Merge pull request #4 from venkyio/main

add exclude rule packs

Sorry for the long delay, thanks for the PR!

examples/complete/main.tf

@@ -13,6 +13,12 @@ module "managed_rules" {
  "Operational-Best-Practices-for-NIST-800-53-rev-4",
  ]
 
+ rule_packs_to_exclude = [
+ "Operational-Best-Practices-for-CIS-AWS-v1.4-Level1",
+ "Operational-Best-Practices-for-CIS-AWS-v1.4-Level2",
+ ]
+
+
  # Extra rules not included in the Packs you want to deploy
  rules_to_include = [
  "dax-encryption-enabled",
@@ -35,4 +41,4 @@ module "managed_rules" {
  }
  }
  }
-}
+}

locals.tf

@@ -6,6 +6,11 @@ locals {
  local.pack_file["packs"][pack]
  ]
 
+ rule_packs_to_exclude = [
+ for pack in var.rule_packs_to_exclude :
+ local.pack_file["packs"][pack]
+ ]
+
  rules_collected = sort(
  distinct(
  flatten(
@@ -17,9 +22,20 @@ locals {
  )
  )
 
+ rules_exclude_collected = sort(
+ distinct(
+ flatten(
+ concat(
+ var.rules_to_exclude,
+ local.rule_packs_to_exclude
+ )
+ )
+ )
+ )
+
  final_rules = [
  for rule in local.rules_collected :
- rule if !contains(var.rules_to_exclude, rule)
+ rule if !contains(local.rules_exclude_collected, rule)
  ]
 
  final_managed_rules = merge(local.managed_rules, var.rule_overrides)

variables.tf

@@ -19,6 +19,15 @@ variable "rule_packs" {
  type = list(string)
 }
 
+# In cases where rules from other packs overlap and let's say we want to exclude all overlap rules from a pack.. 
+# this feature should address that. Example use case is where securityhub deploys CIS Level1 and 2 Rules and 
+# lets say we want to exclude all these rules from NIST pack
+variable "rule_packs_to_exclude" {
+ description = "A list of Rule Packs (based off AWS Conformance Packs) from which overlap rules to exclude"
+ default = []
+ type = list(string)
+}
+
 variable "rules_to_exclude" {
  description = "A list of individual AWS-managed Config Rules to exclude from deployment"
  default = []