From 6bbc490127d89b803a4ed81edf7a5d5239f51a68 Mon Sep 17 00:00:00 2001 From: RoseSecurity <72598486+RoseSecurity@users.noreply.github.com> Date: Mon, 19 Aug 2024 07:46:17 -0500 Subject: [PATCH] feat: IAM Access Analyzer Component (#1066) Co-authored-by: Andriy Knysh --- modules/access-analyzer/README.md | 195 +++++++++++++++++ modules/access-analyzer/context.tf | 279 ++++++++++++++++++++++++ modules/access-analyzer/main.tf | 37 ++++ modules/access-analyzer/outputs.tf | 19 ++ modules/access-analyzer/providers.tf | 19 ++ modules/access-analyzer/remote-state.tf | 11 + modules/access-analyzer/variables.tf | 62 ++++++ modules/access-analyzer/versions.tf | 10 + 8 files changed, 632 insertions(+) create mode 100644 modules/access-analyzer/README.md create mode 100644 modules/access-analyzer/context.tf create mode 100644 modules/access-analyzer/main.tf create mode 100644 modules/access-analyzer/outputs.tf create mode 100644 modules/access-analyzer/providers.tf create mode 100644 modules/access-analyzer/remote-state.tf create mode 100644 modules/access-analyzer/variables.tf create mode 100644 modules/access-analyzer/versions.tf diff --git a/modules/access-analyzer/README.md b/modules/access-analyzer/README.md new file mode 100644 index 000000000..86203888b --- /dev/null +++ b/modules/access-analyzer/README.md @@ -0,0 +1,195 @@ +# Component: `access-analyzer` + +This component is responsible for configuring AWS Identity and Access Management Access Analyzer within an AWS +Organization. + +IAM Access Analyzer helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM +roles, shared with an external entity. This lets you identify unintended access to your resources and data, which is a +security risk. IAM Access Analyzer identifies resources shared with external principals by using logic-based reasoning +to analyze the resource-based policies in your AWS environment. For each instance of a resource shared outside of your +account, IAM Access Analyzer generates a finding. Findings include information about the access and the external +principal granted to it. You can review findings to determine if the access is intended and safe or if the access is +unintended and a security risk. In addition to helping you identify resources shared with an external entity, you can +use IAM Access Analyzer findings to preview how your policy affects public and cross-account access to your resource +before deploying resource permissions. The findings are organized in a visual summary dashboard. The dashboard +highlights the split between public and cross-account access findings, and provides a breakdown of findings by resource +type. + +IAM Access Analyzer analyzes only policies applied to resources in the same AWS Region where it's enabled. To monitor +all resources in your AWS environment, you must create an analyzer to enable IAM Access Analyzer in each Region where +you're using supported AWS resources. + +AWS Identity and Access Management Access Analyzer provides the following capabilities: + +- IAM Access Analyzer external access analyzers help identify resources in your organization and accounts that are + shared with an external entity. + +- IAM Access Analyzer unused access analyzers help identify unused access in your organization and accounts. + +- IAM Access Analyzer validates IAM policies against policy grammar and AWS best practices. + +- IAM Access Analyzer custom policy checks help validate IAM policies against your specified security standards. + +- IAM Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs. + +Here's a typical workflow: + +**Delegate Access Analyzer to another account**: From the Organization management (root) account, delegate +administration to a specific AWS account within your organization (usually the security account). + +**Create Access Analyzers in the Delegated Administrator Account**: Enable the Access Analyzers for external access and +unused access in the delegated administrator account. + +## Deployment Overview + +```yaml +components: + terraform: + access-analyzer/defaults: + metadata: + component: access-analyzer + type: abstract + vars: + enabled: true + global_environment: gbl + account_map_tenant: core + root_account_stage: root + delegated_administrator_account_name: core-mgt + accessanalyzer_service_principal: "access-analyzer.amazonaws.com" + accessanalyzer_organization_enabled: false + accessanalyzer_organization_unused_access_enabled: false + organizations_delegated_administrator_enabled: false +``` + +```yaml +import: + - catalog/access-analyzer/defaults + +components: + terraform: + access-analyzer/root: + metadata: + component: access-analyzer + inherits: + - access-analyzer/defaults + vars: + organizations_delegated_administrator_enabled: true +``` + +```yaml +import: + - catalog/access-analyzer/defaults + +components: + terraform: + access-analyzer/delegated-administrator: + metadata: + component: access-analyzer + inherits: + - access-analyzer/defaults + vars: + accessanalyzer_organization_enabled: true + accessanalyzer_organization_unused_access_enabled: true + unused_access_age: 30 +``` + +### Provisioning + +Delegate Access Analyzer to the security account: + +```bash +atmos terraform apply access-analyzer/root -s plat-dev-gbl-root +``` + +Provision Access Analyzers for external access and unused access in the delegated administrator (security) account in +each region: + +```bash +atmos terraform apply access-analyzer/delegated-administrator -s plat-dev-use1-mgt +``` + + + +## Requirements + +| Name | Version | +| ------------------------------------------------------------------------ | -------- | +| [terraform](#requirement_terraform) | >= 1.3.0 | +| [aws](#requirement_aws) | >= 4.9.0 | + +## Providers + +| Name | Version | +| ------------------------------------------------ | -------- | +| [aws](#provider_aws) | >= 4.9.0 | + +## Modules + +| Name | Source | Version | +| -------------------------------------------------------------------- | -------------------------------------------------- | ------- | +| [account_map](#module_account_map) | cloudposse/stack-config/yaml//modules/remote-state | 1.5.0 | +| [iam_roles](#module_iam_roles) | ../../account-map/modules/iam-roles | n/a | +| [this](#module_this) | cloudposse/label/null | 0.25.0 | + +## Resources + +| Name | Type | +| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | +| [aws_accessanalyzer_analyzer.organization](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer) | resource | +| [aws_accessanalyzer_analyzer.organization_unused_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer) | resource | +| [aws_organizations_delegated_administrator.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------: | +| [accessanalyzer_organization_enabled](#input_accessanalyzer_organization_enabled) | Flag to enable the Organization Access Analyzer | `bool` | n/a | yes | +| [accessanalyzer_organization_unused_access_enabled](#input_accessanalyzer_organization_unused_access_enabled) | Flag to enable the Organization unused access Access Analyzer | `bool` | n/a | yes | +| [accessanalyzer_service_principal](#input_accessanalyzer_service_principal) | The Access Analyzer service principal for which you want to make the member account a delegated administrator | `string` | `"access-analyzer.amazonaws.com"` | no | +| [account_map_tenant](#input_account_map_tenant) | The tenant where the `account_map` component required by remote-state is deployed | `string` | n/a | yes | +| [additional_tag_map](#input_additional_tag_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | +| [attributes](#input_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | +| [context](#input_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged. | `any` | 
{
 "additional_tag_map": {},
 "attributes": [],
 "delimiter": null,
 "descriptor_formats": {},
 "enabled": true,
 "environment": null,
 "id_length_limit": null,
 "label_key_case": null,
 "label_order": [],
 "label_value_case": null,
 "labels_as_tags": [
 "unset"
 ],
 "name": null,
 "namespace": null,
 "regex_replace_chars": null,
 "stage": null,
 "tags": {},
 "tenant": null
}
| no | +| [delegated_administrator_account_name](#input_delegated_administrator_account_name) | The name of the account that is the AWS Organization Delegated Administrator account | `string` | n/a | yes | +| [delimiter](#input_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | +| [descriptor_formats](#input_descriptor_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | +| [enabled](#input_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | +| [environment](#input_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | +| [global_environment](#input_global_environment) | Global environment name | `string` | `"gbl"` | no | +| [id_length_limit](#input_id_length_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | +| [label_key_case](#input_label_key_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | +| [label_order](#input_label_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | +| [label_value_case](#input_label_value_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | +| [labels_as_tags](#input_labels_as_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
 "default"
]
| no | +| [name](#input_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | +| [namespace](#input_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | +| [organization_management_account_name](#input_organization_management_account_name) | The name of the AWS Organization management account | `string` | `null` | no | +| [organizations_delegated_administrator_enabled](#input_organizations_delegated_administrator_enabled) | Flag to enable the Organization delegated administrator | `bool` | n/a | yes | +| [regex_replace_chars](#input_regex_replace_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | +| [region](#input_region) | AWS Region | `string` | n/a | yes | +| [root_account_stage](#input_root_account_stage) | The stage name for the Organization root (management) account. This is used to lookup account IDs from account names
using the `account-map` component. | `string` | `"root"` | no | +| [stage](#input_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | +| [tags](#input_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | +| [tenant](#input_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | +| [unused_access_age](#input_unused_access_age) | The specified access age in days for which to generate findings for unused access | `number` | `30` | no | + +## Outputs + +| Name | Description | +| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------ | +| [aws_organizations_delegated_administrator_id](#output_aws_organizations_delegated_administrator_id) | AWS Organizations Delegated Administrator ID | +| [aws_organizations_delegated_administrator_status](#output_aws_organizations_delegated_administrator_status) | AWS Organizations Delegated Administrator status | +| [organization_accessanalyzer_id](#output_organization_accessanalyzer_id) | Organization Access Analyzer ID | +| [organization_unused_access_accessanalyzer_id](#output_organization_unused_access_accessanalyzer_id) | Organization unused access Access Analyzer ID | + + + +## References + +- https://aws.amazon.com/iam/access-analyzer/ +- https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html +- https://repost.aws/knowledge-center/iam-access-analyzer-organization +- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/accessanalyzer_analyzer +- https://github.com/hashicorp/terraform-provider-aws/issues/19312 +- https://github.com/hashicorp/terraform-provider-aws/pull/19389 +- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/organizations_delegated_administrator diff --git a/modules/access-analyzer/context.tf b/modules/access-analyzer/context.tf new file mode 100644 index 000000000..5e0ef8856 --- /dev/null +++ b/modules/access-analyzer/context.tf @@ -0,0 +1,279 @@ +# +# ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label +# All other instances of this file should be a copy of that one +# +# +# Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf +# and then place it in your Terraform module to automatically get +# Cloud Posse's standard configuration inputs suitable for passing +# to Cloud Posse modules. +# +# curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf +# +# Modules should access the whole context as `module.this.context` +# to get the input variables with nulls for defaults, +# for example `context = module.this.context`, +# and access individual variables as `module.this.`, +# with final values filled in. +# +# For example, when using defaults, `module.this.context.delimiter` +# will be null, and `module.this.delimiter` will be `-` (hyphen). +# + +module "this" { + source = "cloudposse/label/null" + version = "0.25.0" # requires Terraform >= 0.13.0 + + enabled = var.enabled + namespace = var.namespace + tenant = var.tenant + environment = var.environment + stage = var.stage + name = var.name + delimiter = var.delimiter + attributes = var.attributes + tags = var.tags + additional_tag_map = var.additional_tag_map + label_order = var.label_order + regex_replace_chars = var.regex_replace_chars + id_length_limit = var.id_length_limit + label_key_case = var.label_key_case + label_value_case = var.label_value_case + descriptor_formats = var.descriptor_formats + labels_as_tags = var.labels_as_tags + + context = var.context +} + +# Copy contents of cloudposse/terraform-null-label/variables.tf here + +variable "context" { + type = any + default = { + enabled = true + namespace = null + tenant = null + environment = null + stage = null + name = null + delimiter = null + attributes = [] + tags = {} + additional_tag_map = {} + regex_replace_chars = null + label_order = [] + id_length_limit = null + label_key_case = null + label_value_case = null + descriptor_formats = {} + # Note: we have to use [] instead of null for unset lists due to + # https://github.com/hashicorp/terraform/issues/28137 + # which was not fixed until Terraform 1.0.0, + # but we want the default to be all the labels in `label_order` + # and we want users to be able to prevent all tag generation + # by setting `labels_as_tags` to `[]`, so we need + # a different sentinel to indicate "default" + labels_as_tags = ["unset"] + } + description = <<-EOT + Single object for setting entire context at once. + See description of individual variables for details. + Leave string and numeric variables as `null` to use default value. + Individual variable settings (non-null) override settings in context object, + except for attributes, tags, and additional_tag_map, which are merged. + EOT + + validation { + condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`." + } + + validation { + condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "enabled" { + type = bool + default = null + description = "Set to false to prevent the module from creating any resources" +} + +variable "namespace" { + type = string + default = null + description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" +} + +variable "tenant" { + type = string + default = null + description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for" +} + +variable "environment" { + type = string + default = null + description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" +} + +variable "stage" { + type = string + default = null + description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'" +} + +variable "name" { + type = string + default = null + description = <<-EOT + ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. + This is the only ID element not also included as a `tag`. + The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. + EOT +} + +variable "delimiter" { + type = string + default = null + description = <<-EOT + Delimiter to be used between ID elements. + Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. + EOT +} + +variable "attributes" { + type = list(string) + default = [] + description = <<-EOT + ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, + in the order they appear in the list. New attributes are appended to the + end of the list. The elements of the list are joined by the `delimiter` + and treated as a single ID element. + EOT +} + +variable "labels_as_tags" { + type = set(string) + default = ["default"] + description = <<-EOT + Set of labels (ID elements) to include as tags in the `tags` output. + Default is to include all labels. + Tags with empty values will not be included in the `tags` output. + Set to `[]` to suppress all generated tags. + **Notes:** + The value of the `name` tag, if included, will be the `id`, not the `name`. + Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be + changed in later chained modules. Attempts to change it will be silently ignored. + EOT +} + +variable "tags" { + type = map(string) + default = {} + description = <<-EOT + Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). + Neither the tag keys nor the tag values will be modified by this module. + EOT +} + +variable "additional_tag_map" { + type = map(string) + default = {} + description = <<-EOT + Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. + This is for some rare cases where resources want additional configuration of tags + and therefore take a list of maps with tag key, value, and additional configuration. + EOT +} + +variable "label_order" { + type = list(string) + default = null + description = <<-EOT + The order in which the labels (ID elements) appear in the `id`. + Defaults to ["namespace", "environment", "stage", "name", "attributes"]. + You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. + EOT +} + +variable "regex_replace_chars" { + type = string + default = null + description = <<-EOT + Terraform regular expression (regex) string. + Characters matching the regex will be removed from the ID elements. + If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. + EOT +} + +variable "id_length_limit" { + type = number + default = null + description = <<-EOT + Limit `id` to this many characters (minimum 6). + Set to `0` for unlimited length. + Set to `null` for keep the existing setting, which defaults to `0`. + Does not affect `id_full`. + EOT + validation { + condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 + error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." + } +} + +variable "label_key_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of the `tags` keys (label names) for tags generated by this module. + Does not affect keys of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper`. + Default value: `title`. + EOT + + validation { + condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) + error_message = "Allowed values: `lower`, `title`, `upper`." + } +} + +variable "label_value_case" { + type = string + default = null + description = <<-EOT + Controls the letter case of ID elements (labels) as included in `id`, + set as tag values, and output by this module individually. + Does not affect values of tags passed in via the `tags` input. + Possible values: `lower`, `title`, `upper` and `none` (no transformation). + Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. + Default value: `lower`. + EOT + + validation { + condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) + error_message = "Allowed values: `lower`, `title`, `upper`, `none`." + } +} + +variable "descriptor_formats" { + type = any + default = {} + description = <<-EOT + Describe additional descriptors to be output in the `descriptors` output map. + Map of maps. Keys are names of descriptors. Values are maps of the form + `{ + format = string + labels = list(string) + }` + (Type is `any` so the map values can later be enhanced to provide additional options.) + `format` is a Terraform format string to be passed to the `format()` function. + `labels` is a list of labels, in order, to pass to `format()` function. + Label values will be normalized before being passed to `format()` so they will be + identical to how they appear in `id`. + Default is `{}` (`descriptors` output will be empty). + EOT +} + +#### End of copy of cloudposse/terraform-null-label/variables.tf diff --git a/modules/access-analyzer/main.tf b/modules/access-analyzer/main.tf new file mode 100644 index 000000000..db6f89e38 --- /dev/null +++ b/modules/access-analyzer/main.tf @@ -0,0 +1,37 @@ +locals { + enabled = module.this.enabled + account_map = module.account_map.outputs.full_account_map + org_delegated_administrator_account_id = local.account_map[var.delegated_administrator_account_name] +} + +resource "aws_accessanalyzer_analyzer" "organization" { + count = local.enabled && var.accessanalyzer_organization_enabled ? 1 : 0 + + analyzer_name = format("%s-organization", module.this.id) + type = "ORGANIZATION" + + tags = module.this.tags +} + +resource "aws_accessanalyzer_analyzer" "organization_unused_access" { + count = local.enabled && var.accessanalyzer_organization_unused_access_enabled ? 1 : 0 + + analyzer_name = format("%s-organization-unused-access", module.this.id) + type = "ORGANIZATION_UNUSED_ACCESS" + + configuration { + unused_access { + unused_access_age = var.unused_access_age + } + } + + tags = module.this.tags +} + +# Delegate Access Analyzer to the administrator account (usually the security account) +resource "aws_organizations_delegated_administrator" "default" { + count = local.enabled && var.organizations_delegated_administrator_enabled ? 1 : 0 + + account_id = local.org_delegated_administrator_account_id + service_principal = var.accessanalyzer_service_principal +} diff --git a/modules/access-analyzer/outputs.tf b/modules/access-analyzer/outputs.tf new file mode 100644 index 000000000..a7e70d6c7 --- /dev/null +++ b/modules/access-analyzer/outputs.tf @@ -0,0 +1,19 @@ +output "organization_accessanalyzer_id" { + value = one(aws_accessanalyzer_analyzer.organization[*].id) + description = "Organization Access Analyzer ID" +} + +output "organization_unused_access_accessanalyzer_id" { + value = one(aws_accessanalyzer_analyzer.organization_unused_access[*].id) + description = "Organization unused access Access Analyzer ID" +} + +output "aws_organizations_delegated_administrator_id" { + value = one(aws_organizations_delegated_administrator.default[*].id) + description = "AWS Organizations Delegated Administrator ID" +} + +output "aws_organizations_delegated_administrator_status" { + value = one(aws_organizations_delegated_administrator.default[*].status) + description = "AWS Organizations Delegated Administrator status" +} diff --git a/modules/access-analyzer/providers.tf b/modules/access-analyzer/providers.tf new file mode 100644 index 000000000..ef923e10a --- /dev/null +++ b/modules/access-analyzer/providers.tf @@ -0,0 +1,19 @@ +provider "aws" { + region = var.region + + # Profile is deprecated in favor of terraform_role_arn. When profiles are not in use, terraform_profile_name is null. + profile = module.iam_roles.terraform_profile_name + + dynamic "assume_role" { + # module.iam_roles.terraform_role_arn may be null, in which case do not assume a role. + for_each = compact([module.iam_roles.terraform_role_arn]) + content { + role_arn = assume_role.value + } + } +} + +module "iam_roles" { + source = "../account-map/modules/iam-roles" + context = module.this.context +} diff --git a/modules/access-analyzer/remote-state.tf b/modules/access-analyzer/remote-state.tf new file mode 100644 index 000000000..ba717f1ab --- /dev/null +++ b/modules/access-analyzer/remote-state.tf @@ -0,0 +1,11 @@ +module "account_map" { + source = "cloudposse/stack-config/yaml//modules/remote-state" + version = "1.5.0" + + component = "account-map" + tenant = (var.account_map_tenant != "") ? var.account_map_tenant : module.this.tenant + stage = var.root_account_stage + environment = var.global_environment + + context = module.this.context +} diff --git a/modules/access-analyzer/variables.tf b/modules/access-analyzer/variables.tf new file mode 100644 index 000000000..f6244ecd1 --- /dev/null +++ b/modules/access-analyzer/variables.tf @@ -0,0 +1,62 @@ +variable "region" { + type = string + description = "AWS Region" +} + +variable "account_map_tenant" { + type = string + description = "The tenant where the `account_map` component required by remote-state is deployed" +} + +variable "delegated_administrator_account_name" { + type = string + description = "The name of the account that is the AWS Organization Delegated Administrator account" +} + +variable "global_environment" { + type = string + default = "gbl" + description = "Global environment name" +} + +variable "organization_management_account_name" { + type = string + default = null + description = "The name of the AWS Organization management account" +} + +variable "root_account_stage" { + type = string + default = "root" + description = <<-DOC + The stage name for the Organization root (management) account. This is used to lookup account IDs from account names + using the `account-map` component. + DOC +} + +variable "accessanalyzer_organization_enabled" { + type = bool + description = "Flag to enable the Organization Access Analyzer" +} + +variable "accessanalyzer_organization_unused_access_enabled" { + type = bool + description = "Flag to enable the Organization unused access Access Analyzer" +} + +variable "unused_access_age" { + type = number + description = "The specified access age in days for which to generate findings for unused access" + default = 30 +} + +variable "organizations_delegated_administrator_enabled" { + type = bool + description = "Flag to enable the Organization delegated administrator" +} + +variable "accessanalyzer_service_principal" { + type = string + description = "The Access Analyzer service principal for which you want to make the member account a delegated administrator" + default = "access-analyzer.amazonaws.com" +} diff --git a/modules/access-analyzer/versions.tf b/modules/access-analyzer/versions.tf new file mode 100644 index 000000000..b5920b7b1 --- /dev/null +++ b/modules/access-analyzer/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_version = ">= 1.3.0" + + required_providers { + aws = { + source = "hashicorp/aws" + version = ">= 4.9.0" + } + } +}