chore(main): release 3.0.0 #18

Open
wants to merge 1 commit into
base: main

github-actions[bot]

@github-actions github-actions bot commented May 3, 2024

🤖 I have created a release beep boop

3.0.0 (2024-09-20)

⚠ BREAKING CHANGES

  • this change disables glacier transition rules by default since transitioning small objects is officially not recommended. it can be enabled by setting var.audit_log_lifecycle_glacier_transition_days to a positive number.
  • resources regarding S3 bucket configurations need manual import after upgrade. See docs/upgrade-1.0.md for guidance.

Features

  • add "tags" argument (9bee890)
  • add a flag to enable force_destroy on S3 buckets (91c50ed), closes #48
  • add a flag to enable/disable VPC Flow Logs (#146) (d681d9f), closes #143
  • add a flag to toggle Security Hub (#201) (7514a84)
  • add an argument to specify target regions. (2500dd7)
  • add cloudtrail insight selector type specification (#180) (60c75ab)
  • add eu-north-1 region support (2a13893)
  • add flag for disabling config-baseline (#190) (4018bc0)
  • add flag to allow recording global resources in all regions (#168) (d0805ec)
  • add functionality to manually enable/disable guardduty-baseline module (#183) (3e648a6)
  • add IAM baseline module (3593e1e)
  • add in support to enable 3rd party products (#206) (32e3db0)
  • add inputs to toggle submodules (#240) (ceabfc7)
  • add kms_master_key_id to alarm baseline and config-baseline module (#216) (46864f6)
  • add new S3 bucket configuration resources (#261) (150a537)
  • add option to publish VPC Flow Logs to either S3 or CW (#151) (c1d81fa), closes #144
  • add parameters to make role creations optional (#127) (c149cd2)
  • add permissions boundaries for IAM entities support (#288) (219f003)
  • add S3 bucket key support (#236) (fb0dd55)
  • add support for logging dynamodb events (#207) (0a37c1d)
  • add tags to flow logs (#120) (1c0e406)
  • add tags to guardduty (#121) (5a808e5)
  • add the organizational AWS Config aggregated view (b7db3db)
  • add various outputs (c8c05b6)
  • add vpc_enable variable (#170) (f680ad6)
  • add/enable ap-northeast-3 (Osaka) region (#177) (1e6ab04)
  • adds lambda function invocation logging (#205) (cd07fe3)
  • allow enabling/disabling individual alarms (#164) (1638655)
  • allow member accounts access to the audit log bucket (ee87366)
  • allow use of organization trail to be toggled via variable (#259) (0b636bb)
  • allow using an external bucket instead of creating a new one (f2f8e4a), closes #47
  • apply default subnet changes to existing subnets (#237) (1b0f314), closes #198
  • apply tags to default network resources (#133) (4214de4), closes #123
  • associate members to master in SecurityHub (#147) (4bea2ba), closes #145
  • automatically accepts invite from the master (#256) (aa478e1)
  • automatically archive audit logs into Amazon Glacier (3583ede)
  • disable automatic public ip assignments in default subnets (#189) (35603a7)
  • do not setup CloudTrail for member accounts (4579ba0)
  • enable access analyzer for org (#167) (4f492e3), closes #166
  • enable AWS Config rules for monitoring (0a5131c)
  • enable CIS benchmark v1.4.0 standard (#308) (bb724cd)
  • enable finding aggregator in the main region (#241) (31eae8f)
  • enable GuardDuty in all regions (00969b6)
  • enable GuardDuty in eu-north-1 region (5bb651d)
  • enable GuardDuty in Paris region. (2f6a7b8)
  • enable Insights event logging by default (#185) (854d9d1)
  • enable managed config rules for benchmark compliance (5dc385e)
  • enable S3 account-level public block (#188) (30d197a), closes #176
  • enable Security Hub in each region (#105) (318ca1d), closes #95
  • enable SecurityHub and CIS standard subscription (6cafa6e), closes #23
  • enable versioning with secure buckets (c3bd177)
  • encrypt the sns topic (#103) (ecd33c1), closes #94
  • enforce strong password policy by default (#252) (6bc61ca)
  • force using HTTPS to access the access log bucket (#129) (c02f6a3)
  • force using HTTPS to access the audit log bucket (#128) (2573da4)
  • GuardDuty: Enable S3 events sources (#209) (dad4821)
  • make all roles to be optional (#115) (ea475c5)
  • make audit log bucket access logs bucket name customizable (#303) (07dc101)
  • make delivery of CloudTrail to CloudWatch Logs and SNS optional (#117) (12b25f1)
  • make glacier transition rules optional (#293) (f0cdf3e)
  • new SecurityHub standards support (#113) (e9b18fe)
  • only include global resources in the specified region (156c7b7)
  • optionally ignore SSO logins for MFA alarms (#234) (cf9b14c)
  • output an ID of the audit log bucket (1221acf)
  • return resources as outputs instead of specific attributes (385093a)
  • support GuardDuty master/member accounts (6d40848)
  • support organization trails (3622b0d)
  • take finding_publishing_frequency as an input variable (9942e27)
  • upgrade to terraform 0.12 (8718796)
  • use S3 lifecycle rule V2 (#285) (2b471bd)
  • use the audit log bucket for Flow Logs by default (#152) (de6e678)
  • various updates to comply with CIS Benchmark v1.3.0 (#131) (a52a098)

Bug Fixes

  • add a wildcard suffix to log group ARN (#119) (0f1a8af), closes #118
  • add in new region (#91) (2276b6d)
  • adjust filter pattern for unauthorized_api_calls alarm (#212) (3d5332a)
  • adjust password policy to match CIS 1.3+ (#213) (7297a2b)
  • adjust password policy to match CIS 1.3+ (#214) (b363f5a)
  • allow alarm variables to be set at top level module (#178) (5c03791)
  • avoid for_each key error (#273) (0122d6f)
  • broken output value (671d684)
  • Change how to workaround the default ACL issue. (5c981b0), closes #17
  • create a global rule after recorders. (51173ff)
  • create a log group for VPC Flow Logs in each region (ce67a3b)
  • deprecation warnings (#140) (7cf8fc1)
  • do not enable SecurityHub when not enabled (#111) (42c9611), closes #110
  • do not manage datasources in member accounts. (#215) (6f18666)
  • do not override guardduty_master_account_id for simplicity (126da70)
  • do not read AWS Organization when account_type is set to "individual" (9c60572)
  • edge case when not logging to cloudwatch (#161) (a87c731)
  • ensure to have the audit log bucket before CloudTrail (#102) (892b0ab)
  • incorrect references in external-bucket example (050b73b)
  • insufficient permission to accept organization trails. (a4828f7)
  • invalid reference when flow logs is disabled (#157) (10c7ead), closes #156
  • is_enabled flag with ap-northeast-3 (#192) (89a2756)
  • logging policies when using custom prefixes (#141) (423215c)
  • make sns_topic_kms_master_key_id optional (#219) (55e6f29)
  • mark var.member_accounts required (#272) (8612941)
  • no findings aggregator for member accounts (#257) (85864f5), closes #254
  • omit GuardDuty config for eu-west-3 region until supported (258bb5a)
  • permissions for organization trail (d68aed3)
  • prevent AWS Config to fire alarms (#139) (3d57fcc)
  • remove aws_default_vpc dependency (#238) (0c39831)
  • remove a default subnet resource (d9ccfc8)
  • remove a redundant Config rule (#132) (d93a11c)
  • require AWS provider v4.1.0 (#268) (05dd88c)
  • require AWS provider v4.2.0 (#270) (3c30413)
  • set the minimum terraform version to 1.1.4 (#255) (4d3cbd4)
  • support standard options for ap-east-1 (c5394a5)
  • temporarily disable mfa_delete on secure buckets (583f76d)
  • the condition to use the organization trail (#265) (5f63932)
  • the minimum required version of the AWS provider (#227) (4fcada9), closes #226
  • typo (#203) (51d4629)
  • update var names in the CI script (000643d)
  • upgrade minimum provider requirements (#248) (6742a37)
  • upgrade the AWS provider to v4.3 (#287) (271d99e)
  • use CIS recommended filter pattern (#239) (3366cac)
  • use count instead of var.enabled (#262) (8fda7c7)
  • use the same CMK for encrypting the SNS topic (#104) (505b748)
  • when VPC is disabled, disable vpc logging for it (#197) (09e5d75)

This PR was generated with Release Please. See documentation.

@github-actions github-actions bot force-pushed the release-please--branches--main branch from 7515395 to b17d4bd Compare June 17, 2024 09:01
@github-actions github-actions bot force-pushed the release-please--branches--main branch 2 times, most recently from 740598b to d070e90 Compare June 25, 2024 10:32
@github-actions github-actions bot force-pushed the release-please--branches--main branch from d070e90 to c01513d Compare July 2, 2024 13:26
@github-actions github-actions bot force-pushed the release-please--branches--main branch from c01513d to 4f68bdd Compare August 6, 2024 07:30
@github-actions github-actions bot force-pushed the release-please--branches--main branch 2 times, most recently from 880cf33 to 994b294 Compare September 19, 2024 06:14
@github-actions github-actions bot force-pushed the release-please--branches--main branch from 994b294 to a0909b2 Compare September 20, 2024 10:01