Merge pull request #116 from lorengordon/feat/account-inputs

.bumpversion.cfg

@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.1.0
+current_version = 4.2.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

README.md

@@ -32,7 +32,9 @@ No resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_action_targets"></a> [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
-| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_auto_enable_controls"></a> [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_enable_default_standards"></a> [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
 | <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standards_controls"></a> [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. | <pre>list(object({<br>    name                  = string<br>    standards_control_arn = string<br>    control_status        = string<br>    disabled_reason       = string<br>  }))</pre> | `[]` | no |

main.tf

@@ -2,7 +2,9 @@
 module "account" {
   source = "./modules/account"
 
+  auto_enable_controls      = var.auto_enable_controls
   control_finding_generator = var.control_finding_generator
+  enable_default_standards  = var.enable_default_standards
 }
 
 # Manage subscriptions

modules/account/README.md

@@ -23,7 +23,9 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_auto_enable_controls"></a> [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_enable_default_standards"></a> [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
 
 ## Outputs
 

modules/account/main.tf

@@ -1,3 +1,5 @@
 resource "aws_securityhub_account" "this" {
+  auto_enable_controls      = var.auto_enable_controls
   control_finding_generator = var.control_finding_generator
+  enable_default_standards  = var.enable_default_standards
 }

modules/account/variables.tf

@@ -1,5 +1,17 @@
+variable "auto_enable_controls" {
+  description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+  type        = bool
+  default     = true
+}
+
 variable "control_finding_generator" {
-  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
   type        = string
   default     = "SECURITY_CONTROL"
 }
+
+variable "enable_default_standards" {
+  description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+  type        = bool
+  default     = true
+}

modules/cross-account-member/README.md

@@ -22,7 +22,9 @@ No resources.
 |------|-------------|------|---------|:--------:|
 | <a name="input_member_email"></a> [member\_email](#input\_member\_email) | Email address associated with the member account. Required for the cross-account SecurityHub member invite workflow | `string` | n/a | yes |
 | <a name="input_action_targets"></a> [action\_targets](#input\_action\_targets) | Schema list of SecurityHub action targets. | <pre>list(object({<br>    name        = string<br>    description = string<br>    identifer   = string<br>  }))</pre> | `[]` | no |
-| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_auto_enable_controls"></a> [auto\_enable\_controls](#input\_auto\_enable\_controls) | Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0` | `bool` | `true` | no |
+| <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard. | `string` | `"SECURITY_CONTROL"` | no |
+| <a name="input_enable_default_standards"></a> [enable\_default\_standards](#input\_enable\_default\_standards) | Boolean that automatically enables new controls when they are added to standards that are enabled | `bool` | `true` | no |
 | <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standards_controls"></a> [standards\_controls](#input\_standards\_controls) | List of Security Hub standards to enable or disable in current region. | <pre>list(object({<br>    name                  = string<br>    standards_control_arn = string<br>    control_status        = string<br>    disabled_reason       = string<br>  }))</pre> | `[]` | no |

modules/cross-account-member/main.tf

@@ -3,7 +3,9 @@ module "account" {
   source = "../../"
 
   action_targets             = var.action_targets
+  auto_enable_controls       = var.auto_enable_controls
   control_finding_generator  = var.control_finding_generator
+  enable_default_standards   = var.enable_default_standards
   product_subscription_arns  = var.product_subscription_arns
   standard_subscription_arns = var.standard_subscription_arns
   standards_controls         = var.standards_controls

modules/cross-account-member/variables.tf

@@ -13,12 +13,24 @@ variable "action_targets" {
   default = []
 }
 
+variable "auto_enable_controls" {
+  description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+  type        = bool
+  default     = true
+}
+
 variable "control_finding_generator" {
-  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
   type        = string
   default     = "SECURITY_CONTROL"
 }
 
+variable "enable_default_standards" {
+  description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+  type        = bool
+  default     = true
+}
+
 variable "product_subscription_arns" {
   description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html"
   type        = list(string)

variables.tf

@@ -8,31 +8,43 @@ variable "action_targets" {
   default = []
 }
 
-variable "standards_controls" {
-  description = "List of Security Hub standards to enable or disable in current region."
-  type = list(object({
-    name                  = string
-    standards_control_arn = string
-    control_status        = string
-    disabled_reason       = string
-  }))
-  default = []
+variable "auto_enable_controls" {
+  description = "Boolean that enables the security standards that Security Hub has designated as automatically enabled including: `AWS Foundational Security Best Practices v1.0.0` and `CIS AWS Foundations Benchmark v1.2.0`"
+  type        = bool
+  default     = true
 }
 
 variable "control_finding_generator" {
-  description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
+  description = "Manages whether the account reports consolidated control findings, or generates separate findings for every enabled standard."
   type        = string
   default     = "SECURITY_CONTROL"
 }
 
-variable "standard_subscription_arns" {
-  description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
-  type        = list(string)
-  default     = []
+variable "enable_default_standards" {
+  description = "Boolean that automatically enables new controls when they are added to standards that are enabled"
+  type        = bool
+  default     = true
 }
 
 variable "product_subscription_arns" {
   description = "List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html"
   type        = list(string)
   default     = []
 }
+
+variable "standard_subscription_arns" {
+  description = "List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html"
+  type        = list(string)
+  default     = []
+}
+
+variable "standards_controls" {
+  description = "List of Security Hub standards to enable or disable in current region."
+  type = list(object({
+    name                  = string
+    standards_control_arn = string
+    control_status        = string
+    disabled_reason       = string
+  }))
+  default = []
+}