Support unused access analyzer in access-analyzer

tedilabs · Apr 23, 2024 · 63f4578 · 63f4578
1 parent 61b285b
commit 63f4578
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 13 deletions.
diff --git a/modules/access-analyzer/README.md b/modules/access-analyzer/README.md
@@ -10,14 +10,14 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.22 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.34 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.46.0 |
 
 ## Modules
 
@@ -42,8 +42,10 @@ This module creates following resources.
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_scope"></a> [scope](#input\_scope) | (Optional) A scope of Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
-| <a name="input_type"></a> [type](#input\_type) | (Optional) Type of Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
+| <a name="input_type"></a> [type](#input\_type) | (Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`. | `string` | `"EXTERNAL_ACCESS"` | no |
+| <a name="input_unused_access_tracking_period"></a> [unused\_access\_tracking\_period](#input\_unused\_access\_tracking\_period) | (Optional) A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`. | `number` | `90` | no |
 
 ## Outputs
 
@@ -53,5 +55,7 @@ This module creates following resources.
 | <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of this Analyzer. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of this Analyzer. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the Analyzer. |
-| <a name="output_type"></a> [type](#output\_type) | The type of Analyzer. |
+| <a name="output_scope"></a> [scope](#output\_scope) | The scope of Analyzer. |
+| <a name="output_type"></a> [type](#output\_type) | The finding type of Analyzer. |
+| <a name="output_unused_access_tracking_period"></a> [unused\_access\_tracking\_period](#output\_unused\_access\_tracking\_period) | The scope of Analyzer. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/modules/access-analyzer/main.tf b/modules/access-analyzer/main.tf
@@ -14,9 +14,34 @@ locals {
   } : {}
 }
 
+
+###################################################
+# Access Analyzer
+###################################################
+
 resource "aws_accessanalyzer_analyzer" "this" {
   analyzer_name = var.name
-  type          = var.type
+  type = (var.type == "EXTERNAL_ACCESS"
+    ? var.scope
+    : (var.type == "UNUSED_ACCESS"
+      ? "${var.scope}_UNUSED_ACCESS"
+      : null
+    )
+  )
+
+  dynamic "configuration" {
+    for_each = var.type == "UNUSED_ACCESS" ? ["go"] : []
+
+    content {
+      dynamic "unused_access" {
+        for_each = var.type == "UNUSED_ACCESS" ? ["go"] : []
+
+        content {
+          unused_access_age = var.unused_access_tracking_period
+        }
+      }
+    }
+  }
 
   tags = merge(
     {

diff --git a/modules/access-analyzer/outputs.tf b/modules/access-analyzer/outputs.tf
@@ -14,8 +14,21 @@ output "arn" {
 }
 
 output "type" {
-  description = "The type of Analyzer."
-  value       = aws_accessanalyzer_analyzer.this.type
+  description = "The finding type of Analyzer."
+  value       = var.type
+}
+
+output "scope" {
+  description = "The scope of Analyzer."
+  value       = var.scope
+}
+
+output "unused_access_tracking_period" {
+  description = "The scope of Analyzer."
+  value = (var.type == "UNUSED_ACCESS"
+    ? one(aws_accessanalyzer_analyzer.this.configuration[0].unused_access[*].unused_access_age)
+    : null
+  )
 }
 
 output "archive_rules" {

diff --git a/modules/access-analyzer/variables.tf b/modules/access-analyzer/variables.tf
@@ -4,14 +4,41 @@ variable "name" {
 }
 
 variable "type" {
-  description = "(Optional) Type of Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`."
+  description = "(Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`."
+  type        = string
+  default     = "EXTERNAL_ACCESS"
+  nullable    = false
+
+  validation {
+    condition     = contains(["EXTERNAL_ACCESS", "UNUSED_ACCESS"], var.type)
+    error_message = "The `type` should be one of `EXTERNAL_ACCESS`, `UNUSED_ACCESS`."
+  }
+}
+
+variable "scope" {
+  description = "(Optional) A scope of Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`."
   type        = string
   default     = "ACCOUNT"
   nullable    = false
 
   validation {
-    condition     = contains(["ACCOUNT", "ORGANIZATION"], var.type)
-    error_message = "The `type` should be one of `ACCOUNT`, `ORGANIZATION`."
+    condition     = contains(["ACCOUNT", "ORGANIZATION"], var.scope)
+    error_message = "The `scope` should be one of `ACCOUNT`, `ORGANIZATION`."
+  }
+}
+
+variable "unused_access_tracking_period" {
+  description = "(Optional) A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`."
+  type        = number
+  default     = 90
+  nullable    = false
+
+  validation {
+    condition = alltrue([
+      var.unused_access_tracking_period >= 1,
+      var.unused_access_tracking_period <= 180
+    ])
+    error_message = "Valid value for `unused_access_tracking_period` is between 1 and 180."
   }
 }
 

diff --git a/modules/access-analyzer/versions.tf b/modules/access-analyzer/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.22"
+      version = ">= 5.34"
     }
   }
 }