Refactors implementation to remove unneeded submodules and modernize syntax

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.2.1
+current_version = 5.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

CHANGELOG.md

@@ -4,6 +4,20 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### [5.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/5.0.0)
+
+**Released**: 2024.12.30
+
+**Summary**:
+
+*   Simplifies implementation by removing unnecessary submodules
+*   Implements "single-object" input approach to make it easy to pass the input
+    object around in a root module and update it using `merge()`
+*   Eliminates use of module-level `depends_on`
+*   Uses newer `standards_control_associations` instead of `standards_control`
+    resource, due to explicit reference to `standards_arn` instead of requiring
+    `depends_on` for the standards subscription
+
 ### [4.2.1](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.2.1)
 
 **Released**: 2023.08.30

README.md

@@ -8,43 +8,44 @@ You can find example implementations of this module in the tests folder. This mo
 requires 2 different AWS accounts to test and so the terraform aws provider definitions
 are assuming that you will be using a profile with the name `aws` and `awsalternate`.
 
-Note: the implementation `tests/create_securityhub_member` will require you to provide the variables
-`email_address` prior to use
+Note: the implementation `tests/test-cross-account` will require you to provide the variable
+`email_address`.
 
 <!-- BEGIN TFDOCS -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.70.0 |
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.70.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_action_targets"></a> [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
-| <a name="input_auto_enable_controls"></a> [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
-| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `null` | no |
-| <a name="input_enable_default_standards"></a> [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
-| <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
-| <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
-| <a name="input_standards_controls"></a> [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. | <pre>list(object({<br>    name                  = string<br>    standards_control_arn = string<br>    control_status        = string<br>    disabled_reason       = string<br>  }))</pre> | `[]` | no |
+| <a name="input_security_hub"></a> [security\_hub](#input\_security\_hub) | Object of inputs for Security Hub configuration | <pre>object({<br>    auto_enable_controls      = optional(bool, true)<br>    control_finding_generator = optional(string)<br>    enable_default_standards  = optional(bool, true)<br><br>    product_subscription_arns  = optional(list(string), [])<br>    standard_subscription_arns = optional(list(string), [])<br><br>    action_targets = optional(list(object({<br>      name        = string<br>      description = string<br>      identifier  = string<br>    })), [])<br><br>    standards_control_associations = optional(list(object({<br>      name                = string<br>      association_status  = string<br>      security_control_id = string<br>      standards_arn       = string<br>      updated_reason      = optional(string)<br>    })), [])<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
-| <a name="output_account"></a> [account](#output\_account) | Object containing the SecurityHub account resource |
-| <a name="output_action_targets"></a> [action\_targets](#output\_action\_targets) | Object containing the SecurityHub action targets resources |
-| <a name="output_subscriptions"></a> [subscriptions](#output\_subscriptions) | Object containing the SecurityHub subscriptions resources |
+| <a name="output_account"></a> [account](#output\_account) | Object of the Security Hub account resource |
+| <a name="output_action_targets"></a> [action\_targets](#output\_action\_targets) | Map of Security Hub action targets |
+| <a name="output_product_subscriptions"></a> [product\_subscriptions](#output\_product\_subscriptions) | Map of Security Hub Product Subscriptions |
+| <a name="output_standards_control_associations"></a> [standards\_control\_associations](#output\_standards\_control\_associations) | Map of Security Hub Standards Control Associations |
+| <a name="output_standards_subscriptions"></a> [standards\_subscriptions](#output\_standards\_subscriptions) | Map of Security Hub Standards Subscriptions |
 
 <!-- END TFDOCS -->

main.tf

@@ -1,46 +1,69 @@
-# Enable SecurityHub
-module "account" {
-  source = "./modules/account"
+resource "aws_securityhub_account" "this" {
+  auto_enable_controls      = var.security_hub.auto_enable_controls
+  control_finding_generator = var.security_hub.control_finding_generator
 
-  auto_enable_controls      = var.auto_enable_controls
-  control_finding_generator = var.control_finding_generator
-  enable_default_standards  = var.enable_default_standards
+  # Set to `false` and instead use `aws_securityhub_standards_subscription` to
+  # enable default standards. This ensures the standards_arn will always be present,
+  # so it can be used in the `aws_securityhub_standards_control_association` resource
+  # to create the dependency on the subscription.
+  enable_default_standards = false
 }
 
-# Manage subscriptions
-module "subscriptions" {
-  source = "./modules/subscriptions"
+resource "aws_securityhub_action_target" "this" {
+  for_each = { for action_target in var.security_hub.action_targets : action_target.name => action_target }
 
-  standard_subscription_arns = var.standard_subscription_arns
-  product_subscription_arns  = var.product_subscription_arns
+  name        = each.value.name
+  identifier  = each.value.identifier
+  description = each.value.description
 
   depends_on = [
-    module.account
+    aws_securityhub_account.this,
   ]
 }
 
-# Manage Control status
-module "standards_controls" {
-  source   = "./modules/standards_controls"
-  for_each = { for control in var.standards_controls : control.name => control }
+resource "aws_securityhub_product_subscription" "this" {
+  for_each = toset(var.security_hub.product_subscription_arns)
+
+  product_arn = each.value
+
+  depends_on = [
+    aws_securityhub_account.this,
+  ]
+}
 
-  standards_control_arn = each.value.standards_control_arn
-  control_status        = each.value.control_status
-  disabled_reason       = each.value.disabled_reason
+resource "aws_securityhub_standards_subscription" "this" {
+  for_each = toset(local.standards_subscription_arns)
 
+  standards_arn = each.value
 
   depends_on = [
-    module.account,
-    module.subscriptions
+    aws_securityhub_account.this,
   ]
 }
 
-# Manage action targets
-module "action_targets" {
-  source   = "./modules/action_target"
-  for_each = { for action_target in var.action_targets : action_target.name => action_target }
+resource "aws_securityhub_standards_control_association" "this" {
+  for_each = { for association in var.security_hub.standards_control_associations : association.name => association }
 
-  name        = each.key
-  description = each.value.description
-  identifier  = each.value.identifier
+  standards_arn       = aws_securityhub_standards_subscription.this[each.value.standards_arn].standards_arn
+  security_control_id = each.value.security_control_id
+  association_status  = each.value.association_status
+  updated_reason      = each.value.updated_reason
 }
+
+locals {
+  standards_subscription_arns = flatten([
+    var.security_hub.enable_default_standards ? local.default_standards_arns : [],
+    var.security_hub.standard_subscription_arns,
+  ])
+
+  default_standards_arns = [
+    "arn:${local.partition}:securityhub:${local.region}::standards/aws-foundational-security-best-practices/v/1.0.0",
+    "arn:${local.partition}:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0",
+  ]
+
+  partition = data.aws_partition.current.partition
+  region    = data.aws_region.current.name
+}
+
+data "aws_partition" "current" {}
+data "aws_region" "current" {}