diff --git a/UPGRADING.md b/UPGRADING.md
index c762184..23ac501 100644
--- a/UPGRADING.md
+++ b/UPGRADING.md
@@ -2,7 +2,7 @@
 
 This document captures required refactoring on your part when upgrading to a module version that contains breaking changes.
 
-## Upgrading to v4.1.0
+## Upgrading to v5.0.0
 
 ### Behaviour
 
@@ -11,6 +11,10 @@ This document captures required refactoring on your part when upgrading to a mod
 
 This version enables Security Hub Findings Aggregation for all regions. You can change this behauviour by setting `var.aws_security_hub.aggregator_linking_mode` to `ALL_REGIONS_EXCEPT_SPECIFIED` or `SPECIFIED_REGIONS` and providing the list of regions via `var.aws_security_hub.aggregator_specified_regions`
 
+The following variables have been replaced:
+* `aws_service_control_policies.allowed_regions` -> `allowed_regions`
+* `aws_config.aggregator_regions` -> `allowed_regions`
+
 ## Upgrading to v4.0.0
 
diff --git a/config.tf b/config.tf
index 17f8171..74079f2 100644
--- a/config.tf
+++ b/config.tf
@@ -1,7 +1,7 @@
 locals {
   aws_config_aggregators = flatten([
     for account in toset(try(var.aws_config.aggregator_account_ids, [])) : [
-      for region in toset(try(var.aws_config.aggregator_regions, [])) : {
+      for region in toset(try(var.allowed_regions, [])) : {
         account_id = account
         region = region
       }
@@ -32,7 +32,7 @@ resource "aws_config_aggregate_authorization" "master" {
 }
 
 resource "aws_config_aggregate_authorization" "master_to_audit" {
-  for_each = toset(coalescelist(var.aws_config.aggregator_regions, [data.aws_region.current.name]))
+  for_each = toset(coalescelist(var.allowed_regions, [data.aws_region.current.name]))
 
   account_id = var.control_tower_account_ids.audit
   region = each.value
diff --git a/organizations_policy.tf b/organizations_policy.tf
index 3f2d3d3..f515965 100644
--- a/organizations_policy.tf
+++ b/organizations_policy.tf
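Review bot: The two config.tf hunks now disagree on what an empty `allowed_regions` means: `local.aws_config_aggregators` iterates `toset(try(var.allowed_regions, []))` and yields no authorizations, while `master_to_audit` falls back via `coalescelist` to `data.aws_region.current.name` and still authorizes the audit account in the current region. Since `allowed_regions` is the same list that drives the allowed-regions SCP elsewhere in this change, silently authorizing a region that is not in that list is surprising; either drop the fallback or, if it is intentional, say so next to the line: `# Fallback: with no allowed regions, only authorize the current region`. Separately, `try(var.allowed_regions, [])` guards nothing — evaluating a declared variable does not error, so a null value still reaches `toset` — and `for region in toset(var.allowed_regions) : {` would be the honest form. The enclosing `locals` block in the first hunk continues past the hunk.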
@@ -1,9 +1,9 @@
 locals {
   enabled_root_policies = {
     allowed_regions = {
-      enable = var.aws_service_control_policies.allowed_regions != null ? true : false
-      policy = var.aws_service_control_policies.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
-        allowed = var.aws_service_control_policies.allowed_regions != null ? var.aws_service_control_policies.allowed_regions : []
+      enable = var.allowed_regions != null ? true : false
+      policy = var.allowed_regions != null ? templatefile("${path.module}/files/organizations/allowed_regions.json.tpl", {
+        allowed = var.allowed_regions != null ? var.allowed_regions : []
         exceptions = local.aws_service_control_policies_principal_exceptions
       }) : null
     }
diff --git a/security_hub.tf b/security_hub.tf
index 35358fb..bcd85e8 100644
--- a/security_hub.tf
+++ b/security_hub.tf
@@ -110,7 +110,7 @@ resource "aws_securityhub_finding_aggregator" "default" {
   provider = aws.audit
 
   linking_mode = var.aws_security_hub.aggregator_linking_mode
-  specified_regions = var.aws_security_hub.aggregator_specified_regions
+  specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? var.allowed_regions : null
 
   depends_on = [aws_securityhub_account.default]
 }
diff --git a/variables.tf b/variables.tf
index eb41d90..56f60f3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -18,6 +18,11 @@ variable "additional_auditing_trail" {
   description = "CloudTrail configuration for additional auditing trail"
 }
 
+variable "allowed_regions" {
+  type = list(string)
+  description = "List of AWS regions where operations are allowed and for which central services like Security Hub and AWS Config are configured."
+}
+
 variable "aws_account_password_policy" {
   type = object({
     allow_users_to_change = bool
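Review bot: The null checks in the `allowed_regions` policy entry are the only gate on this SCP, and `[] != null` is true, so an empty `allowed_regions` list still renders the policy with `allowed = []`; depending on how `allowed_regions.json.tpl` (not in this diff) builds its condition, that may produce a deny-everything SCP or an invalid policy document rather than "no region restriction". Consider `enable = var.allowed_regions != null && length(var.allowed_regions) > 0` with the same guard on `policy`, or reject empty lists where the variable is declared. As a point of style, `var.allowed_regions != null ? true : false` is a redundant ternary; `enable = var.allowed_regions != null` reads the same. The `locals` block continues past the hunk.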
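Review bot: `specified_regions = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS" ? var.allowed_regions : null` leaves `ALL_REGIONS_EXCEPT_SPECIFIED` — a value the variable's string type still accepts and that the UPGRADING.md context line above still advertises — with a null region list, which, as far as I recall, the finding-aggregator API rejects for that mode; and reusing `allowed_regions` there would invert the intent anyway, since in that mode the list names regions to exclude. If only `SPECIFIED_REGIONS` is meant to be supported, say so here rather than leaving it implicit in a ternary: `# Only SPECIFIED_REGIONS is supported: aggregate exactly the SCP-allowed regions so finding aggregation and per-region AWS Config coverage stay aligned`. The upgrade note that still points users at the removed `var.aws_security_hub.aggregator_specified_regions` should be refreshed in the same release. The resource block starts before this hunk.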
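Review bot: `variable "allowed_regions"` has no `nullable = false` and no `validation`, yet this change makes it the single source of truth for the region-deny SCP, Config aggregation authorizations and Security Hub finding aggregation, so a `null` or `[]` value flows straight into those resources. Add `nullable = false` and a validation such as `condition = length(var.allowed_regions) > 0` with an error message stating that at least one region must be allowed; a region-name pattern check would also catch typos before an SCP is rendered. The description should name the security consequence of the list, since that is what a caller needs to know: `"Regions in which operations are allowed; all other regions are denied via SCP, and Security Hub and AWS Config aggregation are scoped to this list."`.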
@@ -57,7 +62,6 @@ variable "aws_auditmanager" {
 variable "aws_config" {
   type = object({
     aggregator_account_ids = optional(list(string), [])
-    aggregator_regions = optional(list(string), [])
     delivery_channel_s3_bucket_name = optional(string, null)
     delivery_channel_s3_key_prefix = optional(string, null)
     delivery_frequency = optional(string, "TwentyFour_Hours")
@@ -65,7 +69,6 @@ variable "aws_config" {
   })
   default = {
     aggregator_account_ids = []
-    aggregator_regions = []
     delivery_channel_s3_bucket_name = null
     delivery_channel_s3_key_prefix = null
     delivery_frequency = "TwentyFour_Hours"
@@ -151,13 +154,12 @@ variable "aws_required_tags" {
 
 variable "aws_security_hub" {
   type = object({
-    aggregator_linking_mode = optional(string, "ALL_REGIONS")
-    aggregator_specified_regions = optional(list(string), null)
-    auto_enable_controls = optional(bool, true)
-    control_finding_generator = optional(string, "SECURITY_CONTROL")
-    create_cis_metric_filters = optional(bool, true)
-    product_arns = optional(list(string), [])
-    standards_arns = optional(list(string), null)
+    aggregator_linking_mode = optional(string, "SPECIFIED_REGIONS")
+    auto_enable_controls = optional(bool, true)
+    control_finding_generator = optional(string, "SECURITY_CONTROL")
+    create_cis_metric_filters = optional(bool, true)
+    product_arns = optional(list(string), [])
+    standards_arns = optional(list(string), null)
   })
   default = {}
   description = "AWS Security Hub settings"
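Review bot: `description = "AWS Security Hub settings"` no longer tells a caller where the aggregation regions come from: `aggregator_specified_regions` is gone, `aggregator_linking_mode` defaults to `SPECIFIED_REGIONS`, and the region list is now taken from `var.allowed_regions` in security_hub.tf, none of which is visible from this variable block. Suggest a description along the lines of `"AWS Security Hub settings. Finding aggregation uses var.allowed_regions as its region list, so aggregator_linking_mode should be SPECIFIED_REGIONS."`. The type still accepts `ALL_REGIONS_EXCEPT_SPECIFIED` even though the module provides no region list for it; tightening that belongs in the variable's validation block, which follows in the next hunk.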
@@ -166,6 +168,11 @@ variable "aws_security_hub" {
     condition = contains(["SECURITY_CONTROL", "STANDARD_CONTROL"], var.aws_security_hub.control_finding_generator)
     error_message = "The \"control_finding_generator\" variable must be set to either \"SECURITY_CONTROL\" or \"STANDARD_CONTROL\"."
   }
+
+  validation {
+    condition = var.aws_security_hub.aggregator_linking_mode != "ALL_REGIONS"
+    error_message = "Security Hub Linking mode cannot be set to \"ALL_REGIONS\" since AWS Config needs to be configured in all regions individually."
+  }
 }
 
 variable "aws_security_hub_sns_subscription" {
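Review bot: The new validation is a deny-list — `aggregator_linking_mode != "ALL_REGIONS"` — so `ALL_REGIONS_EXCEPT_SPECIFIED` and any misspelling still pass plan-time validation, while security_hub.tf in this same diff sets `specified_regions` to `null` for every value other than `SPECIFIED_REGIONS`, an error that then surfaces only at apply time in the audit account. The existing `control_finding_generator` check just above uses `contains([...])`; match it with an allow-list: `condition = var.aws_security_hub.aggregator_linking_mode == "SPECIFIED_REGIONS"` and `error_message = "aggregator_linking_mode must be \"SPECIFIED_REGIONS\": regions are taken from var.allowed_regions so Security Hub aggregation stays aligned with AWS Config, which is configured per region."`. The `variable "aws_security_hub"` block starts before this hunk.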