I need to set up an automated process to report Security Hub findings regularly to the relevant member account based on AWS account ownership. In my investigation, I found the repository below, which does what I was looking for: https://github.com/aws-samples/automated-security-hub-account-findings-reports
I added the relevant code to the repository and merged it into main, but the pipeline failed in the apply stage because it needs a default value for a parameter in the CloudFormation template. My questions are:
1- Is it enough to only use the resource "aws_cloudformation_stack" and use the CF template as the source in it? Or do I need to create more resources when I want to deploy a CF template using Terraform?
2- I received the error below once I tried to deploy the CF template: Error: creating CloudFormation Stack (automated-security-hub-account-findings-reports): ValidationError: Parameters: [KMSKeyAdmin] must have values
My question is: why do I get that error when I'm using a CloudFormation template which includes everything that is needed? What should I do to resolve this issue?
Thanks
To answer the question about CloudFormation: based on these lines from the CloudFormation template, you must provide a value for the input parameter:
It has no default value, hence you have to provide it. This input parameter is defined so that KMS knows which role to add to the KMS key policy, as that role will be the key administrator. However, since you are using Terraform for that, you could do one of two things:
Parameters section
If you decide to use the first option, then you would do something like:
The second option would then be:
Since you have not provided the Terraform code you have, I cannot test it and let you know if this works, but it should.
Last, but not least, I would probably suggest using the templatefile built-in function. The input file would be the CloudFormation template, and then you can pass the values to the template and they will get replaced. So you could do something like:
And in the templated file, you would have the following lines:
This will show up like this in the output then:
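As an added example (not code from the original answer or from the aws-samples repository), here is what a single aws_cloudformation_stack resource looks like when the KMSKeyAdmin value is passed in from Terraform, next to the templatefile variant the answer suggests. Everything named here is an assumption: the template file name, the variable kms_key_admin_role_arn, the render_with_templatefile toggle, and the capabilities line (needed only if the template creates IAM resources). The actual value expected by KMSKeyAdmin must be taken from the repository's template; the role-ARN check below assumes it is an ARN.

```hcl
# Added example, not part of the original answer or the aws-samples repository.
# Assumptions (labelled): the template sits next to this file, KMSKeyAdmin takes
# an IAM role ARN, and the template declares IAM resources.

variable "kms_key_admin_role_arn" {
  description = "ARN of the IAM role that becomes administrator of the KMS key (assumed input)"
  type        = string

  # Fail at plan time rather than at stack creation if the value is not a role ARN.
  validation {
    condition     = can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.kms_key_admin_role_arn))
    error_message = "kms_key_admin_role_arn must be an IAM role ARN, e.g. arn:aws:iam::123456789012:role/KMSAdmin."
  }
}

# Pick one of the two deployment styles; both create the same stack name.
variable "render_with_templatefile" {
  type    = bool
  default = false
}

# Option 1: leave the template untouched and supply the parameter through the
# `parameters` map. "Parameters: [KMSKeyAdmin] must have values" means a
# parameter without a Default was missing from this map. file() does no
# interpolation, so CloudFormation's own ${...} in !Sub needs no escaping here.
resource "aws_cloudformation_stack" "findings_reports" {
  count = var.render_with_templatefile ? 0 : 1

  name          = "automated-security-hub-account-findings-reports"
  template_body = file("${path.module}/automated-security-hub-account-findings-reports.yaml")

  parameters = {
    KMSKeyAdmin = var.kms_key_admin_role_arn
  }

  # Assumed: the template creates IAM roles/policies, which CloudFormation
  # refuses to do unless the caller acknowledges it.
  capabilities = ["CAPABILITY_NAMED_IAM"]
}

# Option 2: render the template with templatefile(). The .tftpl copy of the
# template would carry, for example:
#
#   Parameters:
#     KMSKeyAdmin:
#       Type: String
#       Default: ${kms_key_admin}
#
# Caveat: templatefile() interpolates every ${...}, so any CloudFormation
# substitution such as !Sub "${AWS::Region}" in the .tftpl file must be
# written as $${AWS::Region} or Terraform will error on an unknown variable.
resource "aws_cloudformation_stack" "findings_reports_rendered" {
  count = var.render_with_templatefile ? 1 : 0

  name = "automated-security-hub-account-findings-reports"
  template_body = templatefile(
    "${path.module}/automated-security-hub-account-findings-reports.yaml.tftpl",
    { kms_key_admin = var.kms_key_admin_role_arn }
  )

  capabilities = ["CAPABILITY_NAMED_IAM"]
}

output "stack_id" {
  value = var.render_with_templatefile ? one(aws_cloudformation_stack.findings_reports_rendered).id : one(aws_cloudformation_stack.findings_reports).id
}
```

Option 1 is the lower-risk choice for a security tool: the template the pipeline deploys is byte-for-byte the reviewed one, and the key administrator is an explicit input that shows up in `terraform plan`. Option 2 is worth it only if several values must be substituted in places CloudFormation parameters cannot reach; in that case keep the $${...} escaping in mind whenever the template uses !Sub.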