diff --git a/eventbridge.tf b/eventbridge.tf index c8a30a6..1e72836 100644 --- a/eventbridge.tf +++ b/eventbridge.tf @@ -91,14 +91,19 @@ resource "aws_cloudwatch_event_rule" "imported_findings" { tags = module.this.tags event_pattern = jsonencode( - { - "source" : [ - "aws.securityhub" - ], - "detail-type" : [ - var.cloudwatch_event_rule_pattern_detail_type - ] - } + merge( + { + "source" : [ + "aws.securityhub" + ], + "detail-type" : [ + var.cloudwatch_event_rule_pattern_detail_type + ] + }, + var.cloudwatch_event_rule_pattern_detail != null ? + { "detail" : var.cloudwatch_event_rule_pattern_detail } : + {} + ) ) } diff --git a/main.tf b/main.tf index db78b7c..1682352 100644 --- a/main.tf +++ b/main.tf @@ -4,7 +4,8 @@ resource "aws_securityhub_account" "this" { count = local.enabled ? 1 : 0 - enable_default_standards = var.enable_default_standards + enable_default_standards = var.enable_default_standards + control_finding_generator = var.control_finding_generator } #----------------------------------------------------------------------------------------------------------------------- diff --git a/variables.tf b/variables.tf index 4d03cf0..21124e2 100644 --- a/variables.tf +++ b/variables.tf @@ -9,6 +9,21 @@ variable "enable_default_standards" { default = true } +variable "control_finding_generator" { + description = <<-DOC + Updates whether the calling account has consolidated control findings turned on. + If the value for this field is set to , + + SECURITY_CONTROL - Security Hub generates a single finding for a control check even when + the check applies to multiple enabled standards. + + STANDARD_CONTROL - Security Hub generates separate findings for a control check when the + check applies to multiple enabled standards. + DOC + type = string + default = "SECURITY_CONTROL" +} + variable "enabled_standards" { description = <<-DOC A list of standards/rulesets to enable @@ -55,7 +70,7 @@ variable "imported_findings_notification_arn" { description = <<-DOC The ARN for an SNS topic to send findings notifications to. This is only used if create_sns_topic is false. - If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set + If you want to send findings to an existing SNS topic, set the value of this to the ARN of the existing topic and set create_sns_topic to false. DOC default = null @@ -64,7 +79,7 @@ variable "imported_findings_notification_arn" { variable "cloudwatch_event_rule_pattern_detail_type" { description = <<-DOC - The detail-type pattern used to match events that will be sent to SNS. + The detail-type pattern used to match events that will be sent to SNS. For more information, see: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html @@ -73,6 +88,17 @@ variable "cloudwatch_event_rule_pattern_detail_type" { default = "Security Hub Findings - Imported" } +variable "cloudwatch_event_rule_pattern_detail" { + description = <<-DOC + The detail pattern used to match events that will be sent to SNS. + + For more information, see: + https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html + DOC + type = any + default = null +} + variable "finding_aggregator_enabled" { description = <<-DOC Flag to indicate whether a finding aggregator should be created @@ -89,9 +115,9 @@ variable "finding_aggregator_enabled" { variable "finding_aggregator_linking_mode" { description = <<-DOC - Linking mode to use for the finding aggregator. + Linking mode to use for the finding aggregator. - The possible values are: + The possible values are: - `ALL_REGIONS` - Aggregate from all regions - `ALL_REGIONS_EXCEPT_SPECIFIED` - Aggregate from all regions except those specified in `var.finding_aggregator_regions` - `SPECIFIED_REGIONS` - Aggregate from regions specified in `finding_aggregator_enabled` @@ -102,7 +128,7 @@ variable "finding_aggregator_linking_mode" { variable "finding_aggregator_regions" { description = <<-DOC - A list of regions to aggregate findings from. + A list of regions to aggregate findings from. This is only used if `finding_aggregator_enabled` is `true`. DOC