Improve macie-account module

tedilabs · May 8, 2024 · ce65f6a · ce65f6a
1 parent b97717a
commit ce65f6a
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 32 deletions.
diff --git a/modules/macie-account/README.md b/modules/macie-account/README.md
@@ -18,7 +18,7 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.48.0 |
 
 ## Modules
 
@@ -39,9 +39,9 @@ This module creates following resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_discovery_result"></a> [discovery\_result](#input\_discovery\_result) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result` block as defined below.<br>    (Required) `s3_bucket` - The name of the S3 bucket in which Amazon Macie exports the data discovery result.<br>    (Optional) `s3_key_prefix` - The key prefix for the specified S3 bucket. Defaults to `""`.<br>    (Required) `encryption_kms_key` - The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data. | `map(any)` | `null` | no |
+| <a name="input_discovery_result_repository"></a> [discovery\_result\_repository](#input\_discovery\_result\_repository) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result_repository` block as defined below.<br>    (Optional) `s3_bucket` - A configuration for the S3 bucket in which Amazon Macie exports the data discovery results. `s3_bucket` as defined below.<br>      (Required) `name` - The name of the S3 bucket in which Amazon Macie exports the data classification results.<br>      (Optional) `key_prefix` - The key prefix for the specified S3 bucket.<br>      (Required) `sse_kms_key` - The ARN of the AWS KMS key to be used to encrypt the data. | <pre>object({<br>    s3_bucket = optional(object({<br>      name        = string<br>      key_prefix  = optional(string, "")<br>      sse_kms_key = string<br>    }))<br>  })</pre> | `{}` | no |
 | <a name="input_enabled"></a> [enabled](#input\_enabled) | (Optional) Whether to enable Amazon Macie and start all Macie activities for the account. Defaults to `true`. Set `false` to suspend Macie, it stops monitoring your AWS environment and does not generate new findings. The existing findings remain intact and are not affected. Delete `aws_macie2_account` resource to disable Macie, it permanently deletes all of your existing findings, classification jobs, and other Macie resources. | `bool` | `true` | no |
-| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.<br>    (Required) `account_id` -<br>    (Required) `email` -<br>    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account.<br>    (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie. | `any` | `[]` | no |
+| <a name="input_member_accounts"></a> [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.<br>    (Required) `account_id` - The AWS account ID for the account.<br>    (Required) `email` -  The email address for the account.<br>    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.<br>    (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie. | <pre>list(object({<br>    account_id = string<br>    email      = string<br>    enabled    = optional(bool, true)<br>    tags       = optional(map(string), {})<br>  }))</pre> | `[]` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
@@ -54,6 +54,7 @@ This module creates following resources.
 | Name | Description |
 |------|-------------|
 | <a name="output_created_at"></a> [created\_at](#output\_created\_at) | The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie account was created. |
+| <a name="output_discovery_result_repository"></a> [discovery\_result\_repository](#output\_discovery\_result\_repository) | The configuration for discovery result location and encryption of the macie account. |
 | <a name="output_enabled"></a> [enabled](#output\_enabled) | Whether the macie account is eanbled. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the macie account. |
 | <a name="output_member_accounts"></a> [member\_accounts](#output\_member\_accounts) | The list of configruations for member accounts on the macie account. |

diff --git a/modules/macie-account/main.tf b/modules/macie-account/main.tf
@@ -41,6 +41,10 @@ resource "aws_macie2_account" "this" {
 
 # TODO: Cannot delete member account from AWS Organization
 # https://github.com/hashicorp/terraform-provider-aws/issues/26219
+# INFO: Not supported attributes
+# - `invite`
+# - `invitation_message`
+# - `invitation_disable_email_notification`
 resource "aws_macie2_member" "this" {
   for_each = {
     for account in var.member_accounts :
@@ -51,11 +55,13 @@ resource "aws_macie2_member" "this" {
   email      = each.value.email
   status     = try(each.value.enabled, true) ? "ENABLED" : "PAUSED"
 
+
   ## Invitation
   # invite                                = true
   # invitation_message                    = "Message of the invitation"
   # invitation_disable_email_notification = true
 
+
   tags = merge(
     {
       "Name" = each.key
@@ -84,12 +90,12 @@ resource "aws_macie2_member" "this" {
 ###################################################
 
 resource "aws_macie2_classification_export_configuration" "this" {
-  count = var.discovery_result != null ? 1 : 0
+  count = var.discovery_result_repository.s3_bucket != null ? 1 : 0
 
   s3_destination {
-    bucket_name = var.discovery_result.s3_bucket
-    key_prefix  = try(var.discovery_result.s3_key_prefix, "")
-    kms_key_arn = var.discovery_result.encryption_kms_key
+    bucket_name = var.discovery_result_repository.s3_bucket.name
+    key_prefix  = var.discovery_result_repository.s3_bucket.key_prefix
+    kms_key_arn = var.discovery_result_repository.s3_bucket.sse_kms_key
   }
 
   depends_on = [

diff --git a/modules/macie-account/outputs.tf b/modules/macie-account/outputs.tf
@@ -43,18 +43,22 @@ output "member_accounts" {
   value = {
     for id, account in aws_macie2_member.this :
     id => {
-      id      = account.id
-      arn     = account.arn
-      email   = account.email
-      enabled = account.status == "ENABLED"
+      id                  = account.id
+      arn                 = account.arn
+      email               = account.email
+      enabled             = account.status == "ENABLED"
+      relationship_status = account.relationship_status
+
+      updated_at = account.updated_at
     }
   }
 }
 
-# TODO
-# output "discovery_result" {
-#   description = <<EOF
-#   The configuration for discovery result location and encryption of the macie account.
-#   EOF
-#   value       = aws_macie2_classification_export_configuration.this
-# }
+output "discovery_result_repository" {
+  description = <<EOF
+  The configuration for discovery result location and encryption of the macie account.
+  EOF
+  value = {
+    s3_bucket = var.discovery_result_repository.s3_bucket
+  }
+}
diff --git a/modules/macie-account/variables.tf b/modules/macie-account/variables.tf
@@ -20,27 +20,40 @@ variable "update_frequency" {
 variable "member_accounts" {
   description = <<EOF
   (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.
-    (Required) `account_id` -
-    (Required) `email` -
-    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account.
+    (Required) `account_id` - The AWS account ID for the account.
+    (Required) `email` -  The email address for the account.
+    (Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.
     (Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie.
   EOF
-  type        = any
-  default     = []
-  nullable    = false
+  type = list(object({
+    account_id = string
+    email      = string
+    enabled    = optional(bool, true)
+    tags       = optional(map(string), {})
+  }))
+  default  = []
+  nullable = false
 }
 
-
-variable "discovery_result" {
+variable "discovery_result_repository" {
   description = <<EOF
-  (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result` block as defined below.
-    (Required) `s3_bucket` - The name of the S3 bucket in which Amazon Macie exports the data discovery result.
-    (Optional) `s3_key_prefix` - The key prefix for the specified S3 bucket. Defaults to `""`.
-    (Required) `encryption_kms_key` - The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.
+  (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result_repository` block as defined below.
+    (Optional) `s3_bucket` - A configuration for the S3 bucket in which Amazon Macie exports the data discovery results. `s3_bucket` as defined below.
+      (Required) `name` - The name of the S3 bucket in which Amazon Macie exports the data classification results.
+      (Optional) `key_prefix` - The key prefix for the specified S3 bucket.
+      (Required) `sse_kms_key` - The ARN of the AWS KMS key to be used to encrypt the data.
   EOF
-  type        = map(any)
-  default     = null
+  type = object({
+    s3_bucket = optional(object({
+      name        = string
+      key_prefix  = optional(string, "")
+      sse_kms_key = string
+    }))
+  })
+  default  = {}
+  nullable = false
 }
+
 variable "tags" {
   description = "(Optional) A map of tags to add to all resources."
   type        = map(string)