added varaible for the logging_account in aws_s3 module

locals.tf

@@ -210,7 +210,7 @@ locals {
   rds_performance_insight          = var.enable_nist_features == true ? true : false
   rds_performance_retention_period = var.enable_nist_features == true ? 7 : 0
 
-    ###nist-resource-chcker
+  ###nist-resource-chcker
   bucket_exists   = try(module.resource_checker[0].bucket_external["exists"], "false")
   waf_exists      = try(module.resource_checker[0].waf_external["exists"], "false")
   waf_arn         = try(module.resource_checker[0].waf_external["arn"], "")

main.tf

@@ -97,8 +97,8 @@ module "vpc" {
   hub_environment        = var.hub_environment
   hub                    = var.hub
   vpc_nist_endpoints     = var.vpc_nist_endpoints
-  local_s3_bucket_arn = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
-  depends_on          = [module.spoke_logging_bucket]
+  local_s3_bucket_arn    = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
+  depends_on             = [module.spoke_logging_bucket]
 
 }
 
@@ -313,7 +313,7 @@ module "postgresql" {
   tags = merge(local.tags, { "Backup" = var.enable_nist_features == true ? "Enabled" : null })
 
   # DB subnet group - use public subnet if public access is requested
-  publicly_accessible =  length(local.postgres_public_access_cidrs) > 0 && var.enable_nist_features == false ? true : false
+  publicly_accessible = length(local.postgres_public_access_cidrs) > 0 && var.enable_nist_features == false ? true : false
   subnet_ids          = length(local.postgres_public_access_cidrs) > 0 ? length(module.vpc.public_subnets) > 0 ? module.vpc.database_subnets : module.vpc.database_subnets : module.vpc.database_subnets
 
   # DB parameter group
@@ -395,12 +395,13 @@ module "spoke_logging_bucket" {
   spoke_account_id       = var.spoke_account_id
   tags                   = local.tags
   hub_environment        = var.hub_environment
-  depends_on = [module.resource_checker]
+  logging_account        = var.logging_account
+  depends_on             = [module.resource_checker]
 }
 
 ###################################Config Conformance Pack############################
 module "nist_pack" {
-  count = var.enable_nist_features == true ? 1 : 0
+  count                        = var.enable_nist_features == true ? 1 : 0
   source                       = "./modules/aws_config"
   conformance_pack_name        = var.conformance_pack_name
   custom_conformance_pack_name = var.custom_conformance_pack_name
@@ -416,15 +417,15 @@ module "iam_access_analyzer" {
   analyzer_type_external = "ACCOUNT"
   analyzer_type_unused   = "ACCOUNT_UNUSED_ACCESS"
   tags                   = local.tags
-  depends_on = [module.resource_checker]
+  depends_on             = [module.resource_checker]
 
 }
 
 ######### WAF & WAF LOGGING #########
 module "spoke_waf" {
-  count      = var.enable_nist_features == true && local.waf_exists == "false" ? 1 : 0
-  depends_on = [ module.spoke_logging_bucket , module.resource_checker]
-  source     = "./modules/aws_waf"
+  count               = var.enable_nist_features == true && local.waf_exists == "false" ? 1 : 0
+  depends_on          = [module.spoke_logging_bucket, module.resource_checker]
+  source              = "./modules/aws_waf"
   local_s3_bucket_arn = var.enable_nist_features == false ? null : local.bucket_exists == "false" ? module.spoke_logging_bucket[0].local_s3_bucket_arn : "arn:aws:s3:::aws-waf-logs-infra-${var.spoke_account_id}-${var.location}-bkt"
   spoke_account_id    = var.spoke_account_id
   location            = var.location

modules/aws_s3/main.tf

@@ -76,7 +76,7 @@ data "aws_iam_policy_document" "assume_role_local" {
     }
     principals {
       type        = "AWS"
-      identifiers = ["arn:aws:iam::730335345263:role/sascloud-awsng-logging-cross-account-iam-role"]
+      identifiers = ["arn:aws:iam::${var.logging_account}:role/sascloud-awsng-logging-cross-account-iam-role"]
     }
     actions = ["sts:AssumeRole"]
   }

modules/aws_s3/variables.tf

@@ -41,3 +41,8 @@ variable "prefixes" {
   default = ["vpc-flow", "alb-nlb", "dns-query"]
 }
 
+variable "logging_account" {
+  description = "Central logging accoutn ID"
+  type        = string
+}
+

outputs.tf

@@ -122,7 +122,7 @@ output "postgres_servers" {
 
 output "nat_ip" {
   description = "List of public Elastic IPs created for AWS NAT Gateway."
-  value       = var.enable_nist_features == true ?  null : module.vpc.nat_public_ips[0]
+  value       = var.enable_nist_features == true ? null : module.vpc.nat_public_ips[0]
 }
 
 output "prefix" {

variables.tf

@@ -779,7 +779,7 @@ variable "analyzer_name" {
 variable "central_logging_bucket" {
   type        = string
   description = "Centralized logging bucket"
-  default = ""
+  default     = ""
 }
 
 variable "conformance_pack_name" {
@@ -865,6 +865,10 @@ variable "org_id" {
   default = ""
 }
 
+variable "logging_account" {
+  description = "Central logging accoutn ID"
+  type        = string
+}
 
 
 

vms.tf

@@ -33,7 +33,7 @@ resource "aws_fsx_ontap_file_system" "ontap-fs" {
   security_group_ids  = [local.workers_security_group_id]
   tags                = merge(local.tags, { "Name" : "${var.prefix}-ontap-fs", "Backup" = var.enable_nist_features == true ? "Enabled" : null })
   kms_key_id          = lookup(local.kms_keys, "fsx_key", null)
-  depends_on = [module.ontap]
+  depends_on          = [module.ontap]
 }
 
 # ONTAP storage virtual machine and volume resources
@@ -180,6 +180,6 @@ module "nfs" {
   ssh_public_key        = local.ssh_public_key
   enable_ebs_encryption = var.enable_ebs_encryption
 
-  cloud_init = data.cloudinit_config.nfs[0].rendered
-  ebs_cmk_key          = lookup(local.kms_keys, "ebs_key", null)
+  cloud_init  = data.cloudinit_config.nfs[0].rendered
+  ebs_cmk_key = lookup(local.kms_keys, "ebs_key", null)
 }