Merge pull request #4 from venkyio/main

grothja · web-flow · commit b23355d28e73 · 2022-01-23T18:07:19.000-05:00
add exclude rule packs

Sorry for the long delay, thanks for the PR!
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -13,6 +13,12 @@ module "managed_rules" {
     "Operational-Best-Practices-for-NIST-800-53-rev-4",
   ]
 
+  rule_packs_to_exclude = [
+    "Operational-Best-Practices-for-CIS-AWS-v1.4-Level1",
+    "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2",
+  ]
+
+
   # Extra rules not included in the Packs you want to deploy
   rules_to_include = [
     "dax-encryption-enabled",
@@ -35,4 +41,4 @@ module "managed_rules" {
       }
     }
   }
-}
+}
diff --git a/locals.tf b/locals.tf
@@ -6,6 +6,11 @@ locals {
     local.pack_file["packs"][pack]
   ]
 
+  rule_packs_to_exclude = [
+    for pack in var.rule_packs_to_exclude :
+    local.pack_file["packs"][pack]
+  ]
+
   rules_collected = sort(
     distinct(
       flatten(
@@ -17,9 +22,20 @@ locals {
     )
   )
 
+  rules_exclude_collected = sort(
+    distinct(
+      flatten(
+        concat(
+          var.rules_to_exclude,
+          local.rule_packs_to_exclude
+        )
+      )
+    )
+  )
+
   final_rules = [
     for rule in local.rules_collected :
-    rule if !contains(var.rules_to_exclude, rule)
+    rule if !contains(local.rules_exclude_collected, rule)
   ]
 
   final_managed_rules = merge(local.managed_rules, var.rule_overrides)
diff --git a/variables.tf b/variables.tf
@@ -19,6 +19,15 @@ variable "rule_packs" {
   type        = list(string)
 }
 
+# In cases where rules from other packs overlap and let's say we want to exclude all overlap rules from a pack.. 
+# this feature should address that. Example use case is where securityhub deploys CIS Level1 and 2 Rules and 
+# lets say we want to exclude all these rules from NIST pack
+variable "rule_packs_to_exclude" {
+  description = "A list of Rule Packs (based off AWS Conformance Packs) from which overlap rules to exclude"
+  default     = []
+  type        = list(string)
+}
+
 variable "rules_to_exclude" {
   description = "A list of individual AWS-managed Config Rules to exclude from deployment"
   default     = []

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,12 @@ module "managed_rules" {`
`13`	`13`	`"Operational-Best-Practices-for-NIST-800-53-rev-4",`
`14`	`14`	`]`
`15`	`15`
	`16`	`+ rule_packs_to_exclude = [`
	`17`	`+ "Operational-Best-Practices-for-CIS-AWS-v1.4-Level1",`
	`18`	`+ "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2",`
	`19`	`+ ]`
	`20`	`+`
	`21`	`+`
`16`	`22`	`# Extra rules not included in the Packs you want to deploy`
`17`	`23`	`rules_to_include = [`
`18`	`24`	`"dax-encryption-enabled",`
`@@ -35,4 +41,4 @@ module "managed_rules" {`
`35`	`41`	`}`
`36`	`42`	`}`
`37`	`43`	`}`
`38`		`-}`
	`44`	`+}`