From f4b8441d524682a8705c0037e35e7312e767ad4d Mon Sep 17 00:00:00 2001 
From: Loren Gordon Date: Fri, 27 Dec 2024 07:16:28 -0800 Subject: [PATCH 1/4] Refactors implementation to remove unneeded submodules and modernize syntax --- main.tf | 76 ++++++++++------- modules/account/README.md | 36 --------- modules/account/main.tf | 5 -- modules/account/outputs.tf | 4 - modules/account/variables.tf | 26 ------ modules/account/versions.tf | 10 --- modules/action_target/README.md | 36 --------- modules/action_target/main.tf | 5 -- modules/action_target/outputs.tf | 4 - modules/action_target/variables.tf | 14 ---- modules/action_target/versions.tf | 10 --- modules/member/README.md | 35 -------- modules/member/main.tf | 5 -- modules/member/outputs.tf | 4 - modules/member/variables.tf | 9 --- modules/member/versions.tf | 10 --- modules/standards_controls/README.md | 36 --------- modules/standards_controls/main.tf | 5 -- modules/standards_controls/outputs.tf | 4 - modules/standards_controls/variables.tf | 14 ---- modules/standards_controls/versions.tf | 10 --- modules/subscriptions/README.md | 36 --------- modules/subscriptions/main.tf | 11 --- modules/subscriptions/outputs.tf | 9 --- modules/subscriptions/variables.tf | 11 --- modules/subscriptions/versions.tf | 10 --- outputs.tf | 26 ++++-- tests/securityhub_same_account/main.tf | 36 --------- .../main.tf | 0 .../variables.tf | 0 tests/test-same-account/main.tf | 54 +++++++++++++ variables.tf | 81 +++++++------------ versions.tf | 4 +- 33 files changed, 150 insertions(+), 486 deletions(-) delete mode 100644 modules/account/README.md delete mode 100644 modules/account/main.tf delete mode 100644 modules/account/outputs.tf delete mode 100644 modules/account/variables.tf delete mode 100644 modules/account/versions.tf delete mode 100644 modules/action_target/README.md delete mode 100644 modules/action_target/main.tf delete mode 100644 modules/action_target/outputs.tf delete mode 100644 modules/action_target/variables.tf delete mode 100644 modules/action_target/versions.tf delete mode 100644 
modules/member/README.md delete mode 100644 modules/member/main.tf delete mode 100644 modules/member/outputs.tf delete mode 100644 modules/member/variables.tf delete mode 100644 modules/member/versions.tf delete mode 100644 modules/standards_controls/README.md delete mode 100644 modules/standards_controls/main.tf delete mode 100644 modules/standards_controls/outputs.tf delete mode 100644 modules/standards_controls/variables.tf delete mode 100644 modules/standards_controls/versions.tf delete mode 100644 modules/subscriptions/README.md delete mode 100644 modules/subscriptions/main.tf delete mode 100644 modules/subscriptions/outputs.tf delete mode 100644 modules/subscriptions/variables.tf delete mode 100644 modules/subscriptions/versions.tf delete mode 100644 tests/securityhub_same_account/main.tf rename tests/{securityhub_cross_account => test-cross-account}/main.tf (100%) rename tests/{securityhub_cross_account => test-cross-account}/variables.tf (100%) create mode 100644 tests/test-same-account/main.tf diff --git a/main.tf b/main.tf index 3dd4970..da0528e 100644 --- a/main.tf +++ b/main.tf 
@@ -1,46 +1,64 @@ -# Enable SecurityHub -module "account" { - source = "./modules/account" - - auto_enable_controls = var.auto_enable_controls - control_finding_generator = var.control_finding_generator - enable_default_standards = var.enable_default_standards +resource "aws_securityhub_account" "this" { + auto_enable_controls = var.security_hub.auto_enable_controls + control_finding_generator = var.security_hub.control_finding_generator + enable_default_standards = false } -# Manage subscriptions -module "subscriptions" { - source = "./modules/subscriptions" +resource "aws_securityhub_action_target" "this" { + for_each = { for action_target in var.security_hub.action_targets : action_target.name => action_target } - standard_subscription_arns = var.standard_subscription_arns - product_subscription_arns = var.product_subscription_arns + name = each.value.name + identifier = each.value.identifier + description = each.value.description depends_on = [ - module.account + aws_securityhub_account.this, ] } -# Manage Control status -module "standards_controls" { - source = "./modules/standards_controls" - for_each = { for control in var.standards_controls : control.name => control } +resource "aws_securityhub_product_subscription" "this" { + for_each = toset(var.security_hub.product_subscription_arns) + + product_arn = each.value + + depends_on = [ + aws_securityhub_account.this, + ] +} - standards_control_arn = each.value.standards_control_arn - control_status = each.value.control_status - disabled_reason = each.value.disabled_reason +resource "aws_securityhub_standards_subscription" "this" { + for_each = toset(local.standards_subscription_arns) + standards_arn = each.value depends_on = [ - module.account, - module.subscriptions + aws_securityhub_account.this, ] } -# Manage action targets -module "action_targets" { - source = "./modules/action_target" - for_each = { for action_target in var.action_targets : action_target.name => action_target } +resource 
"aws_securityhub_standards_control_association" "this" { + for_each = { for association in var.security_hub.standards_control_associations : association.name => association } - name = each.key - description = each.value.description - identifier = each.value.identifier + standards_arn = aws_securityhub_standards_subscription.this[each.value.standards_arn].standards_arn + security_control_id = each.value.security_control_id + association_status = each.value.association_status + updated_reason = each.value.updated_reason +} + +locals { + standards_subscription_arns = flatten([ + var.security_hub.enable_default_standards ? local.default_standards_arns : [], + var.security_hub.standard_subscription_arns, + ]) + + default_standards_arns = [ + "arn:${local.partition}:securityhub:${local.region}::standards/aws-foundational-security-best-practices/v/1.0.0", + "arn:${local.partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", + ] + + partition = data.aws_partition.current.partition + region = data.aws_region.current.name } + +data "aws_partition" "current" {} +data "aws_region" "current" {} diff --git a/modules/account/README.md b/modules/account/README.md deleted file mode 100644 index 811a222..0000000 --- a/modules/account/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# terraform-aws-tardigrade-security-hub/account - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no | -| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `null` | no | -| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [account](#output\_account) | Object containing SecurityHub account resource | - - diff --git a/modules/account/main.tf b/modules/account/main.tf deleted file mode 100644 index b0ee047..0000000 --- a/modules/account/main.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "aws_securityhub_account" "this" { - auto_enable_controls = var.auto_enable_controls - control_finding_generator = var.control_finding_generator - enable_default_standards = var.enable_default_standards -} diff --git a/modules/account/outputs.tf b/modules/account/outputs.tf deleted file mode 100644 index 3d77adf..0000000 --- a/modules/account/outputs.tf +++ /dev/null 
@@ -1,4 +0,0 @@ -output "account" { - description = "Object containing SecurityHub account resource" - value = aws_securityhub_account.this -} diff --git a/modules/account/variables.tf b/modules/account/variables.tf deleted file mode 100644 index b22c5cf..0000000 --- a/modules/account/variables.tf +++ /dev/null @@ -1,26 +0,0 @@ -variable "auto_enable_controls" { - description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`" - type = bool - default = true -} - -variable "control_finding_generator" { - description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard." - type = string - default = null - - validation { - condition = ( - var.control_finding_generator != null ? - contains(["SECURITY_CONTROL", "STANDARDS_CONTROL"], var.control_finding_generator) : - true - ) - error_message = "control_finding_generator must be one of: SECURITY_CONTROL, STANDARDS_CONTROL, null" - } -} - -variable "enable_default_standards" { - description = "Boolean that automatically enables new controls when they are added to standards that are enabled" - type = bool - default = true -} diff --git a/modules/account/versions.tf b/modules/account/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/account/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.64.0" - } - } -} diff --git a/modules/action_target/README.md b/modules/action_target/README.md deleted file mode 100644 index d29069f..0000000 --- a/modules/action_target/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# terraform-aws-tardigrade-security-hub/action_target - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [description](#input\_description) | Description for the custom action target | `string` | n/a | yes | -| [identifier](#input\_identifier) | ID for the custom action target | `string` | n/a | yes | -| [name](#input\_name) | Name of the custom action target | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [account](#output\_account) | Object containing SecurityHub action target resource | - - diff --git a/modules/action_target/main.tf b/modules/action_target/main.tf deleted file mode 100644 index b172ece..0000000 --- a/modules/action_target/main.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "aws_securityhub_action_target" "this" { - name = var.name - identifier = var.identifier - description = var.description -} diff --git a/modules/action_target/outputs.tf b/modules/action_target/outputs.tf deleted file mode 100644 index 4243cae..0000000 --- a/modules/action_target/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "account" { - description = "Object containing SecurityHub action target resource" - value = aws_securityhub_action_target.this -} diff --git a/modules/action_target/variables.tf b/modules/action_target/variables.tf deleted file mode 100644 index 5380815..0000000 --- a/modules/action_target/variables.tf +++ /dev/null 
@@ -1,14 +0,0 @@ -variable "description" { - description = "Description for the custom action target" - type = string -} - -variable "name" { - description = "Name of the custom action target" - type = string -} - -variable "identifier" { - description = "ID for the custom action target" - type = string -} diff --git a/modules/action_target/versions.tf b/modules/action_target/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/action_target/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.64.0" - } - } -} diff --git a/modules/member/README.md b/modules/member/README.md deleted file mode 100644 index 975b6fd..0000000 --- a/modules/member/README.md +++ /dev/null @@ -1,35 +0,0 @@ -# terraform-aws-tardigrade-security-hub/member - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_id](#input\_account\_id) | Account ID of the member AWS account. | `string` | n/a | yes | -| [email](#input\_email) | Root email address of the member AWS account. | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [member](#output\_member) | Object containing SecurityHub member resource | - - diff --git a/modules/member/main.tf b/modules/member/main.tf deleted file mode 100644 index 6c0748d..0000000 --- a/modules/member/main.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "aws_securityhub_member" "this" { - account_id = var.account_id - email = var.email - invite = true -} 
diff --git a/modules/member/outputs.tf b/modules/member/outputs.tf deleted file mode 100644 index f9955be..0000000 --- a/modules/member/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "member" { - description = "Object containing SecurityHub member resource" - value = aws_securityhub_member.this -} diff --git a/modules/member/variables.tf b/modules/member/variables.tf deleted file mode 100644 index 4c8371d..0000000 --- a/modules/member/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "account_id" { - description = "Account ID of the member AWS account." - type = string -} - -variable "email" { - description = "Root email address of the member AWS account." - type = string -} diff --git a/modules/member/versions.tf b/modules/member/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/member/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.64.0" - } - } -} diff --git a/modules/standards_controls/README.md b/modules/standards_controls/README.md deleted file mode 100644 index ee6ad00..0000000 --- a/modules/standards_controls/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# terraform-aws-tardigrade-security-hub/standards_control - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [control\_status](#input\_control\_status) | Control status enabled or disabled | `string` | n/a | yes | -| [disabled\_reason](#input\_disabled\_reason) | A description of the reason why you are disabling a security standard control | `string` | n/a | yes | -| [standards\_control\_arn](#input\_standards\_control\_arn) | The standards control ARN | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [standards\_control](#output\_standards\_control) | Object containing SecurityHub standards control resource | - - diff --git a/modules/standards_controls/main.tf b/modules/standards_controls/main.tf deleted file mode 100644 index 8f4820c..0000000 --- a/modules/standards_controls/main.tf +++ /dev/null @@ -1,5 +0,0 @@ -resource "aws_securityhub_standards_control" "this" { - standards_control_arn = var.standards_control_arn - control_status = var.control_status - disabled_reason = var.disabled_reason -} diff --git a/modules/standards_controls/outputs.tf b/modules/standards_controls/outputs.tf deleted file mode 100644 index 67f8119..0000000 --- a/modules/standards_controls/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "standards_control" { - description = "Object containing SecurityHub standards control resource" - value = aws_securityhub_standards_control.this -} diff --git a/modules/standards_controls/variables.tf b/modules/standards_controls/variables.tf deleted file mode 100644 index 198a8a1..0000000 
--- a/modules/standards_controls/variables.tf +++ /dev/null @@ -1,14 +0,0 @@ -variable "standards_control_arn" { - description = "The standards control ARN" - type = string -} - -variable "control_status" { - description = "Control status enabled or disabled" - type = string -} - -variable "disabled_reason" { - description = "A description of the reason why you are disabling a security standard control" - type = string -} diff --git a/modules/standards_controls/versions.tf b/modules/standards_controls/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/standards_controls/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.64.0" - } - } -} diff --git a/modules/subscriptions/README.md b/modules/subscriptions/README.md deleted file mode 100644 index 6b11621..0000000 --- a/modules/subscriptions/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -# terraform-aws-tardigrade-security-hub/subscriptions - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no | -| [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [product\_subscriptions](#output\_product\_subscriptions) | Object containing SecurityHub product subscription resources | -| [standards\_subscriptions](#output\_standards\_subscriptions) | Object containing SecurityHub standards subscription resources | - - diff --git a/modules/subscriptions/main.tf b/modules/subscriptions/main.tf deleted file mode 100644 index eb3d2bf..0000000 --- a/modules/subscriptions/main.tf +++ /dev/null @@ -1,11 +0,0 @@ -resource "aws_securityhub_standards_subscription" "this" { - for_each = toset(var.standard_subscription_arns) - - standards_arn = each.value -} - -resource "aws_securityhub_product_subscription" "this" { - for_each = toset(var.product_subscription_arns) - - product_arn = each.value -} diff --git a/modules/subscriptions/outputs.tf b/modules/subscriptions/outputs.tf deleted file mode 100644 index 3235f9f..0000000 --- a/modules/subscriptions/outputs.tf +++ /dev/null 
@@ -1,9 +0,0 @@ -output "standards_subscriptions" { - description = "Object containing SecurityHub standards subscription resources" - value = aws_securityhub_standards_subscription.this -} - -output "product_subscriptions" { - description = "Object containing SecurityHub product subscription resources" - value = aws_securityhub_product_subscription.this -} diff --git a/modules/subscriptions/variables.tf b/modules/subscriptions/variables.tf deleted file mode 100644 index 42eca4b..0000000 --- a/modules/subscriptions/variables.tf +++ /dev/null @@ -1,11 +0,0 @@ -variable "standard_subscription_arns" { - description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html" - type = list(string) - default = [] -} - -variable "product_subscription_arns" { - description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html" - type = list(string) - default = [] -} diff --git a/modules/subscriptions/versions.tf b/modules/subscriptions/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/subscriptions/versions.tf +++ /dev/null @@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.13" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 4.64.0" - } - } -} diff --git a/outputs.tf b/outputs.tf index ae3247f..0972951 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,14 +1,24 @@ output "account" { - description = "Object containing the SecurityHub account resource" - value = module.account.account + description = "Object of the Security Hub account resource" + value = aws_securityhub_account.this } -output "subscriptions" { - description = "Object containing the SecurityHub subscriptions resources" - value = module.subscriptions +output "action_targets" { + description = "Map of Security Hub action targets" + value = aws_securityhub_action_target.this } -output "action_targets" { - description = "Object containing the SecurityHub action targets resources" - value = module.action_targets +output "product_subscriptions" { + description = "Map of Security Hub Product Subscriptions" + value = aws_securityhub_product_subscription.this +} + +output "standards_subscriptions" { + description = "Map of Security Hub Standards Subscriptions" + value = aws_securityhub_standards_subscription.this +} + +output "standards_control_associations" { + description = "Map of Security Hub Standards Control Associations" + value = aws_securityhub_standards_control_association.this } diff --git a/tests/securityhub_same_account/main.tf b/tests/securityhub_same_account/main.tf deleted file mode 100644 index 0bf805b..0000000 --- a/tests/securityhub_same_account/main.tf +++ /dev/null 
@@ -1,36 +0,0 @@ -provider "aws" { - profile = "aws" # Profile must exist in your .aws/config -} - -module "securityhub" { - source = "../../" - - standard_subscription_arns = [ - "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", - "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1", - ] - - product_subscription_arns = [ - "arn:aws:securityhub:us-east-1:453761072151:product/turbot/turbot", - ] - - standards_controls = [ - { - name = "cis-aws-foundations-benchmark" - standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/cis-aws-foundations-benchmark/v/1.2.0/1.10" - control_status = "ENABLED" - disabled_reason = "" - }, - { - name = "pci-dss" - standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" - control_status = "DISABLED" - disabled_reason = "I don't like security" - } - ] -} - -output "securityhub" { - value = module.securityhub -} - diff --git a/tests/securityhub_cross_account/main.tf b/tests/test-cross-account/main.tf similarity index 100% rename from tests/securityhub_cross_account/main.tf rename to tests/test-cross-account/main.tf diff --git a/tests/securityhub_cross_account/variables.tf b/tests/test-cross-account/variables.tf similarity index 100% rename from tests/securityhub_cross_account/variables.tf rename to tests/test-cross-account/variables.tf diff --git a/tests/test-same-account/main.tf b/tests/test-same-account/main.tf new file mode 100644 index 0000000..83f0689 --- /dev/null +++ b/tests/test-same-account/main.tf 
@@ -0,0 +1,54 @@ +provider "aws" { + profile = "aws" # Profile must exist in ~/.aws/config +} + +module "security_hub" { + source = "../../" + + security_hub = { + auto_enable_controls = true + control_finding_generator = null # "SECURITY_CONTROL|STANDARD_CONTROL" + enable_default_standards = true # Enables CIS AWS Foundations and AWS Foundational Security Best Practices + + standard_subscription_arns = [ + "arn:${local.partition}:securityhub:${local.region}::standards/aws-resource-tagging-standard/v/1.0.0", + "arn:${local.partition}:securityhub:${local.region}::standards/pci-dss/v/3.2.1", + ] + + product_subscription_arns = [ + "arn:${local.partition}:securityhub:${local.region}:453761072151:product/turbot/turbot", + ] + + standards_control_associations = [ + { + name = "cis-foundations-cloudtrail-2" + association_status = "DISABLED" + security_control_id = "CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" + }, + { + name = "aws-foundations-cloudtrail-2" + association_status = "DISABLED" + security_control_id = "CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:${local.region}::standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + name = "pci-dss-cloudtrail-2" + association_status = "DISABLED" + security_control_id = "CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:${local.region}::standards/pci-dss/v/3.2.1" + }, + ] + } +} + +locals { + partition = data.aws_partition.current.partition + region = data.aws_region.current.name +} + +data "aws_partition" "current" {} +data "aws_region" "current" {} diff --git a/variables.tf b/variables.tf index 876d478..a7c2fae 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1,59 +1,36 @@ -variable "action_targets" { - description = "Schema list of SecurityHub action targets." - type = list(object({ - name = string - description = string - identifer = string - })) - default = [] -} +variable "security_hub" { + description = "Object of inputs for Security Hub configuration" + type = object({ + auto_enable_controls = optional(bool, true) + control_finding_generator = optional(string) + enable_default_standards = optional(bool, true) -variable "auto_enable_controls" { - description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`" - type = bool - default = true -} + product_subscription_arns = optional(list(string), []) + standard_subscription_arns = optional(list(string), []) + + action_targets = optional(list(object({ + name = string + description = string + identifier = string + })), []) -variable "control_finding_generator" { - description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard." - type = string - default = null + standards_control_associations = optional(list(object({ + name = string + association_status = string + security_control_id = string + standards_arn = string + updated_reason = optional(string) + })), []) + }) validation { - condition = ( - var.control_finding_generator != null ? 
- contains(["SECURITY_CONTROL", "STANDARDS_CONTROL"], var.control_finding_generator) : - true + condition = anytrue([ + var.security_hub.control_finding_generator == null, + contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], format("%v", var.security_hub.control_finding_generator)), + ]) + error_message = format( + "Expected `control_finding_generator` to be one of [\"STANDARD_CONTROL\", \"SECURITY_CONTROL\"], got %v.", + var.security_hub.control_finding_generator ) - error_message = "control_finding_generator must be one of: SECURITY_CONTROL, STANDARDS_CONTROL, null" } } - -variable "enable_default_standards" { - description = "Boolean that automatically enables new controls when they are added to standards that are enabled" - type = bool - default = true -} - -variable "product_subscription_arns" { - description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html" - type = list(string) - default = [] -} - -variable "standard_subscription_arns" { - description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html" - type = list(string) - default = [] -} - -variable "standards_controls" { - description = "List of Security Hub standards to enable or disable in current region." - type = list(object({ - name = string - standards_control_arn = string - control_status = string - disabled_reason = string - })) - default = [] -} diff --git a/versions.tf b/versions.tf index 076bf5b..b302872 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.64.0" + version = ">= 5.70.0" } } } From 386a2bcd2712dc30a516b6b83bb06bd3ff6ecc31 Mon Sep 17 00:00:00 2001 
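Review bot: The new `standards_control_associations` object validates nothing about its entries, although `association_status` has only two meaningful values and, as far as I recall, the provider rejects a `DISABLED` association that has no `updated_reason` (the fixture in `tests/test-same-account/main.tf` supplies a reason on every `DISABLED` entry, which is consistent with that). A second `validation` block next to the existing `control_finding_generator` one would catch both at plan time instead of at apply. The `error_message` for `control_finding_generator` also lists the allowed values in the opposite order to the `contains` list, which is harmless but worth aligning.
```hcl
  # … unchanged: type definition and control_finding_generator validation …
  validation {
    condition = alltrue([
      for assoc in var.security_hub.standards_control_associations :
      contains(["ENABLED", "DISABLED"], assoc.association_status) &&
      (assoc.association_status != "DISABLED" || assoc.updated_reason != null)
    ])
    error_message = "Each standards_control_association needs association_status of ENABLED or DISABLED, and updated_reason when DISABLED."
  }
```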
From: Loren Gordon Date: Fri, 27 Dec 2024 09:22:54 -0800 Subject: [PATCH 2/4] Refactors cross-account member for modern terraform syntax --- main.tf | 4 +- modules/accepter/README.md | 34 ---------- modules/accepter/main.tf | 3 - modules/accepter/outputs.tf | 4 -- modules/accepter/variables.tf | 4 -- modules/accepter/versions.tf | 10 --- modules/cross-account-member/main.tf | 36 +++++------ modules/cross-account-member/outputs.tf | 18 ++---- modules/cross-account-member/variables.tf | 74 +++++++-------------- modules/cross-account-member/versions.tf | 4 +- tests/test-cross-account/main.tf | 79 ++++++++++++++--------- tests/test-same-account/main.tf | 4 +- variables.tf | 2 + 13 files changed, 98 insertions(+), 178 deletions(-) delete mode 100644 modules/accepter/README.md delete mode 100644 modules/accepter/main.tf delete mode 100644 modules/accepter/outputs.tf delete mode 100644 modules/accepter/variables.tf delete mode 100644 modules/accepter/versions.tf diff --git a/main.tf b/main.tf index da0528e..23d3e01 100644 --- a/main.tf +++ b/main.tf @@ -56,8 +56,8 @@ locals { "arn:${local.partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", ] - partition = data.aws_partition.current.partition - region = data.aws_region.current.name + partition = data.aws_partition.current.partition + region = data.aws_region.current.name } data "aws_partition" "current" {} diff --git a/modules/accepter/README.md b/modules/accepter/README.md deleted file mode 100644 index 91ab813..0000000 --- a/modules/accepter/README.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# terraform-aws-tardigrade-security-hub/accepter - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.64.0 | - -## Resources - -| Name | Type | -|------|------| - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [master\_account\_id](#input\_master\_account\_id) | Account ID of the AWS SecurityHub master account that sent the invite | `string` | n/a | yes | - -## Outputs - -| Name | Description | -|------|-------------| -| [accepter](#output\_accepter) | Object containing SecurityHub accepter resource | - - diff --git a/modules/accepter/main.tf b/modules/accepter/main.tf deleted file mode 100644 index 4b899d8..0000000 --- a/modules/accepter/main.tf +++ /dev/null @@ -1,3 +0,0 @@ -resource "aws_securityhub_invite_accepter" "this" { - master_id = var.master_account_id -} diff --git a/modules/accepter/outputs.tf b/modules/accepter/outputs.tf deleted file mode 100644 index bf0e88b..0000000 --- a/modules/accepter/outputs.tf +++ /dev/null @@ -1,4 +0,0 @@ -output "accepter" { - description = "Object containing SecurityHub accepter resource" - value = aws_securityhub_invite_accepter.this -} diff --git a/modules/accepter/variables.tf b/modules/accepter/variables.tf deleted file mode 100644 index 13892e6..0000000 --- a/modules/accepter/variables.tf +++ /dev/null @@ -1,4 +0,0 @@ -variable "master_account_id" { - description = "Account ID of the AWS SecurityHub master account that sent the invite" - type = string -} diff --git a/modules/accepter/versions.tf b/modules/accepter/versions.tf deleted file mode 100644 index 076bf5b..0000000 --- a/modules/accepter/versions.tf +++ /dev/null 
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 0.13"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.64.0"
- }
- }
-}
diff --git a/modules/cross-account-member/main.tf b/modules/cross-account-member/main.tf
index 83dacce..649fa92 100644
--- a/modules/cross-account-member/main.tf
+++ b/modules/cross-account-member/main.tf
@@ -2,32 +2,26 @@ module "account" {
 source = "../../"
- action_targets = var.action_targets
- auto_enable_controls = var.auto_enable_controls
- control_finding_generator = var.control_finding_generator
- enable_default_standards = var.enable_default_standards
- product_subscription_arns = var.product_subscription_arns
- standard_subscription_arns = var.standard_subscription_arns
- standards_controls = var.standards_controls
+ security_hub = var.security_hub
 }
-# Send invite from administrator account
-module "member" {
- source = "../member"
-
- providers = {
- aws = aws.administrator
- }
+resource "aws_securityhub_member" "this" {
+ provider = aws.administrator
 account_id = module.account.account.id
- email = var.member_email
+ email = var.security_hub.member_email
+ invite = true
 }
-# Accept invite
-module "accept" {
- source = "../accepter"
-
- depends_on = [module.account]
+resource "aws_securityhub_invite_accepter" "this" {
+ master_id = terraform_data.accepter_dependencies.input.master_id
 }
- master_account_id = module.member.member.master_id
+# Creates dependency on `module.account.account.id`, so security hub is enabled
+# in the account before the invite can be accepted
+resource "terraform_data" "accepter_dependencies" {
+ input = {
+ master_id = coalesce(var.security_hub.master_id, aws_securityhub_member.this.master_id)
+ account_id = module.account.account.id
+ }
 }
diff --git a/modules/cross-account-member/outputs.tf b/modules/cross-account-member/outputs.tf
index 624b223..ea0c0f4 100644
--- a/modules/cross-account-member/outputs.tf
+++ b/modules/cross-account-member/outputs.tf
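Review bot: The administrator that `aws_securityhub_invite_accepter` binds this account to comes from `coalesce(var.security_hub.master_id, aws_securityhub_member.this.master_id)` in the `terraform_data` input, so a caller-supplied `master_id` silently wins over the account that actually issued the invitation, and nothing in the hunk explains why the override exists or checks that the two agree. Since accepting the invitation hands visibility of this account's findings to whichever ID wins the coalesce, either drop the override or state its intent on the `input` block, e.g. `# master_id may be passed when the administrator account ID is known before apply; it must be the account behind aws.administrator`. The existing comment above `terraform_data` only covers the `account_id` ordering; extending it to say that the reference to `aws_securityhub_member.this.master_id` also sequences the accepter after the invitation even when the variable is set would make the ordering contract explicit. The module README regenerated in the following patch lists no resources for this module although this hunk adds three, so it should be regenerated once these resources are in place. `module "account"` opens on line 1, before this hunk's first line.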
@@ -1,24 +1,14 @@
 output "account" {
- description = "Object containing the SecurityHub account resource"
- value = module.account.account
+ description = "Object containing the SecurityHub resources"
+ value = module.account
 }
 output "member" {
 description = "Object containing the SecurityHub member resource"
- value = module.member.member
+ value = aws_securityhub_member.this
 }
 output "accepter" {
 description = "Object containing the SecurityHub accepter resource"
- value = module.accept.accepter
-}
-
-output "subscriptions" {
- description = "Object containing the SecurityHub subscriptions resources"
- value = module.account.subscriptions
-}
-
-output "action_targets" {
- description = "Object containing the SecurityHub action targets resources"
- value = module.account.action_targets
+ value = aws_securityhub_invite_accepter.this
 }
diff --git a/modules/cross-account-member/variables.tf b/modules/cross-account-member/variables.tf
index 610452f..d4f6e15 100644
--- a/modules/cross-account-member/variables.tf
+++ b/modules/cross-account-member/variables.tf
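Review bot: `output "account"` now exposes the whole `module.account` object rather than the account resource, while its name still reads as a single resource and the new description, `"Object containing the SecurityHub resources"`, does not say which ones; consumers now have to reach `.account.account` for the resource they used to get directly. Name the re-exported outputs in the description, e.g. `description = "Outputs of the root Security Hub module: account, action_targets, product_subscriptions, standards_control_associations, standards_subscriptions"`, so the shape change is discoverable from the output itself. If keeping the old shape matters to callers, a separate `output "security_hub"` for the module object would let `account` retain its previous meaning.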
@@ -1,55 +1,29 @@ -variable "member_email" { - description = "Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow" - type = string -} - -variable "action_targets" { - description = "Schema list of SecurityHub action targets." - type = list(object({ - name = string - description = string - identifer = string - })) - default = [] -} - -variable "auto_enable_controls" { - description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`" - type = bool - default = true -} +variable "security_hub" { + description = "Object of inputs for Security Hub configuration" + nullable = false + type = object({ + member_email = string + master_id = optional(string) -variable "control_finding_generator" { - description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard." - type = string - default = "SECURITY_CONTROL" -} + auto_enable_controls = optional(bool, true) + control_finding_generator = optional(string) + enable_default_standards = optional(bool, true) -variable "enable_default_standards" { - description = "Boolean that automatically enables new controls when they are added to standards that are enabled" - type = bool - default = true -} + product_subscription_arns = optional(list(string), []) + standard_subscription_arns = optional(list(string), []) -variable "product_subscription_arns" { - description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html" - type = list(string) - default = [] -} - -variable "standard_subscription_arns" { - description = "List of standard arns to subscribe to. 
See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html" - type = list(string) - default = [] -} + action_targets = optional(list(object({ + name = string + description = string + identifier = string + })), []) -variable "standards_controls" { - description = "List of Security Hub standards to enable or disable in current region." - type = list(object({ - name = string - standards_control_arn = string - control_status = string - disabled_reason = string - })) - default = [] + standards_control_associations = optional(list(object({ + name = string + association_status = string + security_control_id = string + standards_arn = string + updated_reason = optional(string) + })), []) + }) } diff --git a/modules/cross-account-member/versions.tf b/modules/cross-account-member/versions.tf index 74e5487..7773030 100644 --- a/modules/cross-account-member/versions.tf +++ b/modules/cross-account-member/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.64.0" + version = ">= 5.70.0" configuration_aliases = [aws.administrator] } } diff --git a/tests/test-cross-account/main.tf b/tests/test-cross-account/main.tf index 1e055f2..4f0416d 100644 --- a/tests/test-cross-account/main.tf +++ b/tests/test-cross-account/main.tf 
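Review bot: `member_email` and `master_id` are the two attributes that drive the cross-account invitation, yet the object's description, `"Object of inputs for Security Hub configuration"`, is copied from the root module and says nothing about them, including the fact that `master_id` overrides the ID recorded on the member resource when set. Add a short note per attribute, e.g. `# member_email: address the invitation is sent to; master_id: administrator account ID, defaults to the id recorded on aws_securityhub_member`. Because the root variable in the same patch already carries a `validation` block, the account ID format can be checked here in the same style: `condition = var.security_hub.master_id == null || can(regex("^[0-9]{12}$", var.security_hub.master_id))`.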
@@ -18,45 +18,60 @@ module "securityhub_owner" { } } -module "securityhub" { +module "security_hub" { source = "../../modules/cross-account-member" providers = { aws.administrator = aws.administrator } - # Without the following line it takes two attepts to destroy the resources created by the test - depends_on = [module.securityhub_owner] - - member_email = var.member_email - - standard_subscription_arns = [ - "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", - "arn:aws:securityhub:us-east-1::standards/pci-dss/v/3.2.1", - ] - - product_subscription_arns = [ - "arn:aws:securityhub:us-east-1:453761072151:product/turbot/turbot", - ] - - standards_controls = [ - { - name = "cis-aws-foundations-benchmark" - standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/cis-aws-foundations-benchmark/v/1.2.0/1.10" - control_status = "ENABLED" - disabled_reason = "" - }, - { - name = "pci-dss" - standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/pci-dss/v/3.2.1/PCI.AutoScaling.1" - control_status = "DISABLED" - disabled_reason = "I don't like security" - } - ] -} + security_hub = { + member_email = var.member_email + master_id = module.securityhub_owner.account.id + + auto_enable_controls = true + control_finding_generator = null # "SECURITY_CONTROL|STANDARD_CONTROL" + enable_default_standards = true # Enables CIS AWS Foundations and AWS Foundational Security Best Practices + + standard_subscription_arns = [ + "arn:${local.partition}:securityhub:${local.region}::standards/aws-resource-tagging-standard/v/1.0.0", + "arn:${local.partition}:securityhub:${local.region}::standards/pci-dss/v/3.2.1", + ] -output "securityhub" { - value = module.securityhub + product_subscription_arns = [ + "arn:${local.partition}:securityhub:${local.region}:453761072151:product/turbot/turbot", + ] + + standards_control_associations = [ + { + name = "cis-foundations-cloudtrail-2" + association_status = "DISABLED" + security_control_id = 
"CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" + }, + { + name = "aws-foundations-cloudtrail-2" + association_status = "DISABLED" + security_control_id = "CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:${local.region}::standards/aws-foundational-security-best-practices/v/1.0.0" + }, + { + name = "pci-dss-cloudtrail-2" + association_status = "DISABLED" + security_control_id = "CloudTrail.2" + updated_reason = "I don't like security" + standards_arn = "arn:${local.partition}:securityhub:${local.region}::standards/pci-dss/v/3.2.1" + }, + ] + } } +locals { + partition = data.aws_partition.current.partition + region = data.aws_region.current.name +} +data "aws_partition" "current" {} +data "aws_region" "current" {} diff --git a/tests/test-same-account/main.tf b/tests/test-same-account/main.tf index 83f0689..379f741 100644 --- a/tests/test-same-account/main.tf +++ b/tests/test-same-account/main.tf @@ -46,8 +46,8 @@ module "security_hub" { } locals { - partition = data.aws_partition.current.partition - region = data.aws_region.current.name + partition = data.aws_partition.current.partition + region = data.aws_region.current.name } data "aws_partition" "current" {} diff --git a/variables.tf b/variables.tf index a7c2fae..1d0bf7a 100644 --- a/variables.tf +++ b/variables.tf @@ -1,5 +1,6 @@ variable "security_hub" { description = "Object of inputs for Security Hub configuration" + nullable = false type = object({ auto_enable_controls = optional(bool, true) control_finding_generator = optional(string) @@ -22,6 +23,7 @@ variable "security_hub" { updated_reason = optional(string) })), []) }) + default = {} validation { condition = anytrue([ From a53c9ba7cd56f56140390815e8d3cc924196ea5c Mon Sep 17 00:00:00 2001 
From: Loren Gordon Date: Fri, 27 Dec 2024 09:23:40 -0800 Subject: [PATCH 3/4] Updates readmes with terraform docs --- README.md | 33 +++++++++++++------------- main.tf | 7 +++++- modules/cross-account-member/README.md | 26 +++++++++----------- 3 files changed, 34 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index c3e84bb..d9e15ce 100644 --- a/README.md +++ b/README.md @@ -8,43 +8,44 @@ You can find example implementations of this module in the tests folder. This mo requires 2 different AWS accounts to test and so the terraform aws provider definitions are assuming that you will be using a profile with the name `aws` and `awsalternate`. -Note: the implementation `tests/create_securityhub_member` will require you to provide the variables -`email_address` prior to use +Note: the implementation `tests/test-cross-account` will require you to provide the variable +`email_address`. ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 5.70.0 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.70.0 | ## Resources -No resources. +| Name | Type | +|------|------| +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no | -| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no | -| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `null` | no | -| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no | -| [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no | -| [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no | -| [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. |
list(object({
name = string
standards_control_arn = string
control_status = string
disabled_reason = string
}))
| `[]` | no | +| [security\_hub](#input\_security\_hub) | Object of inputs for Security Hub configuration |
object({
auto_enable_controls = optional(bool, true)
control_finding_generator = optional(string)
enable_default_standards = optional(bool, true)

product_subscription_arns = optional(list(string), [])
standard_subscription_arns = optional(list(string), [])

action_targets = optional(list(object({
name = string
description = string
identifier = string
})), [])

standards_control_associations = optional(list(object({
name = string
association_status = string
security_control_id = string
standards_arn = string
updated_reason = optional(string)
})), [])
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| -| [account](#output\_account) | Object containing the SecurityHub account resource | -| [action\_targets](#output\_action\_targets) | Object containing the SecurityHub action targets resources | -| [subscriptions](#output\_subscriptions) | Object containing the SecurityHub subscriptions resources | +| [account](#output\_account) | Object of the Security Hub account resource | +| [action\_targets](#output\_action\_targets) | Map of Security Hub action targets | +| [product\_subscriptions](#output\_product\_subscriptions) | Map of Security Hub Product Subscriptions | +| [standards\_control\_associations](#output\_standards\_control\_associations) | Map of Security Hub Standards Control Associations | +| [standards\_subscriptions](#output\_standards\_subscriptions) | Map of Security Hub Standards Subscriptions | diff --git a/main.tf b/main.tf index 23d3e01..b845452 100644 --- a/main.tf +++ b/main.tf @@ -1,7 +1,12 @@ resource "aws_securityhub_account" "this" { auto_enable_controls = var.security_hub.auto_enable_controls control_finding_generator = var.security_hub.control_finding_generator - enable_default_standards = false + + # Set to `false` and instead use `aws_securityhub_standards_subscription` to + # enable default standards. This ensures the standards_arn will always be present, + # so it can be used in the `aws_securityhub_standards_control_association` resource + # to create the dependency on the subscription. + enable_default_standards = false } resource "aws_securityhub_action_target" "this" { diff --git a/modules/cross-account-member/README.md b/modules/cross-account-member/README.md index 53a80e8..2b35285 100644 --- a/modules/cross-account-member/README.md +++ b/modules/cross-account-member/README.md 
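Review bot: The new comment explains why `enable_default_standards` is hard-coded to `false`, but the `security_hub` object documented in this same patch still accepts `enable_default_standards = optional(bool, true)` and this resource never reads it, so a reader of this block cannot tell whether that input is honoured. Extend the comment to name where `var.security_hub.enable_default_standards` is applied, presumably the `aws_securityhub_standards_subscription` for_each that lies outside this hunk, e.g. `# var.security_hub.enable_default_standards is honoured by the standards subscriptions below, not by this attribute`, adjusted to the actual location. `resource "aws_securityhub_action_target" "this"` opens on the hunk's last line and continues beyond it.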
@@ -5,38 +5,34 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | -| [aws](#requirement\_aws) | >= 4.64.0 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 5.70.0 | ## Providers -No providers. +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 5.70.0 | +| [aws.administrator](#provider\_aws.administrator) | >= 5.70.0 | +| [terraform](#provider\_terraform) | n/a | ## Resources -No resources. +| Name | Type | +|------|------| ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [member\_email](#input\_member\_email) | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes | -| [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. |
list(object({
name = string
description = string
identifer = string
}))
| `[]` | no | -| [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no | -| [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no | -| [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no | -| [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no | -| [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no | -| [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. |
list(object({
name = string
standards_control_arn = string
control_status = string
disabled_reason = string
}))
| `[]` | no | +| [security\_hub](#input\_security\_hub) | Object of inputs for Security Hub configuration |
object({
member_email = string
master_id = optional(string)

auto_enable_controls = optional(bool, true)
control_finding_generator = optional(string)
enable_default_standards = optional(bool, true)

product_subscription_arns = optional(list(string), [])
standard_subscription_arns = optional(list(string), [])

action_targets = optional(list(object({
name = string
description = string
identifier = string
})), [])

standards_control_associations = optional(list(object({
name = string
association_status = string
security_control_id = string
standards_arn = string
updated_reason = optional(string)
})), [])
})
| n/a | yes | ## Outputs | Name | Description | |------|-------------| | [accepter](#output\_accepter) | Object containing the SecurityHub accepter resource | -| [account](#output\_account) | Object containing the SecurityHub account resource | -| [action\_targets](#output\_action\_targets) | Object containing the SecurityHub action targets resources | +| [account](#output\_account) | Object containing the SecurityHub resources | | [member](#output\_member) | Object containing the SecurityHub member resource | -| [subscriptions](#output\_subscriptions) | Object containing the SecurityHub subscriptions resources | From c07a582c9c9f08fa92c4eb2d50e1349842e48c16 Mon Sep 17 00:00:00 2001 From: Loren Gordon Date: Fri, 27 Dec 2024 09:25:03 -0800 Subject: [PATCH 4/4] Bumps version to 5.0.0 --- .bumpversion.cfg | 2 +- CHANGELOG.md | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.bumpversion.cfg b/.bumpversion.cfg index 2d2497a..c61c792 100644 --- a/.bumpversion.cfg +++ b/.bumpversion.cfg @@ -1,5 +1,5 @@ [bumpversion] -current_version = 4.2.1 +current_version = 5.0.0 commit = True message = Bumps version to {new_version} tag = False diff --git a/CHANGELOG.md b/CHANGELOG.md index 14e3608..3fd83ee 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/). +### [5.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/5.0.0) + +**Released**: 2024.12.30 + +**Summary**: + +* Simplifies implementation by removing unnecessary submodules +* Implements "single-object" input approach to make it easy to pass the input + object around in a root module and update it using `merge()` +* Eliminates use of module-level `depends_on` +* Uses newer `standards_control_associations` instead of `standards_control` + resource, due to explicit reference to `standards_arn` instead of requiring + `depends_on` for the standards subscription + ### [4.2.1](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.2.1) **Released**: 2023.08.30