From 8e1125cbf9687feeccfc0480ee818cfed8e82aa1 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Wed, 6 Aug 2025 10:06:24 +0100
Subject: [PATCH 1/3] AC - added securityhub module

---
 .../modules/security-hub/security-hub.tf | 74 +++++++++++++++++++
 .../modules/security-hub/variables.tf | 36 +++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 infrastructure/modules/security-hub/security-hub.tf
 create mode 100644 infrastructure/modules/security-hub/variables.tf

diff --git a/infrastructure/modules/security-hub/security-hub.tf b/infrastructure/modules/security-hub/security-hub.tf
new file mode 100644
index 0000000..9064cac
--- /dev/null
+++ b/infrastructure/modules/security-hub/security-hub.tf
@@ -0,0 +1,74 @@
+
+# Enable Security Hub
+resource "aws_securityhub_account" "main" {
+ enable_default_standards = true
+}
+
+# Optional: Enable specific Security Hub standards
+resource "aws_securityhub_standards_subscription" "aws_foundational" {
+ standards_arn = "arn:aws:securityhub:eu-west-2::standard/aws-foundational-security"
+ depends_on = [aws_securityhub_account.main]
+}
+
+resource "aws_securityhub_standards_subscription" "cis" {
+ standards_arn = "arn:aws:securityhub:eu-west-2::standard/cis-aws-foundations-benchmark/v/1.2.0"
+ depends_on = [aws_securityhub_account.main]
+}
+
+resource "aws_securityhub_standards_subscription" "pci_dss" {
+ standards_arn = "arn:aws:securityhub:eu-west-2::standard/pci-dss/v/3.2.1"
+ depends_on = [aws_securityhub_account.main]
+}
+
+# Optional: Enable Config (required for some Security Hub checks)
+resource "aws_config_configuration_recorder_status" "main" {
+ name = "${var.name_prefix}-${var.name}"
+ is_enabled = true
+ depends_on = [aws_config_delivery_channel.main]
+}
+
+resource "aws_config_delivery_channel" "main" {
+ name = "${var.name_prefix}-${var.name}"
+ s3_bucket_name = var.s3_bucket_name
+}
+
+resource "aws_config_configuration_recorder" "main" {
+ name = "${var.name_prefix}-${var.name}"
+ role_arn = aws_iam_role.config.arn
+
+ recording_group {
+ all_supported = true
+ include_global_resource_types = true
+ }
+}
+
+
+# IAM role for AWS Config
+resource "aws_iam_role" "config" {
+ name = "${var.name_prefix}-${var.name}"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ Service = "config.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "config" {
+ role = aws_iam_role.config.name
+ policy_arn = "arn:aws:iam::aws:policy/service-role/ConfigRole"
+}
+
+# Outputs
+output "security_hub_arn" {
+ description = "The ARN of the Security Hub account"
+ value = aws_securityhub_account.main.arn
+}
+
diff --git a/infrastructure/modules/security-hub/variables.tf b/infrastructure/modules/security-hub/variables.tf
new file mode 100644
index 0000000..fbf29ae
--- /dev/null
+++ b/infrastructure/modules/security-hub/variables.tf
@@ -0,0 +1,36 @@
+variable "name_prefix" {
+ description = "the prefix for the name which containts the environment and business unit"
+ type = string
+}
+
+variable "name" {
+ description = "The name of the resource"
+ type = string
+ default = "-elasticache"
+}
+
+variable "environment" {
+ description = "The name of the Environment this is deployed into, for example CICD, NFT, UAT or PROD"
+ type = string
+}
+
+variable "aws_account_id" {
+ description = "The AWS account ID"
+ type = string
+ sensitive = true
+}
+
+variable "vpc_id" {
+ description = "The ID for the VPC"
+ type = string
+}
+
+variable "subnet_ids" {
+ description = "The subnets that will be used for elasticache, usually private"
+ type = list(string)
+}
+
+variable "s3_bucket_name" {
+ description = "The s3 bucket that security-hub will use"
+ type = string
+}

From 9c399c6143ec65f1f7ee254f8267b454dee7927c Mon Sep 17 00:00:00 2001
From: Andrew
Date: Wed, 6 Aug 2025 10:28:38 +0100
Subject: [PATCH 2/3] AC - updated bucket reference

---
 .../modules/security-hub/security-hub.tf | 2 +-
 .../modules/security-hub/variables.tf | 25 ++-----------------
 2 files changed, 3 insertions(+), 24 deletions(-)

diff --git a/infrastructure/modules/security-hub/security-hub.tf b/infrastructure/modules/security-hub/security-hub.tf
index 9064cac..98239d4 100644
--- a/infrastructure/modules/security-hub/security-hub.tf
+++ b/infrastructure/modules/security-hub/security-hub.tf
@@ -29,7 +29,7 @@ resource "aws_config_configuration_recorder_status" "main" {
 
 resource "aws_config_delivery_channel" "main" {
 name = "${var.name_prefix}-${var.name}"
- s3_bucket_name = var.s3_bucket_name
+ s3_bucket_name = var.s3_bucket.bucket
 }
 
 resource "aws_config_configuration_recorder" "main" {
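Review bot: `aws_config_delivery_channel.main` has no ordering dependency on `aws_config_configuration_recorder.main`, and AWS refuses to create a delivery channel until a configuration recorder exists, so a fresh apply of this module can fail at that resource; add `depends_on = [aws_config_configuration_recorder.main]` to the delivery channel (the recorder-status resource already chains off the channel, so the full order becomes recorder → channel → status). The three `standards_arn` values hard-code `eu-west-2`, which ties the module to one region; interpolating `data.aws_region.current.name` keeps it portable, and the CIS 1.2.0 and PCI DSS 3.2.1 revisions pinned here have newer revisions available, worth confirming against what the organisation actually requires. With `enable_default_standards = true` Security Hub auto-enables the AWS Foundational and CIS standards, so the explicit subscriptions for the same standards can collide on apply; when standards are managed explicitly, set it to `false`. The Config role's trust policy grants `config.amazonaws.com` without a `Condition`, which AWS documents as the confused-deputy guard for this service; restricting it with `aws:SourceAccount` to the deploying account closes that. Finally, `service-role/ConfigRole` is the older managed policy name; `service-role/AWS_ConfigRole` is the one AWS currently documents for the recorder role, so verify which one the account is expected to use.
```hcl
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}

resource "aws_securityhub_account" "main" {
  # standards are subscribed explicitly below; do not also auto-enable the defaults
  enable_default_standards = false
}

resource "aws_securityhub_standards_subscription" "aws_foundational" {
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standard/aws-foundational-security"
  depends_on    = [aws_securityhub_account.main]
}

# … unchanged: cis and pci_dss subscriptions (same region interpolation), recorder status …

resource "aws_config_delivery_channel" "main" {
  name           = "${var.name_prefix}-${var.name}"
  s3_bucket_name = var.s3_bucket_name
  # AWS rejects a delivery channel when no configuration recorder exists yet
  depends_on = [aws_config_configuration_recorder.main]
}

# … unchanged: configuration recorder …

resource "aws_iam_role" "config" {
  name = "${var.name_prefix}-${var.name}"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action    = "sts:AssumeRole"
        Effect    = "Allow"
        Principal = { Service = "config.amazonaws.com" }
        # confused-deputy guard: only this account's Config service may assume the role
        Condition = {
          StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id }
        }
      }
    ]
  })
}

# … unchanged: policy attachment, outputs …
```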
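Review bot: The description of `s3_bucket_name` says the bucket is one "that security-hub will use", but in security-hub.tf the only consumer is `aws_config_delivery_channel.main`, so it is the AWS Config delivery target and Security Hub never writes to it; a reader provisioning the bucket policy needs to know which service principal to allow. I would change it to `description = "Name of the S3 bucket that the AWS Config delivery channel writes configuration snapshots to"`. The same description is carried unchanged onto the renamed `s3_bucket` variable in the second commit's variables.tf hunk, so it needs the same fix there. `name_prefix`'s description also has a typo, `containts`, and starts in lower case unlike the others.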
diff --git a/infrastructure/modules/security-hub/variables.tf b/infrastructure/modules/security-hub/variables.tf
index fbf29ae..26fe8a5 100644
--- a/infrastructure/modules/security-hub/variables.tf
+++ b/infrastructure/modules/security-hub/variables.tf
@@ -6,31 +6,10 @@ variable "name_prefix" {
 variable "name" {
 description = "The name of the resource"
 type = string
- default = "-elasticache"
+ default = "security-hub"
 }
 
-variable "environment" {
- description = "The name of the Environment this is deployed into, for example CICD, NFT, UAT or PROD"
- type = string
-}
-
-variable "aws_account_id" {
- description = "The AWS account ID"
- type = string
- sensitive = true
-}
-
-variable "vpc_id" {
- description = "The ID for the VPC"
- type = string
-}
-
-variable "subnet_ids" {
- description = "The subnets that will be used for elasticache, usually private"
- type = list(string)
-}
-
-variable "s3_bucket_name" {
+variable "s3_bucket" {
 description = "The s3 bucket that security-hub will use"
 type = string
 }

From 436c06bf28d6752a064da3283bdf258388f2719a Mon Sep 17 00:00:00 2001
From: Andrew
Date: Wed, 6 Aug 2025 10:30:35 +0100
Subject: [PATCH 3/3] AC - updated bucket reference

---
 infrastructure/modules/security-hub/security-hub.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/infrastructure/modules/security-hub/security-hub.tf b/infrastructure/modules/security-hub/security-hub.tf
index 98239d4..b310eb1 100644
--- a/infrastructure/modules/security-hub/security-hub.tf
+++ b/infrastructure/modules/security-hub/security-hub.tf
@@ -29,7 +29,7 @@ resource "aws_config_configuration_recorder_status" "main" {
 
 resource "aws_config_delivery_channel" "main" {
 name = "${var.name_prefix}-${var.name}"
- s3_bucket_name = var.s3_bucket.bucket
+ s3_bucket_name = var.s3_bucket
 }
 
 resource "aws_config_configuration_recorder" "main" {
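Review bot: `s3_bucket_name = var.s3_bucket` is now consistent with the variable's `type = string`, but the name `s3_bucket` reads as a bucket object rather than a bucket name, which is exactly the confusion the previous commit's `var.s3_bucket.bucket` shows; the bucket name is a value callers are expected to type correctly. I would either restore the name `s3_bucket_name` or keep `s3_bucket` and add a `validation` block on the variable (`condition = can(regex("^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$", var.s3_bucket))`) so a malformed name fails at plan time rather than when Config first tries to deliver. The enclosing delivery-channel resource is fully inside the hunk; the surrounding file is not.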