fixed tf deprecation added benchmark 3 (#296)

* fixed tf deprecation added benchmark 3

* updating variable definitions for CKV_AWS_338; also missing end curly brace

---------

Co-authored-by: tnicholson-aws <tnicholson@beyondtrust.com>
Co-authored-by: cyphronix <57731583+cyphronix@users.noreply.github.com>

Author: 3 people

aws_sra_examples/terraform/common/main.tf

@@ -144,7 +144,7 @@ resource "local_file" "config_file_creation" {
     # Security Hub Settings
     ########################################################################
     disable_security_hub                     = false
-    cis_standard_version                     = "1.4.0"
+    cis_standard_version                     = "3.0.0"
     compliance_frequency                     = "7"
     securityhub_control_tower_regions_only   = true
     enable_cis_standard                      = false

aws_sra_examples/terraform/common/sra_execution_role/main.tf

@@ -13,16 +13,17 @@ resource "aws_iam_role" "sra_execution_role" {
       Action = "sts:AssumeRole",
       Effect = "Allow",
       Principal = {
-        AWS = "arn:${var.aws_partition}:iam::${var.management_account_id}:root"
+        AWS = format("arn:%s:iam::%s:root", var.aws_partition, var.management_account_id)
       }
     }]
   })
 
-  managed_policy_arns = [
-    "arn:${var.aws_partition}:iam::aws:policy/AdministratorAccess"
-  ]
-
   tags = {
     "sra-solution" = var.solution_name
   }
+}
+
+resource "aws_iam_role_policy_attachment" "sra_execution_role_admin_policy" {
+  role       = aws_iam_role.sra_execution_role.name
+  policy_arn = format("arn:%s:iam::aws:policy/AdministratorAccess", var.aws_partition)
 }

aws_sra_examples/terraform/solutions/security_hub/README.md

@@ -182,7 +182,7 @@ Please navigate to the [installing the AWS SRA Solutions](./../../README.md#inst
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_audit_account_id"></a> [audit\_account\_id](#input\_audit\_account\_id) | AWS Account ID of the Control Tower Audit account. | `string` | n/a | yes |
-| <a name="input_cis_standard_version"></a> [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"1.4.0"` | no |
+| <a name="input_cis_standard_version"></a> [cis\_standard\_version](#input\_cis\_standard\_version) | CIS Standard Version | `string` | `"3.0.0"` | no |
 | <a name="input_compliance_frequency"></a> [compliance\_frequency](#input\_compliance\_frequency) | Frequency to Check for Organizational Compliance (in days between 1 and 30, default is 7) | `number` | `7` | no |
 | <a name="input_control_tower_lifecycle_rule_name"></a> [control\_tower\_lifecycle\_rule\_name](#input\_control\_tower\_lifecycle\_rule\_name) | The name of the AWS Control Tower Life Cycle Rule | `string` | `"sra-securityhub-org-trigger"` | no |
 | <a name="input_create_lambda_log_group"></a> [create\_lambda\_log\_group](#input\_create\_lambda\_log\_group) | Indicates whether a CloudWatch Log Group should be explicitly created for the Lambda function | `bool` | `false` | no |

aws_sra_examples/terraform/solutions/security_hub/configuration/variables.tf

@@ -129,7 +129,11 @@ variable "lambda_log_group_kms_key" {
 variable "lambda_log_group_retention" {
   description = "Specifies the number of days you want to retain log events"
   type        = number
-  default     = 14
+  default     = 365
+  validation {
+    condition = var.lambda_log_group_retention >= 365
+    error_message = "Cloudwatch log group retention must be at least 365 days to meet CKV_AWS338 best practice."
+  }
 }
 
 variable "lambda_log_level" {

aws_sra_examples/terraform/solutions/security_hub/variables.tf

@@ -37,7 +37,11 @@ variable "sra_solution_name" {
 variable "cis_standard_version" {
   description = "CIS Standard Version"
   type        = string
-  default     = "1.4.0"
+  default     = "3.0.0"
+  validation {
+    condition     = contains(["NONE", "1.2.0", "1.4.0", "3.0.0"], var.cis_standard_version)
+    error_message = "Valid values for cis_standard_version are NONE, 1.2.0, 1.4.0, or 3.0.0."
+  } 
 }
 
 variable "compliance_frequency" {
@@ -155,7 +159,11 @@ variable "lambda_log_group_kms_key" {
 variable "lambda_log_group_retention" {
   description = "Specifies the number of days you want to retain log events"
   type        = number
-  default     = 14
+  default     = 365
+  validation {
+    condition = var.lambda_log_group_retention >= 365
+    error_message = "Cloudwatch log group retention must be at least 365 days to meet CKV_AWS_338 best practice."
+  }
 }
 
 variable "lambda_log_level" {