standards control feature added

plus3it · Jun 1, 2023 · a0b1067 · a0b1067
1 parent abe3ae1
commit a0b1067
Show file tree

Hide file tree

Showing 14 changed files with 149 additions and 1 deletion.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 4.0.0
+current_version = 4.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,14 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+### [4.1.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.1.0)
+
+**Released**: 2023.05.25
+
+**Summary**:
+
+*   Brought Standards_Control under management to enable or disable specified controls
+
 
 ### [4.0.0](https://github.com/plus3it/terraform-aws-tardigrade-security-hub/releases/tag/4.0.0)
 

diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ No resources.
 | <a name="input_control_finding_generator"></a> [control\_finding\_generator](#input\_control\_finding\_generator) | (Optional) Updates whether the calling account has consolidated control findings turned on. | `string` | `"SECURITY_CONTROL"` | no |
 | <a name="input_product_subscription_arns"></a> [product\_subscription\_arns](#input\_product\_subscription\_arns) | List of product arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_product_subscription.html | `list(string)` | `[]` | no |
 | <a name="input_standard_subscription_arns"></a> [standard\_subscription\_arns](#input\_standard\_subscription\_arns) | List of standard arns to subscribe to. See https://www.terraform.io/docs/providers/aws/r/securityhub_standards_subscription.html | `list(string)` | `[]` | no |
+| <a name="input_standards_control"></a> [standards\_control](#input\_standards\_control) | List of Security Hub standards to enable or disable in current region. | <pre>list(object({<br>    name                  = string<br>    standards_control_arn = string<br>    control_status        = string<br>    disabled_reason       = string<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -17,6 +17,20 @@ module "subscriptions" {
   ]
 }
 
+# Manage Control status
+module "standards_control" {
+  source   = "./modules/standards_control"
+  for_each = { for control in var.standards_control : control.name => control }
+
+  standards_control_arn = each.value.standards_control_arn
+  control_status        = each.value.control_status
+  disabled_reason       = each.value.disabled_reason
+
+  depends_on = [
+    module.subscriptions
+  ]
+}
+
 # Manage action targets
 module "action_targets" {
   source   = "./modules/action_target"

diff --git a/modules/cross-account-member/main.tf b/modules/cross-account-member/main.tf
@@ -6,6 +6,7 @@ module "account" {
   control_finding_generator  = var.control_finding_generator
   product_subscription_arns  = var.product_subscription_arns
   standard_subscription_arns = var.standard_subscription_arns
+  standards_control          = var.standards_control
 }
 
 # Send invite from administrator account

diff --git a/modules/cross-account-member/variables.tf b/modules/cross-account-member/variables.tf
@@ -30,3 +30,14 @@ variable "standard_subscription_arns" {
   type        = list(string)
   default     = []
 }
+
+variable "standards_control" {
+  description = "List of Security Hub standards to enable or disable in current region."
+  type = list(object({
+    name                  = string
+    standards_control_arn = string
+    control_status        = string
+    disabled_reason       = string
+  }))
+  default = []
+}
diff --git a/modules/standards_control/README.md b/modules/standards_control/README.md
@@ -0,0 +1,36 @@
+# terraform-aws-tardigrade-security-hub/standards_control
+
+<!-- BEGIN TFDOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.64.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.64.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_control_status"></a> [control\_status](#input\_control\_status) | Control status enabled or disabled | `string` | n/a | yes |
+| <a name="input_disabled_reason"></a> [disabled\_reason](#input\_disabled\_reason) | A description of the reason why you are disabling a security standard control | `string` | n/a | yes |
+| <a name="input_standards_control_arn"></a> [standards\_control\_arn](#input\_standards\_control\_arn) | The standards control ARN | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_standards_control"></a> [standards\_control](#output\_standards\_control) | Object containing SecurityHub standards control resource |
+
+<!-- END TFDOCS -->
diff --git a/modules/standards_control/main.tf b/modules/standards_control/main.tf
@@ -0,0 +1,5 @@
+resource "aws_securityhub_standards_control" "this" {
+  standards_control_arn = var.standards_control_arn
+  control_status        = var.control_status
+  disabled_reason       = var.disabled_reason
+}
diff --git a/modules/standards_control/outputs.tf b/modules/standards_control/outputs.tf
@@ -0,0 +1,4 @@
+output "standards_control" {
+  description = "Object containing SecurityHub standards control resource"
+  value       = aws_securityhub_standards_control.this
+}
diff --git a/modules/standards_control/variables.tf b/modules/standards_control/variables.tf
@@ -0,0 +1,14 @@
+variable "standards_control_arn" {
+  description = "The standards control ARN"
+  type        = string
+}
+
+variable "control_status" {
+  description = "Control status enabled or disabled"
+  type        = string
+}
+
+variable "disabled_reason" {
+  description = "A description of the reason why you are disabling a security standard control"
+  type        = string
+}
diff --git a/modules/standards_control/versions.tf b/modules/standards_control/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.64.0"
+    }
+  }
+}
diff --git a/tests/securityhub_cross_account/main.tf b/tests/securityhub_cross_account/main.tf
@@ -38,8 +38,25 @@ module "securityhub" {
   product_subscription_arns = [
     "arn:aws:securityhub:us-east-1:453761072151:product/turbot/turbot",
   ]
+
+  standards_control = [
+    {
+      name                  = "cis-aws-foundations-benchmark"
+      standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
+      control_status        = "ENABLED"
+      disabled_reason       = ""
+    },
+    {
+      name                  = "pci-dss"
+      standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/pci-dss/v/3.2.1/PCI.AutoScaling.1"
+      control_status        = "DISABLED"
+      disabled_reason       = "I don't like security"
+    }
+  ]
 }
 
 output "securityhub" {
   value = module.securityhub
 }
+
+
diff --git a/tests/securityhub_same_account/main.tf b/tests/securityhub_same_account/main.tf
@@ -13,8 +13,24 @@ module "securityhub" {
   product_subscription_arns = [
     "arn:aws:securityhub:us-east-1:453761072151:product/turbot/turbot",
   ]
+
+  standards_control = [
+    {
+      name                  = "cis-aws-foundations-benchmark"
+      standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/cis-aws-foundations-benchmark/v/1.2.0/1.10"
+      control_status        = "ENABLED"
+      disabled_reason       = ""
+    },
+    {
+      name                  = "pci-dss"
+      standards_control_arn = "arn:aws:securityhub:us-east-1:303523384066:control/pci-dss/v/3.2.1/PCI.AutoScaling.1"
+      control_status        = "DISABLED"
+      disabled_reason       = "I don't like security"
+    }
+  ]
 }
 
 output "securityhub" {
   value = module.securityhub
 }
+
diff --git a/variables.tf b/variables.tf
@@ -8,6 +8,17 @@ variable "action_targets" {
   default = []
 }
 
+variable "standards_control" {
+  description = "List of Security Hub standards to enable or disable in current region."
+  type = list(object({
+    name                  = string
+    standards_control_arn = string
+    control_status        = string
+    disabled_reason       = string
+  }))
+  default = []
+}
+
 variable "control_finding_generator" {
   description = "(Optional) Updates whether the calling account has consolidated control findings turned on."
   type        = string