From 7baa72372c8d384b068017f4ae63b42bfb5cf9c8 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:04:57 +0200 Subject: [PATCH 01/12] feat: Add ap-southeast-3 aws region --- README.md | 1 + analyzer_baselines.tf | 14 +++++++++++++ config_baselines.tf | 26 +++++++++++++++++++++++++ ebs_baselines.tf | 9 +++++++++ examples/external-bucket/main.tf | 1 + examples/external-bucket/regions.tf | 5 +++++ examples/organization/master/main.tf | 1 + examples/organization/master/regions.tf | 5 +++++ examples/organization/member/main.tf | 1 + examples/organization/member/regions.tf | 5 +++++ examples/select-region/main.tf | 1 + examples/select-region/regions.tf | 5 +++++ examples/simple/main.tf | 1 + examples/simple/regions.tf | 5 +++++ guardduty_baselines.tf | 17 ++++++++++++++++ main.tf | 2 +- outputs.tf | 8 ++++++++ securityhub_baselines.tf | 17 ++++++++++++++++ variables.tf | 1 + vpc_baselines.tf | 19 ++++++++++++++++++ 20 files changed, 143 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 55b5c742..c84fa37f 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 1af69a50..4c665930 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf 
@@ -90,6 +90,20 @@ module "analyzer_baseline_ap-southeast-2" { tags = var.tags } +module "analyzer_baseline_ap-southeast-3" { + count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/analyzer-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + analyzer_name = var.analyzer_name + is_organization = local.is_master_account + + tags = var.tags +} + module "analyzer_baseline_ca-central-1" { count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/analyzer-baseline" diff --git a/config_baselines.tf b/config_baselines.tf index 8e7278ea..33fb6d9b 100644 --- a/config_baselines.tf +++ b/config_baselines.tf @@ -6,6 +6,7 @@ locals { one(module.config_baseline_ap-south-1[*].config_sns_topic), one(module.config_baseline_ap-southeast-1[*].config_sns_topic), one(module.config_baseline_ap-southeast-2[*].config_sns_topic), + one(module.config_baseline_ap-southeast-3[*].config_sns_topic), one(module.config_baseline_ca-central-1[*].config_sns_topic), one(module.config_baseline_eu-central-1[*].config_sns_topic), one(module.config_baseline_eu-north-1[*].config_sns_topic), 
@@ -226,6 +227,27 @@ module "config_baseline_ap-southeast-2" { depends_on = [aws_s3_bucket_policy.audit_log] } +module "config_baseline_ap-southeast-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/config-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + iam_role_arn = one(aws_iam_role.recorder[*].arn) + s3_bucket_name = local.audit_log_bucket_id + s3_key_prefix = var.config_s3_bucket_key_prefix + delivery_frequency = var.config_delivery_frequency + sns_topic_name = var.config_sns_topic_name + sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id + include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-3" + + tags = var.tags + + depends_on = [aws_s3_bucket_policy.audit_log] +} + module "config_baseline_ca-central-1" { count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/config-baseline" @@ -481,6 +503,7 @@ resource "aws_config_config_rule" "iam_mfa" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -516,6 +539,7 @@ resource "aws_config_config_rule" "unused_credentials" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, 
@@ -556,6 +580,7 @@ resource "aws_config_config_rule" "user_no_policies" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -596,6 +621,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 3da9c5ea..86af2d20 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf @@ -56,6 +56,15 @@ module "ebs_baseline_ap-southeast-2" { } } +module "ebs_baseline_ap-southeast-3" { + count = contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/ebs-baseline" + + providers = { + aws = aws.ap-southeast-3 + } +} + module "ebs_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/ebs-baseline" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 8ab31369..d5c7e98f 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -37,6 +37,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf index 6937e512..ae84f002 100644 --- a/examples/external-bucket/regions.tf +++ b/examples/external-bucket/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index f74dfcf4..c5a9c901 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf @@ -53,6 +53,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/master/regions.tf +++ b/examples/organization/master/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 8c20c3d9..cefd0d10 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -46,6 +46,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/member/regions.tf +++ b/examples/organization/member/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index 391872ec..9dd6cc35 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf @@ -44,6 +44,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf index 6937e512..ae84f002 100644 --- a/examples/select-region/regions.tf +++ b/examples/select-region/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 5e672c8e..58d4f5cc 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -41,6 +41,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf index 6937e512..ae84f002 100644 --- a/examples/simple/regions.tf +++ b/examples/simple/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" 
diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 1d88499f..8cf119d8 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf @@ -111,6 +111,23 @@ module "guardduty_baseline_ap-southeast-2" { tags = var.tags } +module "guardduty_baseline_ap-southeast-3" { + source = "./modules/guardduty-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0 + disable_email_notification = var.guardduty_disable_email_notification + finding_publishing_frequency = var.guardduty_finding_publishing_frequency + invitation_message = var.guardduty_invitation_message + master_account_id = local.guardduty_master_account_id + member_accounts = local.guardduty_member_accounts + + tags = var.tags +} + module "guardduty_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" diff --git a/main.tf b/main.tf index 1b807f35..7cae3fdc 100644 --- a/main.tf +++ b/main.tf @@ -11,7 +11,7 @@ terraform { configuration_aliases = [ aws.ap-northeast-1, aws.ap-northeast-2, aws.ap-northeast-3, aws.ap-south-1, - aws.ap-southeast-1, aws.ap-southeast-2, + aws.ap-southeast-1, aws.ap-southeast-2, aws.ap-southeast-3, aws.ca-central-1, aws.eu-central-1, aws.eu-north-1, diff --git a/outputs.tf b/outputs.tf index beae8b0b..34235e1d 100644 --- a/outputs.tf +++ b/outputs.tf 
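Review bot: In `module "guardduty_baseline_ap-southeast-3"` the `count` meta-argument sits after the `providers` block, between it and the module inputs, while every sibling block (the `guardduty_baseline_ca-central-1` context below it and the `guardduty_baseline_me-south-1` block added in the second patch) puts `count` first, directly above `source`. It is functionally equivalent, but this file is a per-region template that reviewers diff block-against-block, and the odd ordering hides the one line that actually gates the region. Suggest moving `count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0` to the first line of the block so the five regional blocks touched by these patches read identically.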
@@ -64,6 +64,7 @@ output "config_configuration_recorder" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].configuration_recorder) "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder) "eu-central-1" = one(module.config_baseline_eu-central-1[*].configuration_recorder) "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) @@ -87,6 +88,7 @@ output "config_sns_topic" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].config_sns_topic) "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic) "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic) "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic) @@ -115,6 +117,7 @@ output "guardduty_detector" { "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector) "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector) "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector) + "ap-southeast-3" = one(module.guardduty_baseline_ap-southeast-3[*].guardduty_detector) "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector) "eu-central-1" = one(module.guardduty_baseline_eu-central-1[*].guardduty_detector) "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) 
@@ -156,6 +159,7 @@ output "vpc_flow_logs_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].vpc_flow_logs_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group) @@ -180,6 +184,7 @@ output "default_vpc" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_vpc) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc) @@ -204,6 +209,7 @@ output "default_security_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_security_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_security_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group) 
@@ -228,6 +234,7 @@ output "default_network_acl" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_network_acl) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl) @@ -252,6 +259,7 @@ output "default_route_table" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_route_table) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table) diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf index a8324d6e..e791fa22 100644 --- a/securityhub_baselines.tf +++ b/securityhub_baselines.tf 
@@ -108,6 +108,23 @@ module "securityhub_baseline_ap-southeast-2" { member_accounts = local.securityhub_member_accounts } +module "securityhub_baseline_ap-southeast-3" { + count = contains(var.target_regions, "ap-southeast-3") && var.securityhub_enabled ? 1 : 0 + source = "./modules/securityhub-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + aggregate_findings = var.region == "ap-southeast-3" + enable_cis_standard = var.securityhub_enable_cis_standard + enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard + enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard + enable_product_arns = var.securityhub_enable_product_arns + master_account_id = local.securityhub_master_account_id + member_accounts = local.securityhub_member_accounts +} + module "securityhub_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 1 : 0 source = "./modules/securityhub-baseline" diff --git a/variables.tf b/variables.tf index a942f3c9..eaa98451 100644 --- a/variables.tf +++ b/variables.tf @@ -49,6 +49,7 @@ variable "target_regions" { "ap-south-1", "ap-southeast-1", "ap-southeast-2", + "ap-southeast-3", "ca-central-1", "eu-central-1", "eu-north-1", diff --git a/vpc_baselines.tf b/vpc_baselines.tf index fd2ed472..8f1e4c35 100644 --- a/vpc_baselines.tf +++ b/vpc_baselines.tf 
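Review bot: Adding `"ap-southeast-3"` to the default value of `target_regions` means every caller that keeps the default now has Terraform address the Jakarta region, and ap-southeast-3 is an opt-in region that is disabled in an AWS account until explicitly enabled; in an account that has not opted in, the `aws.ap-southeast-3` provider (and the matching `provider "aws"` blocks added to every example's `regions.tf`) fails at plan time instead of the region being skipped. The `me-south-1` default added in the second patch has the same property. Keeping opted-in regions inside the baseline is the right direction, since an enabled region left out of `target_regions` would have no Config, GuardDuty or Security Hub coverage, but callers need to know the default no longer works unmodified. Suggest a comment above the default list such as `# ap-southeast-3 and me-south-1 are opt-in regions: enable them in the account or drop them from target_regions before applying`, and the same caveat in the README hunk.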
@@ -177,6 +177,25 @@ module "vpc_baseline_ap-southeast-2" { tags = var.tags } +module "vpc_baseline_ap-southeast-3" { + count = var.vpc_enable && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/vpc-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + enable_flow_logs = var.vpc_enable_flow_logs + flow_logs_destination_type = var.vpc_flow_logs_destination_type + flow_logs_log_group_name = var.vpc_flow_logs_log_group_name + flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null + flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days + flow_logs_s3_arn = local.flow_logs_s3_arn + flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix + + tags = var.tags +} + module "vpc_baseline_ca-central-1" { count = var.vpc_enable && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/vpc-baseline" From 921db3109c6d8bcf6cbef7978fad751b0ae85573 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:15:20 +0200 Subject: [PATCH 02/12] feat: Add me-south-1 aws region --- README.md | 1 + analyzer_baselines.tf | 14 +++++++++++++ config_baselines.tf | 26 +++++++++++++++++++++++++ ebs_baselines.tf | 9 +++++++++ examples/external-bucket/main.tf | 1 + examples/external-bucket/regions.tf | 5 +++++ examples/organization/master/main.tf | 1 + examples/organization/master/regions.tf | 5 +++++ examples/organization/member/main.tf | 1 + examples/organization/member/regions.tf | 5 +++++ examples/select-region/main.tf | 1 + examples/select-region/regions.tf | 5 +++++ examples/simple/main.tf | 1 + examples/simple/regions.tf | 5 +++++ guardduty_baselines.tf | 17 ++++++++++++++++ main.tf | 1 + outputs.tf | 8 ++++++++ securityhub_baselines.tf | 17 ++++++++++++++++ variables.tf | 1 + vpc_baselines.tf | 19 ++++++++++++++++++ 20 files changed, 143 insertions(+) diff --git a/README.md b/README.md index 55b5c742..2f080f13 100644 --- a/README.md +++ b/README.md 
@@ -69,6 +69,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 1af69a50..c386bab5 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf @@ -174,6 +174,20 @@ module "analyzer_baseline_eu-west-3" { tags = var.tags } +module "analyzer_baseline_me-south-1" { + count = local.is_analyzer_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/analyzer-baseline" + + providers = { + aws = aws.me-south-1 + } + + analyzer_name = var.analyzer_name + is_organization = local.is_master_account + + tags = var.tags +} + module "analyzer_baseline_sa-east-1" { count = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/analyzer-baseline" diff --git a/config_baselines.tf b/config_baselines.tf index 8e7278ea..69eff4e3 100644 --- a/config_baselines.tf +++ b/config_baselines.tf @@ -12,6 +12,7 @@ locals { one(module.config_baseline_eu-west-1[*].config_sns_topic), one(module.config_baseline_eu-west-2[*].config_sns_topic), one(module.config_baseline_eu-west-3[*].config_sns_topic), + one(module.config_baseline_me-south-1[*].config_sns_topic), one(module.config_baseline_sa-east-1[*].config_sns_topic), one(module.config_baseline_us-east-1[*].config_sns_topic), one(module.config_baseline_us-east-2[*].config_sns_topic), 
@@ -352,6 +353,27 @@ module "config_baseline_eu-west-3" { depends_on = [aws_s3_bucket_policy.audit_log] } +module "config_baseline_me-south-1" { + count = var.config_baseline_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/config-baseline" + + providers = { + aws = aws.me-south-1 + } + + iam_role_arn = one(aws_iam_role.recorder[*].arn) + s3_bucket_name = local.audit_log_bucket_id + s3_key_prefix = var.config_s3_bucket_key_prefix + delivery_frequency = var.config_delivery_frequency + sns_topic_name = var.config_sns_topic_name + sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id + include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "me-south-1" + + tags = var.tags + + depends_on = [aws_s3_bucket_policy.audit_log] +} + module "config_baseline_sa-east-1" { count = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/config-baseline" @@ -487,6 +509,7 @@ resource "aws_config_config_rule" "iam_mfa" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, @@ -522,6 +545,7 @@ resource "aws_config_config_rule" "unused_credentials" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, @@ -562,6 +586,7 @@ resource "aws_config_config_rule" "user_no_policies" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, 
@@ -602,6 +627,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { module.config_baseline_eu-west-1, module.config_baseline_eu-west-2, module.config_baseline_eu-west-3, + module.config_baseline_me-south-1, module.config_baseline_sa-east-1, module.config_baseline_us-east-1, module.config_baseline_us-east-2, diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 3da9c5ea..1e938df9 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf @@ -110,6 +110,15 @@ module "ebs_baseline_eu-west-3" { } } +module "ebs_baseline_me-south-1" { + count = contains(var.target_regions, "me-south-1") ? 1 : 0 + source = "./modules/ebs-baseline" + + providers = { + aws = aws.me-south-1 + } +} + module "ebs_baseline_sa-east-1" { count = contains(var.target_regions, "sa-east-1") ? 1 : 0 source = "./modules/ebs-baseline" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 8ab31369..7187bc77 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -43,6 +43,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/external-bucket/regions.tf +++ b/examples/external-bucket/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index f74dfcf4..39b810bc 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf 
@@ -59,6 +59,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/organization/master/regions.tf +++ b/examples/organization/master/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 8c20c3d9..1b2cac8a 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -52,6 +52,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.eme-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/organization/member/regions.tf +++ b/examples/organization/member/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index 391872ec..591430dc 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf @@ -50,6 +50,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 
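Review bot: The provider key added to `examples/organization/member/main.tf` is misspelled: `aws.eme-south-1 = aws.me-south-1`. The root module declares `aws.me-south-1` in `configuration_aliases` (the `main.tf` hunk of this patch), so this example fails validation on both counts: `aws.eme-south-1` is not an alias the module declares, and the required `aws.me-south-1` is left unconfigured. Change the line to `aws.me-south-1 = aws.me-south-1`, matching the other five example `main.tf` files in this patch.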
diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/select-region/regions.tf +++ b/examples/select-region/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 5e672c8e..15dd623b 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -47,6 +47,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf index 6937e512..7cd7e82d 100644 --- a/examples/simple/regions.tf +++ b/examples/simple/regions.tf @@ -63,6 +63,11 @@ provider "aws" { alias = "eu-west-3" } +provider "aws" { + region = "me-south-1" + alias = "me-south-1" +} + provider "aws" { region = "sa-east-1" alias = "sa-east-1" diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf index 1d88499f..3240f741 100644 --- a/guardduty_baselines.tf +++ b/guardduty_baselines.tf 
@@ -213,6 +213,23 @@ module "guardduty_baseline_eu-west-3" { tags = var.tags } +module "guardduty_baseline_me-south-1" { + count = contains(var.target_regions, "me-south-1") && var.guardduty_enabled ? 1 : 0 + source = "./modules/guardduty-baseline" + + providers = { + aws = aws.me-south-1 + } + + disable_email_notification = var.guardduty_disable_email_notification + finding_publishing_frequency = var.guardduty_finding_publishing_frequency + invitation_message = var.guardduty_invitation_message + master_account_id = local.guardduty_master_account_id + member_accounts = local.guardduty_member_accounts + + tags = var.tags +} + module "guardduty_baseline_sa-east-1" { count = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled ? 1 : 0 source = "./modules/guardduty-baseline" diff --git a/main.tf b/main.tf index 1b807f35..e9efeafe 100644 --- a/main.tf +++ b/main.tf @@ -16,6 +16,7 @@ terraform { aws.eu-central-1, aws.eu-north-1, aws.eu-west-1, aws.eu-west-2, aws.eu-west-3, + aws.me-south-1, aws.sa-east-1, aws.us-east-1, aws.us-east-2, aws.us-west-1, aws.us-west-2, diff --git a/outputs.tf b/outputs.tf index beae8b0b..b81cf129 100644 --- a/outputs.tf +++ b/outputs.tf @@ -69,6 +69,7 @@ output "config_configuration_recorder" { "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder) "eu-west-3" = one(module.config_baseline_eu-west-3[*].configuration_recorder) + "me-south-1" = one(module.config_baseline_me-south-1[*].configuration_recorder) "sa-east-1" = one(module.config_baseline_sa-east-1[*].configuration_recorder) "us-east-1" = one(module.config_baseline_us-east-1[*].configuration_recorder) "us-east-2" = one(module.config_baseline_us-east-2[*].configuration_recorder) 
@@ -93,6 +94,7 @@ output "config_sns_topic" { "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic) "eu-west-2" = one(module.config_baseline_eu-west-2[*].config_sns_topic) "eu-west-3" = one(module.config_baseline_eu-west-3[*].config_sns_topic) + "me-south-1" = one(module.config_baseline_me-south-1[*].config_sns_topic) "sa-east-1" = one(module.config_baseline_sa-east-1[*].config_sns_topic) "us-east-1" = one(module.config_baseline_us-east-1[*].config_sns_topic) "us-east-2" = one(module.config_baseline_us-east-2[*].config_sns_topic) @@ -120,6 +122,7 @@ output "guardduty_detector" { "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector) "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector) + "me-south-1" = one(module.guardduty_baseline_me-south-1[*].guardduty_detector) "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector) "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector) "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector) @@ -162,6 +165,7 @@ output "vpc_flow_logs_group" { "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group) "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].vpc_flow_logs_group) "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].vpc_flow_logs_group) + "me-south-1" = one(module.vpc_baseline_me-south-1[*].vpc_flow_logs_group) "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].vpc_flow_logs_group) "us-east-1" = one(module.vpc_baseline_us-east-1[*].vpc_flow_logs_group) "us-east-2" = one(module.vpc_baseline_us-east-2[*].vpc_flow_logs_group) 
@@ -186,6 +190,7 @@ output "default_vpc" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_vpc)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_vpc)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_vpc)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_vpc)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_vpc)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_vpc)
@@ -210,6 +215,7 @@ output "default_security_group" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_security_group)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_security_group)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_security_group)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_security_group)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_security_group)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_security_group)
@@ -234,6 +240,7 @@ output "default_network_acl" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_network_acl)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_network_acl)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_network_acl)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_network_acl)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_network_acl)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_network_acl)
@@ -258,6 +265,7 @@ output "default_route_table" {
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_route_table)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_route_table)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_route_table)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_route_table)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_route_table)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_route_table)
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index a8324d6e..f211d7c9 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -210,6 +210,23 @@ module "securityhub_baseline_eu-west-3" {
 member_accounts = local.securityhub_member_accounts
 }
 
+module "securityhub_baseline_me-south-1" {
+ count = contains(var.target_regions, "me-south-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ aggregate_findings = var.region == "me-south-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_sa-east-1" {
 count = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
diff --git a/variables.tf b/variables.tf
index a942f3c9..7873b762 100644
--- a/variables.tf
+++ b/variables.tf
@@ -55,6 +55,7 @@ variable "target_regions" {
 "eu-west-1",
 "eu-west-2",
 "eu-west-3",
+ "me-south-1",
 "sa-east-1",
 "us-east-1",
 "us-east-2",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed472..84a79e45 100644
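Review bot: `me-south-1` is an AWS opt-in region, so listing it in the default value of `target_regions` (variables.tf hunk, `@@ -55,6 +55,7 @@`) makes the module's defaults fail in any account that has not explicitly enabled the region: the `count`-guarded modules for `me-south-1` are instantiated by default and their provider calls are rejected rather than skipped. Either keep opt-in regions out of the default and let callers add them, or record the prerequisite on the variable, e.g. `description = "A list of regions to set up with this module. Opt-in regions such as me-south-1 must be enabled in the account before they are listed here."`. The variable block starts outside the hunk.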
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -291,6 +291,25 @@ module "vpc_baseline_eu-west-3" {
 tags = var.tags
 }
 
+module "vpc_baseline_me-south-1" {
+ count = var.vpc_enable && contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_sa-east-1" {
 count = var.vpc_enable && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/vpc-baseline"
From 882e8aaf714b684e06446187de4fa6377ec8a664 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:16:59 +0200 Subject: [PATCH 03/12] fix: Add missing resource output for guarduty in eu-west-3
---
 outputs.tf | 1 + 1 file changed, 1 insertion(+)
diff --git a/outputs.tf b/outputs.tf
index beae8b0b..ebdd92d6 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -120,6 +120,7 @@ output "guardduty_detector" {
 "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector)
 "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector)
 "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector)
+ "eu-west-3" = one(module.guardduty_baseline_eu-west-3[*].guardduty_detector)
 "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector)
 "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector)
 "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector)
From 434ebde2710dac652a405efa2c123d7535a0cfb6 Mon Sep 17 00:00:00 2001
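Review bot: The `index beae8b0b..ebdd92d6` line of this outputs.tf hunk shows it was generated against the same pre-image (`beae8b0b`) as the earlier outputs.tf hunk in this series, which already rewrote that file (to `b81cf129`) and inserted a `"me-south-1"` entry between the `"eu-west-2"` and `"sa-east-1"` lines this hunk relies on as context. Applied in series order the context no longer matches, so the patch is likely to need a rebase (or fuzz) to land; regenerating it on top of the preceding commit avoids that. The fix itself is right — the `guardduty_detector` map in the earlier hunk does skip from `"eu-west-2"` to `"sa-east-1"` — and the subject line's `guarduty` should read `guardduty`.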
From: Umbert <708948+umbertix@users.noreply.github.com> Date: Mon, 24 Jun 2024 11:12:07 +0200 Subject: [PATCH 04/12] Update examples/organization/member/main.tf Typo on the example provider name
---
 examples/organization/member/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf
index 1b2cac8a..dd7f1d58 100644
--- a/examples/organization/member/main.tf
+++ b/examples/organization/member/main.tf
@@ -52,7 +52,7 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
- aws.eme-south-1 = aws.me-south-1
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
From 64237ca4908b1d96139163a847491431e28d7549 Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 11:47:29 +0200 Subject: [PATCH 05/12] Upgrade the release pipeline to v4 The current version of release pipeline action has been archived, Upgrading to v4
---
 .chglog/config.yml | 2 +- .github/workflows/release-please.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.chglog/config.yml b/.chglog/config.yml
index 58eea04b..7904f52b 100755
--- a/.chglog/config.yml
+++ b/.chglog/config.yml
@@ -2,7 +2,7 @@ style: github
 template: CHANGELOG.tpl.md
 info:
 title: CHANGELOG
- repository_url: https://github.com/nozaq/terraform-aws-secure-baseline
+ repository_url: https://github.com/Unumed/terraform-aws-secure-baseline
 options:
 commits:
 filters:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index e1e02b2b..5181f09a 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -7,6 +7,7 @@ jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
- - uses: google-github-actions/release-please-action@v3
+ - uses: googleapis/release-please-action@v4
 with:
 release-type: terraform-module
+ token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
From 6836f0368d25635dfd7ffd4a5c02ced0a6c58ab4 Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 13:21:50 +0200 Subject: [PATCH 06/12] Add missing permissions Add missing permissions to pipeline definition
---
 .github/workflows/release-please.yml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5181f09a..71589fb0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -2,7 +2,13 @@ on:
 push:
 branches:
 - main
+
+permissions:
+ contents: write
+ pull-requests: write
+
 name: release-please
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
From b1d190930b654f68be0531e99a4f5e1335e5dbf1 Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 14:07:26 +0200 Subject: [PATCH 07/12] chore(main): release 2.2.0
---
 CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ea69b0d..87356fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [2.2.0](https://github.com/Unumed/terraform-aws-secure-baseline/compare/v2.1.0...v2.2.0) (2024-06-24) + + +### Features + +* Add ap-southeast-3 aws region ([7baa723](https://github.com/Unumed/terraform-aws-secure-baseline/commit/7baa72372c8d384b068017f4ae63b42bfb5cf9c8)) + ## [2.1.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v2.0.0...v2.1.0) (2022-12-03)
From f1f3ef7b63b7d9fbd99c8ea8f16e48bf884ab930 Mon Sep 17 00:00:00 2001
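Review bot: Both third-party actions in this workflow are referenced by mutable tags — `googleapis/release-please-action@v4` here and the `clowdhaus/...` actions in the later main.yml hunk — so whoever controls those tags controls the code that runs with this job's write token; pinning to a full commit SHA with the version in a trailing comment, `- uses: googleapis/release-please-action@<full-commit-sha> # v4`, removes that exposure, and Dependabot can keep the pin current. The new `token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}` line also swaps the job's `GITHUB_TOKEN` for a stored secret, presumably a personal access token; the `permissions:` block the following commit adds to this file scopes only `GITHUB_TOKEN`, so it does not constrain the token the action actually uses. A comment on the `token:` line stating the scopes the secret carries and why `GITHUB_TOKEN` is insufficient would let a reviewer check least privilege.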
From: unumed-umbo Date: Mon, 24 Jun 2024 14:26:26 +0200 Subject: [PATCH 08/12] chore: Upgrade actions versions Upgrade the terraform actions to latest versions.
---
 .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index c2a7a4ce..3faafbb7 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -13,9 +13,9 @@ jobs:
 uses: actions/checkout@v2
 - name: Terraform min/max versions
 id: minMax
- uses: clowdhaus/terraform-min-max@v1.0.4
+ uses: clowdhaus/terraform-min-max@v1.3.1
 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }}
- uses: clowdhaus/terraform-composite-actions/pre-commit@v1.4.1
+ uses: clowdhaus/terraform-composite-actions/pre-commit@v1.9.0
 with:
 terraform-version: ${{ steps.minMax.outputs.maxVersion }}
 terraform-docs-version: v0.16.0
From fbf7e23709ff2e7ae4c367cbe8e9a5215f6ee5c2 Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 14:28:40 +0200 Subject: [PATCH 09/12] Apply format Force apply formatting to comply with pipeline pre-commits
---
 README.md | 258 ++++++++++++++------------- examples/organization/member/main.tf | 2 +- 2 files changed, 131 insertions(+), 129 deletions(-)
diff --git a/README.md b/README.md
index 7bda972a..beef303a 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,7 @@ module "secure_baseline" {
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
- aws.me-south-1 = aws.me-south-1
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
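Review bot: The upgrade leaves `uses: actions/checkout@v2`, the first context line of the hunk, untouched although it is the step the two upgraded actions depend on for the working tree; the v2 line runs on a Node.js runtime GitHub has deprecated, so the job will keep emitting deprecation warnings and break when that runtime is removed. Moving it to the current major in the same commit, `uses: actions/checkout@v4`, keeps the "upgrade actions versions" change complete. The enclosing job definition starts above the hunk.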
@@ -115,144 +115,146 @@ This module is composed of several submodules and each of which can be used inde - Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier. + ## Requirements -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.1.4 | -| [aws](#requirement\_aws) | >= 4.3 | +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.1.4 | +| [aws](#requirement_aws) | >= 4.3 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 4.3 | +| Name | Version | +| ------------------------------------------------ | ------- | +| [aws](#provider_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Required | -|------|-------------|------|:--------:| -| [audit\_log\_bucket\_name](#input\_audit\_log\_bucket\_name) | The name of the S3 bucket to store various audit logs. | `string` | yes | -| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `string` | yes | -| [region](#input\_region) | The AWS region in which global resources are set up. | `string` | yes | -| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes | -| [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | no | -| [alarm\_baseline\_enabled](#input\_alarm\_baseline\_enabled) | Boolean whether alarm-baseline is enabled. | `bool` | no | -| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. 
| `string` | no | -| [alarm\_sns\_topic\_kms\_master\_key\_id](#input\_alarm\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | -| [alarm\_sns\_topic\_name](#input\_alarm\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | no | -| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | no | -| [analyzer\_baseline\_enabled](#input\_analyzer\_baseline\_enabled) | Boolean whether analyzer-baseline is enabled. | `bool` | no | -| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | -| [audit\_log\_bucket\_access\_logs\_name](#input\_audit\_log\_bucket\_access\_logs\_name) | The name of the S3 bucket to store various audit logs. | `string` | no | -| [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no | -| [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | -| [audit\_log\_bucket\_key\_enabled](#input\_audit\_log\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no | -| [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. 
| `number` | no | -| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [cloudtrail\_baseline\_enabled](#input\_cloudtrail\_baseline\_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no | -| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [cloudtrail\_cloudwatch\_logs\_enabled](#input\_cloudtrail\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | -| [cloudtrail\_cloudwatch\_logs\_group\_name](#input\_cloudtrail\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | -| [cloudtrail\_dynamodb\_event\_logging\_tables](#input\_cloudtrail\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no | -| [cloudtrail\_iam\_role\_name](#input\_cloudtrail\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | -| [cloudtrail\_iam\_role\_policy\_name](#input\_cloudtrail\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | -| [cloudtrail\_key\_deletion\_window\_in\_days](#input\_cloudtrail\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no | -| [cloudtrail\_lambda\_invocation\_logging\_lambdas](#input\_cloudtrail\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. 
| `list(string)` | no | -| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | no | -| [cloudtrail\_s3\_key\_prefix](#input\_cloudtrail\_s3\_key\_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no | -| [cloudtrail\_s3\_object\_level\_logging\_buckets](#input\_cloudtrail\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | -| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | no | -| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The name of the SNS topic to link to the trail. | `string` | no | -| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | -| [config\_aggregator\_name](#input\_config\_aggregator\_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | no | -| [config\_aggregator\_name\_prefix](#input\_config\_aggregator\_name\_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no | -| [config\_baseline\_enabled](#input\_config\_baseline\_enabled) | Boolean whether config-baseline is enabled. | `bool` | no | -| [config\_delivery\_frequency](#input\_config\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | -| [config\_global\_resources\_all\_regions](#input\_config\_global\_resources\_all\_regions) | Record global resources in all regions. If false, only default region will record global resources. 
| `bool` | no | -| [config\_iam\_role\_name](#input\_config\_iam\_role\_name) | The name of the IAM Role which AWS Config will use. | `string` | no | -| [config\_iam\_role\_policy\_name](#input\_config\_iam\_role\_policy\_name) | The name of the IAM Role Policy which AWS Config will use. | `string` | no | -| [config\_s3\_bucket\_key\_prefix](#input\_config\_s3\_bucket\_key\_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | no | -| [config\_sns\_topic\_kms\_master\_key\_id](#input\_config\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | -| [config\_sns\_topic\_name](#input\_config\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | -| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | no | -| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | no | -| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [guardduty\_disable\_email\_notification](#input\_guardduty\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. 
| `bool` | no | -| [guardduty\_enabled](#input\_guardduty\_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | no | -| [guardduty\_finding\_publishing\_frequency](#input\_guardduty\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | -| [guardduty\_invitation\_message](#input\_guardduty\_invitation\_message) | Message for invitation. | `string` | no | -| [iam\_baseline\_enabled](#input\_iam\_baseline\_enabled) | Boolean whether iam-baseline is enabled. | `bool` | no | -| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [master\_account\_id](#input\_master\_account\_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | no | -| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | no | -| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | -| [mfa\_console\_signin\_allow\_sso](#input\_mfa\_console\_signin\_allow\_sso) | The boolean flag whether the no\_mfa\_console\_signin alarm allows SSO auth to be ignored. | `bool` | no | -| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | no | -| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | -| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | -| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | -| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no | -| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. 
| `bool` | no | -| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | no | -| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [s3\_baseline\_enabled](#input\_s3\_baseline\_enabled) | Boolean whether s3-baseline is enabled. | `bool` | no | -| [s3\_block\_public\_acls](#input\_s3\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | -| [s3\_block\_public\_policy](#input\_s3\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | -| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no | -| [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | -| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | -| [securityhub\_enable\_aws\_foundational\_standard](#input\_securityhub\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | -| [securityhub\_enable\_cis\_standard](#input\_securityhub\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | no | -| [securityhub\_enable\_pci\_dss\_standard](#input\_securityhub\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | -| [securityhub\_enable\_product\_arns](#input\_securityhub\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | -| [securityhub\_enabled](#input\_securityhub\_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | no | -| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | no | -| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | -| [target\_regions](#input\_target\_regions) | A list of regions to set up with this module. | `list(string)` | no | -| [turn\_off\_organization\_trail](#input\_turn\_off\_organization\_trail) | Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | -| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [use\_external\_audit\_log\_bucket](#input\_use\_external\_audit\_log\_bucket) | A boolean that indicates whether the specific audit log bucket already exists. 
Create a new S3 bucket if it is set to false. | `bool` | no | -| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [vpc\_enable](#input\_vpc\_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | no | -| [vpc\_enable\_flow\_logs](#input\_vpc\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | no | -| [vpc\_flow\_logs\_destination\_type](#input\_vpc\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | -| [vpc\_flow\_logs\_log\_group\_name](#input\_vpc\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no | -| [vpc\_flow\_logs\_retention\_in\_days](#input\_vpc\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | -| [vpc\_flow\_logs\_s3\_arn](#input\_vpc\_flow\_logs\_s3\_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. | `string` | no | -| [vpc\_flow\_logs\_s3\_key\_prefix](#input\_vpc\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | -| [vpc\_iam\_role\_name](#input\_vpc\_iam\_role\_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | no | -| [vpc\_iam\_role\_policy\_name](#input\_vpc\_iam\_role\_policy\_name) | The name of the IAM Role Policy which VPC Flow Logs will use. 
| `string` | no | +| Name | Description | Type | Required | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | :------: | +| [audit_log_bucket_name](#input_audit_log_bucket_name) | The name of the S3 bucket to store various audit logs. | `string` | yes | +| [aws_account_id](#input_aws_account_id) | The AWS Account ID number of the account. | `string` | yes | +| [region](#input_region) | The AWS region in which global resources are set up. | `string` | yes | +| [support_iam_role_principal_arns](#input_support_iam_role_principal_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes | +| [account_type](#input_account_type) | The type of the AWS account. The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | no | +| [alarm_baseline_enabled](#input_alarm_baseline_enabled) | Boolean whether alarm-baseline is enabled. | `bool` | no | +| [alarm_namespace](#input_alarm_namespace) | The namespace in which all alarms are set up. | `string` | no | +| [alarm_sns_topic_kms_master_key_id](#input_alarm_sns_topic_kms_master_key_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [alarm_sns_topic_name](#input_alarm_sns_topic_name) | The name of the SNS Topic which will be notified when any alarm is performed. 
| `string` | no | +| [allow_users_to_change_password](#input_allow_users_to_change_password) | Whether to allow users to change their own password. | `bool` | no | +| [analyzer_baseline_enabled](#input_analyzer_baseline_enabled) | Boolean whether analyzer-baseline is enabled. | `bool` | no | +| [analyzer_name](#input_analyzer_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | +| [audit_log_bucket_access_logs_name](#input_audit_log_bucket_access_logs_name) | The name of the S3 bucket to store various audit logs. | `string` | no | +| [audit_log_bucket_custom_policy_json](#input_audit_log_bucket_custom_policy_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no | +| [audit_log_bucket_force_destroy](#input_audit_log_bucket_force_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | +| [audit_log_bucket_key_enabled](#input_audit_log_bucket_key_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no | +| [audit_log_lifecycle_glacier_transition_days](#input_audit_log_lifecycle_glacier_transition_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no | +| [aws_config_changes_enabled](#input_aws_config_changes_enabled) | The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail_baseline_enabled](#input_cloudtrail_baseline_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no | +| [cloudtrail_cfg_changes_enabled](#input_cloudtrail_cfg_changes_enabled) | The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [cloudtrail_cloudwatch_logs_enabled](#input_cloudtrail_cloudwatch_logs_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | +| [cloudtrail_cloudwatch_logs_group_name](#input_cloudtrail_cloudwatch_logs_group_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | +| [cloudtrail_dynamodb_event_logging_tables](#input_cloudtrail_dynamodb_event_logging_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no | +| [cloudtrail_iam_role_name](#input_cloudtrail_iam_role_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail_iam_role_policy_name](#input_cloudtrail_iam_role_policy_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail_key_deletion_window_in_days](#input_cloudtrail_key_deletion_window_in_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no | +| [cloudtrail_lambda_invocation_logging_lambdas](#input_cloudtrail_lambda_invocation_logging_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list(string)` | no | +| [cloudtrail_name](#input_cloudtrail_name) | The name of the trail. | `string` | no | +| [cloudtrail_s3_key_prefix](#input_cloudtrail_s3_key_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no | +| [cloudtrail_s3_object_level_logging_buckets](#input_cloudtrail_s3_object_level_logging_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | +| [cloudtrail_sns_topic_enabled](#input_cloudtrail_sns_topic_enabled) | Specifies whether the trail is delivered to a SNS topic. 
| `bool` | no | +| [cloudtrail_sns_topic_name](#input_cloudtrail_sns_topic_name) | The name of the SNS topic to link to the trail. | `string` | no | +| [cloudwatch_logs_retention_in_days](#input_cloudwatch_logs_retention_in_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [config_aggregator_name](#input_config_aggregator_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config_aggregator_name_prefix](#input_config_aggregator_name_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config_baseline_enabled](#input_config_baseline_enabled) | Boolean whether config-baseline is enabled. | `bool` | no | +| [config_delivery_frequency](#input_config_delivery_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | +| [config_global_resources_all_regions](#input_config_global_resources_all_regions) | Record global resources in all regions. If false, only default region will record global resources. | `bool` | no | +| [config_iam_role_name](#input_config_iam_role_name) | The name of the IAM Role which AWS Config will use. | `string` | no | +| [config_iam_role_policy_name](#input_config_iam_role_policy_name) | The name of the IAM Role Policy which AWS Config will use. | `string` | no | +| [config_s3_bucket_key_prefix](#input_config_s3_bucket_key_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. 
| `string` | no | +| [config_sns_topic_kms_master_key_id](#input_config_sns_topic_kms_master_key_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [config_sns_topic_name](#input_config_sns_topic_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | +| [console_signin_failures_enabled](#input_console_signin_failures_enabled) | The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [create_password_policy](#input_create_password_policy) | Define if the password policy should be created. | `bool` | no | +| [create_support_role](#input_create_support_role) | Define if the support role should be created. | `bool` | no | +| [disable_or_delete_cmk_enabled](#input_disable_or_delete_cmk_enabled) | The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [guardduty_disable_email_notification](#input_guardduty_disable_email_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | no | +| [guardduty_enabled](#input_guardduty_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | no | +| [guardduty_finding_publishing_frequency](#input_guardduty_finding_publishing_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | +| [guardduty_invitation_message](#input_guardduty_invitation_message) | Message for invitation. | `string` | no | +| [iam_baseline_enabled](#input_iam_baseline_enabled) | Boolean whether iam-baseline is enabled. | `bool` | no | +| [iam_changes_enabled](#input_iam_changes_enabled) | The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [master_account_id](#input_master_account_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | no | +| [max_password_age](#input_max_password_age) | The number of days that an user password is valid. | `number` | no | +| [member_accounts](#input_member_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | +| [mfa_console_signin_allow_sso](#input_mfa_console_signin_allow_sso) | The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored. | `bool` | no | +| [minimum_password_length](#input_minimum_password_length) | Minimum length to require for user passwords. | `number` | no | +| [nacl_changes_enabled](#input_nacl_changes_enabled) | The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [network_gw_changes_enabled](#input_network_gw_changes_enabled) | The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [no_mfa_console_signin_enabled](#input_no_mfa_console_signin_enabled) | The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [organizations_changes_enabled](#input_organizations_changes_enabled) | The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [password_reuse_prevention](#input_password_reuse_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | +| [permissions_boundary_arn](#input_permissions_boundary_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | +| [require_lowercase_characters](#input_require_lowercase_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | +| [require_numbers](#input_require_numbers) | Whether to require numbers for user passwords. | `bool` | no | +| [require_symbols](#input_require_symbols) | Whether to require symbols for user passwords. | `bool` | no | +| [require_uppercase_characters](#input_require_uppercase_characters) | Whether to require uppercase characters for user passwords. 
| `bool` | no | +| [root_usage_enabled](#input_root_usage_enabled) | The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [route_table_changes_enabled](#input_route_table_changes_enabled) | The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3_baseline_enabled](#input_s3_baseline_enabled) | Boolean whether s3-baseline is enabled. | `bool` | no | +| [s3_block_public_acls](#input_s3_block_public_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3_block_public_policy](#input_s3_block_public_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [s3_bucket_policy_changes_enabled](#input_s3_bucket_policy_changes_enabled) | The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3_ignore_public_acls](#input_s3_ignore_public_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3_restrict_public_buckets](#input_s3_restrict_public_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [security_group_changes_enabled](#input_security_group_changes_enabled) | The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [securityhub_enable_aws_foundational_standard](#input_securityhub_enable_aws_foundational_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | +| [securityhub_enable_cis_standard](#input_securityhub_enable_cis_standard) | Boolean whether CIS standard is enabled. 
| `bool` | no | +| [securityhub_enable_pci_dss_standard](#input_securityhub_enable_pci_dss_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | +| [securityhub_enable_product_arns](#input_securityhub_enable_product_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | +| [securityhub_enabled](#input_securityhub_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | no | +| [support_iam_role_name](#input_support_iam_role_name) | The name of the the support role. | `string` | no | +| [tags](#input_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | +| [target_regions](#input_target_regions) | A list of regions to set up with this module. | `list(string)` | no | +| [turn_off_organization_trail](#input_turn_off_organization_trail) | Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | +| [unauthorized_api_calls_enabled](#input_unauthorized_api_calls_enabled) | The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [use_external_audit_log_bucket](#input_use_external_audit_log_bucket) | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | `bool` | no | +| [vpc_changes_enabled](#input_vpc_changes_enabled) | The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [vpc_enable](#input_vpc_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | no | +| [vpc_enable_flow_logs](#input_vpc_enable_flow_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | no | +| [vpc_flow_logs_destination_type](#input_vpc_flow_logs_destination_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | +| [vpc_flow_logs_log_group_name](#input_vpc_flow_logs_log_group_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no | +| [vpc_flow_logs_retention_in_days](#input_vpc_flow_logs_retention_in_days) | Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [vpc_flow_logs_s3_arn](#input_vpc_flow_logs_s3_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3. | `string` | no | +| [vpc_flow_logs_s3_key_prefix](#input_vpc_flow_logs_s3_key_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | +| [vpc_iam_role_name](#input_vpc_iam_role_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | no | +| [vpc_iam_role_policy_name](#input_vpc_iam_role_policy_name) | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | no | ## Outputs -| Name | Description | -|------|-------------| -| [alarm\_sns\_topic](#output\_alarm\_sns\_topic) | The SNS topic to which CloudWatch Alarms will be sent. | -| [audit\_bucket](#output\_audit\_bucket) | The S3 bucket used for storing audit logs. | -| [cloudtrail](#output\_cloudtrail) | The trail for recording events in all regions. | -| [cloudtrail\_kms\_key](#output\_cloudtrail\_kms\_key) | The KMS key used for encrypting CloudTrail events. 
| -| [cloudtrail\_log\_delivery\_iam\_role](#output\_cloudtrail\_log\_delivery\_iam\_role) | The IAM role used for delivering CloudTrail events to CloudWatch Logs. | -| [cloudtrail\_log\_group](#output\_cloudtrail\_log\_group) | The CloudWatch Logs log group which stores CloudTrail events. | -| [cloudtrail\_sns\_topic](#output\_cloudtrail\_sns\_topic) | The sns topic linked to the cloudtrail. | -| [config\_configuration\_recorder](#output\_config\_configuration\_recorder) | The configuration recorder in each region. | -| [config\_iam\_role](#output\_config\_iam\_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | -| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic) that AWS Config delivers notifications to. | -| [default\_network\_acl](#output\_default\_network\_acl) | The default network ACL. | -| [default\_route\_table](#output\_default\_route\_table) | The default route table. | -| [default\_security\_group](#output\_default\_security\_group) | The ID of the default security group. | -| [default\_vpc](#output\_default\_vpc) | The default VPC. | -| [guardduty\_detector](#output\_guardduty\_detector) | The GuardDuty detector in each region. | -| [support\_iam\_role](#output\_support\_iam\_role) | The IAM role used for the support user. | -| [vpc\_flow\_logs\_group](#output\_vpc\_flow\_logs\_group) | The CloudWatch Logs log group which stores VPC Flow Logs in each region. | -| [vpc\_flow\_logs\_iam\_role](#output\_vpc\_flow\_logs\_iam\_role) | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. | +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | +| [alarm_sns_topic](#output_alarm_sns_topic) | The SNS topic to which CloudWatch Alarms will be sent. 
| +| [audit_bucket](#output_audit_bucket) | The S3 bucket used for storing audit logs. | +| [cloudtrail](#output_cloudtrail) | The trail for recording events in all regions. | +| [cloudtrail_kms_key](#output_cloudtrail_kms_key) | The KMS key used for encrypting CloudTrail events. | +| [cloudtrail_log_delivery_iam_role](#output_cloudtrail_log_delivery_iam_role) | The IAM role used for delivering CloudTrail events to CloudWatch Logs. | +| [cloudtrail_log_group](#output_cloudtrail_log_group) | The CloudWatch Logs log group which stores CloudTrail events. | +| [cloudtrail_sns_topic](#output_cloudtrail_sns_topic) | The sns topic linked to the cloudtrail. | +| [config_configuration_recorder](#output_config_configuration_recorder) | The configuration recorder in each region. | +| [config_iam_role](#output_config_iam_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | +| [config_sns_topic](#output_config_sns_topic) | The SNS topic) that AWS Config delivers notifications to. | +| [default_network_acl](#output_default_network_acl) | The default network ACL. | +| [default_route_table](#output_default_route_table) | The default route table. | +| [default_security_group](#output_default_security_group) | The ID of the default security group. | +| [default_vpc](#output_default_vpc) | The default VPC. | +| [guardduty_detector](#output_guardduty_detector) | The GuardDuty detector in each region. | +| [support_iam_role](#output_support_iam_role) | The IAM role used for the support user. | +| [vpc_flow_logs_group](#output_vpc_flow_logs_group) | The CloudWatch Logs log group which stores VPC Flow Logs in each region. | +| [vpc_flow_logs_iam_role](#output_vpc_flow_logs_iam_role) | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. | + [cis amazon web services foundations v1.4.0]: https://www.cisecurity.org/benchmark/amazon_web_services/ 
diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 7b67b048..c10c6dea 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -53,7 +53,7 @@ module "secure_baseline" { aws.eu-west-1 = aws.eu-west-1 aws.eu-west-2 = aws.eu-west-2 aws.eu-west-3 = aws.eu-west-3 - aws.me-south-1 = aws.me-south-1 + aws.me-south-1 = aws.me-south-1 aws.sa-east-1 = aws.sa-east-1 aws.us-east-1 = aws.us-east-1 aws.us-east-2 = aws.us-east-2 From df2938681d41049aa004935da2e7b7feaa9e3c53 Mon Sep 17 00:00:00 2001 From: Umbert Pensato Bosch <708948+umbertix@users.noreply.github.com> Date: Mon, 24 Jun 2024 14:34:01 +0200 Subject: [PATCH 10/12] fix: Readme autogenerated file --- README.md | 256 +++++++++++++++++++++++++++--------------------------- 1 file changed, 127 insertions(+), 129 deletions(-) diff --git a/README.md b/README.md index beef303a..7e3e0d13 100644 --- a/README.md +++ b/README.md 
@@ -115,146 +115,144 @@ This module is composed of several submodules and each of which can be used inde - Starting from v0.10, this module requires Terraform v0.12 or later. Please use v0.9 if you need to use Terraform v0.11 or ealier. - ## Requirements -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.1.4 | -| [aws](#requirement_aws) | >= 4.3 | +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.1.4 | +| [aws](#requirement\_aws) | >= 4.3 | ## Providers -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | >= 4.3 | +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 4.3 | ## Inputs -| Name | Description | Type | Required | -| --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------- | :------: | -| [audit_log_bucket_name](#input_audit_log_bucket_name) | The name of the S3 bucket to store various audit logs. | `string` | yes | -| [aws_account_id](#input_aws_account_id) | The AWS Account ID number of the account. | `string` | yes | -| [region](#input_region) | The AWS region in which global resources are set up. | `string` | yes | -| [support_iam_role_principal_arns](#input_support_iam_role_principal_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes | -| [account_type](#input_account_type) | The type of the AWS account. 
The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | no | -| [alarm_baseline_enabled](#input_alarm_baseline_enabled) | Boolean whether alarm-baseline is enabled. | `bool` | no | -| [alarm_namespace](#input_alarm_namespace) | The namespace in which all alarms are set up. | `string` | no | -| [alarm_sns_topic_kms_master_key_id](#input_alarm_sns_topic_kms_master_key_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | -| [alarm_sns_topic_name](#input_alarm_sns_topic_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | no | -| [allow_users_to_change_password](#input_allow_users_to_change_password) | Whether to allow users to change their own password. | `bool` | no | -| [analyzer_baseline_enabled](#input_analyzer_baseline_enabled) | Boolean whether analyzer-baseline is enabled. | `bool` | no | -| [analyzer_name](#input_analyzer_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | -| [audit_log_bucket_access_logs_name](#input_audit_log_bucket_access_logs_name) | The name of the S3 bucket to store various audit logs. | `string` | no | -| [audit_log_bucket_custom_policy_json](#input_audit_log_bucket_custom_policy_json) | Override policy for the audit log bucket. Allows addition of extra policies. | `string` | no | -| [audit_log_bucket_force_destroy](#input_audit_log_bucket_force_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | -| [audit_log_bucket_key_enabled](#input_audit_log_bucket_key_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. 
| `bool` | no | -| [audit_log_lifecycle_glacier_transition_days](#input_audit_log_lifecycle_glacier_transition_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no | -| [aws_config_changes_enabled](#input_aws_config_changes_enabled) | The boolean flag whether the aws_config_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [cloudtrail_baseline_enabled](#input_cloudtrail_baseline_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no | -| [cloudtrail_cfg_changes_enabled](#input_cloudtrail_cfg_changes_enabled) | The boolean flag whether the cloudtrail_cfg_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [cloudtrail_cloudwatch_logs_enabled](#input_cloudtrail_cloudwatch_logs_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | -| [cloudtrail_cloudwatch_logs_group_name](#input_cloudtrail_cloudwatch_logs_group_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | -| [cloudtrail_dynamodb_event_logging_tables](#input_cloudtrail_dynamodb_event_logging_tables) | The list of DynamoDB table ARNs on which to enable event logging. | `list(string)` | no | -| [cloudtrail_iam_role_name](#input_cloudtrail_iam_role_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | -| [cloudtrail_iam_role_policy_name](#input_cloudtrail_iam_role_policy_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | -| [cloudtrail_key_deletion_window_in_days](#input_cloudtrail_key_deletion_window_in_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. 
| `number` | no | -| [cloudtrail_lambda_invocation_logging_lambdas](#input_cloudtrail_lambda_invocation_logging_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list(string)` | no | -| [cloudtrail_name](#input_cloudtrail_name) | The name of the trail. | `string` | no | -| [cloudtrail_s3_key_prefix](#input_cloudtrail_s3_key_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no | -| [cloudtrail_s3_object_level_logging_buckets](#input_cloudtrail_s3_object_level_logging_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | -| [cloudtrail_sns_topic_enabled](#input_cloudtrail_sns_topic_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | no | -| [cloudtrail_sns_topic_name](#input_cloudtrail_sns_topic_name) | The name of the SNS topic to link to the trail. | `string` | no | -| [cloudwatch_logs_retention_in_days](#input_cloudwatch_logs_retention_in_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | -| [config_aggregator_name](#input_config_aggregator_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | no | -| [config_aggregator_name_prefix](#input_config_aggregator_name_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no | -| [config_baseline_enabled](#input_config_baseline_enabled) | Boolean whether config-baseline is enabled. | `bool` | no | -| [config_delivery_frequency](#input_config_delivery_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | -| [config_global_resources_all_regions](#input_config_global_resources_all_regions) | Record global resources in all regions. 
If false, only default region will record global resources. | `bool` | no | -| [config_iam_role_name](#input_config_iam_role_name) | The name of the IAM Role which AWS Config will use. | `string` | no | -| [config_iam_role_policy_name](#input_config_iam_role_policy_name) | The name of the IAM Role Policy which AWS Config will use. | `string` | no | -| [config_s3_bucket_key_prefix](#input_config_s3_bucket_key_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | no | -| [config_sns_topic_kms_master_key_id](#input_config_sns_topic_kms_master_key_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | -| [config_sns_topic_name](#input_config_sns_topic_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | -| [console_signin_failures_enabled](#input_console_signin_failures_enabled) | The boolean flag whether the console_signin_failures alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [create_password_policy](#input_create_password_policy) | Define if the password policy should be created. | `bool` | no | -| [create_support_role](#input_create_support_role) | Define if the support role should be created. | `bool` | no | -| [disable_or_delete_cmk_enabled](#input_disable_or_delete_cmk_enabled) | The boolean flag whether the disable_or_delete_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [guardduty_disable_email_notification](#input_guardduty_disable_email_notification) | Boolean whether an email notification is sent to the accounts. 
| `bool` | no | -| [guardduty_enabled](#input_guardduty_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | no | -| [guardduty_finding_publishing_frequency](#input_guardduty_finding_publishing_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | -| [guardduty_invitation_message](#input_guardduty_invitation_message) | Message for invitation. | `string` | no | -| [iam_baseline_enabled](#input_iam_baseline_enabled) | Boolean whether iam-baseline is enabled. | `bool` | no | -| [iam_changes_enabled](#input_iam_changes_enabled) | The boolean flag whether the iam_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [master_account_id](#input_master_account_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | no | -| [max_password_age](#input_max_password_age) | The number of days that an user password is valid. | `number` | no | -| [member_accounts](#input_member_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | -| [mfa_console_signin_allow_sso](#input_mfa_console_signin_allow_sso) | The boolean flag whether the no_mfa_console_signin alarm allows SSO auth to be ignored. | `bool` | no | -| [minimum_password_length](#input_minimum_password_length) | Minimum length to require for user passwords. | `number` | no | -| [nacl_changes_enabled](#input_nacl_changes_enabled) | The boolean flag whether the nacl_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [network_gw_changes_enabled](#input_network_gw_changes_enabled) | The boolean flag whether the network_gw_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [no_mfa_console_signin_enabled](#input_no_mfa_console_signin_enabled) | The boolean flag whether the no_mfa_console_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [organizations_changes_enabled](#input_organizations_changes_enabled) | The boolean flag whether the organizations_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [password_reuse_prevention](#input_password_reuse_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | -| [permissions_boundary_arn](#input_permissions_boundary_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | -| [require_lowercase_characters](#input_require_lowercase_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | -| [require_numbers](#input_require_numbers) | Whether to require numbers for user passwords. | `bool` | no | -| [require_symbols](#input_require_symbols) | Whether to require symbols for user passwords. | `bool` | no | -| [require_uppercase_characters](#input_require_uppercase_characters) | Whether to require uppercase characters for user passwords. 
| `bool` | no | -| [root_usage_enabled](#input_root_usage_enabled) | The boolean flag whether the root_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [route_table_changes_enabled](#input_route_table_changes_enabled) | The boolean flag whether the route_table_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [s3_baseline_enabled](#input_s3_baseline_enabled) | Boolean whether s3-baseline is enabled. | `bool` | no | -| [s3_block_public_acls](#input_s3_block_public_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | -| [s3_block_public_policy](#input_s3_block_public_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | -| [s3_bucket_policy_changes_enabled](#input_s3_bucket_policy_changes_enabled) | The boolean flag whether the s3_bucket_policy_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [s3_ignore_public_acls](#input_s3_ignore_public_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no | -| [s3_restrict_public_buckets](#input_s3_restrict_public_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | -| [security_group_changes_enabled](#input_security_group_changes_enabled) | The boolean flag whether the security_group_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [securityhub_enable_aws_foundational_standard](#input_securityhub_enable_aws_foundational_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | -| [securityhub_enable_cis_standard](#input_securityhub_enable_cis_standard) | Boolean whether CIS standard is enabled. 
| `bool` | no | -| [securityhub_enable_pci_dss_standard](#input_securityhub_enable_pci_dss_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | -| [securityhub_enable_product_arns](#input_securityhub_enable_product_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | -| [securityhub_enabled](#input_securityhub_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | no | -| [support_iam_role_name](#input_support_iam_role_name) | The name of the the support role. | `string` | no | -| [tags](#input_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | -| [target_regions](#input_target_regions) | A list of regions to set up with this module. | `list(string)` | no | -| [turn_off_organization_trail](#input_turn_off_organization_trail) | Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | -| [unauthorized_api_calls_enabled](#input_unauthorized_api_calls_enabled) | The boolean flag whether the unauthorized_api_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | -| [use_external_audit_log_bucket](#input_use_external_audit_log_bucket) | A boolean that indicates whether the specific audit log bucket already exists. Create a new S3 bucket if it is set to false. | `bool` | no | -| [vpc_changes_enabled](#input_vpc_changes_enabled) | The boolean flag whether the vpc_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | -| [vpc_enable](#input_vpc_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | no | -| [vpc_enable_flow_logs](#input_vpc_enable_flow_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | no | -| [vpc_flow_logs_destination_type](#input_vpc_flow_logs_destination_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | -| [vpc_flow_logs_log_group_name](#input_vpc_flow_logs_log_group_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no | -| [vpc_flow_logs_retention_in_days](#input_vpc_flow_logs_retention_in_days) | Number of days to retain logs if vpc_log_destination_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | -| [vpc_flow_logs_s3_arn](#input_vpc_flow_logs_s3_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc_log_destination_type is s3. | `string` | no | -| [vpc_flow_logs_s3_key_prefix](#input_vpc_flow_logs_s3_key_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | -| [vpc_iam_role_name](#input_vpc_iam_role_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | no | -| [vpc_iam_role_policy_name](#input_vpc_iam_role_policy_name) | The name of the IAM Role Policy which VPC Flow Logs will use. | `string` | no | +| Name | Description | Type | Required | +|------|-------------|------|:--------:| +| [audit\_log\_bucket\_name](#input\_audit\_log\_bucket\_name) | The name of the S3 bucket to store various audit logs. | `string` | yes | +| [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID number of the account. | `string` | yes | +| [region](#input\_region) | The AWS region in which global resources are set up. 
| `string` | yes | +| [support\_iam\_role\_principal\_arns](#input\_support\_iam\_role\_principal\_arns) | List of ARNs of the IAM principal elements by which the support role could be assumed. | `list(string)` | yes | +| [account\_type](#input\_account\_type) | The type of the AWS account. The possible values are `individual`, `master` and `member` . Specify `master` and `member` to set up centalized logging for multiple accounts in AWS Organization. Use individual` otherwise.` | `string` | no | +| [alarm\_baseline\_enabled](#input\_alarm\_baseline\_enabled) | Boolean whether alarm-baseline is enabled. | `bool` | no | +| [alarm\_namespace](#input\_alarm\_namespace) | The namespace in which all alarms are set up. | `string` | no | +| [alarm\_sns\_topic\_kms\_master\_key\_id](#input\_alarm\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [alarm\_sns\_topic\_name](#input\_alarm\_sns\_topic\_name) | The name of the SNS Topic which will be notified when any alarm is performed. | `string` | no | +| [allow\_users\_to\_change\_password](#input\_allow\_users\_to\_change\_password) | Whether to allow users to change their own password. | `bool` | no | +| [analyzer\_baseline\_enabled](#input\_analyzer\_baseline\_enabled) | Boolean whether analyzer-baseline is enabled. | `bool` | no | +| [analyzer\_name](#input\_analyzer\_name) | The name for the IAM Access Analyzer resource to be created. | `string` | no | +| [audit\_log\_bucket\_access\_logs\_name](#input\_audit\_log\_bucket\_access\_logs\_name) | The name of the S3 bucket to store various audit logs. | `string` | no | +| [audit\_log\_bucket\_custom\_policy\_json](#input\_audit\_log\_bucket\_custom\_policy\_json) | Override policy for the audit log bucket. Allows addition of extra policies. 
| `string` | no | +| [audit\_log\_bucket\_force\_destroy](#input\_audit\_log\_bucket\_force\_destroy) | A boolean that indicates all objects should be deleted from the audit log bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | no | +| [audit\_log\_bucket\_key\_enabled](#input\_audit\_log\_bucket\_key\_enabled) | Whether or not to use Amazon S3 Bucket Keys for encrypting the audit log bucket. | `bool` | no | +| [audit\_log\_lifecycle\_glacier\_transition\_days](#input\_audit\_log\_lifecycle\_glacier\_transition\_days) | The number of days after log creation when the log file is archived into Glacier. Setting to zero disables the transition. | `number` | no | +| [aws\_config\_changes\_enabled](#input\_aws\_config\_changes\_enabled) | The boolean flag whether the aws\_config\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail\_baseline\_enabled](#input\_cloudtrail\_baseline\_enabled) | Boolean whether cloudtrail-baseline is enabled. | `bool` | no | +| [cloudtrail\_cfg\_changes\_enabled](#input\_cloudtrail\_cfg\_changes\_enabled) | The boolean flag whether the cloudtrail\_cfg\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [cloudtrail\_cloudwatch\_logs\_enabled](#input\_cloudtrail\_cloudwatch\_logs\_enabled) | Specifies whether the trail is delivered to CloudWatch Logs. | `bool` | no | +| [cloudtrail\_cloudwatch\_logs\_group\_name](#input\_cloudtrail\_cloudwatch\_logs\_group\_name) | The name of CloudWatch Logs group to which CloudTrail events are delivered. | `string` | no | +| [cloudtrail\_dynamodb\_event\_logging\_tables](#input\_cloudtrail\_dynamodb\_event\_logging\_tables) | The list of DynamoDB table ARNs on which to enable event logging. 
| `list(string)` | no | +| [cloudtrail\_iam\_role\_name](#input\_cloudtrail\_iam\_role\_name) | The name of the IAM Role to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail\_iam\_role\_policy\_name](#input\_cloudtrail\_iam\_role\_policy\_name) | The name of the IAM Role Policy to be used by CloudTrail to delivery logs to CloudWatch Logs group. | `string` | no | +| [cloudtrail\_key\_deletion\_window\_in\_days](#input\_cloudtrail\_key\_deletion\_window\_in\_days) | Duration in days after which the key is deleted after destruction of the resource, must be between 7 and 30 days. Defaults to 30 days. | `number` | no | +| [cloudtrail\_lambda\_invocation\_logging\_lambdas](#input\_cloudtrail\_lambda\_invocation\_logging\_lambdas) | The list of lambda ARNs on which to enable invocation logging. | `list(string)` | no | +| [cloudtrail\_name](#input\_cloudtrail\_name) | The name of the trail. | `string` | no | +| [cloudtrail\_s3\_key\_prefix](#input\_cloudtrail\_s3\_key\_prefix) | The prefix used when CloudTrail delivers events to the S3 bucket. | `string` | no | +| [cloudtrail\_s3\_object\_level\_logging\_buckets](#input\_cloudtrail\_s3\_object\_level\_logging\_buckets) | The list of S3 bucket ARNs on which to enable object-level logging. | `list(string)` | no | +| [cloudtrail\_sns\_topic\_enabled](#input\_cloudtrail\_sns\_topic\_enabled) | Specifies whether the trail is delivered to a SNS topic. | `bool` | no | +| [cloudtrail\_sns\_topic\_name](#input\_cloudtrail\_sns\_topic\_name) | The name of the SNS topic to link to the trail. | `string` | no | +| [cloudwatch\_logs\_retention\_in\_days](#input\_cloudwatch\_logs\_retention\_in\_days) | Number of days to retain logs for. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. 
| `number` | no | +| [config\_aggregator\_name](#input\_config\_aggregator\_name) | The name of the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config\_aggregator\_name\_prefix](#input\_config\_aggregator\_name\_prefix) | The prefix of the name for the IAM role attached to the organizational AWS Config Configuration Aggregator. | `string` | no | +| [config\_baseline\_enabled](#input\_config\_baseline\_enabled) | Boolean whether config-baseline is enabled. | `bool` | no | +| [config\_delivery\_frequency](#input\_config\_delivery\_frequency) | The frequency which AWS Config sends a snapshot into the S3 bucket. | `string` | no | +| [config\_global\_resources\_all\_regions](#input\_config\_global\_resources\_all\_regions) | Record global resources in all regions. If false, only default region will record global resources. | `bool` | no | +| [config\_iam\_role\_name](#input\_config\_iam\_role\_name) | The name of the IAM Role which AWS Config will use. | `string` | no | +| [config\_iam\_role\_policy\_name](#input\_config\_iam\_role\_policy\_name) | The name of the IAM Role Policy which AWS Config will use. | `string` | no | +| [config\_s3\_bucket\_key\_prefix](#input\_config\_s3\_bucket\_key\_prefix) | The prefix used when writing AWS Config snapshots into the S3 bucket. | `string` | no | +| [config\_sns\_topic\_kms\_master\_key\_id](#input\_config\_sns\_topic\_kms\_master\_key\_id) | To enable SNS Topic encryption enter value with the ID of a custom master KMS key that is used for encryption | `string` | no | +| [config\_sns\_topic\_name](#input\_config\_sns\_topic\_name) | The name of the SNS Topic to be used to notify configuration changes. | `string` | no | +| [console\_signin\_failures\_enabled](#input\_console\_signin\_failures\_enabled) | The boolean flag whether the console\_signin\_failures alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [create\_password\_policy](#input\_create\_password\_policy) | Define if the password policy should be created. | `bool` | no | +| [create\_support\_role](#input\_create\_support\_role) | Define if the support role should be created. | `bool` | no | +| [disable\_or\_delete\_cmk\_enabled](#input\_disable\_or\_delete\_cmk\_enabled) | The boolean flag whether the disable\_or\_delete\_cmk alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [guardduty\_disable\_email\_notification](#input\_guardduty\_disable\_email\_notification) | Boolean whether an email notification is sent to the accounts. | `bool` | no | +| [guardduty\_enabled](#input\_guardduty\_enabled) | Boolean whether the guardduty-baseline module is enabled or disabled | `bool` | no | +| [guardduty\_finding\_publishing\_frequency](#input\_guardduty\_finding\_publishing\_frequency) | Specifies the frequency of notifications sent for subsequent finding occurrences. | `string` | no | +| [guardduty\_invitation\_message](#input\_guardduty\_invitation\_message) | Message for invitation. | `string` | no | +| [iam\_baseline\_enabled](#input\_iam\_baseline\_enabled) | Boolean whether iam-baseline is enabled. | `bool` | no | +| [iam\_changes\_enabled](#input\_iam\_changes\_enabled) | The boolean flag whether the iam\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [master\_account\_id](#input\_master\_account\_id) | The ID of the master AWS account to which the current AWS account is associated. Required if `account_type` is `member`. | `string` | no | +| [max\_password\_age](#input\_max\_password\_age) | The number of days that an user password is valid. | `number` | no | +| [member\_accounts](#input\_member\_accounts) | A list of IDs and emails of AWS accounts which associated as member accounts. |
list(object({
account_id = string
email = string
}))
| no | +| [mfa\_console\_signin\_allow\_sso](#input\_mfa\_console\_signin\_allow\_sso) | The boolean flag whether the no\_mfa\_console\_signin alarm allows SSO auth to be ignored. | `bool` | no | +| [minimum\_password\_length](#input\_minimum\_password\_length) | Minimum length to require for user passwords. | `number` | no | +| [nacl\_changes\_enabled](#input\_nacl\_changes\_enabled) | The boolean flag whether the nacl\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [network\_gw\_changes\_enabled](#input\_network\_gw\_changes\_enabled) | The boolean flag whether the network\_gw\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [no\_mfa\_console\_signin\_enabled](#input\_no\_mfa\_console\_signin\_enabled) | The boolean flag whether the no\_mfa\_console\_signin alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [organizations\_changes\_enabled](#input\_organizations\_changes\_enabled) | The boolean flag whether the organizations\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [password\_reuse\_prevention](#input\_password\_reuse\_prevention) | The number of previous passwords that users are prevented from reusing. | `number` | no | +| [permissions\_boundary\_arn](#input\_permissions\_boundary\_arn) | The permissions boundary ARN for all IAM Roles, provisioned by this module | `string` | no | +| [require\_lowercase\_characters](#input\_require\_lowercase\_characters) | Whether to require lowercase characters for user passwords. | `bool` | no | +| [require\_numbers](#input\_require\_numbers) | Whether to require numbers for user passwords. | `bool` | no | +| [require\_symbols](#input\_require\_symbols) | Whether to require symbols for user passwords. 
| `bool` | no | +| [require\_uppercase\_characters](#input\_require\_uppercase\_characters) | Whether to require uppercase characters for user passwords. | `bool` | no | +| [root\_usage\_enabled](#input\_root\_usage\_enabled) | The boolean flag whether the root\_usage alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [route\_table\_changes\_enabled](#input\_route\_table\_changes\_enabled) | The boolean flag whether the route\_table\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3\_baseline\_enabled](#input\_s3\_baseline\_enabled) | Boolean whether s3-baseline is enabled. | `bool` | no | +| [s3\_block\_public\_acls](#input\_s3\_block\_public\_acls) | Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_block\_public\_policy](#input\_s3\_block\_public\_policy) | Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_bucket\_policy\_changes\_enabled](#input\_s3\_bucket\_policy\_changes\_enabled) | The boolean flag whether the s3\_bucket\_policy\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | no | +| [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | no | +| [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. 
| `bool` | no | +| [securityhub\_enable\_aws\_foundational\_standard](#input\_securityhub\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | no | +| [securityhub\_enable\_cis\_standard](#input\_securityhub\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | no | +| [securityhub\_enable\_pci\_dss\_standard](#input\_securityhub\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | no | +| [securityhub\_enable\_product\_arns](#input\_securityhub\_enable\_product\_arns) | List of Security Hub product ARNs, `` will be replaced. See https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-partner-providers.html for list. | `list(string)` | no | +| [securityhub\_enabled](#input\_securityhub\_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | no | +| [support\_iam\_role\_name](#input\_support\_iam\_role\_name) | The name of the the support role. | `string` | no | +| [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(string)` | no | +| [target\_regions](#input\_target\_regions) | A list of regions to set up with this module. | `list(string)` | no | +| [turn\_off\_organization\_trail](#input\_turn\_off\_organization\_trail) | Specifies whether the disable the organization trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. | `bool` | no | +| [unauthorized\_api\_calls\_enabled](#input\_unauthorized\_api\_calls\_enabled) | The boolean flag whether the unauthorized\_api\_calls alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [use\_external\_audit\_log\_bucket](#input\_use\_external\_audit\_log\_bucket) | A boolean that indicates whether the specific audit log bucket already exists. 
Create a new S3 bucket if it is set to false. | `bool` | no | +| [vpc\_changes\_enabled](#input\_vpc\_changes\_enabled) | The boolean flag whether the vpc\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | no | +| [vpc\_enable](#input\_vpc\_enable) | Boolean whether the VPC baseline module should be enabled | `bool` | no | +| [vpc\_enable\_flow\_logs](#input\_vpc\_enable\_flow\_logs) | The boolean flag whether to enable VPC Flow Logs in default VPCs | `bool` | no | +| [vpc\_flow\_logs\_destination\_type](#input\_vpc\_flow\_logs\_destination\_type) | The type of the logging destination. Valid values: cloud-watch-logs, s3 | `string` | no | +| [vpc\_flow\_logs\_log\_group\_name](#input\_vpc\_flow\_logs\_log\_group\_name) | The name of CloudWatch Logs group to which VPC Flow Logs are delivered. | `string` | no | +| [vpc\_flow\_logs\_retention\_in\_days](#input\_vpc\_flow\_logs\_retention\_in\_days) | Number of days to retain logs if vpc\_log\_destination\_type is cloud-watch-logs. CIS recommends 365 days. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653. Set to 0 to keep logs indefinitely. | `number` | no | +| [vpc\_flow\_logs\_s3\_arn](#input\_vpc\_flow\_logs\_s3\_arn) | ARN of the S3 bucket to which VPC Flow Logs are delivered if vpc\_log\_destination\_type is s3. | `string` | no | +| [vpc\_flow\_logs\_s3\_key\_prefix](#input\_vpc\_flow\_logs\_s3\_key\_prefix) | The prefix used when VPC Flow Logs delivers logs to the S3 bucket. | `string` | no | +| [vpc\_iam\_role\_name](#input\_vpc\_iam\_role\_name) | The name of the IAM Role which VPC Flow Logs will use. | `string` | no | +| [vpc\_iam\_role\_policy\_name](#input\_vpc\_iam\_role\_policy\_name) | The name of the IAM Role Policy which VPC Flow Logs will use. 
| `string` | no | ## Outputs -| Name | Description | -| ----------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------ | -| [alarm_sns_topic](#output_alarm_sns_topic) | The SNS topic to which CloudWatch Alarms will be sent. | -| [audit_bucket](#output_audit_bucket) | The S3 bucket used for storing audit logs. | -| [cloudtrail](#output_cloudtrail) | The trail for recording events in all regions. | -| [cloudtrail_kms_key](#output_cloudtrail_kms_key) | The KMS key used for encrypting CloudTrail events. | -| [cloudtrail_log_delivery_iam_role](#output_cloudtrail_log_delivery_iam_role) | The IAM role used for delivering CloudTrail events to CloudWatch Logs. | -| [cloudtrail_log_group](#output_cloudtrail_log_group) | The CloudWatch Logs log group which stores CloudTrail events. | -| [cloudtrail_sns_topic](#output_cloudtrail_sns_topic) | The sns topic linked to the cloudtrail. | -| [config_configuration_recorder](#output_config_configuration_recorder) | The configuration recorder in each region. | -| [config_iam_role](#output_config_iam_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | -| [config_sns_topic](#output_config_sns_topic) | The SNS topic) that AWS Config delivers notifications to. | -| [default_network_acl](#output_default_network_acl) | The default network ACL. | -| [default_route_table](#output_default_route_table) | The default route table. | -| [default_security_group](#output_default_security_group) | The ID of the default security group. | -| [default_vpc](#output_default_vpc) | The default VPC. | -| [guardduty_detector](#output_guardduty_detector) | The GuardDuty detector in each region. | -| [support_iam_role](#output_support_iam_role) | The IAM role used for the support user. 
| -| [vpc_flow_logs_group](#output_vpc_flow_logs_group) | The CloudWatch Logs log group which stores VPC Flow Logs in each region. | -| [vpc_flow_logs_iam_role](#output_vpc_flow_logs_iam_role) | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. | - +| Name | Description | +|------|-------------| +| [alarm\_sns\_topic](#output\_alarm\_sns\_topic) | The SNS topic to which CloudWatch Alarms will be sent. | +| [audit\_bucket](#output\_audit\_bucket) | The S3 bucket used for storing audit logs. | +| [cloudtrail](#output\_cloudtrail) | The trail for recording events in all regions. | +| [cloudtrail\_kms\_key](#output\_cloudtrail\_kms\_key) | The KMS key used for encrypting CloudTrail events. | +| [cloudtrail\_log\_delivery\_iam\_role](#output\_cloudtrail\_log\_delivery\_iam\_role) | The IAM role used for delivering CloudTrail events to CloudWatch Logs. | +| [cloudtrail\_log\_group](#output\_cloudtrail\_log\_group) | The CloudWatch Logs log group which stores CloudTrail events. | +| [cloudtrail\_sns\_topic](#output\_cloudtrail\_sns\_topic) | The sns topic linked to the cloudtrail. | +| [config\_configuration\_recorder](#output\_config\_configuration\_recorder) | The configuration recorder in each region. | +| [config\_iam\_role](#output\_config\_iam\_role) | The IAM role used for delivering AWS Config records to CloudWatch Logs. | +| [config\_sns\_topic](#output\_config\_sns\_topic) | The SNS topic) that AWS Config delivers notifications to. | +| [default\_network\_acl](#output\_default\_network\_acl) | The default network ACL. | +| [default\_route\_table](#output\_default\_route\_table) | The default route table. | +| [default\_security\_group](#output\_default\_security\_group) | The ID of the default security group. | +| [default\_vpc](#output\_default\_vpc) | The default VPC. | +| [guardduty\_detector](#output\_guardduty\_detector) | The GuardDuty detector in each region. 
| +| [support\_iam\_role](#output\_support\_iam\_role) | The IAM role used for the support user. | +| [vpc\_flow\_logs\_group](#output\_vpc\_flow\_logs\_group) | The CloudWatch Logs log group which stores VPC Flow Logs in each region. | +| [vpc\_flow\_logs\_iam\_role](#output\_vpc\_flow\_logs\_iam\_role) | The IAM role used for delivering VPC Flow Logs to CloudWatch Logs. | [cis amazon web services foundations v1.4.0]: https://www.cisecurity.org/benchmark/amazon_web_services/ From e6f54bc6f8d05b3078320008e49595ae4396170b Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 14:38:07 +0200 Subject: [PATCH 11/12] chore(main): release 2.2.1 --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 87356fcd..b36411b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [2.2.1](https://github.com/Unumed/terraform-aws-secure-baseline/compare/v2.2.0...v2.2.1) (2024-06-24) + + +### Bug Fixes + +* Readme autogenerated file ([df29386](https://github.com/Unumed/terraform-aws-secure-baseline/commit/df2938681d41049aa004935da2e7b7feaa9e3c53)) + ## [2.2.0](https://github.com/Unumed/terraform-aws-secure-baseline/compare/v2.1.0...v2.2.0) (2024-06-24) From d1fc719156d9f12ad8cc74462d25547823780ddb Mon Sep 17 00:00:00 2001 From: unumed-umbo Date: Mon, 24 Jun 2024 15:18:44 +0200 Subject: [PATCH 12/12] fix: Badge links to point the correct repo Change the links to point to the correct new repo. --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7e3e0d13..88b6a587 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,9 @@
 # terraform-aws-secure-baseline
-[![Github Actions](https://github.com/nozaq/terraform-aws-secure-baseline/actions/workflows/main.yml/badge.svg)](https://github.com/nozaq/terraform-aws-secure-baseline/actions/workflows/main.yml)
-[![Releases](https://img.shields.io/github/v/release/nozaq/terraform-aws-secure-baseline)](https://github.com/nozaq/terraform-aws-secure-baseline/releases/latest)
+[![Github Actions](https://github.com/Unumed/terraform-aws-secure-baseline/actions/workflows/main.yml/badge.svg)](https://github.com/Unumed/terraform-aws-secure-baseline/actions/workflows/main.yml)
+[![Releases](https://img.shields.io/github/v/release/Unumed/terraform-aws-secure-baseline)](https://github.com/Unumed/terraform-aws-secure-baseline/releases/latest)
-[Terraform Module Registry](https://registry.terraform.io/modules/nozaq/secure-baseline/aws)
+[Terraform Module Registry](https://registry.terraform.io/modules/Unumed/secure-baseline/aws)
 A terraform module to set up your AWS account with the reasonably secure configuration baseline. Most configurations are based on [CIS Amazon Web Services Foundations v1.4.0] and [AWS Foundational Security Best Practices v1.0.0].
@@ -48,7 +48,7 @@ data "aws_caller_identity" "current" {} data "aws_region" "current" {}
 module "secure_baseline" {
- source = "nozaq/secure-baseline/aws"
+ source = "Unumed/secure-baseline/aws"
 audit_log_bucket_name = "YOUR_BUCKET_NAME"
 aws_account_id = data.aws_caller_identity.current.account_id