From 7baa72372c8d384b068017f4ae63b42bfb5cf9c8 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:04:57 +0200 Subject: [PATCH 1/6] feat: Add ap-southeast-3 aws region --- README.md | 1 + analyzer_baselines.tf | 14 +++++++++++++ config_baselines.tf | 26 +++++++++++++++++++++++++ ebs_baselines.tf | 9 +++++++++ examples/external-bucket/main.tf | 1 + examples/external-bucket/regions.tf | 5 +++++ examples/organization/master/main.tf | 1 + examples/organization/master/regions.tf | 5 +++++ examples/organization/member/main.tf | 1 + examples/organization/member/regions.tf | 5 +++++ examples/select-region/main.tf | 1 + examples/select-region/regions.tf | 5 +++++ examples/simple/main.tf | 1 + examples/simple/regions.tf | 5 +++++ guardduty_baselines.tf | 17 ++++++++++++++++ main.tf | 2 +- outputs.tf | 8 ++++++++ securityhub_baselines.tf | 17 ++++++++++++++++ variables.tf | 1 + vpc_baselines.tf | 19 ++++++++++++++++++ 20 files changed, 143 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 55b5c742..c84fa37f 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 1af69a50..4c665930 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf 
@@ -90,6 +90,20 @@ module "analyzer_baseline_ap-southeast-2" { tags = var.tags } +module "analyzer_baseline_ap-southeast-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/analyzer-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + analyzer_name = var.analyzer_name + is_organization = local.is_master_account + + tags = var.tags +} + module "analyzer_baseline_ca-central-1" { count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/analyzer-baseline" diff --git a/config_baselines.tf b/config_baselines.tf index 8e7278ea..33fb6d9b 100644 --- a/config_baselines.tf +++ b/config_baselines.tf @@ -6,6 +6,7 @@ locals { one(module.config_baseline_ap-south-1[*].config_sns_topic), one(module.config_baseline_ap-southeast-1[*].config_sns_topic), one(module.config_baseline_ap-southeast-2[*].config_sns_topic), + one(module.config_baseline_ap-southeast-3[*].config_sns_topic), one(module.config_baseline_ca-central-1[*].config_sns_topic), one(module.config_baseline_eu-central-1[*].config_sns_topic), one(module.config_baseline_eu-north-1[*].config_sns_topic), 
@@ -226,6 +227,27 @@ module "config_baseline_ap-southeast-2" { depends_on = [aws_s3_bucket_policy.audit_log] } +module "config_baseline_ap-southeast-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/config-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + iam_role_arn = one(aws_iam_role.recorder[*].arn) + s3_bucket_name = local.audit_log_bucket_id + s3_key_prefix = var.config_s3_bucket_key_prefix + delivery_frequency = var.config_delivery_frequency + sns_topic_name = var.config_sns_topic_name + sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id + include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-3" + + tags = var.tags + + depends_on = [aws_s3_bucket_policy.audit_log] +} + module "config_baseline_ca-central-1" { count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/config-baseline" @@ -481,6 +503,7 @@ resource "aws_config_config_rule" "iam_mfa" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -516,6 +539,7 @@ resource "aws_config_config_rule" "unused_credentials" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, 
@@ -556,6 +580,7 @@ resource "aws_config_config_rule" "user_no_policies" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -596,6 +621,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 3da9c5ea..86af2d20 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf @@ -56,6 +56,15 @@ module "ebs_baseline_ap-southeast-2" { } } +module "ebs_baseline_ap-southeast-3" { + count = contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/ebs-baseline" + + providers = { + aws = aws.ap-southeast-3 + } +} + module "ebs_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/ebs-baseline" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 8ab31369..d5c7e98f 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -37,6 +37,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf index 6937e512..ae84f002 100644 --- a/examples/external-bucket/regions.tf +++ b/examples/external-bucket/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index f74dfcf4..c5a9c901 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf @@ -53,6 +53,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/master/regions.tf +++ b/examples/organization/master/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 8c20c3d9..cefd0d10 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -46,6 +46,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/member/regions.tf +++ b/examples/organization/member/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index 391872ec..9dd6cc35 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf @@ -44,6 +44,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf index 6937e512..ae84f002 100644 --- a/examples/select-region/regions.tf +++ b/examples/select-region/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 5e672c8e..58d4f5cc 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -41,6 +41,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf index 6937e512..ae84f002 100644 --- a/examples/simple/regions.tf +++ b/examples/simple/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" 
diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 1d88499f..8cf119d8 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf @@ -111,6 +111,23 @@ module "guardduty_baseline_ap-southeast-2" { tags = var.tags } +module "guardduty_baseline_ap-southeast-3" { + source = "./modules/guardduty-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0 + disable_email_notification = var.guardduty_disable_email_notification + finding_publishing_frequency = var.guardduty_finding_publishing_frequency + invitation_message = var.guardduty_invitation_message + master_account_id = local.guardduty_master_account_id + member_accounts = local.guardduty_member_accounts + + tags = var.tags +} + module "guardduty_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" diff --git a/main.tf b/main.tf index 1b807f35..7cae3fdc 100644 --- a/main.tf +++ b/main.tf @@ -11,7 +11,7 @@ terraform { configuration_aliases = [ aws.ap-northeast-1, aws.ap-northeast-2, aws.ap-northeast-3, aws.ap-south-1, - aws.ap-southeast-1, aws.ap-southeast-2, + aws.ap-southeast-1, aws.ap-southeast-2, aws.ap-southeast-3, aws.ca-central-1, aws.eu-central-1, aws.eu-north-1, diff --git a/outputs.tf b/outputs.tf index beae8b0b..34235e1d 100644 --- a/outputs.tf +++ b/outputs.tf 
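Review bot: The new `guardduty_baseline_ap-southeast-3` block places `count` after the `providers` map, whereas every sibling block (the `ca-central-1` block in the same hunk and the `me-south-1` block added in PATCH 2/6) leads with `count` followed by `source`. Moving the gating line to the top keeps the per-region blocks uniform and makes the enable condition visible where a reader expects it: `count  = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0` directly followed by `source = "./modules/guardduty-baseline"`. Argument order has no effect on the plan, so this is style only.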
@@ -64,6 +64,7 @@ output "config_configuration_recorder" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].configuration_recorder) "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder) "eu-central-1" = one(module.config_baseline_eu-central-1[*].configuration_recorder) "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) @@ -87,6 +88,7 @@ output "config_sns_topic" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].config_sns_topic) "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic) "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic) "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic) @@ -115,6 +117,7 @@ output "guardduty_detector" { "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector) "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector) "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector) + "ap-southeast-3" = one(module.guardduty_baseline_ap-southeast-3[*].guardduty_detector) "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector) "eu-central-1" = one(module.guardduty_baseline_eu-central-1[*].guardduty_detector) "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) 
@@ -156,6 +159,7 @@ output "vpc_flow_logs_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].vpc_flow_logs_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group) @@ -180,6 +184,7 @@ output "default_vpc" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_vpc) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc) @@ -204,6 +209,7 @@ output "default_security_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_security_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_security_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group) 
@@ -228,6 +234,7 @@ output "default_network_acl" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_network_acl) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl) @@ -252,6 +259,7 @@ output "default_route_table" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_route_table) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table) diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf index a8324d6e..e791fa22 100644 --- a/securityhub_baselines.tf +++ b/securityhub_baselines.tf 
@@ -108,6 +108,23 @@ module "securityhub_baseline_ap-southeast-2" { member_accounts = local.securityhub_member_accounts } +module "securityhub_baseline_ap-southeast-3" { + count = contains(var.target_regions, "ap-southeast-3") && var.securityhub_enabled ? 1 : 0 + source = "./modules/securityhub-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + aggregate_findings = var.region == "ap-southeast-3" + enable_cis_standard = var.securityhub_enable_cis_standard + enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard + enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard + enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id + member_accounts = local.securityhub_member_accounts +} + module "securityhub_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" diff --git a/variables.tf b/variables.tf index a942f3c9..eaa98451 100644 --- a/variables.tf +++ b/variables.tf @@ -49,6 +49,7 @@ variable "target_regions" { "ap-south-1", "ap-southeast-1", "ap-southeast-2", + "ap-southeast-3", "ca-central-1", "eu-central-1", "eu-north-1", diff --git a/vpc_baselines.tf b/vpc_baselines.tf index fd2ed472..8f1e4c35 100644 --- a/vpc_baselines.tf +++ b/vpc_baselines.tf 
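Review bot: Adding `"ap-southeast-3"` to the default `target_regions` list in variables.tf puts an opt-in region into the module's default footprint, and the analogous variables.tf hunk in PATCH 2/6 does the same for `"me-south-1"`. Both regions are disabled by default in AWS accounts, so a caller who relies on the default list and has not enabled them should expect the new aliased provider configurations (including the provider blocks added to every `examples/*/regions.tf`) to fail at plan time rather than silently skip the region; the commit message does not mention this behaviour change. Either leave the defaults unchanged and document the regions as opt-in, or extend the `target_regions` description with a note such as `# ap-southeast-3 and me-south-1 are opt-in regions; drop them from target_regions unless the account has enabled them`. Raising the same point once here for both patches.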
@@ -177,6 +177,25 @@ module "vpc_baseline_ap-southeast-2" { tags = var.tags } +module "vpc_baseline_ap-southeast-3" { + count = var.vpc_enable && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/vpc-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + enable_flow_logs = var.vpc_enable_flow_logs + flow_logs_destination_type = var.vpc_flow_logs_destination_type + flow_logs_log_group_name = var.vpc_flow_logs_log_group_name + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days + flow_logs_s3_arn = local.flow_logs_s3_arn + flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix + + tags = var.tags +} + module "vpc_baseline_ca-central-1" { count = var.vpc_enable && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/vpc-baseline" From 921db3109c6d8bcf6cbef7978fad751b0ae85573 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:15:20 +0200 Subject: [PATCH 2/6] feat: Add me-south-1 aws region --- README.md | 1 + analyzer_baselines.tf | 14 +++++++++++++ config_baselines.tf | 26 +++++++++++++++++++++++++ ebs_baselines.tf | 9 +++++++++ examples/external-bucket/main.tf | 1 + examples/external-bucket/regions.tf | 5 +++++ examples/organization/master/main.tf | 1 + examples/organization/master/regions.tf | 5 +++++ examples/organization/member/main.tf | 1 + examples/organization/member/regions.tf | 5 +++++ examples/select-region/main.tf | 1 + examples/select-region/regions.tf | 5 +++++ examples/simple/main.tf | 1 + examples/simple/regions.tf | 5 +++++ guardduty_baselines.tf | 17 ++++++++++++++++ main.tf | 1 + outputs.tf | 8 ++++++++ securityhub_baselines.tf | 17 ++++++++++++++++ variables.tf | 1 + vpc_baselines.tf | 19 ++++++++++++++++++ 20 files changed, 143 insertions(+) diff --git a/README.md b/README.md index 55b5c742..2f080f13 100644 --- a/README.md +++ b/README.md 
@@ -69,6 +69,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 1af69a50..c386bab5 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf @@ -174,6 +174,20 @@ module "analyzer_baseline_eu-west-3" { tags = var.tags } +module "analyzer_baseline_me-south-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/analyzer-baseline" + + providers = { + aws = aws.me-south-1 + } + + analyzer_name = var.analyzer_name + is_organization = local.is_master_account + + tags = var.tags +} + module "analyzer_baseline_sa-east-1" { count = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" diff --git a/config_baselines.tf b/config_baselines.tf index 8e7278ea..69eff4e3 100644 --- a/config_baselines.tf +++ b/config_baselines.tf @@ -12,6 +12,7 @@ locals { one(module.config_baseline_eu-west-1[*].config_sns_topic), one(module.config_baseline_eu-west-2[*].config_sns_topic), one(module.config_baseline_eu-west-3[*].config_sns_topic), + one(module.config_baseline_me-south-1[*].config_sns_topic), one(module.config_baseline_sa-east-1[*].config_sns_topic), one(module.config_baseline_us-east-1[*].config_sns_topic), one(module.config_baseline_us-east-2[*].config_sns_topic), 
@@ -352,6 +353,27 @@ module "config_baseline_eu-west-3" { depends_on = [aws_s3_bucket_policy.audit_log] } +module "config_baseline_me-south-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/config-baseline" + + providers = { + aws = aws.me-south-1 + } + + iam_role_arn = one(aws_iam_role.recorder[*].arn) + s3_bucket_name = local.audit_log_bucket_id + s3_key_prefix = var.config_s3_bucket_key_prefix + delivery_frequency = var.config_delivery_frequency + sns_topic_name = var.config_sns_topic_name + sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id + include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "me-south-1" + + tags = var.tags + + depends_on = [aws_s3_bucket_policy.audit_log] +} + module "config_baseline_sa-east-1" { count = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/config-baseline" @@ -487,6 +509,7 @@ resource "aws_config_config_rule" "iam_mfa" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, @@ -522,6 +545,7 @@ resource "aws_config_config_rule" "unused_credentials" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, @@ -562,6 +586,7 @@ resource "aws_config_config_rule" "user_no_policies" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, 
@@ -602,6 +627,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 3da9c5ea..1e938df9 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf @@ -110,6 +110,15 @@ module "ebs_baseline_eu-west-3" { } } +module "ebs_baseline_me-south-1" { + count = contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/ebs-baseline" + + providers = { + aws = aws.me-south-1 + } +} + module "ebs_baseline_sa-east-1" { count = contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/ebs-baseline" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 8ab31369..7187bc77 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -43,6 +43,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/external-bucket/regions.tf +++ b/examples/external-bucket/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index f74dfcf4..39b810bc 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf 
@@ -59,6 +59,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/organization/master/regions.tf +++ b/examples/organization/master/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 8c20c3d9..1b2cac8a 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -52,6 +52,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.eme-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/organization/member/regions.tf +++ b/examples/organization/member/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index 391872ec..591430dc 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf @@ -50,6 +50,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 
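Review bot: The provider mapping added to `examples/organization/member/main.tf` reads `aws.eme-south-1 = aws.me-south-1`; the key is misspelled, and `aws.eme-south-1` is not among the `configuration_aliases` that `main.tf` declares (that list gains `aws.me-south-1`), so the member example passes an unknown alias while the module's `me-south-1` baselines receive no provider. It should be `aws.me-south-1 = aws.me-south-1`, matching the master, select-region, simple and external-bucket examples in the same commit. The enclosing `module "secure_baseline"` block starts and ends outside the hunk.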
diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/select-region/regions.tf +++ b/examples/select-region/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 5e672c8e..15dd623b 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -47,6 +47,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/simple/regions.tf +++ b/examples/simple/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 1d88499f..3240f741 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf 
@@ -213,6 +213,23 @@ module "guardduty_baseline_eu-west-3" { tags = var.tags } +module "guardduty_baseline_me-south-1" { + count = contains(var.target_regions, "me-south-1") && var.guardduty_enabled ? 1 : 0 + source = "./modules/guardduty-baseline" + + providers = { + aws = aws.me-south-1 + } + + disable_email_notification = var.guardduty_disable_email_notification + finding_publishing_frequency = var.guardduty_finding_publishing_frequency + invitation_message = var.guardduty_invitation_message + master_account_id = local.guardduty_master_account_id + member_accounts = local.guardduty_member_accounts + + tags = var.tags +} + module "guardduty_baseline_sa-east-1" { count = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" diff --git a/main.tf b/main.tf index 1b807f35..e9efeafe 100644 --- a/main.tf +++ b/main.tf @@ -16,6 +16,7 @@ terraform { aws.eu-central-1, aws.eu-north-1, aws.eu-west-1, aws.eu-west-2, aws.eu-west-3, + aws.me-south-1, aws.sa-east-1, aws.us-east-1, aws.us-east-2, aws.us-west-1, aws.us-west-2, diff --git a/outputs.tf b/outputs.tf index beae8b0b..b81cf129 100644 --- a/outputs.tf +++ b/outputs.tf @@ -69,6 +69,7 @@ output "config_configuration_recorder" { "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder) "eu-west-3" = one(module.config_baseline_eu-west-3[*].configuration_recorder) + "me-south-1" = one(module.config_baseline_me-south-1[*].configuration_recorder) "sa-east-1" = one(module.config_baseline_sa-east-1[*].configuration_recorder) "us-east-1" = one(module.config_baseline_us-east-1[*].configuration_recorder) "us-east-2" = one(module.config_baseline_us-east-2[*].configuration_recorder) 
@@ -93,6 +94,7 @@ output "config_sns_topic" { "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic) "eu-west-2" = one(module.config_baseline_eu-west-2[*].config_sns_topic) "eu-west-3" = one(module.config_baseline_eu-west-3[*].config_sns_topic) + "me-south-1" = one(module.config_baseline_me-south-1[*].config_sns_topic) "sa-east-1" = one(module.config_baseline_sa-east-1[*].config_sns_topic) "us-east-1" = one(module.config_baseline_us-east-1[*].config_sns_topic) "us-east-2" = one(module.config_baseline_us-east-2[*].config_sns_topic) @@ -120,6 +122,7 @@ output "guardduty_detector" { "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector) "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector) + "me-south-1" = one(module.guardduty_baseline_me-south-1[*].guardduty_detector) "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector) "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector) "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector) @@ -162,6 +165,7 @@ output "vpc_flow_logs_group" { "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group) "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].vpc_flow_logs_group) "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].vpc_flow_logs_group) + "me-south-1" = one(module.vpc_baseline_me-south-1[*].vpc_flow_logs_group) "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].vpc_flow_logs_group) "us-east-1" = one(module.vpc_baseline_us-east-1[*].vpc_flow_logs_group) "us-east-2" = one(module.vpc_baseline_us-east-2[*].vpc_flow_logs_group) 
@@ -186,6 +190,7 @@ output "default_vpc" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_vpc)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_vpc)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_vpc)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_vpc)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_vpc)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_vpc)
@@ -210,6 +215,7 @@ output "default_security_group" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_security_group)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_security_group)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_security_group)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_security_group)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_security_group)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_security_group)
@@ -234,6 +240,7 @@ output "default_network_acl" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_network_acl)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_network_acl)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_network_acl)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_network_acl)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_network_acl)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_network_acl)
@@ -258,6 +265,7 @@ output "default_route_table" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_route_table)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_route_table)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_route_table)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_route_table)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_route_table)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_route_table)
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index a8324d6e..f211d7c9 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -210,6 +210,23 @@ module "securityhub_baseline_eu-west-3" {
 member_accounts = local.securityhub_member_accounts
 }

+module "securityhub_baseline_me-south-1" {
+ count = contains(var.target_regions, "me-south-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ aggregate_findings = var.region == "me-south-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_sa-east-1" {
 count = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
diff --git a/variables.tf b/variables.tf
index a942f3c9..7873b762 100644
--- a/variables.tf
+++ b/variables.tf
@@ -55,6 +55,7 @@ variable "target_regions" {
 "eu-west-1",
 "eu-west-2",
 "eu-west-3",
+ "me-south-1",
 "sa-east-1",
 "us-east-1",
 "us-east-2",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed472..84a79e45 100644
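Review bot: Adding `"me-south-1"` to the default of `target_regions` in the variables.tf hunk changes the out-of-the-box footprint for every existing user: on the next apply the per-region baselines are rolled out to an opt-in region that many accounts have not enabled, and for those accounts the new module instances fail rather than being skipped, since the `count` guards only check list membership. Consider leaving opt-in regions out of the default and documenting them as something the caller adds to `target_regions` explicitly after enabling the region, or at least calling the new default out in the changelog. The `variable` block starts and ends outside the hunk.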
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -291,6 +291,25 @@ module "vpc_baseline_eu-west-3" {
 tags = var.tags
 }

+module "vpc_baseline_me-south-1" {
+ count = var.vpc_enable && contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_sa-east-1" {
 count = var.vpc_enable && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/vpc-baseline"
From 434ebde2710dac652a405efa2c123d7535a0cfb6 Mon Sep 17 00:00:00 2001
From: Umbert <708948+umbertix@users.noreply.github.com>
Date: Mon, 24 Jun 2024 11:12:07 +0200
Subject: [PATCH 3/6] Update examples/organization/member/main.tf

Typo on the example provider name
---
 examples/organization/member/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf
index 1b2cac8a..dd7f1d58 100644
--- a/examples/organization/member/main.tf
+++ b/examples/organization/member/main.tf
@@ -52,7 +52,7 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
- aws.eme-south-1 = aws.me-south-1
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
From 64237ca4908b1d96139163a847491431e28d7549 Mon Sep 17 00:00:00 2001
From: unumed-umbo
Date: Mon, 24 Jun 2024 11:47:29 +0200
Subject: [PATCH 4/6] Upgrade the release pipeline to v4

The current version of release pipeline action has been archived, Upgrading to v4
---
 .chglog/config.yml | 2 +-
 .github/workflows/release-please.yml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.chglog/config.yml b/.chglog/config.yml
index 58eea04b..7904f52b 100755
--- a/.chglog/config.yml
+++ b/.chglog/config.yml
@@ -2,7 +2,7 @@ style: github
 template: CHANGELOG.tpl.md
 info:
 title: CHANGELOG
- repository_url: https://github.com/nozaq/terraform-aws-secure-baseline
+ repository_url: https://github.com/Unumed/terraform-aws-secure-baseline
 options:
 commits:
 filters:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index e1e02b2b..5181f09a 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -7,6 +7,7 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
- - uses: google-github-actions/release-please-action@v3
+ - uses: googleapis/release-please-action@v4
 with:
 release-type: terraform-module
+ token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
From 6836f0368d25635dfd7ffd4a5c02ced0a6c58ab4 Mon Sep 17 00:00:00 2001
From: unumed-umbo
Date: Mon, 24 Jun 2024 13:21:50 +0200
Subject: [PATCH 5/6] Add missing permissions

Add missing permissions to pipeline definition
---
 .github/workflows/release-please.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5181f09a..71589fb0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -2,7 +2,13 @@ on:
 push:
 branches:
 - main
+
+permissions:
+ contents: write
+ pull-requests: write
+
 name: release-please
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
From b1d190930b654f68be0531e99a4f5e1335e5dbf1 Mon Sep 17 00:00:00 2001
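Review bot: In the release-please.yml hunk of patch 4/6, `googleapis/release-please-action@v4` is pinned to a floating major tag while the step now authenticates with `secrets.MY_RELEASE_PLEASE_TOKEN`, a personal token that the workflow's `permissions` cannot bound; whatever that tag resolves to on a given run executes with the PAT's full scope. Pin the action to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: googleapis/release-please-action@<commit-sha> # v4`, and make sure the token is a fine-grained PAT restricted to this repository with only contents and pull-requests write. A one-line comment above `token:` explaining why a PAT is used instead of `GITHUB_TOKEN` (commonly so that the release PR can trigger other workflows) would help the next maintainer judge whether it is still needed.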
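Review bot: The top-level `permissions` block added in patch 5/6 scopes only the automatic `GITHUB_TOKEN`; the release step in this workflow authenticates with `secrets.MY_RELEASE_PLEASE_TOKEN` (added in the previous commit, below this hunk), so `contents: write` and `pull-requests: write` do not bound what that step can actually do. A short comment on the block such as `# Scopes GITHUB_TOKEN only; the release step uses MY_RELEASE_PLEASE_TOKEN, whose scope is set on the PAT itself` would keep the two from being confused. If further jobs are added later, moving the block under the `release-please` job keeps the grant as narrow as possible.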
From: unumed-umbo
Date: Mon, 24 Jun 2024 14:07:26 +0200
Subject: [PATCH 6/6] chore(main): release 2.2.0

---
 CHANGELOG.md | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ea69b0d..87356fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [2.2.0](https://github.com/Unumed/terraform-aws-secure-baseline/compare/v2.1.0...v2.2.0) (2024-06-24)
+
+
+### Features
+
+* Add ap-southeast-3 aws region ([7baa723](https://github.com/Unumed/terraform-aws-secure-baseline/commit/7baa72372c8d384b068017f4ae63b42bfb5cf9c8))
+
 ## [2.1.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v2.0.0...v2.1.0) (2022-12-03)