From ce65f6a046a1248d00fb24195e512425f2f69f0d Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Wed, 8 May 2024 17:23:31 +0900 Subject: [PATCH] Improve macie-account module --- modules/macie-account/README.md | 7 ++--- modules/macie-account/main.tf | 14 +++++++--- modules/macie-account/outputs.tf | 26 +++++++++++-------- modules/macie-account/variables.tf | 41 ++++++++++++++++++++---------- 4 files changed, 56 insertions(+), 32 deletions(-) diff --git a/modules/macie-account/README.md b/modules/macie-account/README.md index d870c01..42f2484 100644 --- a/modules/macie-account/README.md +++ b/modules/macie-account/README.md @@ -18,7 +18,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.48.0 | ## Modules @@ -39,9 +39,9 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [discovery\_result](#input\_discovery\_result) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result` block as defined below.
(Required) `s3_bucket` - The name of the S3 bucket in which Amazon Macie exports the data discovery result.
(Optional) `s3_key_prefix` - The key prefix for the specified S3 bucket. Defaults to `""`.
(Required) `encryption_kms_key` - The Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data. | `map(any)` | `null` | no | +| [discovery\_result\_repository](#input\_discovery\_result\_repository) | (Optional) The configuration for discovery result location and encryption of the macie account. A `discovery_result_repository` block as defined below.
(Optional) `s3_bucket` - A configuration for the S3 bucket in which Amazon Macie exports the data discovery results. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket in which Amazon Macie exports the data classification results.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket.
(Required) `sse_kms_key` - The ARN of the AWS KMS key to be used to encrypt the data. |
object({
s3_bucket = optional(object({
name = string
key_prefix = optional(string, "")
sse_kms_key = string
}))
})
| `{}` | no | | [enabled](#input\_enabled) | (Optional) Whether to enable Amazon Macie and start all Macie activities for the account. Defaults to `true`. Set `false` to suspend Macie, it stops monitoring your AWS environment and does not generate new findings. The existing findings remain intact and are not affected. Delete `aws_macie2_account` resource to disable Macie, it permanently deletes all of your existing findings, classification jobs, and other Macie resources. | `bool` | `true` | no | -| [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.
(Required) `account_id` -
(Required) `email` -
(Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account.
(Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie. | `any` | `[]` | no | +| [member\_accounts](#input\_member\_accounts) | (Optional) A list of configurations for member accounts on the macie account. Each block of `member_accounts` as defined below.
(Required) `account_id` - The AWS account ID for the account.
(Required) `email` - The email address for the account.
(Optional) `enabled` - Whether to enable Amazon Macie and start all Macie activities for the member account. Defaults to `true`.
(Optional) `tags` - A map of key-value pairs that specifies the tags to associate with the account in Amazon Macie. |
list(object({
account_id = string
email = string
enabled = optional(bool, true)
tags = optional(map(string), {})
}))
| `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | @@ -54,6 +54,7 @@ This module creates following resources. | Name | Description | |------|-------------| | [created\_at](#output\_created\_at) | The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie account was created. | +| [discovery\_result\_repository](#output\_discovery\_result\_repository) | The configuration for discovery result location and encryption of the macie account. | | [enabled](#output\_enabled) | Whether the macie account is eanbled. | | [id](#output\_id) | The ID of the macie account. | | [member\_accounts](#output\_member\_accounts) | The list of configruations for member accounts on the macie account. | diff --git a/modules/macie-account/main.tf b/modules/macie-account/main.tf index 699930a..a4529e5 100644 --- a/modules/macie-account/main.tf +++ b/modules/macie-account/main.tf @@ -41,6 +41,10 @@ resource "aws_macie2_account" "this" { # TODO: Cannot delete member account from AWS Organization # https://github.com/hashicorp/terraform-provider-aws/issues/26219 +# INFO: Not supported attributes +# - `invite` +# - `invitation_message` +# - `invitation_disable_email_notification` resource "aws_macie2_member" "this" { for_each = { for account in var.member_accounts : 
@@ -51,11 +55,13 @@ resource "aws_macie2_member" "this" { email = each.value.email status = try(each.value.enabled, true) ? "ENABLED" : "PAUSED" + ## Invitation # invite = true # invitation_message = "Message of the invitation" # invitation_disable_email_notification = true + tags = merge( { "Name" = each.key @@ -84,12 +90,12 @@ resource "aws_macie2_member" "this" { ################################################### resource "aws_macie2_classification_export_configuration" "this" { - count = var.discovery_result != null ? 1 : 0 + count = var.discovery_result_repository.s3_bucket != null ? 1 : 0 s3_destination { - bucket_name = var.discovery_result.s3_bucket - key_prefix = try(var.discovery_result.s3_key_prefix, "") - kms_key_arn = var.discovery_result.encryption_kms_key + bucket_name = var.discovery_result_repository.s3_bucket.name + key_prefix = var.discovery_result_repository.s3_bucket.key_prefix + kms_key_arn = var.discovery_result_repository.s3_bucket.sse_kms_key } depends_on = [ diff --git a/modules/macie-account/outputs.tf b/modules/macie-account/outputs.tf index ffa22f0..aa3988b 100644 --- a/modules/macie-account/outputs.tf +++ b/modules/macie-account/outputs.tf @@ -43,18 +43,22 @@ output "member_accounts" { value = { for id, account in aws_macie2_member.this : id => { - id = account.id - arn = account.arn - email = account.email - enabled = account.status == "ENABLED" + id = account.id + arn = account.arn + email = account.email + enabled = account.status == "ENABLED" + relationship_status = account.relationship_status + + updated_at = account.updated_at } } } -# TODO -# output "discovery_result" { -# description = <
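Review bot: The new `kms_key_arn = var.discovery_result_repository.s3_bucket.sse_kms_key` hands the caller's string to the API unchecked, and the README hunk declares `sse_kms_key` as a bare `string`; the argument name indicates the provider expects a full KMS key ARN, so a key ID or alias would only fail at apply time instead of at plan. The variables.tf hunk is not in view, but a `validation` block on `discovery_result_repository` along the lines of `condition = var.discovery_result_repository.s3_bucket == null || can(regex("^arn:aws[a-z-]*:kms:", var.discovery_result_repository.s3_bucket.sse_kms_key))` would surface this early, and a similar check that `name` is a bucket name rather than an ARN would help. It is also worth adding to the variable description that the export bucket's policy and the KMS key policy must grant the Macie service principal write and encrypt access, since nothing visible in this module manages those policies and a missing grant is not caught by Terraform. The resource body continues past the hunk (`depends_on = [` is left open here).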