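// Copyright 2020 The Terraformer Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package aws

import (
	"context"
	"strings"

	"github.com/GoogleCloudPlatform/terraformer/terraformutils"
	"github.com/aws/aws-sdk-go-v2/service/securityhub"
)

// securityhubAllowEmptyValues is the allow-empty-values list handed to every
// resource this generator creates; "tags." is the only prefix listed.
var securityhubAllowEmptyValues = []string{"tags."}

// SecurityhubGenerator imports AWS Security Hub resources: the account
// subscription, its member accounts and its enabled standards subscriptions.
type SecurityhubGenerator struct {
	AWSService
}

// InitResources builds the Security Hub client and populates g.Resources.
// When the calling account is not subscribed to Security Hub it returns nil
// without adding any resource; any other error is returned unchanged.
func (g *SecurityhubGenerator) InitResources() error {
	config, err := g.generateConfig()
	if err != nil {
		return err
	}
	client := securityhub.NewFromConfig(config)

	account, err := g.getAccountNumber(config)
	if err != nil {
		return err
	}

	// The member and standards resources declare depends_on against the
	// account resource, so the account is probed and added first. A disabled
	// hub means there is nothing further to import.
	accountDisabled, err := g.addAccount(client, *account)
	if err != nil {
		return err
	}
	if accountDisabled {
		return nil
	}
	if err := g.addMembers(client, *account); err != nil {
		return err
	}
	return g.addStandardsSubscription(client, *account)
}

// addAccount probes the hub with GetEnabledStandards and, when the call
// succeeds, records the aws_securityhub_account resource named after
// accountNumber. It returns (true, nil) when the error text reports that the
// account is not subscribed, and (false, err) for every other error.
func (g *SecurityhubGenerator) addAccount(client *securityhub.Client, accountNumber string) (bool, error) {
	_, err := client.GetEnabledStandards(context.TODO(), &securityhub.GetEnabledStandardsInput{})
	if err != nil {
		// The "not subscribed" case is recognised by message text only, so a
		// change in the service's wording would surface here as a hard error
		// instead of a quiet skip. Every other error is propagated so that a
		// failed probe is never mistaken for a disabled hub.
		if strings.Contains(err.Error(), "not subscribed to AWS Security Hub") {
			return true, nil
		}
		return false, err
	}
	g.Resources = append(g.Resources, terraformutils.NewSimpleResource(
		accountNumber,
		accountNumber,
		"aws_securityhub_account",
		"aws",
		securityhubAllowEmptyValues,
	))
	return false, nil
}

// addMembers records one aws_securityhub_member resource per member returned
// by ListMembers, each depending on the account resource. The email attribute
// is only set when the API returned one. Members whose AccountId is absent are
// skipped instead of being dereferenced.
func (g *SecurityhubGenerator) addMembers(svc *securityhub.Client, accountNumber string) error {
	p := securityhub.NewListMembersPaginator(svc, &securityhub.ListMembersInput{})

	for p.HasMorePages() {
		page, err := p.NextPage(context.TODO())
		if err != nil {
			return err
		}
		for _, member := range page.Members {
			if member.AccountId == nil {
				// SDK pointer fields may be nil; a member without an ID cannot
				// be named, so skip it rather than panic.
				continue
			}
			id := *member.AccountId
			attributes := map[string]string{
				"account_id": id,
			}
			if member.Email != nil {
				attributes["email"] = *member.Email
			}
			g.Resources = append(g.Resources, terraformutils.NewResource(
				id,
				"securityhub_member_"+id,
				"aws_securityhub_member",
				"aws",
				attributes,
				securityhubAllowEmptyValues,
				map[string]interface{}{
					"depends_on": []string{"${aws_securityhub_account.tfer--" + accountNumber + "}"},
				},
			))
		}
	}
	return nil
}

// addStandardsSubscription records one aws_securityhub_standards_subscription
// resource per enabled standard returned by GetEnabledStandards, keyed by the
// subscription ARN and depending on the account resource. Entries whose ARN is
// absent are skipped instead of being dereferenced.
func (g *SecurityhubGenerator) addStandardsSubscription(svc *securityhub.Client, accountNumber string) error {
	p := securityhub.NewGetEnabledStandardsPaginator(svc, &securityhub.GetEnabledStandardsInput{})

	for p.HasMorePages() {
		page, err := p.NextPage(context.TODO())
		if err != nil {
			return err
		}
		for _, standardsSubscription := range page.StandardsSubscriptions {
			if standardsSubscription.StandardsSubscriptionArn == nil {
				// Same reasoning as in addMembers: no ARN means no resource name.
				continue
			}
			id := *standardsSubscription.StandardsSubscriptionArn
			g.Resources = append(g.Resources, terraformutils.NewResource(
				id,
				id,
				"aws_securityhub_standards_subscription",
				"aws",
				map[string]string{
					"standards_arn": id,
				},
				securityhubAllowEmptyValues,
				map[string]interface{}{
					// NOTE(review): addMembers wraps the same reference in
					// "${...}" while this one is bare; the two should agree —
					// confirm which form the HCL writer expects before changing.
					"depends_on": []string{"aws_securityhub_account.tfer--" + accountNumber},
				},
			))
		}
	}
	return nil
}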