diff --git a/security_hub.tf b/security_hub.tf
index 5f04a7f..b4a7a78 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -7,6 +7,7 @@ resource "aws_securityhub_organization_admin_account" "default" {
 resource "aws_securityhub_account" "management" {
 control_finding_generator = var.aws_security_hub.control_finding_generator
+ enable_default_standards = var.aws_security_hub.enable_default_standards_on_core
 depends_on = [aws_securityhub_organization_configuration.default]
 }
@@ -28,7 +29,7 @@ resource "aws_securityhub_standards_subscription" "management" {
 standards_arn = each.value
- depends_on = [aws_securityhub_account.default]
+ depends_on = [aws_securityhub_account.management]
 }
 // AWS Security Hub - Audit account configuration and enrollment
@@ -36,6 +37,7 @@ resource "aws_securityhub_account" "default" {
 provider = aws.audit
 control_finding_generator = var.aws_security_hub.control_finding_generator
+ enable_default_standards = var.aws_security_hub.enable_default_standards_on_core
 }
 resource "aws_securityhub_organization_configuration" "default" {
@@ -114,6 +116,15 @@ resource "aws_sns_topic_subscription" "security_hub_findings" {
 }
 // AWS Security Hub - Logging account enrollment
+resource "aws_securityhub_account" "logging" {
+ provider = aws.audit
+
+ control_finding_generator = var.aws_security_hub.control_finding_generator
+ enable_default_standards = var.aws_security_hub.enable_default_standards_on_core
+
+ depends_on = [aws_securityhub_organization_configuration.default]
+}
+
 resource "aws_securityhub_member" "logging" {
 provider = aws.audit
@@ -123,7 +134,7 @@ resource "aws_securityhub_member" "logging" {
 ignore_changes = [invite]
 }
- depends_on = [aws_securityhub_organization_configuration.default]
+ depends_on = [aws_securityhub_account.logging]
 }
 resource "aws_securityhub_standards_subscription" "logging" {
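Review bot: The added `enable_default_standards = var.aws_security_hub.enable_default_standards_on_core` on `aws_securityhub_account.management` (and the same line on `aws_securityhub_account.default` in the third hunk) defaults to `true` while the organization-level `auto_enable_default_standards` in variables.tf defaults to `false`, and nothing in the file says which standards each knob governs. A comment on the attribute would help, e.g. `# Default standards AWS designates for this account at enable time; independent of the organization-level auto_enable_default_standards`. Standards enabled this way are not represented as `aws_securityhub_standards_subscription` resources, so if `var.aws_security_hub.standards_arns` lists one of the same standards the explicit subscription may conflict with the already-enabled one; worth confirming against the provider. As far as I recall the provider treats `enable_default_standards` as create-time only and replaces the account resource when it changes, which would disable and re-enable Security Hub in the management and audit accounts if the variable is flipped later; confirm before exposing it as a tunable.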
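Review bot: The new `aws_securityhub_account.logging` sets `provider = aws.audit`, so it enables Security Hub in the audit account a second time (`aws_securityhub_account.default` in the third hunk already uses `aws.audit`) rather than in the logging account that the `// AWS Security Hub - Logging account enrollment` comment describes. The companion `aws_securityhub_standards_subscription.logging` in the next hunk uses `provider = aws.logging`, and `aws_securityhub_member.logging` now depends on this resource as though it enabled the logging account; two account resources for one account are likely to collide on apply, and the logging-account standards subscription can fail if Security Hub has not actually been enabled there. The fix is `provider = aws.logging` on the new resource.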
@@ -131,5 +142,5 @@ resource "aws_securityhub_standards_subscription" "logging" {
 provider = aws.logging
 standards_arn = each.value
- depends_on = [aws_securityhub_account.default]
+ depends_on = [aws_securityhub_account.logging]
 }
diff --git a/variables.tf b/variables.tf
index cd6442f..bf78c0c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -111,22 +111,20 @@ variable "aws_required_tags" {
 variable "aws_security_hub" {
 type = object({
- enabled = optional(bool, true)
- auto_enable_controls = optional(bool, true)
- auto_enable_default_standards = optional(bool, false)
- control_finding_generator = optional(string, "SECURITY_CONTROL")
- create_cis_metric_filters = optional(bool, true)
- product_arns = optional(list(string), [])
- standards_arns = optional(list(string), null)
+ enable_default_standards_on_core = optional(bool, true)
+ auto_enable_default_standards = optional(bool, false)
+ control_finding_generator = optional(string, "SECURITY_CONTROL")
+ create_cis_metric_filters = optional(bool, true)
+ product_arns = optional(list(string), [])
+ standards_arns = optional(list(string), null)
 })
 default = {
- enabled = true
- auto_enable_controls = true
- auto_enable_default_standards = false
- control_finding_generator = "SECURITY_CONTROL"
- create_cis_metric_filters = true
- product_arns = []
- standards_arns = null
+ enable_default_standards_on_core = true
+ auto_enable_default_standards = false
+ control_finding_generator = "SECURITY_CONTROL"
+ create_cis_metric_filters = true
+ product_arns = []
+ standards_arns = null
 }
 description = "AWS Security Hub settings"