diff --git a/config.tf b/config.tf
index 74079f2..203705e 100644
--- a/config.tf
+++ b/config.tf
@@ -1,7 +1,7 @@
 locals {
 aws_config_aggregators = flatten([
 for account in toset(try(var.aws_config.aggregator_account_ids, [])) : [
- for region in toset(try(var.allowed_regions, [])) : {
+ for region in toset(try(local.allowed_regions_with_us_east, [])) : {
 account_id = account
 region = region
 }
@@ -32,7 +32,7 @@ resource "aws_config_aggregate_authorization" "master" {
 }
 resource "aws_config_aggregate_authorization" "master_to_audit" {
- for_each = toset(coalescelist(var.allowed_regions, [data.aws_region.current.name]))
+ for_each = local.allowed_regions_with_us_east
 account_id = var.control_tower_account_ids.audit
 region = each.value
diff --git a/locals.tf b/locals.tf
index 0727e22..d6d9659 100644
--- a/locals.tf
+++ b/locals.tf
@@ -34,4 +34,8 @@ locals {
 security_hub_has_cis_aws_foundations_enabled = length(regexall(
 "cis-aws-foundations-benchmark/v", join(",", local.security_hub_standards_arns)
 )) > 0 ? true : false
+
+ allowed_regions = toset(distinct(concat(var.allowed_regions, [data.aws_region.current.name])))
+ allowed_regions_with_us_east = toset(distinct(concat(var.allowed_regions, [data.aws_region.current.name], ["us-east-1"])))
+ allowed_regions_except_home_region = setsubtract(local.allowed_regions_with_us_east, [data.aws_region.current.name])
 }
diff --git a/organizations_policy.tf b/organizations_policy.tf
index f515965..b91cae8 100644
--- a/organizations_policy.tf
+++ b/organizations_policy.tf
@@ -3,7 +3,7 @@ locals {
 allowed_regions = {
 enable = var.allowed_regions != null ? true : false
 policy = var.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
- allowed = var.allowed_regions != null ? var.allowed_regions : []
+ allowed = var.allowed_regions != null ? local.allowed_regions : []
 exceptions = local.aws_service_control_policies_principal_exceptions
 }) : null
 }
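Review bot: The `try(local.allowed_regions_with_us_east, [])` wrapper in the new for-expression no longer guards anything: the local is defined unconditionally in locals.tf, so a null `var.allowed_regions` fails there before this expression is evaluated, and a valid set never reaches the fallback. Leaving try() in place suggests a null case is handled here that is not; I would write `for region in local.allowed_regions_with_us_east : {` (the local is already a set, so the toset() is redundant as well). The enclosing `locals` block continues past the end of the hunk.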
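Review bot: The three new locals pass `var.allowed_regions` straight into concat() with no null guard, while organizations_policy.tf still tests `var.allowed_regions != null` and config.tf wrapped it in `try(var.allowed_regions, [])` before this change, which suggests the variable can be null; concat() with a null argument is a plan-time error, and locals are evaluated whether or not anything references them. Following the pattern the module already uses, the first two definitions would read `concat(var.allowed_regions != null ? var.allowed_regions : [], [data.aws_region.current.name])` (plus `["us-east-1"]` in the second). These locals also silently widen every consumer beyond `var.allowed_regions` — the home region and us-east-1 are always authorised for Config aggregation and Security Hub linking even when the operator did not list them — and nothing documents why; a comment above the block such as `# The home region and us-east-1 are always included because <reason — TODO fill in>` would make that decision visible to the next reader. Naming the first local `allowed_regions` when it differs from `var.allowed_regions` invites confusion; something like `allowed_regions_with_home` would say what it holds.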
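Review bot: The inner `var.allowed_regions != null ? local.allowed_regions : []` is now redundant, because the enclosing `policy = var.allowed_regions != null ? templatefile(...) : null` already guards the same condition; `allowed = local.allowed_regions` expresses the intent more directly. Separately, the SCP allow-list is built from `local.allowed_regions`, which omits us-east-1, whereas the Config and Security Hub resources in this same commit use `local.allowed_regions_with_us_east`; whether the policy's `exceptions` cover the principals those services use in us-east-1 depends on the template, which is outside this diff, so that is worth confirming before merge. The hunk header places `allowed_regions = {` at line 3 of a `locals` block, so it is presumably a nested map key rather than a top-level local; if it were top-level it would collide with the new `local.allowed_regions` in locals.tf. The enclosing `locals` block continues outside the hunk.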
diff --git a/security_hub.tf b/security_hub.tf
index a6bcac8..15b079a 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -1,7 +1,3 @@
-locals {
- all_regions_except_home_region = setsubtract(var.allowed_regions, (data.aws_region.current.name))
-}
-
 // AWS Security Hub - Management account configuration and enrollment
 resource "aws_securityhub_organization_admin_account" "default" {
 admin_account_id = data.aws_caller_identity.audit.account_id
@@ -111,11 +107,11 @@ resource "aws_securityhub_member" "logging" {
 resource "aws_securityhub_finding_aggregator" "default" {
- count = length(local.all_regions_except_home_region) == 0 ? 0 : 1
+ count = length(local.allowed_regions_except_home_region) == 0 ? 0 : 1
 provider = aws.audit
 linking_mode = var.aws_security_hub.aggregator_linking_mode
- specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? local.all_regions_except_home_region : null
+ specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? local.allowed_regions_with_us_east : null
 depends_on = [aws_securityhub_account.default]
 }
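Review bot: `count` is gated on `local.allowed_regions_except_home_region` but `specified_regions` now passes `local.allowed_regions_with_us_east`, which includes the home region the aggregator itself is created in; before this change both lines used the same home-region-excluded set. The new `allowed_regions_except_home_region` local appears to have been introduced for exactly this attribute, so `specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? local.allowed_regions_except_home_region : null` keeps the gate and the region list consistent and avoids listing the aggregation region among the linked regions, which I believe the Security Hub API does not accept (confirm against the provider). The resource block is complete within the hunk.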