From 54cc0d418c68cea7bec01bc98ebf4ac59ba3c0d5 Mon Sep 17 00:00:00 2001
From: Calvin Rodo <calvin.rodo@cds-snc.ca>
Date: Tue, 14 Jun 2022 14:06:02 -0400
Subject: [PATCH] feat: send security hub events to sentinel (#74)

Since we can just send from the log_archive account there is no need to
forward the events to another eventbridge like we did in the existing
Landing Zone Instance.
---
 terragrunt/org_account/main/eventbridge.tf    | 23 +++++++++++++++++++
 .../org_account/main/sentinel_forwarders.tf   | 20 ++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 terragrunt/org_account/main/eventbridge.tf

diff --git a/terragrunt/org_account/main/eventbridge.tf b/terragrunt/org_account/main/eventbridge.tf
new file mode 100644
index 00000000..4c99ff4d
--- /dev/null
+++ b/terragrunt/org_account/main/eventbridge.tf
@@ -0,0 +1,23 @@
+resource "aws_cloudwatch_event_rule" "cds_sentinel_securityhub_rule" {
+  provider    = aws.log_archive
+  name        = "cds-sentinel-securityhub-rule"
+  description = "Capture security hub events"
+
+  event_pattern = <<PATTERN
+{
+  "source": [
+    "aws.securityhub"
+  ],
+  "detail-type": [
+    "Security Hub Findings - Imported"
+  ],
+  "detail": {
+    "findings": {
+      "Severity": [
+        "CRITICAL", "HIGH", "MEDIUM", "LOW"
+      ]
+    }
+  }
+}
+PATTERN
+}
\ No newline at end of file
diff --git a/terragrunt/org_account/main/sentinel_forwarders.tf b/terragrunt/org_account/main/sentinel_forwarders.tf
index 22142582..c480a4c9 100644
--- a/terragrunt/org_account/main/sentinel_forwarders.tf
+++ b/terragrunt/org_account/main/sentinel_forwarders.tf
@@ -45,3 +45,23 @@ module "guardduty_forwarder" {
     }
   ]
 }
+
+
+
+# Security Hub
+
+module "securityhub_forwarder" {
+  providers = {
+    aws = aws.log_archive
+  }
+
+  source            = "github.com/cds-snc/terraform-modules?ref=v3.0.2//sentinel_forwarder"
+  function_name     = "sentinel-securityhub-forwarder"
+  billing_tag_value = var.billing_code
+
+  customer_id = var.lw_customer_id
+  shared_key  = var.lw_shared_key
+
+  event_rule_names = [aws_cloudwatch_event_rule.cds_sentinel_securityhub_rule.name]
+
+}
\ No newline at end of file