feat: add variable to filter findings forwarded to SNOW

schubergphilis · Jun 24, 2024 · d05fe81 · d05fe81
1 parent 4a0a256
commit d05fe81
Show file tree

Hide file tree

Showing 8 changed files with 47 additions and 28 deletions.
diff --git a/README.md b/README.md
diff --git a/UPGRADING.md b/UPGRADING.md
@@ -18,7 +18,7 @@ The following variable defaults have been modified:
 
 ### Behaviour
 
-The need to provide a `providers = { aws = aws }` argument has been removed, but is still allowed. E.g. when deploying this module in the audit account typically `providers = { aws = aws.audit }` is passed. 
+The need to provide a `providers = { aws = aws }` argument has been removed, but is still allowed. E.g. when deploying this module in the audit account typically `providers = { aws = aws.audit }` is passed.
 
 ## Upgrading to v1.0.0
 

diff --git a/modules/servicenow/README.md b/modules/servicenow/README.md
@@ -15,12 +15,13 @@
 
 ## Inputs
 
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| kms\_key\_arn | The ARN of the KMS key used to encrypt the resources | `string` | n/a | yes |
-| tags | A mapping of tags to assign to the resources | `map(string)` | n/a | yes |
-| cloudwatch\_retention\_days | Time to retain the CloudWatch Logs for the ServiceNow integration | `number` | `14` | no |
-| create\_access\_keys | Whether to create an access\_key and secret\_access key for the ServiceNow user | `bool` | `false` | no |
+| Name                        | Description                                                                                                       | Type           | Default | Required |
+|-----------------------------|-------------------------------------------------------------------------------------------------------------------|----------------|--------|:--------:|
+| kms\_key\_arn               | The ARN of the KMS key used to encrypt the resources                                                              | `string`       | n/a    | yes |
+| tags                        | A mapping of tags to assign to the resources                                                                      | `map(string)`  | n/a    | yes |
+| cloudwatch\_retention\_days | Time to retain the CloudWatch Logs for the ServiceNow integration                                                 | `number`       | `14`   | no |
+| create\_access\_keys        | Whether to create an access\_key and secret\_access key for the ServiceNow user                                   | `bool`         | `false` | no |
+| severity\_filter            | Only forward findings to ServiceNow with severity labels from this list (by default all severities are forwarded) | `list(string)` | `[]`   | no |
 
 ## Outputs
 

diff --git a/modules/servicenow/eventbridge.tf b/modules/servicenow/eventbridge.tf
@@ -1,13 +1,8 @@
 resource "aws_cloudwatch_event_rule" "securityhub" {
   name        = "snow-RuleLifeCycleEvents"
   description = "Send Security Hub imported findings to the AwsServiceManagementConnectorForSecurityHubQueue SQS."
-
-  event_pattern = <<EOF
-{
-  "detail-type": ["Security Hub Findings - Imported"],
-  "source": ["aws.securityhub"]
-}
-EOF
+  event_pattern = templatefile("${path.module}/findings_filter.json.tftpl", {
+  severity_filter = jsonencode(var.severity_filter) })
 }
 
 resource "aws_cloudwatch_event_target" "securityhub" {

diff --git a/modules/servicenow/findings_filter.json.tftpl b/modules/servicenow/findings_filter.json.tftpl
@@ -0,0 +1,14 @@
+{
+  "detail-type" : ["Security Hub Findings - Imported"],
+  "source" : ["aws.securityhub"]
+   %{ if length(jsondecode(severity_filter)) > 0 ~}
+  ,
+  "detail": {
+    "findings": {
+      "Severity": {
+        "Label": ${severity_filter}
+       }
+     }
+   }
+   %{ endif ~}
+}
diff --git a/modules/servicenow/variables.tf b/modules/servicenow/variables.tf
@@ -10,6 +10,12 @@ variable "create_access_keys" {
   description = "Whether to create an access_key and secret_access key for the ServiceNow user"
 }
 
+variable "severity_filter" {
+  type        = list(string)
+  default     = []
+  description = "JSON object describing the events to push to the ServiceNow queue"
+}
+
 variable "kms_key_arn" {
   type        = string
   description = "The ARN of the KMS key used to encrypt the resources"

diff --git a/servicenow.tf b/servicenow.tf
@@ -5,6 +5,7 @@ module "servicenow_integration" {
 
   cloudwatch_retention_days = var.servicenow_integration.cloudwatch_retention_days
   create_access_keys        = var.servicenow_integration.create_access_keys
+  severity_filter           = var.servicenow_integration.severity_filter
   kms_key_arn               = var.kms_key_arn
   tags                      = var.tags
 }
diff --git a/variables.tf b/variables.tf
@@ -143,6 +143,7 @@ variable "servicenow_integration" {
     enabled                   = optional(bool, false)
     create_access_keys        = optional(bool, false)
     cloudwatch_retention_days = optional(number, 365)
+    severity_filter           = optional(list(string), [])
   })
   default = {
     enabled = false