From acd146446546d1929ad3efdaf4acda5a5a4fd9a4 Mon Sep 17 00:00:00 2001 
From: nozaq Date: Fri, 7 Jan 2022 22:45:24 +0900 Subject: [PATCH] refactor: use module count instead of having ennabled variable in each submodule. (#195) * refactor: use `count` to toggle vpc-baseline * refactor: use `count` to toggle guardduty-baseline * refactor: use `count` to toggle securityhub-baseline * refactor: use `count` to toggle ebs-baseline * refactor: use `count` to toggle analyzer-baseline * refactor: use `count` to toggle config-baseline * refactor: use `count` to toggle cloudtrail-baseline * refactor: use `count` to toggle alarm-baseline * refactor: add migrations --- README.md | 4 +- analyzer_baselines.tf | 35 +- config_baselines.tf | 68 +-- ebs_baselines.tf | 50 +- guardduty_baselines.tf | 34 +- main.tf | 8 +- migrations.tf | 529 +++++++++++++++++++++ modules/alarm-baseline/README.md | 3 +- modules/alarm-baseline/main.tf | 101 ++-- modules/alarm-baseline/migrations.tf | 13 + modules/alarm-baseline/variables.tf | 5 - modules/alarm-baseline/versions.tf | 2 +- modules/analyzer-baseline/README.md | 3 +- modules/analyzer-baseline/main.tf | 2 - modules/analyzer-baseline/migrations.tf | 8 + modules/analyzer-baseline/variables.tf | 5 - modules/analyzer-baseline/versions.tf | 2 +- modules/cloudtrail-baseline/README.md | 3 +- modules/cloudtrail-baseline/main.tf | 22 +- modules/cloudtrail-baseline/migrations.tf | 13 + modules/cloudtrail-baseline/outputs.tf | 10 +- modules/cloudtrail-baseline/variables.tf | 5 - modules/cloudtrail-baseline/versions.tf | 2 +- modules/config-baseline/README.md | 3 +- modules/config-baseline/main.tf | 25 +- modules/config-baseline/migrations.tf | 28 ++ modules/config-baseline/outputs.tf | 4 +- modules/config-baseline/variables.tf | 5 - modules/config-baseline/versions.tf | 2 +- modules/ebs-baseline/README.md | 6 +- modules/ebs-baseline/main.tf | 2 - modules/ebs-baseline/migrations.tf | 8 + modules/ebs-baseline/variables.tf | 4 - modules/ebs-baseline/versions.tf | 2 +- modules/guardduty-baseline/README.md | 3 +- 
modules/guardduty-baseline/main.tf | 10 +- modules/guardduty-baseline/migrations.tf | 8 + modules/guardduty-baseline/outputs.tf | 2 +- modules/guardduty-baseline/variables.tf | 5 - modules/guardduty-baseline/versions.tf | 2 +- modules/securityhub-baseline/README.md | 3 +- modules/securityhub-baseline/main.tf | 11 +- modules/securityhub-baseline/migrations.tf | 9 + modules/securityhub-baseline/variables.tf | 5 - modules/securityhub-baseline/versions.tf | 2 +- modules/vpc-baseline/README.md | 3 +- modules/vpc-baseline/main.tf | 20 +- modules/vpc-baseline/migrations.tf | 23 + modules/vpc-baseline/outputs.tf | 10 +- modules/vpc-baseline/variables.tf | 5 - modules/vpc-baseline/versions.tf | 2 +- outputs.tf | 282 +++++------ securityhub_baselines.tf | 35 +- vpc_baselines.tf | 34 +- 54 files changed, 1016 insertions(+), 474 deletions(-) create mode 100644 migrations.tf create mode 100644 modules/alarm-baseline/migrations.tf create mode 100644 modules/analyzer-baseline/migrations.tf create mode 100644 modules/cloudtrail-baseline/migrations.tf create mode 100644 modules/config-baseline/migrations.tf create mode 100644 modules/ebs-baseline/migrations.tf create mode 100644 modules/guardduty-baseline/migrations.tf create mode 100644 modules/securityhub-baseline/migrations.tf create mode 100644 modules/vpc-baseline/migrations.tf diff --git a/README.md b/README.md index f1399334..5e080429 100644 --- a/README.md +++ b/README.md @@ -110,7 +110,7 @@ This module is composed of several submodules and each of which can be used inde | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.15 | +| [terraform](#requirement\_terraform) | >= 1.1.3 | | [aws](#requirement\_aws) | >= 3.50.0 | ## Providers 
@@ -377,7 +377,7 @@ This module is composed of several submodules and each of which can be used inde | [cloudtrail\_sns\_topic](#output\_cloudtrail\_sns\_topic) | The sns topic linked to the cloudtrail. | | [config\_configuration\_recorder](#output\_config\_configuration\_recorder) | The configuration recorder in each region. | | [config\_iam\_role](#output\_config\_iam\_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | -| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic that AWS Config delivers notifications to. | +| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic) that AWS Config delivers notifications to. | | [default\_network\_acl](#output\_default\_network\_acl) | The default network ACL. | | [default\_route\_table](#output\_default\_route\_table) | The default route table. | | [default\_security\_group](#output\_default\_security\_group) | The ID of the default security group. | diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 69a74954..69caab85 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf 
@@ -6,220 +6,221 @@ locals { # Analyzer Baseline # -------------------------------------------------------------------------------------------------- module "analyzer_baseline_ap-northeast-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-1") + analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ap-northeast-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ap-south-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-south-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-south-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ap-northeast-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-3") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-northeast-3") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ap-southeast-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-1") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ap-southeast-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_ca-central-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.ca-central-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_eu-central-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-central-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_eu-north-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-north-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-north-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_eu-west-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-1") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_eu-west-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_eu-west-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.eu-west-3 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "eu-west-3") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_sa-east-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.sa-east-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_us-east-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-east-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-east-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_us-east-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-east-2") ? 
1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-east-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-east-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_us-west-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-west-1") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-west-1 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-west-1") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags } module "analyzer_baseline_us-west-2" { + count = local.is_analyzer_enabled && contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/analyzer-baseline" providers = { aws = aws.us-west-2 } - enabled = local.is_analyzer_enabled && contains(var.target_regions, "us-west-2") analyzer_name = var.analyzer_name is_organization = local.is_master_account tags = var.tags diff --git a/config_baselines.tf b/config_baselines.tf index 68d0de2f..de3cb477 100644 --- a/config_baselines.tf +++ b/config_baselines.tf 
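Review bot: Dropping the `enabled` argument from every `analyzer_baseline_<region>` call is a breaking change for anyone who consumes `./modules/analyzer-baseline` directly, because the diffstat shows matching deletions in `modules/analyzer-baseline/variables.tf` and a caller that still passes `enabled = ...` will fail with an unsupported-argument error; the same applies to the config, ebs and guardduty hunks below and, per the diffstat, to the alarm, cloudtrail, securityhub and vpc modules. The README hunk in this commit only raises the Terraform floor to `>= 1.1.3`, so I would add a short migration paragraph (README or CHANGELOG) saying that `enabled` is gone, that the toggle is now `count` on the module block, and that the new `migrations.tf` files carry the state moves — presumably `moved` blocks, which is what would force the 1.1 floor. Users should also be told to run `terraform plan` after upgrading and confirm the plan shows no destroy/recreate of the analyzers before applying.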
@@ -1,22 +1,22 @@ locals { config_topics = [ - module.config_baseline_ap-northeast-1.config_sns_topic, - module.config_baseline_ap-northeast-2.config_sns_topic, - module.config_baseline_ap-northeast-3.config_sns_topic, - module.config_baseline_ap-south-1.config_sns_topic, - module.config_baseline_ap-southeast-1.config_sns_topic, - module.config_baseline_ap-southeast-2.config_sns_topic, - module.config_baseline_ca-central-1.config_sns_topic, - module.config_baseline_eu-central-1.config_sns_topic, - module.config_baseline_eu-north-1.config_sns_topic, - module.config_baseline_eu-west-1.config_sns_topic, - module.config_baseline_eu-west-2.config_sns_topic, - module.config_baseline_eu-west-3.config_sns_topic, - module.config_baseline_sa-east-1.config_sns_topic, - module.config_baseline_us-east-1.config_sns_topic, - module.config_baseline_us-east-2.config_sns_topic, - module.config_baseline_us-west-1.config_sns_topic, - module.config_baseline_us-west-2.config_sns_topic, + one(module.config_baseline_ap-northeast-1[*].config_sns_topic), + one(module.config_baseline_ap-northeast-2[*].config_sns_topic), + one(module.config_baseline_ap-northeast-3[*].config_sns_topic), + one(module.config_baseline_ap-south-1[*].config_sns_topic), + one(module.config_baseline_ap-southeast-1[*].config_sns_topic), + one(module.config_baseline_ap-southeast-2[*].config_sns_topic), + one(module.config_baseline_ca-central-1[*].config_sns_topic), + one(module.config_baseline_eu-central-1[*].config_sns_topic), + one(module.config_baseline_eu-north-1[*].config_sns_topic), + one(module.config_baseline_eu-west-1[*].config_sns_topic), + one(module.config_baseline_eu-west-2[*].config_sns_topic), + one(module.config_baseline_eu-west-3[*].config_sns_topic), + one(module.config_baseline_sa-east-1[*].config_sns_topic), + one(module.config_baseline_us-east-1[*].config_sns_topic), + one(module.config_baseline_us-east-2[*].config_sns_topic), + one(module.config_baseline_us-west-1[*].config_sns_topic), + 
one(module.config_baseline_us-west-2[*].config_sns_topic), ] } @@ -92,13 +92,13 @@ resource "aws_iam_role_policy_attachment" "recorder_read_policy" { # Global resource types are only recorded in the region specified by var.region. # -------------------------------------------------------------------------------------------------- module "config_baseline_ap-northeast-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -112,13 +112,13 @@ module "config_baseline_ap-northeast-1" { } module "config_baseline_ap-northeast-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -132,13 +132,13 @@ module "config_baseline_ap-northeast-2" { } module "config_baseline_ap-northeast-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-3") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-northeast-3") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
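Review bot: Each `one(module.config_baseline_<region>[*].config_sns_topic)` entry evaluates to `null` when that module's `count` is 0, so `local.config_topics` now carries one null per disabled region instead of only real topics; anything that iterates it with `count`/`for_each`, or a policy document built from it, needs the nulls stripped — `compact()` if the entries are ARN strings, otherwise a `for` filter with `if t != null`. If the old `config_sns_topic` output already returned null when `enabled` was false this is behavior-preserving, but outputs.tf is not in view and the diffstat shows a large rewrite there, so I would check the consumers of `local.config_topics` rather than assume it. A one-line comment above the list, `# entries are null for regions where the config baseline is disabled`, would spare the next reader the same check.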
@@ -152,13 +152,13 @@ module "config_baseline_ap-northeast-3" { } module "config_baseline_ap-south-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-south-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-south-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -172,13 +172,13 @@ module "config_baseline_ap-south-1" { } module "config_baseline_ap-southeast-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -192,13 +192,13 @@ module "config_baseline_ap-southeast-1" { } module "config_baseline_ap-southeast-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ap-southeast-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -212,13 +212,13 @@ module "config_baseline_ap-southeast-2" { } module "config_baseline_ca-central-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.ca-central-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -232,13 +232,13 @@ module "config_baseline_ca-central-1" { } module "config_baseline_eu-central-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-central-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-central-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -252,13 +252,13 @@ module "config_baseline_eu-central-1" { } module "config_baseline_eu-north-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-north-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-north-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -272,13 +272,13 @@ module "config_baseline_eu-north-1" { } module "config_baseline_eu-west-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -292,13 +292,13 @@ module "config_baseline_eu-west-1" { } module "config_baseline_eu-west-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -312,13 +312,13 @@ module "config_baseline_eu-west-2" { } module "config_baseline_eu-west-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.eu-west-3 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "eu-west-3") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -332,13 +332,13 @@ module "config_baseline_eu-west-3" { } module "config_baseline_sa-east-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.sa-east-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -352,13 +352,13 @@ module "config_baseline_sa-east-1" { } module "config_baseline_us-east-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-east-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-east-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix 
@@ -372,13 +372,13 @@ module "config_baseline_us-east-1" { } module "config_baseline_us-east-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-east-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-east-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-east-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -392,13 +392,13 @@ module "config_baseline_us-east-2" { } module "config_baseline_us-west-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-west-1") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-west-1 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-west-1") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix @@ -412,13 +412,13 @@ module "config_baseline_us-west-1" { } module "config_baseline_us-west-2" { + count = var.config_baseline_enabled && contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/config-baseline" providers = { aws = aws.us-west-2 } - enabled = var.config_baseline_enabled && contains(var.target_regions, "us-west-2") iam_role_arn = one(aws_iam_role.recorder[*].arn) s3_bucket_name = local.audit_log_bucket_id s3_key_prefix = var.config_s3_bucket_key_prefix diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 2a3ec0c3..51091ab5 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf 
@@ -2,170 +2,154 @@ # SecurityHub Baseline # -------------------------------------------------------------------------------------------------- module "ebs_baseline_ap-northeast-1" { + count = contains(var.target_regions, "ap-northeast-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = contains(var.target_regions, "ap-northeast-1") } module "ebs_baseline_ap-northeast-2" { + count = contains(var.target_regions, "ap-northeast-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-2 } - - enabled = contains(var.target_regions, "ap-northeast-2") } module "ebs_baseline_ap-northeast-3" { + count = contains(var.target_regions, "ap-northeast-3") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-northeast-3 } - - enabled = contains(var.target_regions, "ap-northeast-3") } module "ebs_baseline_ap-south-1" { + count = contains(var.target_regions, "ap-south-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-south-1 } - - enabled = contains(var.target_regions, "ap-south-1") } module "ebs_baseline_ap-southeast-1" { + count = contains(var.target_regions, "ap-southeast-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-southeast-1 } - - enabled = contains(var.target_regions, "ap-southeast-1") } module "ebs_baseline_ap-southeast-2" { + count = contains(var.target_regions, "ap-southeast-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ap-southeast-2 } - - enabled = contains(var.target_regions, "ap-southeast-2") } module "ebs_baseline_ca-central-1" { + count = contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.ca-central-1 } - - enabled = contains(var.target_regions, "ca-central-1") } module "ebs_baseline_eu-central-1" { + count = contains(var.target_regions, "eu-central-1") ? 
1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-central-1 } - - enabled = contains(var.target_regions, "eu-central-1") } module "ebs_baseline_eu-north-1" { + count = contains(var.target_regions, "eu-north-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-north-1 } - - enabled = contains(var.target_regions, "eu-north-1") } module "ebs_baseline_eu-west-1" { + count = contains(var.target_regions, "eu-west-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-1 } - - enabled = contains(var.target_regions, "eu-west-1") } module "ebs_baseline_eu-west-2" { + count = contains(var.target_regions, "eu-west-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-2 } - - enabled = contains(var.target_regions, "eu-west-2") } module "ebs_baseline_eu-west-3" { + count = contains(var.target_regions, "eu-west-3") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.eu-west-3 } - - enabled = contains(var.target_regions, "eu-west-3") } module "ebs_baseline_sa-east-1" { + count = contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.sa-east-1 } - - enabled = contains(var.target_regions, "sa-east-1") } module "ebs_baseline_us-east-1" { + count = contains(var.target_regions, "us-east-1") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-east-1 } - - enabled = contains(var.target_regions, "us-east-1") } module "ebs_baseline_us-east-2" { + count = contains(var.target_regions, "us-east-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-east-2 } - - enabled = contains(var.target_regions, "us-east-2") } module "ebs_baseline_us-west-1" { + count = contains(var.target_regions, "us-west-1") ? 
1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-west-1 } - - enabled = contains(var.target_regions, "us-west-1") } module "ebs_baseline_us-west-2" { + count = contains(var.target_regions, "us-west-2") ? 1 : 0 source = "./modules/ebs-baseline" providers = { aws = aws.us-west-2 } - - enabled = contains(var.target_regions, "us-west-2") } diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 24e62d91..48d2bd89 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf @@ -9,13 +9,13 @@ locals { } module "guardduty_baseline_ap-northeast-1" { + count = contains(var.target_regions, "ap-northeast-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-1 } - enabled = contains(var.target_regions, "ap-northeast-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -26,13 +26,13 @@ module "guardduty_baseline_ap-northeast-1" { } module "guardduty_baseline_ap-northeast-2" { + count = contains(var.target_regions, "ap-northeast-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-2 } - enabled = contains(var.target_regions, "ap-northeast-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
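Review bot: Unlike the analyzer, config and guardduty modules in this commit, the new `count` on every `ebs_baseline_<region>` block is gated only on `contains(var.target_regions, ...)`, so the EBS baseline cannot be opted out of without dropping the region from `target_regions`, which also removes every other baseline in that region; since the toggles are being reworked anyway, folding a dedicated variable into the same expression, `count = var.ebs_baseline_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0`, would make the four files consistent. The heading comment at the top of the hunk still reads `# SecurityHub Baseline` although this file configures the EBS baseline; it is a context line, but this is a natural moment to change it to `# EBS Baseline`.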
@@ -43,13 +43,13 @@ module "guardduty_baseline_ap-northeast-2" { } module "guardduty_baseline_ap-northeast-3" { + count = contains(var.target_regions, "ap-northeast-3") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-northeast-3 } - enabled = contains(var.target_regions, "ap-northeast-3") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -60,13 +60,13 @@ module "guardduty_baseline_ap-northeast-3" { } module "guardduty_baseline_ap-south-1" { + count = contains(var.target_regions, "ap-south-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-south-1 } - enabled = contains(var.target_regions, "ap-south-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -77,13 +77,13 @@ module "guardduty_baseline_ap-south-1" { } module "guardduty_baseline_ap-southeast-1" { + count = contains(var.target_regions, "ap-southeast-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ap-southeast-1 } - enabled = contains(var.target_regions, "ap-southeast-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -100,7 +100,7 @@ module "guardduty_baseline_ap-southeast-2" { aws = aws.ap-southeast-2 } - enabled = contains(var.target_regions, "ap-southeast-2") && var.guardduty_enabled + count = contains(var.target_regions, "ap-southeast-2") && var.guardduty_enabled ? 1 : 0 disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -111,13 +111,13 @@ module "guardduty_baseline_ap-southeast-2" { } module "guardduty_baseline_ca-central-1" { + count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.ca-central-1 } - enabled = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -128,13 +128,13 @@ module "guardduty_baseline_ca-central-1" { } module "guardduty_baseline_eu-central-1" { + count = contains(var.target_regions, "eu-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-central-1 } - enabled = contains(var.target_regions, "eu-central-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
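Review bot: In the `guardduty_baseline_ap-southeast-2` block the new `count` line sits where `enabled` used to be, after the `providers` block, while every other module in this file and in the analyzer, config and ebs hunks places `count` as the first attribute of the block; moving it up to directly follow `module "guardduty_baseline_ap-southeast-2" {` keeps the 17 blocks uniform and makes the toggle visible at a glance. The module block this hunk edits starts and ends outside the hunk. The two placements are functionally identical, so this is style only.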
@@ -145,13 +145,13 @@ module "guardduty_baseline_eu-central-1" { } module "guardduty_baseline_eu-north-1" { + count = contains(var.target_regions, "eu-north-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-north-1 } - enabled = contains(var.target_regions, "eu-north-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -162,13 +162,13 @@ module "guardduty_baseline_eu-north-1" { } module "guardduty_baseline_eu-west-1" { + count = contains(var.target_regions, "eu-west-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-1 } - enabled = contains(var.target_regions, "eu-west-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -179,13 +179,13 @@ module "guardduty_baseline_eu-west-1" { } module "guardduty_baseline_eu-west-2" { + count = contains(var.target_regions, "eu-west-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-2 } - enabled = contains(var.target_regions, "eu-west-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -196,13 +196,13 @@ module "guardduty_baseline_eu-west-2" { } module "guardduty_baseline_eu-west-3" { + count = contains(var.target_regions, "eu-west-3") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.eu-west-3 } - enabled = contains(var.target_regions, "eu-west-3") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -213,13 +213,13 @@ module "guardduty_baseline_eu-west-3" { } module "guardduty_baseline_sa-east-1" { + count = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.sa-east-1 } - enabled = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -230,13 +230,13 @@ module "guardduty_baseline_sa-east-1" { } module "guardduty_baseline_us-east-1" { + count = contains(var.target_regions, "us-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-east-1 } - enabled = contains(var.target_regions, "us-east-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message 
@@ -247,13 +247,13 @@ module "guardduty_baseline_us-east-1" { } module "guardduty_baseline_us-east-2" { + count = contains(var.target_regions, "us-east-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-east-2 } - enabled = contains(var.target_regions, "us-east-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -264,13 +264,13 @@ module "guardduty_baseline_us-east-2" { } module "guardduty_baseline_us-west-1" { + count = contains(var.target_regions, "us-west-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-west-1 } - enabled = contains(var.target_regions, "us-west-1") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message @@ -281,13 +281,13 @@ module "guardduty_baseline_us-west-1" { } module "guardduty_baseline_us-west-2" { + count = contains(var.target_regions, "us-west-2") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" providers = { aws = aws.us-west-2 } - enabled = contains(var.target_regions, "us-west-2") && var.guardduty_enabled disable_email_notification = var.guardduty_disable_email_notification finding_publishing_frequency = var.guardduty_finding_publishing_frequency invitation_message = var.guardduty_invitation_message diff --git a/main.tf b/main.tf index ae2cc5c4..bf9953e0 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.15" + required_version = ">= 1.1.3" required_providers { aws = { 
@@ -64,9 +64,9 @@ module "iam_baseline" { # -------------------------------------------------------------------------------------------------- module "cloudtrail_baseline" { + count = local.is_cloudtrail_enabled ? 1 : 0 source = "./modules/cloudtrail-baseline" - enabled = local.is_cloudtrail_enabled aws_account_id = var.aws_account_id cloudtrail_depends_on = [aws_s3_bucket_policy.audit_log] cloudtrail_name = var.cloudtrail_name @@ -93,9 +93,9 @@ module "cloudtrail_baseline" { # -------------------------------------------------------------------------------------------------- module "alarm_baseline" { + count = local.is_cloudtrail_enabled && var.cloudtrail_cloudwatch_logs_enabled ? 1 : 0 source = "./modules/alarm-baseline" - enabled = local.is_cloudtrail_enabled && var.cloudtrail_cloudwatch_logs_enabled unauthorized_api_calls_enabled = var.unauthorized_api_calls_enabled no_mfa_console_signin_enabled = var.no_mfa_console_signin_enabled mfa_console_signin_allow_sso = var.mfa_console_signin_allow_sso @@ -113,7 +113,7 @@ module "alarm_baseline" { vpc_changes_enabled = var.vpc_changes_enabled organizations_changes_enabled = var.organizations_changes_enabled alarm_namespace = var.alarm_namespace - cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline.log_group : "" + cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline[0].log_group : "" sns_topic_name = var.alarm_sns_topic_name sns_topic_kms_master_key_id = var.alarm_sns_topic_kms_master_key_id diff --git a/migrations.tf b/migrations.tf new file mode 100644 index 00000000..53342e0b --- /dev/null +++ b/migrations.tf 
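Review bot: The ternary in `cloudtrail_log_group_name = local.is_cloudtrail_enabled ? module.cloudtrail_baseline[0].log_group : ""` (hunk @@ -113) looks redundant now: the `count` added to `alarm_baseline` in hunk @@ -93 already requires `local.is_cloudtrail_enabled`, so as far as I can tell no instance of the alarm module can exist while `module.cloudtrail_baseline` has zero instances, and the `""` branch is unreachable. `cloudtrail_log_group_name = module.cloudtrail_baseline[0].log_group` states the dependency directly; if the guard is kept for readability, the comment `# alarm_baseline is only instantiated when cloudtrail is enabled, so [0] always exists` tells the reader that an empty log-group name cannot reach the alarm module's metric filters. Both module blocks continue past the hunk boundaries.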
@@ -0,0 +1,529 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Replacing `enabled` argument in each sub-module with `count` meta-argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = module.cloudtrail_baseline
+ to = module.cloudtrail_baseline[0]
+}
+
+moved {
+ from = module.alarm_baseline
+ to = module.alarm_baseline[0]
+}
+
+# Config baseline
+moved {
+ from = module.config_baseline_ap-northeast-1
+ to = module.config_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.config_baseline_ap-northeast-2
+ to = module.config_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.config_baseline_ap-northeast-3
+ to = module.config_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.config_baseline_ap-south-1
+ to = module.config_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.config_baseline_ap-southeast-1
+ to = module.config_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.config_baseline_ap-southeast-2
+ to = module.config_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.config_baseline_ca-central-1
+ to = module.config_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.config_baseline_eu-central-1
+ to = module.config_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.config_baseline_eu-north-1
+ to = module.config_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.config_baseline_eu-west-1
+ to = module.config_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.config_baseline_eu-west-2
+ to = module.config_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.config_baseline_eu-west-3
+ to = module.config_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.config_baseline_sa-east-1
+ to = module.config_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.config_baseline_us-east-1
+ to = module.config_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.config_baseline_us-east-2
+ to = module.config_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.config_baseline_us-west-1
+ to = module.config_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.config_baseline_us-west-2
+ to = module.config_baseline_us-west-2[0]
+}
+
+# EBS baseline
+moved {
+ from = module.ebs_baseline_ap-northeast-1
+ to = module.ebs_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_ap-northeast-2
+ to = module.ebs_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.ebs_baseline_ap-northeast-3
+ to = module.ebs_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.ebs_baseline_ap-south-1
+ to = module.ebs_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_ap-southeast-1
+ to = module.ebs_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_ap-southeast-2
+ to = module.ebs_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.ebs_baseline_ca-central-1
+ to = module.ebs_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_eu-central-1
+ to = module.ebs_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_eu-north-1
+ to = module.ebs_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_eu-west-1
+ to = module.ebs_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_eu-west-2
+ to = module.ebs_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.ebs_baseline_eu-west-3
+ to = module.ebs_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.ebs_baseline_sa-east-1
+ to = module.ebs_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_us-east-1
+ to = module.ebs_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_us-east-2
+ to = module.ebs_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.ebs_baseline_us-west-1
+ to = module.ebs_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.ebs_baseline_us-west-2
+ to = module.ebs_baseline_us-west-2[0]
+}
+
+# Guardduty baseline
+moved {
+ from = module.guardduty_baseline_ap-northeast-1
+ to = module.guardduty_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ap-northeast-2
+ to = module.guardduty_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ap-northeast-3
+ to = module.guardduty_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ap-south-1
+ to = module.guardduty_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ap-southeast-1
+ to = module.guardduty_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ap-southeast-2
+ to = module.guardduty_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.guardduty_baseline_ca-central-1
+ to = module.guardduty_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_eu-central-1
+ to = module.guardduty_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_eu-north-1
+ to = module.guardduty_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_eu-west-1
+ to = module.guardduty_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_eu-west-2
+ to = module.guardduty_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.guardduty_baseline_eu-west-3
+ to = module.guardduty_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.guardduty_baseline_sa-east-1
+ to = module.guardduty_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_us-east-1
+ to = module.guardduty_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_us-east-2
+ to = module.guardduty_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.guardduty_baseline_us-west-1
+ to = module.guardduty_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.guardduty_baseline_us-west-2
+ to = module.guardduty_baseline_us-west-2[0]
+}
+
+# SecurityHub baseline
+moved {
+ from = module.securityhub_baseline_ap-northeast-1
+ to = module.securityhub_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ap-northeast-2
+ to = module.securityhub_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ap-northeast-3
+ to = module.securityhub_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ap-south-1
+ to = module.securityhub_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ap-southeast-1
+ to = module.securityhub_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ap-southeast-2
+ to = module.securityhub_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.securityhub_baseline_ca-central-1
+ to = module.securityhub_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_eu-central-1
+ to = module.securityhub_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_eu-north-1
+ to = module.securityhub_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_eu-west-1
+ to = module.securityhub_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_eu-west-2
+ to = module.securityhub_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.securityhub_baseline_eu-west-3
+ to = module.securityhub_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.securityhub_baseline_sa-east-1
+ to = module.securityhub_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_us-east-1
+ to = module.securityhub_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_us-east-2
+ to = module.securityhub_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.securityhub_baseline_us-west-1
+ to = module.securityhub_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.securityhub_baseline_us-west-2
+ to = module.securityhub_baseline_us-west-2[0]
+}
+
+# vpc baseline
+moved {
+ from = module.vpc_baseline_ap-northeast-1
+ to = module.vpc_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_ap-northeast-2
+ to = module.vpc_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.vpc_baseline_ap-northeast-3
+ to = module.vpc_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.vpc_baseline_ap-south-1
+ to = module.vpc_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_ap-southeast-1
+ to = module.vpc_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_ap-southeast-2
+ to = module.vpc_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.vpc_baseline_ca-central-1
+ to = module.vpc_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_eu-central-1
+ to = module.vpc_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_eu-north-1
+ to = module.vpc_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_eu-west-1
+ to = module.vpc_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_eu-west-2
+ to = module.vpc_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.vpc_baseline_eu-west-3
+ to = module.vpc_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.vpc_baseline_sa-east-1
+ to = module.vpc_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_us-east-1
+ to = module.vpc_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_us-east-2
+ to = module.vpc_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.vpc_baseline_us-west-1
+ to = module.vpc_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.vpc_baseline_us-west-2
+ to = module.vpc_baseline_us-west-2[0]
+}
+
+# analyzer baseline
+moved {
+ from = module.analyzer_baseline_ap-northeast-1
+ to = module.analyzer_baseline_ap-northeast-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ap-northeast-2
+ to = module.analyzer_baseline_ap-northeast-2[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ap-northeast-3
+ to = module.analyzer_baseline_ap-northeast-3[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ap-south-1
+ to = module.analyzer_baseline_ap-south-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ap-southeast-1
+ to = module.analyzer_baseline_ap-southeast-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ap-southeast-2
+ to = module.analyzer_baseline_ap-southeast-2[0]
+}
+
+moved {
+ from = module.analyzer_baseline_ca-central-1
+ to = module.analyzer_baseline_ca-central-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_eu-central-1
+ to = module.analyzer_baseline_eu-central-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_eu-north-1
+ to = module.analyzer_baseline_eu-north-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_eu-west-1
+ to = module.analyzer_baseline_eu-west-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_eu-west-2
+ to = module.analyzer_baseline_eu-west-2[0]
+}
+
+moved {
+ from = module.analyzer_baseline_eu-west-3
+ to = module.analyzer_baseline_eu-west-3[0]
+}
+
+moved {
+ from = module.analyzer_baseline_sa-east-1
+ to = module.analyzer_baseline_sa-east-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_us-east-1
+ to = module.analyzer_baseline_us-east-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_us-east-2
+ to = module.analyzer_baseline_us-east-2[0]
+}
+
+moved {
+ from = module.analyzer_baseline_us-west-1
+ to = module.analyzer_baseline_us-west-1[0]
+}
+
+moved {
+ from = module.analyzer_baseline_us-west-2
+ to = module.analyzer_baseline_us-west-2[0]
+}
diff --git a/modules/alarm-baseline/README.md b/modules/alarm-baseline/README.md
index d50b460a..81f2ac24 100644
--- a/modules/alarm-baseline/README.md
+++ b/modules/alarm-baseline/README.md
@@ -7,7 +7,7 @@ Set up CloudWatch alarms to notify you when critical changes happen in your AWS | Name | Version | |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 | | [aws](#requirement\_aws) | >= 3.50.0 | ## Providers
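Review bot: The header comment of migrations.tf says what the `moved` blocks do but not what they require or how long they must stay. `moved` is a Terraform 1.1 feature, which is presumably why main.tf raises `required_version` to `>= 1.1.3` in this commit, and if these blocks are removed before every consumer has applied once on this version, a later upgrade would plan the previously unindexed module instances (trails, detectors, recorders, alarms) for destroy and recreate. Adding `# Requires Terraform >= 1.1 (moved blocks). Keep until every consumer has applied 0.31.0 at least once.` to the header records both points. The file is new, so the hunk is the whole file.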
@@ -70,7 +70,6 @@ No modules. | [cloudtrail\_log\_group\_name](#input\_cloudtrail\_log\_group\_name) | The name of the CloudWatch Logs group to which CloudTrail events are delivered. | `any` | n/a | yes | | [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | | [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | | [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | | [mfa\_console\_signin\_allow\_sso](#input\_mfa\_console\_signin\_allow\_sso) | The boolean flag whether the no\_mfa\_console\_signin alarm allows SSO auth to be ignored. | `bool` | `false` | no | | [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no | diff --git a/modules/alarm-baseline/main.tf b/modules/alarm-baseline/main.tf index 2f54ae40..bef948e4 100644 --- a/modules/alarm-baseline/main.tf +++ b/modules/alarm-baseline/main.tf @@ -6,8 +6,6 @@ data "aws_region" "current" {} # -------------------------------------------------------------------------------------------------- resource "aws_sns_topic" "alarms" { - count = var.enabled ? 1 : 0 - name = var.sns_topic_name kms_master_key_id = var.sns_topic_kms_master_key_id 
@@ -16,18 +14,15 @@ resource "aws_sns_topic" "alarms" { } resource "aws_sns_topic_policy" "alarms" { - count = var.enabled ? 1 : 0 - arn = aws_sns_topic.alarms[0].arn + arn = aws_sns_topic.alarms.arn - policy = data.aws_iam_policy_document.alarms-sns-policy[0].json + policy = data.aws_iam_policy_document.alarms-sns-policy.json } data "aws_iam_policy_document" "alarms-sns-policy" { - count = var.enabled ? 1 : 0 - statement { actions = ["sns:Publish"] - resources = [aws_sns_topic.alarms[0].arn] + resources = [aws_sns_topic.alarms.arn] principals { type = "Service" @@ -47,7 +42,7 @@ data "aws_iam_policy_document" "alarms-sns-policy" { # -------------------------------------------------------------------------------------------------- resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" { - count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0 + count = var.unauthorized_api_calls_enabled ? 1 : 0 name = "UnauthorizedAPICalls" pattern = "{(($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\")) && (($.sourceIPAddress!=\"delivery.logs.amazonaws.com\") && ($.eventName!=\"HeadBucket\"))}" @@ -61,7 +56,7 @@ resource "aws_cloudwatch_log_metric_filter" "unauthorized_api_calls" { } resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { - count = var.enabled && var.unauthorized_api_calls_enabled ? 1 : 0 + count = var.unauthorized_api_calls_enabled ? 1 : 0 alarm_name = "UnauthorizedAPICalls" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -72,7 +67,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring unauthorized API calls will help reveal application errors and may reduce time to detect malicious activity." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
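Review bot: `data.aws_iam_policy_document.alarms-sns-policy` grants `sns:Publish` on the alarm topic to a `Service` principal whose identifiers, and any `condition` block, lie past the end of the hunk, so I cannot confirm the statement is scoped to this account. If it is not, alarms owned by other accounts could publish into the topic that carries this module's security notifications; a `condition` on `aws:SourceAccount` (or `aws:SourceArn`) limits publishers to alarms in the account the module runs in. Dropping `count` did not change the statement, so this is worth checking on the lines that follow rather than a defect the commit introduces. The data block ends outside the hunk.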
@@ -80,7 +75,7 @@ resource "aws_cloudwatch_metric_alarm" "unauthorized_api_calls" { } resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" { - count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0 + count = var.no_mfa_console_signin_enabled ? 1 : 0 name = "NoMFAConsoleSignin" pattern = join(" ", [ @@ -97,7 +92,7 @@ resource "aws_cloudwatch_log_metric_filter" "no_mfa_console_signin" { } resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { - count = var.enabled && var.no_mfa_console_signin_enabled ? 1 : 0 + count = var.no_mfa_console_signin_enabled ? 1 : 0 alarm_name = "NoMFAConsoleSignin" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -108,7 +103,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring for single-factor console logins will increase visibility into accounts that are not protected by MFA." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -116,7 +111,7 @@ resource "aws_cloudwatch_metric_alarm" "no_mfa_console_signin" { } resource "aws_cloudwatch_log_metric_filter" "root_usage" { - count = var.enabled && var.root_usage_enabled ? 1 : 0 + count = var.root_usage_enabled ? 1 : 0 name = "RootUsage" pattern = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }" @@ -130,7 +125,7 @@ resource "aws_cloudwatch_log_metric_filter" "root_usage" { } resource "aws_cloudwatch_metric_alarm" "root_usage" { - count = var.enabled && var.root_usage_enabled ? 1 : 0 + count = var.root_usage_enabled ? 1 : 0 alarm_name = "RootUsage" comparison_operator = "GreaterThanOrEqualToThreshold" 
@@ -141,7 +136,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring for root account logins will provide visibility into the use of a fully privileged account and an opportunity to reduce the use of it." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -149,7 +144,7 @@ resource "aws_cloudwatch_metric_alarm" "root_usage" { } resource "aws_cloudwatch_log_metric_filter" "iam_changes" { - count = var.enabled && var.iam_changes_enabled ? 1 : 0 + count = var.iam_changes_enabled ? 1 : 0 name = "IAMChanges" pattern = "{($.eventName=DeleteGroupPolicy)||($.eventName=DeleteRolePolicy)||($.eventName=DeleteUserPolicy)||($.eventName=PutGroupPolicy)||($.eventName=PutRolePolicy)||($.eventName=PutUserPolicy)||($.eventName=CreatePolicy)||($.eventName=DeletePolicy)||($.eventName=CreatePolicyVersion)||($.eventName=DeletePolicyVersion)||($.eventName=AttachRolePolicy)||($.eventName=DetachRolePolicy)||($.eventName=AttachUserPolicy)||($.eventName=DetachUserPolicy)||($.eventName=AttachGroupPolicy)||($.eventName=DetachGroupPolicy)}" @@ -163,7 +158,7 @@ resource "aws_cloudwatch_log_metric_filter" "iam_changes" { } resource "aws_cloudwatch_metric_alarm" "iam_changes" { - count = var.enabled && var.iam_changes_enabled ? 1 : 0 + count = var.iam_changes_enabled ? 1 : 0 alarm_name = "IAMChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -174,7 +169,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to IAM policies will help ensure authentication and authorization controls remain intact." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -182,7 +177,7 @@ resource "aws_cloudwatch_metric_alarm" "iam_changes" { } resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" { - count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0 + count = var.cloudtrail_cfg_changes_enabled ? 1 : 0 name = "CloudTrailCfgChanges" pattern = "{ ($.eventName = CreateTrail) || ($.eventName = UpdateTrail) || ($.eventName = DeleteTrail) || ($.eventName = StartLogging) || ($.eventName = StopLogging) }" @@ -196,7 +191,7 @@ resource "aws_cloudwatch_log_metric_filter" "cloudtrail_cfg_changes" { } resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { - count = var.enabled && var.cloudtrail_cfg_changes_enabled ? 1 : 0 + count = var.cloudtrail_cfg_changes_enabled ? 1 : 0 alarm_name = "CloudTrailCfgChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -207,7 +202,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to CloudTrail's configuration will help ensure sustained visibility to activities performed in the AWS account." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -215,7 +210,7 @@ resource "aws_cloudwatch_metric_alarm" "cloudtrail_cfg_changes" { } resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" { - count = var.enabled && var.console_signin_failures_enabled ? 1 : 0 + count = var.console_signin_failures_enabled ? 1 : 0 name = "ConsoleSigninFailures" pattern = "{ ($.eventName = ConsoleLogin) && ($.errorMessage = \"Failed authentication\") }" 
@@ -229,7 +224,7 @@ resource "aws_cloudwatch_log_metric_filter" "console_signin_failures" { } resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { - count = var.enabled && var.console_signin_failures_enabled ? 1 : 0 + count = var.console_signin_failures_enabled ? 1 : 0 alarm_name = "ConsoleSigninFailures" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -240,7 +235,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -248,7 +243,7 @@ resource "aws_cloudwatch_metric_alarm" "console_signin_failures" { } resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" { - count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0 + count = var.disable_or_delete_cmk_enabled ? 1 : 0 name = "DisableOrDeleteCMK" pattern = "{ ($.eventSource = kms.amazonaws.com) && (($.eventName = DisableKey) || ($.eventName = ScheduleKeyDeletion)) }" @@ -262,7 +257,7 @@ resource "aws_cloudwatch_log_metric_filter" "disable_or_delete_cmk" { } resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { - count = var.enabled && var.disable_or_delete_cmk_enabled ? 1 : 0 + count = var.disable_or_delete_cmk_enabled ? 1 : 0 alarm_name = "DisableOrDeleteCMK" comparison_operator = "GreaterThanOrEqualToThreshold" 
@@ -273,7 +268,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential, which may provide an indicator, such as source IP, that can be used in other event correlation." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -281,7 +276,7 @@ resource "aws_cloudwatch_metric_alarm" "disable_or_delete_cmk" { } resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" { - count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0 + count = var.s3_bucket_policy_changes_enabled ? 1 : 0 name = "S3BucketPolicyChanges" pattern = "{ ($.eventSource = s3.amazonaws.com) && (($.eventName = PutBucketAcl) || ($.eventName = PutBucketPolicy) || ($.eventName = PutBucketCors) || ($.eventName = PutBucketLifecycle) || ($.eventName = PutBucketReplication) || ($.eventName = DeleteBucketPolicy) || ($.eventName = DeleteBucketCors) || ($.eventName = DeleteBucketLifecycle) || ($.eventName = DeleteBucketReplication)) }" @@ -295,7 +290,7 @@ resource "aws_cloudwatch_log_metric_filter" "s3_bucket_policy_changes" { } resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { - count = var.enabled && var.s3_bucket_policy_changes_enabled ? 1 : 0 + count = var.s3_bucket_policy_changes_enabled ? 1 : 0 alarm_name = "S3BucketPolicyChanges" comparison_operator = "GreaterThanOrEqualToThreshold" 
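Review bot: The `alarm_description` of `aws_cloudwatch_metric_alarm.disable_or_delete_cmk` (hunk @@ -273) still reads "Monitoring failed console logins may decrease lead time to detect an attempt to brute force a credential …", which is the text of the `console_signin_failures` alarm in hunk @@ -240; the commit edits the adjacent `alarm_actions` line but leaves this copy-paste in place, so the SNS notification for a disabled or scheduled-for-deletion KMS key describes the wrong event to whoever is on call. A description matching the filter, `alarm_description = "Monitoring for disabling or scheduled deletion of customer managed keys will help ensure that data encrypted with those keys remains accessible and that key lifecycle changes are detected."`, fixes it. The resource block starts and ends outside the hunk.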
@@ -306,7 +301,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to S3 bucket policies may reduce time to detect and correct permissive policies on sensitive S3 buckets." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -314,7 +309,7 @@ resource "aws_cloudwatch_metric_alarm" "s3_bucket_policy_changes" { } resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" { - count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + count = var.aws_config_changes_enabled ? 1 : 0 name = "AWSConfigChanges" pattern = "{ ($.eventSource = config.amazonaws.com) && (($.eventName=StopConfigurationRecorder)||($.eventName=DeleteDeliveryChannel)||($.eventName=PutDeliveryChannel)||($.eventName=PutConfigurationRecorder)) }" @@ -328,7 +323,7 @@ resource "aws_cloudwatch_log_metric_filter" "aws_config_changes" { } resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { - count = var.enabled && var.aws_config_changes_enabled ? 1 : 0 + count = var.aws_config_changes_enabled ? 1 : 0 alarm_name = "AWSConfigChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -339,7 +334,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to AWS Config configuration will help ensure sustained visibility of configuration items within the AWS account." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] 
@@ -347,7 +342,7 @@ resource "aws_cloudwatch_metric_alarm" "aws_config_changes" { } resource "aws_cloudwatch_log_metric_filter" "security_group_changes" { - count = var.enabled && var.security_group_changes_enabled ? 1 : 0 + count = var.security_group_changes_enabled ? 1 : 0 name = "SecurityGroupChanges" pattern = "{ ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) || ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) || ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup)}" @@ -361,7 +356,7 @@ resource "aws_cloudwatch_log_metric_filter" "security_group_changes" { } resource "aws_cloudwatch_metric_alarm" "security_group_changes" { - count = var.enabled && var.security_group_changes_enabled ? 1 : 0 + count = var.security_group_changes_enabled ? 1 : 0 alarm_name = "SecurityGroupChanges" comparison_operator = "GreaterThanOrEqualToThreshold" @@ -372,7 +367,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" { statistic = "Sum" threshold = "1" alarm_description = "Monitoring changes to security group will help ensure that resources and services are not unintentionally exposed." - alarm_actions = [aws_sns_topic.alarms[0].arn] + alarm_actions = [aws_sns_topic.alarms.arn] treat_missing_data = "notBreaching" insufficient_data_actions = [] @@ -380,7 +375,7 @@ resource "aws_cloudwatch_metric_alarm" "security_group_changes" { } resource "aws_cloudwatch_log_metric_filter" "nacl_changes" { - count = var.enabled && var.nacl_changes_enabled ? 1 : 0 + count = var.nacl_changes_enabled ? 1 : 0 name = "NACLChanges" pattern = "{ ($.eventName = CreateNetworkAcl) || ($.eventName = CreateNetworkAclEntry) || ($.eventName = DeleteNetworkAcl) || ($.eventName = DeleteNetworkAclEntry) || ($.eventName = ReplaceNetworkAclEntry) || ($.eventName = ReplaceNetworkAclAssociation) }" 
@@ -394,7 +389,7 @@ resource "aws_cloudwatch_log_metric_filter" "nacl_changes" {
 }
 resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
- count = var.enabled && var.nacl_changes_enabled ? 1 : 0
+ count = var.nacl_changes_enabled ? 1 : 0
 alarm_name = "NACLChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -405,7 +400,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to NACLs will help ensure that AWS resources and services are not unintentionally exposed."
- alarm_actions = [aws_sns_topic.alarms[0].arn]
+ alarm_actions = [aws_sns_topic.alarms.arn]
 treat_missing_data = "notBreaching"
 insufficient_data_actions = []
@@ -413,7 +408,7 @@ resource "aws_cloudwatch_metric_alarm" "nacl_changes" {
 }
 resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
- count = var.enabled && var.network_gw_changes_enabled ? 1 : 0
+ count = var.network_gw_changes_enabled ? 1 : 0
 name = "NetworkGWChanges"
 pattern = "{ ($.eventName = CreateCustomerGateway) || ($.eventName = DeleteCustomerGateway) || ($.eventName = AttachInternetGateway) || ($.eventName = CreateInternetGateway) || ($.eventName = DeleteInternetGateway) || ($.eventName = DetachInternetGateway) }"
@@ -427,7 +422,7 @@ resource "aws_cloudwatch_log_metric_filter" "network_gw_changes" {
 }
 resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
- count = var.enabled && var.network_gw_changes_enabled ? 1 : 0
+ count = var.network_gw_changes_enabled ? 1 : 0
 alarm_name = "NetworkGWChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -438,7 +433,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to network gateways will help ensure that all ingress/egress traffic traverses the VPC border via a controlled path."
- alarm_actions = [aws_sns_topic.alarms[0].arn]
+ alarm_actions = [aws_sns_topic.alarms.arn]
 treat_missing_data = "notBreaching"
 insufficient_data_actions = []
@@ -446,7 +441,7 @@ resource "aws_cloudwatch_metric_alarm" "network_gw_changes" {
 }
 resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
- count = var.enabled && var.route_table_changes_enabled ? 1 : 0
+ count = var.route_table_changes_enabled ? 1 : 0
 name = "RouteTableChanges"
 pattern = "{ ($.eventName = CreateRoute) || ($.eventName = CreateRouteTable) || ($.eventName = ReplaceRoute) || ($.eventName = ReplaceRouteTableAssociation) || ($.eventName = DeleteRouteTable) || ($.eventName = DeleteRoute) || ($.eventName = DisassociateRouteTable) }"
@@ -460,7 +455,7 @@ resource "aws_cloudwatch_log_metric_filter" "route_table_changes" {
 }
 resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
- count = var.enabled && var.route_table_changes_enabled ? 1 : 0
+ count = var.route_table_changes_enabled ? 1 : 0
 alarm_name = "RouteTableChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -471,7 +466,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to route tables will help ensure that all VPC traffic flows through an expected path."
- alarm_actions = [aws_sns_topic.alarms[0].arn]
+ alarm_actions = [aws_sns_topic.alarms.arn]
 treat_missing_data = "notBreaching"
 insufficient_data_actions = []
@@ -479,7 +474,7 @@ resource "aws_cloudwatch_metric_alarm" "route_table_changes" {
 }
 resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
- count = var.enabled && var.vpc_changes_enabled ? 1 : 0
+ count = var.vpc_changes_enabled ? 1 : 0
 name = "VPCChanges"
 pattern = "{ ($.eventName = CreateVpc) || ($.eventName = DeleteVpc) || ($.eventName = ModifyVpcAttribute) || ($.eventName = AcceptVpcPeeringConnection) || ($.eventName = CreateVpcPeeringConnection) || ($.eventName = DeleteVpcPeeringConnection) || ($.eventName = RejectVpcPeeringConnection) || ($.eventName = AttachClassicLinkVpc) || ($.eventName = DetachClassicLinkVpc) || ($.eventName = DisableVpcClassicLink) || ($.eventName = EnableVpcClassicLink) }"
@@ -493,7 +488,7 @@ resource "aws_cloudwatch_log_metric_filter" "vpc_changes" {
 }
 resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
- count = var.enabled && var.vpc_changes_enabled ? 1 : 0
+ count = var.vpc_changes_enabled ? 1 : 0
 alarm_name = "VPCChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -504,7 +499,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring changes to VPC will help ensure that all VPC traffic flows through an expected path."
- alarm_actions = [aws_sns_topic.alarms[0].arn]
+ alarm_actions = [aws_sns_topic.alarms.arn]
 treat_missing_data = "notBreaching"
 insufficient_data_actions = []
@@ -512,7 +507,7 @@ resource "aws_cloudwatch_metric_alarm" "vpc_changes" {
 }
 resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
- count = var.enabled && var.organizations_changes_enabled ? 1 : 0
+ count = var.organizations_changes_enabled ? 1 : 0
 name = "OrganizationsChanges"
 pattern = "{ ($.eventSource = organizations.amazonaws.com) && (($.eventName = \"AcceptHandshake\") || ($.eventName = \"AttachPolicy\") || ($.eventName = \"CreateAccount\") || ($.eventName = \"CreateOrganizationalUnit\") || ($.eventName= \"CreatePolicy\") || ($.eventName = \"DeclineHandshake\") || ($.eventName = \"DeleteOrganization\") || ($.eventName = \"DeleteOrganizationalUnit\") || ($.eventName = \"DeletePolicy\") || ($.eventName = \"DetachPolicy\") || ($.eventName = \"DisablePolicyType\") || ($.eventName = \"EnablePolicyType\") || ($.eventName = \"InviteAccountToOrganization\") || ($.eventName = \"LeaveOrganization\") || ($.eventName = \"MoveAccount\") || ($.eventName = \"RemoveAccountFromOrganization\") || ($.eventName = \"UpdatePolicy\") || ($.eventName =\"UpdateOrganizationalUnit\")) }"
@@ -526,7 +521,7 @@ resource "aws_cloudwatch_log_metric_filter" "organizations_changes" {
 }
 resource "aws_cloudwatch_metric_alarm" "organizations_changes" {
- count = var.enabled && var.organizations_changes_enabled ? 1 : 0
+ count = var.organizations_changes_enabled ? 1 : 0
 alarm_name = "OrganizationsChanges"
 comparison_operator = "GreaterThanOrEqualToThreshold"
@@ -537,7 +532,7 @@ resource "aws_cloudwatch_metric_alarm" "organizations_changes" {
 statistic = "Sum"
 threshold = "1"
 alarm_description = "Monitoring AWS Organizations changes can help you prevent any unwanted, accidental or intentional modifications that may lead to unauthorized access or other security breaches."
- alarm_actions = [aws_sns_topic.alarms[0].arn]
+ alarm_actions = [aws_sns_topic.alarms.arn]
 treat_missing_data = "notBreaching"
 insufficient_data_actions = []
diff --git a/modules/alarm-baseline/migrations.tf b/modules/alarm-baseline/migrations.tf
new file mode 100644
index 00000000..60065478
--- /dev/null
+++ b/modules/alarm-baseline/migrations.tf
@@ -0,0 +1,13 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_sns_topic.alarms[0]
+ to = aws_sns_topic.alarms
+}
+
+moved {
+ from = aws_sns_topic_policy.alarms[0]
+ to = aws_sns_topic_policy.alarms
+}
diff --git a/modules/alarm-baseline/variables.tf b/modules/alarm-baseline/variables.tf
index 1631a6be..f35feee8 100644
--- a/modules/alarm-baseline/variables.tf
+++ b/modules/alarm-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "unauthorized_api_calls_enabled" {
 description = "The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false."
 default = true
diff --git a/modules/alarm-baseline/versions.tf b/modules/alarm-baseline/versions.tf
index 811c8034..706c4a0d 100644
--- a/modules/alarm-baseline/versions.tf
+++ b/modules/alarm-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/modules/analyzer-baseline/README.md b/modules/analyzer-baseline/README.md
index ed33cc2a..3e0b99fc 100644
--- a/modules/analyzer-baseline/README.md
+++ b/modules/analyzer-baseline/README.md
@@ -9,7 +9,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 |
 | [aws](#requirement\_aws) | >= 3.50.0 |
 ## Providers
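Review bot: The header in the new migrations.tf stops at `# Removing `enabled` argument.` and does not say what the `moved` blocks protect against or when they can be retired, which is what a maintainer reading this file in a year will need. I would extend it with `# Maps the old count-indexed addresses ([0]) to the new unindexed ones so existing state is adopted instead of destroyed and recreated; needs Terraform >= 1.1 (see versions.tf) and can be dropped once all consumers are on 0.31.0 or later.` The same four-line header is repeated in the migrations.tf of analyzer-baseline, cloudtrail-baseline, config-baseline, ebs-baseline and guardduty-baseline, so the wording applies there too. The `moved` targets also imply that `aws_sns_topic.alarms` and its policy are now created unconditionally even when every per-alarm `*_enabled` flag is false; the topic resource itself sits outside this diff, so a one-line comment there stating that would save the next reader from looking for the removed guard.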
@@ -33,7 +33,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | `"default-analyer"` | no |
-| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | [is\_organization](#input\_is\_organization) | The boolean flag whether this module is configured for the organization master account or the individual account. | `bool` | `false` | no |
 | [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map` |
{
"Terraform": true
}
| no |
diff --git a/modules/analyzer-baseline/main.tf b/modules/analyzer-baseline/main.tf
index 93b248a1..74108796 100644
--- a/modules/analyzer-baseline/main.tf
+++ b/modules/analyzer-baseline/main.tf
@@ -1,6 +1,4 @@
 resource "aws_accessanalyzer_analyzer" "default" {
- count = var.enabled ? 1 : 0
-
 analyzer_name = var.analyzer_name
 type = var.is_organization ? "ORGANIZATION" : "ACCOUNT"
diff --git a/modules/analyzer-baseline/migrations.tf b/modules/analyzer-baseline/migrations.tf
new file mode 100644
index 00000000..48abae80
--- /dev/null
+++ b/modules/analyzer-baseline/migrations.tf
@@ -0,0 +1,8 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_accessanalyzer_analyzer.default[0]
+ to = aws_accessanalyzer_analyzer.default
+}
diff --git a/modules/analyzer-baseline/variables.tf b/modules/analyzer-baseline/variables.tf
index 4d9f0a18..9df076e6 100644
--- a/modules/analyzer-baseline/variables.tf
+++ b/modules/analyzer-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "analyzer_name" {
 description = "The name for the IAM Access Analyzer resource to be created."
 default = "default-analyer"
diff --git a/modules/analyzer-baseline/versions.tf b/modules/analyzer-baseline/versions.tf
index 811c8034..706c4a0d 100644
--- a/modules/analyzer-baseline/versions.tf
+++ b/modules/analyzer-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/modules/cloudtrail-baseline/README.md b/modules/cloudtrail-baseline/README.md
index ac3fa736..1a64d4ee 100644
--- a/modules/cloudtrail-baseline/README.md
+++ b/modules/cloudtrail-baseline/README.md
@@ -7,7 +7,7 @@ Enable CloudTrail in all regions and deliver events to CloudWatch Logs. CloudTra
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 |
 | [aws](#requirement\_aws) | >= 3.50.0 |
 ## Providers
@@ -49,7 +49,6 @@ No modules.
 | [cloudwatch\_logs\_group\_name](#input\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | `"cloudtrail-multi-region"` | no |
 | [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | `365` | no |
 | [dynamodb\_event\_logging\_tables](#input\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list` |
[
"arn:aws:dynamodb"
]
| no |
-| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | [iam\_role\_name](#input\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Role"` | no |
 | [iam\_role\_policy\_name](#input\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | `"CloudTrail-CloudWatch-Delivery-Policy"` | no |
 | [is\_organization\_trail](#input\_is\_organization\_trail) | Specifies whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | `false` | no |
diff --git a/modules/cloudtrail-baseline/main.tf b/modules/cloudtrail-baseline/main.tf
index f00709fc..cb02401e 100644
--- a/modules/cloudtrail-baseline/main.tf
+++ b/modules/cloudtrail-baseline/main.tf
@@ -2,7 +2,7 @@
 # CloudWatch Logs group to accept CloudTrail event stream.
 # --------------------------------------------------------------------------------------------------
 resource "aws_cloudwatch_log_group" "cloudtrail_events" {
- count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0
+ count = var.cloudwatch_logs_enabled ? 1 : 0
 name = var.cloudwatch_logs_group_name
 retention_in_days = var.cloudwatch_logs_retention_in_days
@@ -26,7 +26,7 @@ data "aws_iam_policy_document" "cloudwatch_delivery_assume_policy" {
 }
 resource "aws_iam_role" "cloudwatch_delivery" {
- count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0
+ count = var.cloudwatch_logs_enabled ? 1 : 0
 name = var.iam_role_name
 assume_role_policy = data.aws_iam_policy_document.cloudwatch_delivery_assume_policy.json
@@ -35,7 +35,7 @@ resource "aws_iam_role" "cloudwatch_delivery" {
 }
 data "aws_iam_policy_document" "cloudwatch_delivery_policy" {
- count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0
+ count = var.cloudwatch_logs_enabled ? 1 : 0
 statement {
 sid = "AWSCloudTrailCreateLogStream2014110"
@@ -51,7 +51,7 @@ data "aws_iam_policy_document" "cloudwatch_delivery_policy" {
 }
 resource "aws_iam_role_policy" "cloudwatch_delivery_policy" {
- count = var.cloudwatch_logs_enabled && var.enabled ? 1 : 0
+ count = var.cloudwatch_logs_enabled ? 1 : 0
 name = var.iam_role_policy_name
 role = aws_iam_role.cloudwatch_delivery[0].id
@@ -187,8 +187,6 @@ data "aws_iam_policy_document" "cloudtrail_key_policy" {
 }
 resource "aws_kms_key" "cloudtrail" {
- count = var.enabled ? 1 : 0
-
 description = "A KMS key to encrypt CloudTrail events."
 deletion_window_in_days = var.key_deletion_window_in_days
 enable_key_rotation = "true"
@@ -204,14 +202,14 @@ resource "aws_kms_key" "cloudtrail" {
 # --------------------------------------------------------------------------------------------------
 resource "aws_sns_topic" "cloudtrail-sns-topic" {
- count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0
+ count = var.cloudtrail_sns_topic_enabled ? 1 : 0
 name = var.cloudtrail_sns_topic_name
- kms_master_key_id = aws_kms_key.cloudtrail[0].id
+ kms_master_key_id = aws_kms_key.cloudtrail.id
 }
 data "aws_iam_policy_document" "cloudtrail-sns-policy" {
- count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0
+ count = var.cloudtrail_sns_topic_enabled ? 1 : 0
 statement {
 actions = ["sns:Publish"]
@@ -225,7 +223,7 @@ data "aws_iam_policy_document" "cloudtrail-sns-policy" {
 }
 resource "aws_sns_topic_policy" "local-account-cloudtrail" {
- count = var.cloudtrail_sns_topic_enabled && var.enabled ? 1 : 0
+ count = var.cloudtrail_sns_topic_enabled ? 1 : 0
 arn = aws_sns_topic.cloudtrail-sns-topic[0].arn
 policy = data.aws_iam_policy_document.cloudtrail-sns-policy[0].json
@@ -236,8 +234,6 @@ resource "aws_sns_topic_policy" "local-account-cloudtrail" {
 # --------------------------------------------------------------------------------------------------
 resource "aws_cloudtrail" "global" {
- count = var.enabled ? 1 : 0
-
 name = var.cloudtrail_name
 cloud_watch_logs_group_arn = var.cloudwatch_logs_enabled ? "${aws_cloudwatch_log_group.cloudtrail_events[0].arn}:*" : null
@@ -246,7 +242,7 @@ resource "aws_cloudtrail" "global" {
 include_global_service_events = true
 is_multi_region_trail = true
 is_organization_trail = var.is_organization_trail
- kms_key_id = aws_kms_key.cloudtrail[0].arn
+ kms_key_id = aws_kms_key.cloudtrail.arn
 s3_bucket_name = var.s3_bucket_name
 s3_key_prefix = var.s3_key_prefix
 sns_topic_name = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0].arn : null
diff --git a/modules/cloudtrail-baseline/migrations.tf b/modules/cloudtrail-baseline/migrations.tf
new file mode 100644
index 00000000..d256924d
--- /dev/null
+++ b/modules/cloudtrail-baseline/migrations.tf
@@ -0,0 +1,13 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_kms_key.cloudtrail[0]
+ to = aws_kms_key.cloudtrail
+}
+
+moved {
+ from = aws_cloudtrail.global[0]
+ to = aws_cloudtrail.global
+}
diff --git a/modules/cloudtrail-baseline/outputs.tf b/modules/cloudtrail-baseline/outputs.tf
index 416e69fd..95d44711 100644
--- a/modules/cloudtrail-baseline/outputs.tf
+++ b/modules/cloudtrail-baseline/outputs.tf
@@ -1,24 +1,24 @@
 output "cloudtrail" {
 description = "The trail for recording events in all regions."
- value = var.enabled ? aws_cloudtrail.global[0] : null
+ value = aws_cloudtrail.global
 }
 output "cloudtrail_sns_topic" {
 description = "The sns topic linked to the cloudtrail."
- value = var.cloudtrail_sns_topic_enabled && var.enabled ? aws_sns_topic.cloudtrail-sns-topic[0] : null
+ value = var.cloudtrail_sns_topic_enabled ? aws_sns_topic.cloudtrail-sns-topic[0] : null
 }
 output "kms_key" {
 description = "The KMS key used for encrypting CloudTrail events."
- value = var.enabled ? aws_kms_key.cloudtrail[0] : null
+ value = aws_kms_key.cloudtrail
 }
 output "log_delivery_iam_role" {
 description = "The IAM role used for delivering CloudTrail events to CloudWatch Logs."
- value = var.cloudwatch_logs_enabled && var.enabled ? aws_iam_role.cloudwatch_delivery[0] : null
+ value = var.cloudwatch_logs_enabled ? aws_iam_role.cloudwatch_delivery[0] : null
 }
 output "log_group" {
 description = "The CloudWatch Logs log group which stores CloudTrail events."
- value = var.cloudwatch_logs_enabled && var.enabled ? aws_cloudwatch_log_group.cloudtrail_events[0].name : null
+ value = var.cloudwatch_logs_enabled ? aws_cloudwatch_log_group.cloudtrail_events[0].name : null
 }
diff --git a/modules/cloudtrail-baseline/variables.tf b/modules/cloudtrail-baseline/variables.tf
index 06fe6089..aa22226b 100644
--- a/modules/cloudtrail-baseline/variables.tf
+++ b/modules/cloudtrail-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "aws_account_id" {
 description = "The AWS Account ID number of the account."
 }
diff --git a/modules/cloudtrail-baseline/versions.tf b/modules/cloudtrail-baseline/versions.tf
index 811c8034..706c4a0d 100644
--- a/modules/cloudtrail-baseline/versions.tf
+++ b/modules/cloudtrail-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/modules/config-baseline/README.md b/modules/config-baseline/README.md
index 55e73882..2ce0a6ca 100644
--- a/modules/config-baseline/README.md
+++ b/modules/config-baseline/README.md
@@ -7,7 +7,7 @@ Enable AWS Config in all regions to automatically take configuration snapshots.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 |
 | [aws](#requirement\_aws) | >= 3.50.0 |
 ## Providers
@@ -39,7 +39,6 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [delivery\_channel\_name](#input\_delivery\_channel\_name) | The name of the delivery channel. | `string` | `"default"` | no |
 | [delivery\_frequency](#input\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | `"One_Hour"` | no |
-| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | [iam\_role\_arn](#input\_iam\_role\_arn) | The ARN of the IAM Role which AWS Config will use. | `any` | n/a | yes |
 | [include\_global\_resource\_types](#input\_include\_global\_resource\_types) | Specifies whether AWS Config includes all supported types of global resources with the resources that it records. | `bool` | `true` | no |
 | [recorder\_name](#input\_recorder\_name) | The name of the configuration recorder. | `string` | `"default"` | no |
diff --git a/modules/config-baseline/main.tf b/modules/config-baseline/main.tf
index 7ed259f0..777483f1 100644
--- a/modules/config-baseline/main.tf
+++ b/modules/config-baseline/main.tf
@@ -6,8 +6,6 @@ data "aws_region" "current" {}
 # --------------------------------------------------------------------------------------------------
 resource "aws_sns_topic" "config" {
- count = var.enabled ? 1 : 0
-
 name = var.sns_topic_name
 kms_master_key_id = var.sns_topic_kms_master_key_id
@@ -16,18 +14,15 @@ resource "aws_sns_topic" "config" {
 }
 resource "aws_sns_topic_policy" "config" {
- count = var.enabled ? 1 : 0
- arn = aws_sns_topic.config[0].arn
+ arn = aws_sns_topic.config.arn
- policy = data.aws_iam_policy_document.config-sns-policy[0].json
+ policy = data.aws_iam_policy_document.config-sns-policy.json
 }
 data "aws_iam_policy_document" "config-sns-policy" {
- count = var.enabled ? 1 : 0
-
 statement {
 actions = ["sns:Publish"]
- resources = [aws_sns_topic.config[0].arn]
+ resources = [aws_sns_topic.config.arn]
 principals {
 type = "Service"
@@ -43,8 +38,6 @@ data "aws_iam_policy_document" "config-sns-policy" {
 }
 resource "aws_config_configuration_recorder" "recorder" {
- count = var.enabled ? 1 : 0
-
 name = var.recorder_name
 role_arn = var.iam_role_arn
@@ -56,26 +49,22 @@ resource "aws_config_configuration_recorder" "recorder" {
 }
 resource "aws_config_delivery_channel" "bucket" {
- count = var.enabled ? 1 : 0
-
 name = var.delivery_channel_name
 s3_bucket_name = var.s3_bucket_name
 s3_key_prefix = var.s3_key_prefix
- sns_topic_arn = aws_sns_topic.config[0].arn
+ sns_topic_arn = aws_sns_topic.config.arn
 snapshot_delivery_properties {
 delivery_frequency = var.delivery_frequency
 }
- depends_on = [aws_config_configuration_recorder.recorder[0]]
+ depends_on = [aws_config_configuration_recorder.recorder]
 }
 resource "aws_config_configuration_recorder_status" "recorder" {
- count = var.enabled ? 1 : 0
-
- name = aws_config_configuration_recorder.recorder[0].id
+ name = aws_config_configuration_recorder.recorder.id
 is_enabled = true
- depends_on = [aws_config_delivery_channel.bucket[0]]
+ depends_on = [aws_config_delivery_channel.bucket]
 }
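Review bot: The two `depends_on` edges rewritten in the last hunk carry an AWS ordering requirement that the code does not explain: AWS Config rejects a delivery channel while no configuration recorder exists, and refuses to start recording until a delivery channel exists. Neither edge is implied by an attribute reference (`aws_config_delivery_channel.bucket` only reads the SNS topic, and the status resource only reads the recorder id), so a later reader could mistake them for leftovers of the removed `count` indexing and drop them. I would put `# AWS requires a configuration recorder to exist before a delivery channel can be created.` above `depends_on = [aws_config_configuration_recorder.recorder]` and `# Recording can only be started once a delivery channel exists.` above `depends_on = [aws_config_delivery_channel.bucket]`.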
diff --git a/modules/config-baseline/migrations.tf b/modules/config-baseline/migrations.tf
new file mode 100644
index 00000000..5e062c52
--- /dev/null
+++ b/modules/config-baseline/migrations.tf
@@ -0,0 +1,28 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_sns_topic.config[0]
+ to = aws_sns_topic.config
+}
+
+moved {
+ from = aws_sns_topic_policy.config[0]
+ to = aws_sns_topic_policy.config
+}
+
+moved {
+ from = aws_config_configuration_recorder.recorder[0]
+ to = aws_config_configuration_recorder.recorder
+}
+
+moved {
+ from = aws_config_configuration_recorder_status.recorder[0]
+ to = aws_config_configuration_recorder_status.recorder
+}
+
+moved {
+ from = aws_config_delivery_channel.bucket[0]
+ to = aws_config_delivery_channel.bucket
+}
diff --git a/modules/config-baseline/outputs.tf b/modules/config-baseline/outputs.tf
index 295ace30..20ee6775 100644
--- a/modules/config-baseline/outputs.tf
+++ b/modules/config-baseline/outputs.tf
@@ -1,9 +1,9 @@
 output "configuration_recorder" {
 description = "The configuration recorder."
- value = var.enabled ? aws_config_configuration_recorder.recorder[0] : null
+ value = aws_config_configuration_recorder.recorder
 }
 output "config_sns_topic" {
 description = "The SNS topic that AWS Config delivers notifications to."
- value = var.enabled ? aws_sns_topic.config[0] : null
+ value = aws_sns_topic.config
 }
diff --git a/modules/config-baseline/variables.tf b/modules/config-baseline/variables.tf
index 842eba95..7be7cbf3 100644
--- a/modules/config-baseline/variables.tf
+++ b/modules/config-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "iam_role_arn" {
 description = "The ARN of the IAM Role which AWS Config will use."
 }
diff --git a/modules/config-baseline/versions.tf b/modules/config-baseline/versions.tf
index 811c8034..706c4a0d 100644
--- a/modules/config-baseline/versions.tf
+++ b/modules/config-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/modules/ebs-baseline/README.md b/modules/ebs-baseline/README.md
index 059c6d74..4c0c2e44 100644
--- a/modules/ebs-baseline/README.md
+++ b/modules/ebs-baseline/README.md
@@ -9,7 +9,7 @@
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 |
 | [aws](#requirement\_aws) | >= 3.50.0 |
 ## Providers
@@ -30,9 +30,7 @@ No modules.
 ## Inputs
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
+No inputs.
 ## Outputs
diff --git a/modules/ebs-baseline/main.tf b/modules/ebs-baseline/main.tf
index 280ce04e..ce108c13 100644
--- a/modules/ebs-baseline/main.tf
+++ b/modules/ebs-baseline/main.tf
@@ -2,7 +2,5 @@
 # Enable Default EBS Encryption
 # --------------------------------------------------------------------------------------------------
 resource "aws_ebs_encryption_by_default" "this" {
- count = var.enabled ? 1 : 0
-
 enabled = true
 }
diff --git a/modules/ebs-baseline/migrations.tf b/modules/ebs-baseline/migrations.tf
new file mode 100644
index 00000000..c12b94ba
--- /dev/null
+++ b/modules/ebs-baseline/migrations.tf
@@ -0,0 +1,8 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_ebs_encryption_by_default.this[0]
+ to = aws_ebs_encryption_by_default.this
+}
diff --git a/modules/ebs-baseline/variables.tf b/modules/ebs-baseline/variables.tf
index 9b77876f..e69de29b 100644
--- a/modules/ebs-baseline/variables.tf
+++ b/modules/ebs-baseline/variables.tf
@@ -1,4 +0,0 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
diff --git a/modules/ebs-baseline/versions.tf b/modules/ebs-baseline/versions.tf
index 811c8034..706c4a0d 100644
--- a/modules/ebs-baseline/versions.tf
+++ b/modules/ebs-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/modules/guardduty-baseline/README.md b/modules/guardduty-baseline/README.md
index 0d10b1d8..22c41942 100644
--- a/modules/guardduty-baseline/README.md
+++ b/modules/guardduty-baseline/README.md
@@ -7,7 +7,7 @@ Enable GuardDuty in all regions.
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 0.13 |
+| [terraform](#requirement\_terraform) | >= 1.1.3 |
 | [aws](#requirement\_aws) | >= 3.50.0 |
 ## Providers
@@ -33,7 +33,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [disable\_email\_notification](#input\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | `false` | no |
-| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
 | [finding\_publishing\_frequency](#input\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | `"SIX_HOURS"` | no |
 | [invitation\_message](#input\_invitation\_message) | Message for invitation. | `string` | `"This is an automatic invitation message from guardduty-baseline module."` | no |
 | [master\_account\_id](#input\_master\_account\_id) | AWS account ID for master account. | `string` | `""` | no |
diff --git a/modules/guardduty-baseline/main.tf b/modules/guardduty-baseline/main.tf
index d2416510..d2b1229d 100644
--- a/modules/guardduty-baseline/main.tf
+++ b/modules/guardduty-baseline/main.tf
@@ -3,8 +3,6 @@
 # --------------------------------------------------------------------------------------------------
 resource "aws_guardduty_detector" "default" {
- count = var.enabled ? 1 : 0
-
 enable = true
 finding_publishing_frequency = var.finding_publishing_frequency
@@ -23,9 +21,9 @@ resource "aws_guardduty_detector" "default" {
 }
 resource "aws_guardduty_member" "members" {
- count = var.enabled ? length(var.member_accounts) : 0
+ count = length(var.member_accounts)
- detector_id = aws_guardduty_detector.default[0].id
+ detector_id = aws_guardduty_detector.default.id
 invite = true
 account_id = var.member_accounts[count.index].account_id
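Review bot: `count = length(var.member_accounts)` on `aws_guardduty_member.members` keys the instances by list position, so removing or reordering one entry in `member_accounts` shifts every later index and makes Terraform destroy and recreate those memberships, most likely re-sending invitations since `invite = true`. Since this line is being rewritten anyway, keying on the account id is the stable form: `for_each = { for m in var.member_accounts : m.account_id => m }` together with `account_id = each.value.account_id`, and every other `var.member_accounts[count.index]` read in the resource body, which continues past this hunk, becoming `each.value`. That switch changes instance addresses and would need its own `moved` entries for existing state, so it may be better as a follow-up than inside this refactor; if it stays as `count`, a one-line comment saying that member order is significant would at least warn callers.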
@@ -35,8 +33,8 @@ resource "aws_guardduty_member" "members" {
 }
 resource "aws_guardduty_invite_accepter" "master" {
- count = var.enabled && var.master_account_id != "" ? 1 : 0
+ count = var.master_account_id != "" ? 1 : 0
- detector_id = aws_guardduty_detector.default[0].id
+ detector_id = aws_guardduty_detector.default.id
 master_account_id = var.master_account_id
 }
diff --git a/modules/guardduty-baseline/migrations.tf b/modules/guardduty-baseline/migrations.tf
new file mode 100644
index 00000000..76cad35e
--- /dev/null
+++ b/modules/guardduty-baseline/migrations.tf
@@ -0,0 +1,8 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_guardduty_detector.default[0]
+ to = aws_guardduty_detector.default
+}
diff --git a/modules/guardduty-baseline/outputs.tf b/modules/guardduty-baseline/outputs.tf
index f0413467..067efd52 100644
--- a/modules/guardduty-baseline/outputs.tf
+++ b/modules/guardduty-baseline/outputs.tf
@@ -1,4 +1,4 @@
 output "guardduty_detector" {
 description = "The GuardDuty detector."
- value = var.enabled ? aws_guardduty_detector.default[0] : null
+ value = aws_guardduty_detector.default
 }
diff --git a/modules/guardduty-baseline/variables.tf b/modules/guardduty-baseline/variables.tf
index 0aa9d673..07e5177a 100644
--- a/modules/guardduty-baseline/variables.tf
+++ b/modules/guardduty-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "disable_email_notification" {
 description = "Boolean whether an email notification is sent to the accounts."
 default = false
diff --git a/modules/guardduty-baseline/versions.tf b/modules/guardduty-baseline/versions.tf index 811c8034..706c4a0d 100644 --- a/modules/guardduty-baseline/versions.tf +++ b/modules/guardduty-baseline/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.3" required_providers { aws = { diff --git a/modules/securityhub-baseline/README.md b/modules/securityhub-baseline/README.md index 0d8a0ba0..7a2790b1 100644 --- a/modules/securityhub-baseline/README.md +++ b/modules/securityhub-baseline/README.md @@ -12,7 +12,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.1.3 | | [aws](#requirement\_aws) | >= 3.50.0 | ## Providers @@ -45,7 +45,6 @@ No modules. | [enable\_cis\_standard](#input\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | `true` | no | | [enable\_pci\_dss\_standard](#input\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | `true` | no | | [enable\_product\_arns](#input\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | `[]` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | | [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| `[]` | no | ## Outputs diff --git a/modules/securityhub-baseline/main.tf b/modules/securityhub-baseline/main.tf index ab1a24c6..89ab92d7 100644 --- a/modules/securityhub-baseline/main.tf +++ b/modules/securityhub-baseline/main.tf @@ -3,14 +3,13 @@ data "aws_region" "current" {} # Enable SecurityHub # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_account" "main" { - count = var.enabled ? 1 : 0 } # -------------------------------------------------------------------------------------------------- # Add member accounts # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_member" "members" { - count = var.enabled ? length(var.member_accounts) : 0 + count = length(var.member_accounts) depends_on = [aws_securityhub_account.main] account_id = var.member_accounts[count.index].account_id @@ -22,7 +21,7 @@ resource "aws_securityhub_member" "members" { # Subscribe CIS benchmark # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_standards_subscription" "cis" { - count = var.enabled && var.enable_cis_standard ? 1 : 0 + count = var.enable_cis_standard ? 1 : 0 standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0" @@ -33,7 +32,7 @@ resource "aws_securityhub_standards_subscription" "cis" { # Subscribe AWS foundational security best practices standard # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_standards_subscription" "aws_foundational" { - count = var.enabled && var.enable_aws_foundational_standard ? 1 : 0 + count = var.enable_aws_foundational_standard ? 1 : 0 standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0" 
@@ -44,7 +43,7 @@ resource "aws_securityhub_standards_subscription" "aws_foundational" { # Subscribe PCI DSS standard # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_standards_subscription" "pci_dss" { - count = var.enabled && var.enable_pci_dss_standard ? 1 : 0 + count = var.enable_pci_dss_standard ? 1 : 0 standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1" @@ -55,7 +54,7 @@ resource "aws_securityhub_standards_subscription" "pci_dss" { # Subscribe to 3rd party products # -------------------------------------------------------------------------------------------------- resource "aws_securityhub_product_subscription" "products" { - count = var.enabled ? length(var.enable_product_arns) : 0 + count = length(var.enable_product_arns) product_arn = replace(var.enable_product_arns[count.index], "", data.aws_region.current.name) diff --git a/modules/securityhub-baseline/migrations.tf b/modules/securityhub-baseline/migrations.tf new file mode 100644 index 00000000..bf0d1408 --- /dev/null +++ b/modules/securityhub-baseline/migrations.tf @@ -0,0 +1,9 @@ + +# -------------------------------------------------------------------------------------------------- +# Migrations to 0.31.0 +# Removing `enabled` argument. +# -------------------------------------------------------------------------------------------------- +moved { + from = aws_securityhub_account.main[0] + to = aws_securityhub_account.main +} diff --git a/modules/securityhub-baseline/variables.tf b/modules/securityhub-baseline/variables.tf index 0dc4fd27..dccd49fe 100644 --- a/modules/securityhub-baseline/variables.tf +++ b/modules/securityhub-baseline/variables.tf 
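Review bot: The new `modules/securityhub-baseline/migrations.tf` opens with an empty line before the comment header, which none of the other migrations.tf files in this patch do; the hunk is 9 lines where the ebs and guardduty equivalents are 8, and that blank line is the only difference. Dropping it keeps the generated files uniform across modules.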
@@ -1,8 +1,3 @@ -variable "enabled" { - description = "The boolean flag whether this module is enabled or not. No resources are created when set to false." - default = true -} - variable "enable_cis_standard" { description = "Boolean whether CIS standard is enabled." default = true diff --git a/modules/securityhub-baseline/versions.tf b/modules/securityhub-baseline/versions.tf index 811c8034..706c4a0d 100644 --- a/modules/securityhub-baseline/versions.tf +++ b/modules/securityhub-baseline/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13" + required_version = ">= 1.1.3" required_providers { aws = { diff --git a/modules/vpc-baseline/README.md b/modules/vpc-baseline/README.md index d8e663f9..4823ec37 100644 --- a/modules/vpc-baseline/README.md +++ b/modules/vpc-baseline/README.md @@ -11,7 +11,7 @@ | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13 | +| [terraform](#requirement\_terraform) | >= 1.1.3 | | [aws](#requirement\_aws) | >= 3.55.0 | ## Providers 
@@ -44,7 +44,6 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [enable\_flow\_logs](#input\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in the default VPC | `bool` | `true` | no | -| [enabled](#input\_enabled) | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no | | [flow\_logs\_destination\_type](#input\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | `"cloud-watch-logs"` | no | | [flow\_logs\_iam\_role\_arn](#input\_flow\_logs\_iam\_role\_arn) | The ARN of the IAM Role which will be used by VPC Flow Logs if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | `""` | no | | [flow\_logs\_log\_group\_name](#input\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is cloud-watch-logs. | `string` | `""` | no | diff --git a/modules/vpc-baseline/main.tf b/modules/vpc-baseline/main.tf index 938cf923..fea4edd7 100644 --- a/modules/vpc-baseline/main.tf +++ b/modules/vpc-baseline/main.tf @@ -23,7 +23,7 @@ data "aws_subnet" "default" { # -------------------------------------------------------------------------------------------------- resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" { - count = var.enabled && var.enable_flow_logs && local.is_cw_logs ? 1 : 0 + count = var.enable_flow_logs && local.is_cw_logs ? 1 : 0 name = var.flow_logs_log_group_name retention_in_days = var.flow_logs_retention_in_days 
@@ -32,12 +32,12 @@ resource "aws_cloudwatch_log_group" "default_vpc_flow_logs" { } resource "aws_flow_log" "default_vpc_flow_logs" { - count = var.enabled && var.enable_flow_logs ? 1 : 0 + count = var.enable_flow_logs ? 1 : 0 log_destination_type = var.flow_logs_destination_type log_destination = local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0].arn : local.s3_destination_arn iam_role_arn = local.is_cw_logs ? var.flow_logs_iam_role_arn : null - vpc_id = aws_default_vpc.default[0].id + vpc_id = aws_default_vpc.default.id traffic_type = "ALL" tags = var.tags @@ -48,8 +48,6 @@ resource "aws_flow_log" "default_vpc_flow_logs" { # -------------------------------------------------------------------------------------------------- resource "aws_default_vpc" "default" { - count = var.enabled ? 1 : 0 - tags = merge( var.tags, { Name = "Default VPC" } @@ -69,9 +67,7 @@ resource "aws_default_subnet" "default" { } resource "aws_default_route_table" "default" { - count = var.enabled ? 1 : 0 - - default_route_table_id = aws_default_vpc.default[0].default_route_table_id + default_route_table_id = aws_default_vpc.default.default_route_table_id tags = merge( var.tags, @@ -83,9 +79,7 @@ resource "aws_default_route_table" "default" { // https://github.com/hashicorp/terraform/issues/9824 // https://github.com/terraform-providers/terraform-provider-aws/issues/346 resource "aws_default_network_acl" "default" { - count = var.enabled ? 1 : 0 - - default_network_acl_id = aws_default_vpc.default[0].default_network_acl_id + default_network_acl_id = aws_default_vpc.default.default_network_acl_id tags = merge( var.tags, @@ -98,9 +92,7 @@ resource "aws_default_network_acl" "default" { } resource "aws_default_security_group" "default" { - count = var.enabled ? 1 : 0 - - vpc_id = aws_default_vpc.default[0].id + vpc_id = aws_default_vpc.default.id tags = merge( var.tags, 
diff --git a/modules/vpc-baseline/migrations.tf b/modules/vpc-baseline/migrations.tf
new file mode 100644
index 00000000..363c5c26
--- /dev/null
+++ b/modules/vpc-baseline/migrations.tf
@@ -0,0 +1,23 @@
+# --------------------------------------------------------------------------------------------------
+# Migrations to 0.31.0
+# Removing `enabled` argument.
+# --------------------------------------------------------------------------------------------------
+moved {
+ from = aws_default_vpc.default[0]
+ to = aws_default_vpc.default
+}
+
+moved {
+ from = aws_default_route_table.default[0]
+ to = aws_default_route_table.default
+}
+
+moved {
+ from = aws_default_network_acl.default[0]
+ to = aws_default_network_acl.default
+}
+
+moved {
+ from = aws_default_security_group.default[0]
+ to = aws_default_security_group.default
+}
diff --git a/modules/vpc-baseline/outputs.tf b/modules/vpc-baseline/outputs.tf
index a50d0923..c6a6b069 100644
--- a/modules/vpc-baseline/outputs.tf
+++ b/modules/vpc-baseline/outputs.tf
@@ -1,24 +1,24 @@
 output "default_vpc" {
 description = "The default VPC."
- value = var.enabled ? aws_default_vpc.default[0] : null
+ value = aws_default_vpc.default
 }
 output "default_security_group" {
 description = "The default security group."
- value = var.enabled ? aws_default_security_group.default[0] : null
+ value = aws_default_security_group.default
 }
 output "default_network_acl" {
 description = "The default network ACL."
- value = var.enabled ? aws_default_network_acl.default[0] : null
+ value = aws_default_network_acl.default
 }
 output "default_route_table" {
 description = "The default route table."
- value = var.enabled ? aws_default_route_table.default[0] : null
+ value = aws_default_route_table.default
 }
 output "vpc_flow_logs_group" {
 description = "The CloudWatch Logs log group which stores VPC Flow Logs."
- value = var.enabled && local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0] : null
+ value = local.is_cw_logs ? aws_cloudwatch_log_group.default_vpc_flow_logs[0] : null
 }
diff --git a/modules/vpc-baseline/variables.tf b/modules/vpc-baseline/variables.tf
index a92dcb43..79bf944c 100644
--- a/modules/vpc-baseline/variables.tf
+++ b/modules/vpc-baseline/variables.tf
@@ -1,8 +1,3 @@
-variable "enabled" {
- description = "The boolean flag whether this module is enabled or not. No resources are created when set to false."
- default = true
-}
-
 variable "enable_flow_logs" {
 description = "The boolean flag whether to enable VPC Flow Logs in the default VPC"
 default = true
diff --git a/modules/vpc-baseline/versions.tf b/modules/vpc-baseline/versions.tf
index e95c3bb8..0103f91a 100644
--- a/modules/vpc-baseline/versions.tf
+++ b/modules/vpc-baseline/versions.tf
@@ -1,5 +1,5 @@
 terraform {
- required_version = ">= 0.13"
+ required_version = ">= 1.1.3"
 required_providers {
 aws = {
diff --git a/outputs.tf b/outputs.tf
index 7897d755..a3caaa12 100644
--- a/outputs.tf
+++ b/outputs.tf
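Review bot: The rewritten `vpc_flow_logs_group` output still indexes `aws_cloudwatch_log_group.default_vpc_flow_logs[0]` whenever `local.is_cw_logs` is true, but that resource's `count` (in the main.tf hunk earlier in this patch) is `var.enable_flow_logs && local.is_cw_logs ? 1 : 0`, so with flow logs disabled and a cloud-watch-logs destination the index hits an empty list and the plan fails. Replacing the conditional with `value = one(aws_cloudwatch_log_group.default_vpc_flow_logs[*])` returns the group when it exists and `null` otherwise, matching how the root outputs.tf hunks in this same commit use `one()`.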
@@ -13,7 +13,7 @@ output "audit_bucket" { output "alarm_sns_topic" { description = "The SNS topic to which CloudWatch Alarms will be sent." - value = module.alarm_baseline.alarm_sns_topic + value = one(module.alarm_baseline[*].alarm_sns_topic) } # -------------------------------------------------------------------------------------------------- @@ -22,27 +22,27 @@ output "alarm_sns_topic" { output "cloudtrail" { description = "The trail for recording events in all regions." - value = module.cloudtrail_baseline.cloudtrail + value = one(module.cloudtrail_baseline[*].cloudtrail) } output "cloudtrail_sns_topic" { description = "The sns topic linked to the cloudtrail." - value = module.cloudtrail_baseline.cloudtrail_sns_topic + value = one(module.cloudtrail_baseline[*].cloudtrail_sns_topic) } output "cloudtrail_kms_key" { description = "The KMS key used for encrypting CloudTrail events." - value = module.cloudtrail_baseline.kms_key + value = one(module.cloudtrail_baseline[*].kms_key) } output "cloudtrail_log_delivery_iam_role" { description = "The IAM role used for delivering CloudTrail events to CloudWatch Logs." - value = module.cloudtrail_baseline.log_delivery_iam_role + value = one(module.cloudtrail_baseline[*].log_delivery_iam_role) } output "cloudtrail_log_group" { description = "The CloudWatch Logs log group which stores CloudTrail events." - value = module.cloudtrail_baseline.log_group + value = one(module.cloudtrail_baseline[*].log_group) } # -------------------------------------------------------------------------------------------------- 
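Review bot: Each of these outputs now evaluates to `null` when the corresponding module's `count` is 0, yet the descriptions still read as if the value is always present. Appending a clause such as `Null when the alarm baseline is disabled.` to each `description` makes the contract visible in `terraform output` and in the generated README. The same applies to the per-region map outputs in the following hunks, whose entries become `null` for any region whose module instance is disabled.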
@@ -58,46 +58,46 @@ output "config_configuration_recorder" { description = "The configuration recorder in each region." value = { - "ap-northeast-1" = module.config_baseline_ap-northeast-1.configuration_recorder - "ap-northeast-2" = module.config_baseline_ap-northeast-2.configuration_recorder - "ap-northeast-3" = module.config_baseline_ap-northeast-3.configuration_recorder - "ap-south-1" = module.config_baseline_ap-south-1.configuration_recorder - "ap-southeast-1" = module.config_baseline_ap-southeast-1.configuration_recorder - "ap-southeast-2" = module.config_baseline_ap-southeast-2.configuration_recorder - "ca-central-1" = module.config_baseline_ca-central-1.configuration_recorder - "eu-central-1" = module.config_baseline_eu-central-1.configuration_recorder - "eu-west-1" = module.config_baseline_eu-west-1.configuration_recorder - "eu-west-2" = module.config_baseline_eu-west-2.configuration_recorder - "eu-west-3" = module.config_baseline_eu-west-3.configuration_recorder - "sa-east-1" = module.config_baseline_sa-east-1.configuration_recorder - "us-east-1" = module.config_baseline_us-east-1.configuration_recorder - "us-east-2" = module.config_baseline_us-east-2.configuration_recorder - "us-west-1" = module.config_baseline_us-west-1.configuration_recorder - "us-west-2" = module.config_baseline_us-west-2.configuration_recorder + "ap-northeast-1" = one(module.config_baseline_ap-northeast-1[*].configuration_recorder) + "ap-northeast-2" = one(module.config_baseline_ap-northeast-2[*].configuration_recorder) + "ap-northeast-3" = one(module.config_baseline_ap-northeast-3[*].configuration_recorder) + "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder) + "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder) + "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder) + "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder) + "eu-central-1" = 
one(module.config_baseline_eu-central-1[*].configuration_recorder) + "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) + "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder) + "eu-west-3" = one(module.config_baseline_eu-west-3[*].configuration_recorder) + "sa-east-1" = one(module.config_baseline_sa-east-1[*].configuration_recorder) + "us-east-1" = one(module.config_baseline_us-east-1[*].configuration_recorder) + "us-east-2" = one(module.config_baseline_us-east-2[*].configuration_recorder) + "us-west-1" = one(module.config_baseline_us-west-1[*].configuration_recorder) + "us-west-2" = one(module.config_baseline_us-west-2[*].configuration_recorder) } } output "config_sns_topic" { - description = "The SNS topic that AWS Config delivers notifications to." + description = "The SNS topic) that AWS Config delivers notifications to." value = { - "ap-northeast-1" = module.config_baseline_ap-northeast-1.config_sns_topic - "ap-northeast-2" = module.config_baseline_ap-northeast-2.config_sns_topic - "ap-northeast-3" = module.config_baseline_ap-northeast-3.config_sns_topic - "ap-south-1" = module.config_baseline_ap-south-1.config_sns_topic - "ap-southeast-1" = module.config_baseline_ap-southeast-1.config_sns_topic - "ap-southeast-2" = module.config_baseline_ap-southeast-2.config_sns_topic - "ca-central-1" = module.config_baseline_ca-central-1.config_sns_topic - "eu-central-1" = module.config_baseline_eu-central-1.config_sns_topic - "eu-north-1" = module.config_baseline_eu-north-1.config_sns_topic - "eu-west-1" = module.config_baseline_eu-west-1.config_sns_topic - "eu-west-2" = module.config_baseline_eu-west-2.config_sns_topic - "eu-west-3" = module.config_baseline_eu-west-3.config_sns_topic - "sa-east-1" = module.config_baseline_sa-east-1.config_sns_topic - "us-east-1" = module.config_baseline_us-east-1.config_sns_topic - "us-east-2" = module.config_baseline_us-east-2.config_sns_topic - "us-west-1" = 
module.config_baseline_us-west-1.config_sns_topic - "us-west-2" = module.config_baseline_us-west-2.config_sns_topic + "ap-northeast-1" = one(module.config_baseline_ap-northeast-1[*].config_sns_topic) + "ap-northeast-2" = one(module.config_baseline_ap-northeast-2[*].config_sns_topic) + "ap-northeast-3" = one(module.config_baseline_ap-northeast-3[*].config_sns_topic) + "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic) + "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic) + "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic) + "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic) + "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic) + "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic) + "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic) + "eu-west-2" = one(module.config_baseline_eu-west-2[*].config_sns_topic) + "eu-west-3" = one(module.config_baseline_eu-west-3[*].config_sns_topic) + "sa-east-1" = one(module.config_baseline_sa-east-1[*].config_sns_topic) + "us-east-1" = one(module.config_baseline_us-east-1[*].config_sns_topic) + "us-east-2" = one(module.config_baseline_us-east-2[*].config_sns_topic) + "us-west-1" = one(module.config_baseline_us-west-1[*].config_sns_topic) + "us-west-2" = one(module.config_baseline_us-west-2[*].config_sns_topic) } } 
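Review bot: The rewritten `config_sns_topic` description introduces a stray parenthesis: `description = "The SNS topic) that AWS Config delivers notifications to."` should read `description = "The SNS topic that AWS Config delivers notifications to."`. In the same hunk the `config_configuration_recorder` map lists sixteen regions and omits `eu-north-1`, while `config_sns_topic` directly below references `module.config_baseline_eu-north-1`, so the recorder for that region is never exposed; adding `"eu-north-1" = one(module.config_baseline_eu-north-1[*].configuration_recorder)` keeps the two maps consistent. The `guardduty_detector` map in the next hunk likewise has no `eu-west-3` entry although every `vpc_baseline` map does, which is worth checking against whether a `guardduty_baseline_eu-west-3` instance exists in main.tf.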
@@ -109,22 +109,22 @@ output "guardduty_detector" { description = "The GuardDuty detector in each region." value = { - "ap-northeast-1" = module.guardduty_baseline_ap-northeast-1.guardduty_detector - "ap-northeast-2" = module.guardduty_baseline_ap-northeast-2.guardduty_detector - "ap-northeast-3" = module.guardduty_baseline_ap-northeast-3.guardduty_detector - "ap-south-1" = module.guardduty_baseline_ap-south-1.guardduty_detector - "ap-southeast-1" = module.guardduty_baseline_ap-southeast-1.guardduty_detector - "ap-southeast-2" = module.guardduty_baseline_ap-southeast-2.guardduty_detector - "ca-central-1" = module.guardduty_baseline_ca-central-1.guardduty_detector - "eu-central-1" = module.guardduty_baseline_eu-central-1.guardduty_detector - "eu-north-1" = module.guardduty_baseline_eu-north-1.guardduty_detector - "eu-west-1" = module.guardduty_baseline_eu-west-1.guardduty_detector - "eu-west-2" = module.guardduty_baseline_eu-west-2.guardduty_detector - "sa-east-1" = module.guardduty_baseline_sa-east-1.guardduty_detector - "us-east-1" = module.guardduty_baseline_us-east-1.guardduty_detector - "us-east-2" = module.guardduty_baseline_us-east-2.guardduty_detector - "us-west-1" = module.guardduty_baseline_us-west-1.guardduty_detector - "us-west-2" = module.guardduty_baseline_us-west-2.guardduty_detector + "ap-northeast-1" = one(module.guardduty_baseline_ap-northeast-1[*].guardduty_detector) + "ap-northeast-2" = one(module.guardduty_baseline_ap-northeast-2[*].guardduty_detector) + "ap-northeast-3" = one(module.guardduty_baseline_ap-northeast-3[*].guardduty_detector) + "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector) + "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector) + "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector) + "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector) + "eu-central-1" = 
one(module.guardduty_baseline_eu-central-1[*].guardduty_detector) + "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) + "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector) + "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector) + "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector) + "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector) + "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector) + "us-west-1" = one(module.guardduty_baseline_us-west-1[*].guardduty_detector) + "us-west-2" = one(module.guardduty_baseline_us-west-2[*].guardduty_detector) } } 
@@ -150,23 +150,23 @@ output "vpc_flow_logs_group" { description = "The CloudWatch Logs log group which stores VPC Flow Logs in each region." value = local.is_cw_logs ? { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.vpc_flow_logs_group - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.vpc_flow_logs_group - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.vpc_flow_logs_group - "ap-south-1" = module.vpc_baseline_ap-south-1.vpc_flow_logs_group - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.vpc_flow_logs_group - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.vpc_flow_logs_group - "ca-central-1" = module.vpc_baseline_ca-central-1.vpc_flow_logs_group - "eu-central-1" = module.vpc_baseline_eu-central-1.vpc_flow_logs_group - "eu-north-1" = module.vpc_baseline_eu-north-1.vpc_flow_logs_group - "eu-west-1" = module.vpc_baseline_eu-west-1.vpc_flow_logs_group - "eu-west-2" = module.vpc_baseline_eu-west-2.vpc_flow_logs_group - "eu-west-3" = module.vpc_baseline_eu-west-3.vpc_flow_logs_group - "sa-east-1" = module.vpc_baseline_sa-east-1.vpc_flow_logs_group - "us-east-1" = module.vpc_baseline_us-east-1.vpc_flow_logs_group - "us-east-2" = module.vpc_baseline_us-east-2.vpc_flow_logs_group - "us-west-1" = module.vpc_baseline_us-west-1.vpc_flow_logs_group - "us-west-2" = module.vpc_baseline_us-west-2.vpc_flow_logs_group + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].vpc_flow_logs_group) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].vpc_flow_logs_group) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].vpc_flow_logs_group) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group) + "eu-central-1" = 
one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].vpc_flow_logs_group) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].vpc_flow_logs_group) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].vpc_flow_logs_group) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].vpc_flow_logs_group) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].vpc_flow_logs_group) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].vpc_flow_logs_group) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].vpc_flow_logs_group) } : null } 
@@ -174,23 +174,23 @@ output "default_vpc" { description = "The default VPC." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_vpc - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_vpc - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_vpc - "ap-south-1" = module.vpc_baseline_ap-south-1.default_vpc - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_vpc - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_vpc - "ca-central-1" = module.vpc_baseline_ca-central-1.default_vpc - "eu-central-1" = module.vpc_baseline_eu-central-1.default_vpc - "eu-north-1" = module.vpc_baseline_eu-north-1.default_vpc - "eu-west-1" = module.vpc_baseline_eu-west-1.default_vpc - "eu-west-2" = module.vpc_baseline_eu-west-2.default_vpc - "eu-west-3" = module.vpc_baseline_eu-west-3.default_vpc - "sa-east-1" = module.vpc_baseline_sa-east-1.default_vpc - "us-east-1" = module.vpc_baseline_us-east-1.default_vpc - "us-east-2" = module.vpc_baseline_us-east-2.default_vpc - "us-west-1" = module.vpc_baseline_us-west-1.default_vpc - "us-west-2" = module.vpc_baseline_us-west-2.default_vpc + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_vpc) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_vpc) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_vpc) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc) + "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_vpc) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_vpc) + 
"sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_vpc) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_vpc) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_vpc) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_vpc) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_vpc) } } 
@@ -198,23 +198,23 @@ output "default_security_group" { description = "The ID of the default security group." value = { - "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_security_group - "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_security_group - "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_security_group - "ap-south-1" = module.vpc_baseline_ap-south-1.default_security_group - "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_security_group - "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_security_group - "ca-central-1" = module.vpc_baseline_ca-central-1.default_security_group - "eu-central-1" = module.vpc_baseline_eu-central-1.default_security_group - "eu-north-1" = module.vpc_baseline_eu-north-1.default_security_group - "eu-west-1" = module.vpc_baseline_eu-west-1.default_security_group - "eu-west-2" = module.vpc_baseline_eu-west-2.default_security_group - "eu-west-3" = module.vpc_baseline_eu-west-3.default_security_group - "sa-east-1" = module.vpc_baseline_sa-east-1.default_security_group - "us-east-1" = module.vpc_baseline_us-east-1.default_security_group - "us-east-2" = module.vpc_baseline_us-east-2.default_security_group - "us-west-1" = module.vpc_baseline_us-west-1.default_security_group - "us-west-2" = module.vpc_baseline_us-west-2.default_security_group + "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_security_group) + "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_security_group) + "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_security_group) + "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group) + "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group) + "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group) + "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group) + "eu-central-1" = 
one(module.vpc_baseline_eu-central-1[*].default_security_group) + "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group) + "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group) + "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_security_group) + "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_security_group) + "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_security_group) + "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_security_group) + "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_security_group) + "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_security_group) + "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_security_group) } } 
@@ -222,23 +222,23 @@ output "default_network_acl" {
 description = "The default network ACL."
 value = {
- "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_network_acl
- "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_network_acl
- "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_network_acl
- "ap-south-1" = module.vpc_baseline_ap-south-1.default_network_acl
- "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_network_acl
- "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_network_acl
- "ca-central-1" = module.vpc_baseline_ca-central-1.default_network_acl
- "eu-central-1" = module.vpc_baseline_eu-central-1.default_network_acl
- "eu-north-1" = module.vpc_baseline_eu-north-1.default_network_acl
- "eu-west-1" = module.vpc_baseline_eu-west-1.default_network_acl
- "eu-west-2" = module.vpc_baseline_eu-west-2.default_network_acl
- "eu-west-3" = module.vpc_baseline_eu-west-3.default_network_acl
- "sa-east-1" = module.vpc_baseline_sa-east-1.default_network_acl
- "us-east-1" = module.vpc_baseline_us-east-1.default_network_acl
- "us-east-2" = module.vpc_baseline_us-east-2.default_network_acl
- "us-west-1" = module.vpc_baseline_us-west-1.default_network_acl
- "us-west-2" = module.vpc_baseline_us-west-2.default_network_acl
+ "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_network_acl)
+ "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_network_acl)
+ "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_network_acl)
+ "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl)
+ "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl)
+ "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl)
+ "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl)
+ "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl)
+ "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl)
+ "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl)
+ "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_network_acl)
+ "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_network_acl)
+ "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_network_acl)
+ "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_network_acl)
+ "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_network_acl)
+ "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_network_acl)
+ "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_network_acl)
 }
 }
@@ -246,23 +246,23 @@ output "default_route_table" {
 description = "The default route table."
 value = {
- "ap-northeast-1" = module.vpc_baseline_ap-northeast-1.default_route_table
- "ap-northeast-2" = module.vpc_baseline_ap-northeast-2.default_route_table
- "ap-northeast-3" = module.vpc_baseline_ap-northeast-3.default_route_table
- "ap-south-1" = module.vpc_baseline_ap-south-1.default_route_table
- "ap-southeast-1" = module.vpc_baseline_ap-southeast-1.default_route_table
- "ap-southeast-2" = module.vpc_baseline_ap-southeast-2.default_route_table
- "ca-central-1" = module.vpc_baseline_ca-central-1.default_route_table
- "eu-central-1" = module.vpc_baseline_eu-central-1.default_route_table
- "eu-north-1" = module.vpc_baseline_eu-north-1.default_route_table
- "eu-west-1" = module.vpc_baseline_eu-west-1.default_route_table
- "eu-west-2" = module.vpc_baseline_eu-west-2.default_route_table
- "eu-west-3" = module.vpc_baseline_eu-west-3.default_route_table
- "sa-east-1" = module.vpc_baseline_sa-east-1.default_route_table
- "us-east-1" = module.vpc_baseline_us-east-1.default_route_table
- "us-east-2" = module.vpc_baseline_us-east-2.default_route_table
- "us-west-1" = module.vpc_baseline_us-west-1.default_route_table
- "us-west-2" = module.vpc_baseline_us-west-2.default_route_table
+ "ap-northeast-1" = one(module.vpc_baseline_ap-northeast-1[*].default_route_table)
+ "ap-northeast-2" = one(module.vpc_baseline_ap-northeast-2[*].default_route_table)
+ "ap-northeast-3" = one(module.vpc_baseline_ap-northeast-3[*].default_route_table)
+ "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table)
+ "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table)
+ "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table)
+ "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table)
+ "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table)
+ "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table)
+ "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table)
+ "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_route_table)
+ "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_route_table)
+ "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_route_table)
+ "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_route_table)
+ "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_route_table)
+ "us-west-1" = one(module.vpc_baseline_us-west-1[*].default_route_table)
+ "us-west-2" = one(module.vpc_baseline_us-west-2[*].default_route_table)
 }
 }
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index ba90ed9a..19c07e1a 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -6,12 +6,13 @@ locals {
 }
 module "securityhub_baseline_ap-northeast-1" {
+ count = contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-northeast-1
 }
- enabled = contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled
+
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -19,13 +20,13 @@ module "securityhub_baseline_ap-northeast-1" {
 }
 module "securityhub_baseline_ap-northeast-2" {
+ count = contains(var.target_regions, "ap-northeast-2") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-northeast-2
 }
- enabled = contains(var.target_regions, "ap-northeast-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
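Review bot: The per-region gate is written `contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled ? 1 : 0` here, while vpc_baselines.tf in the same commit writes the equivalent as `local.is_enabled && contains(var.target_regions, "<region>") ? 1 : 0`; this file already has a `locals` block (the hunk's context), so defining the flag there once, e.g. `is_enabled = var.securityhub_enabled`, and using `count = local.is_enabled && contains(var.target_regions, "<region>") ? 1 : 0` in all seventeen hand-copied modules would keep the two files in step and make a drifted copy easy to spot. Moving the toggle from an `enabled` input to `count` also changes every instance address from `module.securityhub_baseline_<region>` to `module.securityhub_baseline_<region>[0]`; the diffstat lists migrations.tf files, so presumably `moved` blocks handle this, but without them a plan would destroy and recreate whatever the module manages in each region, which for Security Hub would be a visible gap in coverage. The same addressing point applies to the vpc_baseline modules later in this diff.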
@@ -34,13 +35,13 @@ module "securityhub_baseline_ap-northeast-2" {
 }
 module "securityhub_baseline_ap-northeast-3" {
+ count = contains(var.target_regions, "ap-northeast-3") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-northeast-3
 }
- enabled = contains(var.target_regions, "ap-northeast-3") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -49,13 +50,13 @@ module "securityhub_baseline_ap-northeast-3" {
 }
 module "securityhub_baseline_ap-south-1" {
+ count = contains(var.target_regions, "ap-south-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-south-1
 }
- enabled = contains(var.target_regions, "ap-south-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -64,13 +65,13 @@ module "securityhub_baseline_ap-south-1" {
 }
 module "securityhub_baseline_ap-southeast-1" {
+ count = contains(var.target_regions, "ap-southeast-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-southeast-1
 }
- enabled = contains(var.target_regions, "ap-southeast-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -79,13 +80,13 @@ module "securityhub_baseline_ap-southeast-1" {
 }
 module "securityhub_baseline_ap-southeast-2" {
+ count = contains(var.target_regions, "ap-southeast-2") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ap-southeast-2
 }
- enabled = contains(var.target_regions, "ap-southeast-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -94,13 +95,13 @@ module "securityhub_baseline_ap-southeast-2" {
 }
 module "securityhub_baseline_ca-central-1" {
+ count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.ca-central-1
 }
- enabled = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -109,13 +110,13 @@ module "securityhub_baseline_ca-central-1" {
 }
 module "securityhub_baseline_eu-central-1" {
+ count = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.eu-central-1
 }
- enabled = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -124,13 +125,13 @@ module "securityhub_baseline_eu-central-1" {
 }
 module "securityhub_baseline_eu-north-1" {
+ count = contains(var.target_regions, "eu-north-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.eu-north-1
 }
- enabled = contains(var.target_regions, "eu-north-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -139,13 +140,13 @@ module "securityhub_baseline_eu-north-1" {
 }
 module "securityhub_baseline_eu-west-1" {
+ count = contains(var.target_regions, "eu-west-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.eu-west-1
 }
- enabled = contains(var.target_regions, "eu-west-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -154,13 +155,13 @@ module "securityhub_baseline_eu-west-1" {
 }
 module "securityhub_baseline_eu-west-2" {
+ count = contains(var.target_regions, "eu-west-2") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.eu-west-2
 }
- enabled = contains(var.target_regions, "eu-west-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -169,13 +170,13 @@ module "securityhub_baseline_eu-west-2" {
 }
 module "securityhub_baseline_eu-west-3" {
+ count = contains(var.target_regions, "eu-west-3") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.eu-west-3
 }
- enabled = contains(var.target_regions, "eu-west-3") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -184,13 +185,13 @@ module "securityhub_baseline_eu-west-3" {
 }
 module "securityhub_baseline_sa-east-1" {
+ count = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.sa-east-1
 }
- enabled = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -199,13 +200,13 @@ module "securityhub_baseline_sa-east-1" {
 }
 module "securityhub_baseline_us-east-1" {
+ count = contains(var.target_regions, "us-east-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.us-east-1
 }
- enabled = contains(var.target_regions, "us-east-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -214,13 +215,13 @@ module "securityhub_baseline_us-east-1" {
 }
 module "securityhub_baseline_us-east-2" {
+ count = contains(var.target_regions, "us-east-2") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.us-east-2
 }
- enabled = contains(var.target_regions, "us-east-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -229,13 +230,13 @@ module "securityhub_baseline_us-east-2" {
 }
 module "securityhub_baseline_us-west-1" {
+ count = contains(var.target_regions, "us-west-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.us-west-1
 }
- enabled = contains(var.target_regions, "us-west-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -244,13 +245,13 @@ module "securityhub_baseline_us-west-1" {
 }
 module "securityhub_baseline_us-west-2" {
+ count = contains(var.target_regions, "us-west-2") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
 providers = {
 aws = aws.us-west-2
 }
- enabled = contains(var.target_regions, "us-west-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index 4bb08b5d..ba364029 100644
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -62,13 +62,13 @@ resource "aws_iam_role_policy" "flow_logs_publish_policy" {
 # --------------------------------------------------------------------------------------------------
 module "vpc_baseline_ap-northeast-1" {
+ count = local.is_enabled && contains(var.target_regions, "ap-northeast-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-northeast-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -82,13 +82,13 @@ module "vpc_baseline_ap-northeast-1" {
 }
 module "vpc_baseline_ap-northeast-2" {
+ count = local.is_enabled && contains(var.target_regions, "ap-northeast-2") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-northeast-2
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-2")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -102,13 +102,13 @@ module "vpc_baseline_ap-northeast-2" {
 }
 module "vpc_baseline_ap-northeast-3" {
+ count = local.is_enabled && contains(var.target_regions, "ap-northeast-3") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-northeast-3
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-northeast-3")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -122,13 +122,13 @@ module "vpc_baseline_ap-northeast-3" {
 }
 module "vpc_baseline_ap-south-1" {
+ count = local.is_enabled && contains(var.target_regions, "ap-south-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-south-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-south-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -142,13 +142,13 @@ module "vpc_baseline_ap-south-1" {
 }
 module "vpc_baseline_ap-southeast-1" {
+ count = local.is_enabled && contains(var.target_regions, "ap-southeast-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-southeast-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-southeast-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -162,13 +162,13 @@ module "vpc_baseline_ap-southeast-1" {
 }
 module "vpc_baseline_ap-southeast-2" {
+ count = local.is_enabled && contains(var.target_regions, "ap-southeast-2") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ap-southeast-2
 }
- enabled = local.is_enabled && contains(var.target_regions, "ap-southeast-2")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -182,13 +182,13 @@ module "vpc_baseline_ap-southeast-2" {
 }
 module "vpc_baseline_ca-central-1" {
+ count = local.is_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.ca-central-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "ca-central-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -202,13 +202,13 @@ module "vpc_baseline_ca-central-1" {
 }
 module "vpc_baseline_eu-central-1" {
+ count = local.is_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.eu-central-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "eu-central-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -222,13 +222,13 @@ module "vpc_baseline_eu-central-1" {
 }
 module "vpc_baseline_eu-north-1" {
+ count = local.is_enabled && contains(var.target_regions, "eu-north-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.eu-north-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "eu-north-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -242,13 +242,13 @@ module "vpc_baseline_eu-north-1" {
 }
 module "vpc_baseline_eu-west-1" {
+ count = local.is_enabled && contains(var.target_regions, "eu-west-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.eu-west-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "eu-west-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -262,13 +262,13 @@ module "vpc_baseline_eu-west-1" {
 }
 module "vpc_baseline_eu-west-2" {
+ count = local.is_enabled && contains(var.target_regions, "eu-west-2") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.eu-west-2
 }
- enabled = local.is_enabled && contains(var.target_regions, "eu-west-2")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -282,13 +282,13 @@ module "vpc_baseline_eu-west-2" {
 }
 module "vpc_baseline_eu-west-3" {
+ count = local.is_enabled && contains(var.target_regions, "eu-west-3") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.eu-west-3
 }
- enabled = local.is_enabled && contains(var.target_regions, "eu-west-3")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -302,13 +302,13 @@ module "vpc_baseline_eu-west-3" {
 }
 module "vpc_baseline_sa-east-1" {
+ count = local.is_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.sa-east-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "sa-east-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -322,13 +322,13 @@ module "vpc_baseline_sa-east-1" {
 }
 module "vpc_baseline_us-east-1" {
+ count = local.is_enabled && contains(var.target_regions, "us-east-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.us-east-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "us-east-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -342,13 +342,13 @@ module "vpc_baseline_us-east-1" {
 }
 module "vpc_baseline_us-east-2" {
+ count = local.is_enabled && contains(var.target_regions, "us-east-2") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.us-east-2
 }
- enabled = local.is_enabled && contains(var.target_regions, "us-east-2")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -362,13 +362,13 @@ module "vpc_baseline_us-east-2" {
 }
 module "vpc_baseline_us-west-1" {
+ count = local.is_enabled && contains(var.target_regions, "us-west-1") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.us-west-1
 }
- enabled = local.is_enabled && contains(var.target_regions, "us-west-1")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
@@ -382,13 +382,13 @@ module "vpc_baseline_us-west-1" {
 }
 module "vpc_baseline_us-west-2" {
+ count = local.is_enabled && contains(var.target_regions, "us-west-2") ? 1 : 0
 source = "./modules/vpc-baseline"
 providers = {
 aws = aws.us-west-2
 }
- enabled = local.is_enabled && contains(var.target_regions, "us-west-2")
 enable_flow_logs = var.vpc_enable_flow_logs
 flow_logs_destination_type = var.vpc_flow_logs_destination_type
 flow_logs_log_group_name = var.vpc_flow_logs_log_group_name