Merge pull request #23 from rhythmictech/securityhub

add configurable support for securityhub integration

Author: cdaniluk

.terraform.lock.hcl

@@ -99,6 +99,7 @@ module "datadog" {
 | <a name="requirement_datadog"></a> [datadog](#requirement\_datadog) | >= 3.37 |
 | <a name="requirement_http"></a> [http](#requirement\_http) | >= 3.4 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.1.0 |
+| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.12 |
 
 ## Providers
 
@@ -109,6 +110,7 @@ module "datadog" {
 | <a name="provider_datadog"></a> [datadog](#provider\_datadog) | 3.37.0 |
 | <a name="provider_http"></a> [http](#provider\_http) | 3.4.2 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.2 |
+| <a name="provider_time"></a> [time](#provider\_time) | 0.12.1 |
 
 ## Modules
 
@@ -123,8 +125,10 @@ module "datadog" {
 | [aws_cloudformation_stack.datadog_forwarder](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack) | resource |
 | [aws_cloudwatch_event_rule.awshealth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_rule.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
+| [aws_cloudwatch_event_rule.securityhub_to_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource |
 | [aws_cloudwatch_event_target.awshealth](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_event_target.guardduty](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
+| [aws_cloudwatch_event_target.securityhub_to_datadog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource |
 | [aws_cloudwatch_log_subscription_filter.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
 | [aws_cloudwatch_log_subscription_filter.rds_enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_subscription_filter) | resource |
 | [aws_cur_report_definition.cur](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cur_report_definition) | resource |
@@ -146,6 +150,7 @@ module "datadog" {
 | [aws_lambda_permission.bucket_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.cloudwatch_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_lambda_permission.guardduty_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_lambda_permission.securityhub_trigger](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
 | [aws_s3_bucket.local_cur](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
 | [aws_s3_bucket_lifecycle_configuration.local_cur](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource |
 | [aws_s3_bucket_notification.bucket_notification](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_notification) | resource |
@@ -164,6 +169,7 @@ module "datadog" {
 | [datadog_monitor.anomaly_usage](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/monitor) | resource |
 | [datadog_monitor.forecast_usage](https://registry.terraform.io/providers/datadog/datadog/latest/docs/resources/monitor) | resource |
 | [null_resource.rds_enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [time_sleep.wait_datadog_forwarder](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [archive_file.rds_enhanced_monitoring](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -190,6 +196,7 @@ module "datadog" {
 | <a name="input_enable_health_notifications"></a> [enable\_health\_notifications](#input\_enable\_health\_notifications) | Send AWS health notifications to Datadog (`install_log_forwarder` must be true). This routes AWS Health events to the log forwarder. Health events can also be received as a Datadog Event through the AWS Health integration. | `bool` | `true` | no |
 | <a name="input_enable_rds_enhanced_monitoring_lambda"></a> [enable\_rds\_enhanced\_monitoring\_lambda](#input\_enable\_rds\_enhanced\_monitoring\_lambda) | Install the RDS Enhanced Monitoring Lambda | `bool` | `false` | no |
 | <a name="input_enable_resource_collection"></a> [enable\_resource\_collection](#input\_enable\_resource\_collection) | Enable or disable resource collection | `bool` | `true` | no |
+| <a name="input_enable_securityhub_notifications"></a> [enable\_securityhub\_notifications](#input\_enable\_securityhub\_notifications) | Send Security Hub notifications to Datadog (`install_log_forwarder` must be true). This routes Security Hub events to the log forwarder. | `bool` | `false` | no |
 | <a name="input_estimated_usage_anomaly_message"></a> [estimated\_usage\_anomaly\_message](#input\_estimated\_usage\_anomaly\_message) | Message for usage anomaly alerts | `string` | `"Datadog usage anomaly detected"` | no |
 | <a name="input_estimated_usage_detection_config"></a> [estimated\_usage\_detection\_config](#input\_estimated\_usage\_detection\_config) | Map of usage types to monitor. | `map(any)` | `{}` | no |
 | <a name="input_estimated_usage_detection_default_config"></a> [estimated\_usage\_detection\_default\_config](#input\_estimated\_usage\_detection\_default\_config) | Map of default usage monitoring settings for each metric type. All are disabled by default. Use `usage_anomaly_services` to enable services and alternately override default settings | <pre>map(object({<br>    anomaly_enabled       = bool<br>    anomaly_span          = string<br>    anomaly_threshold     = number<br>    anomaly_window        = string<br>    anomaly_deviations    = number<br>    anomaly_seasonality   = string<br>    anomaly_rollup        = number<br>    forecast_enabled      = bool<br>    forecast_deviations   = number<br>    forecast_rollup_type  = string<br>    forecast_rollup_value = number<br>    forecast_threshold    = number<br>  }))</pre> | <pre>{<br>  "hosts": {<br>    "anomaly_deviations": 1,<br>    "anomaly_enabled": false,<br>    "anomaly_rollup": 600,<br>    "anomaly_seasonality": "daily",<br>    "anomaly_span": "last_1d",<br>    "anomaly_threshold": 0.15,<br>    "anomaly_window": "last_1h",<br>    "forecast_deviations": 1,<br>    "forecast_enabled": false,<br>    "forecast_rollup_type": "avg",<br>    "forecast_rollup_value": 300,<br>    "forecast_threshold": 1000<br>  },<br>  "logs_indexed": {<br>    "anomaly_deviations": 2,<br>    "anomaly_enabled": false,<br>    "anomaly_rollup": 60,<br>    "anomaly_seasonality": "hourly",<br>    "anomaly_span": "last_1d",<br>    "anomaly_threshold": 0.15,<br>    "anomaly_window": "last_1h",<br>    "forecast_deviations": 1,<br>    "forecast_enabled": false,<br>    "forecast_rollup_type": "sum",<br>    "forecast_rollup_value": 86400,<br>    "forecast_threshold": 1000<br>  },<br>  "logs_ingested": {<br>    "anomaly_deviations": 2,<br>    "anomaly_enabled": false,<br>    "anomaly_rollup": 60,<br>    "anomaly_seasonality": "hourly",<br>    "anomaly_span": "last_1d",<br>    "anomaly_threshold": 0.15,<br>    "anomaly_window": "last_1h",<br>    "forecast_deviations": 1,<br>    "forecast_enabled": false,<br>    "forecast_rollup_type": "sum",<br>    "forecast_rollup_value": 86400,<br>    "forecast_threshold": 1000<br>  }<br>}</pre> | no |

README.md

@@ -19,6 +19,11 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.1.0"
     }
+
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.12"
+    }
   }
 }
 

examples/basic/main.tf

@@ -0,0 +1,65 @@
+terraform {
+  required_providers {
+    archive = {
+      source  = "hashicorp/archive"
+      version = ">= 2.2.0"
+    }
+
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.62"
+    }
+
+    datadog = {
+      source  = "datadog/datadog"
+      version = ">= 3.37"
+    }
+
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.1.0"
+    }
+
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.12"
+    }
+  }
+}
+
+provider "aws" {
+}
+
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+}
+
+module "datadog" {
+  source = "../.."
+
+  name                    = "datadog-integration"
+  install_log_forwarder   = true
+  integration_filter_tags = ["datadog_managed:true"]
+
+  # logs
+  logs_manage_main_index = true
+  logs_main_index_exclusion_filters = [
+    {
+      name       = "Exclude Datadog agent logs"
+      is_enabled = true
+      filter = {
+        query       = "source:runtime-security-agent"
+        sample_rate = 0
+      }
+    },
+    {
+      name       = "Exclude Datadog CloudTrail logs"
+      is_enabled = true
+      filter = {
+        query       = "service:cloudtrail @userIdentity.assumed_role:DatadogIntegrationRole status:info"
+        sample_rate = 0
+      }
+    }
+  ]
+}

examples/log_exclusions/.terraform.lock.hcl

@@ -0,0 +1,9 @@
+variable "datadog_api_key" {
+  description = "Datadog API key"
+  type        = string
+}
+
+variable "datadog_app_key" {
+  description = "Datadog APP key"
+  type        = string
+}

examples/log_exclusions/main.tf

@@ -19,6 +19,11 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.1.0"
     }
+
+    time = {
+      source  = "hashicorp/time"
+      version = ">= 0.12"
+    }
   }
 }
 

examples/log_exclusions/variables.tf

@@ -8,6 +8,7 @@
         "bcm-data-exports:GetExport",
         "bcm-data-exports:ListExports",
         "budgets:ViewBudget",
+        "cassandra:Select",
         "cloudfront:GetDistributionConfig",
         "cloudfront:ListDistributions",
         "cloudtrail:DescribeTrails",
@@ -23,6 +24,7 @@
         "dynamodb:Describe*",
         "dynamodb:List*",
         "ec2:Describe*",
+        "ec2:GetSnapshotBlockPublicAccessState",
         "ec2:GetTransitGatewayPrefixListReferences",
         "ec2:SearchTransitGatewayRoutes",
         "ecs:Describe*",
@@ -41,13 +43,16 @@
         "events:CreateEventBus",
         "fsx:DescribeFileSystems",
         "fsx:ListTagsForResource",
+        "glacier:GetVaultNotifications",
+        "glue:ListRegistries",
         "health:DescribeAffectedEntities",
         "health:DescribeEventDetails",
         "health:DescribeEvents",
         "kinesis:Describe*",
         "kinesis:List*",
         "lambda:GetPolicy",
         "lambda:List*",
+        "lightsail:GetInstancePortStates",
         "logs:DeleteSubscriptionFilter",
         "logs:DescribeLogGroups",
         "logs:DescribeLogStreams",
@@ -70,6 +75,8 @@
         "s3:GetBucketTagging",
         "s3:ListAllMyBuckets",
         "s3:PutBucketNotification",
+        "savingsplans:DescribeSavingsPlanRates",
+        "savingsplans:DescribeSavingsPlans",
         "ses:Get*",
         "sns:GetSubscriptionAttributes",
         "sns:List*",
@@ -82,7 +89,15 @@
         "tag:GetResources",
         "tag:GetTagKeys",
         "tag:GetTagValues",
+        "timestream:DescribeEndpoints",
+        "waf-regional:ListRuleGroups",
+        "waf-regional:ListRules",
+        "waf:ListRuleGroups",
+        "waf:ListRules",
+        "wafv2:GetIPSet",
         "wafv2:GetLoggingConfiguration",
+        "wafv2:GetRegexPatternSet",
+        "wafv2:GetRuleGroup",
         "wafv2:ListLoggingConfigurations",
         "xray:BatchGetTraces",
         "xray:GetTraceSummaries"

examples/with_style/main.tf

@@ -22,12 +22,18 @@ resource "datadog_integration_aws_lambda_arn" "datadog_forwarder" {
   depends_on = [aws_cloudformation_stack.datadog_forwarder]
 }
 
+resource "time_sleep" "wait_datadog_forwarder" {
+  create_duration = "30s"
+
+  depends_on = [datadog_integration_aws_lambda_arn.datadog_forwarder]
+}
+
 resource "datadog_integration_aws_log_collection" "datadog_forwarder" {
   count      = var.install_log_forwarder ? 1 : 0
   account_id = local.account_id
   services   = var.log_forwarder_sources
 
-  depends_on = [aws_cloudformation_stack.datadog_forwarder]
+  depends_on = [time_sleep.wait_datadog_forwarder]
 }
 
 resource "aws_lambda_permission" "bucket_trigger" {