
Commit 7514a84

authored
feat: add a flag to toggle Security Hub (nozaq#201)
1 parent 09e5d75 commit 7514a84


3 files changed

+23
-17
lines changed


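--- a/README.md
+++ b/README.md
@@ -334,6 +334,7 @@ This module is composed of several submodules and each of which can be used inde
 | <a name="input_s3_ignore_public_acls"></a> [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_s3_restrict_public_buckets"></a> [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_security_group_changes_enabled"></a> [security\_group\_changes\_enabled](#input\_security\_group\_changes\_enabled) | The boolean flag whether the security\_group\_changes alarm is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
+| <a name="input_securityhub_enabled"></a> [securityhub\_enabled](#input\_securityhub\_enabled) | Boolean whether the securityhub-baseline module is enabled or disabled | `bool` | `true` | no |
 | <a name="input_securityhub_enable_aws_foundational_standard"></a> [securityhub\_enable\_aws\_foundational\_standard](#input\_securityhub\_enable\_aws\_foundational\_standard) | Boolean whether AWS Foundations standard is enabled. | `bool` | `true` | no |
 | <a name="input_securityhub_enable_cis_standard"></a> [securityhub\_enable\_cis\_standard](#input\_securityhub\_enable\_cis\_standard) | Boolean whether CIS standard is enabled. | `bool` | `true` | no |
 | <a name="input_securityhub_enable_pci_dss_standard"></a> [securityhub\_enable\_pci\_dss\_standard](#input\_securityhub\_enable\_pci\_dss\_standard) | Boolean whether PCI DSS standard is enabled. | `bool` | `false` | no |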

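--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -11,7 +11,7 @@ module "securityhub_baseline_ap-northeast-1" {
 providers = {
 aws = aws.ap-northeast-1
 }
-enabled = contains(var.target_regions, "ap-northeast-1")
+enabled = contains(var.target_regions, "ap-northeast-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -25,7 +25,7 @@ module "securityhub_baseline_ap-northeast-2" {
 aws = aws.ap-northeast-2
 }
 
-enabled = contains(var.target_regions, "ap-northeast-2")
+enabled = contains(var.target_regions, "ap-northeast-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -39,7 +39,7 @@ module "securityhub_baseline_ap-northeast-3" {
 aws = aws.ap-northeast-3
 }
 
-enabled = contains(var.target_regions, "ap-northeast-3")
+enabled = contains(var.target_regions, "ap-northeast-3") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -53,7 +53,7 @@ module "securityhub_baseline_ap-south-1" {
 aws = aws.ap-south-1
 }
 
-enabled = contains(var.target_regions, "ap-south-1")
+enabled = contains(var.target_regions, "ap-south-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -67,7 +67,7 @@ module "securityhub_baseline_ap-southeast-1" {
 aws = aws.ap-southeast-1
 }
 
-enabled = contains(var.target_regions, "ap-southeast-1")
+enabled = contains(var.target_regions, "ap-southeast-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -81,7 +81,7 @@ module "securityhub_baseline_ap-southeast-2" {
 aws = aws.ap-southeast-2
 }
 
-enabled = contains(var.target_regions, "ap-southeast-2")
+enabled = contains(var.target_regions, "ap-southeast-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -95,7 +95,7 @@ module "securityhub_baseline_ca-central-1" {
 aws = aws.ca-central-1
 }
 
-enabled = contains(var.target_regions, "ca-central-1")
+enabled = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -109,7 +109,7 @@ module "securityhub_baseline_eu-central-1" {
 aws = aws.eu-central-1
 }
 
-enabled = contains(var.target_regions, "eu-central-1")
+enabled = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -123,7 +123,7 @@ module "securityhub_baseline_eu-north-1" {
 aws = aws.eu-north-1
 }
 
-enabled = contains(var.target_regions, "eu-north-1")
+enabled = contains(var.target_regions, "eu-north-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -137,7 +137,7 @@ module "securityhub_baseline_eu-west-1" {
 aws = aws.eu-west-1
 }
 
-enabled = contains(var.target_regions, "eu-west-1")
+enabled = contains(var.target_regions, "eu-west-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -151,7 +151,7 @@ module "securityhub_baseline_eu-west-2" {
 aws = aws.eu-west-2
 }
 
-enabled = contains(var.target_regions, "eu-west-2")
+enabled = contains(var.target_regions, "eu-west-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -165,7 +165,7 @@ module "securityhub_baseline_eu-west-3" {
 aws = aws.eu-west-3
 }
 
-enabled = contains(var.target_regions, "eu-west-3")
+enabled = contains(var.target_regions, "eu-west-3") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -179,7 +179,7 @@ module "securityhub_baseline_sa-east-1" {
 aws = aws.sa-east-1
 }
 
-enabled = contains(var.target_regions, "sa-east-1")
+enabled = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -193,7 +193,7 @@ module "securityhub_baseline_us-east-1" {
 aws = aws.us-east-1
 }
 
-enabled = contains(var.target_regions, "us-east-1")
+enabled = contains(var.target_regions, "us-east-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -207,7 +207,7 @@ module "securityhub_baseline_us-east-2" {
 aws = aws.us-east-2
 }
 
-enabled = contains(var.target_regions, "us-east-2")
+enabled = contains(var.target_regions, "us-east-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -221,7 +221,7 @@ module "securityhub_baseline_us-west-1" {
 aws = aws.us-west-1
 }
 
-enabled = contains(var.target_regions, "us-west-1")
+enabled = contains(var.target_regions, "us-west-1") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
@@ -235,7 +235,7 @@ module "securityhub_baseline_us-west-2" {
 aws = aws.us-west-2
 }
 
-enabled = contains(var.target_regions, "us-west-2")
+enabled = contains(var.target_regions, "us-west-2") && var.securityhub_enabled
 enable_cis_standard = var.securityhub_enable_cis_standard
 enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
 enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard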
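Review bot: The `&& var.securityhub_enabled` term is hand-copied into each of the 17 per-region module blocks, so a region added later, or a single block where the copy is missed, silently keeps Security Hub outside the flag's control while every other region honours it. One local would give a single place to get this right: `locals { securityhub_regions = var.securityhub_enabled ? var.target_regions : [] }` (cast to the declared type of `target_regions` if Terraform cannot unify the branches) and then `enabled = contains(local.securityhub_regions, "us-west-2")` in each block. The flag correctly composes with the region check rather than replacing it, so a disabled region stays disabled. This hunk shows only the `enabled` line of the us-west-2 module; the module block itself starts before and ends after the hunk.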

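--- a/variables.tf
+++ b/variables.tf
@@ -481,6 +481,11 @@ variable "s3_restrict_public_buckets" {
 # --------------------------------------------------------------------------------------------------
 # Variables for securityhub-baseline module.
 # --------------------------------------------------------------------------------------------------
+variable "securityhub_enabled" {
+description = "Boolean whether the securityhub-baseline module is enabled or disabled"
+default = true
+}
+
 variable "securityhub_enable_cis_standard" {
 description = "Boolean whether CIS standard is enabled."
 default = true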
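Review bot: The new `securityhub_enabled` variable declares no `type`, so a non-boolean value such as the string `"false"` passes variable validation and only surfaces later, where it is combined with `&&` in securityhub_baselines.tf; `type        = bool` would reject it at the variable. The description also leaves out the consequence that the README spells out for the sibling `security_group_changes_enabled` flag, and which matters on an existing deployment, where setting the flag to false presumably destroys the Security Hub subscriptions the module already manages rather than just skipping creation — confirm against the submodule. Suggested description: `"Boolean whether the securityhub-baseline module is enabled or disabled. No resources are created when set to false."`. Whether the neighbouring variables declare a `type` is not visible here; the `securityhub_enable_cis_standard` block continues past the end of the hunk.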
