Modules and utilities certified by Gruntwork and CIS to comply with the CIS AWS Foundations Benchmark
This folder contains a program called generate-securityhub which is used to manage the aws-securityhub module in this repo. The code generator is used to make it easier to manage Terraform blocks that need to apply to more than one region.
generate-securityhub is a single, self-contained, statically compiled binary written in Go. The easiest way to get it onto your servers is to use the Gruntwork Installer (make sure to replace <VERSION> below with the latest version from the releases page):
gruntwork-install --binary-name generate-securityhub --repo https://github.com/gruntwork-io/cis-compliance-aws --tag <VERSION>
Alternatively, you can download the binary from the Releases Page.
This command should be run in the modules folder of this repo. It will output the autogenerated contents of the aws-securityhub module, which can be used to enable AWS Security Hub on all enabled regions of an account. Note that you can also use this command to generate the module in a different folder, such as your own infrastructure-modules repository. For example, suppose you had an infrastructure-modules repository that mimics the Gruntwork Reference Architecture and has the following structure:
infrastructure-modules
├── README.md
├── data-stores
│   └── rds
│       ├── README.md
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
└── security
    ├── iam-groups
    │   ├── README.md
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    └── cloudtrail
        ├── README.md
        ├── main.tf
        ├── outputs.tf
        └── variables.tf
Suppose that you now want to add a module aws-securityhub, as generated by this script, in the security folder. To do so, first install the binary so that it is available in your PATH as described in the Installation section of this README. Next, run the generator in the infrastructure-modules directory, passing in the target directory and main region. Note that you will need to be authenticated to your AWS account. Refer to the Comprehensive Guide to Authenticating to AWS on the Command Line for recommended ways to authenticate on the command line.
generate-securityhub --target-directory ./security/aws-securityhub
At the end of this command, you should see the aws-securityhub module generated in your infrastructure-modules repository:
infrastructure-modules
├── README.md
├── data-stores
│   └── rds
│       ├── README.md
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
└── security
    ├── aws-securityhub
    │   ├── invite-external-accounts
    │   ├── README.adoc
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    ├── iam-groups
    │   ├── README.md
    │   ├── main.tf
    │   ├── outputs.tf
    │   └── variables.tf
    └── cloudtrail
        ├── README.md
        ├── main.tf
        ├── outputs.tf
        └── variables.tf
You can now invoke the module using Terragrunt, or any other production Terraform frontend that you are currently using.
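The generator's own templates are not shown on this page, so the following is an added example (not Gruntwork's code) of the pattern described above: rendering one aliased Terraform provider and one Security Hub block per enabled region from a single template, main region first. The template text, the region list and the function names are assumptions; the real tool discovers the enabled regions through the AWS API, which is why it needs credentials.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
	"text/template"
)

// Hypothetical stand-in for the generator's real templates: one aliased
// provider plus one aws_securityhub_account resource per enabled region.
const tfTemplate = `{{range .Regions}}provider "aws" {
  alias  = "{{.Alias}}"
  region = "{{.Name}}"
}
resource "aws_securityhub_account" "{{.Alias}}" {
  provider = aws.{{.Alias}}
}
{{end}}`

type region struct{ Name, Alias string }

func aliasFor(name string) string { return strings.ReplaceAll(name, "-", "_") } // valid TF identifier

// renderSecurityHub emits Security Hub blocks for every enabled region, main region
// first and the rest sorted so regenerated files diff cleanly; an unenabled main region is an error.
func renderSecurityHub(enabled []string, mainRegion string) (string, error) {
	enabled = append([]string(nil), enabled...) // sort a copy, not the caller's slice
	sort.Strings(enabled)
	regions := []region{{mainRegion, aliasFor(mainRegion)}}
	found := false
	for i, r := range enabled {
		if r == mainRegion {
			found = true
		} else if i == 0 || r != enabled[i-1] { // skip duplicate entries
			regions = append(regions, region{r, aliasFor(r)})
		}
	}
	if !found {
		return "", fmt.Errorf("main region %q is not among the enabled regions", mainRegion)
	}
	var buf bytes.Buffer
	err := template.Must(template.New("sh").Parse(tfTemplate)).Execute(&buf, struct{ Regions []region }{regions})
	return buf.String(), err
}

func main() { // constructed sample input; a real run would list the account's enabled regions
	out, err := renderSecurityHub([]string{"eu-west-1", "us-east-1", "us-west-2"}, "us-east-1")
	fmt.Println(out, err)
}
```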
We use packr to compile the templates into the binary so that it is portable. To do so, we need to run packr2 prior to building the binaries.
Here are the steps for compiling from source:
go get -u github.com/gobuffalo/packr/v2/packr2
$GOPATH/bin/packr2
This will convert the template files into Go files so that they are available in the Go binary.
go env -w GOPRIVATE=github.com/gruntwork-io
go build -o $BIN_PATH .
Since Terraform currently does not support managing Security Hub multi-account memberships, we use Python with the boto3 library to work around it. The script that handles the logic for managing multi-account memberships is shipped with the aws-securityhub module. The source code for the script lives in
To support portability of the Python libraries, we package all the dependencies of the scripts into a pex file. This pex file must be distributed with the module in order to be correctly called by Terraform without the user having to install extra Python dependencies into their
As such, the operator machine consuming the module must have a valid Python interpreter available in the PATH as python. The pex binary supports Python versions 2.7, 3.5, 3.6, and 3.7, on Mac OSX or Linux.
The pex binary is a Python executable that includes the necessary third-party requirements. This special version of Python embeds cross-platform versions of the requirements that are unpacked at runtime into a virtualenv. This executable is then used to call out to the entrypoint script, which will import the library function.
As such, the binary only needs to be built when the requirements change. You do not need to rebuild the binary for any changes to the source files in the
This approach is taken so that consumers of the module do not need to install additional third-party libraries on top of Python to utilize the script. To make this work, the pex binaries need to be checked into the repository so that they are distributed with the module.
The binary is generated using the pex utility. Pex will package the Python script with all its requirements into a single binary that can be made to be compatible with multiple versions of Python and multiple OS platforms.
To build the binary, you will need the following:
pip install -r dev_requirements.txt)
You can then build the binary using the helper script build_scripts/build.sh, which will build the binary and create a tarball containing the binaries. This tarball should be checked in so that the generate-securityhub utility can distribute it with the generated Terraform module.
It is recommended to use pyenv to help set up an environment with multiple Python interpreters. The latest binaries are built with the following Python environment:
pyenv shell 2.7.15 3.5.2 3.6.6 3.7.0