schubergphilis
diff --git a/‎README.md‎
Lines changed: 4 additions & 2 deletions b/‎README.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎files/lambda-artifacts/findings-manager-jira/findings_manager_jira.py‎
Lines changed: 2 additions & 1 deletion b/‎files/lambda-artifacts/findings-manager-jira/findings_manager_jira.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎files/lambda-artifacts/findings-manager-jira/helpers.py‎
Lines changed: 26 additions & 2 deletions b/‎files/lambda-artifacts/findings-manager-jira/helpers.py‎
Lines changed: 26 additions & 2 deletions
diff --git a/‎files/pkg/lambda_findings-manager-jira_python3.11.zip‎
-154 KB b/‎files/pkg/lambda_findings-manager-jira_python3.11.zip‎
-154 KB
diff --git a/‎files/pkg/lambda_findings-manager-jira_python3.12.zip‎
29.3 KB b/‎files/pkg/lambda_findings-manager-jira_python3.12.zip‎
29.3 KB
diff --git a/‎files/pkg/lambda_securityhub-findings-manager_python3.11.zip‎
-153 KB b/‎files/pkg/lambda_securityhub-findings-manager_python3.11.zip‎
-153 KB
diff --git a/‎files/pkg/lambda_securityhub-findings-manager_python3.12.zip‎
29.7 KB b/‎files/pkg/lambda_securityhub-findings-manager_python3.12.zip‎
29.7 KB
diff --git a/‎jira_lambda.tf‎
Lines changed: 13 additions & 12 deletions b/‎jira_lambda.tf‎
Lines changed: 13 additions & 12 deletions
diff --git a/‎variables.tf‎
Lines changed: 1 addition & 0 deletions b/‎variables.tf‎
Lines changed: 1 addition & 0 deletions
@@ -41,7 +41,9 @@ Deploys two Lambda functions:
 * Deploys an additional Jira lambda function and a Step function for orchestration, triggered by an EventBridge rule.
 * Non-suppressed findings with severity above a threshold result in ticket creation and workflow status update from `NEW` to `NOTIFIED`.
 * **ProductName Filtering**: You can optionally filter which AWS product findings create Jira tickets using `jira_integration.include_product_names` (default = `[]`, meaning all products). For example, set to `["Security Hub"]` to create tickets only for Security Hub findings, or `["Inspector"]` for Inspector findings only. Common values: `"Security Hub"`, `"Inspector"`, `"GuardDuty"`, `"Macie"`. The filtering is implemented at the Step Function level for optimal performance.
-* Auto-closing can be activated with `jira_integration.autoclose_enabled` (default = false). Using the issue number in the finding note, the function transitions issues using `jira_integration.autoclose_transition_name` and `jira_integration.autoclose_comment`. Criteria for being forwarded for automatic ticket closure are:
+* Auto-closing can be activated with `jira_integration.autoclose_enabled` (default = false). Using the issue number in the finding note, the function transitions issues using `jira_integration.autoclose_transition_name` and `jira_integration.autoclose_comment`. 
+* **Intermediate Transition**: Optionally specify `jira_integration.include_intermediate_transition` to transition the ticket through an intermediate status before closing it. This is useful for Jira workflows that require tickets to pass through specific statuses (e.g., "Review", "In Progress") before reaching the final closed state. If not specified, tickets are closed directly using `autoclose_transition_name`.
+* Criteria for being forwarded for automatic ticket closure are:
   * Workflow Status "RESOLVED"
   * Workflow Status "NOTIFIED" and one of:
     * Record State "ARCHIVED"
@@ -145,7 +147,7 @@ A lambda layer provides aws-lambda-powertools. To have these dependencies locall
 | <a name="input_findings_manager_trigger_lambda"></a> [findings\_manager\_trigger\_lambda](#input\_findings\_manager\_trigger\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to S3 file upload triggers | <pre>object({<br/>    name        = optional(string, "securityhub-findings-manager-trigger")<br/>    log_level   = optional(string, "ERROR")<br/>    memory_size = optional(number, 256)<br/>    timeout     = optional(number, 300)<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_findings_manager_worker_lambda"></a> [findings\_manager\_worker\_lambda](#input\_findings\_manager\_worker\_lambda) | Findings Manager Lambda settings - Manage Security Hub findings in response to SQS trigger | <pre>object({<br/>    name        = optional(string, "securityhub-findings-manager-worker")<br/>    log_level   = optional(string, "ERROR")<br/>    memory_size = optional(number, 256)<br/>    timeout     = optional(number, 900)<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_jira_eventbridge_iam_role_name"></a> [jira\_eventbridge\_iam\_role\_name](#input\_jira\_eventbridge\_iam\_role\_name) | The name of the role which will be assumed by EventBridge rules for Jira integration | `string` | `"SecurityHubFindingsManagerJiraEventBridge"` | no |
-| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br/>    enabled                               = optional(bool, false)<br/>    autoclose_enabled                     = optional(bool, false)<br/>    autoclose_comment                     = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br/>    autoclose_transition_name             = optional(string, "Close Issue")<br/>    credentials_secretsmanager_arn        = optional(string)<br/>    credentials_ssm_secret_arn            = optional(string)<br/>    exclude_account_ids                   = optional(list(string), [])<br/>    finding_severity_normalized_threshold = optional(number, 70)<br/>    include_account_ids                   = optional(list(string), [])<br/>    include_product_names                 = optional(list(string), [])<br/>    issue_custom_fields                   = optional(map(string), {})<br/>    issue_type                            = optional(string, "Security Advisory")<br/>    project_key                           = string<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/><br/>    lambda_settings = optional(object({<br/>      name        = optional(string, "securityhub-findings-manager-jira")<br/>      log_level   = optional(string, "INFO")<br/>      memory_size = optional(number, 256)<br/>      timeout     = optional(number, 60)<br/>      }), {<br/>      name                        = "securityhub-findings-manager-jira"<br/>      iam_role_name               = "SecurityHubFindingsManagerJiraLambda"<br/>      log_level                   = "INFO"<br/>      memory_size                 = 256<br/>      timeout                     = 60<br/>      security_group_egress_rules = []<br/>    })<br/><br/>    step_function_settings = optional(object({<br/>      log_level = optional(string, "ERROR")<br/>      retention = optional(number, 90)<br/>      }), {<br/>      log_level = "ERROR"<br/>      retention = 90<br/>    })<br/><br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "project_key": null<br/>}</pre> | no |
+| <a name="input_jira_integration"></a> [jira\_integration](#input\_jira\_integration) | Findings Manager - Jira integration settings | <pre>object({<br/>    enabled                               = optional(bool, false)<br/>    autoclose_enabled                     = optional(bool, false)<br/>    autoclose_comment                     = optional(string, "Security Hub finding has been resolved. Autoclosing the issue.")<br/>    autoclose_transition_name             = optional(string, "Close Issue")<br/>    credentials_secretsmanager_arn        = optional(string)<br/>    credentials_ssm_secret_arn            = optional(string)<br/>    exclude_account_ids                   = optional(list(string), [])<br/>    finding_severity_normalized_threshold = optional(number, 70)<br/>    include_account_ids                   = optional(list(string), [])<br/>    include_intermediate_transition       = optional(string)<br/>    include_product_names                 = optional(list(string), [])<br/>    issue_custom_fields                   = optional(map(string), {})<br/>    issue_type                            = optional(string, "Security Advisory")<br/>    project_key                           = string<br/><br/>    security_group_egress_rules = optional(list(object({<br/>      cidr_ipv4                    = optional(string)<br/>      cidr_ipv6                    = optional(string)<br/>      description                  = string<br/>      from_port                    = optional(number, 0)<br/>      ip_protocol                  = optional(string, "-1")<br/>      prefix_list_id               = optional(string)<br/>      referenced_security_group_id = optional(string)<br/>      to_port                      = optional(number, 0)<br/>    })), [])<br/><br/>    lambda_settings = optional(object({<br/>      name        = optional(string, "securityhub-findings-manager-jira")<br/>      log_level   = optional(string, "INFO")<br/>      memory_size = optional(number, 256)<br/>      timeout     = optional(number, 60)<br/>      }), {<br/>      name                        = "securityhub-findings-manager-jira"<br/>      iam_role_name               = "SecurityHubFindingsManagerJiraLambda"<br/>      log_level                   = "INFO"<br/>      memory_size                 = 256<br/>      timeout                     = 60<br/>      security_group_egress_rules = []<br/>    })<br/><br/>    step_function_settings = optional(object({<br/>      log_level = optional(string, "ERROR")<br/>      retention = optional(number, 90)<br/>      }), {<br/>      log_level = "ERROR"<br/>      retention = 90<br/>    })<br/><br/>  })</pre> | <pre>{<br/>  "enabled": false,<br/>  "project_key": null<br/>}</pre> | no |
 | <a name="input_jira_step_function_iam_role_name"></a> [jira\_step\_function\_iam\_role\_name](#input\_jira\_step\_function\_iam\_role\_name) | The name of the role which will be assumed by AWS Step Function for Jira integration | `string` | `"SecurityHubFindingsManagerJiraStepFunction"` | no |
 | <a name="input_lambda_runtime"></a> [lambda\_runtime](#input\_lambda\_runtime) | The version of Python to use for the Lambda functions | `string` | `"python3.12"` | no |
 | <a name="input_rules_filepath"></a> [rules\_filepath](#input\_rules\_filepath) | Pathname to the file that stores the manager rules | `string` | `""` | no |
 
@@ -46,6 +46,7 @@ def lambda_handler(event: dict, context: LambdaContext):
         'JIRA_AUTOCLOSE_COMMENT', DEFAULT_JIRA_AUTOCLOSE_COMMENT)
     jira_autoclose_transition = os.getenv(
         'JIRA_AUTOCLOSE_TRANSITION', DEFAULT_JIRA_AUTOCLOSE_TRANSITION)
+    jira_intermediate_transition = os.getenv('JIRA_INTERMEDIATE_TRANSITION', '')
     jira_issue_custom_fields = os.environ['JIRA_ISSUE_CUSTOM_FIELDS']
     jira_issue_type = os.environ['JIRA_ISSUE_TYPE']
     jira_project_key = os.environ['JIRA_PROJECT_KEY']
@@ -147,7 +148,7 @@ def lambda_handler(event: dict, context: LambdaContext):
                         f"Failed to retrieve Jira issue {jira_issue_id}: {e}. Cannot autoclose.")
                     return  # Skip further processing for this finding
                 helpers.close_jira_issue(
-                    jira_client, issue, jira_autoclose_transition, jira_autoclose_comment)
+                    jira_client, issue, jira_autoclose_transition, jira_autoclose_comment, jira_intermediate_transition)
                 if workflow_status == STATUS_NOTIFIED:
                     # Resolve SecHub finding as it will be reopened anyway in case the compliance fails
                     # Also change the note to prevent a second run with RESOLVED status.
 
@@ -190,26 +190,50 @@ def create_jira_issue(jira_client: JIRA, project_key: str, issue_type: str, even
         raise e
 
 
-def close_jira_issue(jira_client: JIRA, issue: Issue, transition_name: str, comment: str) -> None:
+def close_jira_issue(jira_client: JIRA, issue: Issue, transition_name: str, comment: str, intermediate_transition: str = '') -> None:
     """
-    Close a Jira issue.
+    Close a Jira issue, intelligently handling transitions based on available options.
+    
+    If the direct close transition is not available, but an intermediate transition is specified
+    and available, the function will perform the intermediate transition first, then close.
 
     Args:
         jira_client (JIRA): An authenticated Jira client instance.
         issue (Issue): The Jira issue to close.
+        transition_name (str): The name of the final transition to close the issue.
+        comment (str): The comment to add when closing the issue.
+        intermediate_transition (str): Optional intermediate transition to perform before closing.
 
     Raises:
         Exception: If there is an error closing the Jira issue.
     """
 
     try:
+        # Get available transitions for the current issue state
+        available_transitions = jira_client.transitions(issue)
+        available_transition_names = {t['name']: t['id'] for t in available_transitions}
+        
+        logger.info(f"Available transitions for issue {issue.key}: {list(available_transition_names.keys())}")
+        
+        # Check if intermediate transition is available
+        if intermediate_transition and intermediate_transition in available_transition_names:
+            # Direct close not available, but intermediate transition is
+            logger.info(f"Direct close not available. Performing intermediate transition '{intermediate_transition}' for issue {issue.key}")
+            jira_client.transition_issue(issue, available_transition_names[intermediate_transition])
+            logger.info(f"Transitioned Jira issue {issue.key} to intermediate status: {intermediate_transition}")
+            
+            # Refresh the issue to get the updated status
+            issue = jira_client.issue(issue.key)
+        
+        # Attempt to close the issue
         transition_id = jira_client.find_transitionid_by_name(issue, transition_name)
         if transition_id is None:
             logger.warning(f"Failed to close Jira issue: Invalid transition.")
             return
         jira_client.add_comment(issue, comment)
         jira_client.transition_issue(issue, transition_id, comment=comment)
         logger.info(f"Closed Jira issue: {issue.key}")
+                
     except Exception as e:
         logger.error(f"Failed to close Jira issue {issue.key}: {e}")
         raise e
 
@@ -105,17 +105,18 @@ module "jira_lambda" {
   timeout                     = var.jira_integration.lambda_settings.timeout
 
   environment = {
-    EXCLUDE_ACCOUNT_FILTER      = jsonencode(var.jira_integration.exclude_account_ids)
-    INCLUDE_ACCOUNT_FILTER      = jsonencode(var.jira_integration.include_account_ids)
-    JIRA_AUTOCLOSE_COMMENT      = var.jira_integration.autoclose_comment
-    JIRA_AUTOCLOSE_TRANSITION   = var.jira_integration.autoclose_transition_name
-    JIRA_ISSUE_CUSTOM_FIELDS    = jsonencode(var.jira_integration.issue_custom_fields)
-    JIRA_ISSUE_TYPE             = var.jira_integration.issue_type
-    JIRA_PROJECT_KEY            = var.jira_integration.project_key
-    JIRA_SECRET_ARN             = var.jira_integration.credentials_secretsmanager_arn != null ? var.jira_integration.credentials_secretsmanager_arn : var.jira_integration.credentials_ssm_secret_arn
-    JIRA_SECRET_TYPE            = var.jira_integration.credentials_secretsmanager_arn != null ? "SECRETSMANAGER" : "SSM"
-    LOG_LEVEL                   = var.jira_integration.lambda_settings.log_level
-    POWERTOOLS_LOGGER_LOG_EVENT = "false"
-    POWERTOOLS_SERVICE_NAME     = "securityhub-findings-manager-jira"
+    EXCLUDE_ACCOUNT_FILTER       = jsonencode(var.jira_integration.exclude_account_ids)
+    INCLUDE_ACCOUNT_FILTER       = jsonencode(var.jira_integration.include_account_ids)
+    JIRA_AUTOCLOSE_COMMENT       = var.jira_integration.autoclose_comment
+    JIRA_AUTOCLOSE_TRANSITION    = var.jira_integration.autoclose_transition_name
+    JIRA_INTERMEDIATE_TRANSITION = var.jira_integration.include_intermediate_transition != null ? var.jira_integration.include_intermediate_transition : ""
+    JIRA_ISSUE_CUSTOM_FIELDS     = jsonencode(var.jira_integration.issue_custom_fields)
+    JIRA_ISSUE_TYPE              = var.jira_integration.issue_type
+    JIRA_PROJECT_KEY             = var.jira_integration.project_key
+    JIRA_SECRET_ARN              = var.jira_integration.credentials_secretsmanager_arn != null ? var.jira_integration.credentials_secretsmanager_arn : var.jira_integration.credentials_ssm_secret_arn
+    JIRA_SECRET_TYPE             = var.jira_integration.credentials_secretsmanager_arn != null ? "SECRETSMANAGER" : "SSM"
+    LOG_LEVEL                    = var.jira_integration.lambda_settings.log_level
+    POWERTOOLS_LOGGER_LOG_EVENT  = "false"
+    POWERTOOLS_SERVICE_NAME      = "securityhub-findings-manager-jira"
   }
 }
@@ -96,6 +96,7 @@ variable "jira_integration" {
     exclude_account_ids                   = optional(list(string), [])
     finding_severity_normalized_threshold = optional(number, 70)
     include_account_ids                   = optional(list(string), [])
+    include_intermediate_transition       = optional(string)
     include_product_names                 = optional(list(string), [])
     issue_custom_fields                   = optional(map(string), {})
     issue_type                            = optional(string, "Security Advisory")