feat: feature organization setup

clouddrove · Jul 24, 2023 · 0c0a53f · 0c0a53f
1 parent ec1ed8e
commit 0c0a53f
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 22 deletions.
diff --git a/_example/example.tf b/_example/example.tf
@@ -10,14 +10,25 @@ module "security-hub" {
 
   #member account add
   enable_member_account = true
-  member_account_id     = "123344847783"
-  member_mail_id        = "hello@clouddrove.com"
+  member_details = [
+    {
+      account_id = "560633484280"
+      mail_id    = "hello@clouddrove.com"
+      invite     = true
+    },
+    {
+      account_id = "1122334455"
+      mail_id    = "temp@clouddrove.com"
+      invite     = true
+    }
+  ]
 
   #standards 
   enabled_standards = [
     "standards/aws-foundational-security-best-practices/v/1.0.0",
     "ruleset/cis-aws-foundations-benchmark/v/1.2.0"
   ]
+
   #products
   enabled_products = [
     "product/aws/guardduty",

diff --git a/main.tf b/main.tf
@@ -14,7 +14,10 @@ locals {
 }
 
 resource "aws_securityhub_account" "security_hub" {
-  count = var.security_hub_enabled && var.enable ? 1 : 0
+  count                     = var.security_hub_enabled && var.enable ? 1 : 0
+  enable_default_standards  = var.enable_default_standards
+  control_finding_generator = var.control_finding_generator
+  auto_enable_controls      = var.auto_enable_controls
 }
 
 resource "aws_securityhub_standards_subscription" "standards" {
@@ -31,10 +34,12 @@ resource "aws_securityhub_product_subscription" "products" {
 
 # To enable add member account to security-hub. 
 resource "aws_securityhub_member" "example" {
-  count = var.enable_member_account && var.enable ? 1 : 0
+  for_each   = { for member in var.member_details : member.account_id => member }
+  account_id = each.value.account_id
+  email      = each.value.mail_id
+  invite     = each.value.invite
 
-  depends_on = [aws_securityhub_account.security_hub]
-  account_id = var.member_account_id
-  email      = var.member_mail_id
-  invite     = true
+  depends_on = [
+    aws_securityhub_account.security_hub
+  ]
 }
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,45 @@
+variable "enable_organization" {
+  description = "To enable the delagated feature for the organization."
+  type        = bool
+  default     = false
+}
+
+variable "delegated_account_id" {
+  description = "Acconut id of the dalegated user."
+  type        = string
+  default     = null
+}
+
+variable "enable_default_standards" {
+  description = "Flag to indicate whether default standards should be enabled"
+  type        = bool
+  default     = true
+}
+
+variable "control_finding_generator" {
+  description = <<-DOC
+    Updates whether the calling account has consolidated control findings turned on. 
+    If the value for this field is set to SECURITY_CONTROL, 
+    Security Hub generates a single finding for a control check even when the check applies to multiple enabled standards. 
+    If the value for this field is set to STANDARD_CONTROL, 
+    Security Hub generates separate findings for a control check when the check applies to multiple enabled standards. 
+    For accounts that are part of an organization, 
+    this value can only be updated in the administrator account.
+  DOC
+  type        = string
+  default     = null
+}
+
+variable "auto_enable_controls" {
+  description = <<-DOC
+    Whether to automatically enable new controls when they are added to standards that are enabled. 
+    By default, this is set to true, and new controls are enabled automatically. 
+    To not automatically enable new controls, set this to false.
+  DOC
+  type        = bool
+  default     = true
+}
+
 variable "enabled_standards" {
   description = <<-DOC
     The possible values are:
@@ -25,25 +67,20 @@ variable "security_hub_enabled" {
   default     = true
   description = "To Enable seucirty-hub in aws account"
 }
-variable "member_account_id" {
-  type        = string
-  default     = ""
-  description = "The ID of the member AWS account."
-}
 
-variable "member_mail_id" {
-  type        = string
-  default     = ""
-  description = "The email of the member AWS account."
+variable "member_details" {
+  type = list(object({
+    account_id = string
+    mail_id    = string
+    invite     = bool
+  }))
+  default = []
 }
 
 variable "enable_member_account" {
   type        = bool
   default     = false
   description = "To create member account "
-
-
-
 }
 
 variable "enable" {
@@ -53,7 +90,6 @@ variable "enable" {
 }
 
 variable "name" {
-  type = string
+  type    = string
   default = ""
-
 }