# Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 # SPDX-License-Identifier: MIT-0
 #
 # Permission is hereby granted, free of charge, to any person obtaining a copy of this
 # software and associated documentation files (the "Software"), to deal in the Software
 # without restriction, including without limitation the rights to use, copy, modify,
 # merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
 # permit persons to whom the Software is furnished to do so.
 #
 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
 # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
 # PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
 # HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
 # SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Enable GuardDuty
resource "aws_guardduty_detector" "GuardDuty_Detector" {
  enable                       = true
  finding_publishing_frequency = "${var.GuardDuty_Finding_Publishing_Frequency}"
  depends_on                   = ["aws_securityhub_account.Security_Hub_Enabled"]
}
# Enable Security Hub
resource "aws_securityhub_account" "Security_Hub_Enabled" {
  depends_on = ["aws_config_configuration_recorder_status.Config_Recorder_Enabled"]
}
# Enable CIS standard
resource "aws_securityhub_standards_subscription" "Security_Hub_CIS_Standard_Subscription" {
  depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
  standards_arn = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"
}
# Enable PCI-DSS standard
resource "aws_securityhub_standards_subscription" "Security_Hub_PCIDSS_Standard_Subscription" {
  depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
  standards_arn = "arn:aws:securityhub:${var.AWS_REGION}::standards/pci-dss/v/3.2.1"
}
# create IAM access analyzer
resource "aws_accessanalyzer_analyzer" "IAA" {
  analyzer_name = "terraformanalyzer"
  depends_on    = ["aws_securityhub_account.Security_Hub_Enabled"]
}
# Create Inspector assessment that targets all Instances 
resource "aws_inspector_assessment_target" "Inspector_Assessment_Target_All" {
  name = "target-all-instances"
}
# Change rule package Variables dependent on location
resource "aws_inspector_assessment_template" "Inspector_Assessment_Template" {
  name               = "all-assessments-template"
  duration           = 3600
  target_arn         = "${aws_inspector_assessment_target.Inspector_Assessment_Target_All.arn}"
  rules_package_arns = "${var.Inspector_Assessment_Rules_Packages_APSoutheast2}"
}