Use central allowed_region for all region bound configurations

UPGRADING.md

@@ -2,7 +2,7 @@
 
 This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
 
-## Upgrading to v4.1.0
+## Upgrading to v5.0.0
 
 ### Behaviour
 
@@ -11,6 +11,10 @@ This document captures required refactoring on your part when upgrading to a mod
 
 This version enables Security Hub Findings Aggregation for all regions. You can change this behauviour by setting `var.aws_security_hub.aggregator_linking_mode` to `ALL_REGIONS_EXCEPT_SPECIFIED` or `SPECIFIED_REGIONS` and providing the list of regions via `var.aws_security_hub.aggregator_specified_regions`
 
+The following variables have been replaced:
+* `aws_service_control_policies.allowed_regions` -> `allowed_regions`
+* `aws_config.aggregator_regions` -> `allowed_regions`
+
 
 ## Upgrading to v4.0.0
 

config.tf

@@ -1,7 +1,7 @@
 locals {
   aws_config_aggregators = flatten([
     for account in toset(try(var.aws_config.aggregator_account_ids, [])) : [
-      for region in toset(try(var.aws_config.aggregator_regions, [])) : {
+      for region in toset(try(var.allowed_regions, [])) : {
         account_id = account
         region     = region
       }
@@ -32,7 +32,7 @@ resource "aws_config_aggregate_authorization" "master" {
 }
 
 resource "aws_config_aggregate_authorization" "master_to_audit" {
-  for_each = toset(coalescelist(var.aws_config.aggregator_regions, [data.aws_region.current.name]))
+  for_each = toset(coalescelist(var.allowed_regions, [data.aws_region.current.name]))
 
   account_id = var.control_tower_account_ids.audit
   region     = each.value

organizations_policy.tf

@@ -1,9 +1,9 @@
 locals {
   enabled_root_policies = {
     allowed_regions = {
-      enable = var.aws_service_control_policies.allowed_regions != null ? true : false
-      policy = var.aws_service_control_policies.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
-        allowed    = var.aws_service_control_policies.allowed_regions != null ? var.aws_service_control_policies.allowed_regions : []
+      enable = var.allowed_regions != null ? true : false
+      policy = var.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
+        allowed    = var.allowed_regions != null ? var.allowed_regions : []
         exceptions = local.aws_service_control_policies_principal_exceptions
       }) : null
     }

security_hub.tf

@@ -110,7 +110,7 @@ resource "aws_securityhub_finding_aggregator" "default" {
   provider = aws.audit
 
   linking_mode      = var.aws_security_hub.aggregator_linking_mode
-  specified_regions = var.aws_security_hub.aggregator_specified_regions
+  specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? var.allowed_regions : null
 
   depends_on = [aws_securityhub_account.default]
 }

variables.tf

@@ -18,6 +18,11 @@ variable "additional_auditing_trail" {
   description = "CloudTrail configuration for additional auditing trail"
 }
 
+variable "allowed_regions" {
+  type        = list(string)
+  description = "List of AWS regions where operations are allowed and for which central services like Security Hub and AWS Config are configured."
+}
+
 variable "aws_account_password_policy" {
   type = object({
     allow_users_to_change        = bool
@@ -57,15 +62,13 @@ variable "aws_auditmanager" {
 variable "aws_config" {
   type = object({
     aggregator_account_ids          = optional(list(string), [])
-    aggregator_regions              = optional(list(string), [])
     delivery_channel_s3_bucket_name = optional(string, null)
     delivery_channel_s3_key_prefix  = optional(string, null)
     delivery_frequency              = optional(string, "TwentyFour_Hours")
     rule_identifiers                = optional(list(string), [])
   })
   default = {
     aggregator_account_ids          = []
-    aggregator_regions              = []
     delivery_channel_s3_bucket_name = null
     delivery_channel_s3_key_prefix  = null
     delivery_frequency              = "TwentyFour_Hours"
@@ -151,13 +154,12 @@ variable "aws_required_tags" {
 
 variable "aws_security_hub" {
   type = object({
-    aggregator_linking_mode      = optional(string, "ALL_REGIONS")
-    aggregator_specified_regions = optional(list(string), null)
-    auto_enable_controls         = optional(bool, true)
-    control_finding_generator    = optional(string, "SECURITY_CONTROL")
-    create_cis_metric_filters    = optional(bool, true)
-    product_arns                 = optional(list(string), [])
-    standards_arns               = optional(list(string), null)
+    aggregator_linking_mode   = optional(string, "SPECIFIED_REGIONS")
+    auto_enable_controls      = optional(bool, true)
+    control_finding_generator = optional(string, "SECURITY_CONTROL")
+    create_cis_metric_filters = optional(bool, true)
+    product_arns              = optional(list(string), [])
+    standards_arns            = optional(list(string), null)
   })
   default     = {}
   description = "AWS Security Hub settings"
@@ -166,6 +168,11 @@ variable "aws_security_hub" {
     condition     = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.aws_security_hub.control_finding_generator)
     error_message = "The \"control_finding_generator\" variable must be set to either \"SECURITY_CONTROL\" or \"STANDARD_CONTROL\"."
   }
+
+  validation {
+    condition     = var.aws_security_hub.aggregator_linking_mode != "ALL_REGIONS"
+    error_message = "Security Hub Linking mode cannot be set to \"ALL_REGIONS\" since AWS Config needs to be configured in all regions individually."
+  }
 }
 
 variable "aws_security_hub_sns_subscription" {