schubergphilis
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎files/lambda-artifacts/findings-manager-jira/findings_manager_jira.py‎
Lines changed: 18 additions & 7 deletions b/‎files/lambda-artifacts/findings-manager-jira/findings_manager_jira.py‎
Lines changed: 18 additions & 7 deletions
diff --git a/‎files/pkg/lambda_findings-manager-jira_python3.11.zip‎
136 Bytes b/‎files/pkg/lambda_findings-manager-jira_python3.11.zip‎
136 Bytes
diff --git a/‎files/pkg/lambda_findings-manager-jira_python3.12.zip‎
136 Bytes b/‎files/pkg/lambda_findings-manager-jira_python3.12.zip‎
136 Bytes
diff --git a/‎files/pkg/lambda_securityhub-findings-manager_python3.11.zip‎
1.38 KB b/‎files/pkg/lambda_securityhub-findings-manager_python3.11.zip‎
1.38 KB
diff --git a/‎files/pkg/lambda_securityhub-findings-manager_python3.12.zip‎
1.58 KB b/‎files/pkg/lambda_securityhub-findings-manager_python3.12.zip‎
1.58 KB
diff --git a/‎jira_lambda.tf‎
Lines changed: 1 addition & 0 deletions b/‎jira_lambda.tf‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎variables.tf‎
Lines changed: 6 additions & 0 deletions b/‎variables.tf‎
Lines changed: 6 additions & 0 deletions
@@ -144,7 +144,7 @@ A lambda layer provides aws-lambda-powertools. To have these dependencies locall
 | <a name="input_findings_manager_trigger_lambda"></a> [findings\_manager\_trigger\_lambda](#input\_findings\_manager\_trigger\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to S3 file upload triggers | <pre>object({<br/>    name        = optional(string, "securityhub-findings-manager-trigger")<br/>    log_level   = optional(string, "ERROR")<br/>    memory_size = optional(number, 256)<br/>    timeout     = optional(number, 300)<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_findings_manager_worker_lambda"></a> [findings\_manager\_worker\_lambda](#input\_findings\_manager\_worker\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to SQS trigger | <pre>object({<br/>    name        = optional(string, "securityhub-findings-manager-worker")<br/>    log_level   = optional(string, "ERROR")<br/>    memory_size = optional(number, 256)<br/>    timeout     = optional(number, 900)<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_jira_eventbridge_iam_role_name"></a> [jira\_eventbridge\_iam\_role\_name](#input\_jira\_eventbridge\_iam\_role\_name) | The name of the role which will be assumed by EventBridge rules for Jira integration | `string` | `"SecurityHubFindingsManagerJiraEventBridge"` | no |
-| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br/>    enabled                               = optional(bool, false)<br/>    autoclose_enabled                     = optional(bool, false)<br/>    autoclose_comment                     = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br/>    autoclose_transition_name             = optional(string, "Close Issue")<br/>    credentials_secretsmanager_arn        = optional(string)<br/>    credentials_ssm_secret_arn            = optional(string)<br/>    exclude_account_ids                   = optional(list(string), [])<br/>    finding_severity_normalized_threshold = optional(number, 70)<br/>    issue_custom_fields                   = optional(map(string), {})<br/>    issue_type                            = optional(string, "Security Advisory")<br/>    project_key                           = string<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/><br/>    lambda_settings = optional(object({<br/>      name        = optional(string, "securityhub-findings-manager-jira")<br/>      log_level   = optional(string, "INFO")<br/>      memory_size = optional(number, 256)<br/>      timeout     = optional(number, 60)<br/>      }), {<br/>      name                        = "securityhub-findings-manager-jira"<br/>      iam_role_name               = "SecurityHubFindingsManagerJiraLambda"<br/>      log_level                   = "INFO"<br/>      memory_size                 = 256<br/>      timeout                     = 60<br/>      security_group_egress_rules = []<br/>    })<br/><br/>    step_function_settings = optional(object({<br/>      log_level = optional(string, "ERROR")<br/>      retention = optional(number, 90)<br/>      }), {<br/>      log_level = "ERROR"<br/>      retention = 90<br/>    })<br/><br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "project_key": null<br/>}</pre> | no |
+| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br/>    enabled                               = optional(bool, false)<br/>    autoclose_enabled                     = optional(bool, false)<br/>    autoclose_comment                     = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br/>    autoclose_transition_name             = optional(string, "Close Issue")<br/>    credentials_secretsmanager_arn        = optional(string)<br/>    credentials_ssm_secret_arn            = optional(string)<br/>    exclude_account_ids                   = optional(list(string), [])<br/>    finding_severity_normalized_threshold = optional(number, 70)<br/>    include_account_ids                   = optional(list(string), [])<br/>    issue_custom_fields                   = optional(map(string), {})<br/>    issue_type                            = optional(string, "Security Advisory")<br/>    project_key                           = string<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/><br/>    lambda_settings = optional(object({<br/>      name        = optional(string, "securityhub-findings-manager-jira")<br/>      log_level   = optional(string, "INFO")<br/>      memory_size = optional(number, 256)<br/>      timeout     = optional(number, 60)<br/>      }), {<br/>      name                        = "securityhub-findings-manager-jira"<br/>      iam_role_name               = "SecurityHubFindingsManagerJiraLambda"<br/>      log_level                   = "INFO"<br/>      memory_size                 = 256<br/>      timeout                     = 60<br/>      security_group_egress_rules = []<br/>    })<br/><br/>    step_function_settings = optional(object({<br/>      log_level = optional(string, "ERROR")<br/>      retention = optional(number, 90)<br/>      }), {<br/>      log_level = "ERROR"<br/>      retention = 90<br/>    })<br/><br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "project_key": null<br/>}</pre> | no |
 | <a name="input_jira_step_function_iam_role_name"></a> [jira\_step\_function\_iam\_role\_name](#input\_jira\_step\_function\_iam\_role\_name) | The name of the role which will be assumed by AWS Step Function for Jira integration | `string` | `"SecurityHubFindingsManagerJiraStepFunction"` | no |
 | <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The version of Python to use for the Lambda functions | `string` | `"python3.12"` | no |
 | <a name="input_rules_filepath"></a> [rules\_filepath](#input\_rules\_filepath) | Pathname to the file that stores the manager rules | `string` | `""` | no |
 
@@ -12,7 +12,7 @@
 ssm = boto3.client('ssm')
 
 REQUIRED_ENV_VARS = [
-    'EXCLUDE_ACCOUNT_FILTER', 'JIRA_ISSUE_CUSTOM_FIELDS', 'JIRA_ISSUE_TYPE', 'JIRA_PROJECT_KEY', 'JIRA_SECRET_ARN', 'JIRA_SECRET_TYPE'
+    'EXCLUDE_ACCOUNT_FILTER', 'INCLUDE_ACCOUNT_FILTER', 'JIRA_ISSUE_CUSTOM_FIELDS', 'JIRA_ISSUE_TYPE', 'JIRA_PROJECT_KEY', 'JIRA_SECRET_ARN', 'JIRA_SECRET_TYPE'
 ]
 
 DEFAULT_JIRA_AUTOCLOSE_COMMENT = 'Security Hub finding has been resolved. Autoclosing the issue.'
@@ -40,7 +40,8 @@ def lambda_handler(event: dict, context: LambdaContext):
         raise RuntimeError("Required environment variables are missing.") from e
 
     # Retrieve environment variables
-    exclude_account_filter = os.environ['EXCLUDE_ACCOUNT_FILTER']
+    exclude_account_filter = json.loads(os.environ['EXCLUDE_ACCOUNT_FILTER'])
+    include_account_filter = json.loads(os.environ['INCLUDE_ACCOUNT_FILTER'])
     jira_autoclose_comment = os.getenv(
         'JIRA_AUTOCLOSE_COMMENT', DEFAULT_JIRA_AUTOCLOSE_COMMENT)
     jira_autoclose_transition = os.getenv(
@@ -85,11 +86,21 @@ def lambda_handler(event: dict, context: LambdaContext):
     compliance_status = finding['Compliance']['Status'] if 'Compliance' in finding else COMPLIANCE_STATUS_MISSING
     record_state = finding['RecordState']
 
-    # Only process finding if account is not excluded
-    if finding_account_id in exclude_account_filter:
-        logger.info(
-            f"Account {finding_account_id} is excluded from Jira ticket creation.")
-        return
+    # Apply account filtering logic
+    # Priority: include_account_filter > exclude_account_filter
+    if include_account_filter:
+        # If include list is provided, only process accounts in the list
+        if finding_account_id not in include_account_filter:
+            logger.info(
+                f"Account {finding_account_id} is not in the include list. Skipping Jira ticket creation.")
+            return
+    elif exclude_account_filter:
+        # If exclude list is provided (and no include list), skip accounts in the list
+        if finding_account_id in exclude_account_filter:
+            logger.info(
+                f"Account {finding_account_id} is excluded from Jira ticket creation.")
+            return
+    # If neither list is provided, process all accounts
 
     # Handle new findings
     # Ticket is created when Workflow Status is NEW and Compliance Status is FAILED, WARNING or is missing from the finding (case with e.g. Inspector findings)
 
@@ -106,6 +106,7 @@ module "jira_lambda" {
 
   environment = {
     EXCLUDE_ACCOUNT_FILTER      = jsonencode(var.jira_integration.exclude_account_ids)
+    INCLUDE_ACCOUNT_FILTER      = jsonencode(var.jira_integration.include_account_ids)
     JIRA_AUTOCLOSE_COMMENT      = var.jira_integration.autoclose_comment
     JIRA_AUTOCLOSE_TRANSITION   = var.jira_integration.autoclose_transition_name
     JIRA_ISSUE_CUSTOM_FIELDS    = jsonencode(var.jira_integration.issue_custom_fields)
 
@@ -95,6 +95,7 @@ variable "jira_integration" {
     credentials_ssm_secret_arn            = optional(string)
     exclude_account_ids                   = optional(list(string), [])
     finding_severity_normalized_threshold = optional(number, 70)
+    include_account_ids                   = optional(list(string), [])
     issue_custom_fields                   = optional(map(string), {})
     issue_type                            = optional(string, "Security Advisory")
     project_key                           = string
@@ -148,6 +149,11 @@ variable "jira_integration" {
     condition     = var.jira_integration.enabled == false || (var.jira_integration.credentials_secretsmanager_arn != null && var.jira_integration.credentials_ssm_secret_arn == null) || (var.jira_integration.credentials_secretsmanager_arn == null && var.jira_integration.credentials_ssm_secret_arn != null)
     error_message = "You must provide either 'credentials_secretsmanager_arn' or 'credentials_ssm_secret_arn' for jira credentials, but not both."
   }
+
+  validation {
+    condition     = !(length(var.jira_integration.exclude_account_ids) > 0 && length(var.jira_integration.include_account_ids) > 0)
+    error_message = "You cannot provide both 'exclude_account_ids' and 'include_account_ids'. Use only one filtering method."
+  }
 }
 
 variable "jira_step_function_iam_role_name" {