Skip to content

Commit

Permalink
Ensure allowed_regions contains at least one region.
Browse files Browse the repository at this point in the history
  • Loading branch information
Johan Steenhoven authored and Johan Steenhoven committed Dec 17, 2024
1 parent 3e36ef6 commit 1f2476e
Show file tree
Hide file tree
Showing 4 changed files with 9 additions and 9 deletions.
4 changes: 2 additions & 2 deletions config.tf
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
locals {
aws_config_aggregators = flatten([
for account in toset(try(var.aws_config.aggregator_account_ids, [])) : [
for region in toset(try(var.allowed_regions, [])) : {
for region in toset(try(local.allowed_regions_with_us_east, [])) : {
account_id = account
region = region
}
Expand Down Expand Up @@ -32,7 +32,7 @@ resource "aws_config_aggregate_authorization" "master" {
}

resource "aws_config_aggregate_authorization" "master_to_audit" {
for_each = toset(coalescelist(var.allowed_regions, [data.aws_region.current.name]))
for_each = local.allowed_regions_with_us_east

account_id = var.control_tower_account_ids.audit
region = each.value
Expand Down
4 changes: 4 additions & 0 deletions locals.tf
Original file line number Diff line number Diff line change
Expand Up @@ -34,4 +34,8 @@ locals {
security_hub_has_cis_aws_foundations_enabled = length(regexall(
"cis-aws-foundations-benchmark/v", join(",", local.security_hub_standards_arns)
)) > 0 ? true : false

allowed_regions = toset(distinct(concat(var.allowed_regions, [data.aws_region.current.name])))
allowed_regions_with_us_east = toset(distinct(concat(var.allowed_regions, [data.aws_region.current.name], ["us-east-1"])))
allowed_regions_except_home_region = setsubtract(local.allowed_regions_with_us_east, [data.aws_region.current.name])
}
2 changes: 1 addition & 1 deletion organizations_policy.tf
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ locals {
allowed_regions = {
enable = var.allowed_regions != null ? true : false
policy = var.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
allowed = var.allowed_regions != null ? var.allowed_regions : []
allowed = var.allowed_regions != null ? local.allowed_regions : []
exceptions = local.aws_service_control_policies_principal_exceptions
}) : null
}
Expand Down
8 changes: 2 additions & 6 deletions security_hub.tf
Original file line number Diff line number Diff line change
@@ -1,7 +1,3 @@
locals {
all_regions_except_home_region = setsubtract(var.allowed_regions, (data.aws_region.current.name))
}

// AWS Security Hub - Management account configuration and enrollment
resource "aws_securityhub_organization_admin_account" "default" {
admin_account_id = data.aws_caller_identity.audit.account_id
Expand Down Expand Up @@ -111,11 +107,11 @@ resource "aws_securityhub_member" "logging" {


resource "aws_securityhub_finding_aggregator" "default" {
count = length(local.all_regions_except_home_region) == 0 ? 0 : 1
count = length(local.allowed_regions_except_home_region) == 0 ? 0 : 1
provider = aws.audit

linking_mode = var.aws_security_hub.aggregator_linking_mode
specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? local.all_regions_except_home_region : null
specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? local.allowed_regions_with_us_east : null

depends_on = [aws_securityhub_account.default]
}
Expand Down

0 comments on commit 1f2476e

Please sign in to comment.