feat: Allow overriding items for each control in cis-alarms module (#41)

fcoelho · web-flow · commit f04d5d1019a7 · 2022-04-14T15:31:01.000+02:00
diff --git a/examples/cis-alarms/README.md b/examples/cis-alarms/README.md
@@ -32,8 +32,10 @@ No providers.
 |------|--------|---------|
 | <a name="module_all_cis_alarms"></a> [all\_cis\_alarms](#module\_all\_cis\_alarms) | ../../modules/cis-alarms | n/a |
 | <a name="module_aws_sns_topic"></a> [aws\_sns\_topic](#module\_aws\_sns\_topic) | ../fixtures/aws_sns_topic | n/a |
+| <a name="module_control_overrides"></a> [control\_overrides](#module\_control\_overrides) | ../../modules/cis-alarms | n/a |
 | <a name="module_disabled_all_cis_alarms"></a> [disabled\_all\_cis\_alarms](#module\_disabled\_all\_cis\_alarms) | ../../modules/cis-alarms | n/a |
 | <a name="module_log"></a> [log](#module\_log) | ../fixtures/aws_cloudwatch_log_group | n/a |
+| <a name="module_second_aws_sns_topic"></a> [second\_aws\_sns\_topic](#module\_second\_aws\_sns\_topic) | ../fixtures/aws_sns_topic | n/a |
 
 ## Resources
 
diff --git a/examples/cis-alarms/main.tf b/examples/cis-alarms/main.tf
@@ -6,6 +6,10 @@ module "aws_sns_topic" {
   source = "../fixtures/aws_sns_topic"
 }
 
+module "second_aws_sns_topic" {
+  source = "../fixtures/aws_sns_topic"
+}
+
 module "log" {
   source = "../fixtures/aws_cloudwatch_log_group"
 }
@@ -30,3 +34,20 @@ module "disabled_all_cis_alarms" {
   log_group_name = module.log.cloudwatch_log_group_name
   alarm_actions  = [module.aws_sns_topic.sns_topic_arn]
 }
+
+module "control_overrides" {
+  source = "../../modules/cis-alarms"
+
+  log_group_name = module.log.cloudwatch_log_group_name
+  alarm_actions  = [module.aws_sns_topic.sns_topic_arn]
+
+  control_overrides = {
+    NoMFAConsoleSignin = {
+      pattern = "{($.eventName=\"ConsoleLogin\") && ($.additionalEventData.MFAUsed != \"Yes\") && ($.userIdentity.sessionContext.sessionIssuer.arn != \"arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*\")}"
+    }
+
+    AWSOrganizationsChanges = {
+      alarm_actions = [module.second_aws_sns_topic.sns_topic_arn]
+    }
+  }
+}
diff --git a/modules/cis-alarms/README.md b/modules/cis-alarms/README.md
@@ -36,6 +36,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_actions_enabled"></a> [actions\_enabled](#input\_actions\_enabled) | Indicates whether or not actions should be executed during any changes to the alarm's state. | `bool` | `true` | no |
 | <a name="input_alarm_actions"></a> [alarm\_actions](#input\_alarm\_actions) | List of ARNs to put as Cloudwatch Alarms actions (eg, ARN of SNS topic) | `list(string)` | `[]` | no |
+| <a name="input_control_overrides"></a> [control\_overrides](#input\_control\_overrides) | A map of overrides to apply to each control | `any` | `{}` | no |
 | <a name="input_create"></a> [create](#input\_create) | Whether to create the Cloudwatch log metric filter and metric alarms | `bool` | `true` | no |
 | <a name="input_disabled_controls"></a> [disabled\_controls](#input\_disabled\_controls) | List of IDs of disabled CIS controls | `list(string)` | `[]` | no |
 | <a name="input_log_group_name"></a> [log\_group\_name](#input\_log\_group\_name) | The name of the log group to associate the metric filter with | `string` | `""` | no |
diff --git a/modules/cis-alarms/main.tf b/modules/cis-alarms/main.tf
@@ -79,7 +79,7 @@ locals {
   ###############
 
   prefix   = var.use_random_name_prefix ? "${random_pet.this[0].id}-" : var.name_prefix
-  controls = { for k, v in local.all_controls : k => v if !contains(var.disabled_controls, k) }
+  controls = { for k, v in local.all_controls : k => merge(v, try(var.control_overrides[k], {})) if var.create && !contains(var.disabled_controls, k) }
 }
 
 resource "random_pet" "this" {
@@ -89,7 +89,7 @@ resource "random_pet" "this" {
 }
 
 resource "aws_cloudwatch_log_metric_filter" "this" {
-  for_each = var.create ? local.controls : {}
+  for_each = local.controls
 
   name           = "${local.prefix}${each.key}"
   pattern        = each.value["pattern"]
@@ -104,7 +104,7 @@ resource "aws_cloudwatch_log_metric_filter" "this" {
 }
 
 resource "aws_cloudwatch_metric_alarm" "this" {
-  for_each = var.create ? local.controls : {}
+  for_each = local.controls
 
   metric_name       = aws_cloudwatch_log_metric_filter.this[each.key].id
   namespace         = lookup(each.value, "namespace", var.namespace)
diff --git a/modules/cis-alarms/variables.tf b/modules/cis-alarms/variables.tf
@@ -16,6 +16,12 @@ variable "name_prefix" {
   default     = ""
 }
 
+variable "control_overrides" {
+  description = "A map of overrides to apply to each control"
+  default     = {}
+  type        = any
+}
+
 variable "disabled_controls" {
   description = "List of IDs of disabled CIS controls"
   type        = list(string)

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ locals {`
`79`	`79`	`###############`
`80`	`80`
`81`	`81`	`prefix = var.use_random_name_prefix ? "${random_pet.this[0].id}-" : var.name_prefix`
`82`		`- controls = { for k, v in local.all_controls : k => v if !contains(var.disabled_controls, k) }`
	`82`	`+ controls = { for k, v in local.all_controls : k => merge(v, try(var.control_overrides[k], {})) if var.create && !contains(var.disabled_controls, k) }`
`83`	`83`	`}`
`84`	`84`
`85`	`85`	`resource "random_pet" "this" {`
`@@ -89,7 +89,7 @@ resource "random_pet" "this" {`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`resource "aws_cloudwatch_log_metric_filter" "this" {`
`92`		`- for_each = var.create ? local.controls : {}`
	`92`	`+ for_each = local.controls`
`93`	`93`
`94`	`94`	`name = "${local.prefix}${each.key}"`
`95`	`95`	`pattern = each.value["pattern"]`
`@@ -104,7 +104,7 @@ resource "aws_cloudwatch_log_metric_filter" "this" {`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`resource "aws_cloudwatch_metric_alarm" "this" {`
`107`		`- for_each = var.create ? local.controls : {}`
	`107`	`+ for_each = local.controls`
`108`	`108`
`109`	`109`	`metric_name = aws_cloudwatch_log_metric_filter.this[each.key].id`
`110`	`110`	`namespace = lookup(each.value, "namespace", var.namespace)`