# Lambda function that talks to Aqua CSPM on behalf of this stack.
# Despite the description below, the same function is invoked twice in this
# file: once to fetch the External ID (aws_lambda_invocation.sechub_integration_external_id)
# and once to run the Security Hub onboarding (aws_lambda_invocation.sechub_integration_onboarding).
# Only created when the integration is switched on via local.enable_security_hub_integration.
module "sechub_integration_lambda" {
source = "terraform-aws-modules/lambda/aws"
version = "~> 4.10.1"
count = local.enable_security_hub_integration ? 1 : 0
function_name = "${local.name_prefix}-sechub-integration-function"
description = "Retrieves the External ID from Aqua CSPM"
handler = "index.lambda_handler"
# NOTE(review): python3.9 is on AWS Lambda's runtime deprecation schedule;
# plan the move to a supported runtime before deprecation blocks updates.
runtime = "python3.9"
memory_size = 128
timeout = 30
# The deployment artifact is a pre-built zip committed under src/; Terraform does
# not build it (create_package = false). Because the zip is an opaque binary,
# its contents cannot be reviewed in a diff — treat changes to it as a
# supply-chain event and rebuild it from audited source.
# NOTE(review): confirm the module records a source_code_hash for this file so
# that a modified artifact shows up as a change on plan.
create_package = false
local_existing_package = "${path.module}/src/security_hub_integration_function/lambda_function.zip"
# Execution role is managed outside this module (module.lambda_role, not shown
# here). Its policy is what bounds this function; presumably it needs read
# access to the secret passed in as local.secret_name and nothing more — verify.
create_role = false
lambda_role = module.lambda_role.iam_role_arn
tags = var.tags
}
# Step 1: invoke the function to obtain the External ID from Aqua CSPM.
# The payload mimics the ResourceProperties/LogicalResourceId shape of a
# CloudFormation custom-resource event — presumably the handler was written
# for CFN and is reused here; confirm against the handler source.
# Only the secret's identifier (local.secret_name) is passed, not its value;
# the function is expected to read the secret itself.
# Security note: aws_lambda_invocation stores the function's JSON response in
# Terraform state (the `result` attribute), so whatever the handler returns
# (at minimum the External ID, per the function description) sits in state in
# plaintext. Treat the state backend as sensitive accordingly.
resource "aws_lambda_invocation" "sechub_integration_external_id" {
count = local.enable_security_hub_integration ? 1 : 0
function_name = module.sechub_integration_lambda[0].lambda_function_name
input = jsonencode({
ResourceProperties = {
Secret = local.secret_name
},
LogicalResourceId = "ExternalIDInvoke"
})
# Ordering: the secret value must be written, then a 10s pause
# (time_sleep.sechub_integration_wait_10_aqua_cspm_secret), before the function
# reads it — presumably to absorb Secrets Manager propagation delay.
# The module dependency is already implied by function_name above.
depends_on = [
module.sechub_integration_lambda,
aws_secretsmanager_secret_version.aqua_cspm_secret,
time_sleep.sechub_integration_wait_10_aqua_cspm_secret,
]
}
# Step 2: hand Aqua CSPM the cross-account details it needs to push findings
# into Security Hub. RoleArn + ExtId form the trust pair a third party uses to
# assume the role; the External ID is the confused-deputy guard, so the trust
# policy of aws_iam_role.aqua_cspm_sechub (defined elsewhere) must require the
# same value via an sts:ExternalId condition — verify that it does.
# Runs after step 1 and after a further 10s pause.
resource "aws_lambda_invocation" "sechub_integration_onboarding" {
count = local.enable_security_hub_integration ? 1 : 0
function_name = module.sechub_integration_lambda[0].lambda_function_name
input = jsonencode({
ResourceProperties = {
Secret = local.secret_name,
RoleArn = aws_iam_role.aqua_cspm_sechub[0].arn,
# local.sechub_external_id is defined elsewhere; presumably it is derived
# from the step-1 invocation result — confirm.
ExtId = local.sechub_external_id,
AccId = data.aws_caller_identity.current.account_id,
Region = data.aws_region.current.name,
ScanNotifications = local.sechub_notification_type,
},
LogicalResourceId = "IntegrationInvoke"
})
# Note the dependency on aws_iam_role.aqua_cspm, which is a different role
# from the aqua_cspm_sechub role referenced in the payload above; both must
# exist before onboarding is attempted.
# NOTE(review): with the provider's default lifecycle scope this invocation
# fires on create (and on input change) only — nothing is invoked on destroy,
# so removing this stack does not offboard the integration on the Aqua side.
depends_on = [
time_sleep.sechub_integration_wait_10_seconds,
aws_lambda_invocation.sechub_integration_external_id,
aws_iam_role.aqua_cspm,
]
}
# Fixed 10s pause between the External ID fetch and the onboarding call.
# Presumably absorbs eventual consistency on the Aqua/AWS side; a fixed sleep
# is a best-effort guess, not a guarantee, so a failed onboarding invocation
# should be retried with a re-apply rather than by lengthening this blindly.
resource "time_sleep" "sechub_integration_wait_10_seconds" {
count = local.enable_security_hub_integration ? 1 : 0
depends_on = [
aws_lambda_invocation.sechub_integration_external_id,
]
create_duration = "10s"
}
# Fixed 10s pause after the Aqua CSPM secret value is written and before the
# function first reads it (see aws_lambda_invocation.sechub_integration_external_id).
# Presumably covers Secrets Manager propagation; same best-effort caveat as the
# other sleep in this file.
resource "time_sleep" "sechub_integration_wait_10_aqua_cspm_secret" {
count = local.enable_security_hub_integration ? 1 : 0
depends_on = [
aws_secretsmanager_secret_version.aqua_cspm_secret,
]
create_duration = "10s"
}