#-----------------------------------------------------------------------------------------------------------------------
# Subscribe the Account to Security Hub
#-----------------------------------------------------------------------------------------------------------------------
resource "aws_securityhub_account" "this" {
  # Subscribes the current account to Security Hub. Created only when the
  # module is enabled (`local.enabled` mirrors `module.this.enabled`).
  count = local.enabled ? 1 : 0

  # Whether AWS should also enable its default standards as part of the
  # subscription. NOTE(review): standards enabled this way are not tracked by
  # `aws_securityhub_standards_subscription.this` below; when the standards
  # list is managed explicitly via `var.enabled_standards`, confirm this is
  # intended to be false so the two mechanisms do not diverge.
  enable_default_standards = var.enable_default_standards
}
#-----------------------------------------------------------------------------------------------------------------------
# Optionally subscribe to Security Hub Standards
# https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards.html
#-----------------------------------------------------------------------------------------------------------------------
resource "aws_securityhub_standards_subscription" "this" {
  # One subscription per requested standard ARN. The set is already reduced to
  # empty by the `if local.enabled` filter in `local.enabled_standards_arns`,
  # so no additional enable guard is needed here.
  for_each = local.enabled_standards_arns

  # For a set, each.value is the element itself: the fully-qualified
  # standard / ruleset ARN assembled in locals.
  standards_arn = each.value

  # A standard can only be subscribed once the account is enabled in Security Hub.
  depends_on = [aws_securityhub_account.this]
}
#-----------------------------------------------------------------------------------------------------------------------
# Optionally set up the finding aggregator
# https://docs.aws.amazon.com/securityhub/latest/userguide/finding-aggregation.html
#-----------------------------------------------------------------------------------------------------------------------
resource "aws_securityhub_finding_aggregator" "this" {
  # Cross-region finding aggregation is opt-in on top of the module being enabled.
  count = (local.enabled && var.finding_aggregator_enabled) ? 1 : 0

  # Which regions link their findings into this (aggregation) region.
  linking_mode = var.finding_aggregator_linking_mode

  # The explicit region list is only meaningful for the linking modes other
  # than "ALL_REGIONS"; for "ALL_REGIONS" the argument is omitted (null).
  # NOTE(review): for the other modes the provider presumably requires a
  # non-empty `var.finding_aggregator_regions` — confirm the variable's validation.
  specified_regions = var.finding_aggregator_linking_mode != "ALL_REGIONS" ? var.finding_aggregator_regions : null

  # The aggregator can only be created after the account is subscribed.
  depends_on = [aws_securityhub_account.this]
}
#-----------------------------------------------------------------------------------------------------------------------
# Locals and Data References
#-----------------------------------------------------------------------------------------------------------------------
locals {
  # Module-wide enable switch, taken from the cloudposse context module.
  enabled = module.this.enabled

  # A new SNS topic is created only when requested and the module is enabled.
  create_sns_topic = local.enabled && var.create_sns_topic

  # Notifications are wanted when either an existing topic ARN was supplied
  # or a new topic is to be created.
  enable_notifications = local.enabled && (var.imported_findings_notification_arn != null || var.create_sns_topic)

  # Topic ARN used for imported-findings notifications: the caller-supplied ARN
  # takes precedence, otherwise the module-created topic is used.
  # NOTE(review): `module.sns_topic[0]` is presumably counted on
  # `local.create_sns_topic`, which is true whenever this branch is reached
  # (no supplied ARN implies `var.create_sns_topic`) — verify against the module call.
  imported_findings_notification_arn = (
    !local.enable_notifications
    ? null
    : (var.imported_findings_notification_arn != null ? var.imported_findings_notification_arn : module.sns_topic[0].sns_topic.arn)
  )

  # Fully-qualified Security Hub ARNs for the requested standards. Identifiers
  # containing "ruleset" are built without a region component; all others are
  # regional and get the current region. The `if local.enabled` filter keeps the
  # data-source lookups (count 0 when disabled) from being evaluated.
  enabled_standards_arns = toset([
    for standard in var.enabled_standards :
    format(
      "arn:%s:securityhub:%s::%s",
      one(data.aws_partition.this[*].partition),
      can(regex("ruleset", standard)) ? "" : one(data.aws_region.this[*].name),
      standard,
    )
    if local.enabled
  ])
}
data "aws_caller_identity" "this" {
  # Account identity lookup; not referenced by the resources visible in this
  # file, presumably used elsewhere in the module — verify before removing.
  count = local.enabled ? 1 : 0
}
data "aws_partition" "this" {
  # Partition (e.g. "aws" vs "aws-us-gov") used to build the standards ARNs in
  # `local.enabled_standards_arns`; only looked up when the module is enabled.
  count = local.enabled ? 1 : 0
}
data "aws_region" "this" {
  # Current region, inserted into the regional (non-"ruleset") standards ARNs
  # in `local.enabled_standards_arns`; only looked up when the module is enabled.
  count = local.enabled ? 1 : 0
}