ministryofjustice · richgreen-moj · Oct 18, 2024 · Oct 17, 2024 · Oct 18, 2024
@@ -67,7 +67,7 @@ resource "aws_securityhub_standards_control" "pci_disable_ensure_mfa_for_root" {
 
 # Filter for New, High & Critical SecHub findings but exclude Inspector
 resource "aws_cloudwatch_event_rule" "sechub_high_and_critical_findings" {
-  name        = "sechub-high-and-critical-findings"
+  name        = var.sechub_eventbridge_rule_name
   description = "Check for High or Critical Severity SecHub findings"
   event_pattern = jsonencode({
     "source" : ["aws.securityhub"],
@@ -101,7 +101,7 @@ resource "aws_cloudwatch_event_target" "sechub_findings_sns_topic" {
 
 # Create SNS topic and access policy
 resource "aws_sns_topic" "sechub_findings_sns_topic" {
-  name              = "sechub_findings_sns_topic"
+  name              = var.sechub_sns_topic_name
   kms_master_key_id = aws_kms_key.sns_kms_key.id
 }
 resource "aws_sns_topic_policy" "sechub_findings_sns_topic" {
@@ -168,7 +168,7 @@ resource "aws_kms_key" "sns_kms_key" {
 }
 
 resource "aws_kms_alias" "sns_kms_alias" {
-  name          = "alias/sns-kms-key"
+  name          = var.sechub_sns_kms_key_name
   target_key_id = aws_kms_key.sns_kms_key.id
 }
 

@@ -0,0 +1,13 @@
+output "sechub_eventbridge_rule_arn" {
+  description = "The ARN of the SecurityHub EventBridge rule"
+  value       = aws_cloudwatch_event_rule.sechub_high_and_critical_findings.arn
+}
+output "sechub_sns_topic_arn" {
+  description = "The ARN of the SecurityHub SNS topic"
+  value       = aws_sns_topic.sechub_findings_sns_topic.arn
+}
+
+output "sechub_sns_kms_key_arn" {
+  description = "The ARN of the SecurityHub SNS Topic KMS key"
+  value       = aws_kms_key.sns_kms_key.arn
+}
@@ -0,0 +1,17 @@
+variable "sechub_eventbridge_rule_name" {
+  description = "SecurityHub Eventbridge rule name"
+  default     = "sechub_high_and_critical_findings"
+  type        = string
+}
+
+variable "sechub_sns_topic_name" {
+  description = "SecurityHub SNS Topic name"
+  default     = "sechub_findings_sns_topic"
+  type        = string
+}
+
+variable "sechub_sns_kms_key_name" {
+  description = "SecurityHub SNS Topic KMS key name"
+  default     = "alias/sns-kms-key"
+  type        = string
+}
@@ -334,3 +334,49 @@ func TestTerraformSecurityHubAlarms(t *testing.T) {
 	assert.Regexp(t, regexp.MustCompile(AdminRoleUsageMetricFilterName), AdminRoleUsageMetricFilterId)
 	assert.Regexp(t, regexp.MustCompile(`^arn:aws:cloudwatch:eu-west-2:[0-9]{12}:alarm:`+AdminRoleUsageAlarmName), AdminRoleUsageAlarmArn)
 }
+
+// SecurityHub Module Unit Testing
+func TestTerraformSecurityHub(t *testing.T) {
+	t.Parallel()
+
+	terraformDir := "./securityhub-test"
+	uniqueId := random.UniqueId()
+
+	// Unique names for SecurityHub resources
+	SecHubEventbridgeRuleName := fmt.Sprintf("sechub_high_and_critical_findings-%s", uniqueId)
+	SecHubSNSTopicName := fmt.Sprintf("sechub_findings_sns_topic-%s", uniqueId)
+	SecHubSNSTopicKMSKey := fmt.Sprintf("alias/sns-kms-key-%s", uniqueId)
+
+	terraformOptions := &terraform.Options{
+		TerraformDir: terraformDir,
+		Targets: []string{ // Targeting specific resources as not all are able to be duplicated in the same account
+			"module.securityhub-test.aws_cloudwatch_event_rule.sechub_high_and_critical_findings",
+			"module.securityhub-test.aws_cloudwatch_event_target.sechub_findings_sns_topic",
+			"module.securityhub-test.aws_sns_topic.sechub_findings_sns_topic",
+			"module.securityhub-test.aws_sns_topic_policy.sechub_findings_sns_topic",
+			"module.securityhub-test.aws_iam_policy_document.sechub_findings_sns_topic_policy",
+			"module.securityhub-test.aws_kms_key.sns_kms_key",
+			"module.securityhub-test.aws_kms_alias.sns_kms_alias",
+			"module.securityhub-test.aws_iam_policy_document.sns_kms",
+		},
+		Vars: map[string]interface{}{
+			"sechub_eventbridge_rule_name": SecHubEventbridgeRuleName,
+			"sechub_sns_topic_name":        SecHubSNSTopicName,
+			"sechub_sns_kms_key_name":      SecHubSNSTopicKMSKey,
+		},
+	}
+	// Clean up resources with "terraform destroy" at the end of the test
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Run "terraform init" and "terraform apply"
+	terraform.InitAndApply(t, terraformOptions)
+
+	// SecurityHub module tests
+	SecHubEventbridgeRuleARN := terraform.Output(t, terraformOptions, "sechub_eventbridge_rule_arn")
+	SecHubSNSTopicARN := terraform.Output(t, terraformOptions, "sechub_sns_topic_arn")
+	SecHubSNSTopicKMSKeyARN := terraform.Output(t, terraformOptions, "sechub_sns_kms_key_arn")
+
+	assert.Regexp(t, regexp.MustCompile(`^arn:aws:events:eu-west-2:[0-9]{12}:rule/sechub_high_and_critical_findings-`+uniqueId), SecHubEventbridgeRuleARN)
+	assert.Regexp(t, regexp.MustCompile(`^arn:aws:sns:eu-west-2:[0-9]{12}:sechub_findings_sns_topic-`+uniqueId), SecHubSNSTopicARN)
+	assert.Regexp(t, regexp.MustCompile(`^arn:aws:kms:eu-west-2:[0-9]{12}:key/*`), SecHubSNSTopicKMSKeyARN)
+}
@@ -0,0 +1,3 @@
+locals {
+  environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+}
@@ -0,0 +1,6 @@
+module "securityhub-test" {
+  source                       = "../../modules/securityhub"
+  sechub_eventbridge_rule_name = var.sechub_eventbridge_rule_name
+  sechub_sns_topic_name        = var.sechub_sns_topic_name
+  sechub_sns_kms_key_name      = var.sechub_sns_kms_key_name
+}
@@ -0,0 +1,13 @@
+output "sechub_eventbridge_rule_arn" {
+  description = "The ARN of the SecurityHub EventBridge rule"
+  value       = module.securityhub-test.sechub_eventbridge_rule_arn
+}
+output "sechub_sns_topic_arn" {
+  description = "The ARN of the SecurityHub SNS topic"
+  value       = module.securityhub-test.sechub_sns_topic_arn
+}
+
+output "sechub_sns_kms_key_arn" {
+  description = "The ARN of the SecurityHub SNS Topic KMS key"
+  value       = module.securityhub-test.sechub_sns_kms_key_arn
+}
@@ -0,0 +1,13 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids["testing-test"]}:role/MemberInfrastructureAccess"
+  }
+}
+
+# AWS provider for the testing-ci user (testing-test account), to get things from there if required
+provider "aws" {
+  alias  = "testing-ci-user"
+  region = "eu-west-2"
+}
@@ -0,0 +1,16 @@
+# Get secret by arn for environment management
+data "aws_ssm_parameter" "environment_management_arn" {
+  provider = aws.testing-ci-user
+  name     = "environment_management_arn"
+}
+
+data "aws_secretsmanager_secret" "environment_management" {
+  provider = aws.testing-ci-user
+  arn      = data.aws_ssm_parameter.environment_management_arn.value
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.testing-ci-user
+  secret_id = data.aws_secretsmanager_secret.environment_management.id
+}
@@ -0,0 +1,17 @@
+variable "sechub_eventbridge_rule_name" {
+  description = "SecurityHub Eventbridge rule name"
+  default     = "sechub_high_and_critical_findings"
+  type        = string
+}
+
+variable "sechub_sns_topic_name" {
+  description = "SecurityHub SNS Topic name"
+  default     = "sechub_findings_sns_topic"
+  type        = string
+}
+
+variable "sechub_sns_kms_key_name" {
+  description = "SecurityHub SNS Topic KMS key name"
+  default     = "alias/sns-kms-key"
+  type        = string
+}
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 5.0"
+      source  = "hashicorp/aws"
+    }
+    http = {
+      version = "~> 3.0"
+      source  = "hashicorp/http"
+    }
+  }
+  required_version = "~> 1.0"
+}