feat: associate members to master in SecurityHub (nozaq#147)

nozaq · web-flow · commit 4bea2ba15929 · 2020-11-14T21:55:30.000+09:00
fixes nozaq#145
diff --git a/modules/securityhub-baseline/README.md b/modules/securityhub-baseline/README.md
@@ -24,10 +24,11 @@
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| enable\_aws\_foundational\_standard | Boolean whether AWS Foundations standard is enabled. | `bool` | `true` | no |
+| enable\_cis\_standard | Boolean whether CIS standard is enabled. | `bool` | `true` | no |
+| enable\_pci\_dss\_standard | Boolean whether PCI DSS standard is enabled. | `bool` | `true` | no |
 | enabled | The boolean flag whether this module is enabled or not. No resources are created when set to false. | `bool` | `true` | no |
-| securityhub\_enable\_aws\_foundational\_standard | Boolean whether AWS Foundations standard is enabled. | `bool` | `true` | no |
-| securityhub\_enable\_cis\_standard | Boolean whether CIS standard is enabled. | `bool` | `true` | no |
-| securityhub\_enable\_pci\_dss\_standard | Boolean whether PCI DSS standard is enabled. | `bool` | `true` | no |
+| member\_accounts | A list of IDs and emails of AWS accounts which associated as member accounts. | <pre>list(object({<br>    account_id = string<br>    email      = string<br>  }))</pre> | `[]` | no |
 
 ## Outputs
 
diff --git a/modules/securityhub-baseline/main.tf b/modules/securityhub-baseline/main.tf
@@ -6,11 +6,23 @@ resource "aws_securityhub_account" "main" {
   count = var.enabled ? 1 : 0
 }
 
+# --------------------------------------------------------------------------------------------------
+# Add member accounts
+# --------------------------------------------------------------------------------------------------
+resource "aws_securityhub_member" "members" {
+  count = var.enabled ? length(var.member_accounts) : 0
+
+  depends_on = [aws_securityhub_account.main]
+  account_id = var.member_accounts[count.index].account_id
+  email      = var.member_accounts[count.index].email
+  invite     = true
+}
+
 # --------------------------------------------------------------------------------------------------
 # Subscribe CIS benchmark
 # --------------------------------------------------------------------------------------------------
 resource "aws_securityhub_standards_subscription" "cis" {
-  count = var.enabled && var.securityhub_enable_cis_standard ? 1 : 0
+  count = var.enabled && var.enable_cis_standard ? 1 : 0
 
   standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
 
@@ -21,7 +33,7 @@ resource "aws_securityhub_standards_subscription" "cis" {
 # Subscribe AWS foundational security best practices standard
 # --------------------------------------------------------------------------------------------------
 resource "aws_securityhub_standards_subscription" "aws_foundational" {
-  count = var.enabled && var.securityhub_enable_aws_foundational_standard ? 1 : 0
+  count = var.enabled && var.enable_aws_foundational_standard ? 1 : 0
 
   standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
 
@@ -32,7 +44,7 @@ resource "aws_securityhub_standards_subscription" "aws_foundational" {
 # Subscribe PCI DSS standard
 # --------------------------------------------------------------------------------------------------
 resource "aws_securityhub_standards_subscription" "pci_dss" {
-  count = var.enabled && var.securityhub_enable_pci_dss_standard ? 1 : 0
+  count = var.enabled && var.enable_pci_dss_standard ? 1 : 0
 
   standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/pci-dss/v/3.2.1"
 
diff --git a/modules/securityhub-baseline/variables.tf b/modules/securityhub-baseline/variables.tf
@@ -3,17 +3,26 @@ variable "enabled" {
   default     = true
 }
 
-variable "securityhub_enable_cis_standard" {
+variable "enable_cis_standard" {
   description = "Boolean whether CIS standard is enabled."
   default     = true
 }
 
-variable "securityhub_enable_pci_dss_standard" {
+variable "enable_pci_dss_standard" {
   description = "Boolean whether PCI DSS standard is enabled."
   default     = true
 }
 
-variable "securityhub_enable_aws_foundational_standard" {
+variable "enable_aws_foundational_standard" {
   description = "Boolean whether AWS Foundations standard is enabled."
   default     = true
 }
+
+variable "member_accounts" {
+  description = "A list of IDs and emails of AWS accounts which associated as member accounts."
+  type = list(object({
+    account_id = string
+    email      = string
+  }))
+  default = []
+}
diff --git a/securityhub.tf b/securityhub.tf
@@ -1,16 +1,21 @@
 # --------------------------------------------------------------------------------------------------
 # SecurityHub Baseline
 # --------------------------------------------------------------------------------------------------
+locals {
+  securityhub_member_accounts = var.member_accounts
+}
+
 module "securityhub_baseline_ap-northeast-1" {
   source = "./modules/securityhub-baseline"
 
   providers = {
     aws = aws.ap-northeast-1
   }
-  enabled                                      = contains(var.target_regions, "ap-northeast-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ap-northeast-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_ap-northeast-2" {
@@ -20,10 +25,11 @@ module "securityhub_baseline_ap-northeast-2" {
     aws = aws.ap-northeast-2
   }
 
-  enabled                                      = contains(var.target_regions, "ap-northeast-2")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ap-northeast-2")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_ap-south-1" {
@@ -33,10 +39,11 @@ module "securityhub_baseline_ap-south-1" {
     aws = aws.ap-south-1
   }
 
-  enabled                                      = contains(var.target_regions, "ap-south-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ap-south-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_ap-southeast-1" {
@@ -46,10 +53,11 @@ module "securityhub_baseline_ap-southeast-1" {
     aws = aws.ap-southeast-1
   }
 
-  enabled                                      = contains(var.target_regions, "ap-southeast-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ap-southeast-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_ap-southeast-2" {
@@ -59,10 +67,11 @@ module "securityhub_baseline_ap-southeast-2" {
     aws = aws.ap-southeast-2
   }
 
-  enabled                                      = contains(var.target_regions, "ap-southeast-2")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ap-southeast-2")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_ca-central-1" {
@@ -72,10 +81,11 @@ module "securityhub_baseline_ca-central-1" {
     aws = aws.ca-central-1
   }
 
-  enabled                                      = contains(var.target_regions, "ca-central-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "ca-central-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_eu-central-1" {
@@ -85,10 +95,11 @@ module "securityhub_baseline_eu-central-1" {
     aws = aws.eu-central-1
   }
 
-  enabled                                      = contains(var.target_regions, "eu-central-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "eu-central-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_eu-north-1" {
@@ -98,10 +109,11 @@ module "securityhub_baseline_eu-north-1" {
     aws = aws.eu-north-1
   }
 
-  enabled                                      = contains(var.target_regions, "eu-north-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "eu-north-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_eu-west-1" {
@@ -111,10 +123,11 @@ module "securityhub_baseline_eu-west-1" {
     aws = aws.eu-west-1
   }
 
-  enabled                                      = contains(var.target_regions, "eu-west-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "eu-west-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_eu-west-2" {
@@ -124,10 +137,11 @@ module "securityhub_baseline_eu-west-2" {
     aws = aws.eu-west-2
   }
 
-  enabled                                      = contains(var.target_regions, "eu-west-2")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "eu-west-2")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_eu-west-3" {
@@ -137,10 +151,11 @@ module "securityhub_baseline_eu-west-3" {
     aws = aws.eu-west-3
   }
 
-  enabled                                      = contains(var.target_regions, "eu-west-3")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "eu-west-3")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_sa-east-1" {
@@ -150,10 +165,11 @@ module "securityhub_baseline_sa-east-1" {
     aws = aws.sa-east-1
   }
 
-  enabled                                      = contains(var.target_regions, "sa-east-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "sa-east-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_us-east-1" {
@@ -163,10 +179,11 @@ module "securityhub_baseline_us-east-1" {
     aws = aws.us-east-1
   }
 
-  enabled                                      = contains(var.target_regions, "us-east-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "us-east-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_us-east-2" {
@@ -176,10 +193,11 @@ module "securityhub_baseline_us-east-2" {
     aws = aws.us-east-2
   }
 
-  enabled                                      = contains(var.target_regions, "us-east-2")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "us-east-2")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_us-west-1" {
@@ -189,10 +207,11 @@ module "securityhub_baseline_us-west-1" {
     aws = aws.us-west-1
   }
 
-  enabled                                      = contains(var.target_regions, "us-west-1")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "us-west-1")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
 
 module "securityhub_baseline_us-west-2" {
@@ -202,8 +221,9 @@ module "securityhub_baseline_us-west-2" {
     aws = aws.us-west-2
   }
 
-  enabled                                      = contains(var.target_regions, "us-west-2")
-  securityhub_enable_cis_standard              = var.securityhub_enable_cis_standard
-  securityhub_enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
-  securityhub_enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  enabled                          = contains(var.target_regions, "us-west-2")
+  enable_cis_standard              = var.securityhub_enable_cis_standard
+  enable_pci_dss_standard          = var.securityhub_enable_pci_dss_standard
+  enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+  member_accounts                  = local.securityhub_member_accounts
 }
