feat: send security hub events to sentinel (#74)

Since we can just send from the log_archive account there is no need to
forward the events to another eventbridge like we did in the existing
Landing Zone Instance.

terragrunt/org_account/main/eventbridge.tf

@@ -0,0 +1,23 @@
+resource "aws_cloudwatch_event_rule" "cds_sentinel_securityhub_rule" {
+  provider    = aws.log_archive
+  name        = "cds-sentinel-securityhub-rule"
+  description = "Capture security hub events"
+
+  event_pattern = <<PATTERN
+{
+  "source": [
+    "aws.securityhub"
+  ],
+  "detail-type": [
+    "Security Hub Findings - Imported"
+  ],
+  "detail": {
+    "findings": {
+      "Severity": [
+        "CRITICAL", "HIGH", "MEDIUM", "LOW"
+      ]
+    }
+  }
+}
+PATTERN
+}

terragrunt/org_account/main/sentinel_forwarders.tf

@@ -45,3 +45,23 @@ module "guardduty_forwarder" {
     }
   ]
 }
+
+
+
+# Security Hub
+
+module "securityhub_forwarder" {
+  providers = {
+    aws = aws.log_archive
+  }
+
+  source            = "github.com/cds-snc/terraform-modules?ref=v3.0.2//sentinel_forwarder"
+  function_name     = "sentinel-securityhub-forwarder"
+  billing_tag_value = var.billing_code
+
+  customer_id = var.lw_customer_id
+  shared_key  = var.lw_shared_key
+
+  event_rule_names = [aws_cloudwatch_event_rule.cds_sentinel_securityhub_rule.name]
+
+}