diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf
index 1af69a5..f7a711c 100644
--- a/analyzer_baselines.tf
+++ b/analyzer_baselines.tf
@@ -104,6 +104,20 @@ module "analyzer_baseline_ca-central-1" {
 tags = var.tags
 }
 
+module "analyzer_baseline_ca-west-1" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "ca-west-1") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
+
 module "analyzer_baseline_eu-central-1" {
 count = local.is_analyzer_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0
 source = "./modules/analyzer-baseline"
diff --git a/config_baselines.tf b/config_baselines.tf
index 8e7278e..40659ce 100644
--- a/config_baselines.tf
+++ b/config_baselines.tf
@@ -7,6 +7,7 @@ locals {
 one(module.config_baseline_ap-southeast-1[*].config_sns_topic),
 one(module.config_baseline_ap-southeast-2[*].config_sns_topic),
 one(module.config_baseline_ca-central-1[*].config_sns_topic),
+ one(module.config_baseline_ca-west-1[*].config_sns_topic),
 one(module.config_baseline_eu-central-1[*].config_sns_topic),
 one(module.config_baseline_eu-north-1[*].config_sns_topic),
 one(module.config_baseline_eu-west-1[*].config_sns_topic),
@@ -247,6 +248,27 @@ module "config_baseline_ca-central-1" {
 depends_on = [aws_s3_bucket_policy.audit_log]
 }
 
+module "config_baseline_ca-west-1" {
+ count = var.config_baseline_enabled && contains(var.target_regions, "ca-west-1") ? 1 : 0
+ source = "./modules/config-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+
+ iam_role_arn = one(aws_iam_role.recorder[*].arn)
+ s3_bucket_name = local.audit_log_bucket_id
+ s3_key_prefix = var.config_s3_bucket_key_prefix
+ delivery_frequency = var.config_delivery_frequency
+ sns_topic_name = var.config_sns_topic_name
+ sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id
+ include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ca-west-1"
+
+ tags = var.tags
+
+ depends_on = [aws_s3_bucket_policy.audit_log]
+}
+
 module "config_baseline_eu-central-1" {
 count = var.config_baseline_enabled && contains(var.target_regions, "eu-central-1") ? 1 : 0
 source = "./modules/config-baseline"
@@ -482,6 +504,7 @@ resource "aws_config_config_rule" "iam_mfa" {
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
 module.config_baseline_ca-central-1,
+ module.config_baseline_ca-west-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
@@ -517,6 +540,7 @@ resource "aws_config_config_rule" "unused_credentials" {
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
 module.config_baseline_ca-central-1,
+ module.config_baseline_ca-west-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
@@ -557,6 +581,7 @@ resource "aws_config_config_rule" "user_no_policies" {
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
 module.config_baseline_ca-central-1,
+ module.config_baseline_ca-west-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
@@ -597,6 +622,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" {
 module.config_baseline_ap-southeast-1,
 module.config_baseline_ap-southeast-2,
 module.config_baseline_ca-central-1,
+ module.config_baseline_ca-west-1,
 module.config_baseline_eu-central-1,
 module.config_baseline_eu-north-1,
 module.config_baseline_eu-west-1,
diff --git a/ebs_baselines.tf b/ebs_baselines.tf
index 3da9c5e..e138615 100644
--- a/ebs_baselines.tf
+++ b/ebs_baselines.tf
@@ -65,6 +65,15 @@ module "ebs_baseline_ca-central-1" {
 }
 }
 
+module "ebs_baseline_ca-west-1" {
+ count = contains(var.target_regions, "ca-west-1") ? 1 : 0
+ source = "./modules/ebs-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+}
+
 module "ebs_baseline_eu-central-1" {
 count = contains(var.target_regions, "eu-central-1") ? 1 : 0
 source = "./modules/ebs-baseline"
diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf
index 1d88499..e70ec86 100644
--- a/guardduty_baselines.tf
+++ b/guardduty_baselines.tf
@@ -128,6 +128,23 @@ module "guardduty_baseline_ca-central-1" {
 tags = var.tags
 }
 
+module "guardduty_baseline_ca-west-1" {
+ count = contains(var.target_regions, "cawest-1") && var.guardduty_enabled ? 1 : 0
+ source = "./modules/guardduty-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+
+ disable_email_notification = var.guardduty_disable_email_notification
+ finding_publishing_frequency = var.guardduty_finding_publishing_frequency
+ invitation_message = var.guardduty_invitation_message
+ master_account_id = local.guardduty_master_account_id
+ member_accounts = local.guardduty_member_accounts
+
+ tags = var.tags
+}
+
 module "guardduty_baseline_eu-central-1" {
 count = contains(var.target_regions, "eu-central-1") && var.guardduty_enabled ? 1 : 0
 source = "./modules/guardduty-baseline"
diff --git a/main.tf b/main.tf
index 1b807f3..81b0ad4 100644
--- a/main.tf
+++ b/main.tf
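Review bot: The new `guardduty_baseline_ca-west-1` module in guardduty_baselines.tf can never be instantiated: its `count` tests `contains(var.target_regions, "cawest-1")` (missing hyphen) while every other reference in this commit, including the provider alias and the `target_regions` default, uses `"ca-west-1"`. The result is a silent detection gap — the analyzer, Config, EBS, Security Hub and VPC baselines are created in the new region but no GuardDuty detector is, and the `guardduty_detector` output entry for `"ca-west-1"` added in outputs.tf will always be null. The line should read `count = contains(var.target_regions, "ca-west-1") && var.guardduty_enabled ? 1 : 0`. A `terraform plan` with the default `target_regions` would show the missing `module.guardduty_baseline_ca-west-1[0]` resources; worth running before merge since the typo passes validation.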
@@ -12,7 +12,7 @@ terraform {
 aws.ap-northeast-1, aws.ap-northeast-2, aws.ap-northeast-3, aws.ap-south-1, aws.ap-southeast-1, aws.ap-southeast-2,
- aws.ca-central-1,
+ aws.ca-central-1, aws.ca-west-1,
 aws.eu-central-1, aws.eu-north-1, aws.eu-west-1, aws.eu-west-2, aws.eu-west-3,
diff --git a/outputs.tf b/outputs.tf
index beae8b0..f9b9189 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -65,6 +65,7 @@ output "config_configuration_recorder" {
 "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder)
 "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder)
 "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder)
+ "ca-west-1" = one(module.config_baseline_ca-west-1[*].configuration_recorder)
 "eu-central-1" = one(module.config_baseline_eu-central-1[*].configuration_recorder)
 "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder)
 "eu-west-2" = one(module.config_baseline_eu-west-2[*].configuration_recorder)
@@ -88,6 +89,7 @@ output "config_sns_topic" {
 "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic)
 "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic)
 "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic)
+ "ca-west-1" = one(module.config_baseline_ca-west-1[*].config_sns_topic)
 "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic)
 "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic)
 "eu-west-1" = one(module.config_baseline_eu-west-1[*].config_sns_topic)
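Review bot: Adding `aws.ca-west-1` to `configuration_aliases` in main.tf is a breaking change for every consumer of this module and the commit does not document it: a root module that does not declare a `provider "aws" { alias = "ca-west-1" ... }` block will fail at init/plan, regardless of whether `"ca-west-1"` appears in its `target_regions` (presumably the same contract the existing aliases already impose). Since ca-west-1 is an opt-in region, that alias will also have to point at a region the account has actually enabled. Please call this out in the changelog/README upgrade notes, e.g. `# NOTE: every listed alias must be configured by the caller even when the region is not targeted`, and in the PR description so downstream users bump with a provider block rather than a surprise plan failure.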
@@ -116,6 +118,7 @@ output "guardduty_detector" {
 "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector)
 "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector)
 "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector)
+ "ca-west-1" = one(module.guardduty_baseline_ca-west-1[*].guardduty_detector)
 "eu-central-1" = one(module.guardduty_baseline_eu-central-1[*].guardduty_detector)
 "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector)
 "eu-west-1" = one(module.guardduty_baseline_eu-west-1[*].guardduty_detector)
@@ -157,6 +160,7 @@ output "vpc_flow_logs_group" {
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group)
+ "ca-west-1" = one(module.vpc_baseline_ca-west-1[*].vpc_flow_logs_group)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].vpc_flow_logs_group)
@@ -181,6 +185,7 @@ output "default_vpc" {
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc)
+ "ca-west-1" = one(module.vpc_baseline_ca-west-1[*].default_vpc)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_vpc)
@@ -205,6 +210,7 @@ output "default_security_group" {
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group)
+ "ca-west-1" = one(module.vpc_baseline_ca-west-1[*].default_security_group)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_security_group)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_security_group)
@@ -229,6 +235,7 @@ output "default_network_acl" {
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl)
+ "ca-west-1" = one(module.vpc_baseline_ca-west-1[*].default_network_acl)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_network_acl)
@@ -253,6 +260,7 @@ output "default_route_table" {
 "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table)
 "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table)
 "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table)
+ "ca-west-1" = one(module.vpc_baseline_ca-west-1[*].default_route_table)
 "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table)
 "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table)
 "eu-west-1" = one(module.vpc_baseline_eu-west-1[*].default_route_table)
diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf
index a8324d6..3b01316 100644
--- a/securityhub_baselines.tf
+++ b/securityhub_baselines.tf
@@ -125,6 +125,23 @@ module "securityhub_baseline_ca-central-1" {
 member_accounts = local.securityhub_member_accounts
 }
 
+module "securityhub_baseline_ca-west-1" {
+ count = contains(var.target_regions, "ca-west-1") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+
+ aggregate_findings = var.region == "ca-west-1"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_eu-central-1" {
 count = contains(var.target_regions, "eu-central-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
diff --git a/variables.tf b/variables.tf
index a942f3c..083ff36 100644
--- a/variables.tf
+++ b/variables.tf
@@ -50,6 +50,7 @@ variable "target_regions" {
 "ap-southeast-1",
 "ap-southeast-2",
 "ca-central-1",
+ "ca-west-1",
 "eu-central-1",
 "eu-north-1",
 "eu-west-1",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed47..3b8852c 100644
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
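Review bot: Adding `"ca-west-1"` to the default of `target_regions` in variables.tf changes behaviour for every existing caller that relies on the default: because each baseline module's `count` is gated on `contains(var.target_regions, ...)`, the next apply will try to create Config recorders, VPC flow logs, EBS encryption defaults and Security Hub resources in ca-west-1. ca-west-1 is an opt-in region, so in accounts that have not enabled it those API calls fail and the whole apply errors out rather than the region being skipped. Either keep the region out of the default and let users opt in via `target_regions`, or document the requirement on the variable, e.g. `description = "... ca-west-1 is an opt-in region and must be enabled in the account before it can be targeted."`. Whichever is chosen, the README/changelog should say so since this is a behaviour change, not just an additive list entry.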
@@ -196,6 +196,25 @@ module "vpc_baseline_ca-central-1" {
 tags = var.tags
 }
 
+module "vpc_baseline_ca-west-1" {
+ count = var.vpc_enable && contains(var.target_regions, "ca-west-1") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.ca-west-1
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_eu-central-1" {
 count = var.vpc_enable && contains(var.target_regions, "eu-central-1") ? 1 : 0
 source = "./modules/vpc-baseline"