Merge pull request #19 from schubergphilis/remove-sechub

breaking: remove aws_security_hub_standards_arns to support centralized security hub configuration

README.md

@@ -28,16 +28,6 @@ aws_config = {
 }
 ```
 
-## AWS Security Hub
-
-This module enables the following standards by default:
-
-- `AWS Foundational Security Best Practices v1.0.0`
-- `CIS AWS Foundations Benchmark v1.4.0`
-- `PCI DSS v3.2.1`
-
-You are able to control the enabled standards via `var.aws_security_hub_standards_arns`.
-
 ## MCAF Service Quotas Manager integration
 
 This module can deploy the IAM role required by the [MCAF Service Quotas Manager](https://github.com/schubergphilis/terraform-aws-mcaf-service-quotas-manager) module. The `assuming_principal_identifier` should be the `ServiceQuotasManagerExecutionRole`. This is by default `arn:aws:iam::<account_id>:role/ServiceQuotasManagerExecutionRole-<region_name>`.
@@ -50,7 +40,7 @@ This module can deploy the IAM role required by the [MCAF Service Quotas Manager
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.7.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.0.0 |
 
 ## Providers
@@ -74,7 +64,6 @@ This module can deploy the IAM role required by the [MCAF Service Quotas Manager
 | [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource |
 | [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource |
 | [aws_s3_account_public_access_block.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block) | resource |
-| [aws_securityhub_standards_subscription.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_standards_subscription) | resource |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
@@ -87,7 +76,6 @@ This module can deploy the IAM role required by the [MCAF Service Quotas Manager
 | <a name="input_aws_ebs_encryption_custom_key"></a> [aws\_ebs\_encryption\_custom\_key](#input\_aws\_ebs\_encryption\_custom\_key) | Set to true and specify the `aws_kms_key_arn` to use in place of the AWS-managed default CMK | `bool` | `false` | no |
 | <a name="input_aws_kms_key_arn"></a> [aws\_kms\_key\_arn](#input\_aws\_kms\_key\_arn) | The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volumes | `string` | `null` | no |
 | <a name="input_aws_s3_public_access_block_config"></a> [aws\_s3\_public\_access\_block\_config](#input\_aws\_s3\_public\_access\_block\_config) | S3 bucket-level Public Access Block config | <pre>object({<br>    enabled                 = optional(bool, true)<br>    block_public_acls       = optional(bool, true)<br>    block_public_policy     = optional(bool, true)<br>    ignore_public_acls      = optional(bool, true)<br>    restrict_public_buckets = optional(bool, true)<br>  })</pre> | `{}` | no |
-| <a name="input_aws_security_hub_standards_arns"></a> [aws\_security\_hub\_standards\_arns](#input\_aws\_security\_hub\_standards\_arns) | A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled | `list(string)` | `null` | no |
 | <a name="input_service_quotas_manager_role"></a> [service\_quotas\_manager\_role](#input\_service\_quotas\_manager\_role) | Create the role needed to integrate the terraform-aws-mcaf-service-quotas-manager module | <pre>object({<br>    assuming_principal_identifier = string<br>    path                          = optional(string, "/")<br>    permissions_boundary          = optional(string, null)<br>  })</pre> | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Map of tags | `map(string)` | `{}` | no |
 

UPGRADING.md

@@ -0,0 +1,82 @@
+# Upgrading Notes
+
+This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
+
+## Upgrading to v2.0.0
+
+### Key Changes
+
+#### Transition to Centralized Security Hub Configuration
+
+This version relies on the centralized security hub configuration as added in [terraform-aws-mcaf-landing-zone version v5.0.0](https://github.com/schubergphilis/terraform-aws-mcaf-landing-zone/releases/tag/v5.0.0)  
+
+Using centralized security hub it's no longer possible to modify the AWS SecurityHub standards in the account itself, therefore this functionality has been removed from this module. 
+
+
+### Variables
+
+The following variables have been removed:
+* `aws_security_hub_standards_arns`. This variable is not configurable anymore using security hub central configuration.
+
+### How to upgrade.
+
+1. Upgrade your landing zone deployment to v5.0.0 or higher FIRST, before updating your account-baseline to v2.0.0 or higher.
+
+2. Update the variables according to the variables section above. 
+
+3. Manually Removing Local Security Hub Standards for all account-baseline workspaces.
+
+    Previous versions managed `aws_securityhub_standards_subscription` resources locally in the accounts. These are now centrally configured. **Terraform will attempt to remove these resources from the state**. To prevent disabling them, the resources must be manually removed from the Terraform state.
+
+    *Steps to Remove Resources: Option 1: Using the Removed block:*
+
+    ```
+    removed {
+      from = module.account_baseline.aws_securityhub_standards_subscription["arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1"]
+
+      lifecycle {
+        destroy = false
+      }
+    }
+
+    removed {
+      from = module.account_baseline.aws_securityhub_standards_subscription["arn:aws:securityhub:eu-central-1::standards/cis-aws-foundations-benchmark/v/1.4.0"]
+
+      lifecycle {
+        destroy = false
+      }
+    }
+
+    removed {
+      from = module.account_baseline.aws_securityhub_standards_subscription["aws-foundational-security-best-practices/v/1.0.0"]
+
+      lifecycle {
+        destroy = false
+      }
+    }
+    ```
+
+    Note: you may need to alter the removed blocks based on the actually configured subscriptions.
+
+
+    *Steps to Remove Resources: Option 2: Using Terraform State manipulation*
+
+    a. Generate Removal Commands. Run the following shell snippet:
+
+    ```shell
+    terraform init
+    for local_standard in $(terraform state list | grep "module.account_baseline.aws_securityhub_standards_subscription"); do
+      echo "terraform state rm '$local_standard'"
+    done
+    ```
+
+    b. Execute Commands: Evaluate and run the generated statements. They will look like:
+
+    ```shell
+    terraform state rm 'module.account_baseline.aws_securityhub_standards_subscription["arn:aws:securityhub:eu-central-1::standards/pci-dss/v/3.2.1"]'
+    ...
+    ```
+
+    *Why Manual Removal is Required*
+
+    Terraform cannot handle `for_each` loops in `removed` statements ([HashiCorp Issue #34439](https://github.com/hashicorp/terraform/issues/34439)). Therefore we could not add these removed statements in the module itself. 

examples/basic/versions.tf

@@ -5,5 +5,5 @@ terraform {
       version = ">= 4.0.0"
     }
   }
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.7.0"
 }

locals.tf

@@ -7,12 +7,4 @@ locals {
       }
     ]
   ]) : []
-
-  security_hub_standards_arns_default = [
-    "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0",
-    "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0",
-    "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
-  ]
-
-  security_hub_standards_arns = var.aws_security_hub_standards_arns != null ? var.aws_security_hub_standards_arns : local.security_hub_standards_arns_default
 }

main.tf

@@ -29,12 +29,6 @@ resource "aws_iam_account_password_policy" "default" {
   require_uppercase_characters   = var.account_password_policy.require_uppercase_characters
 }
 
-resource "aws_securityhub_standards_subscription" "default" {
-  for_each = toset(local.security_hub_standards_arns)
-
-  standards_arn = each.value
-}
-
 resource "aws_s3_account_public_access_block" "default" {
   count = var.aws_s3_public_access_block_config.enabled ? 1 : 0
 

variables.tf

@@ -61,12 +61,6 @@ variable "aws_s3_public_access_block_config" {
   description = "S3 bucket-level Public Access Block config"
 }
 
-variable "aws_security_hub_standards_arns" {
-  type        = list(string)
-  default     = null
-  description = "A list of the ARNs of the standards you want to enable in AWS Security Hub. If you do not provide a list the default standards are enabled"
-}
-
 variable "service_quotas_manager_role" {
   type = object({
     assuming_principal_identifier = string

versions.tf

@@ -5,5 +5,5 @@ terraform {
       version = ">= 4.0.0"
     }
   }
-  required_version = ">= 1.2.0"
+  required_version = ">= 1.7.0"
 }