feat(access-analyzer): support configurations for unused access and internal access

Author: posquit0

modules/access-analyzer/README.md

@@ -10,20 +10,20 @@ This module creates following resources.
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.34 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.12 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.12 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.46.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 6.13.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
+| <a name="module_resource_group"></a> [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |
 
 ## Resources
 
@@ -37,15 +37,15 @@ This module creates following resources.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) The name of the Analyzer. | `string` | n/a | yes |
-| <a name="input_archive_rules"></a> [archive\_rules](#input\_archive\_rules) | (Optional) A list of archive rules for the AccessAnalyzer Analyzer. Each item of `archive_rules` block as defined below.<br>    (Required) `name` - The name of archive rule.<br>    (Required) `filters` - A list of filter criterias for the archive rule. Each item of `filters` block as defined below.<br>      (Required) `criteria` - The filter criteria.<br>      (Optional) `contains` - Contains comparator.<br>      (Optional) `exists` - Exists comparator (Boolean).<br>      (Optional) `eq` - Equal comparator.<br>      (Optional) `neq` - Not Equal comparator. | `any` | `[]` | no |
+| <a name="input_archive_rules"></a> [archive\_rules](#input\_archive\_rules) | (Optional) A list of archive rules for the AccessAnalyzer Analyzer. Each item of `archive_rules` block as defined below.<br/>    (Required) `name` - The name of archive rule.<br/>    (Required) `filters` - A list of filter criterias for the archive rule. Each item of `filters` block as defined below.<br/>      (Required) `criteria` - The filter criteria.<br/>      (Optional) `contains` - Contains comparator.<br/>      (Optional) `exists` - Exists comparator (Boolean).<br/>      (Optional) `eq` - Equal comparator.<br/>      (Optional) `neq` - Not Equal comparator. | <pre>list(object({<br/>    name = string<br/>    filters = list(object({<br/>      criteria = string<br/>      contains = optional(list(string))<br/>      exists   = optional(bool)<br/>      eq       = optional(list(string))<br/>      neq      = optional(list(string))<br/>    }))<br/>  }))</pre> | `[]` | no |
+| <a name="input_internal_access_analysis"></a> [internal\_access\_analysis](#input\_internal\_access\_analysis) | (Optional) A configurations for the `INTERNAL_ACCESS` type Analyzer. `internal_access_analysis` as defined below.<br/>    (Optional) `rules` - A list of rules for internal access analyzer. Each item of `rules` block as defined below.<br/>      (Required) `inclusion` - An inclusion rule to filter findings. `inclusion` as defined below.<br/>        (Optional) `accounts` - A set of account IDs to include in the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.<br/>        (Optional) `resource_arns` - A set of resource ARNs to include in the analysis. The analyzer will only generate findings for resources that match these ARNs.<br/>        (Optional) `resource_types` - A set of resource types to include in the analysis. The analyzer will only generate findings for resources of these types | <pre>object({<br/>    rules = optional(list(object({<br/>      inclusion = object({<br/>        accounts       = optional(set(string), [])<br/>        resource_arns  = optional(set(string), [])<br/>        resource_types = optional(set(string), [])<br/>      })<br/>    })), [])<br/>  })</pre> | `{}` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
+| <a name="input_resource_group"></a> [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.<br/>    (Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br/>    (Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br/>    (Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br/>    enabled     = optional(bool, true)<br/>    name        = optional(string, "")<br/>    description = optional(string, "Managed by Terraform.")<br/>  })</pre> | `{}` | no |
 | <a name="input_scope"></a> [scope](#input\_scope) | (Optional) A scope of Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
-| <a name="input_type"></a> [type](#input\_type) | (Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`. | `string` | `"EXTERNAL_ACCESS"` | no |
-| <a name="input_unused_access_tracking_period"></a> [unused\_access\_tracking\_period](#input\_unused\_access\_tracking\_period) | (Optional) A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`. | `number` | `90` | no |
+| <a name="input_type"></a> [type](#input\_type) | (Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS`, `INTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`. | `string` | `"EXTERNAL_ACCESS"` | no |
+| <a name="input_unused_access_analysis"></a> [unused\_access\_analysis](#input\_unused\_access\_analysis) | (Optional) A configurations for the `UNUSED_ACCESS` type Analyzer. `unused_access_analysis` as defined below.<br/>    (Optional) `tracking_period` - A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`.<br/>    (Optional) `rules` - A list of rules for unused access analyzer. Each item of `rules` block as defined below.<br/>      (Required) `exclusion` - An exclusion rule to filter findings. `exclusion` as defined below.<br/>        (Optional) `accounts` - A set of account IDs to exclude from the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.<br/>        (Optional) `resource_tags` - A list of tag key and value pairs to exclude from the analysis. | <pre>object({<br/>    tracking_period = optional(number, 90)<br/>    rules = optional(list(object({<br/>      exclusion = object({<br/>        accounts      = optional(set(string), [])<br/>        resource_tags = optional(list(map(string)), [])<br/>      })<br/>    })), [])<br/>  })</pre> | `{}` | no |
 
 ## Outputs
 
@@ -54,8 +54,11 @@ This module creates following resources.
 | <a name="output_archive_rules"></a> [archive\_rules](#output\_archive\_rules) | A list of archive rules for the Analyzer. |
 | <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of this Analyzer. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of this Analyzer. |
+| <a name="output_internal_access_analysis"></a> [internal\_access\_analysis](#output\_internal\_access\_analysis) | The configurations for the `INTERNAL_ACCESS` type Analyzer. |
 | <a name="output_name"></a> [name](#output\_name) | The name of the Analyzer. |
+| <a name="output_region"></a> [region](#output\_region) | The AWS region this module resources resides in. |
+| <a name="output_resource_group"></a> [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
 | <a name="output_scope"></a> [scope](#output\_scope) | The scope of Analyzer. |
 | <a name="output_type"></a> [type](#output\_type) | The finding type of Analyzer. |
-| <a name="output_unused_access_tracking_period"></a> [unused\_access\_tracking\_period](#output\_unused\_access\_tracking\_period) | The scope of Analyzer. |
+| <a name="output_unused_access_analysis"></a> [unused\_access\_analysis](#output\_unused\_access\_analysis) | The configurations for the `UNUSED_ACCESS` type Analyzer. |
 <!-- END_TF_DOCS -->

modules/access-analyzer/main.tf

@@ -20,24 +20,74 @@ locals {
 ###################################################
 
 resource "aws_accessanalyzer_analyzer" "this" {
+  region = var.region
+
   analyzer_name = var.name
-  type = (var.type == "EXTERNAL_ACCESS"
-    ? var.scope
-    : (var.type == "UNUSED_ACCESS"
-      ? "${var.scope}_UNUSED_ACCESS"
-      : null
-    )
-  )
+  type          = "${var.scope}${var.type == "EXTERNAL_ACCESS" ? "" : "_${var.type}"}"
 
   dynamic "configuration" {
-    for_each = var.type == "UNUSED_ACCESS" ? ["go"] : []
+    for_each = contains(["INTERNAL_ACCESS", "UNUSED_ACCESS"], var.type) ? ["go"] : []
 
     content {
+      dynamic "internal_access" {
+        for_each = var.type == "INTERNAL_ACCESS" ? ["go"] : []
+
+        content {
+          dynamic "analysis_rule" {
+            for_each = length(var.internal_access_analysis.rules) > 0 ? ["go"] : []
+            iterator = rule
+
+            content {
+              dynamic "inclusion" {
+                for_each = var.internal_access_analysis.rules[*].inclusion
+
+                content {
+                  account_ids = (length(inclusion.value.accounts) > 0
+                    ? inclusion.value.accounts
+                    : null
+                  )
+                  resource_arns = (length(inclusion.value.resource_arns) > 0
+                    ? inclusion.value.resource_arns
+                    : null
+                  )
+                  resource_types = (length(inclusion.value.resource_types) > 0
+                    ? inclusion.value.resource_types
+                    : null
+                  )
+                }
+              }
+            }
+          }
+        }
+      }
+
       dynamic "unused_access" {
         for_each = var.type == "UNUSED_ACCESS" ? ["go"] : []
 
         content {
-          unused_access_age = var.unused_access_tracking_period
+          unused_access_age = var.unused_access_analysis.tracking_period
+
+          dynamic "analysis_rule" {
+            for_each = length(var.unused_access_analysis.rules) > 0 ? ["go"] : []
+            iterator = rule
+
+            content {
+              dynamic "exclusion" {
+                for_each = var.unused_access_analysis.rules[*].exclusion
+
+                content {
+                  account_ids = (length(exclusion.value.accounts) > 0
+                    ? exclusion.value.accounts
+                    : null
+                  )
+                  resource_tags = (length(exclusion.value.resource_tags) > 0
+                    ? exclusion.value.resource_tags
+                    : null
+                  )
+                }
+              }
+            }
+          }
         }
       }
     }
@@ -58,6 +108,8 @@ resource "aws_accessanalyzer_archive_rule" "this" {
     rule.name => rule
   }
 
+  region = var.region
+
   analyzer_name = aws_accessanalyzer_analyzer.this.analyzer_name
   rule_name     = each.key
 

modules/access-analyzer/outputs.tf

@@ -1,3 +1,8 @@
+output "region" {
+  description = "The AWS region this module resources resides in."
+  value       = aws_accessanalyzer_analyzer.this.region
+}
+
 output "name" {
   description = "The name of the Analyzer."
   value       = aws_accessanalyzer_analyzer.this.analyzer_name
@@ -23,10 +28,23 @@ output "scope" {
   value       = var.scope
 }
 
-output "unused_access_tracking_period" {
-  description = "The scope of Analyzer."
+output "internal_access_analysis" {
+  description = "The configurations for the `INTERNAL_ACCESS` type Analyzer."
+  value = (var.type == "INTERNAL_ACCESS"
+    ? {
+      rules = var.internal_access_analysis.rules
+    }
+    : null
+  )
+}
+
+output "unused_access_analysis" {
+  description = "The configurations for the `UNUSED_ACCESS` type Analyzer."
   value = (var.type == "UNUSED_ACCESS"
-    ? one(aws_accessanalyzer_analyzer.this.configuration[0].unused_access[*].unused_access_age)
+    ? {
+      tracking_period = one(aws_accessanalyzer_analyzer.this.configuration[0].unused_access[*].unused_access_age)
+      rules           = var.unused_access_analysis.rules
+    }
     : null
   )
 }

modules/access-analyzer/resource-group.tf

@@ -16,6 +16,8 @@ module "resource_group" {
 
   count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
 
+  region = var.region
+
   name        = local.resource_group_name
   description = var.resource_group.description
 

modules/access-analyzer/variables.tf

@@ -1,17 +1,25 @@
+variable "region" {
+  description = "(Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region."
+  type        = string
+  default     = null
+  nullable    = true
+}
+
 variable "name" {
   description = "(Required) The name of the Analyzer."
   type        = string
+  nullable    = false
 }
 
 variable "type" {
-  description = "(Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`."
+  description = "(Optional) A finding type of Analyzer. Valid values are `EXTERNAL_ACCESS`, `INTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`."
   type        = string
   default     = "EXTERNAL_ACCESS"
   nullable    = false
 
   validation {
-    condition     = contains(["EXTERNAL_ACCESS", "UNUSED_ACCESS"], var.type)
-    error_message = "The `type` should be one of `EXTERNAL_ACCESS`, `UNUSED_ACCESS`."
+    condition     = contains(["EXTERNAL_ACCESS", "INTERNAL_ACCESS", "UNUSED_ACCESS"], var.type)
+    error_message = "The `type` should be one of `EXTERNAL_ACCESS`, `INTERNAL_ACCESS`, `UNUSED_ACCESS`."
   }
 }
 
@@ -27,18 +35,55 @@ variable "scope" {
   }
 }
 
-variable "unused_access_tracking_period" {
-  description = "(Optional) A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`."
-  type        = number
-  default     = 90
-  nullable    = false
+variable "internal_access_analysis" {
+  description = <<EOF
+  (Optional) A configurations for the `INTERNAL_ACCESS` type Analyzer. `internal_access_analysis` as defined below.
+    (Optional) `rules` - A list of rules for internal access analyzer. Each item of `rules` block as defined below.
+      (Required) `inclusion` - An inclusion rule to filter findings. `inclusion` as defined below.
+        (Optional) `accounts` - A set of account IDs to include in the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
+        (Optional) `resource_arns` - A set of resource ARNs to include in the analysis. The analyzer will only generate findings for resources that match these ARNs.
+        (Optional) `resource_types` - A set of resource types to include in the analysis. The analyzer will only generate findings for resources of these types
+  EOF
+  type = object({
+    rules = optional(list(object({
+      inclusion = object({
+        accounts       = optional(set(string), [])
+        resource_arns  = optional(set(string), [])
+        resource_types = optional(set(string), [])
+      })
+    })), [])
+  })
+  default  = {}
+  nullable = false
+}
+
+variable "unused_access_analysis" {
+  description = <<EOF
+  (Optional) A configurations for the `UNUSED_ACCESS` type Analyzer. `unused_access_analysis` as defined below.
+    (Optional) `tracking_period` - A number of days for the tracking the period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`.
+    (Optional) `rules` - A list of rules for unused access analyzer. Each item of `rules` block as defined below.
+      (Required) `exclusion` - An exclusion rule to filter findings. `exclusion` as defined below.
+        (Optional) `accounts` - A set of account IDs to exclude from the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.
+        (Optional) `resource_tags` - A list of tag key and value pairs to exclude from the analysis.
+  EOF
+  type = object({
+    tracking_period = optional(number, 90)
+    rules = optional(list(object({
+      exclusion = object({
+        accounts      = optional(set(string), [])
+        resource_tags = optional(list(map(string)), [])
+      })
+    })), [])
+  })
+  default  = {}
+  nullable = false
 
   validation {
     condition = alltrue([
-      var.unused_access_tracking_period >= 1,
-      var.unused_access_tracking_period <= 180
+      var.unused_access_analysis.tracking_period >= 1,
+      var.unused_access_analysis.tracking_period <= 180
     ])
-    error_message = "Valid value for `unused_access_tracking_period` is between 1 and 180."
+    error_message = "Valid value for `tracking_period` is between 1 and 180."
   }
 }
 
@@ -53,9 +98,18 @@ variable "archive_rules" {
       (Optional) `eq` - Equal comparator.
       (Optional) `neq` - Not Equal comparator.
   EOF
-  type        = any
-  default     = []
-  nullable    = false
+  type = list(object({
+    name = string
+    filters = list(object({
+      criteria = string
+      contains = optional(list(string))
+      exists   = optional(bool)
+      eq       = optional(list(string))
+      neq      = optional(list(string))
+    }))
+  }))
+  default  = []
+  nullable = false
 
   validation {
     condition = alltrue([
@@ -85,9 +139,6 @@ variable "module_tags_enabled" {
 # Resource Group
 ###################################################
 
-
-
-
 variable "resource_group" {
   description = <<EOF
   (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.

modules/access-analyzer/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.6"
+  required_version = ">= 1.12"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.34"
+      version = ">= 6.12"
     }
   }
 }