fix: allow more flexibility in configuring security hub for core accounts
carlovoSBP committed Oct 4, 2023
1 parent eb590f1 commit bb9cce7
Showing 2 changed files with 26 additions and 17 deletions.
17 changes: 14 additions & 3 deletions security_hub.tf
Expand Up @@ -7,6 +7,7 @@ resource "aws_securityhub_organization_admin_account" "default" {

resource "aws_securityhub_account" "management" {
control_finding_generator = var.aws_security_hub.control_finding_generator
enable_default_standards = var.enable_default_standards_on_core

depends_on = [aws_securityhub_organization_configuration.default]
}
Expand All @@ -28,14 +29,15 @@ resource "aws_securityhub_standards_subscription" "management" {

standards_arn = each.value

depends_on = [aws_securityhub_account.default]
depends_on = [aws_securityhub_account.management]
}

// AWS Security Hub - Audit account configuration and enrollment
resource "aws_securityhub_account" "default" {
provider = aws.audit

control_finding_generator = var.aws_security_hub.control_finding_generator
enable_default_standards = var.enable_default_standards_on_core
}

resource "aws_securityhub_organization_configuration" "default" {
Expand Down Expand Up @@ -114,6 +116,15 @@ resource "aws_sns_topic_subscription" "security_hub_findings" {
}

// AWS Security Hub - Logging account enrollment
resource "aws_securityhub_account" "logging" {
provider = aws.audit

control_finding_generator = var.aws_security_hub.control_finding_generator
enable_default_standards = var.enable_default_standards_on_core

depends_on = [aws_securityhub_organization_configuration.default]
}

resource "aws_securityhub_member" "logging" {
provider = aws.audit

Expand All @@ -123,13 +134,13 @@ resource "aws_securityhub_member" "logging" {
ignore_changes = [invite]
}

depends_on = [aws_securityhub_organization_configuration.default]
depends_on = [aws_securityhub_account.logging]
}

resource "aws_securityhub_standards_subscription" "logging" {
for_each = toset(local.security_hub_standards_arns)
provider = aws.logging

standards_arn = each.value
depends_on = [aws_securityhub_account.default]
depends_on = [aws_securityhub_account.logging]
}
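Review bot: The three new `enable_default_standards = var.enable_default_standards_on_core` lines (in the management, audit and logging `aws_securityhub_account` resources) reference a root-level variable that this commit does not declare; variables.tf only adds `enable_default_standards_on_core` as a key inside the `aws_security_hub` object, so unless a variable of that exact name already exists outside this diff, `terraform validate` will reject the reference as undeclared. Each of the three lines should read `enable_default_standards = var.aws_security_hub.enable_default_standards_on_core`, matching how `control_finding_generator` is read on the line directly above it. Separately, the new `aws_securityhub_account "logging"` resource is created with `provider = aws.audit` while the standards subscription for the same account further down uses `provider = aws.logging`; as written it appears to enable Security Hub in the audit account a second time (already managed by `aws_securityhub_account.default`) rather than in the logging account, so the intended provider should be confirmed.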
26 changes: 12 additions & 14 deletions variables.tf
Expand Up @@ -111,22 +111,20 @@ variable "aws_required_tags" {

variable "aws_security_hub" {
type = object({
enabled = optional(bool, true)
auto_enable_controls = optional(bool, true)
auto_enable_default_standards = optional(bool, false)
control_finding_generator = optional(string, "SECURITY_CONTROL")
create_cis_metric_filters = optional(bool, true)
product_arns = optional(list(string), [])
standards_arns = optional(list(string), null)
enable_default_standards_on_core = optional(bool, true)
auto_enable_default_standards = optional(bool, false)
control_finding_generator = optional(string, "SECURITY_CONTROL")
create_cis_metric_filters = optional(bool, true)
product_arns = optional(list(string), [])
standards_arns = optional(list(string), null)
})
default = {
enabled = true
auto_enable_controls = true
auto_enable_default_standards = false
control_finding_generator = "SECURITY_CONTROL"
create_cis_metric_filters = true
product_arns = []
standards_arns = null
enable_default_standards_on_core = true
auto_enable_default_standards = false
control_finding_generator = "SECURITY_CONTROL"
create_cis_metric_filters = true
product_arns = []
standards_arns = null
}
description = "AWS Security Hub settings"

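Review bot: The `aws_security_hub` variable's description still reads only `AWS Security Hub settings` and does not say what the new `enable_default_standards_on_core` key (defaulting to `true`) controls, even though it is evidently intended to feed `enable_default_standards` on the three core `aws_securityhub_account` resources in security_hub.tf and therefore decides whether AWS default standards are switched on in those accounts. Suggest extending the description with a sentence such as `enable_default_standards_on_core: whether the AWS default standards are enabled when Security Hub is enabled in the management, audit and logging accounts (default true)`. The new object definition also appears to drop the `enabled` and `auto_enable_controls` keys that the previous definition carried; if any `var.aws_security_hub.enabled` or `var.aws_security_hub.auto_enable_controls` reference remains elsewhere in the module it will now fail validation, and the commit message does not mention this removal.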
