diff --git a/README.md b/README.md index 0b60809..225170f 100644 --- a/README.md +++ b/README.md @@ -550,7 +550,7 @@ module "landing_zone" { | [aws\_guardduty](#input\_aws\_guardduty) | AWS GuardDuty settings | 
object({
    enabled                       = optional(bool, true)
    finding_publishing_frequency  = optional(string, "FIFTEEN_MINUTES")
    ebs_malware_protection_status = optional(bool, true)
    eks_audit_logs_status         = optional(bool, true)
    lambda_network_logs_status    = optional(bool, true)
    rds_login_events_status       = optional(bool, true)
    s3_data_events_status         = optional(bool, true)
    runtime_monitoring_status = optional(object({
      enabled                             = optional(bool, true)
      eks_addon_management_status         = optional(bool, true)
      ecs_fargate_agent_management_status = optional(bool, true)
      ec2_agent_management_status         = optional(bool, true)
    }), {})
  })
| `{}` | no | | [aws\_inspector](#input\_aws\_inspector) | AWS Inspector settings, at least one of the scan options must be enabled | 
object({
    enabled                 = optional(bool, false)
    enable_scan_ec2         = optional(bool, true)
    enable_scan_ecr         = optional(bool, true)
    enable_scan_lambda      = optional(bool, true)
    enable_scan_lambda_code = optional(bool, true)
    resource_create_timeout = optional(string, "15m")
  })
| 
{
  "enable_scan_ec2": true,
  "enable_scan_ecr": true,
  "enable_scan_lambda": true,
  "enable_scan_lambda_code": true,
  "enabled": false,
  "resource_create_timeout": "15m"
}
| no | | [aws\_required\_tags](#input\_aws\_required\_tags) | AWS Required tags settings | 
map(list(object({
    name         = string
    values       = optional(list(string))
    enforced_for = optional(list(string))
  })))
| `null` | no | -| [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | 
object({
    aggregator_linking_mode         = optional(string, "ALL_REGIONS")
    aggregator_specified_regions    = optional(list(string), [])
    auto_enable_controls            = optional(bool, true)
    auto_enable_default_standards   = optional(bool, false)
    auto_enable_new_accounts        = optional(bool, true)
    control_finding_generator       = optional(string, "SECURITY_CONTROL")
    create_cis_metric_filters       = optional(bool, true)
    organization_configuration_type = optional(string, "LOCAL")
    product_arns                    = optional(list(string), [])
    standards_arns                  = optional(list(string), null)
  })
| `{}` | no | +| [aws\_security\_hub](#input\_aws\_security\_hub) | AWS Security Hub settings | 
object({
    aggregator_linking_mode         = optional(string, "ALL_REGIONS")
    aggregator_specified_regions    = optional(list(string), null)
    auto_enable_controls            = optional(bool, true)
    auto_enable_default_standards   = optional(bool, false)
    auto_enable_new_accounts        = optional(bool, true)
    control_finding_generator       = optional(string, "SECURITY_CONTROL")
    create_cis_metric_filters       = optional(bool, true)
    organization_configuration_type = optional(string, "LOCAL")
    product_arns                    = optional(list(string), [])
    standards_arns                  = optional(list(string), null)
  })
| `{}` | no | | [aws\_security\_hub\_sns\_subscription](#input\_aws\_security\_hub\_sns\_subscription) | Subscription options for the LandingZone-SecurityHubFindings SNS topic | 
map(object({
    endpoint = string
    protocol = string
  }))
| `{}` | no | | [aws\_service\_control\_policies](#input\_aws\_service\_control\_policies) | AWS SCP's parameters to disable required/denied policies, set a list of allowed AWS regions, and set principals that are exempt from the restriction | 
object({
    allowed_regions                 = optional(list(string), [])
    aws_deny_disabling_security_hub = optional(bool, true)
    aws_deny_leaving_org            = optional(bool, true)
    aws_deny_root_user_ous          = optional(list(string), [])
    aws_require_imdsv2              = optional(bool, true)
    principal_exceptions            = optional(list(string), [])
  })
| `{}` | no | | [aws\_sso\_permission\_sets](#input\_aws\_sso\_permission\_sets) | Map of AWS IAM Identity Center permission sets with AWS accounts and group names that should be granted access to each account | 
map(object({
    assignments         = list(map(list(string)))
    inline_policy       = optional(string, null)
    managed_policy_arns = optional(list(string), [])
    session_duration    = optional(string, "PT4H")
  }))
| `{}` | no | diff --git a/security_hub.tf b/security_hub.tf index 010703f..56d46f5 100644 --- a/security_hub.tf +++ b/security_hub.tf @@ -146,7 +146,7 @@ resource "aws_securityhub_standards_subscription" "logging" { resource "aws_securityhub_finding_aggregator" "default" { linking_mode = var.aws_security_hub.aggregator_linking_mode - specified_regions = var.aws_security_hub.aggregator_specified_regions + specified_regions = var.aws_security_hub.aggregator_specified_regions == [] ? null : var.aws_security_hub.aggregator_specified_regions depends_on = [aws_securityhub_account.default] } diff --git a/variables.tf b/variables.tf index 49e38cf..06d075f 100644 --- a/variables.tf +++ b/variables.tf @@ -152,7 +152,7 @@ variable "aws_required_tags" { variable "aws_security_hub" { type = object({ aggregator_linking_mode = optional(string, "ALL_REGIONS") - aggregator_specified_regions = optional(list(string), null) + aggregator_specified_regions = optional(list(string), []) auto_enable_controls = optional(bool, true) auto_enable_default_standards = optional(bool, false) auto_enable_new_accounts = optional(bool, true)