diff --git a/.chglog/config.yml b/.chglog/config.yml
index 58eea04b..7904f52b 100755
--- a/.chglog/config.yml
+++ b/.chglog/config.yml
@@ -2,7 +2,7 @@ style: github
 template: CHANGELOG.tpl.md
 info:
 title: CHANGELOG
- repository_url: https://github.com/nozaq/terraform-aws-secure-baseline
+ repository_url: https://github.com/Unumed/terraform-aws-secure-baseline
 options:
 commits:
 filters:
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index e1e02b2b..71589fb0 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -2,11 +2,18 @@ on:
 push:
 branches:
 - main
+
+permissions:
+ contents: write
+ pull-requests: write
+
 name: release-please
+
 jobs:
 release-please:
 runs-on: ubuntu-latest
 steps:
- - uses: google-github-actions/release-please-action@v3
+ - uses: googleapis/release-please-action@v4
 with:
 release-type: terraform-module
+ token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1ea69b0d..87356fcd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [2.2.0](https://github.com/Unumed/terraform-aws-secure-baseline/compare/v2.1.0...v2.2.0) (2024-06-24)
+
+
+### Features
+
+* Add ap-southeast-3 aws region ([7baa723](https://github.com/Unumed/terraform-aws-secure-baseline/commit/7baa72372c8d384b068017f4ae63b42bfb5cf9c8))
+
 ## [2.1.0](https://github.com/nozaq/terraform-aws-secure-baseline/compare/v2.0.0...v2.1.0) (2022-12-03)
 
 
diff --git a/README.md b/README.md
index 55b5c742..7bda972a 100644
--- a/README.md
+++ b/README.md
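Review bot: The new `token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }}` line hands the action a personal access token while the new `permissions:` block at the same time grants the workflow's GITHUB_TOKEN `contents: write` and `pull-requests: write`; whichever credential the action ends up using, the other is an unused write-capable grant to maintain. If the PAT is intended so that the release PR can trigger other workflows, keep it but record that in a comment above the line and scope the PAT to this repository with only contents and pull-requests permissions; otherwise drop the `token:` line and rely on the permissions block alone. Separately, `googleapis/release-please-action@v4` is a mutable tag; pinning to a full commit SHA, e.g. `- uses: googleapis/release-please-action@<full-commit-sha> # v4`, makes the release pipeline reproducible and resistant to tag moves.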
@@ -63,12 +63,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf
index 1af69a50..9985d4b3 100644
--- a/analyzer_baselines.tf
+++ b/analyzer_baselines.tf
@@ -90,6 +90,20 @@ module "analyzer_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "analyzer_baseline_ap-southeast-3" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
+
 module "analyzer_baseline_ca-central-1" {
 count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/analyzer-baseline"
@@ -174,6 +188,20 @@ module "analyzer_baseline_eu-west-3" {
 tags = var.tags
 }
 
+module "analyzer_baseline_me-south-1" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
+
 module "analyzer_baseline_sa-east-1" {
 count = local.is_analyzer_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/analyzer-baseline"
diff --git a/config_baselines.tf b/config_baselines.tf
index 8e7278ea..ca449c5d 100644
--- a/config_baselines.tf
+++ b/config_baselines.tf
@@ -6,12 +6,14 @@ locals {
 one(module.config_baseline_ap-south-1[*].config_sns_topic),
 one(module.config_baseline_ap-southeast-1[*].config_sns_topic),
 one(module.config_baseline_ap-southeast-2[*].config_sns_topic),
+ one(module.config_baseline_ap-southeast-3[*].config_sns_topic),
 one(module.config_baseline_ca-central-1[*].config_sns_topic),
 one(module.config_baseline_eu-central-1[*].config_sns_topic),
 one(module.config_baseline_eu-north-1[*].config_sns_topic),
 one(module.config_baseline_eu-west-1[*].config_sns_topic),
 one(module.config_baseline_eu-west-2[*].config_sns_topic),
 one(module.config_baseline_eu-west-3[*].config_sns_topic),
+ one(module.config_baseline_me-south-1[*].config_sns_topic),
 one(module.config_baseline_sa-east-1[*].config_sns_topic),
 one(module.config_baseline_us-east-1[*].config_sns_topic),
 one(module.config_baseline_us-east-2[*].config_sns_topic),
@@ -226,6 +228,27 @@ module "config_baseline_ap-southeast-2" {
 depends_on = [aws_s3_bucket_policy.audit_log]
 }
 
+module "config_baseline_ap-southeast-3" {
+ count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/config-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ iam_role_arn = one(aws_iam_role.recorder[*].arn)
+ s3_bucket_name = local.audit_log_bucket_id
+ s3_key_prefix = var.config_s3_bucket_key_prefix
+ delivery_frequency = var.config_delivery_frequency
+ sns_topic_name = var.config_sns_topic_name
+ sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
+ include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-3"
+
+ tags = var.tags
+
+ depends_on = [aws_s3_bucket_policy.audit_log]
+}
+
 module "config_baseline_ca-central-1" {
 count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/config-baseline"
@@ -352,6 +375,27 @@ module "config_baseline_eu-west-3" {
 depends_on = [aws_s3_bucket_policy.audit_log]
 }
 
+module "config_baseline_me-south-1" {
+ count = var.config_baseline_enabled && contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/config-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ iam_role_arn = one(aws_iam_role.recorder[*].arn)
+ s3_bucket_name = local.audit_log_bucket_id
+ s3_key_prefix = var.config_s3_bucket_key_prefix
+ delivery_frequency = var.config_delivery_frequency
+ sns_topic_name = var.config_sns_topic_name
+ sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
+ include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "me-south-1"
+
+ tags = var.tags
+
+ depends_on = [aws_s3_bucket_policy.audit_log]
+}
+
 module "config_baseline_sa-east-1" {
 count = var.config_baseline_enabled && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/config-baseline"
@@ -481,12 +525,14 @@ resource "aws_config_config_rule" "iam_mfa" {
 module.config_baseline_ap-south-1,
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
+ module.config_baseline_ap-southeast-3,
 module.config_baseline_ca-central-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
 module.config_baseline_eu-west-2,
 module.config_baseline_eu-west-3,
+ module.config_baseline_me-south-1,
 module.config_baseline_sa-east-1,
 module.config_baseline_us-east-1,
 module.config_baseline_us-east-2,
@@ -516,12 +562,14 @@ resource "aws_config_config_rule" "unused_credentials" {
 module.config_baseline_ap-south-1,
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
+ module.config_baseline_ap-southeast-3,
 module.config_baseline_ca-central-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
 module.config_baseline_eu-west-2,
 module.config_baseline_eu-west-3,
+ module.config_baseline_me-south-1,
 module.config_baseline_sa-east-1,
 module.config_baseline_us-east-1,
 module.config_baseline_us-east-2,
@@ -556,12 +604,14 @@ resource "aws_config_config_rule" "user_no_policies" {
 module.config_baseline_ap-south-1,
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
+ module.config_baseline_ap-southeast-3,
 module.config_baseline_ca-central-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
 module.config_baseline_eu-west-2,
 module.config_baseline_eu-west-3,
+ module.config_baseline_me-south-1,
 module.config_baseline_sa-east-1,
 module.config_baseline_us-east-1,
 module.config_baseline_us-east-2,
@@ -596,12 +646,14 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" {
 module.config_baseline_ap-south-1,
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
+ module.config_baseline_ap-southeast-3,
 module.config_baseline_ca-central-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
 module.config_baseline_eu-west-2,
 module.config_baseline_eu-west-3,
+ module.config_baseline_me-south-1,
 module.config_baseline_sa-east-1,
 module.config_baseline_us-east-1,
 module.config_baseline_us-east-2,
diff --git a/ebs_baselines.tf b/ebs_baselines.tf
index 3da9c5ea..3a765c15 100644
--- a/ebs_baselines.tf
+++ b/ebs_baselines.tf
@@ -56,6 +56,15 @@ module "ebs_baseline_ap-southeast-2" {
 }
 }
 
+module "ebs_baseline_ap-southeast-3" {
+ count = contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/ebs-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+}
+
 module "ebs_baseline_ca-central-1" {
 count = contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/ebs-baseline"
@@ -110,6 +119,15 @@ module "ebs_baseline_eu-west-3" {
 }
 }
 
+module "ebs_baseline_me-south-1" {
+ count = contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/ebs-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+}
+
 module "ebs_baseline_sa-east-1" {
 count = contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/ebs-baseline"
diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf
index 8ab31369..16e7e5bf 100644
--- a/examples/external-bucket/main.tf
+++ b/examples/external-bucket/main.tf
@@ -37,12 +37,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf
index 6937e512..1a3ae7f5 100644
--- a/examples/external-bucket/regions.tf
+++ b/examples/external-bucket/regions.tf
@@ -33,6 +33,11 @@ provider "aws" {
 alias = "ap-southeast-2"
 }
 
+provider "aws" {
+ region = "ap-southeast-3"
+ alias = "ap-southeast-3"
+}
+
 provider "aws" {
 region = "ca-central-1"
 alias = "ca-central-1"
@@ -63,6 +68,11 @@ provider "aws" {
 alias = "eu-west-3"
 }
 
+provider "aws" {
+ region = "me-south-1"
+ alias = "me-south-1"
+}
+
 provider "aws" {
 region = "sa-east-1"
 alias = "sa-east-1"
diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf
index f74dfcf4..26c3517c 100644
--- a/examples/organization/master/main.tf
+++ b/examples/organization/master/main.tf
@@ -53,12 +53,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf
index 6937e512..1a3ae7f5 100644
--- a/examples/organization/master/regions.tf
+++ b/examples/organization/master/regions.tf
@@ -33,6 +33,11 @@ provider "aws" {
 alias = "ap-southeast-2"
 }
 
+provider "aws" {
+ region = "ap-southeast-3"
+ alias = "ap-southeast-3"
+}
+
 provider "aws" {
 region = "ca-central-1"
 alias = "ca-central-1"
@@ -63,6 +68,11 @@ provider "aws" {
 alias = "eu-west-3"
 }
 
+provider "aws" {
+ region = "me-south-1"
+ alias = "me-south-1"
+}
+
 provider "aws" {
 region = "sa-east-1"
 alias = "sa-east-1"
diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf
index 8c20c3d9..7b67b048 100644
--- a/examples/organization/member/main.tf
+++ b/examples/organization/member/main.tf
@@ -46,12 +46,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf
index 6937e512..1a3ae7f5 100644
--- a/examples/organization/member/regions.tf
+++ b/examples/organization/member/regions.tf
@@ -33,6 +33,11 @@ provider "aws" {
 alias = "ap-southeast-2"
 }
 
+provider "aws" {
+ region = "ap-southeast-3"
+ alias = "ap-southeast-3"
+}
+
 provider "aws" {
 region = "ca-central-1"
 alias = "ca-central-1"
@@ -63,6 +68,11 @@ provider "aws" {
 alias = "eu-west-3"
 }
 
+provider "aws" {
+ region = "me-south-1"
+ alias = "me-south-1"
+}
+
 provider "aws" {
 region = "sa-east-1"
 alias = "sa-east-1"
diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf
index 391872ec..dbc872c2 100644
--- a/examples/select-region/main.tf
+++ b/examples/select-region/main.tf
@@ -44,12 +44,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf
index 6937e512..1a3ae7f5 100644
--- a/examples/select-region/regions.tf
+++ b/examples/select-region/regions.tf
@@ -33,6 +33,11 @@ provider "aws" {
 alias = "ap-southeast-2"
 }
 
+provider "aws" {
+ region = "ap-southeast-3"
+ alias = "ap-southeast-3"
+}
+
 provider "aws" {
 region = "ca-central-1"
 alias = "ca-central-1"
@@ -63,6 +68,11 @@ provider "aws" {
 alias = "eu-west-3"
 }
 
+provider "aws" {
+ region = "me-south-1"
+ alias = "me-south-1"
+}
+
 provider "aws" {
 region = "sa-east-1"
 alias = "sa-east-1"
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
index 5e672c8e..d3e75ce8 100644
--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -41,12 +41,14 @@ module "secure_baseline" {
 aws.ap-south-1 = aws.ap-south-1
 aws.ap-southeast-1 = aws.ap-southeast-1
 aws.ap-southeast-2 = aws.ap-southeast-2
+ aws.ap-southeast-3 = aws.ap-southeast-3
 aws.ca-central-1 = aws.ca-central-1
 aws.eu-central-1 = aws.eu-central-1
 aws.eu-north-1 = aws.eu-north-1
 aws.eu-west-1 = aws.eu-west-1
 aws.eu-west-2 = aws.eu-west-2
 aws.eu-west-3 = aws.eu-west-3
+ aws.me-south-1 = aws.me-south-1
 aws.sa-east-1 = aws.sa-east-1
 aws.us-east-1 = aws.us-east-1
 aws.us-east-2 = aws.us-east-2
diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf
index 6937e512..1a3ae7f5 100644
--- a/examples/simple/regions.tf
+++ b/examples/simple/regions.tf
@@ -33,6 +33,11 @@ provider "aws" {
 alias = "ap-southeast-2"
 }
 
+provider "aws" {
+ region = "ap-southeast-3"
+ alias = "ap-southeast-3"
+}
+
 provider "aws" {
 region = "ca-central-1"
 alias = "ca-central-1"
@@ -63,6 +68,11 @@ provider "aws" {
 alias = "eu-west-3"
 }
 
+provider "aws" {
+ region = "me-south-1"
+ alias = "me-south-1"
+}
+
 provider "aws" {
 region = "sa-east-1"
 alias = "sa-east-1"
diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf
index 1d88499f..9ad8336e 100644
--- a/guardduty_baselines.tf
+++ b/guardduty_baselines.tf
@@ -111,6 +111,23 @@ module "guardduty_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "guardduty_baseline_ap-southeast-3" {
+ source = "./modules/guardduty-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0
+ disable_email_notification = var.guardduty_disable_email_notification
+ finding_publishing_frequency = var.guardduty_finding_publishing_frequency
+ invitation_message = var.guardduty_invitation_message
+ master_account_id = local.guardduty_master_account_id
+ member_accounts = local.guardduty_member_accounts
+
+ tags = var.tags
+}
+
 module "guardduty_baseline_ca-central-1" {
 count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0
 source = "./modules/guardduty-baseline"
@@ -213,6 +230,23 @@ module "guardduty_baseline_eu-west-3" {
 tags = var.tags
 }
 
+module "guardduty_baseline_me-south-1" {
+ count = contains(var.target_regions, "me-south-1") && var.guardduty_enabled ? 1 : 0
+ source = "./modules/guardduty-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ disable_email_notification = var.guardduty_disable_email_notification
+ finding_publishing_frequency = var.guardduty_finding_publishing_frequency
+ invitation_message = var.guardduty_invitation_message
+ master_account_id = local.guardduty_master_account_id
+ member_accounts = local.guardduty_member_accounts
+
+ tags = var.tags
+}
+
 module "guardduty_baseline_sa-east-1" {
 count = contains(var.target_regions, "sa-east-1") && var.guardduty_enabled ? 1 : 0
 source = "./modules/guardduty-baseline"
diff --git a/main.tf b/main.tf
index 1b807f35..8fc28504 100644
--- a/main.tf
+++ b/main.tf
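Review bot: In `module "guardduty_baseline_ap-southeast-3"` the `count` argument sits after the `providers` block, in the middle of the argument list, whereas the sibling `guardduty_baseline_me-south-1` block in the second hunk and the existing `guardduty_baseline_ca-central-1` block both open with `count` followed by `source`; the two new per-region blocks should share one layout so they stay diffable against each other. Move the line so the block starts with `count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0` and then `source = "./modules/guardduty-baseline"`, and remove it from below the providers block. Behaviour is unaffected; this is purely about how the new block is written.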
@@ -11,11 +11,12 @@ terraform {
 configuration_aliases = [ aws.ap-northeast-1, aws.ap-northeast-2, aws.ap-northeast-3, aws.ap-south-1,
- aws.ap-southeast-1, aws.ap-southeast-2,
+ aws.ap-southeast-1, aws.ap-southeast-2, aws.ap-southeast-3,
 aws.ca-central-1, aws.eu-central-1, aws.eu-north-1, aws.eu-west-1, aws.eu-west-2, aws.eu-west-3,
+ aws.me-south-1,
 aws.sa-east-1, aws.us-east-1, aws.us-east-2, aws.us-west-1, aws.us-west-2,
diff --git a/outputs.tf b/outputs.tf
index beae8b0b..edf842d5 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -64,11 +64,13 @@ output "config_configuration_recorder" {
 "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder)
 "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder)
 "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder)
+ "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].configuration_recorder)
 "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder)
 "eu-central-1" = one(module.config_baseline_eu-central-1[*].configuration_recorder)
 "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder)
 "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder)
 "eu-west-3" = one(module.config_baseline_eu-west-3[*].configuration_recorder)
+ "me-south-1" = one(module.config_baseline_me-south-1[*].configuration_recorder)
 "sa-east-1" = one(module.config_baseline_sa-east-1[*].configuration_recorder)
 "us-east-1" = one(module.config_baseline_us-east-1[*].configuration_recorder)
 "us-east-2" = one(module.config_baseline_us-east-2[*].configuration_recorder)
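Review bot: Adding `aws.ap-southeast-3` and `aws.me-south-1` to `configuration_aliases` makes both provider configurations mandatory for every caller of this module, not only for callers that list those regions in `target_regions`; as far as I can tell an existing root module that does not pass them in its `providers` map will fail at plan time until it adds two provider blocks. The CHANGELOG hunk records the change as a feature in a minor release, so this deserves an explicit upgrade note in the release description and README telling callers to add the two aliases, and a comment in this list such as `# Every alias here must be supplied by the caller, even for regions absent from var.target_regions`. The `configuration_aliases` list continues past the end of this hunk.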
@@ -87,12 +89,14 @@ output "config_sns_topic" {
 "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic)
 "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic)
 "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic)
+ "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].config_sns_topic)
 "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic)
 "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic)
 "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic)
 "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic)
 "eu-west-2" = one(module.config_baseline_eu-west-2[*].config_sns_topic)
 "eu-west-3" = one(module.config_baseline_eu-west-3[*].config_sns_topic)
+ "me-south-1" = one(module.config_baseline_me-south-1[*].config_sns_topic)
 "sa-east-1" = one(module.config_baseline_sa-east-1[*].config_sns_topic)
 "us-east-1" = one(module.config_baseline_us-east-1[*].config_sns_topic)
 "us-east-2" = one(module.config_baseline_us-east-2[*].config_sns_topic)
@@ -115,11 +119,13 @@ output "guardduty_detector" {
 "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector)
 "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector)
 "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector)
+ "ap-southeast-3" = one(module.guardduty_baseline_ap-southeast-3[*].guardduty_detector)
 "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector)
 "eu-central-1" = one(module.guardduty_baseline_eu-central-1[*].guardduty_detector)
 "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector)
 "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector)
 "eu-west-2" = one(module.guardduty_baseline_eu-west-2[*].guardduty_detector)
+ "me-south-1" = one(module.guardduty_baseline_me-south-1[*].guardduty_detector)
 "sa-east-1" = one(module.guardduty_baseline_sa-east-1[*].guardduty_detector)
 "us-east-1" = one(module.guardduty_baseline_us-east-1[*].guardduty_detector)
 "us-east-2" = one(module.guardduty_baseline_us-east-2[*].guardduty_detector)
@@ -156,12 +162,14 @@ output "vpc_flow_logs_group" {
 "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group)
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group)
+ "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].vpc_flow_logs_group)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].vpc_flow_logs_group)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].vpc_flow_logs_group)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].vpc_flow_logs_group)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].vpc_flow_logs_group)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].vpc_flow_logs_group)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].vpc_flow_logs_group)
@@ -180,12 +188,14 @@ output "default_vpc" {
 "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc)
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc)
+ "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_vpc)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_vpc)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_vpc)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_vpc)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_vpc)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_vpc)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_vpc)
@@ -204,12 +214,14 @@ output "default_security_group" {
 "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group)
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group)
+ "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_security_group)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_security_group)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_security_group)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_security_group)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_security_group)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_security_group)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_security_group)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_security_group)
@@ -228,12 +240,14 @@ output "default_network_acl" {
 "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl)
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl)
+ "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_network_acl)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_network_acl)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_network_acl)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_network_acl)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_network_acl)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_network_acl)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_network_acl)
@@ -252,12 +266,14 @@ output "default_route_table" {
 "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table)
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table)
+ "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_route_table)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table)
 "eu-west-2" = one(module.vpc_baseline_eu-west-2[*].default_route_table)
 "eu-west-3" = one(module.vpc_baseline_eu-west-3[*].default_route_table)
+ "me-south-1" = one(module.vpc_baseline_me-south-1[*].default_route_table)
 "sa-east-1" = one(module.vpc_baseline_sa-east-1[*].default_route_table)
 "us-east-1" = one(module.vpc_baseline_us-east-1[*].default_route_table)
 "us-east-2" = one(module.vpc_baseline_us-east-2[*].default_route_table)
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index a8324d6e..37bb432b 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -108,6 +108,23 @@ module "securityhub_baseline_ap-southeast-2" {
 member_accounts = local.securityhub_member_accounts
 }
 
+module "securityhub_baseline_ap-southeast-3" {
+ count = contains(var.target_regions, "ap-southeast-3") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ aggregate_findings = var.region == "ap-southeast-3"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_ca-central-1" {
 count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
@@ -210,6 +227,23 @@ module "securityhub_baseline_eu-west-3" {
 member_accounts = local.securityhub_member_accounts
 }
 
+module "securityhub_baseline_me-south-1" {
+ count = contains(var.target_regions, "me-south-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ aggregate_findings = var.region == "me-south-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_sa-east-1" {
 count = contains(var.target_regions, "sa-east-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
diff --git a/variables.tf b/variables.tf
index a942f3c9..b33d402c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,12 +49,14 @@ variable "target_regions" {
 "ap-south-1",
 "ap-southeast-1",
 "ap-southeast-2",
+ "ap-southeast-3",
 "ca-central-1",
 "eu-central-1",
 "eu-north-1",
 "eu-west-1",
 "eu-west-2",
 "eu-west-3",
+ "me-south-1",
 "sa-east-1",
 "us-east-1",
 "us-east-2",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed472..e816d836 100644
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
@@ -177,6 +177,25 @@ module "vpc_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "vpc_baseline_ap-southeast-3" {
+ count = var.vpc_enable && contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_ca-central-1" {
 count = var.vpc_enable && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/vpc-baseline"
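Review bot: Both entries added to the default of `target_regions`, `"ap-southeast-3"` and `"me-south-1"`, are opt-in AWS regions that stay disabled in an account until someone enables them in the account settings, unlike every other region in this list; with this default, a consumer that relies on it and has not opted in will, as far as I can tell, fail during plan as soon as the provider for the disabled region makes its first API call, so the upgrade breaks them without any change on their side. Either keep the two out of the default and document them as opt-in, or keep them and state the prerequisite in the variable's `description`, e.g. `ap-southeast-3 and me-south-1 are opt-in regions; enable them in the account before including them here.` The same prerequisite applies to the unconditional `provider "aws"` blocks added in each examples/*/regions.tf hunk, which will hit the same failure in an account that has not opted in. The `default` list continues outside this hunk.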
@@ -291,6 +310,25 @@ module "vpc_baseline_eu-west-3" {
 tags = var.tags
 }
 
+module "vpc_baseline_me-south-1" {
+ count = var.vpc_enable && contains(var.target_regions, "me-south-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.me-south-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_sa-east-1" {
 count = var.vpc_enable && contains(var.target_regions, "sa-east-1") ? 1 : 0
 source = "./modules/vpc-baseline"