Commit de56e12

committed
Updating module sessions
1 parent 98625c8 commit de56e12

20 files changed

+391
-86
lines changed

.header.md

Lines changed: 19 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,31 @@
1-
# Terraform Module for AWS GuardDuty
1+
# Terraform Module for AWS Security Hub
22

3-
- [Terraform Module for AWS GuardDuty](#terraform-module-for-aws-guardduty)
4-
- [Overview Diagrams](#overview-diagrams)
5-
- [Stand-Alone](#stand-alone)
3+
Terraform module that creates AWS Security Hub resources.
4+
5+
- [Terraform Module for AWS Security Hub](#terraform-module-for-aws-security-hub)
6+
- [Usage](#usage)
7+
- [Standalone](#standalone)
68
- [Organizations](#organizations)
9+
- [Overview Diagrams](#overview-diagrams)
10+
- [Standalone](#standalone-1)
11+
- [Organizations](#organizations-1)
712
- [Terraform Module](#terraform-module)
813

14+
15+
## Usage
16+
17+
### Standalone
18+
19+
### Organizations
20+
921
## Overview Diagrams
1022

11-
### Stand-Alone
23+
### Standalone
1224

13-
![standalone-diagram](./docs/StandaloneGuardDuty_v1.png)
25+
![standalone-diagram](./docs/StandaloneSecurityHub_v1.png)
1426

1527
### Organizations
1628

17-
![organizations-diagram](./docs/OrgGuardDuty_v1.png)
29+
![organizations-diagram](./docs/OrgsSecurityHub_v1.png)
1830

1931
## Terraform Module
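Review bot: the new `## Usage` block (new-file lines 15-20) adds `### Standalone` and `### Organizations` headings with no body, so the table of contents now links to two empty sections. Either put a minimal `module "securityhub" { source = "..." }` invocation under each, or drop the headings until the examples exist. Also, the two diagram file names follow different patterns (`StandaloneSecurityHub_v1.png` vs `OrgsSecurityHub_v1.png`); worth confirming both files are actually present under `./docs/`, since no image rename appears in this commit's file list.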

README.md

Lines changed: 25 additions & 8 deletions
@@ -1,20 +1,31 @@
1-
# Terraform Module for AWS GuardDuty
1+
# Terraform Module for AWS Security Hub
22

3-
- [Terraform Module for AWS GuardDuty](#terraform-module-for-aws-guardduty)
4-
- [Overview Diagrams](#overview-diagrams)
5-
- [Stand-Alone](#stand-alone)
3+
Terraform module that creates AWS Security Hub resources.
4+
5+
- [Terraform Module for AWS Security Hub](#terraform-module-for-aws-security-hub)
6+
- [Usage](#usage)
7+
- [Standalone](#standalone)
68
- [Organizations](#organizations)
9+
- [Overview Diagrams](#overview-diagrams)
10+
- [Standalone](#standalone-1)
11+
- [Organizations](#organizations-1)
712
- [Terraform Module](#terraform-module)
813

14+
## Usage
15+
16+
### Standalone
17+
18+
### Organizations
19+
920
## Overview Diagrams
1021

11-
### Stand-Alone
22+
### Standalone
1223

13-
![standalone-diagram](./docs/StandaloneGuardDuty\_v1.png)
24+
![standalone-diagram](./docs/StandaloneSecurityHub\_v1.png)
1425

1526
### Organizations
1627

17-
![organizations-diagram](./docs/OrgGuardDuty\_v1.png)
28+
![organizations-diagram](./docs/OrgsSecurityHub\_v1.png)
1829

1930
## Terraform Module
2031

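Review bot: this hunk mirrors the .header.md change line for line, which suggests README.md is generated (terraform-docs style) from .header.md; if so, the empty `### Standalone` and `### Organizations` usage sections should be filled in .header.md and the README regenerated rather than edited here. The image paths came through with escaped underscores (`StandaloneSecurityHub\_v1.png`, `OrgsSecurityHub\_v1.png`); Markdown treats `\_` as `_` inside a link destination so they should still resolve, but check the rendered README once rather than assuming.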
@@ -61,4 +72,10 @@ No modules.
6172

6273
### Outputs
6374

64-
No outputs.
75+
| Name | Description |
76+
|------|-------------|
77+
| <a name="output_action_target"></a> [action\_target](#output\_action\_target) | Security Hub custome action targets. |
78+
| <a name="output_finding_aggregator"></a> [finding\_aggregator](#output\_finding\_aggregator) | Security Hub finding aggregator configuration. |
79+
| <a name="output_product_subscription"></a> [product\_subscription](#output\_product\_subscription) | Security Hub products subscriptions. |
80+
| <a name="output_securityhub_account"></a> [securityhub\_account](#output\_securityhub\_account) | Security Hub AWS account configuration. |
81+
| <a name="output_standards_subscription"></a> [standards\_subscription](#output\_standards\_subscription) | Security Hub compliance standards subscriptions. |
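Review bot: typo in the `action_target` output description: "custome action targets" should read "custom action targets", and the `product_subscription` row reads better as "Security Hub product subscriptions". Because this table is generated from the `description` strings in outputs.tf, fix them there and regenerate instead of patching the table by hand.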

data.tf

Lines changed: 0 additions & 1 deletion
This file was deleted.

locals.tf

Lines changed: 0 additions & 24 deletions
This file was deleted.

main.tf

Lines changed: 36 additions & 0 deletions
@@ -1,3 +1,33 @@
1+
data "aws_region" "current" {}
2+
3+
locals {
4+
standards_subscription = {
5+
aws_foundational_security_best_practices = var.standards_config != null ? merge(var.standards_config.aws_foundational_security_best_practices,
6+
{
7+
arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
8+
}) : null
9+
cis_aws_foundations_benchmark_v120 = var.standards_config != null ? merge(var.standards_config.cis_aws_foundations_benchmark_v120,
10+
{
11+
arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
12+
}) : null
13+
cis_aws_foundations_benchmark_v140 = var.standards_config != null ? merge(var.standards_config.cis_aws_foundations_benchmark_v140,
14+
{
15+
arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"
16+
}) : null
17+
nist_sp_800_53_rev5 = var.standards_config != null ? merge(var.standards_config.nist_sp_800_53_rev5,
18+
{
19+
arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/nist-800-53/v/5.0.0"
20+
}) : null
21+
pci_dss = var.standards_config != null ? merge(var.standards_config.pci_dss,
22+
{
23+
arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
24+
}) : null
25+
}
26+
}
27+
28+
##################################################
29+
# Security Hub
30+
##################################################
131
resource "aws_securityhub_account" "this" {
232
enable_default_standards = var.enable_default_standards
333
control_finding_generator = var.control_finding_generator
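Review bot: every entry in `local.standards_subscription` only checks `var.standards_config != null` before calling `merge(var.standards_config.<standard>, { arn = ... })`; if a caller passes `standards_config` with some standards left `null` (for instance an object type with optional attributes), `merge()` receives a null argument, which Terraform rejects at plan time. Guard per standard, e.g. `var.standards_config.pci_dss != null ? merge(var.standards_config.pci_dss, { arn = "..." }) : null`, or wrap each in `try(merge(...), null)`. Second, all five ARNs hard-code the `aws` partition; substituting `data.aws_partition.current.partition` for the literal keeps the module usable in GovCloud and China regions, and the `data "aws_region" "current" {}` block that moved here from the deleted data.tf is the natural place to add that data source. The CIS 1.2.0 entry deliberately has no region (`arn:aws:securityhub:::ruleset/...`), which matches how that legacy standard is addressed, so that difference is fine.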
@@ -11,6 +41,9 @@ resource "aws_securityhub_finding_aggregator" "this" {
1141
depends_on = [aws_securityhub_account.this]
1242
}
1343

44+
##################################################
45+
# Security Hub Subscriptions
46+
##################################################
1447
resource "aws_securityhub_product_subscription" "this" {
1548
for_each = var.product_config != null ? { for product in var.product_config : product.arn => product } : {}
1649
product_arn = each.value.arn
@@ -26,6 +59,9 @@ resource "aws_securityhub_standards_subscription" "this" {
2659
depends_on = [aws_securityhub_account.this]
2760
}
2861

62+
##################################################
63+
# Security Hub Action Targets
64+
##################################################
2965
resource "aws_securityhub_action_target" "this" {
3066
for_each = var.action_target != null ? { for target in var.action_target : target.identifier => target } : {}
3167

modules/organizations_admin/README.md

Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
## Requirements
2+
3+
| Name | Version |
4+
|------|---------|
5+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
6+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
7+
8+
## Providers
9+
10+
| Name | Version |
11+
|------|---------|
12+
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.5.0 |
13+
14+
## Modules
15+
16+
No modules.
17+
18+
## Resources
19+
20+
| Name | Type |
21+
|------|------|
22+
| [aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource |
23+
| [aws_securityhub_organization_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_configuration) | resource |
24+
25+
## Inputs
26+
27+
| Name | Description | Type | Default | Required |
28+
|------|-------------|------|---------|:--------:|
29+
| <a name="input_admin_account_id"></a> [admin\_account\_id](#input\_admin\_account\_id) | AWS Organizations Admin Account Id. Defaults to `null` | `string` | `null` | no |
30+
| <a name="input_auto_enable_standards"></a> [auto\_enable\_standards](#input\_auto\_enable\_standards) | Automatically enable Security Hub default standards for new member accounts in the organization. To opt-out of enabling default standards, set to `NONE`. Defaults to `DEFAULT`. | `string` | `"DEFAULT"` | no |
31+
32+
## Outputs
33+
34+
| Name | Description |
35+
|------|-------------|
36+
| <a name="output_securityhub_delegated_admin_account"></a> [securityhub\_delegated\_admin\_account](#output\_securityhub\_delegated\_admin\_account) | AWS Security Hub Delegated Admin account. |
37+
| <a name="output_securityhub_organization_configuration"></a> [securityhub\_organization\_configuration](#output\_securityhub\_organization\_configuration) | AWS Security Hub Organizations configuration. |
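Review bot: the Providers table pins `aws` at `5.5.0` while Requirements states `>= 4.47`; that pin is what terraform-docs emits when a `.terraform.lock.hcl` is present at generation time, and the member module's README in this same commit shows the `>= 4.47` constraint instead, so regenerate both from the same state for consistency. Minor: the `admin_account_id` description ("AWS Organizations Admin Account Id. Defaults to `null`") lacks the trailing period the other descriptions have; fix it in variables.tf.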

modules/organizations_admin/main.tf

Lines changed: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
1+
##################################################
2+
# Security Hub Delegated Admin
3+
##################################################
14
resource "aws_securityhub_organization_admin_account" "this" {
25
count = var.admin_account_id == null ? 0 : 1
36
admin_account_id = var.admin_account_id

modules/organizations_admin/outputs.tf

Lines changed: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
1+
##################################################
2+
# Security Hub Delegated Admin
3+
##################################################
14
output "securityhub_delegated_admin_account" {
25
description = "AWS Security Hub Delegated Admin account."
36
value = aws_securityhub_organization_admin_account.this

modules/organizations_admin/variables.tf

Lines changed: 3 additions & 0 deletions
@@ -1,3 +1,6 @@
1+
##################################################
2+
# Security Hub Delegated Admin
3+
##################################################
14
variable "admin_account_id" {
25
description = "AWS Organizations Admin Account Id. Defaults to `null`"
36
type = string
Lines changed: 39 additions & 0 deletions
@@ -0,0 +1,39 @@
1+
## Requirements
2+
3+
| Name | Version |
4+
|------|---------|
5+
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
6+
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.47 |
7+
8+
## Providers
9+
10+
| Name | Version |
11+
|------|---------|
12+
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.47 |
13+
| <a name="provider_aws.member"></a> [aws.member](#provider\_aws.member) | >= 4.47 |
14+
15+
## Modules
16+
17+
No modules.
18+
19+
## Resources
20+
21+
| Name | Type |
22+
|------|------|
23+
| [aws_securityhub_account.member](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_account) | resource |
24+
| [aws_securityhub_invite_accepter.member](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_invite_accepter) | resource |
25+
| [aws_securityhub_member.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_member) | resource |
26+
27+
## Inputs
28+
29+
| Name | Description | Type | Default | Required |
30+
|------|-------------|------|---------|:--------:|
31+
| <a name="input_member_config"></a> [member\_config](#input\_member\_config) | Specifies the member account configuration:<br> `account_id` - The 13 digit ID number of the member account. Example: `123456789012`.<br> `email` - Email address to send the invite for member account. Defaults to `null`.<br> `invite` - Whether to invite the account to SecurityHub as a member. Defaults to `false`. To detect if an invitation needs to be (re-)sent, the Terraform state value is true based on a `member_status` of `Disabled` \| `Enabled` \| `Invited` \| EmailVerificationInProgress. | <pre>list(object({<br> account_id = number<br> email = string<br> invite = bool<br> }))</pre> | `null` | no |
32+
33+
## Outputs
34+
35+
| Name | Description |
36+
|------|-------------|
37+
| <a name="output_securityhub_member"></a> [securityhub\_member](#output\_securityhub\_member) | AWS Security Hub member configuration. |
38+
| <a name="output_securityhub_member_account"></a> [securityhub\_member\_account](#output\_securityhub\_member\_account) | AWS Security Hub member account configuration. |
39+
| <a name="output_securityhub_member_invite"></a> [securityhub\_member\_invite](#output\_securityhub\_member\_invite) | AWS Security Hub organizations invite. |
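Review bot: the `member_config` description says `account_id` is "The 13 digit ID number of the member account", but AWS account IDs are 12 digits, as the `123456789012` example in the same sentence shows. More importantly, the type is `account_id = number`: an account ID with a leading zero (e.g. `012345678901`) silently loses that digit when parsed as a number, so it should be `string`. The `invite` sentence ("the Terraform state value is true based on a `member_status` of `Disabled` \| `Enabled` \| `Invited` \| EmailVerificationInProgress") is hard to follow; suggest "`invite` stays `true` in state while `member_status` is one of `Disabled`, `Enabled`, `Invited` or `EmailVerificationInProgress`, so Terraform can detect when an invitation must be (re-)sent", and put `EmailVerificationInProgress` in backticks like the other values. Since this table is generated, make the changes in the variable's `description` and `type` in the member module's variables.tf.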
