# Account-level security baseline. Each module call below turns on one
# guardrail; the module internals are not visible from this file, so the
# notes describe only what the call sites state.

# IAM baseline: password policy, baseline roles and Access Analyzer.
# The module can also create a CloudHealth role; that is switched off here.
module "iam-baseline" {
  source = "../../modules/security_identity_compliance/roles_iam_resources"

  customer-name                = var.customer-name
  default-tags                 = local.default-tags
  create-cloudhealth-resources = false
}

# Creates CloudTrail for the account.
# NOTE(review): the module path suggests delivery to CloudWatch Logs. Confirm
# inside the module that the trail covers all regions, that log file
# validation is on and that the log destination is protected from deletion.
module "cloudtrail" {
  source = "../../modules/security_identity_compliance/cloudtrail_cwlogs"

  resource-prefix = local.resource-prefix
  default-tags    = local.default-tags
}

# Deletes the default VPCs in all regions.
# NOTE(review): destructive. Presumably any workload still attached to a
# default VPC has to be moved first; confirm before the first apply.
module "delete-default-vpcs" {
  source = "../../modules/networking/delete-default-vpcs"
}

# Enables AWS Config in all regions and sets up aggregation.
module "enable-aws-config" {
  source = "../../modules/security_identity_compliance/aws_config"

  resource-prefix = local.resource-prefix
  default-tags    = local.default-tags
}

# Enables GuardDuty.
# If you are using AWS Organizations, the GuardDuty delegated admin should be
# configured on the landing zone security account so that findings are
# managed centrally. See
# https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html
module "enable-guardduty" {
  source = "../../modules/security_identity_compliance/guardduty"

  default-tags = local.default-tags
}

# Enables Security Hub.
# If you are using AWS Organizations, the Security Hub delegated admin should
# be configured on the landing zone security account so that findings are
# managed centrally. See
# https://docs.aws.amazon.com/securityhub/latest/userguide/designate-orgs-admin-account.html
# NOTE(review): Security Hub control checks rely on AWS Config recording, and
# no ordering against module.enable-aws-config is declared here. Confirm
# whether the module handles that itself.
module "enable-securityhub" {
  source = "../../modules/security_identity_compliance/security_hub"
}

# Other default account settings.
module "default-account-settings" {
  source = "../../modules/security_identity_compliance/other-default-settings"
}