chore: seperating out the code to make it easier to consume, and fixing inspector

Author: gambol99

README.md

@@ -47,5 +47,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 
 | Name | Description |
 |------|-------------|
+| <a name="output_inspector_resource_types"></a> [inspector\_resource\_types](#output\_inspector\_resource\_types) | A list of resources type to enable for inspector |
+| <a name="output_securityhub_policy_associations"></a> [securityhub\_policy\_associations](#output\_securityhub\_policy\_associations) | A map of policy associations by policy name |
 | <a name="output_securityhub_policy_configurations"></a> [securityhub\_policy\_configurations](#output\_securityhub\_policy\_configurations) | A map of all the policies to the central configuration arns |
 <!-- END_TF_DOCS -->

access_analyzer.tf

@@ -0,0 +1,19 @@
+
+locals {
+  ## Determine if the macie service is managed by the landing zone
+  analyzer_enabled = var.access_analyzer != null
+}
+
+## Provision the unused access analyzer
+resource "aws_accessanalyzer_analyzer" "unused_access" {
+  count = local.analyzer_enabled && try(var.access_analyzer.enable_unused_analyzer, false) ? 1 : 0
+
+  analyzer_name = var.access_analyzer.unused_analyzer_name
+  type          = "ORGANIZATION_UNUSED_ACCESS"
+  configuration {
+    unused_access {
+      unused_access_age = var.access_analyzer.unused_access_age
+    }
+  }
+}
+

config.tf

@@ -0,0 +1,23 @@
+
+## Provision and distribute the stacksets to the appropriate accounts for aws config rules.
+module "config_rule_groups" {
+  for_each = var.config.rule_groups
+  source   = "appvia/stackset/aws"
+  version  = "0.1.10"
+
+  name                 = format("%s%s", var.config.stackset_name_prefix, lower(each.key))
+  description          = format("Used to configure and distribute the AWS Config rules for %s", each.key)
+  call_as              = "DELEGATED_ADMIN"
+  enabled_regions      = try(each.value.enabled_regions, null)
+  exclude_accounts     = each.value.exclude_accounts
+  organizational_units = each.value.associations
+  permission_model     = "SERVICE_MANAGED"
+  tags                 = local.tags
+
+  template = templatefile("${path.module}/assets/cloudformation/config.yaml", {
+    "description"     = each.value.description
+    "rule_group_name" = each.key
+    "rules"           = each.value.rules
+  })
+}
+

inspector.tf

@@ -0,0 +1,29 @@
+
+locals {
+  ## A list of resources type to enable for inspector
+  inspector_resources_types = compact([
+    var.inspector.enable_ec2_scan ? "EC2" : null,
+    var.inspector.enable_ecr_scan ? "ECR" : null,
+    var.inspector.enable_lambda_code_scan ? "LAMBDA_CODE" : null,
+    var.inspector.enable_lambda_scan ? "LAMBDA" : null,
+  ])
+}
+
+resource "aws_inspector2_enabler" "inspector" {
+  count = var.inspector.enable ? 1 : 0
+
+  account_ids    = [var.inspector.account_id]
+  resource_types = local.inspector_resources_types
+}
+
+## All new accounts will have inspector enabled for the following resource types, any
+## existing accounts will need to be enabled manually via the aws_inspector2_member_association
+resource "aws_inspector2_organization_configuration" "auto_enable_inspector_new_accounts" {
+  auto_enable {
+    ec2         = var.inspector.enable_ec2_scan
+    ecr         = var.inspector.enable_ecr_scan
+    lambda      = var.inspector.enable_lambda_scan
+    lambda_code = var.inspector.enable_lambda_code_scan
+  }
+}
+

locals.tf

@@ -4,73 +4,4 @@ locals {
   region = data.aws_region.current.name
   ## Tag applied to all resources
   tags = merge(var.tags, {})
-
-  ## Determine if the macie service is managed by the landing zone
-  analyzer_enabled = var.access_analyzer != null
-  ## Determine if the macie service is managed by the landing zone
-  macie_enabled = var.macie != null
-
-  ## The subscription for the standards
-  standards_subscription = {
-    aws_foundational_best_practices = "arn:aws:securityhub:${local.region}::standards/aws-foundational-security-best-practices/v/1.0.0"
-    cis_v120                        = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
-    cis_v140                        = "arn:aws:securityhub:${local.region}::standards/cis-aws-foundations-benchmark/v/1.4.0"
-    nist_sp_800_53_rev5             = "arn:aws:securityhub:${local.region}::standards/nist-800-53/v/5.0.0"
-    pci_dss                         = "arn:aws:securityhub:${local.region}::standards/pci-dss/v/3.2.1"
-  }
-
-  ## A list of resources type to enable for inspector
-  inspector_resources_types = [
-    var.inspector.enable_ec2_scan ? "EC2" : null,
-    var.inspector.enable_ecr_scan ? "ECR" : null,
-    var.inspector.enable_lambda_code_scan ? "LAMBDA_CODE" : null,
-    var.inspector.enable_lambda_scan ? "LAMBDA" : null,
-  ]
-
-  ## A lost of policy associations
-  policy_associations_all = flatten([
-    for policy_name, policy in var.securityhub.policies : [
-      for association in policy.associations : {
-        key       = format("%s-%s", policy_name, coalesce(association.account_id, association.organization_unit))
-        policy    = policy_name
-        target_id = coalesce(association.account_id, association.organization_unit)
-      }
-    ] if length(policy.associations) > 0
-  ])
-
-  ## A map of policy associations by policy name
-  policy_associations_by_policy = {
-    for association in local.policy_associations_all : association.key => {
-      policy    = association.policy
-      target_id = association.target_id
-    }
-  }
-
-  ## A map of all the policies to the central configuration arns
-  policy_standards = {
-    for policy in aws_securityhub_configuration_policy.current : policy.name => policy.id
-  }
-
-  #
-  ## Notifications related
-
-  ## Indicates if the notifications for slack are enabled
-  enable_slack_notifications = var.notifications.slack != null
-  ## Indicates if the notifications for teams are enabled
-  enable_teams_notifications = var.notifications.teams != null
-
-  ## The configuration for the slack notification
-  slack = local.enable_slack_notifications ? {
-    lambda_name = try(var.notifications.slack.lambda_name, null)
-    webhook_url = try(var.notifications.slack.webhook_url, null)
-  } : null
-
-  teams = local.enable_teams_notifications ? {
-    lambda_name = try(var.notifications.teams.lambda_name, null)
-    webhook_url = try(var.notifications.teams.webhook_url, null)
-  } : null
-
-  email = {
-    addresses = try(var.notifications.email.addresses, [])
-  }
 }

macie.tf

@@ -0,0 +1,23 @@
+
+locals {
+  ## Determine if the macie service is managed by the landing zone
+  macie_enabled = var.macie != null
+}
+
+## Provision the stackset to enable the macie service across all the accounts
+module "macie" {
+  count   = local.macie_enabled ? 1 : 0
+  source  = "appvia/stackset/aws"
+  version = "0.1.10"
+
+  name             = try(var.macie.stackset_name, null)
+  description      = "Configuration for the AWS macie service, configured by the landing zone"
+  exclude_accounts = try(var.macie.exclude_accounts, null)
+  region           = var.region
+  tags             = local.tags
+
+  template = templatefile("${path.module}/assets/cloudformation/macie.yaml", {
+    frequency = var.macie.frequency
+    status    = var.macie.enable ? "ENABLED" : "DISABLED"
+  })
+}

main.tf

@@ -1,148 +0,0 @@
-## AWS Config
-
-## Provision and distribute the stacksets to the appropriate accounts for aws config rules.
-module "config_rule_groups" {
-  for_each = var.config.rule_groups
-  source   = "appvia/stackset/aws"
-  version  = "0.1.10"
-
-  name                 = format("%s%s", var.config.stackset_name_prefix, lower(each.key))
-  description          = format("Used to configure and distribute the AWS Config rules for %s", each.key)
-  call_as              = "DELEGATED_ADMIN"
-  enabled_regions      = try(each.value.enabled_regions, null)
-  exclude_accounts     = each.value.exclude_accounts
-  organizational_units = each.value.associations
-  permission_model     = "SERVICE_MANAGED"
-  tags                 = local.tags
-
-  template = templatefile("${path.module}/assets/cloudformation/config.yaml", {
-    "description"     = each.value.description
-    "rule_group_name" = each.key
-    "rules"           = each.value.rules
-  })
-}
-
-## AWS Inspector
-
-
-resource "aws_inspector2_enabler" "inspector" {
-  count = var.inspector.enable ? 1 : 0
-
-  account_ids    = [var.inspector.account_id]
-  resource_types = local.inspector_resources_types
-}
-
-## All new accounts will have inspector enabled for the following resource types, any
-## existing accounts will need to be enabled manually via the aws_inspector2_member_association
-resource "aws_inspector2_organization_configuration" "auto_enable_inspector_new_accounts" {
-  auto_enable {
-    ec2         = var.inspector.enable_ec2_scan
-    ecr         = var.inspector.enable_ecr_scan
-    lambda      = var.inspector.enable_lambda_scan
-    lambda_code = var.inspector.enable_lambda_code_scan
-  }
-}
-
-## AWS Macie
-
-## Provision the stackset to enable the macie service across all the accounts
-module "macie" {
-  count   = local.macie_enabled ? 1 : 0
-  source  = "appvia/stackset/aws"
-  version = "0.1.10"
-
-  name             = try(var.macie.stackset_name, null)
-  description      = "Configuration for the AWS macie service, configured by the landing zone"
-  exclude_accounts = try(var.macie.exclude_accounts, null)
-  region           = var.region
-  tags             = local.tags
-
-  template = templatefile("${path.module}/assets/cloudformation/macie.yaml", {
-    frequency = var.macie.frequency
-    status    = var.macie.enable ? "ENABLED" : "DISABLED"
-  })
-}
-
-## AWS Access Analyzer
-
-## Provision the unused access analyzer
-resource "aws_accessanalyzer_analyzer" "unused_access" {
-  count = local.analyzer_enabled && try(var.access_analyzer.enable_unused_analyzer, false) ? 1 : 0
-
-  analyzer_name = var.access_analyzer.unused_analyzer_name
-  type          = "ORGANIZATION_UNUSED_ACCESS"
-  configuration {
-    unused_access {
-      unused_access_age = var.access_analyzer.unused_access_age
-    }
-  }
-}
-
-## AWS Security Hub
-
-## Provision a securityhub aggregator in the account
-resource "aws_securityhub_finding_aggregator" "current" {
-  count = var.securityhub.aggregator.create ? 1 : 0
-
-  linking_mode      = var.securityhub.aggregator.linking_mode
-  specified_regions = var.securityhub.aggregator.specified_regions
-}
-
-## Provision the organization configuration
-resource "aws_securityhub_organization_configuration" "current" {
-  auto_enable           = var.securityhub.configuration.auto_enable
-  auto_enable_standards = var.securityhub.configuration.auto_enable_standards
-
-  organization_configuration {
-    configuration_type = var.securityhub.configuration.organization_configuration.configuration_type
-  }
-
-  depends_on = [
-    aws_securityhub_finding_aggregator.current,
-  ]
-}
-
-## Provision one or more configuration policies for the security hub
-resource "aws_securityhub_configuration_policy" "current" {
-  for_each = var.securityhub.policies
-
-  name        = each.key
-  description = each.value.description
-
-  configuration_policy {
-    service_enabled = each.value.enable
-
-    enabled_standard_arns = [
-      for standard in each.value.policy.standard_arns : local.standards_subscription[standard]
-    ]
-
-    security_controls_configuration {
-      disabled_control_identifiers = each.value.policy.controls.disabled
-
-      dynamic "security_control_custom_parameter" {
-        for_each = each.value.policy.controls.custom_parameter != null ? each.value.policy.controls.custom_parameter : []
-
-        content {
-          security_control_id = security_control_custom_parameter.value.security_control_id
-
-          parameter {
-            name       = security_control_custom_parameter.value.parameter.name
-            value_type = security_control_custom_parameter.value.parameter.value_type
-          }
-        }
-      }
-    }
-  }
-
-  depends_on = [aws_securityhub_organization_configuration.current]
-}
-
-## Associate a security hub policy with an account or organizational unit
-resource "aws_securityhub_configuration_policy_association" "current" {
-  for_each = local.policy_associations_by_policy
-
-  policy_id = aws_securityhub_configuration_policy.current[each.value.policy].id
-  target_id = each.value.target_id
-
-  depends_on = [aws_securityhub_configuration_policy.current]
-}

notifications.tf

@@ -21,6 +21,26 @@ locals {
     detail-type = ["Security Hub Findings - Imported"],
     source      = ["aws.securityhub"]
   })
+
+  ## Indicates if the notifications for slack are enabled
+  enable_slack_notifications = var.notifications.slack != null
+  ## Indicates if the notifications for teams are enabled
+  enable_teams_notifications = var.notifications.teams != null
+
+  ## The configuration for the slack notification
+  slack = local.enable_slack_notifications ? {
+    lambda_name = try(var.notifications.slack.lambda_name, null)
+    webhook_url = try(var.notifications.slack.webhook_url, null)
+  } : null
+
+  teams = local.enable_teams_notifications ? {
+    lambda_name = try(var.notifications.teams.lambda_name, null)
+    webhook_url = try(var.notifications.teams.webhook_url, null)
+  } : null
+
+  email = {
+    addresses = try(var.notifications.email.addresses, [])
+  }
 }
 
 ## Provision the notifications to forward the security hub findings to the messaging channel

outputs.tf

@@ -3,3 +3,13 @@ output "securityhub_policy_configurations" {
   description = "A map of all the policies to the central configuration arns"
   value       = local.policy_standards
 }
+
+output "securityhub_policy_associations" {
+  description = "A map of policy associations by policy name"
+  value       = local.policy_associations_by_policy
+}
+
+output "inspector_resource_types" {
+  description = "A list of resources type to enable for inspector"
+  value       = try(local.inspector_resources_types, [])
+}