Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
breaking: move variables to objects and improve settings
1 parent c44f9fb, commit 32f4b34. Showing 19 changed files with 374 additions and 122 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -7,3 +7,6 @@ | |
|
||
# .tfvars files | ||
*.tfvars | ||
|
||
# CheckOv pre-commit external modules path | ||
**/.external_modules/* |
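Review bot: `CheckOv` in the comment above the `**/.external_modules/*` entry should be spelled `Checkov`, the tool's actual name. The entry itself is right: Checkov's pre-commit hook downloads external Terraform modules into `.external_modules`, which should not be committed, and ignoring `*.tfvars` keeps per-environment variable files (which commonly carry account IDs and credentials) out of version control.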
@@ -0,0 +1,41 @@ | ||
# Upgrading Notes | ||
|
||
This document captures required refactoring on your part when upgrading to a module version that contains breaking changes. | ||
|
||
## Upgrading to v1.0.0 | ||
|
||
### Behaviour | ||
|
||
- Timeouts of the suppressor lambdas have been increased to 120 seconds. The current timeout of 60 seconds is not always enough to process 100 records of findings. | ||
- The `create_servicenow_access_keys` variable, now called `servicenow_integration.create_access_keys` was not used in the code and therefore the default behaviour was that access keys would be created. This issue has been resolved. | ||
- The `create_allow_all_egress_rule` variable has been set to `false`. | ||
- The `tags` variable is now optional. | ||
|
||
### Variables | ||
|
||
The following variables have been replaced by a new variable `jira_integration`: | ||
|
||
- `jira_exclude_account_filter` -> `jira_integration.exclude_account_ids` | ||
- `jira_finding_severity_normalized` -> `jira_integration.finding_severity_normalized_threshold` | ||
- `jira_integration` -> `jira_integration.enabled` | ||
- `jira_issue_type` -> `jira_integration.issue_type` | ||
- `jira_project_key` -> `jira_integration.project_key` | ||
- `jira_secret_arn` -> `jira_integration.credentials_secret_arn` | ||
- `lambda_jira_name` -> `jira_integration.lambda_settings.name` | ||
- `lambda_jira_iam_role_name` -> `jira_integration.lambda_settings.iam_role_name` | ||
- Additionally you are now able to specify the `log_level`, `memory_size,` and `timeout` of the lambda. | ||
|
||
The following variables have been replaced by a new variable `servicenow_integration`: | ||
|
||
- `servicenow_integration` -> `servicenow_integration.enabled` | ||
- `create_servicenow_access_keys` -> `servicenow_integration.create_access_keys` | ||
|
||
The following variables have been replaced by a new variable `lambda_events_suppressor`: | ||
|
||
- `lambda_events_suppressor_name` -> `lambda_events_suppressor.name` | ||
- Additionally you are now able to specify the `log_level`, `memory_size,` and `timeout` of the lambda. | ||
|
||
The following variables have been replaced by a new variable `lambda_streams_suppressor`: | ||
|
||
- `lambda_streams_suppressor_name` -> `lambda_streams_suppressor.name` | ||
- Additionally you are now able to specify the `log_level`, `memory_size,` and `timeout` of the lambda. |
@@ -0,0 +1,20 @@ | ||
provider "aws" { | ||
region = "eu-west-1" | ||
} | ||
|
||
resource "aws_kms_key" "default" { | ||
enable_key_rotation = true | ||
} | ||
|
||
resource "random_pet" "default" { | ||
length = 8 | ||
} | ||
|
||
module "security_hub_manager" { | ||
providers = { aws = aws } | ||
source = "../../" | ||
|
||
kms_key_arn = aws_kms_key.default | ||
s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}" | ||
tags = { Terraform = true } | ||
} |
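Review bot: `kms_key_arn = aws_kms_key.default` passes the whole resource object rather than its ARN, which fails validation if the module declares `kms_key_arn` as a string; use `aws_kms_key.default.arn`.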
@@ -0,0 +1,22 @@ | ||
terraform { | ||
required_version = ">= 1.3.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.9" | ||
} | ||
local = { | ||
source = "hashicorp/local" | ||
version = ">= 1.0" | ||
} | ||
null = { | ||
source = "hashicorp/null" | ||
version = ">= 2.0" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
version = ">= 3.0" | ||
} | ||
} | ||
} |
@@ -0,0 +1,52 @@ | ||
provider "aws" { | ||
region = "eu-west-1" | ||
} | ||
|
||
resource "aws_kms_key" "default" { | ||
enable_key_rotation = true | ||
} | ||
|
||
resource "random_pet" "default" { | ||
length = 8 | ||
} | ||
|
||
resource "aws_secretsmanager_secret" "jira_credentials" { | ||
description = "Security Hub Findings Manager Jira Credentials Secret" | ||
kms_key_id = aws_kms_key.default | ||
name = "lambda/jira_credentials_secret" | ||
} | ||
|
||
// tfsec:ignore:GEN003 | ||
resource "aws_secretsmanager_secret_version" "jira_credentials" { | ||
secret_id = aws_secretsmanager_secret.jira_credentials.id | ||
secret_string = jsonencode({ | ||
"url" = "https://jira.mycompany.com" | ||
"apiuser" = "username" | ||
"apikey" = "apikey" | ||
}) | ||
} | ||
|
||
module "security_hub_manager" { | ||
providers = { aws = aws } | ||
source = "../../" | ||
|
||
kms_key_arn = aws_kms_key.default | ||
s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}" | ||
tags = { Terraform = true } | ||
|
||
jira_integration = { | ||
enabled = true | ||
credentials_secret_arn = aws_secretsmanager_secret.jira_credentials.arn | ||
project_key = "PROJECT" | ||
} | ||
} | ||
|
||
resource "aws_security_group_rule" "lambda_jira_security_hub_to_jira" { | ||
type = "egress" | ||
description = "Allow access from lambda_jira_security_hub to Jira" | ||
from_port = 443 | ||
to_port = 443 | ||
protocol = "tcp" | ||
cidr_blocks = ["1.1.1.1/32"] | ||
security_group_id = module.security_hub_manager.lambda_jira_security_hub_sg_id[0] | ||
} |
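Review bot: `kms_key_id = aws_kms_key.default` in `aws_secretsmanager_secret.jira_credentials` and `kms_key_arn = aws_kms_key.default` in the module block both reference the resource object instead of an attribute; use `aws_kms_key.default.key_id` (or `.arn`) for the secret and `aws_kms_key.default.arn` for the module. The `secret_string` literal in `aws_secretsmanager_secret_version` is stored in Terraform state in plaintext, so the example should note that the state backend must be encrypted and that the placeholder `url`/`apiuser`/`apikey` values must be replaced outside of version control rather than edited in this file. Finally, `cidr_blocks = ["1.1.1.1/32"]` is a placeholder for the Jira endpoint and deserves a comment saying so, since the rule only makes sense once it points at the real Jira address.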
@@ -0,0 +1,22 @@ | ||
terraform { | ||
required_version = ">= 1.3.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.9" | ||
} | ||
local = { | ||
source = "hashicorp/local" | ||
version = ">= 1.0" | ||
} | ||
null = { | ||
source = "hashicorp/null" | ||
version = ">= 2.0" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
version = ">= 3.0" | ||
} | ||
} | ||
} |
@@ -0,0 +1,24 @@ | ||
provider "aws" { | ||
region = "eu-west-1" | ||
} | ||
|
||
resource "aws_kms_key" "default" { | ||
enable_key_rotation = true | ||
} | ||
|
||
resource "random_pet" "default" { | ||
length = 8 | ||
} | ||
|
||
module "security_hub_manager" { | ||
providers = { aws = aws } | ||
source = "../../" | ||
|
||
kms_key_arn = aws_kms_key.default | ||
s3_bucket_name = "securityhub-suppressor-artifacts-${random_pet.default.id}" | ||
tags = { Terraform = true } | ||
|
||
servicenow_integration = { | ||
enabled = true | ||
} | ||
} |
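Review bot: `kms_key_arn = aws_kms_key.default` references the resource object instead of its ARN; use `aws_kms_key.default.arn`. Since this commit's upgrading notes say `servicenow_integration.create_access_keys` now actually takes effect, the example would be clearer if it set that field explicitly so readers see whether IAM access keys are created.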
@@ -0,0 +1,22 @@ | ||
terraform { | ||
required_version = ">= 1.3.0" | ||
|
||
required_providers { | ||
aws = { | ||
source = "hashicorp/aws" | ||
version = ">= 4.9" | ||
} | ||
local = { | ||
source = "hashicorp/local" | ||
version = ">= 1.0" | ||
} | ||
null = { | ||
source = "hashicorp/null" | ||
version = ">= 2.0" | ||
} | ||
random = { | ||
source = "hashicorp/random" | ||
version = ">= 3.0" | ||
} | ||
} | ||
} |
This file was deleted.