Allow Security Hub product subscriptions from top module

Author: snemetz

README.md

@@ -122,6 +122,7 @@ This module is composed of several submodules, all of which can be used independ
 | <a name="input_s3_ignore_public_acls"></a> [s3\_ignore\_public\_acls](#input\_s3\_ignore\_public\_acls) | Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_s3_restrict_public_buckets"></a> [s3\_restrict\_public\_buckets](#input\_s3\_restrict\_public\_buckets) | Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. | `bool` | `true` | no |
 | <a name="input_security_administrator_account_id"></a> [security\_administrator\_account\_id](#input\_security\_administrator\_account\_id) | AWS Security Administrator Account ID | `number` | n/a | yes |
+| <a name="input_securityhub_enable_products"></a> [securityhub\_enable\_products](#input\_securityhub\_enable\_products) | Subscribe Security Hub to Products | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Specifies object tags key and value. This applies to all resources created by this module. | `map(any)` | <pre>{<br>  "Environment": "infra",<br>  "Product": "security",<br>  "Team": "devops",<br>  "Terraform": true<br>}</pre> | no |
 | <a name="input_target_regions"></a> [target\_regions](#input\_target\_regions) | A list of regions to set up with this module. | `list(string)` | <pre>[<br>  "eu-west-1",<br>  "us-east-1",<br>  "us-east-2"<br>]</pre> | no |
 | <a name="input_vpc_flow_logs_s3_key_prefix"></a> [vpc\_flow\_logs\_s3\_key\_prefix](#input\_vpc\_flow\_logs\_s3\_key\_prefix) | S3 key prefix for VPC Flow Logs | `string` | `"flow-logs"` | no |

securityhub.tf

@@ -8,6 +8,7 @@ module "securityhub_eu-west-1" {
     aws = aws.eu-west-1
   }
   account_type                      = var.account_type
+  enable_products                   = var.securityhub_enable_products
   security_administrator_account_id = var.security_administrator_account_id
 }
 
@@ -20,6 +21,7 @@ module "securityhub_us-east-1" {
     aws = aws.us-east-1
   }
   account_type                      = var.account_type
+  enable_products                   = var.securityhub_enable_products
   security_administrator_account_id = var.security_administrator_account_id
 }
 
@@ -32,5 +34,6 @@ module "securityhub_us-east-2" {
     aws = aws.us-east-2
   }
   account_type                      = var.account_type
+  enable_products                   = var.securityhub_enable_products
   security_administrator_account_id = var.security_administrator_account_id
 }

variables.tf

@@ -399,6 +399,15 @@ variable "force_destroy" {
 #  default     = ""
 #}
 
+### -----------------------------
+### Security Hub Settings
+### -----------------------------
+variable "securityhub_enable_products" {
+  description = "Subscribe Security Hub to Products"
+  type        = list(string)
+  default     = []
+}
+
 ### -----------------------------
 ### Organization Settings
 ### -----------------------------