From 7baa72372c8d384b068017f4ae63b42bfb5cf9c8 Mon Sep 17 00:00:00 2001 From: Umbert Date: Thu, 30 May 2024 16:04:57 +0200 Subject: [PATCH] feat: Add ap-southeast-3 aws region --- README.md | 1 + analyzer_baselines.tf | 14 +++++++++++++ config_baselines.tf | 26 +++++++++++++++++++++++++ ebs_baselines.tf | 9 +++++++++ examples/external-bucket/main.tf | 1 + examples/external-bucket/regions.tf | 5 +++++ examples/organization/master/main.tf | 1 + examples/organization/master/regions.tf | 5 +++++ examples/organization/member/main.tf | 1 + examples/organization/member/regions.tf | 5 +++++ examples/select-region/main.tf | 1 + examples/select-region/regions.tf | 5 +++++ examples/simple/main.tf | 1 + examples/simple/regions.tf | 5 +++++ guardduty_baselines.tf | 17 ++++++++++++++++ main.tf | 2 +- outputs.tf | 8 ++++++++ securityhub_baselines.tf | 17 ++++++++++++++++ variables.tf | 1 + vpc_baselines.tf | 19 ++++++++++++++++++ 20 files changed, 143 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 55b5c742..c84fa37f 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/analyzer_baselines.tf b/analyzer_baselines.tf index 1af69a50..4c665930 100644 --- a/analyzer_baselines.tf +++ b/analyzer_baselines.tf 
@@ -90,6 +90,20 @@ module "analyzer_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "analyzer_baseline_ap-southeast-3" {
+ count = local.is_analyzer_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/analyzer-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ analyzer_name = var.analyzer_name
+ is_organization = local.is_master_account
+
+ tags = var.tags
+}
+
 module "analyzer_baseline_ca-central-1" {
 count = local.is_analyzer_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/analyzer-baseline"
diff --git a/config_baselines.tf b/config_baselines.tf
index 8e7278ea..33fb6d9b 100644
--- a/config_baselines.tf
+++ b/config_baselines.tf
@@ -6,6 +6,7 @@ locals {
 one(module.config_baseline_ap-south-1[*].config_sns_topic),
 one(module.config_baseline_ap-southeast-1[*].config_sns_topic),
 one(module.config_baseline_ap-southeast-2[*].config_sns_topic),
+ one(module.config_baseline_ap-southeast-3[*].config_sns_topic),
 one(module.config_baseline_ca-central-1[*].config_sns_topic),
 one(module.config_baseline_eu-central-1[*].config_sns_topic),
 one(module.config_baseline_eu-north-1[*].config_sns_topic),
@@ -226,6 +227,27 @@ module "config_baseline_ap-southeast-2" { depends_on = [aws_s3_bucket_policy.audit_log] } +module "config_baseline_ap-southeast-3" { + count = var.config_baseline_enabled && contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/config-baseline" + + providers = { + aws = aws.ap-southeast-3 + } + + iam_role_arn = one(aws_iam_role.recorder[*].arn) + s3_bucket_name = local.audit_log_bucket_id + s3_key_prefix = var.config_s3_bucket_key_prefix + delivery_frequency = var.config_delivery_frequency + sns_topic_name = var.config_sns_topic_name + sns_topic_kms_master_key_id = var.config_sns_topic_kms_master_key_id + include_global_resource_types = var.config_global_resources_all_regions ? true : var.region == "ap-southeast-3" + + tags = var.tags + + depends_on = [aws_s3_bucket_policy.audit_log] +} + module "config_baseline_ca-central-1" { count = var.config_baseline_enabled && contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/config-baseline" @@ -481,6 +503,7 @@ resource "aws_config_config_rule" "iam_mfa" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -516,6 +539,7 @@ resource "aws_config_config_rule" "unused_credentials" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, 
@@ -556,6 +580,7 @@ resource "aws_config_config_rule" "user_no_policies" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, @@ -596,6 +621,7 @@ resource "aws_config_config_rule" "no_policies_with_full_admin_access" { module.config_baseline_ap-south-1, module.config_baseline_ap-southeast-1, module.config_baseline_ap-southeast-2, + module.config_baseline_ap-southeast-3, module.config_baseline_ca-central-1, module.config_baseline_eu-central-1, module.config_baseline_eu-north-1, diff --git a/ebs_baselines.tf b/ebs_baselines.tf index 3da9c5ea..86af2d20 100644 --- a/ebs_baselines.tf +++ b/ebs_baselines.tf @@ -56,6 +56,15 @@ module "ebs_baseline_ap-southeast-2" { } } +module "ebs_baseline_ap-southeast-3" { + count = contains(var.target_regions, "ap-southeast-3") ? 1 : 0 + source = "./modules/ebs-baseline" + + providers = { + aws = aws.ap-southeast-3 + } +} + module "ebs_baseline_ca-central-1" { count = contains(var.target_regions, "ca-central-1") ? 1 : 0 source = "./modules/ebs-baseline" diff --git a/examples/external-bucket/main.tf b/examples/external-bucket/main.tf index 8ab31369..d5c7e98f 100644 --- a/examples/external-bucket/main.tf +++ b/examples/external-bucket/main.tf @@ -37,6 +37,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/external-bucket/regions.tf b/examples/external-bucket/regions.tf index 6937e512..ae84f002 100644 --- a/examples/external-bucket/regions.tf +++ b/examples/external-bucket/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/master/main.tf b/examples/organization/master/main.tf index f74dfcf4..c5a9c901 100644 --- a/examples/organization/master/main.tf +++ b/examples/organization/master/main.tf @@ -53,6 +53,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/master/regions.tf b/examples/organization/master/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/master/regions.tf +++ b/examples/organization/master/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/organization/member/main.tf b/examples/organization/member/main.tf index 8c20c3d9..cefd0d10 100644 --- a/examples/organization/member/main.tf +++ b/examples/organization/member/main.tf @@ -46,6 +46,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/organization/member/regions.tf b/examples/organization/member/regions.tf index 6937e512..ae84f002 100644 --- a/examples/organization/member/regions.tf +++ b/examples/organization/member/regions.tf 
@@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/select-region/main.tf b/examples/select-region/main.tf index 391872ec..9dd6cc35 100644 --- a/examples/select-region/main.tf +++ b/examples/select-region/main.tf @@ -44,6 +44,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/select-region/regions.tf b/examples/select-region/regions.tf index 6937e512..ae84f002 100644 --- a/examples/select-region/regions.tf +++ b/examples/select-region/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" diff --git a/examples/simple/main.tf b/examples/simple/main.tf index 5e672c8e..58d4f5cc 100644 --- a/examples/simple/main.tf +++ b/examples/simple/main.tf @@ -41,6 +41,7 @@ module "secure_baseline" { aws.ap-south-1 = aws.ap-south-1 aws.ap-southeast-1 = aws.ap-southeast-1 aws.ap-southeast-2 = aws.ap-southeast-2 + aws.ap-southeast-3 = aws.ap-southeast-3 aws.ca-central-1 = aws.ca-central-1 aws.eu-central-1 = aws.eu-central-1 aws.eu-north-1 = aws.eu-north-1 diff --git a/examples/simple/regions.tf b/examples/simple/regions.tf index 6937e512..ae84f002 100644 --- a/examples/simple/regions.tf +++ b/examples/simple/regions.tf @@ -33,6 +33,11 @@ provider "aws" { alias = "ap-southeast-2" } +provider "aws" { + region = "ap-southeast-3" + alias = "ap-southeast-3" +} + provider "aws" { region = "ca-central-1" alias = "ca-central-1" 
diff --git a/guardduty_baselines.tf b/guardduty_baselines.tf
index 1d88499f..8cf119d8 100644
--- a/guardduty_baselines.tf
+++ b/guardduty_baselines.tf
@@ -111,6 +111,23 @@ module "guardduty_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "guardduty_baseline_ap-southeast-3" {
+ source = "./modules/guardduty-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0
+ disable_email_notification = var.guardduty_disable_email_notification
+ finding_publishing_frequency = var.guardduty_finding_publishing_frequency
+ invitation_message = var.guardduty_invitation_message
+ master_account_id = local.guardduty_master_account_id
+ member_accounts = local.guardduty_member_accounts
+
+ tags = var.tags
+}
+
 module "guardduty_baseline_ca-central-1" {
 count = contains(var.target_regions, "ca-central-1") && var.guardduty_enabled ? 1 : 0
 source = "./modules/guardduty-baseline"
diff --git a/main.tf b/main.tf
index 1b807f35..7cae3fdc 100644
--- a/main.tf
+++ b/main.tf
@@ -11,7 +11,7 @@ terraform { configuration_aliases = [ aws.ap-northeast-1, aws.ap-northeast-2, aws.ap-northeast-3, aws.ap-south-1, - aws.ap-southeast-1, aws.ap-southeast-2, + aws.ap-southeast-1, aws.ap-southeast-2, aws.ap-southeast-3, aws.ca-central-1, aws.eu-central-1, aws.eu-north-1,
diff --git a/outputs.tf b/outputs.tf
index beae8b0b..34235e1d 100644
--- a/outputs.tf
+++ b/outputs.tf
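Review bot: `guardduty_baseline_ap-southeast-3` orders its arguments differently from the sibling region blocks: `source` comes first and `count` sits below the `providers` block, while `guardduty_baseline_ca-central-1` in the trailing context starts with `count` and then `source`. Nothing changes functionally, but these per-region blocks are meant to be copy-paste identical apart from the region string, and the odd one out makes reviewing the next region addition harder. Move `count = contains(var.target_regions, "ap-southeast-3") && var.guardduty_enabled ? 1 : 0` to the line directly above `source = "./modules/guardduty-baseline"` and keep the remaining arguments in the sibling order.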
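Review bot: Adding `aws.ap-southeast-3` to `configuration_aliases` makes that alias part of the module's provider contract, so an existing root module that calls this module without a `providers` entry for it should now fail with a missing provider configuration error even if it never lists the region in `target_regions`; the examples are updated, but the commit does not flag this as a breaking change for downstream callers. Suggest a note in the README next to the new `aws.ap-southeast-3 = aws.ap-southeast-3` line and in the changelog, e.g. `# Every alias in configuration_aliases must be supplied by the caller, whether or not the region is in target_regions`. The enclosing `terraform` block starts and ends outside the hunk.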
@@ -64,6 +64,7 @@ output "config_configuration_recorder" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].configuration_recorder) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].configuration_recorder) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].configuration_recorder) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].configuration_recorder) "ca-central-1" = one(module.config_baseline_ca-central-1[*].configuration_recorder) "eu-central-1" = one(module.config_baseline_eu-central-1[*].configuration_recorder) "eu-west-1" = one(module.config_baseline_eu-west-1[*].configuration_recorder) @@ -87,6 +88,7 @@ output "config_sns_topic" { "ap-south-1" = one(module.config_baseline_ap-south-1[*].config_sns_topic) "ap-southeast-1" = one(module.config_baseline_ap-southeast-1[*].config_sns_topic) "ap-southeast-2" = one(module.config_baseline_ap-southeast-2[*].config_sns_topic) + "ap-southeast-3" = one(module.config_baseline_ap-southeast-3[*].config_sns_topic) "ca-central-1" = one(module.config_baseline_ca-central-1[*].config_sns_topic) "eu-central-1" = one(module.config_baseline_eu-central-1[*].config_sns_topic) "eu-north-1" = one(module.config_baseline_eu-north-1[*].config_sns_topic) @@ -115,6 +117,7 @@ output "guardduty_detector" { "ap-south-1" = one(module.guardduty_baseline_ap-south-1[*].guardduty_detector) "ap-southeast-1" = one(module.guardduty_baseline_ap-southeast-1[*].guardduty_detector) "ap-southeast-2" = one(module.guardduty_baseline_ap-southeast-2[*].guardduty_detector) + "ap-southeast-3" = one(module.guardduty_baseline_ap-southeast-3[*].guardduty_detector) "ca-central-1" = one(module.guardduty_baseline_ca-central-1[*].guardduty_detector) "eu-central-1" = one(module.guardduty_baseline_eu-central-1[*].guardduty_detector) "eu-north-1" = one(module.guardduty_baseline_eu-north-1[*].guardduty_detector) 
@@ -156,6 +159,7 @@ output "vpc_flow_logs_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].vpc_flow_logs_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].vpc_flow_logs_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].vpc_flow_logs_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].vpc_flow_logs_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].vpc_flow_logs_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].vpc_flow_logs_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].vpc_flow_logs_group) @@ -180,6 +184,7 @@ output "default_vpc" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_vpc) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_vpc) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_vpc) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_vpc) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_vpc) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_vpc) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_vpc) @@ -204,6 +209,7 @@ output "default_security_group" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_security_group) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_security_group) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_security_group) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_security_group) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_security_group) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_security_group) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_security_group) 
@@ -228,6 +234,7 @@ output "default_network_acl" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_network_acl) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_network_acl) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_network_acl) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_network_acl) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_network_acl) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_network_acl) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_network_acl) @@ -252,6 +259,7 @@ output "default_route_table" { "ap-south-1" = one(module.vpc_baseline_ap-south-1[*].default_route_table) "ap-southeast-1" = one(module.vpc_baseline_ap-southeast-1[*].default_route_table) "ap-southeast-2" = one(module.vpc_baseline_ap-southeast-2[*].default_route_table) + "ap-southeast-3" = one(module.vpc_baseline_ap-southeast-3[*].default_route_table) "ca-central-1" = one(module.vpc_baseline_ca-central-1[*].default_route_table) "eu-central-1" = one(module.vpc_baseline_eu-central-1[*].default_route_table) "eu-north-1" = one(module.vpc_baseline_eu-north-1[*].default_route_table) diff --git a/securityhub_baselines.tf b/securityhub_baselines.tf index a8324d6e..e791fa22 100644 --- a/securityhub_baselines.tf +++ b/securityhub_baselines.tf 
@@ -108,6 +108,23 @@ module "securityhub_baseline_ap-southeast-2" {
 member_accounts = local.securityhub_member_accounts
 }
 
+module "securityhub_baseline_ap-southeast-3" {
+ count = contains(var.target_regions, "ap-southeast-3") && var.securityhub_enabled ? 1 : 0
+ source = "./modules/securityhub-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ aggregate_findings = var.region == "ap-southeast-3"
+ enable_cis_standard = var.securityhub_enable_cis_standard
+ enable_pci_dss_standard = var.securityhub_enable_pci_dss_standard
+ enable_aws_foundational_standard = var.securityhub_enable_aws_foundational_standard
+ enable_product_arns = var.securityhub_enable_product_arns
+ master_account_id = local.securityhub_master_account_id
+ member_accounts = local.securityhub_member_accounts
+}
+
 module "securityhub_baseline_ca-central-1" {
 count = contains(var.target_regions, "ca-central-1") && var.securityhub_enabled ? 1 : 0
 source = "./modules/securityhub-baseline"
diff --git a/variables.tf b/variables.tf
index a942f3c9..eaa98451 100644
--- a/variables.tf
+++ b/variables.tf
@@ -49,6 +49,7 @@ variable "target_regions" {
 "ap-south-1",
 "ap-southeast-1",
 "ap-southeast-2",
+ "ap-southeast-3",
 "ca-central-1",
 "eu-central-1",
 "eu-north-1",
diff --git a/vpc_baselines.tf b/vpc_baselines.tf
index fd2ed472..8f1e4c35 100644
--- a/vpc_baselines.tf
+++ b/vpc_baselines.tf
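Review bot: `ap-southeast-3` (Jakarta) is an opt-in region, and adding it to the default value of `target_regions` means every deployment that relies on the default now attempts to create the Config, GuardDuty, Security Hub, Access Analyzer, EBS and VPC baselines there; in an account where the region has not been enabled those API calls fail and the apply stops, whereas the neighbouring regions in this list are enabled by default. Either leave the default unchanged and let users add the region explicitly, or document the prerequisite next to the new entry, e.g. `# ap-southeast-3 is an opt-in region; enable it in the account (or drop it from target_regions) before applying`. The variable's `description` is outside the hunk and would be the natural place for that sentence; the README provider list at the top of this patch could carry the same caveat.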
@@ -177,6 +177,25 @@ module "vpc_baseline_ap-southeast-2" {
 tags = var.tags
 }
 
+module "vpc_baseline_ap-southeast-3" {
+ count = var.vpc_enable && contains(var.target_regions, "ap-southeast-3") ? 1 : 0
+ source = "./modules/vpc-baseline"
+
+ providers = {
+ aws = aws.ap-southeast-3
+ }
+
+ enable_flow_logs = var.vpc_enable_flow_logs
+ flow_logs_destination_type = var.vpc_flow_logs_destination_type
+ flow_logs_log_group_name = var.vpc_flow_logs_log_group_name
+ flow_logs_iam_role_arn = local.flow_logs_to_cw_logs ? aws_iam_role.flow_logs_publisher[0].arn : null
+ flow_logs_retention_in_days = var.vpc_flow_logs_retention_in_days
+ flow_logs_s3_arn = local.flow_logs_s3_arn
+ flow_logs_s3_key_prefix = var.vpc_flow_logs_s3_key_prefix
+
+ tags = var.tags
+}
+
 module "vpc_baseline_ca-central-1" {
 count = var.vpc_enable && contains(var.target_regions, "ca-central-1") ? 1 : 0
 source = "./modules/vpc-baseline"