Terraform Security Hub Central Account #42259

Open
AliElKhatteb opened this issue Apr 16, 2025 · 2 comments
Labels
bug Addresses a defect in current functionality. service/securityhub Issues and PRs that pertain to the securityhub service.

Comments

@AliElKhatteb

AliElKhatteb commented Apr 16, 2025

Terraform and AWS Provider Version

terraform v1.10.5
aws provider v5.54.1

Affected Resource(s) or Data Source(s)

provider "aws" {
  alias   = "management"
  # Use "aws configure" to create the "management" profile with the Management account credentials
  profile = "management"
}

provider "aws" {
  alias   = "audit"
  # Use "aws configure" to create the "audit" profile with the Audit account credentials
  profile = "audit"
}

data "aws_caller_identity" "audit" {
  provider = aws.audit
}

resource "aws_securityhub_account" "audit" {
  provider                 = aws.audit
  enable_default_standards = false
}

resource "aws_securityhub_organization_admin_account" "this" {
  provider         = aws.management
  admin_account_id = data.aws_caller_identity.audit.account_id
  depends_on       = [aws_securityhub_account.audit]
}

resource "aws_securityhub_finding_aggregator" "this" {
  provider     = aws.audit
  linking_mode = "ALL_REGIONS"
  depends_on   = [aws_securityhub_account.audit]
}

resource "aws_securityhub_organization_configuration" "this" {
  provider              = aws.audit
  auto_enable           = false
  auto_enable_standards = "NONE"
  organization_configuration {
    configuration_type = "CENTRAL"
  }
  depends_on = [
    aws_securityhub_organization_admin_account.this,
    aws_securityhub_finding_aggregator.this
  ]
}

data "aws_region" "audit" {
  provider = aws.audit
}

data "aws_partition" "audit" {
  provider = aws.audit
}

resource "aws_securityhub_configuration_policy" "this" {
  provider    = aws.audit
  name        = "ExamplePolicy"
  description = "This is an example SHCP."
  configuration_policy {
    service_enabled       = true
    enabled_standard_arns = ["arn:${data.aws_partition.audit.partition}:securityhub:${data.aws_region.audit.name}::standards/cis-aws-foundations-benchmark/v/1.4.0"]
    security_controls_configuration {
      disabled_control_identifiers = ["IAM.6"]
    }
  }
  depends_on = [aws_securityhub_organization_configuration.this]
}

data "aws_organizations_organization" "this" {
  provider = aws.management
}

resource "time_sleep" "aws_securityhub_configuration_policy_this" {
  destroy_duration = "10s"
  depends_on       = [aws_securityhub_configuration_policy.this]
}

resource "aws_securityhub_configuration_policy_association" "org" {
  provider   = aws.audit
  target_id  = data.aws_organizations_organization.this.roots[0].id
  policy_id  = aws_securityhub_configuration_policy.this.id
  depends_on = [time_sleep.aws_securityhub_configuration_policy_this]
}

Expected Behavior

It should enable the central Security Hub account, but it shouldn't enable Security Hub in all accounts.

Actual Behavior

It enabled Security Hub in all other accounts. I only need to send the findings from the accounts in which Security Hub is already enabled.

Relevant Error/Panic Output

Sample Terraform Configuration


Steps to Reproduce

1. terraform apply
2. AWS Security Hub got enabled in all accounts even though it shouldn't.

Debug Logging


GenAI / LLM Assisted Development

n/a

Important Facts and References

No response

Would you like to implement a fix?

No

@AliElKhatteb AliElKhatteb added the bug Addresses a defect in current functionality. label Apr 16, 2025
@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. service/organizations Issues and PRs that pertain to the organizations service. service/securityhub Issues and PRs that pertain to the securityhub service. service/sts Issues and PRs that pertain to the sts service. labels Apr 16, 2025
@justinretzolk justinretzolk removed service/organizations Issues and PRs that pertain to the organizations service. service/sts Issues and PRs that pertain to the sts service. needs-triage Waiting for first response or review from a maintainer. labels Apr 16, 2025
@acwwat
Contributor

acwwat commented Apr 27, 2025

@AliElKhatteb Since the configuration policy has service_enabled set to true, and the aws_securityhub_configuration_policy_association resource associates it to the org root, all org member accounts will have Security Hub enabled as expected.

While I can't think of a reliable way to detect and apply the configuration to accounts that already have SH enabled, you can probably list those accounts in a variable and use for_each with the aws_securityhub_configuration_policy_association resource and the target_id argument (which can be account, org, or root ID).
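One way to implement the per-account association acwwat suggests, as example code added here (not from the issue or the provider): it assumes the aws.audit provider alias, aws_securityhub_configuration_policy.this and the time_sleep resource from the configuration above, and the variable name and account IDs are placeholders.

```hcl
# Added example: associate the configuration policy only with the member
# accounts listed in a variable, instead of with the organization root.
# This replaces aws_securityhub_configuration_policy_association.org above.
variable "securityhub_enabled_account_ids" {
  description = "Member account IDs in which Security Hub is already enabled (assumed input)"
  type        = set(string)
  # Constructed placeholder IDs; replace with the real account IDs.
  default = ["111111111111", "222222222222"]

  validation {
    # Guard against typos: every entry must be a 12-digit AWS account ID.
    condition     = alltrue([for id in var.securityhub_enabled_account_ids : can(regex("^[0-9]{12}$", id))])
    error_message = "Each entry must be a 12-digit AWS account ID."
  }
}

resource "aws_securityhub_configuration_policy_association" "account" {
  for_each = var.securityhub_enabled_account_ids

  provider   = aws.audit
  target_id  = each.value # an account ID, not the org root ID
  policy_id  = aws_securityhub_configuration_policy.this.id
  depends_on = [time_sleep.aws_securityhub_configuration_policy_this]
}
```

Accounts that are not in the set get no policy association from this configuration, so the policy's service_enabled = true is not pushed to them.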
