Merge pull request #40 from sourcefuse/fix/inspector-member-acct-association

Fix/inspector member acct association

Author: vijay-stephen

.github/workflows/terratest.yaml

@@ -0,0 +1,86 @@
+---
+name: Terratest
+on:        # yamllint disable-line rule:truthy
+  pull_request:
+    types: [opened]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Pull Request Number'
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  statuses: write  # Required for setting commit status
+
+jobs:
+  terratest:
+    runs-on: ubuntu-latest
+    name: Terratest Checks
+
+    env:
+      PR_NUMBER: >-
+        ${{ github.event_name == 'workflow_dispatch' &&
+        github.event.inputs.pr_number || github.event.pull_request.number }}
+
+
+    steps:
+      - name: Checkout PR code
+        uses: actions/checkout@v4
+        with:
+          ref: refs/pull/${{ env.PR_NUMBER }}/head
+
+      - name: Configure AWS credentials via OIDC
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ARC_IAC_TERRATEST_ROLE }}
+          aws-region: us-east-1
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.24'
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.7
+          terraform_wrapper: false
+
+      - name: Create test directory and download go from S3
+        run: |
+          mkdir -p terra-test
+          aws s3 cp ${{ secrets.ARC_TERRATEST_GO_FILE }} terra-test/terra_test.go
+      - name: Initialize Go module and install dependencies
+        run: |
+          cd terra-test
+          ls
+          go mod init terraform-test || true
+          go get github.com/gruntwork-io/terratest/modules/terraform
+          go get github.com/stretchr/testify/assert
+          go mod tidy
+          go test -v -timeout 40m
+      - name: Report check status manually
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const pr_number = parseInt(process.env.PR_NUMBER);
+            const pr = await github.rest.pulls.get({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              pull_number: pr_number,
+            });
+            const sha = pr.data.head.sha;
+            await github.rest.repos.createCommitStatus({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              sha: sha,
+              state: 'success',
+              context: 'terratest',
+              description: 'Manual terratest completed successfully',
+              target_url:
+                `https://github.com/${context.repo.owner}/${context.repo.repo}` +
+                `/actions/runs/${process.env.GITHUB_RUN_ID}`,
+            });

.github/workflows/test.yml renamed to .github/workflows/tflint.yml

@@ -53,14 +53,14 @@ module "cloud_security" {
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3, < 2.0.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0, < 6.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.62.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.99.1 |
 
 ## Modules
 
@@ -98,6 +98,7 @@ module "cloud_security" {
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_add_inspector_member_accounts"></a> [add\_inspector\_member\_accounts](#input\_add\_inspector\_member\_accounts) | Whether to associate as a member account with your Amazon Inspector delegated administrator account. | `bool` | `false` | no |
 | <a name="input_aws_config_managed_rules"></a> [aws\_config\_managed\_rules](#input\_aws\_config\_managed\_rules) | A list of AWS Managed Rules that should be enabled on the account.<br><br>See the following for a list of possible rules to enable:<br>https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html | <pre>map(object({<br>    description      = string<br>    identifier       = string<br>    input_parameters = any<br>    tags             = map(string)<br>    enabled          = bool<br>  }))</pre> | `{}` | no |
 | <a name="input_aws_config_sns_subscribers"></a> [aws\_config\_sns\_subscribers](#input\_aws\_config\_sns\_subscribers) | A map of subscription configurations for SNS topics<br><br>For more information, see:<br>https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription#argument-reference<br><br>protocol:<br>  The protocol to use. The possible values for this are: sqs, sms, lambda, application. (http or https are partially<br>  supported, see link) (email is an option but is unsupported in terraform, see link).<br>endpoint:<br>  The endpoint to send data to, the contents will vary with the protocol. (see link for more information)<br>endpoint\_auto\_confirms:<br>  Boolean indicating whether the end point is capable of auto confirming subscription e.g., PagerDuty. Default is<br>  false<br>raw\_message\_delivery:<br>  Boolean indicating whether or not to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property).<br>  Default is false | <pre>map(object({<br>    protocol               = string<br>    endpoint               = string<br>    endpoint_auto_confirms = bool<br>    raw_message_delivery   = bool<br>  }))</pre> | n/a | yes |
 | <a name="input_create_config_iam_role"></a> [create\_config\_iam\_role](#input\_create\_config\_iam\_role) | Flag to indicate whether an iam role should be created for aws config. | `bool` | `false` | no |

README.md

@@ -1,11 +1 @@
-data "aws_ssm_parameter" "guard_duty" {
-  name = "/${var.namespace}/${var.environment}/guard-duty/opsgenie/api-key"
-}
-
-data "aws_ssm_parameter" "security_hub" {
-  name = "/${var.namespace}/${var.environment}/security-hub/opsgenie/api-key"
-}
-
-data "aws_ssm_parameter" "aws_config" {
-  name = "/${var.namespace}/${var.environment}/aws-config/opsgenie/api-key"
-}
+data "aws_caller_identity" "current" {}

example/data.tf

@@ -1,5 +1,5 @@
 region      = "us-east-1"
-environment = "dev"
+environment = "poc"
 namespace   = "arc"
 project     = "aws-modules"
 
@@ -19,6 +19,4 @@ aws_config_managed_rules = {
   }
 }
 
-create_inspector_iam_role     = true
-inspector_enabled_rules       = ["cis"]
 inspector_schedule_expression = "rate(7 days)"

example/dev.tfvars renamed to example/dev.auto.tfvars

@@ -1,29 +1,39 @@
 locals {
   aws_config_sns_subscribers = {
     opsgenie = {
-      protocol               = "https"
-      endpoint               = data.aws_ssm_parameter.aws_config.value
+      protocol               = "email"
+      endpoint               = "devops-team@example.com"
       endpoint_auto_confirms = true
       raw_message_delivery   = false
     }
   }
   guard_duty_sns_subscribers = {
     opsgenie = {
-      protocol               = "https"
-      endpoint               = data.aws_ssm_parameter.guard_duty.value
+      protocol               = "email"
+      endpoint               = "devops-team@example.com"
       endpoint_auto_confirms = true
       raw_message_delivery   = false
     }
   }
   security_hub_sns_subscribers = {
     opsgenie = {
-      protocol               = "https"
-      endpoint               = data.aws_ssm_parameter.security_hub.value
+      protocol               = "email"
+      endpoint               = "devops-team@example.com"
       endpoint_auto_confirms = true
       raw_message_delivery   = false
     }
   }
 
+  inspector_sns_subscribers = {
+    opsgenie = {
+      protocol               = "email"
+      endpoint               = "devops-team@example.com"
+      endpoint_auto_confirms = true
+      raw_message_delivery   = false
+    }
+  }
+
+
   security_hub_standards = [
     "standards/aws-foundational-security-best-practices/v/1.0.0",
     "standards/cis-aws-foundations-benchmark/v/1.4.0"

example/locals.tf

@@ -2,7 +2,7 @@
 ## defaults
 ################################################################################
 terraform {
-  required_version = "~> 1.7"
+  required_version = ">= 1.5.0"
 
   required_providers {
     aws = {
@@ -32,8 +32,7 @@ module "tags" {
 
 
 module "cloud_security" {
-  source  = "sourcefuse/arc-security/aws"
-  version = "0.0.5"
+  source = "../"
 
   region      = var.region
   environment = var.environment
@@ -53,10 +52,10 @@ module "cloud_security" {
   aws_config_managed_rules       = var.aws_config_managed_rules
   enabled_security_hub_standards = local.security_hub_standards
 
-  create_inspector_iam_role               = var.create_inspector_iam_role
-  inspector_enabled_rules                 = var.inspector_enabled_rules
-  inspector_schedule_expression           = var.inspector_schedule_expression
-  inspector_assessment_event_subscription = var.inspector_assessment_event_subscription
+
+  inspector_schedule_expression = var.inspector_schedule_expression
+  inspector_account_list        = [data.aws_caller_identity.current.account_id]
+  inspector_sns_subscribers     = local.inspector_sns_subscribers
 
   tags = module.tags.tags
 }

example/main.tf

@@ -23,36 +23,12 @@ variable "project" {
   default     = ""
 }
 
-############################################################################
-## security hub
-############################################################################
-variable "create_inspector_iam_role" {
-  description = "Toggle to create aws inspector iam role"
-  type        = bool
-  default     = true
-}
-
-variable "inspector_enabled_rules" {
-  description = "list of rules to pass to inspector"
-  type        = list(string)
-  default     = []
-}
-
 variable "inspector_schedule_expression" {
   description = "AWS Schedule Expression to indicate how often the inspector scheduled event shoud run"
   type        = string
   default     = "rate(7 days)"
 }
 
-variable "inspector_assessment_event_subscription" {
-  description = "Configures sending notifications about a specified assessment template event to a designated SNS topic"
-  type = map(object({
-    event     = string
-    topic_arn = string
-  }))
-  default = {}
-}
-
 variable "aws_config_managed_rules" {
   description = <<-DOC
     A list of AWS Managed Rules that should be enabled on the account.

example/variables.tf

@@ -81,8 +81,9 @@ module "inspector" {
 
   enable_inspector_at_orgnanization = var.enable_inspector_at_orgnanization
 
-  account_list   = var.inspector_account_list
-  resource_types = var.inspector_resource_types
-  subscribers    = var.inspector_sns_subscribers
+  account_list                  = var.inspector_account_list
+  add_inspector_member_accounts = var.add_inspector_member_accounts
+  resource_types                = var.inspector_resource_types
+  subscribers                   = var.inspector_sns_subscribers
 
 }

main.tf

@@ -20,7 +20,7 @@ resource "aws_inspector2_organization_configuration" "this" {
 }
 
 resource "aws_inspector2_member_association" "this" {
-  for_each   = toset(var.account_list)
+  for_each   = var.add_inspector_member_accounts ? toset(var.account_list) : toset([])
   account_id = each.value
 }
 

modules/inspector/main.tf

@@ -4,6 +4,12 @@ variable "enable_inspector_at_orgnanization" {
   default     = false
 }
 
+variable "add_inspector_member_accounts" {
+  type        = bool
+  description = "Whether to associate as a member account with your Amazon Inspector delegated administrator account."
+  default     = false
+}
+
 variable "account_list" {
   type        = list(string)
   description = "List of Account for which inspector has to be enabled"

modules/inspector/variables.tf

@@ -216,6 +216,12 @@ variable "inspector_schedule_expression" {
   default     = "rate(7 days)"
 }
 
+variable "add_inspector_member_accounts" {
+  type        = bool
+  description = "Whether to associate as a member account with your Amazon Inspector delegated administrator account."
+  default     = false
+}
+
 variable "inspector_sns_subscribers" {
   type = map(object({
     protocol               = string

variables.tf

@@ -2,7 +2,7 @@
 ## defaults
 ################################################################################
 terraform {
-  required_version = ">= 1.3, < 2.0.0"
+  required_version = ">= 1.5.0"
 
   required_providers {
     aws = {