aws-ia / terraform-aws-security-hub

Configure and deploy AWS Security Hub.
https://registry.terraform.io/modules/aws-ia/security-hub/aws/latest
Apache License 2.0

Unsuitable for use in multiple regions due to forced aws_securityhub_finding_aggregator #2

Open kevins9 opened 10 months ago

kevins9 commented 10 months ago

I attempted to use multiple instances of this module to configure Security Hub in multiple regions. (Perhaps this is unnecessary, and I misunderstand how Security Hub works?) This is not currently possible (v0.0.1) because the Security Hub finding aggregator can only exist in a single region, and the module always creates this. I worked around the problem here by vendoring & modifying the module; please accept my apologies for not creating a proper PR but I don't have time to set up the dev environment.

My change was as follows: Change the default value of var.linking_mode to null.

Modify aws_securityhub_finding_aggregator.this:

resource "aws_securityhub_finding_aggregator" "this" {
  # Create the aggregator only when a linking mode is given. Security Hub
  # allows a single finding aggregator, so every module instance except the
  # one in the aggregation region should leave linking_mode as null.
  for_each          = var.linking_mode != null ? toset(["enabled"]) : toset([])
  linking_mode      = var.linking_mode
  specified_regions = var.specified_regions

  depends_on = [time_sleep.wait_securityhub_enable]
}

# Preserve existing state: the single resource instance becomes the
# for_each instance keyed "enabled" instead of being destroyed and recreated.
moved {
  from = aws_securityhub_finding_aggregator.this
  to   = aws_securityhub_finding_aggregator.this["enabled"]
}

Users now only get a finding aggregator if they set a linking_mode, and I was able to create two instances of Security Hub to my delegated admin account in different regions, with only one finding aggregator. Unfortunately, my fix changes the default behavior of the module, so perhaps you would not want to implement it identically, and instead require users to opt out of the finding aggregator by nulling the input.
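As an added illustration (not code from the issue, the reporter, or the aws-ia module), the following shows a variable declaration with a null default plus a root configuration that calls a module instance per region, with only the aggregation region setting a linking mode. The provider aliases, region choices and the local module path are assumptions.

```hcl
# Added example, not from the issue or the aws-ia module.
# Assumes a vendored copy of the module at ./modules/security-hub that
# skips the finding aggregator when linking_mode is null.

# --- inside the module (variables.tf) ---
variable "linking_mode" {
  description = "Aggregator linking mode; null disables the aggregator in this region."
  type        = string
  default     = null

  validation {
    # Conditional branches are evaluated lazily, so contains() never sees null.
    condition = var.linking_mode == null ? true : contains(
      ["ALL_REGIONS", "ALL_REGIONS_EXCEPT_SPECIFIED", "SPECIFIED_REGIONS"],
      var.linking_mode
    )
    error_message = "linking_mode must be null or one of the Security Hub aggregator modes."
  }
}

# --- root configuration (main.tf) ---
provider "aws" {
  alias  = "use1"
  region = "us-east-1"
}

provider "aws" {
  alias  = "euw1"
  region = "eu-west-1"
}

# Aggregation region: the only instance that creates a finding aggregator,
# pulling findings from eu-west-1 into us-east-1.
module "security_hub_use1" {
  source    = "./modules/security-hub"
  providers = { aws = aws.use1 }

  linking_mode      = "SPECIFIED_REGIONS"
  specified_regions = ["eu-west-1"]
}

# Linked region: Security Hub is enabled, but linking_mode stays null so
# no second aggregator is attempted.
module "security_hub_euw1" {
  source    = "./modules/security-hub"
  providers = { aws = aws.euw1 }

  linking_mode = null
}
```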

rodrigobersa commented 10 months ago

Hey @kevins9!

Thanks for opening this issue and sharing this workaround; in fact, I was not aware of this information regarding the finding aggregator. Let me take a closer look at the multi-region setup.