From 8f13ac5f55942bf19de3665f3a79e95af311bd3e Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Fri, 10 Nov 2023 14:45:21 +0900 Subject: [PATCH 01/27] Fix typo --- VERSION | 2 +- modules/iam-role/outputs.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index 697f087..48f7a71 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.28.0 +0.28.1 diff --git a/modules/iam-role/outputs.tf b/modules/iam-role/outputs.tf index b2e404f..7f7ce85 100644 --- a/modules/iam-role/outputs.tf +++ b/modules/iam-role/outputs.tf @@ -47,7 +47,7 @@ output "instance_profile" { id = aws_iam_instance_profile.this[0].unique_id arn = aws_iam_instance_profile.this[0].arn name = aws_iam_instance_profile.this[0].name - path = aws_iam_instance_profile.this[1].path + path = aws_iam_instance_profile.this[0].path created_at = aws_iam_instance_profile.this[0].create_date } : null From d3ffd5d7cf10e74bc6b57d9a7395f1ba9e70647a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Dec 2023 11:32:42 +0900 Subject: [PATCH 02/27] Bump tj-actions/changed-files from 40 to 41 (#101) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 40 to 41. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/v40...v41) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 92b2077..fd6ca9f 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 884f3ee..52c19f9 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v40 + uses: tj-actions/changed-files@v41 with: files: | **/*.yaml From 1654d752c417689345652030be85d0e15cdf8e9f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 17 Mar 2024 13:11:52 +0000 Subject: [PATCH 03/27] Bump tj-actions/changed-files from 41 to 43 (#103) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index fd6ca9f..20f5bd6 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | modules/** 
diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index 52c19f9..b1f80a3 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v41 + uses: tj-actions/changed-files@v43 with: files: | **/*.yaml From df281e71a60e108c5787913b5d09df2fb7c86d89 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 31 Mar 2024 10:56:33 +0000 Subject: [PATCH 04/27] Bump tj-actions/changed-files from 43 to 44 (#104) --- .github/workflows/terraform.integration.yaml | 4 ++-- .github/workflows/yaml.integration.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform.integration.yaml b/.github/workflows/terraform.integration.yaml index 20f5bd6..daca2fa 100644 --- a/.github/workflows/terraform.integration.yaml +++ b/.github/workflows/terraform.integration.yaml @@ -31,7 +31,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | modules/** @@ -40,7 +40,7 @@ jobs: - name: Get Changed Directories id: changed-directories - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | modules/** diff --git a/.github/workflows/yaml.integration.yaml b/.github/workflows/yaml.integration.yaml index b1f80a3..fc933f2 100644 --- a/.github/workflows/yaml.integration.yaml +++ b/.github/workflows/yaml.integration.yaml @@ -29,7 +29,7 @@ jobs: - name: Get Changed Files id: changed-files - uses: tj-actions/changed-files@v43 + uses: tj-actions/changed-files@v44 with: files: | **/*.yaml From fa2b7eef4a09706138119f2395e54a569e82cbf1 Mon Sep 17 00:00:00 2001 
From: Byungjin Park Date: Thu, 11 Apr 2024 14:42:03 +0900 Subject: [PATCH 05/27] Improve variables for org-account and org-organizational-unit modules --- VERSION | 2 +- modules/org-account/variables.tf | 36 +++++++++++++------- modules/org-organizational-unit/variables.tf | 24 ++++++++----- 3 files changed, 41 insertions(+), 21 deletions(-) diff --git a/VERSION b/VERSION index 48f7a71..a37255a 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.28.1 +0.28.2 diff --git a/modules/org-account/variables.tf b/modules/org-account/variables.tf index b36008c..4530006 100644 --- a/modules/org-account/variables.tf +++ b/modules/org-account/variables.tf 
@@ -1,53 +1,62 @@ variable "name" { - description = "A friendly name for the member account." + description = "(Required) A friendly name for the member account." type = string + nullable = false } variable "email" { - description = "The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account." + description = "(Required) The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account." type = string + nullable = false } variable "parent_id" { - description = "Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection." + description = "(Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection." type = string default = null + nullable = true } variable "iam_user_access_to_billing_allowed" { - description = "If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information." + description = "(Optional) If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information." type = bool default = false + nullable = false } variable "preconfigured_administrator_role_name" { - description = "The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. 
The role has administrator permissions in the new member account." + description = "(Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account." type = string default = null + nullable = false } variable "delegated_services" { - description = "A list of service principals of the AWS service for which you want to make the member account a delegated administrator." + description = "(Optional) A list of service principals of the AWS service for which you want to make the member account a delegated administrator." type = set(string) default = [] + nullable = false } variable "policies" { - description = "List of IDs of the policies to be attached to the Account." + description = "(Optional) List of IDs of the policies to be attached to the Account." type = list(string) default = [] + nullable = false } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } 
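Review bot: `preconfigured_administrator_role_name` is given `nullable = false` while its `default = null` is kept, and Terraform rejects a null default on a non-nullable variable, so this hunk leaves the module failing validation until the next patch in the series switches it to `nullable = true`; the two settings should have landed together. Separately, `email` becomes non-nullable but still has no `validation` block, so a malformed address is only reported when `aws_organizations_account` is applied, at which point it is already the root-user contact of a newly created member account. A block such as `validation { condition = can(regex("^[^@]+@[^@]+$", var.email)) error_message = "email must be a valid address." }` would surface the mistake at plan time.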
@@ -56,19 +65,22 @@ variable "module_tags_enabled" { ################################################### variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true + nullable = false } variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" + nullable = false } variable "resource_group_description" { - description = "The description of Resource Group." + description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." + nullable = false } diff --git a/modules/org-organizational-unit/variables.tf b/modules/org-organizational-unit/variables.tf index d423097..8532d0a 100644 --- a/modules/org-organizational-unit/variables.tf +++ b/modules/org-organizational-unit/variables.tf 
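Review bot: `resource_group_name` documents a 127-character limit and a ban on names starting with `AWS`/`aws`, but no `validation` block enforces either, so an invalid name fails only once the resource group is created; the identical hunk in modules/org-organizational-unit/variables.tf (`@@ -33,19 +38,22 @@`) has the same gap. A condition such as `length(var.resource_group_name) <= 127 && !startswith(lower(var.resource_group_name), "aws")` with a matching `error_message` would reject it at plan time, and the empty-string default still passes it.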
@@ -1,30 +1,35 @@ variable "name" { - description = "The name of the Organizational Unit." + description = "(Required) The name of the Organizational Unit." type = string + nullable = false } variable "parent_id" { - description = "The ID of the parent organizational unit, which may be the root." + description = "(Optional) The ID of the parent organizational unit, which may be the root." type = string default = null + nullable = true } variable "policies" { - description = "List of IDs of the policies to be attached to the Organizational Unit." + description = "(Optional) List of IDs of the policies to be attached to the Organizational Unit." type = list(string) default = [] + nullable = false } variable "tags" { - description = "A map of tags to add to all resources." + description = "(Optional) A map of tags to add to all resources." type = map(string) default = {} + nullable = false } variable "module_tags_enabled" { - description = "Whether to create AWS Resource Tags for the module informations." + description = "(Optional) Whether to create AWS Resource Tags for the module informations." type = bool default = true + nullable = false } 
@@ -33,19 +38,22 @@ variable "module_tags_enabled" { ################################################### variable "resource_group_enabled" { - description = "Whether to create Resource Group to find and group AWS resources which are created by this module." + description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." type = bool default = true + nullable = false } variable "resource_group_name" { - description = "The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." + description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." type = string default = "" + nullable = false } variable "resource_group_description" { - description = "The description of Resource Group." + description = "(Optional) The description of Resource Group." type = string default = "Managed by Terraform." + nullable = false } From 1b18698fdc145bc1e13b9aacb25e61e90b68ed6f Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 11 Apr 2024 16:49:28 +0900 Subject: [PATCH 06/27] Fix wrong nullable configuration in arg-account module --- VERSION | 2 +- modules/org-account/variables.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/VERSION b/VERSION index a37255a..b79f04f 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.28.2 +0.28.3 diff --git a/modules/org-account/variables.tf b/modules/org-account/variables.tf index 4530006..18d619c 100644 --- a/modules/org-account/variables.tf +++ b/modules/org-account/variables.tf 
@@ -28,7 +28,7 @@ variable "preconfigured_administrator_role_name" { description = "(Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account." type = string default = null - nullable = false + nullable = true } variable "delegated_services" { From 2c397b75d04c86c5b56fc1daab4bda5909387584 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 12 Apr 2024 00:16:30 +0900 Subject: [PATCH 07/27] Bump actions/labeler from 4 to 5 (#99) Bumps [actions/labeler](https://github.com/actions/labeler) from 4 to 5. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](https://github.com/actions/labeler/compare/v4...v5) --- updated-dependencies: - dependency-name: actions/labeler dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pull-request-labeler.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pull-request-labeler.yaml b/.github/workflows/pull-request-labeler.yaml index 1784c72..d5ac851 100644 --- a/.github/workflows/pull-request-labeler.yaml +++ b/.github/workflows/pull-request-labeler.yaml @@ -9,7 +9,7 @@ jobs: steps: - name: Add Labels for PR - uses: actions/labeler@v4 + uses: actions/labeler@v5 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" configuration-path: .github/labeler.yaml From e8e500adb8647628b84939e430f0a6232af846a0 Mon Sep 17 00:00:00 2001 
From: "Byungjin Park (Claud)"
Date: Wed, 17 Apr 2024 17:42:41 +0900
Subject: [PATCH 08/27] Migrate org and sso related modules to terraform-aws-organization (#105)

---
 .github/labeler.yaml | 21 -
 .github/labels.yaml | 21 -
 README.md | 20 +-
 modules/org-account/README.md | 79 --
 .../org-account/delegated-administrators.tf | 55 -
 modules/org-account/main.tf | 58 -
 modules/org-account/migrations.tf | 5 -
 modules/org-account/outputs.tf | 49 -
 modules/org-account/resource-group.tf | 31 -
 modules/org-account/variables.tf | 86 --
 modules/org-account/versions.tf | 10 -
 modules/org-organization/README.md | 66 -
 modules/org-organization/main.tf | 63 -
 modules/org-organization/outputs.tf | 72 --
 modules/org-organization/variables.tf | 61 -
 modules/org-organization/versions.tf | 10 -
 modules/org-organizational-unit/README.md | 58 -
 modules/org-organizational-unit/main.tf | 46 -
 modules/org-organizational-unit/migrations.tf | 5 -
 modules/org-organizational-unit/outputs.tf | 24 -
 .../org-organizational-unit/resource-group.tf | 31 -
 modules/org-organizational-unit/variables.tf | 59 -
 modules/org-organizational-unit/versions.tf | 10 -
 modules/ram-share/README.md | 63 -
 modules/ram-share/get-permissions.sh | 13 -
 modules/ram-share/main.tf | 61 -
 modules/ram-share/outputs.tf | 40 -
 modules/ram-share/permissions.json | 706 -----------
 modules/ram-share/raw.json | 1060 -----------------
 modules/ram-share/resource-group.tf | 31 -
 modules/ram-share/variables.tf | 72 --
 modules/ram-share/versions.tf | 10 -
 .../sso-access-control-attributes/README.md | 45 -
 modules/sso-access-control-attributes/main.tf | 33 -
 .../sso-access-control-attributes/outputs.tf | 17 -
 .../variables.tf | 6 -
 .../sso-access-control-attributes/versions.tf | 10 -
 modules/sso-account-assignment/README.md | 56 -
 modules/sso-account-assignment/main.tf | 79 --
 modules/sso-account-assignment/outputs.tf | 44 -
 modules/sso-account-assignment/variables.tf | 25 -
 modules/sso-account-assignment/versions.tf | 10 -
 modules/sso-permission-set/README.md | 72 --
 modules/sso-permission-set/main.tf | 132 --
 modules/sso-permission-set/migrations.tf | 5 -
 modules/sso-permission-set/outputs.tf | 60 -
 modules/sso-permission-set/resource-group.tf | 31 -
 modules/sso-permission-set/variables.tf | 166 ---
 modules/sso-permission-set/versions.tf | 10 -
 49 files changed, 2 insertions(+), 3795 deletions(-)
 delete mode 100644 modules/org-account/README.md
 delete mode 100644 modules/org-account/delegated-administrators.tf
 delete mode 100644 modules/org-account/main.tf
 delete mode 100644 modules/org-account/migrations.tf
 delete mode 100644 modules/org-account/outputs.tf
 delete mode 100644 modules/org-account/resource-group.tf
 delete mode 100644 modules/org-account/variables.tf
 delete mode 100644 modules/org-account/versions.tf
 delete mode 100644 modules/org-organization/README.md
 delete mode 100644 modules/org-organization/main.tf
 delete mode 100644 modules/org-organization/outputs.tf
 delete mode 100644 modules/org-organization/variables.tf
 delete mode 100644 modules/org-organization/versions.tf
 delete mode 100644 modules/org-organizational-unit/README.md
 delete mode 100644 modules/org-organizational-unit/main.tf
 delete mode 100644 modules/org-organizational-unit/migrations.tf
 delete mode 100644 modules/org-organizational-unit/outputs.tf
 delete mode 100644 modules/org-organizational-unit/resource-group.tf
 delete mode 100644 modules/org-organizational-unit/variables.tf
 delete mode 100644 modules/org-organizational-unit/versions.tf
 delete mode 100644 modules/ram-share/README.md
 delete mode 100755 modules/ram-share/get-permissions.sh
 delete mode 100644 modules/ram-share/main.tf
 delete mode 100644 modules/ram-share/outputs.tf
 delete mode 100644 modules/ram-share/permissions.json
 delete mode 100644 modules/ram-share/raw.json
 delete mode 100644 modules/ram-share/resource-group.tf
 delete mode 100644 modules/ram-share/variables.tf
 delete mode 100644 modules/ram-share/versions.tf
 delete mode 100644 modules/sso-access-control-attributes/README.md
 delete mode 100644 modules/sso-access-control-attributes/main.tf
 delete mode 100644 modules/sso-access-control-attributes/outputs.tf
 delete mode 100644 modules/sso-access-control-attributes/variables.tf
 delete mode 100644 modules/sso-access-control-attributes/versions.tf
 delete mode 100644 modules/sso-account-assignment/README.md
 delete mode 100644 modules/sso-account-assignment/main.tf
 delete mode 100644 modules/sso-account-assignment/outputs.tf
 delete mode 100644 modules/sso-account-assignment/variables.tf
 delete mode 100644 modules/sso-account-assignment/versions.tf
 delete mode 100644 modules/sso-permission-set/README.md
 delete mode 100644 modules/sso-permission-set/main.tf
 delete mode 100644 modules/sso-permission-set/migrations.tf
 delete mode 100644 modules/sso-permission-set/outputs.tf
 delete mode 100644 modules/sso-permission-set/resource-group.tf
 delete mode 100644 modules/sso-permission-set/variables.tf
 delete mode 100644 modules/sso-permission-set/versions.tf

diff --git a/.github/labeler.yaml b/.github/labeler.yaml
index 8af2129..eb29d70 100644
--- a/.github/labeler.yaml
+++ b/.github/labeler.yaml
@@ -23,26 +23,5 @@
 ":floppy_disk: iam-user":
 - modules/iam-user/**/*
 
-":floppy_disk: org-account":
-- modules/org-account/**/*
-
-":floppy_disk: org-organization":
-- modules/org-organization/**/*
-
-":floppy_disk: org-organizational-unit":
-- modules/org-organizational-unit/**/*
-
-":floppy_disk: ram-share":
-- modules/ram-share/**/*
-
 ":floppy_disk: region":
 - modules/region/**/*
-
-":floppy_disk: sso-access-control-attributes":
-- modules/sso-access-control-attributes/**/*
-
-":floppy_disk: sso-account-assignments":
-- modules/sso-account-assignments/**/*
-
-":floppy_disk: sso-permission-set":
-- modules/sso-permission-set/**/*
diff --git a/.github/labels.yaml b/.github/labels.yaml
index 510ed23..bb4b5c8 100644
--- a/.github/labels.yaml
+++ b/.github/labels.yaml
@@ -64,27 +64,6 @@
 - color: "fbca04"
   description: "This issue or pull request is related to iam-user module."
   name: ":floppy_disk: iam-user"
-- color: "fbca04"
-  description: "This issue or pull request is related to org-account module."
-  name: ":floppy_disk: org-account"
-- color: "fbca04"
-  description: "This issue or pull request is related to org-organization module."
-  name: ":floppy_disk: org-organization"
-- color: "fbca04"
-  description: "This issue or pull request is related to org-organizational-unit module."
-  name: ":floppy_disk: org-organizational-unit"
-- color: "fbca04"
-  description: "This issue or pull request is related to ram-share module."
-  name: ":floppy_disk: ram-share"
 - color: "fbca04"
   description: "This issue or pull request is related to region module."
   name: ":floppy_disk: region"
-- color: "fbca04"
-  description: "This issue or pull request is related to sso-access-control-attributes module."
-  name: ":floppy_disk: sso-access-control-attributes"
-- color: "fbca04"
-  description: "This issue or pull request is related to sso-account-assignment module."
-  name: ":floppy_disk: sso-account-assignment"
-- color: "fbca04"
-  description: "This issue or pull request is related to sso-permission-set module."
-  name: ":floppy_disk: sso-permission-set"
diff --git a/README.md b/README.md
index ff276c7..f87dfae 100644
--- a/README.md
+++ b/README.md
@@ -15,14 +15,7 @@ Terraform module which creates Account and IAM related resources on AWS. - [iam-saml-identity-provider](./modules/iam-saml-identity-provider) - [iam-service-linked-role](./modules/iam-service-linked-role) - [iam-user](./modules/iam-user) -- [org-account](./modules/org-account) -- [org-organization](./modules/org-organization) -- [org-organizational-unit](./modules/org-organizational-unit) -- [ram-share](./modules/ram-share) - [region](./modules/region) -- [sso-access-control-attributes](./modules/sso-access-control-attributes) -- [sso-account-assignment](./modules/sso-account-assignment) -- [sso-permission-set](./modules/sso-permission-set) ## Target AWS Services @@ -40,19 +33,9 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- - Policy - OpenID Connect Identity Provider - SAML Identity Provider -- **AWS IAM Identity Center (AWS SSO)** - - Access Control Attributes - - Account Assignment - - Permission Set -- **AWS Organization** - - Organization - - Organization Unit - - Account - **AWS Resource Explorer** - Index - View -- **AWS RAM (Resource Access Manager)** - - Share ## Examples 
@@ -78,6 +61,7 @@ Enjoying [terraform-aws-account](https://github.com/tedilabs/terraform-aws-accou - [AWS Domain](https://github.com/tedilabs/terraform-aws-domain) - A package of Terraform Modules to manage AWS Domain resources. - [AWS Load Balancer](https://github.com/tedilabs/terraform-aws-load-balancer) - A package of Terraform Modules to manage AWS Load Balancer resources. - [AWS Network](https://github.com/tedilabs/terraform-aws-network) - A package of Terraform Modules to manage AWS Network resources. +- [AWS Organization](https://github.com/tedilabs/terraform-aws-organization) - A package of Terraform Modules to manage AWS Organization resources. - [AWS Security](https://github.com/tedilabs/terraform-aws-security) - A package of Terraform Modules to manage AWS Security resources. Or check out [the full list](https://github.com/search?q=org%3Atedilabs+topic%3Aterraform-module&type=repositories) @@ -92,4 +76,4 @@ Like this project? Follow the repository on [GitHub](https://github.com/tedilabs Provided under the terms of the [Apache License](LICENSE). -Copyright © 2021-2023, [Byungjin Park](https://www.posquit0.com). +Copyright © 2021-2024, [Byungjin Park](https://www.posquit0.com). diff --git a/modules/org-account/README.md b/modules/org-account/README.md deleted file mode 100644 index 420b44e..0000000 --- a/modules/org-account/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# org-account - -This module creates following resources. - -- `aws_organizations_account` -- `aws_organizations_policy_attachment` (optional) -- `aws_organizations_delegated_administrator` (optional) -- `aws_fms_admin_account` (optional) -- `aws_guardduty_organization_admin_account` (optional) -- `aws_macie2_organization_admin_account` (optional) -- `aws_securityhub_organization_admin_account` (optional) -- `aws_vpc_ipam_organization_admin_account` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.65 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.19.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_fms_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/fms_admin_account) | resource | -| [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource | -| [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | -| [aws_organizations_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_account) | resource | -| [aws_organizations_delegated_administrator.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource | -| [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource | -| 
[aws_securityhub_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/securityhub_organization_admin_account) | resource | -| [aws_vpc_ipam_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipam_organization_admin_account) | resource | -| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [email](#input\_email) | The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account. | `string` | n/a | yes | -| [name](#input\_name) | A friendly name for the member account. | `string` | n/a | yes | -| [delegated\_services](#input\_delegated\_services) | A list of service principals of the AWS service for which you want to make the member account a delegated administrator. | `set(string)` | `[]` | no | -| [iam\_user\_access\_to\_billing\_allowed](#input\_iam\_user\_access\_to\_billing\_allowed) | If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information. | `bool` | `false` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [parent\_id](#input\_parent\_id) | Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection. | `string` | `null` | no | -| [policies](#input\_policies) | List of IDs of the policies to be attached to the Account. 
| `list(string)` | `[]` | no | -| [preconfigured\_administrator\_role\_name](#input\_preconfigured\_administrator\_role\_name) | The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account. | `string` | `null` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The Amazon Resource Name (ARN) of this account. | -| [created\_at](#output\_created\_at) | The datetime which this account joined to the organization. | -| [created\_by](#output\_created\_by) | The method how this account joined to the organization. | -| [delegated\_services](#output\_delegated\_services) | A list of service principals of the AWS service which the member account is a delegated administrator. | -| [email](#output\_email) | The email address of this account. | -| [iam\_user\_access\_to\_billing\_allowed](#output\_iam\_user\_access\_to\_billing\_allowed) | Whether accessing account billing information by IAM User is allowed. | -| [id](#output\_id) | The ID of this account. 
| -| [name](#output\_name) | The name of this account. | -| [parent\_id](#output\_parent\_id) | The ID of the parent Organizational Unit. | -| [preconfigured\_administrator\_role\_name](#output\_preconfigured\_administrator\_role\_name) | The name of an IAM role that allow users in the master account to assume as administrator. | - diff --git a/modules/org-account/delegated-administrators.tf b/modules/org-account/delegated-administrators.tf deleted file mode 100644 index 24bc3a7..0000000 --- a/modules/org-account/delegated-administrators.tf +++ /dev/null 
@@ -1,55 +0,0 @@
-locals {
- independent_services = [
- "fms.amazonaws.com",
- "guardduty.amazonaws.com",
- "ipam.amazonaws.com",
- "macie.amazonaws.com",
- "securityhub.amazonaws.com",
- ]
-}
-
-
-###################################################
-# Delegated Administrators for Organization Account
-###################################################
-
-resource "aws_organizations_delegated_administrator" "this" {
- for_each = toset([
- for service in var.delegated_services :
- service
- if !contains(local.independent_services, service)
- ])
-
- account_id = aws_organizations_account.this.id
- service_principal = each.key
-}
-
-resource "aws_fms_admin_account" "this" {
- count = contains(var.delegated_services, "fms.amazonaws.com") ? 1 : 0
-
- account_id = aws_organizations_account.this.id
-}
-
-resource "aws_guardduty_organization_admin_account" "this" {
- count = contains(var.delegated_services, "guardduty.amazonaws.com") ? 1 : 0
-
- admin_account_id = aws_organizations_account.this.id
-}
-
-resource "aws_macie2_organization_admin_account" "this" {
- count = contains(var.delegated_services, "macie.amazonaws.com") ? 1 : 0
-
- admin_account_id = aws_organizations_account.this.id
-}
-
-resource "aws_securityhub_organization_admin_account" "this" {
- count = contains(var.delegated_services, "securityhub.amazonaws.com") ? 1 : 0
-
- admin_account_id = aws_organizations_account.this.id
-}
-
-resource "aws_vpc_ipam_organization_admin_account" "this" {
- count = contains(var.delegated_services, "ipam.amazonaws.com") ? 1 : 0
-
- delegated_admin_account_id = aws_organizations_account.this.id
-}
diff --git a/modules/org-account/main.tf b/modules/org-account/main.tf
deleted file mode 100644
index b51c4fc..0000000
--- a/modules/org-account/main.tf
+++ /dev/null
@@ -1,58 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-data "aws_organizations_organization" "this" {}
-
-locals {
- organization_root_id = data.aws_organizations_organization.this.roots[0].id
-}
-
-resource "aws_organizations_account" "this" {
- name = var.name
- email = var.email
- parent_id = coalesce(var.parent_id, local.organization_root_id)
-
- iam_user_access_to_billing = var.iam_user_access_to_billing_allowed ? "ALLOW" : "DENY"
- role_name = var.preconfigured_administrator_role_name
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-
- # There is no AWS Organizations API for reading role_name
- lifecycle {
- ignore_changes = [
- iam_user_access_to_billing,
- role_name,
- ]
- }
-}
-
-
-###################################################
-# AWS Managed Policies
-###################################################
-
-resource "aws_organizations_policy_attachment" "this" {
- for_each = toset(var.policies)
-
- target_id = aws_organizations_account.this.id
- policy_id = each.key
-}
diff --git a/modules/org-account/migrations.tf b/modules/org-account/migrations.tf
deleted file mode 100644
index e5d6bcd..0000000
--- a/modules/org-account/migrations.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# 2022-11-24
-moved {
- from = aws_resourcegroups_group.this[0]
- to = module.resource_group[0].aws_resourcegroups_group.this
-}
diff --git a/modules/org-account/outputs.tf b/modules/org-account/outputs.tf
deleted file mode 100644
index d18c738..0000000
--- a/modules/org-account/outputs.tf
+++ /dev/null
@@ -1,49 +0,0 @@
-output "name" {
- description = "The name of this account."
- value = aws_organizations_account.this.name
-}
-
-output "email" {
- description = "The email address of this account."
- value = aws_organizations_account.this.email
-}
-
-output "id" {
- description = "The ID of this account."
- value = aws_organizations_account.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of this account."
- value = aws_organizations_account.this.arn
-}
-
-output "parent_id" {
- description = "The ID of the parent Organizational Unit."
- value = aws_organizations_account.this.parent_id
-}
-
-output "iam_user_access_to_billing_allowed" {
- description = "Whether accessing account billing information by IAM User is allowed."
- value = var.iam_user_access_to_billing_allowed
-}
-
-output "preconfigured_administrator_role_name" {
- description = "The name of an IAM role that allow users in the master account to assume as administrator."
- value = var.preconfigured_administrator_role_name
-}
-
-output "delegated_services" {
- description = "A list of service principals of the AWS service which the member account is a delegated administrator."
- value = var.delegated_services
-}
-
-output "created_by" {
- description = "The method how this account joined to the organization."
- value = aws_organizations_account.this.joined_method
-}
-
-output "created_at" {
- description = "The datetime which this account joined to the organization."
- value = aws_organizations_account.this.joined_timestamp
-}
diff --git a/modules/org-account/resource-group.tf b/modules/org-account/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/org-account/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/org-account/variables.tf b/modules/org-account/variables.tf
deleted file mode 100644
index 18d619c..0000000
--- a/modules/org-account/variables.tf
+++ /dev/null
@@ -1,86 +0,0 @@
-variable "name" {
- description = "(Required) A friendly name for the member account."
- type = string
- nullable = false
-}
-
-variable "email" {
- description = "(Required) The email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account."
- type = string
- nullable = false
-}
-
-variable "parent_id" {
- description = "(Optional) Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection."
- type = string
- default = null
- nullable = true
-}
-
-variable "iam_user_access_to_billing_allowed" {
- description = "(Optional) If true, the new account enables IAM users to access account billing information if they have the required permissions. If false, then only the root user of the new account can access account billing information."
- type = bool
- default = false
- nullable = false
-}
-
-variable "preconfigured_administrator_role_name" {
- description = "(Optional) The name of an IAM role that Organizations automatically preconfigures in the new member account. This role trusts the master account, allowing users in the master account to assume the role, as permitted by the master account administrator. The role has administrator permissions in the new member account."
- type = string
- default = null
- nullable = true
-}
-
-variable "delegated_services" {
- description = "(Optional) A list of service principals of the AWS service for which you want to make the member account a delegated administrator."
- type = set(string)
- default = []
- nullable = false
-}
-
-variable "policies" {
- description = "(Optional) List of IDs of the policies to be attached to the Account."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "tags" {
- description = "(Optional) A map of tags to add to all resources."
- type = map(string)
- default = {}
- nullable = false
-}
-
-variable "module_tags_enabled" {
- description = "(Optional) Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
- nullable = false
-}
-
-
-###################################################
-# Resource Group
-###################################################
-
-variable "resource_group_enabled" {
- description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
- nullable = false
-}
-
-variable "resource_group_name" {
- description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
- nullable = false
-}
-
-variable "resource_group_description" {
- description = "(Optional) The description of Resource Group."
- type = string
- default = "Managed by Terraform."
- nullable = false
-}
diff --git a/modules/org-account/versions.tf b/modules/org-account/versions.tf
deleted file mode 100644
index 637a0b2..0000000
--- a/modules/org-account/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.65"
- }
- }
-}
diff --git a/modules/org-organization/README.md b/modules/org-organization/README.md
deleted file mode 100644
index 392b4d8..0000000
--- a/modules/org-organization/README.md
+++ /dev/null
@@ -1,66 +0,0 @@
-# org-organization
-
-This module creates following resources.
-
-- `aws_organizations_organization`
-- `aws_organizations_policy_attachment` (optional)
-- `aws_ram_sharing_with_organization` (optional)
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.5 |
-| [aws](#requirement\_aws) | >= 5.13 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | 5.17.0 |
-
-## Modules
-
-No modules.
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organization) | resource |
-| [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
-| [aws_ram_sharing_with_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_sharing_with_organization) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [name](#input\_name) | (Required) The name of the Organization. | `string` | n/a | yes |
-| [ai\_services\_opt\_out\_policy\_type\_enabled](#input\_ai\_services\_opt\_out\_policy\_type\_enabled) | (Optional) Whether to enable AI services opt-out polices in the Organization. | `bool` | `false` | no |
-| [all\_features\_enabled](#input\_all\_features\_enabled) | (Optional) Whether to create AWS Organization with all features or only consolidated billing feature. | `bool` | `true` | no |
-| [backup\_policy\_type\_enabled](#input\_backup\_policy\_type\_enabled) | (Optional) Whether to enable Backup polices in the Organization. | `bool` | `false` | no |
-| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| [policies](#input\_policies) | (Optional) List of IDs of the policies to be attached to the Organization. | `list(string)` | `[]` | no |
-| [service\_control\_policy\_type\_enabled](#input\_service\_control\_policy\_type\_enabled) | (Optional) Whether to enable Service control polices(SCPs) in the Organization. | `bool` | `true` | no |
-| [tag\_policy\_type\_enabled](#input\_tag\_policy\_type\_enabled) | (Optional) Whether to enable Tag polices in the Organization. | `bool` | `false` | no |
-| [trusted\_access\_enabled\_service\_principals](#input\_trusted\_access\_enabled\_service\_principals) | (Optional) List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true. | `set(string)` | `[]` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [accounts](#output\_accounts) | The accounts for the Organization. |
-| [ai\_services\_opt\_out\_policy\_type\_enabled](#output\_ai\_services\_opt\_out\_policy\_type\_enabled) | Whether AI services opt-out polices are enabled. |
-| [all\_features\_enabled](#output\_all\_features\_enabled) | Whether AWS Organization was configured with all features or only consolidated billing feature. |
-| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the Organization. |
-| [backup\_policy\_type\_enabled](#output\_backup\_policy\_type\_enabled) | Whether Backup polices are enabled. |
-| [id](#output\_id) | The ID of the Organization. |
-| [master\_account](#output\_master\_account) | The master account for the Organization. |
-| [name](#output\_name) | The name of the Organization. |
-| [non\_master\_accounts](#output\_non\_master\_accounts) | The non-master accounts for the Organization. |
-| [root](#output\_root) | The root information of the Organization. |
-| [service\_control\_policy\_type\_enabled](#output\_service\_control\_policy\_type\_enabled) | Whether Service control polices(SCPs) are enabled. |
-| [tag\_policy\_type\_enabled](#output\_tag\_policy\_type\_enabled) | Whether Tag polices are enabled. |
-| [trusted\_access\_enabled\_service\_principals](#output\_trusted\_access\_enabled\_service\_principals) | List of AWS service principal names which is integrated with the organization. |
-
diff --git a/modules/org-organization/main.tf b/modules/org-organization/main.tf
deleted file mode 100644
index 95f4908..0000000
--- a/modules/org-organization/main.tf
+++ /dev/null
@@ -1,63 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-locals {
- individual_trusted_accesses = toset([
- "ram.amazonaws.com",
- ])
- organization_managed_trusted_accesses = setsubtract(
- var.trusted_access_enabled_service_principals,
- local.individual_trusted_accesses
- )
-}
-
-
-###################################################
-# Organization
-###################################################
-
-resource "aws_organizations_organization" "this" {
- feature_set = var.all_features_enabled ? "ALL" : "CONSOLIDATED_BILLING"
- enabled_policy_types = compact([
- var.ai_services_opt_out_policy_type_enabled ? "AISERVICES_OPT_OUT_POLICY" : "",
- var.backup_policy_type_enabled ? "BACKUP_POLICY" : "",
- var.service_control_policy_type_enabled ? "SERVICE_CONTROL_POLICY" : "",
- var.tag_policy_type_enabled ? "TAG_POLICY" : "",
- ])
-
- aws_service_access_principals = var.all_features_enabled ? local.organization_managed_trusted_accesses : []
-}
-
-
-###################################################
-# AWS Managed Policies
-###################################################
-
-resource "aws_organizations_policy_attachment" "this" {
- for_each = toset(var.policies)
-
- target_id = aws_organizations_organization.this.roots[0].id
- policy_id = each.key
-}
-
-
-###################################################
-# Individual Trusted Accesses
-###################################################
-
-resource "aws_ram_sharing_with_organization" "this" {
- count = contains(var.trusted_access_enabled_service_principals, "ram.amazonaws.com") ? 1 : 0
-}
diff --git a/modules/org-organization/outputs.tf b/modules/org-organization/outputs.tf
deleted file mode 100644
index c158d8d..0000000
--- a/modules/org-organization/outputs.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-output "name" {
- description = "The name of the Organization."
- value = var.name
-}
-
-output "id" {
- description = "The ID of the Organization."
- value = aws_organizations_organization.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the Organization."
- value = aws_organizations_organization.this.arn
-}
-
-output "all_features_enabled" {
- description = "Whether AWS Organization was configured with all features or only consolidated billing feature."
- value = var.all_features_enabled
-}
-
-output "ai_services_opt_out_policy_type_enabled" {
- description = "Whether AI services opt-out polices are enabled."
- value = var.ai_services_opt_out_policy_type_enabled
-}
-
-output "backup_policy_type_enabled" {
- description = "Whether Backup polices are enabled."
- value = var.backup_policy_type_enabled
-}
-
-output "service_control_policy_type_enabled" {
- description = "Whether Service control polices(SCPs) are enabled."
- value = var.service_control_policy_type_enabled
-}
-
-output "tag_policy_type_enabled" {
- description = "Whether Tag polices are enabled."
- value = var.tag_policy_type_enabled
-}
-
-output "trusted_access_enabled_service_principals" {
- description = "List of AWS service principal names which is integrated with the organization."
- value = var.trusted_access_enabled_service_principals
-}
-
-output "accounts" {
- description = "The accounts for the Organization."
- value = aws_organizations_organization.this.accounts
-}
-
-output "master_account" {
- description = "The master account for the Organization."
- value = {
- id = aws_organizations_organization.this.master_account_id
- arn = aws_organizations_organization.this.master_account_arn
- email = aws_organizations_organization.this.master_account_email
- }
-}
-
-output "non_master_accounts" {
- description = "The non-master accounts for the Organization."
- value = aws_organizations_organization.this.non_master_accounts
-}
-
-output "root" {
- description = "The root information of the Organization."
- value = {
- id = aws_organizations_organization.this.roots[0].id
- arn = aws_organizations_organization.this.roots[0].arn
- name = aws_organizations_organization.this.roots[0].name
- }
-}
diff --git a/modules/org-organization/variables.tf b/modules/org-organization/variables.tf
deleted file mode 100644
index 1096ace..0000000
--- a/modules/org-organization/variables.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-variable "name" {
- description = "(Required) The name of the Organization."
- type = string
- nullable = false
-}
-
-variable "all_features_enabled" {
- description = "(Optional) Whether to create AWS Organization with all features or only consolidated billing feature."
- type = bool
- default = true
- nullable = false
-}
-
-variable "ai_services_opt_out_policy_type_enabled" {
- description = "(Optional) Whether to enable AI services opt-out polices in the Organization."
- type = bool
- default = false
- nullable = false
-}
-
-variable "backup_policy_type_enabled" {
- description = "(Optional) Whether to enable Backup polices in the Organization."
- type = bool
- default = false
- nullable = false
-}
-
-variable "service_control_policy_type_enabled" {
- description = "(Optional) Whether to enable Service control polices(SCPs) in the Organization."
- type = bool
- default = true
- nullable = false
-}
-
-variable "tag_policy_type_enabled" {
- description = "(Optional) Whether to enable Tag polices in the Organization."
- type = bool
- default = false
- nullable = false
-}
-
-variable "trusted_access_enabled_service_principals" {
- description = "(Optional) List of AWS service principal names for which you want to enable integration with the organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must `all_featrues_enabled` set to true."
- type = set(string)
- default = []
- nullable = false
-}
-
-variable "policies" {
- description = "(Optional) List of IDs of the policies to be attached to the Organization."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "module_tags_enabled" {
- description = "(Optional) Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
- nullable = false
-}
diff --git a/modules/org-organization/versions.tf b/modules/org-organization/versions.tf
deleted file mode 100644
index 4b03844..0000000
--- a/modules/org-organization/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 5.13"
- }
- }
-}
diff --git a/modules/org-organizational-unit/README.md b/modules/org-organizational-unit/README.md
deleted file mode 100644
index 864aa41..0000000
--- a/modules/org-organizational-unit/README.md
+++ /dev/null
@@ -1,58 +0,0 @@
-# org-organizational-unit
-
-This module creates following resources.
-
-- `aws_organizations_organizational_unit`
-- `aws_organizations_policy_attachment` (optional)
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.5 |
-| [aws](#requirement\_aws) | >= 3.65 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | 5.19.0 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_organizations_organizational_unit.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_organizational_unit) | resource |
-| [aws_organizations_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_policy_attachment) | resource |
-| [aws_organizations_organization.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/organizations_organization) | data source |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [name](#input\_name) | The name of the Organizational Unit. | `string` | n/a | yes |
-| [module\_tags\_enabled](#input\_module\_tags\_enabled) | Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| [parent\_id](#input\_parent\_id) | The ID of the parent organizational unit, which may be the root. | `string` | `null` | no |
-| [policies](#input\_policies) | List of IDs of the policies to be attached to the Organizational Unit. | `list(string)` | `[]` | no |
-| [resource\_group\_description](#input\_resource\_group\_description) | The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| [resource\_group\_enabled](#input\_resource\_group\_enabled) | Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| [resource\_group\_name](#input\_resource\_group\_name) | The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
-| [tags](#input\_tags) | A map of tags to add to all resources. | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [accounts](#output\_accounts) | The accounts for the Organizational Unit. |
-| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the Organizational Unit. |
-| [id](#output\_id) | The ID of the Organizational Unit. |
-| [name](#output\_name) | The name of the Organizational Unit. |
-| [parent\_id](#output\_parent\_id) | The ID of the parent Organizational Unit. |
-
diff --git a/modules/org-organizational-unit/main.tf b/modules/org-organizational-unit/main.tf
deleted file mode 100644
index 7cb81ec..0000000
--- a/modules/org-organizational-unit/main.tf
+++ /dev/null
@@ -1,46 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-data "aws_organizations_organization" "this" {}
-
-locals {
- organization_root_id = data.aws_organizations_organization.this.roots[0].id
-}
-
-resource "aws_organizations_organizational_unit" "this" {
- name = var.name
- parent_id = coalesce(var.parent_id, local.organization_root_id)
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# AWS Managed Policies
-###################################################
-
-resource "aws_organizations_policy_attachment" "this" {
- for_each = toset(var.policies)
-
- target_id = aws_organizations_organizational_unit.this.id
- policy_id = each.key
-}
diff --git a/modules/org-organizational-unit/migrations.tf b/modules/org-organizational-unit/migrations.tf
deleted file mode 100644
index e5d6bcd..0000000
--- a/modules/org-organizational-unit/migrations.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# 2022-11-24
-moved {
- from = aws_resourcegroups_group.this[0]
- to = module.resource_group[0].aws_resourcegroups_group.this
-}
diff --git a/modules/org-organizational-unit/outputs.tf b/modules/org-organizational-unit/outputs.tf
deleted file mode 100644
index 9c6d2bd..0000000
--- a/modules/org-organizational-unit/outputs.tf
+++ /dev/null
@@ -1,24 +0,0 @@
-output "name" {
- description = "The name of the Organizational Unit."
- value = aws_organizations_organizational_unit.this.name
-}
-
-output "id" {
- description = "The ID of the Organizational Unit."
- value = aws_organizations_organizational_unit.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the Organizational Unit."
- value = aws_organizations_organizational_unit.this.arn
-}
-
-output "parent_id" {
- description = "The ID of the parent Organizational Unit."
- value = aws_organizations_organizational_unit.this.parent_id
-}
-
-output "accounts" {
- description = "The accounts for the Organizational Unit."
- value = aws_organizations_organizational_unit.this.accounts
-}
diff --git a/modules/org-organizational-unit/resource-group.tf b/modules/org-organizational-unit/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/org-organizational-unit/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/org-organizational-unit/variables.tf b/modules/org-organizational-unit/variables.tf
deleted file mode 100644
index 8532d0a..0000000
--- a/modules/org-organizational-unit/variables.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-variable "name" {
- description = "(Required) The name of the Organizational Unit."
- type = string
- nullable = false
-}
-
-variable "parent_id" {
- description = "(Optional) The ID of the parent organizational unit, which may be the root."
- type = string
- default = null
- nullable = true
-}
-
-variable "policies" {
- description = "(Optional) List of IDs of the policies to be attached to the Organizational Unit."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "tags" {
- description = "(Optional) A map of tags to add to all resources."
- type = map(string)
- default = {}
- nullable = false
-}
-
-variable "module_tags_enabled" {
- description = "(Optional) Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
- nullable = false
-}
-
-
-###################################################
-# Resource Group
-###################################################
-
-variable "resource_group_enabled" {
- description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
- nullable = false
-}
-
-variable "resource_group_name" {
- description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
- nullable = false
-}
-
-variable "resource_group_description" {
- description = "(Optional) The description of Resource Group."
- type = string
- default = "Managed by Terraform."
- nullable = false
-}
diff --git a/modules/org-organizational-unit/versions.tf b/modules/org-organizational-unit/versions.tf
deleted file mode 100644
index 637a0b2..0000000
--- a/modules/org-organizational-unit/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 3.65"
- }
- }
-}
diff --git a/modules/ram-share/README.md b/modules/ram-share/README.md
deleted file mode 100644
index ed17aab..0000000
--- a/modules/ram-share/README.md
+++ /dev/null
@@ -1,63 +0,0 @@
-# ram-share
-
-This module creates following resources.
-
-- `aws_ram_resource_share`
-- `aws_ram_principal_association` (optional)
-- `aws_ram_resource_association` (optional)
-
-
-## Requirements
-
-| Name | Version |
-|------|---------|
-| [terraform](#requirement\_terraform) | >= 1.5 |
-| [aws](#requirement\_aws) | >= 4.29 |
-
-## Providers
-
-| Name | Version |
-|------|---------|
-| [aws](#provider\_aws) | 5.19.0 |
-
-## Modules
-
-| Name | Source | Version |
-|------|--------|---------|
-| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
-
-## Resources
-
-| Name | Type |
-|------|------|
-| [aws_ram_principal_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_principal_association) | resource |
-| [aws_ram_resource_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_association) | resource |
-| [aws_ram_resource_share.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ram_resource_share) | resource |
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| [name](#input\_name) | (Required) The name of the resource share. | `string` | n/a | yes |
-| [external\_principals\_allowed](#input\_external\_principals\_allowed) | (Optional) Indicates whether principals outside your organization can be associated with a resource share. | `bool` | `false` | no |
-| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| [permissions](#input\_permissions) | (Optional) A list of the names of the RAM permission to associate with the resource share. If you do not specify, RAM automatically attaches the default version of the permission for each resource type. 
You can associate only one permission with each resource type included in the resource share. | `list(string)` | `[]` | no |
-| [principals](#input\_principals) | (Optional) A list of the Amazon Resource Names (ARNs) of the principal to associate with the RAM Resource Share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN. | `list(string)` | `[]` | no |
-| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
-| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
-| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
-| [resources](#input\_resources) | (Optional) A list of the Amazon Resource Names (ARNs) of the resource to associate with the RAM Resource Share. | `list(string)` | `[]` | no |
-| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the resource share. |
-| [external\_principals\_allowed](#output\_external\_principals\_allowed) | Whether principals outside your organization can be associated with a resource share. |
-| [id](#output\_id) | The ID of the resource share. |
-| [name](#output\_name) | The name of the resource share. |
-| [permissions](#output\_permissions) | A list of the Amazon Resource Names (ARNs) of the RAM permission associated with the resource share. 
|
-| [principals](#output\_principals) | A list of the Amazon Resource Names (ARNs) of the principal associated with the resource share. |
-| [resources](#output\_resources) | A list of the Amazon Resource Names (ARNs) of the resource associated with the resource share. |
-
diff --git a/modules/ram-share/get-permissions.sh b/modules/ram-share/get-permissions.sh
deleted file mode 100755
index e4cd767..0000000
--- a/modules/ram-share/get-permissions.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env sh
-
-cat raw.json | jq '
- [
- .permissions[] | {
- arn: .arn,
- name: .name,
- resource_type: .resourceType,
- is_default: .isResourceTypeDefault,
- created_at: .creationTime,
- updated_at: .lastUpdatedTime,
- }
- ] | sort_by(.resource_type)'
diff --git a/modules/ram-share/main.tf b/modules/ram-share/main.tf
deleted file mode 100644
index cbf3e6b..0000000
--- a/modules/ram-share/main.tf
+++ /dev/null
@@ -1,61 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-locals {
- permission_arns = [
- for permission in var.permissions :
- "arn:aws:ram::aws:permission/${permission}"
- ]
-}
-
-resource "aws_ram_resource_share" "this" {
- name = var.name
-
- allow_external_principals = var.external_principals_allowed
- permission_arns = local.permission_arns
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Principal Associations
-###################################################
-
-resource "aws_ram_principal_association" "this" {
- for_each = toset(var.principals)
-
- resource_share_arn = aws_ram_resource_share.this.arn
- principal = each.value
-}
-
-
-###################################################
-# Resource Associations
-###################################################
-
-resource "aws_ram_resource_association" "this" {
- for_each = toset(var.resources)
-
- resource_share_arn = aws_ram_resource_share.this.arn
- resource_arn = each.value
-}
diff --git a/modules/ram-share/outputs.tf b/modules/ram-share/outputs.tf
deleted file mode 100644
index 2831cef..0000000
--- a/modules/ram-share/outputs.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-output "name" {
- description = "The name of the resource share."
- value = aws_ram_resource_share.this.name
-}
-
-output "id" {
- description = "The ID of the resource share."
- value = aws_ram_resource_share.this.id
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the resource share."
- value = aws_ram_resource_share.this.arn
-}
-
-output "external_principals_allowed" {
- description = "Whether principals outside your organization can be associated with a resource share."
- value = aws_ram_resource_share.this.allow_external_principals
-}
-
-output "permissions" {
- description = "A list of the Amazon Resource Names (ARNs) of the RAM permission associated with the resource share."
- value = aws_ram_resource_share.this.permission_arns
-}
-
-output "principals" {
- description = "A list of the Amazon Resource Names (ARNs) of the principal associated with the resource share."
- value = toset([
- for association in aws_ram_principal_association.this :
- association.principal
- ])
-}
-
-output "resources" {
- description = "A list of the Amazon Resource Names (ARNs) of the resource associated with the resource share."
- value = toset([
- for association in aws_ram_resource_association.this :
- association.resource_arn
- ])
-}
diff --git a/modules/ram-share/permissions.json b/modules/ram-share/permissions.json
deleted file mode 100644
index b1e4aa4..0000000
--- a/modules/ram-share/permissions.json
+++ /dev/null
@@ -1,706 +0,0 @@ -[ - { - "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority", - "name": "AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1656619411.663, - "updated_at": 1656619411.663 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority", - "name": "AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1668783946.905, - "updated_at": 1668783946.905 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority", - "name": "AWSRAMDefaultPermissionCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": true, - "created_at": 1656619463.278, - "updated_at": 1656619463.278 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMEndEntityClientAuthCertificateIssuanceCertificateAuthority", - "name": "AWSRAMEndEntityClientAuthCertificateIssuanceCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1656619413.412, - "updated_at": 1656619413.412 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMEndEntityServerAuthCertificateIssuanceCertificateAuthority", - "name": "AWSRAMEndEntityServerAuthCertificateIssuanceCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1656619414.244, - "updated_at": 1656619414.244 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMRevokeCertificateCertificateAuthority", - "name": "AWSRAMRevokeCertificateCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1656619416.747, - "updated_at": 1656619416.747 - }, - { - "arn": 
"arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority", - "name": "AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority", - "resource_type": "acm-pca:CertificateAuthority", - "is_default": false, - "created_at": 1656619414.846, - "updated_at": 1656619414.846 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh", - "name": "AWSRAMDefaultPermissionAppMesh", - "resource_type": "appmesh:Mesh", - "is_default": true, - "created_at": 1680017275.91, - "updated_at": 1680017275.91 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncAllowSourceGraphQLAccess", - "name": "AWSRAMPermissionAppSyncAllowSourceGraphQLAccess", - "resource_type": "appsync:Apis", - "is_default": false, - "created_at": 1683045153.876, - "updated_at": 1683045153.876 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncMergedApiOperationAccess", - "name": "AWSRAMPermissionAppSyncMergedApiOperationAccess", - "resource_type": "appsync:Apis", - "is_default": false, - "created_at": 1683045152.769, - "updated_at": 1683045152.769 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncSourceApiOperationAccess", - "name": "AWSRAMPermissionAppSyncSourceApiOperationAccess", - "resource_type": "appsync:Apis", - "is_default": true, - "created_at": 1683045154.649, - "updated_at": 1683045154.649 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionMarketplaceCatalogEntityReadOnly", - "name": "AWSRAMDefaultPermissionMarketplaceCatalogEntityReadOnly", - "resource_type": "aws-marketplace:Entity", - "is_default": true, - "created_at": 1677521890.983, - "updated_at": 1677521890.983 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionMarketplaceCatalogEntityFullAccess", - "name": "AWSRAMPermissionMarketplaceCatalogEntityFullAccess", - "resource_type": "aws-marketplace:Entity", - "is_default": false, - "created_at": 1677521904.261, - "updated_at": 1677521904.261 - }, - 
{ - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject", - "name": "AWSRAMDefaultPermissionCodeBuildProject", - "resource_type": "codebuild:Project", - "is_default": true, - "created_at": 1656619457.595, - "updated_at": 1656619457.595 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup", - "name": "AWSRAMDefaultPermissionCodeBuildReportGroup", - "resource_type": "codebuild:ReportGroup", - "is_default": true, - "created_at": 1656619457.761, - "updated_at": 1656619457.761 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation", - "name": "AWSRAMDefaultPermissionCapacityReservation", - "resource_type": "ec2:CapacityReservation", - "is_default": true, - "created_at": 1656619457.419, - "updated_at": 1656619457.419 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCoipPool", - "name": "AWSRAMDefaultPermissionCoipPool", - "resource_type": "ec2:CoipPool", - "is_default": true, - "created_at": 1656619452.75, - "updated_at": 1656619452.75 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost", - "name": "AWSRAMDefaultPermissionDedicatedHost", - "resource_type": "ec2:DedicatedHost", - "is_default": true, - "created_at": 1656619458.351, - "updated_at": 1656619458.351 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionServerManageability", - "name": "AWSRAMDefaultPermissionServerManageability", - "resource_type": "ec2:DedicatedHost", - "is_default": true, - "created_at": 1656619458.93, - "updated_at": 1656619458.93 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool", - "name": "AWSRAMDefaultPermissionsIpamPool", - "resource_type": "ec2:IpamPool", - "is_default": true, - "created_at": 1656619469.3, - "updated_at": 1656619469.3 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionIpamPoolByoipCidrImport", - "name": "AWSRAMPermissionIpamPoolByoipCidrImport", - "resource_type": 
"ec2:IpamPool", - "is_default": false, - "created_at": 1656619435.003, - "updated_at": 1656619435.003 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionIpamResourceDiscovery", - "name": "AWSRAMPermissionIpamResourceDiscovery", - "resource_type": "ec2:IpamResourceDiscovery", - "is_default": true, - "created_at": 1666904525.951, - "updated_at": 1666904525.951 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway", - "name": "AWSRAMDefaultPermissionLocalGateway", - "resource_type": "ec2:LocalGatewayRouteTable", - "is_default": true, - "created_at": 1660150032.685, - "updated_at": 1660150032.685 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsPlacementGroup", - "name": "AWSRAMDefaultPermissionsPlacementGroup", - "resource_type": "ec2:PlacementGroup", - "is_default": true, - "created_at": 1656619469.46, - "updated_at": 1656619469.46 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList", - "name": "AWSRAMDefaultPermissionPrefixList", - "resource_type": "ec2:PrefixList", - "is_default": true, - "created_at": 1656619460.594, - "updated_at": 1656619460.594 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet", - "name": "AWSRAMDefaultPermissionSubnet", - "resource_type": "ec2:Subnet", - "is_default": true, - "created_at": 1668109491.38, - "updated_at": 1668109491.38 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror", - "name": "AWSRAMDefaultPermissionTrafficMirror", - "resource_type": "ec2:TrafficMirrorTarget", - "is_default": true, - "created_at": 1656619454.601, - "updated_at": 1656619454.601 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway", - "name": "AWSRAMDefaultPermissionTransitGateway", - "resource_type": "ec2:TransitGateway", - "is_default": true, - "created_at": 1656619453.29, - "updated_at": 1656619453.29 - }, - { - "arn": 
"arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGatewayMulticastDomain", - "name": "AWSRAMDefaultPermissionTransitGatewayMulticastDomain", - "resource_type": "ec2:TransitGatewayMulticastDomain", - "is_default": true, - "created_at": 1656619453.461, - "updated_at": 1656619453.461 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVerifiedAccessGroup", - "name": "AWSRAMPermissionVerifiedAccessGroup", - "resource_type": "ec2:VerifiedAccessGroup", - "is_default": true, - "created_at": 1668095846.972, - "updated_at": 1668095846.972 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog", - "name": "AWSRAMDefaultPermissionGlueCatalog", - "resource_type": "glue:Catalog", - "is_default": true, - "created_at": 1656619466.612, - "updated_at": 1656619466.612 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueAllTablesReadWriteForCatalog", - "name": "AWSRAMPermissionGlueAllTablesReadWriteForCatalog", - "resource_type": "glue:Catalog", - "is_default": false, - "created_at": 1666891196.25, - "updated_at": 1666891196.25 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWriteForCatalog", - "name": "AWSRAMPermissionGlueDatabaseReadWriteForCatalog", - "resource_type": "glue:Catalog", - "is_default": false, - "created_at": 1666891220.322, - "updated_at": 1666891220.322 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWriteForCatalog", - "name": "AWSRAMPermissionGlueTableReadWriteForCatalog", - "resource_type": "glue:Catalog", - "is_default": false, - "created_at": 1666891170.644, - "updated_at": 1666891170.644 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWriteForCatalog", - "name": "AWSRAMPermissionLFTagGlueDatabaseReadWriteForCatalog", - "resource_type": "glue:Catalog", - "is_default": false, - "created_at": 1666891357.435, - "updated_at": 1666891357.435 - }, - { - "arn": 
"arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWriteForCatalog", - "name": "AWSRAMPermissionLFTagGlueTableReadWriteForCatalog", - "resource_type": "glue:Catalog", - "is_default": false, - "created_at": 1666891297.593, - "updated_at": 1666891297.593 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase", - "name": "AWSRAMDefaultPermissionGlueDatabase", - "resource_type": "glue:Database", - "is_default": true, - "created_at": 1656619465.912, - "updated_at": 1656619465.912 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase", - "name": "AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1687896324.471, - "updated_at": 1687896324.471 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueDatabaseReadWrite", - "name": "AWSRAMLFEnabledGlueDatabaseReadWrite", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1687896327.153, - "updated_at": 1687896327.153 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueAllTablesReadWriteForDatabase", - "name": "AWSRAMPermissionGlueAllTablesReadWriteForDatabase", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1666891183.345, - "updated_at": 1666891183.345 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWrite", - "name": "AWSRAMPermissionGlueDatabaseReadWrite", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1666891208.415, - "updated_at": 1666891208.415 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWriteForDatabase", - "name": "AWSRAMPermissionGlueTableReadWriteForDatabase", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1666891157.062, - "updated_at": 1666891157.062 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWrite", - "name": 
"AWSRAMPermissionLFTagGlueDatabaseReadWrite", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1666891334.138, - "updated_at": 1666891334.138 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWriteForDatabase", - "name": "AWSRAMPermissionLFTagGlueTableReadWriteForDatabase", - "resource_type": "glue:Database", - "is_default": false, - "created_at": 1666891309.92, - "updated_at": 1666891309.92 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable", - "name": "AWSRAMDefaultPermissionGlueTable", - "resource_type": "glue:Table", - "is_default": true, - "created_at": 1656619464.372, - "updated_at": 1656619464.372 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueDatabaseReadWriteForTable", - "name": "AWSRAMLFEnabledGlueDatabaseReadWriteForTable", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1687896333.534, - "updated_at": 1687896333.534 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite", - "name": "AWSRAMLFEnabledGlueTableReadWrite", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1687896321.095, - "updated_at": 1687896321.095 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWriteForTable", - "name": "AWSRAMPermissionGlueDatabaseReadWriteForTable", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1656619449.034, - "updated_at": 1656619449.034 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWrite", - "name": "AWSRAMPermissionGlueTableReadWrite", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1656619443.947, - "updated_at": 1656619443.947 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWriteForTable", - "name": "AWSRAMPermissionLFTagGlueDatabaseReadWriteForTable", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1666891346.191, - 
"updated_at": 1666891346.191 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWrite", - "name": "AWSRAMPermissionLFTagGlueTableReadWrite", - "resource_type": "glue:Table", - "is_default": false, - "created_at": 1666891321.908, - "updated_at": 1666891321.908 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent", - "name": "AWSRAMDefaultPermissionImageBuilderComponent", - "resource_type": "imagebuilder:Component", - "is_default": true, - "created_at": 1656619461.977, - "updated_at": 1656619461.977 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderContainerRecipe", - "name": "AWSRAMDefaultPermissionImageBuilderContainerRecipe", - "resource_type": "imagebuilder:ContainerRecipe", - "is_default": true, - "created_at": 1656619462.126, - "updated_at": 1656619462.126 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage", - "name": "AWSRAMDefaultPermissionImageBuilderImage", - "resource_type": "imagebuilder:Image", - "is_default": true, - "created_at": 1656619461.201, - "updated_at": 1656619461.201 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImageRecipe", - "name": "AWSRAMDefaultPermissionImageBuilderImageRecipe", - "resource_type": "imagebuilder:ImageRecipe", - "is_default": true, - "created_at": 1656619462.832, - "updated_at": 1656619462.832 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration", - "name": "AWSRAMDefaultPermissionLicenseConfiguration", - "resource_type": "license-manager:LicenseConfiguration", - "is_default": true, - "created_at": 1656619457.242, - "updated_at": 1656619457.242 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy", - "name": "AWSRAMDefaultPermissionNetworkFirewallPolicy", - "resource_type": "network-firewall:FirewallPolicy", - "is_default": true, - "created_at": 1656619466.783, - "updated_at": 
1656619466.783 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup", - "name": "AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup", - "resource_type": "network-firewall:StatefulRulegroup", - "is_default": true, - "created_at": 1692911780.762, - "updated_at": 1692911780.762 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup", - "name": "AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup", - "resource_type": "network-firewall:StatelessRulegroup", - "is_default": true, - "created_at": 1656619467.508, - "updated_at": 1656619467.508 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsNetworkManagerCoreNetwork", - "name": "AWSRAMDefaultPermissionsNetworkManagerCoreNetwork", - "resource_type": "networkmanager:CoreNetwork", - "is_default": true, - "created_at": 1656619424.683, - "updated_at": 1656619424.683 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMTransitGatewayPermissionsNetworkManagerCoreNetwork", - "name": "AWSRAMTransitGatewayPermissionsNetworkManagerCoreNetwork", - "resource_type": "networkmanager:CoreNetwork", - "is_default": false, - "created_at": 1656619428.071, - "updated_at": 1656619428.071 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMVPCPermissionsNetworkManagerCoreNetwork", - "name": "AWSRAMVPCPermissionsNetworkManagerCoreNetwork", - "resource_type": "networkmanager:CoreNetwork", - "is_default": false, - "created_at": 1656619426.477, - "updated_at": 1656619426.477 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost", - "name": "AWSRAMDefaultPermissionOutpostsOutpost", - "resource_type": "outposts:Outpost", - "is_default": true, - "created_at": 1656619418.935, - "updated_at": 1656619418.935 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsSite", - "name": "AWSRAMDefaultPermissionOutpostsSite", - "resource_type": "outposts:Site", - "is_default": 
true, - "created_at": 1656619420.958, - "updated_at": 1656619420.958 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster", - "name": "AWSRAMDefaultPermissionRDSCluster", - "resource_type": "rds:Cluster", - "is_default": true, - "created_at": 1656619456.671, - "updated_at": 1656619456.671 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRefactorSpacesEnvironment", - "name": "AWSRAMDefaultPermissionRefactorSpacesEnvironment", - "resource_type": "refactor-spaces:Environment", - "is_default": true, - "created_at": 1656619470.283, - "updated_at": 1656619470.283 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup", - "name": "AWSRAMDefaultPermissionResourceGroup", - "resource_type": "resource-groups:Group", - "is_default": true, - "created_at": 1656619450.914, - "updated_at": 1656619450.914 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup", - "name": "AWSRAMDefaultPermissionResolverFirewallRuleGroup", - "resource_type": "route53resolver:FirewallRuleGroup", - "is_default": true, - "created_at": 1656619456.095, - "updated_at": 1656619456.095 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig", - "name": "AWSRAMDefaultPermissionResolverQueryLogConfig", - "resource_type": "route53resolver:ResolverQueryLogConfig", - "is_default": true, - "created_at": 1656619454.922, - "updated_at": 1656619454.922 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule", - "name": "AWSRAMDefaultPermissionResolverRule", - "resource_type": "route53resolver:ResolverRule", - "is_default": true, - "created_at": 1656619454.752, - "updated_at": 1656619454.752 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionS3Outposts", - "name": "AWSRAMDefaultPermissionS3Outposts", - "resource_type": "s3-outposts:Outpost", - "is_default": true, - "created_at": 1682450662.66, - "updated_at": 
1682450662.66 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupAdmin", - "name": "AWSRAMPermissionSageMakerFeatureGroupAdmin", - "resource_type": "sagemaker:FeatureGroup", - "is_default": false, - "created_at": 1681745120.978, - "updated_at": 1681745120.978 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupReadOnly", - "name": "AWSRAMPermissionSageMakerFeatureGroupReadOnly", - "resource_type": "sagemaker:FeatureGroup", - "is_default": true, - "created_at": 1681745117.344, - "updated_at": 1681745117.344 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupReadWrite", - "name": "AWSRAMPermissionSageMakerFeatureGroupReadWrite", - "resource_type": "sagemaker:FeatureGroup", - "is_default": false, - "created_at": 1681745119.51, - "updated_at": 1681745119.51 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsSageMakerLineageGroup", - "name": "AWSRAMDefaultPermissionsSageMakerLineageGroup", - "resource_type": "sagemaker:LineageGroup", - "is_default": true, - "created_at": 1656619469.619, - "updated_at": 1656619469.619 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerModelCards", - "name": "AWSRAMPermissionSageMakerModelCards", - "resource_type": "sagemaker:ModelCard", - "is_default": true, - "created_at": 1688575724.369, - "updated_at": 1688575724.369 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerModelCardsAllowExport", - "name": "AWSRAMPermissionSageMakerModelCardsAllowExport", - "resource_type": "sagemaker:ModelCard", - "is_default": false, - "created_at": 1688575722.729, - "updated_at": 1688575722.729 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSageMakerPipeline", - "name": "AWSRAMDefaultPermissionSageMakerPipeline", - "resource_type": "sagemaker:Pipeline", - "is_default": true, - "created_at": 1656619469.883, - "updated_at": 1656619469.883 - }, - { - "arn": 
"arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerPipelineAllowExecution", - "name": "AWSRAMPermissionSageMakerPipelineAllowExecution", - "resource_type": "sagemaker:Pipeline", - "is_default": false, - "created_at": 1656619429.648, - "updated_at": 1656619429.648 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch", - "name": "AWSRAMPermissionSageMakerCatalogResourceSearch", - "resource_type": "sagemaker:SagemakerCatalog", - "is_default": true, - "created_at": 1685991467.308, - "updated_at": 1685991467.308 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation", - "name": "AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation", - "resource_type": "servicecatalog:Applications", - "is_default": false, - "created_at": 1656619432.204, - "updated_at": 1656619432.204 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly", - "name": "AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly", - "resource_type": "servicecatalog:Applications", - "is_default": true, - "created_at": 1656619430.336, - "updated_at": 1656619430.336 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation", - "name": "AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation", - "resource_type": "servicecatalog:AttributeGroups", - "is_default": false, - "created_at": 1656619433.382, - "updated_at": 1656619433.382 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly", - "name": "AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly", - "resource_type": "servicecatalog:AttributeGroups", - "is_default": true, - "created_at": 1656619432.392, - "updated_at": 1656619432.392 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMContactsContact", - "name": 
"AWSRAMDefaultPermissionSSMContactsContact", - "resource_type": "ssm-contacts:Contact", - "is_default": true, - "created_at": 1656619468.373, - "updated_at": 1656619468.373 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMIncidentsResponsePlan", - "name": "AWSRAMDefaultPermissionSSMIncidentsResponsePlan", - "resource_type": "ssm-incidents:ResponsePlan", - "is_default": true, - "created_at": 1656619467.833, - "updated_at": 1656619467.833 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVpcLatticeServiceReadWrite", - "name": "AWSRAMPermissionVpcLatticeServiceReadWrite", - "resource_type": "vpc-lattice:Service", - "is_default": true, - "created_at": 1675793122.662, - "updated_at": 1675793122.662 - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVpcLatticeServiceNetworkReadWrite", - "name": "AWSRAMPermissionVpcLatticeServiceNetworkReadWrite", - "resource_type": "vpc-lattice:ServiceNetwork", - "is_default": true, - "created_at": 1675793131.89, - "updated_at": 1675793131.89 - } -] diff --git a/modules/ram-share/raw.json b/modules/ram-share/raw.json deleted file mode 100644 index 4efb963..0000000 --- a/modules/ram-share/raw.json +++ /dev/null 
@@ -1,1060 +0,0 @@ -{ - "permissions": [ - { - "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority", - "creationTime": 1656619411.663, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619411.663, - "name": "AWSRAMBlankEndEntityCertificateAPICSRPassthroughIssuanceCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority", - "creationTime": 1668783946.905, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1668783946.905, - "name": "AWSRAMBlankEndEntityCertificateAPIPassthroughIssuanceCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionAppMesh", - "creationTime": 1680017275.91, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1680017275.91, - "name": "AWSRAMDefaultPermissionAppMesh", - "permissionType": "AWS_MANAGED", - "resourceType": "appmesh:Mesh", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCapacityReservation", - "creationTime": 1656619457.419, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619457.419, - "name": "AWSRAMDefaultPermissionCapacityReservation", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:CapacityReservation", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCertificateAuthority", - "creationTime": 1656619463.278, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619463.278, - "name": 
"AWSRAMDefaultPermissionCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildProject", - "creationTime": 1656619457.595, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619457.595, - "name": "AWSRAMDefaultPermissionCodeBuildProject", - "permissionType": "AWS_MANAGED", - "resourceType": "codebuild:Project", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCodeBuildReportGroup", - "creationTime": 1656619457.761, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619457.761, - "name": "AWSRAMDefaultPermissionCodeBuildReportGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "codebuild:ReportGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionCoipPool", - "creationTime": 1656619452.75, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619452.75, - "name": "AWSRAMDefaultPermissionCoipPool", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:CoipPool", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionDedicatedHost", - "creationTime": 1656619458.351, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619458.351, - "name": "AWSRAMDefaultPermissionDedicatedHost", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:DedicatedHost", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueCatalog", - "creationTime": 1656619466.612, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619466.612, - "name": "AWSRAMDefaultPermissionGlueCatalog", - "permissionType": 
"AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueDatabase", - "creationTime": 1656619465.912, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619465.912, - "name": "AWSRAMDefaultPermissionGlueDatabase", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionGlueTable", - "creationTime": 1656619464.372, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619464.372, - "name": "AWSRAMDefaultPermissionGlueTable", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderComponent", - "creationTime": 1656619461.977, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619461.977, - "name": "AWSRAMDefaultPermissionImageBuilderComponent", - "permissionType": "AWS_MANAGED", - "resourceType": "imagebuilder:Component", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderContainerRecipe", - "creationTime": 1656619462.126, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619462.126, - "name": "AWSRAMDefaultPermissionImageBuilderContainerRecipe", - "permissionType": "AWS_MANAGED", - "resourceType": "imagebuilder:ContainerRecipe", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImage", - "creationTime": 1656619461.201, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619461.201, - "name": "AWSRAMDefaultPermissionImageBuilderImage", - "permissionType": "AWS_MANAGED", - "resourceType": 
"imagebuilder:Image", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionImageBuilderImageRecipe", - "creationTime": 1656619462.832, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619462.832, - "name": "AWSRAMDefaultPermissionImageBuilderImageRecipe", - "permissionType": "AWS_MANAGED", - "resourceType": "imagebuilder:ImageRecipe", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLicenseConfiguration", - "creationTime": 1656619457.242, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619457.242, - "name": "AWSRAMDefaultPermissionLicenseConfiguration", - "permissionType": "AWS_MANAGED", - "resourceType": "license-manager:LicenseConfiguration", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionLocalGateway", - "creationTime": 1660150032.685, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1660150032.685, - "name": "AWSRAMDefaultPermissionLocalGateway", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:LocalGatewayRouteTable", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionMarketplaceCatalogEntityReadOnly", - "creationTime": 1677521890.983, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1677521890.983, - "name": "AWSRAMDefaultPermissionMarketplaceCatalogEntityReadOnly", - "permissionType": "AWS_MANAGED", - "resourceType": "aws-marketplace:Entity", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallPolicy", - "creationTime": 1656619466.783, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619466.783, - "name": "AWSRAMDefaultPermissionNetworkFirewallPolicy", - 
"permissionType": "AWS_MANAGED", - "resourceType": "network-firewall:FirewallPolicy", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup", - "creationTime": 1692911780.762, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1692911780.762, - "name": "AWSRAMDefaultPermissionNetworkFirewallStatefulRuleGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "network-firewall:StatefulRulegroup", - "status": "ATTACHABLE", - "version": "2" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup", - "creationTime": 1656619467.508, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619467.508, - "name": "AWSRAMDefaultPermissionNetworkFirewallStatelessRuleGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "network-firewall:StatelessRulegroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsOutpost", - "creationTime": 1656619418.935, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619418.935, - "name": "AWSRAMDefaultPermissionOutpostsOutpost", - "permissionType": "AWS_MANAGED", - "resourceType": "outposts:Outpost", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionOutpostsSite", - "creationTime": 1656619420.958, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619420.958, - "name": "AWSRAMDefaultPermissionOutpostsSite", - "permissionType": "AWS_MANAGED", - "resourceType": "outposts:Site", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionPrefixList", - "creationTime": 1656619460.594, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619460.594, - "name": 
"AWSRAMDefaultPermissionPrefixList", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:PrefixList", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRDSCluster", - "creationTime": 1656619456.671, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619456.671, - "name": "AWSRAMDefaultPermissionRDSCluster", - "permissionType": "AWS_MANAGED", - "resourceType": "rds:Cluster", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionRefactorSpacesEnvironment", - "creationTime": 1656619470.283, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619470.283, - "name": "AWSRAMDefaultPermissionRefactorSpacesEnvironment", - "permissionType": "AWS_MANAGED", - "resourceType": "refactor-spaces:Environment", - "status": "ATTACHABLE", - "version": "2" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverFirewallRuleGroup", - "creationTime": 1656619456.095, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619456.095, - "name": "AWSRAMDefaultPermissionResolverFirewallRuleGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "route53resolver:FirewallRuleGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverQueryLogConfig", - "creationTime": 1656619454.922, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619454.922, - "name": "AWSRAMDefaultPermissionResolverQueryLogConfig", - "permissionType": "AWS_MANAGED", - "resourceType": "route53resolver:ResolverQueryLogConfig", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResolverRule", - "creationTime": 1656619454.752, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619454.752, 
- "name": "AWSRAMDefaultPermissionResolverRule", - "permissionType": "AWS_MANAGED", - "resourceType": "route53resolver:ResolverRule", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionResourceGroup", - "creationTime": 1656619450.914, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619450.914, - "name": "AWSRAMDefaultPermissionResourceGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "resource-groups:Group", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionS3Outposts", - "creationTime": 1682450662.66, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1682450662.66, - "name": "AWSRAMDefaultPermissionS3Outposts", - "permissionType": "AWS_MANAGED", - "resourceType": "s3-outposts:Outpost", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMContactsContact", - "creationTime": 1656619468.373, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619468.373, - "name": "AWSRAMDefaultPermissionSSMContactsContact", - "permissionType": "AWS_MANAGED", - "resourceType": "ssm-contacts:Contact", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSSMIncidentsResponsePlan", - "creationTime": 1656619467.833, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619467.833, - "name": "AWSRAMDefaultPermissionSSMIncidentsResponsePlan", - "permissionType": "AWS_MANAGED", - "resourceType": "ssm-incidents:ResponsePlan", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSageMakerPipeline", - "creationTime": 1656619469.883, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619469.883, - "name": 
"AWSRAMDefaultPermissionSageMakerPipeline", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:Pipeline", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionServerManageability", - "creationTime": 1656619458.93, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619458.93, - "name": "AWSRAMDefaultPermissionServerManageability", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:DedicatedHost", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionSubnet", - "creationTime": 1668109491.38, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1668109491.38, - "name": "AWSRAMDefaultPermissionSubnet", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:Subnet", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTrafficMirror", - "creationTime": 1656619454.601, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619454.601, - "name": "AWSRAMDefaultPermissionTrafficMirror", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:TrafficMirrorTarget", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGateway", - "creationTime": 1656619453.29, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619453.29, - "name": "AWSRAMDefaultPermissionTransitGateway", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:TransitGateway", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionTransitGatewayMulticastDomain", - "creationTime": 1656619453.461, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619453.461, - "name": "AWSRAMDefaultPermissionTransitGatewayMulticastDomain", - 
"permissionType": "AWS_MANAGED", - "resourceType": "ec2:TransitGatewayMulticastDomain", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsIpamPool", - "creationTime": 1656619469.3, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619469.3, - "name": "AWSRAMDefaultPermissionsIpamPool", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:IpamPool", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsNetworkManagerCoreNetwork", - "creationTime": 1656619424.683, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619424.683, - "name": "AWSRAMDefaultPermissionsNetworkManagerCoreNetwork", - "permissionType": "AWS_MANAGED", - "resourceType": "networkmanager:CoreNetwork", - "status": "ATTACHABLE", - "version": "2" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsPlacementGroup", - "creationTime": 1656619469.46, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619469.46, - "name": "AWSRAMDefaultPermissionsPlacementGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:PlacementGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMDefaultPermissionsSageMakerLineageGroup", - "creationTime": 1656619469.619, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619469.619, - "name": "AWSRAMDefaultPermissionsSageMakerLineageGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:LineageGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMEndEntityClientAuthCertificateIssuanceCertificateAuthority", - "creationTime": 1656619413.412, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619413.412, - "name": 
"AWSRAMEndEntityClientAuthCertificateIssuanceCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMEndEntityServerAuthCertificateIssuanceCertificateAuthority", - "creationTime": 1656619414.244, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619414.244, - "name": "AWSRAMEndEntityServerAuthCertificateIssuanceCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase", - "creationTime": 1687896324.471, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1687896324.471, - "name": "AWSRAMLFEnabledGlueAllTablesReadWriteForDatabase", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueDatabaseReadWrite", - "creationTime": 1687896327.153, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1687896327.153, - "name": "AWSRAMLFEnabledGlueDatabaseReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueDatabaseReadWriteForTable", - "creationTime": 1687896333.534, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1687896333.534, - "name": "AWSRAMLFEnabledGlueDatabaseReadWriteForTable", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMLFEnabledGlueTableReadWrite", - "creationTime": 1687896321.095, - "defaultVersion": true, - "isResourceTypeDefault": 
false, - "lastUpdatedTime": 1687896321.095, - "name": "AWSRAMLFEnabledGlueTableReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncAllowSourceGraphQLAccess", - "creationTime": 1683045153.876, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1683045153.876, - "name": "AWSRAMPermissionAppSyncAllowSourceGraphQLAccess", - "permissionType": "AWS_MANAGED", - "resourceType": "appsync:Apis", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncMergedApiOperationAccess", - "creationTime": 1683045152.769, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1683045152.769, - "name": "AWSRAMPermissionAppSyncMergedApiOperationAccess", - "permissionType": "AWS_MANAGED", - "resourceType": "appsync:Apis", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionAppSyncSourceApiOperationAccess", - "creationTime": 1683045154.649, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1683045154.649, - "name": "AWSRAMPermissionAppSyncSourceApiOperationAccess", - "permissionType": "AWS_MANAGED", - "resourceType": "appsync:Apis", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueAllTablesReadWriteForCatalog", - "creationTime": 1666891196.25, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891196.25, - "name": "AWSRAMPermissionGlueAllTablesReadWriteForCatalog", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueAllTablesReadWriteForDatabase", - "creationTime": 1666891183.345, - "defaultVersion": true, - "isResourceTypeDefault": false, - 
"lastUpdatedTime": 1666891183.345, - "name": "AWSRAMPermissionGlueAllTablesReadWriteForDatabase", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWrite", - "creationTime": 1666891208.415, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891208.415, - "name": "AWSRAMPermissionGlueDatabaseReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWriteForCatalog", - "creationTime": 1666891220.322, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891220.322, - "name": "AWSRAMPermissionGlueDatabaseReadWriteForCatalog", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueDatabaseReadWriteForTable", - "creationTime": 1656619449.034, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619449.034, - "name": "AWSRAMPermissionGlueDatabaseReadWriteForTable", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "2" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWrite", - "creationTime": 1656619443.947, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619443.947, - "name": "AWSRAMPermissionGlueTableReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "2" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWriteForCatalog", - "creationTime": 1666891170.644, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891170.644, - "name": 
"AWSRAMPermissionGlueTableReadWriteForCatalog", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionGlueTableReadWriteForDatabase", - "creationTime": 1666891157.062, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891157.062, - "name": "AWSRAMPermissionGlueTableReadWriteForDatabase", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "3" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionIpamPoolByoipCidrImport", - "creationTime": 1656619435.003, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619435.003, - "name": "AWSRAMPermissionIpamPoolByoipCidrImport", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:IpamPool", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionIpamResourceDiscovery", - "creationTime": 1666904525.951, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1666904525.951, - "name": "AWSRAMPermissionIpamResourceDiscovery", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:IpamResourceDiscovery", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWrite", - "creationTime": 1666891334.138, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891334.138, - "name": "AWSRAMPermissionLFTagGlueDatabaseReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWriteForCatalog", - "creationTime": 1666891357.435, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891357.435, - "name": 
"AWSRAMPermissionLFTagGlueDatabaseReadWriteForCatalog", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueDatabaseReadWriteForTable", - "creationTime": 1666891346.191, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891346.191, - "name": "AWSRAMPermissionLFTagGlueDatabaseReadWriteForTable", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWrite", - "creationTime": 1666891321.908, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891321.908, - "name": "AWSRAMPermissionLFTagGlueTableReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Table", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWriteForCatalog", - "creationTime": 1666891297.593, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891297.593, - "name": "AWSRAMPermissionLFTagGlueTableReadWriteForCatalog", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Catalog", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionLFTagGlueTableReadWriteForDatabase", - "creationTime": 1666891309.92, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1666891309.92, - "name": "AWSRAMPermissionLFTagGlueTableReadWriteForDatabase", - "permissionType": "AWS_MANAGED", - "resourceType": "glue:Database", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionMarketplaceCatalogEntityFullAccess", - "creationTime": 1677521904.261, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1677521904.261, - 
"name": "AWSRAMPermissionMarketplaceCatalogEntityFullAccess", - "permissionType": "AWS_MANAGED", - "resourceType": "aws-marketplace:Entity", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerCatalogResourceSearch", - "creationTime": 1685991467.308, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1685991467.308, - "name": "AWSRAMPermissionSageMakerCatalogResourceSearch", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:SagemakerCatalog", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupAdmin", - "creationTime": 1681745120.978, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1681745120.978, - "name": "AWSRAMPermissionSageMakerFeatureGroupAdmin", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:FeatureGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupReadOnly", - "creationTime": 1681745117.344, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1681745117.344, - "name": "AWSRAMPermissionSageMakerFeatureGroupReadOnly", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:FeatureGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerFeatureGroupReadWrite", - "creationTime": 1681745119.51, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1681745119.51, - "name": "AWSRAMPermissionSageMakerFeatureGroupReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:FeatureGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerModelCards", - "creationTime": 1688575724.369, - "defaultVersion": true, - "isResourceTypeDefault": true, - 
"lastUpdatedTime": 1688575724.369, - "name": "AWSRAMPermissionSageMakerModelCards", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:ModelCard", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerModelCardsAllowExport", - "creationTime": 1688575722.729, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1688575722.729, - "name": "AWSRAMPermissionSageMakerModelCardsAllowExport", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:ModelCard", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionSageMakerPipelineAllowExecution", - "creationTime": 1656619429.648, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619429.648, - "name": "AWSRAMPermissionSageMakerPipelineAllowExecution", - "permissionType": "AWS_MANAGED", - "resourceType": "sagemaker:Pipeline", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation", - "creationTime": 1656619432.204, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619432.204, - "name": "AWSRAMPermissionServiceCatalogAppRegistryApplicationAllowAssociation", - "permissionType": "AWS_MANAGED", - "resourceType": "servicecatalog:Applications", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly", - "creationTime": 1656619430.336, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619430.336, - "name": "AWSRAMPermissionServiceCatalogAppRegistryApplicationReadOnly", - "permissionType": "AWS_MANAGED", - "resourceType": "servicecatalog:Applications", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": 
"arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation", - "creationTime": 1656619433.382, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619433.382, - "name": "AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupAllowAssociation", - "permissionType": "AWS_MANAGED", - "resourceType": "servicecatalog:AttributeGroups", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly", - "creationTime": 1656619432.392, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1656619432.392, - "name": "AWSRAMPermissionServiceCatalogAppRegistryAttributeGroupReadOnly", - "permissionType": "AWS_MANAGED", - "resourceType": "servicecatalog:AttributeGroups", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVerifiedAccessGroup", - "creationTime": 1668095846.972, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1668095846.972, - "name": "AWSRAMPermissionVerifiedAccessGroup", - "permissionType": "AWS_MANAGED", - "resourceType": "ec2:VerifiedAccessGroup", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVpcLatticeServiceNetworkReadWrite", - "creationTime": 1675793131.89, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1675793131.89, - "name": "AWSRAMPermissionVpcLatticeServiceNetworkReadWrite", - "permissionType": "AWS_MANAGED", - "resourceType": "vpc-lattice:ServiceNetwork", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMPermissionVpcLatticeServiceReadWrite", - "creationTime": 1675793122.662, - "defaultVersion": true, - "isResourceTypeDefault": true, - "lastUpdatedTime": 1675793122.662, - "name": "AWSRAMPermissionVpcLatticeServiceReadWrite", - "permissionType": 
"AWS_MANAGED", - "resourceType": "vpc-lattice:Service", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMRevokeCertificateCertificateAuthority", - "creationTime": 1656619416.747, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619416.747, - "name": "AWSRAMRevokeCertificateCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority", - "creationTime": 1656619414.846, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619414.846, - "name": "AWSRAMSubordinateCACertificatePathLen0IssuanceCertificateAuthority", - "permissionType": "AWS_MANAGED", - "resourceType": "acm-pca:CertificateAuthority", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMTransitGatewayPermissionsNetworkManagerCoreNetwork", - "creationTime": 1656619428.071, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619428.071, - "name": "AWSRAMTransitGatewayPermissionsNetworkManagerCoreNetwork", - "permissionType": "AWS_MANAGED", - "resourceType": "networkmanager:CoreNetwork", - "status": "ATTACHABLE", - "version": "1" - }, - { - "arn": "arn:aws:ram::aws:permission/AWSRAMVPCPermissionsNetworkManagerCoreNetwork", - "creationTime": 1656619426.477, - "defaultVersion": true, - "isResourceTypeDefault": false, - "lastUpdatedTime": 1656619426.477, - "name": "AWSRAMVPCPermissionsNetworkManagerCoreNetwork", - "permissionType": "AWS_MANAGED", - "resourceType": "networkmanager:CoreNetwork", - "status": "ATTACHABLE", - "version": "1" - } - ] -} diff --git a/modules/ram-share/resource-group.tf b/modules/ram-share/resource-group.tf deleted file mode 100644 index 7487ba0..0000000 
--- a/modules/ram-share/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/ram-share/variables.tf b/modules/ram-share/variables.tf
deleted file mode 100644
index 73b59a3..0000000
--- a/modules/ram-share/variables.tf
+++ /dev/null
@@ -1,72 +0,0 @@
-variable "name" {
- description = "(Required) The name of the resource share."
- type = string
-}
-
-variable "external_principals_allowed" {
- description = "(Optional) Indicates whether principals outside your organization can be associated with a resource share."
- type = bool
- default = false
- nullable = false
-}
-
-variable "permissions" {
- description = "(Optional) A list of the names of the RAM permission to associate with the resource share. If you do not specify, RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "principals" {
- description = "(Optional) A list of the Amazon Resource Names (ARNs) of the principal to associate with the RAM Resource Share. Possible values are an AWS account ID, an AWS Organizations Organization ARN, or an AWS Organizations Organization Unit ARN."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "resources" {
- description = "(Optional) A list of the Amazon Resource Names (ARNs) of the resource to associate with the RAM Resource Share."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "tags" {
- description = "(Optional) A map of tags to add to all resources."
- type = map(string)
- default = {}
- nullable = false
-}
-
-variable "module_tags_enabled" {
- description = "(Optional) Whether to create AWS Resource Tags for the module informations."
- type = bool
- default = true
- nullable = false
-}
-
-
-###################################################
-# Resource Group
-###################################################
-
-variable "resource_group_enabled" {
- description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
- nullable = false
-}
-
-variable "resource_group_name" {
- description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
- nullable = false
-}
-
-variable "resource_group_description" {
- description = "(Optional) The description of Resource Group."
- type = string
- default = "Managed by Terraform."
- nullable = false
-}
diff --git a/modules/ram-share/versions.tf b/modules/ram-share/versions.tf
deleted file mode 100644
index acc0dcc..0000000
--- a/modules/ram-share/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.29"
- }
- }
-}
diff --git a/modules/sso-access-control-attributes/README.md b/modules/sso-access-control-attributes/README.md
deleted file mode 100644
index 21eca4a..0000000
--- a/modules/sso-access-control-attributes/README.md
+++ /dev/null
@@ -1,45 +0,0 @@ -# sso-access-control-attributes - -This module creates following resources. - -- `aws_ssoadmin_instance_access_control_attributes` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.49 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.19.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_ssoadmin_instance_access_control_attributes.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_instance_access_control_attributes) | resource | -| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [attributes](#input\_attributes) | (Optional) A map of attributes for access control are used in permission policies that determine who in an identity source can access your AWS resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [attributes](#output\_attributes) | A map of attributes for access control are used in permission policies that determine who in an identity source can access your AWS resources. | -| [instance\_arn](#output\_instance\_arn) | The Amazon Resource Name (ARN) of the SSO Instance. | -| [status](#output\_status) | The status of ID of the Instance Access Control Attribute `instance_arn`. | - diff --git a/modules/sso-access-control-attributes/main.tf b/modules/sso-access-control-attributes/main.tf deleted file mode 100644 index ca6ebfb..0000000 --- a/modules/sso-access-control-attributes/main.tf +++ /dev/null 
@@ -1,33 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = "attributes"
- }
-}
-
-data "aws_ssoadmin_instances" "this" {}
-
-locals {
- sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-}
-
-
-resource "aws_ssoadmin_instance_access_control_attributes" "this" {
- count = length(keys(var.attributes)) > 0 ? 1 : 0
-
- instance_arn = local.sso_instance_arn
-
- dynamic "attribute" {
- for_each = var.attributes
-
- content {
- key = attribute.key
-
- value {
- source = [attribute.value]
- }
- }
- }
-}
diff --git a/modules/sso-access-control-attributes/outputs.tf b/modules/sso-access-control-attributes/outputs.tf
deleted file mode 100644
index c15a552..0000000
--- a/modules/sso-access-control-attributes/outputs.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-output "instance_arn" {
- description = "The Amazon Resource Name (ARN) of the SSO Instance."
- value = one(aws_ssoadmin_instance_access_control_attributes.this[*].instance_arn)
-}
-
-output "attributes" {
- description = "A map of attributes for access control are used in permission policies that determine who in an identity source can access your AWS resources."
- value = {
- for attr in try(one(aws_ssoadmin_instance_access_control_attributes.this[*]).attribute, []) :
- attr.key => tolist(tolist(attr.value)[0].source)[0]
- }
-}
-
-output "status" {
- description = "The status of ID of the Instance Access Control Attribute `instance_arn`."
- value = one(aws_ssoadmin_instance_access_control_attributes.this[*].status)
-}
diff --git a/modules/sso-access-control-attributes/variables.tf b/modules/sso-access-control-attributes/variables.tf
deleted file mode 100644
index a22b665..0000000
--- a/modules/sso-access-control-attributes/variables.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-variable "attributes" {
- description = "(Optional) A map of attributes for access control are used in permission policies that determine who in an identity source can access your AWS resources."
- type = map(string)
- default = {}
- nullable = false
-}
diff --git a/modules/sso-access-control-attributes/versions.tf b/modules/sso-access-control-attributes/versions.tf
deleted file mode 100644
index 1649a61..0000000
--- a/modules/sso-access-control-attributes/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.49"
- }
- }
-}
diff --git a/modules/sso-account-assignment/README.md b/modules/sso-account-assignment/README.md
deleted file mode 100644
index eeb708c..0000000
--- a/modules/sso-account-assignment/README.md
+++ /dev/null
@@ -1,56 +0,0 @@ -# sso-account-assignment - -This module creates following resources. - -- `aws_ssoadmin_account_assignment` - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.64 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.19.0 | - -## Modules - -No modules. - -## Resources - -| Name | Type | -|------|------| -| [aws_ssoadmin_account_assignment.groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource | -| [aws_ssoadmin_account_assignment.users](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_account_assignment) | resource | -| [aws_identitystore_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_group) | data source | -| [aws_identitystore_user.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/identitystore_user) | data source | -| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source | -| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_permission_set) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [account\_id](#input\_account\_id) | (Required) The identifier of an AWS account which the assignment willb e created. Typically a 10-12 digit string. | `string` | n/a | yes | -| [permission\_set\_arn](#input\_permission\_set\_arn) | (Required) The ARN of the Permission Set that the admin wants to grant the principal access to. | `string` | n/a | yes | -| [groups](#input\_groups) | (Optional) List of names of Group entities who can access to the Permission Set. 
| `list(string)` | `[]` | no | -| [users](#input\_users) | (Optional) List of names of User entities who can access to the Permission Set. | `list(string)` | `[]` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [account\_id](#output\_account\_id) | The identifier of an AWS account. | -| [group\_assignments](#output\_group\_assignments) | List of groups who can access to the Permission Set. | -| [identity\_store\_id](#output\_identity\_store\_id) | The ID of SSO Identity Store. | -| [instance\_arn](#output\_instance\_arn) | The Amazon Resource Name (ARN) of the SSO Instance. | -| [name](#output\_name) | The name of the Account Assignment. | -| [permission\_set](#output\_permission\_set) | The Amazon Resource Name (ARN) of the Permission Set | -| [user\_assignments](#output\_user\_assignments) | List of users who can access to the Permission Set. | - diff --git a/modules/sso-account-assignment/main.tf b/modules/sso-account-assignment/main.tf deleted file mode 100644 index deb194f..0000000 --- a/modules/sso-account-assignment/main.tf +++ /dev/null 
@@ -1,79 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = "${var.account_id}/${data.aws_ssoadmin_permission_set.this.name}"
- }
-}
-
-data "aws_ssoadmin_instances" "this" {}
-
-data "aws_ssoadmin_permission_set" "this" {
- instance_arn = local.sso_instance_arn
- arn = var.permission_set_arn
-}
-
-data "aws_identitystore_group" "this" {
- for_each = toset(var.groups)
-
- identity_store_id = local.sso_identity_store_id
-
- alternate_identifier {
- unique_attribute {
- attribute_path = "DisplayName"
- attribute_value = each.key
- }
- }
-}
-
-data "aws_identitystore_user" "this" {
- for_each = toset(var.users)
-
- identity_store_id = local.sso_identity_store_id
-
- alternate_identifier {
- unique_attribute {
- attribute_path = "UserName"
- attribute_value = each.key
- }
- }
-}
-
-locals {
- sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
- sso_identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
-}
-
-
-###################################################
-# Account Assignments
-###################################################
-
-resource "aws_ssoadmin_account_assignment" "groups" {
- for_each = toset(var.groups)
-
- instance_arn = local.sso_instance_arn
-
- target_type = "AWS_ACCOUNT"
- target_id = var.account_id
-
- permission_set_arn = var.permission_set_arn
-
- principal_type = "GROUP"
- principal_id = data.aws_identitystore_group.this[each.key].group_id
-}
-
-resource "aws_ssoadmin_account_assignment" "users" {
- for_each = toset(var.users)
-
- instance_arn = local.sso_instance_arn
-
- target_type = "AWS_ACCOUNT"
- target_id = var.account_id
-
- permission_set_arn = var.permission_set_arn
-
- principal_type = "USER"
- principal_id = data.aws_identitystore_user.this[each.key].user_id
-}
diff --git a/modules/sso-account-assignment/outputs.tf b/modules/sso-account-assignment/outputs.tf
deleted file mode 100644
index e8f157c..0000000
--- a/modules/sso-account-assignment/outputs.tf
+++ /dev/null
@@ -1,44 +0,0 @@
-output "name" {
- description = "The name of the Account Assignment."
- value = local.metadata.name
-}
-
-output "account_id" {
- description = "The identifier of an AWS account."
- value = var.account_id
-}
-
-output "permission_set" {
- description = "The Amazon Resource Name (ARN) of the Permission Set"
- value = var.permission_set_arn
-}
-
-output "instance_arn" {
- description = "The Amazon Resource Name (ARN) of the SSO Instance."
- value = local.sso_instance_arn
-}
-
-output "identity_store_id" {
- description = "The ID of SSO Identity Store."
- value = local.sso_identity_store_id
-}
-
-output "group_assignments" {
- description = "List of groups who can access to the Permission Set."
- value = [
- for name, group in aws_ssoadmin_account_assignment.groups : {
- id = group.principal_id
- name = name
- }
- ]
-}
-
-output "user_assignments" {
- description = "List of users who can access to the Permission Set."
- value = [
- for name, user in aws_ssoadmin_account_assignment.users : {
- id = user.principal_id
- name = name
- }
- ]
-}
diff --git a/modules/sso-account-assignment/variables.tf b/modules/sso-account-assignment/variables.tf
deleted file mode 100644
index 600713c..0000000
--- a/modules/sso-account-assignment/variables.tf
+++ /dev/null
@@ -1,25 +0,0 @@
-variable "account_id" {
- description = "(Required) The identifier of an AWS account which the assignment willb e created. Typically a 10-12 digit string."
- type = string
- nullable = false
-}
-
-variable "permission_set_arn" {
- description = "(Required) The ARN of the Permission Set that the admin wants to grant the principal access to."
- type = string
- nullable = false
-}
-
-variable "groups" {
- description = "(Optional) List of names of Group entities who can access to the Permission Set."
- type = list(string)
- default = []
- nullable = false
-}
-
-variable "users" {
- description = "(Optional) List of names of User entities who can access to the Permission Set."
- type = list(string)
- default = []
- nullable = false
-}
diff --git a/modules/sso-account-assignment/versions.tf b/modules/sso-account-assignment/versions.tf
deleted file mode 100644
index f3017e1..0000000
--- a/modules/sso-account-assignment/versions.tf
+++ /dev/null
@@ -1,10 +0,0 @@
-terraform {
- required_version = ">= 1.5"
-
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.64"
- }
- }
-}
diff --git a/modules/sso-permission-set/README.md b/modules/sso-permission-set/README.md
deleted file mode 100644
index a161e72..0000000
--- a/modules/sso-permission-set/README.md
+++ /dev/null
@@ -1,72 +0,0 @@ -# sso-permission-set - -This module creates following resources. - -- `aws_ssoadmin_permission_set` -- `aws_ssoadmin_customer_managed_policy_attachment` (optional) -- `aws_ssoadmin_managed_policy_attachment` (optional) -- `aws_ssoadmin_permissions_boundary_attachment` (optional) -- `aws_ssoadmin_permission_set_inline_policy` (optional) - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.64 | - -## Providers - -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | 5.19.0 | - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | - -## Resources - -| Name | Type | -|------|------| -| [aws_ssoadmin_customer_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_customer_managed_policy_attachment) | resource | -| [aws_ssoadmin_managed_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_managed_policy_attachment) | resource | -| [aws_ssoadmin_permission_set.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set) | resource | -| [aws_ssoadmin_permission_set_inline_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permission_set_inline_policy) | resource | -| [aws_ssoadmin_permissions_boundary_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssoadmin_permissions_boundary_attachment) | resource | -| [aws_ssoadmin_instances.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssoadmin_instances) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| 
[name](#input\_name) | (Required) The name of the Permission Set. | `string` | n/a | yes | -| [description](#input\_description) | (Optional) The description of the Permission Set. | `string` | `"Managed by Terraform."` | no | -| [inline\_policy](#input\_inline\_policy) | (Optional) The IAM inline policy to attach to a Permission Set. Only supports one IAM inline policy per Permission Set. Creating or updating this resource will automatically Provision the Permission Set to apply the corresponding updates to all assigned accounts. | `string` | `null` | no | -| [managed\_policies](#input\_managed\_policies) | (Optional) The configuration for managed policies to be attached to the Permission Set. You can assign AWS managed policies, customer managed policies. Each value of `managed_policies` block as defined below.
(Required) `type` - The type of the managed policy. Valid values are `AWS_MANAGED` or `CUSTOMER_MANAGED`.
(Optional) `name` - The name of the customer managed policy. Required if `type` is `CUSTOMER_MANAGED`.
(Optional) `path` - The path of the customer managed policy. Default to `/`.
(Optional) `arn` - The ARN of the AWS-managed policy. Required if `type` is `AWS_MANAGED`. |
list(object({
type = string
name = optional(string)
path = optional(string, "/")
arn = optional(string)
}))
| `[]` | no | -| [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [permissions\_boundary](#input\_permissions\_boundary) | (Optional) The configuration for the permissions boundary policy to be attached to the Permission Set. `permissions_boundary` block as defined below.
(Required) `type` - The type of the permissions boundary policy. Valid values are `AWS_MANAGED` or `CUSTOMER_MANAGED`.
(Optional) `name` - The name of the customer managed permissions boundary policy. Required if `type` is `CUSTOMER_MANAGED`.
(Optional) `path` - The path of the customer managed permissions boundary policy. Default to `/`.
(Optional) `arn` - The ARN of the AWS-managed permissions boundary policy. Required if `type` is `AWS_MANAGED`. |
object({
type = string
name = optional(string)
path = optional(string, "/")
arn = optional(string)
})
| `null` | no | -| [relay\_state](#input\_relay\_state) | (Optional) The relay state URL used to redirect users within the application during the federation authentication process. | `string` | `null` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [session\_duration](#input\_session\_duration) | (Optional) The length of time that the application user sessions are valid in seconds. Duration should be a number between `3600` (1 hour) and `43200` (12 hours). | `number` | `3600` | no | -| [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| [arn](#output\_arn) | The Amazon Resource Name (ARN) of the Permission Set. | -| [created\_at](#output\_created\_at) | The date the Permission Set was created in RFC3339 format. | -| [inline\_policy](#output\_inline\_policy) | The IAM inline policy which are attached to the Permission Set. | -| [instance\_arn](#output\_instance\_arn) | The Amazon Resource Name (ARN) of the SSO Instance. | -| [managed\_policies](#output\_managed\_policies) | A list of managed policies which are attached to the Permission Set. | -| [name](#output\_name) | The name of the Permission Set. | -| [permissions\_boundary](#output\_permissions\_boundary) | The configuration for the permissions boundary policy of the Permission Set. 
| -| [relay\_state](#output\_relay\_state) | The relay state URL used to redirect users within the application during the federation authentication process. | -| [session\_duration](#output\_session\_duration) | The length of time that the application user sessions are valid in seconds. | - diff --git a/modules/sso-permission-set/main.tf b/modules/sso-permission-set/main.tf deleted file mode 100644 index 5977820..0000000 --- a/modules/sso-permission-set/main.tf +++ /dev/null 
@@ -1,132 +0,0 @@
-locals {
- metadata = {
- package = "terraform-aws-account"
- version = trimspace(file("${path.module}/../../VERSION"))
- module = basename(path.module)
- name = var.name
- }
- module_tags = var.module_tags_enabled ? {
- "module.terraform.io/package" = local.metadata.package
- "module.terraform.io/version" = local.metadata.version
- "module.terraform.io/name" = local.metadata.module
- "module.terraform.io/full-name" = "${local.metadata.package}/${local.metadata.module}"
- "module.terraform.io/instance" = local.metadata.name
- } : {}
-}
-
-data "aws_ssoadmin_instances" "this" {}
-
-locals {
- sso_instance_arn = tolist(data.aws_ssoadmin_instances.this.arns)[0]
-
- session_duration = {
- "H" = floor(var.session_duration / 3600)
- "M" = floor((var.session_duration % 3600) / 60)
- "S" = floor((var.session_duration % 3600) % 60)
- }
- session_duration_iso_8601 = join("", [
- "PT",
- join("", [
- for unit, n in local.session_duration :
- "${n}${unit}"
- if n > 0
- ])
- ])
-}
-
-
-resource "aws_ssoadmin_permission_set" "this" {
- name = var.name
- description = var.description
- instance_arn = local.sso_instance_arn
-
- session_duration = local.session_duration_iso_8601
- relay_state = var.relay_state
-
- tags = merge(
- {
- "Name" = local.metadata.name
- },
- local.module_tags,
- var.tags,
- )
-}
-
-
-###################################################
-# Managed Policies
-###################################################
-
-resource "aws_ssoadmin_managed_policy_attachment" "this" {
- for_each = {
- for policy in var.managed_policies :
- policy.arn => policy
- if policy.type == "AWS_MANAGED"
- }
-
-
- instance_arn = aws_ssoadmin_permission_set.this.instance_arn
- permission_set_arn = aws_ssoadmin_permission_set.this.arn
-
- managed_policy_arn = each.key
-}
-
-resource "aws_ssoadmin_customer_managed_policy_attachment" "this" {
- for_each = {
- for policy in var.managed_policies :
- "${policy.path}/${policy.name}" => policy
- if policy.type == 
"CUSTOMER_MANAGED"
- }
-
- instance_arn = aws_ssoadmin_permission_set.this.instance_arn
- permission_set_arn = aws_ssoadmin_permission_set.this.arn
-
- customer_managed_policy_reference {
- name = each.value.name
- path = each.value.path
- }
-}
-
-
-###################################################
-# Inline Policy
-###################################################
-
-resource "aws_ssoadmin_permission_set_inline_policy" "this" {
- count = var.inline_policy != null ? 1 : 0
-
- instance_arn = aws_ssoadmin_permission_set.this.instance_arn
- permission_set_arn = aws_ssoadmin_permission_set.this.arn
- inline_policy = var.inline_policy
-}
-
-
-###################################################
-# Permissions Boundary Policy
-###################################################
-
-resource "aws_ssoadmin_permissions_boundary_attachment" "this" {
- count = var.permissions_boundary != null ? 1 : 0
-
- instance_arn = aws_ssoadmin_permission_set.this.instance_arn
- permission_set_arn = aws_ssoadmin_permission_set.this.arn
-
- dynamic "permissions_boundary" {
- for_each = var.permissions_boundary.type == "CUSTOMER_MANAGED" ? [var.permissions_boundary] : []
-
- content {
- customer_managed_policy_reference {
- name = permissions_boundary.value.name
- path = permissions_boundary.value.path
- }
- }
- }
-
- dynamic "permissions_boundary" {
- for_each = var.permissions_boundary.type == "AWS_MANAGED" ? [var.permissions_boundary] : []
-
- content {
- managed_policy_arn = permissions_boundary.value.arn
- }
- }
-}
diff --git a/modules/sso-permission-set/migrations.tf b/modules/sso-permission-set/migrations.tf
deleted file mode 100644
index e5d6bcd..0000000
--- a/modules/sso-permission-set/migrations.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-# 2022-11-24
-moved {
- from = aws_resourcegroups_group.this[0]
- to = module.resource_group[0].aws_resourcegroups_group.this
-}
diff --git a/modules/sso-permission-set/outputs.tf b/modules/sso-permission-set/outputs.tf
deleted file mode 100644
index d0e3ed7..0000000
--- a/modules/sso-permission-set/outputs.tf
+++ /dev/null
@@ -1,60 +0,0 @@
-output "name" {
- description = "The name of the Permission Set."
- value = aws_ssoadmin_permission_set.this.name
-}
-
-output "arn" {
- description = "The Amazon Resource Name (ARN) of the Permission Set."
- value = aws_ssoadmin_permission_set.this.arn
-}
-
-output "instance_arn" {
- description = "The Amazon Resource Name (ARN) of the SSO Instance."
- value = aws_ssoadmin_permission_set.this.instance_arn
-}
-
-output "session_duration" {
- description = "The length of time that the application user sessions are valid in seconds."
- value = aws_ssoadmin_permission_set.this.session_duration
-}
-
-output "relay_state" {
- description = "The relay state URL used to redirect users within the application during the federation authentication process."
- value = aws_ssoadmin_permission_set.this.relay_state
-}
-
-output "managed_policies" {
- description = "A list of managed policies which are attached to the Permission Set."
- value = [
- for policy in var.managed_policies :
- try(
- {
- type = policy.type
- arn = aws_ssoadmin_managed_policy_attachment.this[policy.arn].managed_policy_arn
- name = aws_ssoadmin_managed_policy_attachment.this[policy.arn].managed_policy_name
- path = trimsuffix(trimprefix(policy.arn, "arn:aws:iam::aws:policy"), aws_ssoadmin_managed_policy_attachment.this[policy.arn].managed_policy_name)
- },
- {
- type = policy.type
- arn = null
- name = policy.name
- path = policy.path
- },
- )
- ]
-}
-
-output "inline_policy" {
- description = "The IAM inline policy which are attached to the Permission Set."
- value = var.inline_policy
-}
-
-output "permissions_boundary" {
- description = "The configuration for the permissions boundary policy of the Permission Set."
- value = var.permissions_boundary
-}
-
-output "created_at" {
- description = "The date the Permission Set was created in RFC3339 format."
- value = aws_ssoadmin_permission_set.this.created_date
-}
diff --git a/modules/sso-permission-set/resource-group.tf b/modules/sso-permission-set/resource-group.tf
deleted file mode 100644
index 7487ba0..0000000
--- a/modules/sso-permission-set/resource-group.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
- : join(".", [
- local.metadata.package,
- local.metadata.module,
- replace(local.metadata.name, "/[^a-zA-Z0-9_\\.-]/", "-"),
- ])
- )
-}
-
-
-module "resource_group" {
- source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
-
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
-
- name = local.resource_group_name
- description = var.resource_group_description
-
- query = {
- resource_tags = local.module_tags
- }
-
- module_tags_enabled = false
- tags = merge(
- local.module_tags,
- var.tags,
- )
-}
diff --git a/modules/sso-permission-set/variables.tf b/modules/sso-permission-set/variables.tf
deleted file mode 100644
index 92e373b..0000000
--- a/modules/sso-permission-set/variables.tf
+++ /dev/null
@@ -1,166 +0,0 @@ -variable "name" { - description = "(Required) The name of the Permission Set." - type = string - nullable = false -} - -variable "description" { - description = "(Optional) The description of the Permission Set." - type = string - default = "Managed by Terraform." - nullable = false -} - -variable "session_duration" { - description = "(Optional) The length of time that the application user sessions are valid in seconds. Duration should be a number between `3600` (1 hour) and `43200` (12 hours)." - type = number - default = 3600 - nullable = false - - validation { - condition = alltrue([ - var.session_duration >= 3600, - var.session_duration <= 43200 - ]) - error_message = "The value of session duration should be a number between 3600 (1 hour) and 43200 (12 hours)." - } -} - -variable "relay_state" { - description = "(Optional) The relay state URL used to redirect users within the application during the federation authentication process." - type = string - default = null -} - -variable "managed_policies" { - description = < Date: Thu, 18 Apr 2024 01:06:40 +0900 Subject: [PATCH 09/27] Support to manage additional regions for account module (#106) --- modules/account/README.md | 1 + modules/account/contacts.tf | 8 ++++++++ modules/account/outputs.tf | 5 +++++ modules/account/regions.tf | 31 +++++++++++++++++++++++++++++++ modules/account/variables.tf | 28 ++++++++++++++++++++++++++++ 5 files changed, 73 insertions(+) create mode 100644 modules/account/regions.tf diff --git a/modules/account/README.md b/modules/account/README.md index f598cf9..2ac0456 100644 --- a/modules/account/README.md +++ b/modules/account/README.md @@ -7,6 +7,7 @@ This module creates following resources. - `aws_iam_security_token_service_preferences` - `aws_account_primary_contact` (optional) - `aws_account_alternate_contact` (optional) +- `aws_account_region` (optional) - `aws_s3_account_public_access_block` - `aws_spot_datafeed_subscription` (optional) 
diff --git a/modules/account/contacts.tf b/modules/account/contacts.tf
index 08c1bd4..30b914d 100644
--- a/modules/account/contacts.tf
+++ b/modules/account/contacts.tf
@@ -2,6 +2,8 @@
 # Primary Contact
 ###################################################
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_primary_contact" "this" {
 count = var.primary_contact != null ? 1 : 0
@@ -26,6 +28,8 @@ resource "aws_account_primary_contact" "this" {
 # Alternate Contacts
 ###################################################
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "billing" {
 count = var.billing_contact != null ? 1 : 0
@@ -37,6 +41,8 @@ resource "aws_account_alternate_contact" "billing" {
 phone_number = var.billing_contact.phone
 }
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "operation" {
 count = var.operation_contact != null ? 1 : 0
@@ -48,6 +54,8 @@ resource "aws_account_alternate_contact" "operation" {
 phone_number = var.operation_contact.phone
 }
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "security" {
 count = var.security_contact != null ? 1 : 0
diff --git a/modules/account/outputs.tf b/modules/account/outputs.tf
index be0a301..a840e25 100644
--- a/modules/account/outputs.tf
+++ b/modules/account/outputs.tf
@@ -18,6 +18,11 @@ output "password_policy" {
 value = aws_iam_account_password_policy.this
 }
+output "additional_regions" {
+ description = "A set of additional regions enabled in the account."
+ value = var.additional_regions
+}
+
 output "primary_contact" {
 description = "The primary contact attached to an AWS Account."
 value = try({
diff --git a/modules/account/regions.tf b/modules/account/regions.tf
new file mode 100644
index 0000000..20f75a3
--- /dev/null
+++ b/modules/account/regions.tf
@@ -0,0 +1,31 @@
+locals {
+ available_regions = [
+ "af-south-1",
+ "ap-east-1",
+ "ap-south-2",
+ "ap-southeast-3",
+ "ap-southeast-4",
+ "ca-west-1",
+ "eu-south-1",
+ "eu-south-2",
+ "eu-central-2",
+ "me-south-1",
+ "me-central-1",
+ "il-central-1",
+ ]
+}
+
+###################################################
+# Regions
+###################################################
+
+# INFO: Not supported attributes
+# - `account_id`
+# INFO: Not supported idempotent operation
+# TODO: How to manage disabled region?
+resource "aws_account_region" "this" {
+ for_each = var.additional_regions
+
+ region_name = each.value
+ enabled = true
+}
diff --git a/modules/account/variables.tf b/modules/account/variables.tf
index 3ecaf41..4c43e05 100644
--- a/modules/account/variables.tf
+++ b/modules/account/variables.tf
@@ -21,6 +21,34 @@ variable "password_policy" {
 nullable = false
 }
+variable "additional_regions" {
+ description = "(Optional) A set of regions to enable in the account."
+ type = set(string)
+ default = []
+ nullable = false
+
+ validation {
+ condition = alltrue([
+ for region in var.additional_regions :
+ contains([
+ "af-south-1",
+ "ap-east-1",
+ "ap-south-2",
+ "ap-southeast-3",
+ "ap-southeast-4",
+ "ca-west-1",
+ "eu-south-1",
+ "eu-south-2",
+ "eu-central-2",
+ "me-south-1",
+ "me-central-1",
+ "il-central-1",
+ ], region)
+ ])
+ error_message = "Available regions for `additional_regions` are `af-south-1`, `ap-east-1`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `ca-west-1`, `eu-south-1`, `eu-south-2`, `eu-central-2`, `me-south-1`, `me-central-1`, `il-central-1`."
+ }
+}
+
 variable "primary_contact" {
 description = <
Date: Thu, 18 Apr 2024 01:08:21 +0900
Subject: [PATCH 10/27] Bump to v0.29.0
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index b79f04f..ae6dd4e 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.28.3
+0.29.0
From 7525fb8d747529edf70e4fb7940ebe56147d44f1 Mon Sep 17 00:00:00 2001
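Review bot: `local.available_regions` in regions.tf is declared but never referenced; the same allow-list is repeated verbatim inside the `validation` block of `additional_regions` in variables.tf, so the two copies will drift the next time an opt-in region is added. The module's stated minimum is Terraform 1.5, where a variable `validation` cannot reference locals, so either drop the local or give it a job in a `lifecycle { precondition { ... } }` on `aws_account_region.this` (`condition = contains(local.available_regions, each.value)`) and keep the variable block as the single documented list. The hard-coded `enabled = true` together with the author's own `# TODO: How to manage disabled region?` leaves the disable path undefined: removing a region from `additional_regions` destroys the resource, and whether that destroy disables the region or merely forgets it should be confirmed against the provider, because a region that silently stays enabled is extra attack surface this module would no longer show in a plan. A short comment above the resource recording the observed destroy behaviour would help operators.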
From: "Byungjin Park (Claud)" Date: Thu, 2 May 2024 20:06:23 +0900 Subject: [PATCH 11/27] Support support-app slack in account module (#107) --- modules/account/README.md | 12 +++++++- modules/account/outputs.tf | 28 ++++++++++++++++++ modules/account/support-app.tf | 50 ++++++++++++++++++++++++++++++++ modules/account/variables.tf | 52 ++++++++++++++++++++++++++++++++++ modules/account/versions.tf | 4 +++ 5 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 modules/account/support-app.tf diff --git a/modules/account/README.md b/modules/account/README.md index 2ac0456..8e69c98 100644 --- a/modules/account/README.md +++ b/modules/account/README.md @@ -18,12 +18,14 @@ This module creates following resources. |------|---------| | [terraform](#requirement\_terraform) | >= 1.5 | | [aws](#requirement\_aws) | >= 5.10 | +| [awscc](#requirement\_awscc) | >= 0.75 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.47.0 | +| [awscc](#provider\_awscc) | 0.75.0 | ## Modules 
@@ -37,11 +39,15 @@ No modules. | [aws_account_alternate_contact.operation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact) | resource | | [aws_account_alternate_contact.security](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_alternate_contact) | resource | | [aws_account_primary_contact.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_primary_contact) | resource | +| [aws_account_region.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/account_region) | resource | | [aws_iam_account_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_alias) | resource | | [aws_iam_account_password_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_account_password_policy) | resource | | [aws_iam_security_token_service_preferences.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_security_token_service_preferences) | resource | | [aws_s3_account_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_account_public_access_block) | resource | | [aws_spot_datafeed_subscription.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/spot_datafeed_subscription) | resource | +| [awscc_supportapp_account_alias.this](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/supportapp_account_alias) | resource | +| [awscc_supportapp_slack_channel_configuration.this](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/supportapp_slack_channel_configuration) | resource | +| [awscc_supportapp_slack_workspace_configuration.this](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/resources/supportapp_slack_workspace_configuration) | resource | | 
[aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | ## Inputs @@ -49,6 +55,7 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) The name for the AWS account. Used for the account alias. | `string` | n/a | yes | +| [additional\_regions](#input\_additional\_regions) | (Optional) A set of regions to enable in the account. | `set(string)` | `[]` | no | | [billing\_contact](#input\_billing\_contact) | (Optional) The configuration of the billing contact for the AWS Account. `billing_contact` as defined below.
(Required) `name` - The name of the billing contact.
(Optional) `title` - The tile of the billing contact. Defaults to `Billing Manager`.
(Required) `email` - The email address of the billing contact.
(Required) `phone` - The phone number of the billing contact. |
object({
name = string
title = optional(string, "Billing Manager")
email = string
phone = string
})
| `null` | no | | [ec2\_spot\_datafeed\_subscription](#input\_ec2\_spot\_datafeed\_subscription) | (Optional) The configuration of the Spot Data Feed Subscription. `ec2_spot_datafeed_subscription` as defined below.
(Optional) `enabled` - Indicate whether to enable Spot Data Feed Subscription to S3 Bucket. Defaults to `false`.
(Optional) `s3_bucket` - The configuration of the S3 bucket where AWS deliver the spot data feed. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket where AWS deliver the spot data feed.
(Optional) `key_prefix` - The path of directory inside S3 bucket to place spot pricing data. |
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string, "")
key_prefix = optional(string, "")
}))
})
| `{}` | no | | [operation\_contact](#input\_operation\_contact) | (Optional) The configuration of the operation contact for the AWS Account. `operation_contact` as defined below.
(Required) `name` - The name of the operation contact.
(Optional) `title` - The tile of the operation contact. Defaults to `Operation Manager`.
(Required) `email` - The email address of the operation contact.
(Required) `phone` - The phone number of the operation contact. |
object({
name = string
title = optional(string, "Operation Manager")
email = string
phone = string
})
| `null` | no | @@ -57,11 +64,13 @@ No modules. | [s3\_public\_access\_enabled](#input\_s3\_public\_access\_enabled) | (Optional) Whether to enable S3 account-level Public Access Block configuration. Block the public access to S3 bucket if the value is `false`. | `bool` | `false` | no | | [security\_contact](#input\_security\_contact) | (Optional) The configuration of the security contact for the AWS Account. `security_contact` as defined below.
(Required) `name` - The name of the security contact.
(Optional) `title` - The tile of the security contact. Defaults to `Security Manager`.
(Required) `email` - The email address of the security contact.
(Required) `phone` - The phone number of the security contact. |
object({
name = string
title = optional(string, "Security Manager")
email = string
phone = string
})
| `null` | no | | [sts\_global\_endpoint\_token\_version](#input\_sts\_global\_endpoint\_token\_version) | (Optional) The version of the STS global endpoint token. Valid values are `v1` and
`v2`. Defaults to `v1`.
`v1` - Version 1 Tokens are valid only in AWS Regions that are available by default. These tokens do not work in manually enabled Regions, such as Asia Pacific (Hong Kong).
`v2` - Version 2 tokens are valid in all Regions. However, version 2 tokens include more characters and might affect systems where you temporarily store tokens. | `string` | `"v1"` | no | +| [support\_app](#input\_support\_app) | (Optional) The configuration of the Support App for the AWS Account. `support_app` as defined below.
(Optional) `account_alias` - An account alias associated with a customer's account.
(Optional) `slack_workspaces` - A set of team ID for each Slack workspace, which uniquely identifies a workspace.
(Optional) `slack_channel_configurations` - A list of configurations for each Slack channels. Each block of `slack_channel_configurations` as defined below.
(Optional) `name` - The name of the Slack channel configuration.
(Required) `workspace` - The team ID of the Slack workspace, which uniquely identifies a workspace.
(Required) `channel` - The ID of the Slack channel.
(Optional) `permission` - The permission of the default IAM role which created by this module. Valid values are `READ_ONLY` and `FULL_ACCESS`. Defaults to `FULL_ACCESS`.
(Optional) `channel_role` - The ARN (Amazon Resource Name) of the IAM role associated with the Support App to post messages to the Slack channel. Only required to override default role which created with `permission`.
(Optional) `notification_case_severity` - The severity level of the support case that a customer wants to get notified for. Valid values are `ALL`, `HIGH`, and `NONE`. Defaults to `ALL`.
(Optional) `notification_on_add_correspondence_to_case` - Whether to notify when a correspondence is added to a case. Defaults to `true`.
(Optional) `notification_on_create_or_reopen_case` - Whether to notify when a case is created or reopened. Defaults to `true`.
(Optional) `notification_on_resolve_case` - Whether to notify when a case is resolved. Defaults to `true`. |
object({
account_alias = optional(string)
slack_workspaces = optional(set(string), [])
slack_channel_configurations = optional(list(object({
name = optional(string)
workspace = string
channel = string

# permission = optional(string, "FULL_ACCESS")
channel_role = optional(string)

notification_case_severity = optional(string, "ALL")
notification_on_add_correspondence_to_case = optional(bool, true)
notification_on_create_or_reopen_case = optional(bool, true)
notification_on_resolve_case = optional(bool, true)
})), [])
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| +| [additional\_regions](#output\_additional\_regions) | A set of additional regions enabled in the account. | | [billing\_contact](#output\_billing\_contact) | The billing contact attached to an AWS Account. | | [ec2](#output\_ec2) | The account-level configurations of EC2 service.
`spot_datafeed_subscription` - To help you understand the charges for your Spot instances, Amazon EC2 provides a data feed that describes your Spot instance usage and pricing. This data feed is sent to an Amazon S3 bucket that you specify when you subscribe to the data feed. | | [id](#output\_id) | The AWS Account ID. | @@ -73,4 +82,5 @@ No modules. | [security\_contact](#output\_security\_contact) | The security contact attached to an AWS Account. | | [signin\_url](#output\_signin\_url) | The URL to signin for the AWS account. | | [sts](#output\_sts) | The account-level configurations of STS service.
`global_endpoint_token_version` - The version of the STS global endpoint token. | +| [support\_app](#output\_support\_app) | The account-level configurations of Support App service.
`account_alias` - The account alias associated with a customer's account. | diff --git a/modules/account/outputs.tf b/modules/account/outputs.tf index a840e25..2e67264 100644 --- a/modules/account/outputs.tf +++ b/modules/account/outputs.tf @@ -100,6 +100,34 @@ output "sts" { } } +output "support_app" { + description = < { + name = configuration.channel_name + workspace = configuration.team_id + channel = configuration.channel_id + + channel_role = { + arn = configuration.channel_role_arn + } + + notification_case_severity = upper(configuration.notify_on_case_severity) + notification_on_add_correspondence_to_case = configuration.notify_on_add_correspondence_to_case + notification_on_create_or_reopen_case = configuration.notify_on_create_or_reopen_case + notification_on_resolve_case = configuration.notify_on_resolve_case + } + } + } +} + output "s3" { description = < configuration + } + + channel_name = each.key + team_id = awscc_supportapp_slack_workspace_configuration.this[each.value.workspace].team_id + channel_id = each.value.channel + + + ## Permissions + # TODO: Use default role with `permission` variable + channel_role_arn = each.value.channel_role + + + ## Notification + notify_on_case_severity = lower(each.value.notification_case_severity) + notify_on_add_correspondence_to_case = each.value.notification_on_add_correspondence_to_case + notify_on_create_or_reopen_case = each.value.notification_on_create_or_reopen_case + notify_on_resolve_case = each.value.notification_on_resolve_case +} diff --git a/modules/account/variables.tf b/modules/account/variables.tf index 4c43e05..c59e42b 100644 --- a/modules/account/variables.tf +++ b/modules/account/variables.tf @@ -173,6 +173,58 @@ variable "sts_global_endpoint_token_version" { } } +variable "support_app" { + description = < Date: Thu, 2 May 2024 20:06:39 +0900 Subject: [PATCH 12/27] Bump to v0.29.1 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/VERSION b/VERSION
index ae6dd4e..25939d3 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.29.0
+0.29.1
From c8def1986c324dd35222db4b6a52be134a7cb9fa Mon Sep 17 00:00:00 2001
From: Byungjin Park
Date: Fri, 3 May 2024 01:54:27 +0900
Subject: [PATCH 13/27] Update dependabot
---
 .github/dependabot.yml | 63 +++++++++++++-----------------------------
 1 file changed, 19 insertions(+), 44 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f646627..9371bcf 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,46 +1,21 @@
 version: 2
 updates:
-- package-ecosystem: "github-actions"
- directory: "/"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/account"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/iam-group"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/iam-role"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/iam-user"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/org-account"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/org-organization"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/org-organizational-unit"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/service-quota-requests"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/sso-account-assignment"
- schedule:
- interval: "daily"
-- package-ecosystem: "terraform"
- directory: "/modules/sso-permission-set"
- schedule:
- interval: "daily"
+- package-ecosystem: github-actions
+ directory: /
+ schedule:
+ interval: daily
+
+- package-ecosystem: terraform
+ directories:
+ - /modules/account
+ - /modules/iam-group
+ - /modules/iam-oidc-identity-provider
+ - /modules/iam-policy
+ - /modules/iam-predefined-policies
+ - /modules/iam-role
+ - /modules/iam-saml-identity-provider
+ - /modules/iam-service-linked-role
+ - /modules/iam-user
+ - /modules/region
+ schedule:
+ interval: weekly
From abd8283c0be160e3cbeac44c7cb7ca2927e66c03 Mon Sep 17 00:00:00 2001
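Review bot: The new `terraform` entry no longer lists `/modules/org-account`, `/modules/org-organization`, `/modules/org-organizational-unit`, `/modules/service-quota-requests` or `/modules/sso-account-assignment`; `sso-permission-set` is deleted earlier in this series, but the patches shown here do not remove the others, so if those directories still exist their provider and module pins stop receiving update PRs. The schedule also moves from `daily` to `weekly`, which widens the window between a provider security release and the bump PR; if that trade-off is intended it is worth one line in the commit message. `directories:` (plural) relies on Dependabot's multi-directory configuration, so confirm it is available for this repository and consider a comment above the key such as `# multi-directory form; do not collapse back to directory:` so a later edit does not undo it.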
From: Byungjin Park Date: Wed, 8 May 2024 14:23:58 +0900 Subject: [PATCH 14/27] Add regional delegated administrator for macie in region module --- modules/region/README.md | 6 +++++- modules/region/macie.tf | 9 +++++++++ modules/region/outputs.tf | 10 ++++++++++ modules/region/variables.tf | 12 ++++++++++++ 4 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 modules/region/macie.tf diff --git a/modules/region/README.md b/modules/region/README.md index c551d9e..846ecdf 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -5,6 +5,7 @@ This module creates following resources. - `aws_ebs_encryption_by_default` - `aws_ebs_default_kms_key` (optional) - `aws_ec2_serial_console_access` +- `aws_macie2_organization_admin_account` (optional) - `aws_resourceexplorer2_index` (optional) - `aws_resourceexplorer2_view` (optional) - `aws_servicequotas_service_quota` (optional) @@ -21,7 +22,7 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.48.0 | ## Modules 
@@ -37,6 +38,7 @@ This module creates following resources. | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | | [aws_ec2_availability_zone_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_availability_zone_group) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | +| [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | | [aws_resourceexplorer2_view.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_view) | resource | | [aws_servicequotas_service_quota.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/servicequotas_service_quota) | resource | @@ -48,6 +50,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | | [ec2\_serial\_console\_enabled](#input\_ec2\_serial\_console\_enabled) | (Optional) Whether serial console access is enabled for the current AWS region. | `bool` | `false` | no | +| [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. |
object({
enabled = optional(bool, true)
index_type = optional(string, "LOCAL")
views = optional(list(object({
name = string
is_default = optional(bool, false)
filter_queries = optional(list(string), [])

additional_resource_attributes = optional(set(string), [])
})), [])
})
| `{}` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Groupolicy. | `string` | `"Managed by Terraform."` | no | @@ -67,6 +70,7 @@ This module creates following resources. | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | | [ec2](#output\_ec2) | The region-level configurations of EC2 service.
`serial_console` - The configurations for EC2 Serial Console. | | [id](#output\_id) | The ID of the current region. | +| [macie](#output\_macie) | The region-level configurations of Macie service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. | | [name](#output\_name) | The name of the current region. | | [resource\_explorer](#output\_resource\_explorer) | The region-level configurations of Resource Explorer service.
`enabled` - Whether the Resource Explorer is enabled in the current AWS region.
`index_type` - The type of the index.
`views` - The list of views. |
 | [service\_quotas](#output\_service\_quotas) | The region-level configurations of Service Quotas. |
diff --git a/modules/region/macie.tf b/modules/region/macie.tf
new file mode 100644
index 0000000..1218c36
--- /dev/null
+++ b/modules/region/macie.tf
@@ -0,0 +1,9 @@
+###################################################
+# Delegated Administrator for Macie
+###################################################
+
+resource "aws_macie2_organization_admin_account" "this" {
+ count = var.macie.delegated_administrator != null ? 1 : 0
+
+ admin_account_id = var.macie.delegated_administrator
+}
diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf
index 6cb00b9..fc5a9bf 100644
--- a/modules/region/outputs.tf
+++ b/modules/region/outputs.tf
@@ -43,6 +43,16 @@ output "ec2" {
 }
 }
+output "macie" {
+ description = <
Date: Wed, 8 May 2024 14:30:56 +0900
Subject: [PATCH 15/27] Bump to v0.29.2
---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VERSION b/VERSION
index 25939d3..20f0687 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.29.1
+0.29.2
From 37219ed9edecb2f57700595c5eaebabaa6e31e58 Mon Sep 17 00:00:00 2001
From: "Byungjin Park (Claud)"
Date: Thu, 9 May 2024 17:02:51 +0900
Subject: [PATCH 16/27] Support ec2_image_block_public_access in region (#116)
---
 modules/region/README.md | 6 ++++--
 modules/region/ec2.tf | 14 +++++++++++++-
 modules/region/outputs.tf | 8 ++++----
 modules/region/variables.tf | 17 ++++++++++++-----
 4 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/modules/region/README.md b/modules/region/README.md
index 846ecdf..c1f60f5 100644
--- a/modules/region/README.md
+++ b/modules/region/README.md
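Review bot: `admin_account_id` in macie.tf passes `var.macie.delegated_administrator` straight through, and the README's type for `macie` is `object({ delegated_administrator = optional(string) })` with no format constraint visible, so a mistyped value either fails at apply or, if it happens to match another member account, delegates organization-wide Macie administration to the wrong account. The variables.tf hunk of this patch is not visible here; if it does not already do so, add a `validation` block on `var.macie` such as `condition = var.macie.delegated_administrator == null || can(regex("^[0-9]{12}$", var.macie.delegated_administrator))` with a matching `error_message`. Because the delegated administrator manages Macie for every member account, a comment above the resource noting that the designation is organization-scoped within this region and must be applied from the management account (as the README input text already says) would help whoever reviews a plan that changes it.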
@@ -4,6 +4,7 @@ This module creates following resources. - `aws_ebs_encryption_by_default` - `aws_ebs_default_kms_key` (optional) +- `aws_ec2_image_block_public_access` - `aws_ec2_serial_console_access` - `aws_macie2_organization_admin_account` (optional) - `aws_resourceexplorer2_index` (optional) @@ -37,6 +38,7 @@ This module creates following resources. | [aws_ebs_default_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_default_kms_key) | resource | | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | | [aws_ec2_availability_zone_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_availability_zone_group) | resource | +| [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | @@ -49,7 +51,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | -| [ec2\_serial\_console\_enabled](#input\_ec2\_serial\_console\_enabled) | (Optional) Whether serial console access is enabled for the current AWS region. | `bool` | `false` | no | +| [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
serial_console_enabled = optional(bool, false)
})
| `{}` | no | | [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. |
object({
enabled = optional(bool, true)
index_type = optional(string, "LOCAL")
views = optional(list(object({
name = string
is_default = optional(bool, false)
filter_queries = optional(list(string), [])

additional_resource_attributes = optional(set(string), [])
})), [])
})
| `{}` | no | @@ -68,7 +70,7 @@ This module creates following resources. | [code](#output\_code) | The short code of the current region. | | [description](#output\_description) | The description of the current region in this format: `Location (Region name)` | | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | -| [ec2](#output\_ec2) | The region-level configurations of EC2 service.
`serial_console` - The configurations for EC2 Serial Console. | +| [ec2](#output\_ec2) | The region-level configurations of EC2 service.
`ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.
`serial_console_enabled` - Whether serial console access is enabled for the current AWS region. | | [id](#output\_id) | The ID of the current region. | | [macie](#output\_macie) | The region-level configurations of Macie service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. | | [name](#output\_name) | The name of the current region. | diff --git a/modules/region/ec2.tf b/modules/region/ec2.tf index 12aae8f..85bcbbb 100644 --- a/modules/region/ec2.tf +++ b/modules/region/ec2.tf @@ -1,7 +1,19 @@ +################################################### +# Public Access Block for EC2 AMI +################################################### + +resource "aws_ec2_image_block_public_access" "this" { + state = (var.ec2.ami_public_access_enabled + ? "unblocked" + : "block-new-sharing" + ) +} + + ################################################### # Serial Consol Access for EC2 ################################################### resource "aws_ec2_serial_console_access" "this" { - enabled = var.ec2_serial_console_enabled + enabled = var.ec2.serial_console_enabled } diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index fc5a9bf..3b6cac5 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -34,12 +34,12 @@ output "ebs" { output "ec2" { description = < Date: Thu, 9 May 2024 17:33:10 +0900 Subject: [PATCH 17/27] Support ec2 instance metadata defaults in region (#117) --- modules/region/README.md | 8 +++++--- modules/region/ec2.tf | 22 ++++++++++++++++++++++ modules/region/outputs.tf | 5 +++-- modules/region/variables.tf | 13 ++++++++++++- modules/region/versions.tf | 4 ++-- 5 files changed, 44 insertions(+), 8 deletions(-) diff --git a/modules/region/README.md b/modules/region/README.md index c1f60f5..8c45f31 100644 --- a/modules/region/README.md +++ b/modules/region/README.md 
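Review bot: The new `aws_ec2_image_block_public_access` block needs a comment on what `block-new-sharing` actually covers, because a reader of `ami_public_access_enabled = false` will assume it makes the region's AMIs private. The AWS setting only rejects new public-sharing requests; AMIs that were already shared publicly stay public until they are un-shared separately, so the module's default is a guard against future exposure, not a remediation. I'd add above the resource: `# NOTE: "block-new-sharing" only prevents new public sharing of AMIs; AMIs already public in this region remain public and must be un-shared separately.` The context comment `# Serial Consol Access for EC2` that this hunk touches also still carries the `Consol` typo.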
@@ -5,6 +5,7 @@ This module creates following resources. - `aws_ebs_encryption_by_default` - `aws_ebs_default_kms_key` (optional) - `aws_ec2_image_block_public_access` +- `aws_ec2_instance_metadata_defaults` - `aws_ec2_serial_console_access` - `aws_macie2_organization_admin_account` (optional) - `aws_resourceexplorer2_index` (optional) @@ -16,8 +17,8 @@ This module creates following resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 4.22 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.43 | ## Providers @@ -39,6 +40,7 @@ This module creates following resources. | [aws_ebs_encryption_by_default.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ebs_encryption_by_default) | resource | | [aws_ec2_availability_zone_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_availability_zone_group) | resource | | [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource | +| [aws_ec2_instance_metadata_defaults.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | 
@@ -51,7 +53,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | -| [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
serial_console_enabled = optional(bool, false)
})
| `{}` | no | +| [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | | [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. |
object({
enabled = optional(bool, true)
index_type = optional(string, "LOCAL")
views = optional(list(object({
name = string
is_default = optional(bool, false)
filter_queries = optional(list(string), [])

additional_resource_attributes = optional(set(string), [])
})), [])
})
| `{}` | no | diff --git a/modules/region/ec2.tf b/modules/region/ec2.tf index 85bcbbb..7bb5fab 100644 --- a/modules/region/ec2.tf +++ b/modules/region/ec2.tf @@ -10,6 +10,28 @@ resource "aws_ec2_image_block_public_access" "this" { } +################################################### +# Instance Metadata Defaults for EC2 +################################################### + +resource "aws_ec2_instance_metadata_defaults" "this" { + http_endpoint = (var.ec2.instance_metadata_defaults.http_enabled != null + ? (var.ec2.instance_metadata_defaults.http_enabled ? "enabled" : "disabled") + : "no-preference" + ) + http_tokens = (var.ec2.instance_metadata_defaults.http_token_required != null + ? (var.ec2.instance_metadata_defaults.http_token_required ? "required" : "optional") + : "no-preference" + ) + http_put_response_hop_limit = coalesce(var.ec2.instance_metadata_defaults.http_put_response_hop_limit, -1) + + instance_metadata_tags = (var.ec2.instance_metadata_defaults.instance_tags_enabled != null + ? (var.ec2.instance_metadata_defaults.instance_tags_enabled ? "enabled" : "disabled") + : "no-preference" + ) +} + + ################################################### # Serial Consol Access for EC2 ################################################### diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index 3b6cac5..31e5391 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -38,8 +38,9 @@ output "ec2" { `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. EOF value = { - ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked" - serial_console_enabled = aws_ec2_serial_console_access.this.enabled + ami_public_access_enabled = aws_ec2_image_block_public_access.this.state == "unblocked" + instance_metadata_defaults = var.ec2.instance_metadata_defaults + serial_console_enabled = aws_ec2_serial_console_access.this.enabled } } 
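Review bot: `aws_ec2_instance_metadata_defaults` is created unconditionally, so a caller who leaves `instance_metadata_defaults` at its `{}` default still applies `no-preference` for every field and `-1` for the hop limit; if a region already has defaults set outside Terraform (say `http_tokens = required` from an org baseline), this presumably shows up as a reset on the first plan — the later patch in this series that adds a `count` guard is the right fix, and it would have been cleaner in this commit. The variable description, as rendered in the README hunk above, also contradicts itself for `http_token_required` (`Defaults to `false`. Defaults to `null` (No preference).`); the code treats `null` as `no-preference`, so drop the `false` sentence in the variables.tf hunk, which is not legible in this view. Since `no-preference` leaves the platform default for IMDS in place rather than forcing IMDSv2, a short comment on `http_tokens` would help: `# "no-preference" keeps the platform default; set http_token_required = true to make new launches IMDSv2-only.`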
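Review bot: `instance_metadata_defaults = var.ec2.instance_metadata_defaults` echoes the input, while the two sibling values on the same lines read applied state from the resource (`aws_ec2_image_block_public_access.this.state`, `aws_ec2_serial_console_access.this.enabled`), so this output silently differs in meaning from its neighbours. If the intent is to report what was applied, map back from `aws_ec2_instance_metadata_defaults.this.http_endpoint`, `.http_tokens`, `.http_put_response_hop_limit` and `.instance_metadata_tags`; if mirroring the input is deliberate, say so with `# Mirrors the input; the resource attributes are enum strings, not booleans.` The enclosing `output "ec2"` block starts outside the hunk.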
diff --git a/modules/region/variables.tf b/modules/region/variables.tf index 80e8cab..18e92ad 100644 --- a/modules/region/variables.tf +++ b/modules/region/variables.tf @@ -16,11 +16,22 @@ variable "ec2" { description = < Date: Thu, 9 May 2024 17:34:07 +0900 Subject: [PATCH 18/27] Bump to v0.30.0 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 20f0687..c25c8e5 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.29.2 +0.30.0 From 21e0f4d233839a9b722007075283bb9ec1c871a5 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 9 May 2024 23:24:46 +0900 Subject: [PATCH 19/27] Add regional delegated administrator for inspector in region --- modules/region/README.md | 4 ++++ modules/region/inspector.tf | 9 +++++++++ modules/region/outputs.tf | 10 ++++++++++ modules/region/variables.tf | 12 ++++++++++++ 4 files changed, 35 insertions(+) create mode 100644 modules/region/inspector.tf diff --git a/modules/region/README.md b/modules/region/README.md index 8c45f31..4f8a06c 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -7,6 +7,7 @@ This module creates following resources. - `aws_ec2_image_block_public_access` - `aws_ec2_instance_metadata_defaults` - `aws_ec2_serial_console_access` +- `aws_inspector2_delegated_admin_account` (optional) - `aws_macie2_organization_admin_account` (optional) - `aws_resourceexplorer2_index` (optional) - `aws_resourceexplorer2_view` (optional) 
@@ -42,6 +43,7 @@ This module creates following resources. | [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource | | [aws_ec2_instance_metadata_defaults.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | +| [aws_inspector2_delegated_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource | | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | | [aws_resourceexplorer2_view.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_view) | resource | @@ -54,6 +56,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | | [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | +| [inspector](#input\_inspector) | (Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. The delegated administrator is granted all of the permissions required to administer Inspector for your organization. When you choose a delegated administrator, Inspector is activated for that account. Can be used in only management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | | [resource\_explorer](#input\_resource\_explorer) | (Optional) The configuration of the Resource Explorer in the current AWS region. `resource_explorer` as defined below.
(Optional) `enabled` - Whether or not to enable the Resource Explorer in the current AWS region. Defaults to `true`.
(Optional) `index_type` - The type of the index. Valid values are `AGGREGATOR`, `LOCAL`. Defaults to `LOCAL`.
(Optional) `views` - A list of views to create. `views` as defined below.
(Required) `name` - The name of the view. The name must be no more than 64 characters long, and can include letters, digits, and the dash (-) character. The name must be unique within its AWS Region.
(Optional) `is_default` - Whether the view is the default view for the AWS Region. Defaults to `false`.
(Optional) `filter_queries` - A list of filter queries. Specify which resources are included in the results of queries made using this view. The filter string is combined using a logical AND operator. Defaults to `[]` (include all resources).
(Optional) `additional_resource_attributes` - A list of additional resource attributes. By default, the results include ARN, owner account, Region, service, and resource type. Valid values are `tags`. Defaults to `[]`. |
object({
enabled = optional(bool, true)
index_type = optional(string, "LOCAL")
views = optional(list(object({
name = string
is_default = optional(bool, false)
filter_queries = optional(list(string), [])

additional_resource_attributes = optional(set(string), [])
})), [])
})
| `{}` | no | @@ -74,6 +77,7 @@ This module creates following resources. | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | | [ec2](#output\_ec2) | The region-level configurations of EC2 service.
`ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.
`serial_console_enabled` - Whether serial console access is enabled for the current AWS region. | | [id](#output\_id) | The ID of the current region. | +| [inspector](#output\_inspector) | The region-level configurations of Inspector service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. | | [macie](#output\_macie) | The region-level configurations of Macie service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. | | [name](#output\_name) | The name of the current region. | | [resource\_explorer](#output\_resource\_explorer) | The region-level configurations of Resource Explorer service.
`enabled` - Whether the Resource Explorer is enabled in the current AWS region.
`index_type` - The type of the index.
`views` - The list of views. | diff --git a/modules/region/inspector.tf b/modules/region/inspector.tf new file mode 100644 index 0000000..580899f --- /dev/null +++ b/modules/region/inspector.tf @@ -0,0 +1,9 @@ +################################################### +# Delegated Administrator for Inspector +################################################### + +resource "aws_inspector2_delegated_admin_account" "this" { + count = var.inspector.delegated_administrator != null ? 1 : 0 + + account_id = var.inspector.delegated_administrator +} diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index 31e5391..69c489b 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -44,6 +44,16 @@ output "ec2" { } } +output "inspector" { + description = < Date: Fri, 10 May 2024 00:01:34 +0900 Subject: [PATCH 20/27] Fix ec2_instance_metadata_defaults --- modules/region/README.md | 2 +- modules/region/ec2.tf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/modules/region/README.md b/modules/region/README.md index 4f8a06c..66f3b3a 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -5,7 +5,7 @@ This module creates following resources. - `aws_ebs_encryption_by_default` - `aws_ebs_default_kms_key` (optional) - `aws_ec2_image_block_public_access` -- `aws_ec2_instance_metadata_defaults` +- `aws_ec2_instance_metadata_defaults` (optional) - `aws_ec2_serial_console_access` - `aws_inspector2_delegated_admin_account` (optional) - `aws_macie2_organization_admin_account` (optional) diff --git a/modules/region/ec2.tf b/modules/region/ec2.tf index 7bb5fab..ea4748a 100644 --- a/modules/region/ec2.tf +++ b/modules/region/ec2.tf 
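Review bot: `var.inspector.delegated_administrator` is passed straight into `account_id` with no shape check, so a mistyped or non-12-digit value is only rejected at apply time from inside the organization's management account; the same applies to `admin_account_id` in the new `guardduty.tf` hunk further down. A `validation` block on the variable (its variables.tf hunk is not legible in this view) would catch it at plan time, e.g. `condition = var.inspector.delegated_administrator == null || can(regex("^[0-9]{12}$", var.inspector.delegated_administrator))` with a matching `error_message`. The resource header comment could also state the precondition that the README already documents: `# Must be applied from the organization's management account.`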
@@ -15,6 +15,11 @@ resource "aws_ec2_image_block_public_access" "this" { ################################################### resource "aws_ec2_instance_metadata_defaults" "this" { + count = anytrue([ + for k, v in var.ec2.instance_metadata_defaults : + v != null + ]) ? 1 : 0 + http_endpoint = (var.ec2.instance_metadata_defaults.http_enabled != null ? (var.ec2.instance_metadata_defaults.http_enabled ? "enabled" : "disabled") : "no-preference" From 019ed6f870e7cc2dc96fe22e6f28fe4313fb4c0b Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Fri, 10 May 2024 00:01:55 +0900 Subject: [PATCH 21/27] Add regional delegated administrator for guardduty in region --- modules/region/README.md | 4 ++++ modules/region/guardduty.tf | 10 ++++++++++ modules/region/outputs.tf | 10 ++++++++++ modules/region/variables.tf | 12 ++++++++++++ 4 files changed, 36 insertions(+) create mode 100644 modules/region/guardduty.tf diff --git a/modules/region/README.md b/modules/region/README.md index 66f3b3a..51afe79 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -7,6 +7,7 @@ This module creates following resources. - `aws_ec2_image_block_public_access` - `aws_ec2_instance_metadata_defaults` (optional) - `aws_ec2_serial_console_access` +- `aws_guardduty_organization_admin_account` (optional) - `aws_inspector2_delegated_admin_account` (optional) - `aws_macie2_organization_admin_account` (optional) - `aws_resourceexplorer2_index` (optional) 
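Review bot: The new `count` expression binds `k` and never uses it; `anytrue([for v in values(var.ec2.instance_metadata_defaults) : v != null])` expresses the same condition without the unused key. More importantly the guard changes lifecycle semantics, which deserves a comment: once any field is set, clearing all of them back to `null` flips `count` to 0 and destroys the resource, and what the provider does to the regional defaults on destroy should be confirmed before relying on it. I'd add above `count`: `# Manage the regional IMDS defaults only when at least one field is set; with every field null the region is left untouched.` The enclosing resource block continues outside the hunk.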
@@ -43,6 +44,7 @@ This module creates following resources. | [aws_ec2_image_block_public_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_image_block_public_access) | resource | | [aws_ec2_instance_metadata_defaults.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_metadata_defaults) | resource | | [aws_ec2_serial_console_access.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_serial_console_access) | resource | +| [aws_guardduty_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/guardduty_organization_admin_account) | resource | | [aws_inspector2_delegated_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/inspector2_delegated_admin_account) | resource | | [aws_macie2_organization_admin_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/macie2_organization_admin_account) | resource | | [aws_resourceexplorer2_index.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/resourceexplorer2_index) | resource | @@ -56,6 +58,7 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | | [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | +| [guardduty](#input\_guardduty) | (Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [inspector](#input\_inspector) | (Optional) The configuration of Inspector in the current AWS region. `inspector` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. The delegated administrator is granted all of the permissions required to administer Inspector for your organization. When you choose a delegated administrator, Inspector is activated for that account. Can be used in only management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [macie](#input\_macie) | (Optional) The configuration of Macie in the current AWS region. `macie` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. This can be configured only if Macie is enabled for the organization. The account must be a management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | @@ -76,6 +79,7 @@ This module creates following resources. | [description](#output\_description) | The description of the current region in this format: `Location (Region name)` | | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | | [ec2](#output\_ec2) | The region-level configurations of EC2 service.
`ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region.
`serial_console_enabled` - Whether serial console access is enabled for the current AWS region. | +| [guardduty](#output\_guardduty) | The region-level configurations of GuardDuty service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. | | [id](#output\_id) | The ID of the current region. | | [inspector](#output\_inspector) | The region-level configurations of Inspector service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Inspector administrator account for the organization. | | [macie](#output\_macie) | The region-level configurations of Macie service.
`delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon Macie administrator account for the organization. | diff --git a/modules/region/guardduty.tf b/modules/region/guardduty.tf new file mode 100644 index 0000000..e5086bc --- /dev/null +++ b/modules/region/guardduty.tf @@ -0,0 +1,10 @@ +################################################### +# Delegated Administrator for GuardDuty +################################################### + +resource "aws_guardduty_organization_admin_account" "this" { + count = var.guardduty.delegated_administrator != null ? 1 : 0 + + admin_account_id = var.guardduty.delegated_administrator +} + diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index 69c489b..e5b754e 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -44,6 +44,16 @@ output "ec2" { } } +output "guardduty" { + description = < Date: Tue, 21 May 2024 14:51:42 +0900 Subject: [PATCH 22/27] Fix bug of urn output in iam-oidc-identity-provider module --- VERSION | 2 +- modules/iam-oidc-identity-provider/README.md | 4 ++-- modules/iam-oidc-identity-provider/outputs.tf | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/VERSION b/VERSION index c25c8e5..1a44cad 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.30.0 +0.30.1 diff --git a/modules/iam-oidc-identity-provider/README.md b/modules/iam-oidc-identity-provider/README.md index 548155a..b802d00 100644 --- a/modules/iam-oidc-identity-provider/README.md +++ b/modules/iam-oidc-identity-provider/README.md @@ -18,8 +18,8 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.24.0 | -| [tls](#provider\_tls) | 4.0.4 | +| [aws](#provider\_aws) | 5.50.0 | +| [tls](#provider\_tls) | 4.0.5 | ## Modules diff --git a/modules/iam-oidc-identity-provider/outputs.tf b/modules/iam-oidc-identity-provider/outputs.tf index c62ef4d..9d90236 100644 --- a/modules/iam-oidc-identity-provider/outputs.tf 
+++ b/modules/iam-oidc-identity-provider/outputs.tf @@ -15,7 +15,7 @@ output "url" { output "urn" { description = "The URN of the identity provider." - value = aws_iam_openid_connect_provider.this.url + value = trimprefix(trimprefix(aws_iam_openid_connect_provider.this.url, "http://"), "https://") } output "audiences" { From 071853c6952407d554e7a41f1fe0613035f5ab96 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Fri, 24 May 2024 15:00:20 +0900 Subject: [PATCH 23/27] Add cloudwatch sink configurations into region module --- modules/region/README.md | 7 ++++++- modules/region/cloudwatch.tf | 29 +++++++++++++++++++++++++++++ modules/region/outputs.tf | 10 ++++++++++ modules/region/variables.tf | 25 +++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 modules/region/cloudwatch.tf diff --git a/modules/region/README.md b/modules/region/README.md index 51afe79..42627c4 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -10,6 +10,8 @@ This module creates following resources. - `aws_guardduty_organization_admin_account` (optional) - `aws_inspector2_delegated_admin_account` (optional) - `aws_macie2_organization_admin_account` (optional) +- `aws_oam_sink` (optional) +- `aws_oam_sink_policy` (optional) - `aws_resourceexplorer2_index` (optional) - `aws_resourceexplorer2_view` (optional) - `aws_servicequotas_service_quota` (optional) @@ -26,12 +28,13 @@ This module creates following resources. | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.48.0 | +| [aws](#provider\_aws) | 5.51.0 | ## Modules | Name | Source | Version | |------|--------|---------| +| [cloudwatch\_oam\_sink](#module\_cloudwatch\_oam\_sink) | tedilabs/observability/aws//modules/cloudwatch-oam-sink | ~> 0.2.0 | | [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | ## Resources 
@@ -56,6 +59,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [cloudwatch](#input\_cloudwatch) | (Optional) The configuration of CloudWatch in the current AWS region. `cloudwatch` as defined below.
(Optional) `oam_sinks` - A list of CloudWatch OAM(Observability Access Manager) sinks. Each items of `oam_sinks` as defined below.
(Required) `name` - The name of the CloudWatch OAM sink.
(Optional) `telemetry_types` - A set of the telemetry types can be shared with it. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`.
(Optional) `allowed_source_accounts` - A list of the IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organizations` - A list of the organization IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organization_paths` - A list of the organization paths of the AWS accounts that will share data with this monitoring account.
(Optional) `tags` - A map of tags to add to the resource. |
object({
oam_sinks = optional(list(object({
name = string
telemetry_types = optional(set(string), [])
allowed_source_accounts = optional(list(string), [])
allowed_source_organizations = optional(list(string), [])
allowed_source_organization_paths = optional(list(string), [])
tags = optional(map(string), {})
})), [])
})
| `{}` | no | | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | | [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | | [guardduty](#input\_guardduty) | (Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | @@ -75,6 +79,7 @@ This module creates following resources. | Name | Description | |------|-------------| +| [cloudwdatch](#output\_cloudwdatch) | The region-level configurations of CloudWatch service.
`oam_sinks` - A list of CloudWatch OAM(Observability Access Manager) sinks. | | [code](#output\_code) | The short code of the current region. | | [description](#output\_description) | The description of the current region in this format: `Location (Region name)` | | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | diff --git a/modules/region/cloudwatch.tf b/modules/region/cloudwatch.tf new file mode 100644 index 0000000..5f79bc2 --- /dev/null +++ b/modules/region/cloudwatch.tf @@ -0,0 +1,29 @@ +################################################### +# CloudWatch OAM (Observability Access Manager) +################################################### + +module "cloudwatch_oam_sink" { + for_each = { + for sink in var.cloudwatch.oam_sinks : + sink.name => sink + } + + source = "tedilabs/observability/aws//modules/cloudwatch-oam-sink" + version = "~> 0.2.0" + + name = each.key + telemetry_types = each.value.telemetry_types + + allowed_source_accounts = each.value.allowed_source_accounts + allowed_source_organizations = each.value.allowed_source_organizations + allowed_source_organization_paths = each.value.allowed_source_organization_paths + + resource_group_enabled = false + module_tags_enabled = false + + tags = merge( + local.module_tags, + var.tags, + each.value.tags, + ) +} diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index e5b754e..5744166 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -18,6 +18,16 @@ output "description" { value = data.aws_region.this.description } +output "cloudwdatch" { + description = < Date: Fri, 24 May 2024 15:00:45 +0900 Subject: [PATCH 24/27] Bump to v0.30.2 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 1a44cad..0f72177 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.30.1 +0.30.2 From e124f6f21c836de6d98620dec652caa0fcbc0be2 Mon Sep 17 00:00:00 2001 
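Review bot: The output added in the adjacent `modules/region/outputs.tf` hunk (its body is cut off in this rendering) is named `cloudwdatch`, and the README rows in this commit repeat the typo; the next commit tags 0.30.2, after which `module.<name>.cloudwdatch` is public interface and correcting the spelling becomes a breaking change, so it should be `cloudwatch` before the tag (the later commits in this series keep the misspelling). In `cloudwatch.tf`, keying `for_each` on `sink.name` relies on Terraform's generic duplicate-key error for uniqueness; a `validation` on `var.cloudwatch` such as `condition = length(distinct(var.cloudwatch.oam_sinks[*].name)) == length(var.cloudwatch.oam_sinks)` gives a plan-time message that names the problem. The three `allowed_source_*` inputs default to empty lists and the README does not say what the upstream `cloudwatch-oam-sink` module does with a sink that has no allowed sources; a sentence in the `oam_sinks` description stating whether such a sink is created without a sink policy (and so cannot receive links until one is set) would save the reader a trip into the upstream source.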
From: Byungjin Park Date: Fri, 24 May 2024 17:27:23 +0900 Subject: [PATCH 25/27] Change `oam_sinks` to `oam_sink` in region --- modules/region/README.md | 4 ++-- modules/region/cloudwatch.tf | 15 ++++++--------- modules/region/outputs.tf | 4 ++-- modules/region/variables.tf | 6 +++--- 4 files changed, 13 insertions(+), 16 deletions(-) diff --git a/modules/region/README.md b/modules/region/README.md index 42627c4..789e198 100644 --- a/modules/region/README.md +++ b/modules/region/README.md @@ -59,7 +59,7 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [cloudwatch](#input\_cloudwatch) | (Optional) The configuration of CloudWatch in the current AWS region. `cloudwatch` as defined below.
(Optional) `oam_sinks` - A list of CloudWatch OAM(Observability Access Manager) sinks. Each items of `oam_sinks` as defined below.
(Required) `name` - The name of the CloudWatch OAM sink.
(Optional) `telemetry_types` - A set of the telemetry types can be shared with it. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`.
(Optional) `allowed_source_accounts` - A list of the IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organizations` - A list of the organization IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organization_paths` - A list of the organization paths of the AWS accounts that will share data with this monitoring account.
(Optional) `tags` - A map of tags to add to the resource. |
object({
oam_sinks = optional(list(object({
name = string
telemetry_types = optional(set(string), [])
allowed_source_accounts = optional(list(string), [])
allowed_source_organizations = optional(list(string), [])
allowed_source_organization_paths = optional(list(string), [])
tags = optional(map(string), {})
})), [])
})
| `{}` | no | +| [cloudwatch](#input\_cloudwatch) | (Optional) The configuration of CloudWatch in the current AWS region. `cloudwatch` as defined below.
(Optional) `oam_sink` - A configuration of CloudWatch OAM(Observability Access Manager) sink. `oam_sink` as defined below.
(Required) `name` - The name of the CloudWatch OAM sink.
(Optional) `telemetry_types` - A set of the telemetry types can be shared with it. Valid values are `AWS::CloudWatch::Metric`, `AWS::Logs::LogGroup`, `AWS::XRay::Trace`, `AWS::ApplicationInsights::Application`, `AWS::InternetMonitor::Monitor`.
(Optional) `allowed_source_accounts` - A list of the IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organizations` - A list of the organization IDs of AWS accounts that will share data with this monitoring account.
(Optional) `allowed_source_organization_paths` - A list of the organization paths of the AWS accounts that will share data with this monitoring account.
(Optional) `tags` - A map of tags to add to the resource. |
object({
oam_sink = optional(object({
name = string
telemetry_types = optional(set(string), [])
allowed_source_accounts = optional(list(string), [])
allowed_source_organizations = optional(list(string), [])
allowed_source_organization_paths = optional(list(string), [])
tags = optional(map(string), {})
}))
})
| `{}` | no | | [ebs\_default\_encryption](#input\_ebs\_default\_encryption) | (Optional) The configuration of the EBS default encryption. `ebs_default_encryption` as defined below.
(Optional) `enabled` - Whether or not default EBS encryption is enabled.
(Optional) `kms_key` - The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume. |
object({
enabled = optional(bool, false)
kms_key = optional(string)
})
| `{}` | no | | [ec2](#input\_ec2) | (Optional) The configuration of EC2 in the current AWS region. `ec2` as defined below.
(Optional) `ami_public_access_enabled` - Whether to allow or block public access for AMIs at the account level to prevent the public sharing of your AMIs in this region. Defaults to `false`.
(Optional) `instance_metadata_defaults` - The configuration of the regional instance metadata default settings. `instance_metadata_defaults` as defined below.
(Optional) `http_enabled` - Whether to enable or disable the HTTP metadata endpoint on your instances. Defaults to `null` (No preference).
(Optional) `http_token_required` - Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Defaults to `false`. Defaults to `null` (No preference).
(Optional) `http_put_response_hop_limit` - A desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from `1` to `64`. Defaults to `null` (No preference).
(Optional) `instance_tags_enabled` - Whether to enable the access to instance tags from the instance metadata service. Defaults to `null` (No preference).
(Optional) `serial_console_enabled` - Whether serial console access is enabled for the current AWS region. Defaults to `false`. |
object({
ami_public_access_enabled = optional(bool, false)
instance_metadata_defaults = optional(object({
http_enabled = optional(bool)
http_token_required = optional(bool)
http_put_response_hop_limit = optional(number)
instance_tags_enabled = optional(bool)
}), {})
serial_console_enabled = optional(bool, false)
})
| `{}` | no | | [guardduty](#input\_guardduty) | (Optional) The configuration of GuardDuty in the current AWS region. `guardduty` as defined below.
(Optional) `delegated_administrator` - The AWS account ID for the account to designate as the delegated Amazon GuardDuty administrator account for the organization. The delegated administrator will be assigned the two GuardDuty roles required to administer GuardDuty policy in your organization. Can be used in only management account of the organization. |
object({
delegated_administrator = optional(string)
})
| `{}` | no | @@ -79,7 +79,7 @@ This module creates following resources. | Name | Description | |------|-------------| -| [cloudwdatch](#output\_cloudwdatch) | The region-level configurations of CloudWatch service.
`oam_sinks` - A list of CloudWatch OAM(Observability Access Manager) sinks. | +| [cloudwdatch](#output\_cloudwdatch) | The region-level configurations of CloudWatch service.
`oam_sink` - A configuration of CloudWatch OAM(Observability Access Manager) sink. | | [code](#output\_code) | The short code of the current region. | | [description](#output\_description) | The description of the current region in this format: `Location (Region name)` | | [ebs](#output\_ebs) | The region-level configurations of EBS service.
`default_encryption` - The configurations for EBS Default Encryption. | diff --git a/modules/region/cloudwatch.tf b/modules/region/cloudwatch.tf index 5f79bc2..252261c 100644 --- a/modules/region/cloudwatch.tf +++ b/modules/region/cloudwatch.tf @@ -3,20 +3,17 @@ ################################################### module "cloudwatch_oam_sink" { - for_each = { - for sink in var.cloudwatch.oam_sinks : - sink.name => sink - } + count = var.cloudwatch.oam_sink != null ? 1 : 0 source = "tedilabs/observability/aws//modules/cloudwatch-oam-sink" version = "~> 0.2.0" - name = each.key - telemetry_types = each.value.telemetry_types + name = var.cloudwatch.oam_sink.name + telemetry_types = var.cloudwatch.oam_sink.telemetry_types - allowed_source_accounts = each.value.allowed_source_accounts - allowed_source_organizations = each.value.allowed_source_organizations - allowed_source_organization_paths = each.value.allowed_source_organization_paths + allowed_source_accounts = var.cloudwatch.oam_sink.allowed_source_accounts + allowed_source_organizations = var.cloudwatch.oam_sink.allowed_source_organizations + allowed_source_organization_paths = var.cloudwatch.oam_sink.allowed_source_organization_paths resource_group_enabled = false module_tags_enabled = false diff --git a/modules/region/outputs.tf b/modules/region/outputs.tf index 5744166..fd052c2 100644 --- a/modules/region/outputs.tf +++ b/modules/region/outputs.tf @@ -21,10 +21,10 @@ output "description" { output "cloudwdatch" { description = < Date: Fri, 24 May 2024 17:27:45 +0900 Subject: [PATCH 26/27] Bump to v0.30.3 --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 0f72177..e8262eb 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -0.30.2 +0.30.3 From 5be009d36e4ac6412b2c0f5747c82e3dd187c29b Mon Sep 17 00:00:00 2001 
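Review bot: Switching `module "cloudwatch_oam_sink"` from `for_each` keyed by sink name to `count` moves the instance address from `module.cloudwatch_oam_sink["<name>"]` to `module.cloudwatch_oam_sink[0]`, and the input changes shape from a list `oam_sinks` to a single object `oam_sink`, yet the series ships this as a patch bump (0.30.2 → 0.30.3) with no migration note. Anyone who applied 0.30.2 gets a destroy-and-recreate of the sink on their next plan, and OAM refuses to delete a sink that still has source-account links attached, so the apply will likely fail or force every link to be torn down first. A `moved` block cannot be written generically here because the old key was user-supplied, so this needs at least a minor-version bump plus a README/changelog note with the `terraform state mv 'module.cloudwatch_oam_sink["<name>"]' 'module.cloudwatch_oam_sink[0]'` step. The `tags` argument that closes the module block is outside this hunk.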
From: Byungjin Park Date: Fri, 24 May 2024 17:32:03 +0900 Subject: [PATCH 27/27] Fix
---
 VERSION | 2 +-
 modules/region/cloudwatch.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/VERSION b/VERSION
index e8262eb..db287d4 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-0.30.3
+0.30.4
diff --git a/modules/region/cloudwatch.tf b/modules/region/cloudwatch.tf
index 252261c..6e93c87 100644
--- a/modules/region/cloudwatch.tf
+++ b/modules/region/cloudwatch.tf
@@ -21,6 +21,6 @@ module "cloudwatch_oam_sink" {
 tags = merge(
 local.module_tags,
 var.tags,
- each.value.tags,
+ var.cloudwatch.oam_sink.tags,
 )
 }