Merge changes from Pr-21 along with some pipeline configutation.

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "submodules/cfn-abi-aws-securityhub"]
+	path = submodules/cfn-abi-aws-securityhub
+	url = https://github.com/aws-ia/cfn-abi-aws-securityhub.git
+[submodule "submodules/cfn-abi-aws-cloudtrail"]
+	path = submodules/cfn-abi-aws-cloudtrail
+	url = https://github.com/aws-ia/cfn-abi-aws-cloudtrail.git

.project_automation/functional_tests/entrypoint.sh

@@ -1,6 +1,5 @@
 #!/bin/bash -ex
 
-
 ## NOTE: paths may differ when running in a managed task. To ensure behavior is consistent between
 # managed and local tasks always use these variables for the project and project type path
 PROJECT_PATH=${BASE_PATH}/project
@@ -9,6 +8,16 @@ PROJECT_TYPE_PATH=${BASE_PATH}/projecttype
 cd ${PROJECT_PATH}
 
 regions=(us-east-1 us-east-2 us-west-2 us-west-1)
+
+for region in ${regions[@]}
+do
+    echo "Cleanup running in region: $region"
+    export AWS_DEFAULT_REGION=$region
+    python3 scripts/cleanup_config.py -C scripts/cleanup_config.json
+done
+
+taskcat test run -t security-hub 
+
 for region in ${regions[@]}
 do
     echo "Cleanup running in region: $region"
@@ -18,10 +27,18 @@ done
 
 echo $AWS_DEFAULT_REGION
 unset AWS_DEFAULT_REGION
-
 echo $AWS_DEFAULT_REGION
-# Run taskcat e2e test
-taskcat test run
+
+taskcat test run -t ws-ssm-deployment
+
+for region in ${regions[@]}
+do
+    echo "Cleanup running in region: $region"
+    export AWS_DEFAULT_REGION=$region
+    python3 scripts/cleanup_config.py -C scripts/cleanup_config.json
+done
+
+taskcat test run -t security-hub-no-abi
 
 ## Executing ash tool
 
@@ -34,4 +51,3 @@ taskcat test run
 
 #ash --source-dir .
 #cat aggregated_results.txt
-

.taskcat.yml

@@ -7,24 +7,84 @@ project:
   - us-east-1
 
 tests:
-  t1:
+  all-false: # No integration, only common resources.
     parameters:
+      DeployCloudTrailIntegration: "False"
+      DeploySSMIntegration: "False"
       CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
       VisionOneAuthenticationToken: $[taskcat_ssm_/trend/visionone_authentication_token]
       QSS3BucketName: $[taskcat_autobucket]
       QSS3KeyPrefix: $[taskcat_project_name]
       ExistingOrganizationalCloudtrailBucketName: $[taskcat_ssm_/trend/existing_organizational_cloudtrail_bucket_name]
     regions:
     - us-east-1
-    template: templates/trend-cloudone-onboard/main.template.yaml
+    template: templates/main.template.yaml
+  cloudtrail:
+    parameters:
+      DeployCloudTrailIntegration: "True"
+      DeploySSMIntegration: "False"
+      DeploySecurityHubIntegration: "False"
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
+      VisionOneAuthenticationToken: $[taskcat_ssm_/trend/visionone_authentication_token]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+      ExistingOrganizationalCloudtrailBucketName: $[taskcat_ssm_/trend/existing_organizational_cloudtrail_bucket_name]
+    regions:
+    - us-east-1
+    template: templates/main.template.yaml
   ws-ssm-deployment:
     parameters:
-      DeploymentTargets: 'ou-br9h-5q1xhx7c,ou-br9h-pna1itsq'
-      dsActivationUrl: $[taskcat_ssm_/trend/activation_url]
-      dsManagerUrl: $[taskcat_ssm_/trend/manager_url]
-      dsTenantId: $[taskcat_ssm_/trend/tenant_id]
-      dsToken: $[taskcat_ssm_/trend/ds_token]
+      DeployCloudTrailIntegration: "False"
+      DeploySSMIntegration: "True"
+      DeploySecurityHubIntegration: "False"
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
+      AccountAdminStatus: SELF
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+    regions:
+    - us-east-1
+    template: templates/main.template.yaml
+  security-hub:
+    parameters:
+      DeployCloudTrailIntegration: "False"
+      DeploySSMIntegration: "False"
+      DeploySecurityHubIntegration: "True"
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+      EnableSecurityHub: "false"
+    regions:
+    - us-east-1
+    template: templates/main.template.yaml
+  security-hub-no-abi:
+    parameters:
+      DeployCloudTrailIntegration: "False"
+      DeploySSMIntegration: "False"
+      DeploySecurityHubIntegration: "True"
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+      EnableSecurityHub: "false"
+    regions:
+    - us-east-1
+    template: templates/main.template.yaml
+  all-integrations:
+    parameters:
+      DeployCloudTrailIntegration: "True"
+      DeploySSMIntegration: "True"
+      DeploySecurityHubIntegration: "True"
+      CloudOneApiKey: $[taskcat_ssm_/trend/cloudone_svc_apikey]
+      OrganizationId: $[taskcat_ssm_/trend/organization_id]
+      VisionOneAuthenticationToken: $[taskcat_ssm_/trend/visionone_authentication_token]
+      QSS3BucketName: $[taskcat_autobucket]
+      QSS3KeyPrefix: $[taskcat_project_name]
+      ExistingOrganizationalCloudtrailBucketName: $[taskcat_ssm_/trend/existing_organizational_cloudtrail_bucket_name]
       AccountAdminStatus: DELEGATED_ADMIN
     regions:
     - us-east-1
-    template: templates/trend-cloudone-ws-ssm-association/c1ws-ssm-orgs.template.yaml
+    template: templates/main.template.yaml

lambda_functions/source/AddSecurityHub/app.py

@@ -0,0 +1,166 @@
+"""Custom Resource to enable Trend Cloud One in Security Hub.
+Version: 1.0
+
+Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+SPDX-License-Identifier: MIT-0
+"""
+import json
+import os
+import urllib3
+import cfnresponse
+import boto3
+
+# Initialize the SecurityHub SDK
+security_hub_client = boto3.client('securityhub')
+
+# Get the AWS account ID and region
+aws_account_id = boto3.client('sts').get_caller_identity().get('Account')
+aws_region = boto3.session.Session().region_name
+
+# ARN used to get the list of activated products
+get_tm_arn = "arn:aws:securityhub:"+aws_region+":"+aws_account_id+":product-subscription/trend-micro/cloud-one"
+
+# ARN used to add the product to the list of activated products
+add_tm_arn = os.environ['CloudOneProductArn']
+
+cloud_one_region = os.environ['CloudOneRegion']
+sm = boto3.client('secretsmanager')
+cloudOneApiKey = sm.get_secret_value(SecretId=os.environ['CloudOneApiKeySecret'])['SecretString']
+
+headers = {
+    'api-version': 'v1',
+    'Authorization': 'ApiKey '+cloudOneApiKey+'',
+    'Content-Type': 'application/json'
+}
+
+http = urllib3.PoolManager()
+
+url = "https://integrations."+cloud_one_region+".cloudone.trendmicro.com/api/integrations"
+
+def is_security_hub_enabled():
+    '''
+    Return True if Security Hub is enabled in the account, False otherwise.
+    '''
+    try:
+        response = security_hub_client.list_enabled_products_for_import()
+        if response['ResponseMetadata']['HTTPStatusCode'] == 200:
+            return True
+    except Exception as exception:
+        print(exception)
+        return False
+
+def list_enabled_products_for_import():
+    '''
+    Return the list of products enabled for import.
+    '''
+    enabled_list = []
+    paginator = security_hub_client.get_paginator('list_enabled_products_for_import')
+    for page in paginator.paginate():
+        enabled_list += page['ProductSubscriptions']
+    return enabled_list
+
+def initialize_integration():
+    '''
+    Initialize the integration between Trend Cloud One and Security Hub.
+    '''
+
+    if is_security_hub_enabled():
+        # Get the list of activated products
+        list_activated_product = list_enabled_products_for_import()
+
+        # Check if the product is already in the list of activated products, if not add it
+
+        if get_tm_arn in list_activated_product:
+            print(f"The arn {get_tm_arn} exists in the list, no action is required.")
+        else:
+            try:
+                print(f"The arn {get_tm_arn} does not exist in the list, adding it now.")
+                security_hub_client.enable_import_findings_for_product(ProductArn=add_tm_arn)
+            except Exception as exception:
+                raise exception
+
+        # Get the list of integrations
+        get_sechub_integration = http.request('GET', url, headers=headers)
+        get_sechub_integration = json.loads(get_sechub_integration.data.decode('utf-8'))
+        get_sechub_integration = get_sechub_integration["integrations"]
+
+        # Payload to add the Security Hub integration
+        payload = {
+            "name": f"Security Hub Integration - {aws_account_id}",
+            "description": f"This is an integration to send events from Trend Cloud One to Security Hub for the AWS Account Id {aws_account_id}",
+            "type": "SECURITY_HUB",
+            "configuration": {
+                "awsRegion": f"{aws_region}",
+                "awsAccountId": f"{aws_account_id}"
+            },
+            "filters": {
+                "serviceIds": [],
+                "severityIds": []
+            }
+        }
+
+        # Check if there is already an integration for the AWS Account ID, in case not add it
+        integration_id = None
+        for item in get_sechub_integration:
+            if item['configuration']['awsAccountId'] == aws_account_id:
+                print(f"There is already an integration for the AWS Account ID {aws_account_id}")
+                break
+        else:
+            print(f"No match found for ID {aws_account_id}, adding integration now.")
+            add_sechub_integration = http.request('POST', url, headers=headers, body=json.dumps(payload))
+            add_sechub_integration = json.loads(add_sechub_integration.data.decode('utf-8'))
+            integration_id = add_sechub_integration["id"]
+    else:
+        print("Security Hub is not enabled in this account, no action is required.")
+
+    print(f"The integration Id is: {integration_id}")
+    return integration_id
+
+def remove_integration(integration_id):
+    '''
+    Remove the integration between Trend Cloud One and Security Hub.
+    '''
+
+    if is_security_hub_enabled():
+        try:
+
+            # Deactivate the product
+            security_hub_client.disable_import_findings_for_product(ProductSubscriptionArn=get_tm_arn)
+
+            # Delete integration on Cloud One
+            delete_sechub_integration = http.request('DELETE', f"{url}/{integration_id}", headers=headers)
+            delete_sechub_integration = json.loads(delete_sechub_integration.data.decode('utf-8'))
+            print(delete_sechub_integration)
+        except Exception as exception:
+            print(exception)
+            raise exception
+    else:
+        print("Security Hub is not enabled in this account, no action is required.")
+
+def lambda_handler(event, context):
+    status = cfnresponse.SUCCESS
+    response_data = {}
+    physicalResourceId = None
+    try:
+
+        if event["RequestType"] == "Create":
+            integration_id = initialize_integration()
+            physicalResourceId = integration_id 
+            response_data = {"ID": integration_id}
+
+        elif event["RequestType"] == "Update":
+            integration_id = event["PhysicalResourceId"]
+            remove_integration(integration_id)
+            integration_id = initialize_integration()
+            physicalResourceId = integration_id
+            response_data = {"ID": physicalResourceId}
+
+        else: # if event["RequestType"] == "Delete":
+            integration_id = event["PhysicalResourceId"]
+            remove_integration(integration_id)
+
+    except Exception as exception:
+        print(exception)
+        status = cfnresponse.FAILED
+
+    cfnresponse.send(event, context, status, response_data, physicalResourceId)

lambda_functions/source/AddSecurityHub/cfnresponse.py

@@ -0,0 +1,47 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: MIT-0
+
+from __future__ import print_function
+import urllib3
+import json
+
+SUCCESS = "SUCCESS"
+FAILED = "FAILED"
+
+http = urllib3.PoolManager()
+
+
+def send(event, context, responseStatus, responseData, physicalResourceId=None, noEcho=False, reason=None):
+    responseUrl = event['ResponseURL']
+
+    print(responseUrl)
+
+    responseBody = {
+        'Status' : responseStatus,
+        'Reason' : reason or "See the details in CloudWatch Log Stream: {}".format(context.log_stream_name),
+        'PhysicalResourceId' : physicalResourceId or context.log_stream_name,
+        'StackId' : event['StackId'],
+        'RequestId' : event['RequestId'],
+        'LogicalResourceId' : event['LogicalResourceId'],
+        'NoEcho' : noEcho,
+        'Data' : responseData
+    }
+
+    json_responseBody = json.dumps(responseBody)
+
+    print("Response body:")
+    print(json_responseBody)
+
+    headers = {
+        'content-type' : '',
+        'content-length' : str(len(json_responseBody))
+    }
+
+    try:
+        response = http.request('PUT', responseUrl, headers=headers, body=json_responseBody)
+        print("Status code:", response.status)
+
+
+    except Exception as e:
+
+        print("send(..) failed executing http.request(..):", e)

lambda_functions/source/AddSecurityHub/requirements.txt

@@ -0,0 +1 @@
+# install the latest version