "InvalidAccessException", "not subscribed to AWS Security Hub") {
+			d.SetId("")
+			return nil
+		}
+		return fmt.Errorf("Error checking if Security Hub is enabled: %s", err)
+	}
+
 	return nil
 }
 

diff --git a/aws/resource_aws_securityhub_invitation_accepter.go b/aws/resource_aws_securityhub_invitation_accepter.go
@@ -39,6 +39,10 @@ func resourceAwsSecurityHubInvitationAccepterCreate(d *schema.ResourceData, meta
 
 	invitationId, err := resourceAwsSecurityHubInvitationAccepterGetInvitationId(conn, d.Get("master_id").(string))
 
+	if err != nil {
+		return err
+	}
+
 	_, err = conn.AcceptInvitation(&securityhub.AcceptInvitationInput{
 		InvitationId: aws.String(invitationId),
 		MasterId:     aws.String(d.Get("master_id").(string)),
@@ -80,14 +84,21 @@ func resourceAwsSecurityHubInvitationAccepterRead(d *schema.ResourceData, meta i
 
 	if err != nil {
 		if isAWSErr(err, securityhub.ErrCodeResourceNotFoundException, "") {
-			log.Print("[WARN] Security Hub master account not found")
+			log.Print("[WARN] Security Hub master account not found, removing from state")
+			d.SetId("")
 			return nil
 		}
 		return err
 	}
 
 	master := resp.Master
 
+	if master == nil {
+		log.Print("[WARN] Security Hub master account not found, removing from state")
+		d.SetId("")
+		return nil
+	}
+
 	d.Set("invitation_id", master.InvitationId)
 	d.Set("master_id", master.AccountId)
 
@@ -101,8 +112,8 @@ func resourceAwsSecurityHubInvitationAccepterDelete(d *schema.ResourceData, meta
 	_, err := conn.DisassociateFromMasterAccount(&securityhub.DisassociateFromMasterAccountInput{})
 
 	if err != nil {
-		if isAWSErr(err, securityhub.ErrCodeResourceNotFoundException, "") {
-			log.Print("[WARN] Security Hub invitation not found")
+		if isAWSErr(err, "BadRequestException", "The request is rejected because the current account is not associated to a master account") {
+			log.Print("[WARN] Security Hub account is not a member account")
 			return nil
 		}
 		return err

diff --git a/aws/resource_aws_securityhub_product_subscription.go b/aws/resource_aws_securityhub_product_subscription.go
@@ -0,0 +1,84 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSecurityHubProductSubscription() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSecurityHubProductSubscriptionCreate,
+		Read:   resourceAwsSecurityHubProductSubscriptionRead,
+		Delete: resourceAwsSecurityHubProductSubscriptionDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"product_arn": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsSecurityHubProductSubscriptionCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+	log.Print("[DEBUG] Enabling Security Hub product subscription for product %s", d.Get("product_arn"))
+
+	resp, err := conn.EnableImportFindingsForProduct(&securityhub.EnableImportFindingsForProductInput{
+		ProductArn: aws.String(d.Get("product_arn").(string)),
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error enabling Security Hub product subscription for product %s: %s", d.Get("product_arn"), err)
+	}
+
+	d.SetId(*resp.ProductSubscriptionArn)
+
+	return resourceAwsSecurityHubProductSubscriptionRead(d, meta)
+}
+
+func resourceAwsSecurityHubProductSubscriptionRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+
+	log.Printf("[DEBUG] Reading Security Hub product subscriptions to find %s", d.Id())
+	resp, err := conn.ListEnabledProductsForImport(&securityhub.ListEnabledProductsForImportInput{})
+
+	if err != nil {
+		return fmt.Errorf("Error reading Security Hub product subscriptions to find %s: %s", d.Id(), err)
+	}
+
+	productSubscriptions := make([]interface{}, len(resp.ProductSubscriptions))
+	for i := range resp.ProductSubscriptions {
+		productSubscriptions[i] = *resp.ProductSubscriptions[i]
+	}
+
+	if _, contains := sliceContainsString(productSubscriptions, d.Id()); !contains {
+		log.Printf("[WARN] Security Hub product subscriptions (%s) not found, removing from state", d.Id())
+		d.SetId("")
+	}
+
+	return nil
+}
+
+func resourceAwsSecurityHubProductSubscriptionDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+	log.Print("[DEBUG] Disabling Security Hub product subscription %s", d.Id())
+
+	_, err := conn.DisableImportFindingsForProduct(&securityhub.DisableImportFindingsForProductInput{
+		ProductSubscriptionArn: aws.String(d.Id()),
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error disabling Security Hub product subscription %s: %s", d.Id(), err)
+	}
+
+	return nil
+}
diff --git a/aws/resource_aws_securityhub_standard.go b/aws/resource_aws_securityhub_standard.go
@@ -0,0 +1,88 @@
+package aws
+
+import (
+	"fmt"
+	"log"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/securityhub"
+	"github.com/hashicorp/terraform/helper/schema"
+)
+
+func resourceAwsSecurityHubStandard() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceAwsSecurityHubStandardCreate,
+		Read:   resourceAwsSecurityHubStandardRead,
+		Delete: resourceAwsSecurityHubStandardDelete,
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Schema: map[string]*schema.Schema{
+			"standards_arn": {
+				Type:     schema.TypeString,
+				Required: true,
+				ForceNew: true,
+			},
+		},
+	}
+}
+
+func resourceAwsSecurityHubStandardCreate(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+	log.Print("[DEBUG] Enabling Security Hub standard")
+
+	resp, err := conn.BatchEnableStandards(&securityhub.BatchEnableStandardsInput{
+		StandardsSubscriptionRequests: []*securityhub.StandardsSubscriptionRequest{
+			{
+				StandardsArn: aws.String(d.Get("standards_arn").(string)),
+			},
+		},
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error enabling Security Hub standard: %s", err)
+	}
+
+	standardsSubscription := resp.StandardsSubscriptions[0]
+
+	d.SetId(*standardsSubscription.StandardsSubscriptionArn)
+
+	return resourceAwsSecurityHubStandardRead(d, meta)
+}
+
+func resourceAwsSecurityHubStandardRead(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+
+	log.Printf("[DEBUG] Reading Security Hub standard %s", d.Id())
+	resp, err := conn.GetEnabledStandards(&securityhub.GetEnabledStandardsInput{
+		StandardsSubscriptionArns: []*string{aws.String(d.Id())},
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error reading Security Hub standard %s: %s", d.Id(), err)
+	}
+
+	if len(resp.StandardsSubscriptions) == 0 {
+		log.Printf("[WARN] Security Hub standard (%s) not found, removing from state", d.Id())
+		d.SetId("")
+		return nil
+	}
+
+	return nil
+}
+
+func resourceAwsSecurityHubStandardDelete(d *schema.ResourceData, meta interface{}) error {
+	conn := meta.(*AWSClient).securityhubconn
+	log.Print("[DEBUG] Disabling Security Hub standard %s", d.Id())
+
+	_, err := conn.BatchDisableStandards(&securityhub.BatchDisableStandardsInput{
+		StandardsSubscriptionArns: []*string{aws.String(d.Id())},
+	})
+
+	if err != nil {
+		return fmt.Errorf("Error disabling Security Hub standard %s: %s", d.Id(), err)
+	}
+
+	return nil
+}
diff --git a/main.tf b/main.tf
@@ -0,0 +1 @@
+/Users/gaz/go/bin/main.tf
diff --git a/website/aws.erb b/website/aws.erb
@@ -2183,6 +2183,14 @@
                             <a href="/docs/providers/aws/r/securityhub_member.html">aws_securityhub_member</a>
                         </li>
 
+                        <li<%= sidebar_current("docs-aws-resource-securityhub-product-subscription") %>>
+                            <a href="/docs/providers/aws/r/securityhub_product_subscription.html">aws_securityhub_product_subscription</a>
+                        </li>
+
+                        <li<%= sidebar_current("docs-aws-resource-securityhub-standard") %>>
+                            <a href="/docs/providers/aws/r/securityhub_standard.html">aws_securityhub_standard</a>
+                        </li>
+
                     </ul>
                 </li>
 

diff --git a/website/docs/r/securityhub_invitation.markdown b/website/docs/r/securityhub_invitation.markdown
@@ -15,13 +15,15 @@ Provides a Security Hub invitation resource.
 ## Example Usage
 
 ```hcl
+resource "aws_securityhub_account" "example" {}
+
 resource "aws_securityhub_member" "example" {
   account_id = "123456789012"
   email      = "example@example.com"
 }
 
 resource "aws_securityhub_invitation" "example" {
-  account_id = "123456789012"
+  account_id = "${aws_securityhub_member.example.account_id}"
 }
 ```
 

diff --git a/website/docs/r/securityhub_invitation_accepter.markdown b/website/docs/r/securityhub_invitation_accepter.markdown
@@ -3,7 +3,7 @@ layout: "aws"
 page_title: "AWS: aws_securityhub_invitation_accepter"
 sidebar_current: "docs-aws-resource-securityhub-invitation-accepter"
 description: |-
-  Provides a Security Hub invitation resource.
+  Accepts a Security Hub invitation.
 ---
 
 # aws_securityhub_invitation_accepter
@@ -21,7 +21,7 @@ resource "aws_securityhub_member" "example" {
 }
 
 resource "aws_securityhub_invitation" "example" {
-  account_id = "123456789012"
+  account_id = "${aws_securityhub_member.example.id}"
 }
 
 resource "aws_securityhub_invitation_accepter" "example" {

diff --git a/website/docs/r/securityhub_member.markdown b/website/docs/r/securityhub_member.markdown
@@ -13,6 +13,8 @@ Provides a Security Hub member resource.
 ## Example Usage
 
 ```hcl
+resource "aws_securityhub_account" "example" {}
+
 resource "aws_securityhub_member" "example" {
   account_id = "123456789012"
   email      = "example@example.com"

diff --git a/website/docs/r/securityhub_product_subscription.markdown b/website/docs/r/securityhub_product_subscription.markdown
@@ -0,0 +1,78 @@
+---
+layout: "aws"
+page_title: "AWS: aws_securityhub_product_subscription"
+sidebar_current: "docs-aws-resource-securityhub-product-subscription"
+description: |-
+  Subscribes to a Security Hub product.
+---
+
+# aws_securityhub_product_subscription
+
+Subscribes to a Security Hub product.
+
+## Example Usage
+
+```hcl
+resource "aws_securityhub_account" "example" {}
+
+data "aws_region" "current" {}
+
+resource "aws_securityhub_product_subscription" "example" {
+  depends_on  = ["aws_securityhub_account.example"]
+  product_arn = "arn:aws:securityhub:${data.aws_region.current.name}:679703615338:product/alertlogic/althreatmanagement"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `product_arn` - (Required) The ARN of the product that generates findings that you want to import into Security Hub - see below.
+
+Currently available products (remember to replace `${var.region}` as appropriate):
+
+* `arn:aws:securityhub:${var.region}::product/aws/guardduty`
+* `arn:aws:securityhub:${var.region}::product/aws/inspector`
+* `arn:aws:securityhub:${var.region}::product/aws/macie`
+* `arn:aws:securityhub:${var.region}:733251395267:product/alertlogic/althreatmanagement`
+* `arn:aws:securityhub:${var.region}:679703615338:product/armordefense/armoranywhere`
+* `arn:aws:securityhub:${var.region}:151784055945:product/barracuda/cloudsecurityguardian`
+* `arn:aws:securityhub:${var.region}:758245563457:product/checkpoint/cloudguard-iaas`
+* `arn:aws:securityhub:${var.region}:634729597623:product/checkpoint/dome9-arc`
+* `arn:aws:securityhub:${var.region}:517716713836:product/crowdstrike/crowdstrike-falcon`
+* `arn:aws:securityhub:${var.region}:749430749651:product/cyberark/cyberark-pta`
+* `arn:aws:securityhub:${var.region}:250871914685:product/f5networks/f5-advanced-waf`
+* `arn:aws:securityhub:${var.region}:123073262904:product/fortinet/fortigate`
+* `arn:aws:securityhub:${var.region}:324264561773:product/guardicore/aws-infection-monkey`
+* `arn:aws:securityhub:${var.region}:324264561773:product/guardicore/guardicore`
+* `arn:aws:securityhub:${var.region}:949680696695:product/ibm/qradar-siem`
+* `arn:aws:securityhub:${var.region}:955745153808:product/imperva/imperva-attack-analytics`
+* `arn:aws:securityhub:${var.region}:297986523463:product/mcafee-skyhigh/mcafee-mvision-cloud-aws`
+* `arn:aws:securityhub:${var.region}:188619942792:product/paloaltonetworks/redlock`
+* `arn:aws:securityhub:${var.region}:122442690527:product/paloaltonetworks/vm-series`
+* `arn:aws:securityhub:${var.region}:805950163170:product/qualys/qualys-pc`
+* `arn:aws:securityhub:${var.region}:805950163170:product/qualys/qualys-vm`
+* `arn:aws:securityhub:${var.region}:336818582268:product/rapid7/insightvm`
+* `arn:aws:securityhub:${var.region}:062897671886:product/sophos/sophos-server-protection`
+* `arn:aws:securityhub:${var.region}:112543817624:product/splunk/splunk-enterprise`
+* `arn:aws:securityhub:${var.region}:112543817624:product/splunk/splunk-phantom`
+* `arn:aws:securityhub:${var.region}:956882708938:product/sumologicinc/sumologic-mda`
+* `arn:aws:securityhub:${var.region}:754237914691:product/symantec-corp/symantec-cwp`
+* `arn:aws:securityhub:${var.region}:422820575223:product/tenable/tenable-io`
+* `arn:aws:securityhub:${var.region}:679593333241:product/trend-micro/deep-security`
+* `arn:aws:securityhub:${var.region}:453761072151:product/turbot/turbot`
+* `arn:aws:securityhub:${var.region}:496947949261:product/twistlock/twistlock-enterprise`
+
+## Attributes Reference
+
+The following attributes are exported in addition to the arguments listed above:
+
+* `id` - The ARN of a resource that represents your subscription to the product that generates the findings that you want to import into Security Hub.
+
+## Import
+
+Security Hub product subscriptions can be imported using the product subscription ID, e.g.
+
+```
+$ terraform import aws_securityhub_product_subscription.example arn:aws:securityhub:eu-west-1:123456789012:product-subscription/alertlogic/althreatmanagement
+```