Support to manage additional regions for account module

modules/account/README.md

@@ -7,6 +7,7 @@ This module creates following resources.
 - `aws_iam_security_token_service_preferences`
 - `aws_account_primary_contact` (optional)
 - `aws_account_alternate_contact` (optional)
+- `aws_account_region` (optional)
 - `aws_s3_account_public_access_block`
 - `aws_spot_datafeed_subscription` (optional)
 

modules/account/contacts.tf

@@ -2,6 +2,8 @@
 # Primary Contact
 ###################################################
 
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_primary_contact" "this" {
   count = var.primary_contact != null ? 1 : 0
 
@@ -26,6 +28,8 @@ resource "aws_account_primary_contact" "this" {
 # Alternate Contacts
 ###################################################
 
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "billing" {
   count = var.billing_contact != null ? 1 : 0
 
@@ -37,6 +41,8 @@ resource "aws_account_alternate_contact" "billing" {
   phone_number  = var.billing_contact.phone
 }
 
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "operation" {
   count = var.operation_contact != null ? 1 : 0
 
@@ -48,6 +54,8 @@ resource "aws_account_alternate_contact" "operation" {
   phone_number  = var.operation_contact.phone
 }
 
+# INFO: Not supported attributes
+# - `account_id`
 resource "aws_account_alternate_contact" "security" {
   count = var.security_contact != null ? 1 : 0
 

modules/account/outputs.tf

@@ -18,6 +18,11 @@ output "password_policy" {
   value       = aws_iam_account_password_policy.this
 }
 
+output "additional_regions" {
+  description = "A set of additional regions enabled in the account."
+  value       = var.additional_regions
+}
+
 output "primary_contact" {
   description = "The primary contact attached to an AWS Account."
   value = try({

modules/account/regions.tf

@@ -0,0 +1,31 @@
+locals {
+  available_regions = [
+    "af-south-1",
+    "ap-east-1",
+    "ap-south-2",
+    "ap-southeast-3",
+    "ap-southeast-4",
+    "ca-west-1",
+    "eu-south-1",
+    "eu-south-2",
+    "eu-central-2",
+    "me-south-1",
+    "me-central-1",
+    "il-central-1",
+  ]
+}
+
+###################################################
+# Regions
+###################################################
+
+# INFO: Not supported attributes
+# - `account_id`
+# INFO: Not supported idempotent operation
+# TODO: How to manage disabled region?
+resource "aws_account_region" "this" {
+  for_each = var.additional_regions
+
+  region_name = each.value
+  enabled     = true
+}

modules/account/variables.tf

@@ -21,6 +21,34 @@ variable "password_policy" {
   nullable = false
 }
 
+variable "additional_regions" {
+  description = "(Optional) A set of regions to enable in the account."
+  type        = set(string)
+  default     = []
+  nullable    = false
+
+  validation {
+    condition = alltrue([
+      for region in var.additional_regions :
+      contains([
+        "af-south-1",
+        "ap-east-1",
+        "ap-south-2",
+        "ap-southeast-3",
+        "ap-southeast-4",
+        "ca-west-1",
+        "eu-south-1",
+        "eu-south-2",
+        "eu-central-2",
+        "me-south-1",
+        "me-central-1",
+        "il-central-1",
+      ], region)
+    ])
+    error_message = "Available regions for `additional_regions` are `af-south-1`, `ap-east-1`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `ca-west-1`, `eu-south-1`, `eu-south-2`, `eu-central-2`, `me-south-1`, `me-central-1`, `il-central-1`."
+  }
+}
+
 variable "primary_contact" {
   description = <<EOF
   (Optional) The configuration of the primary contact for the AWS Account. `primary_contact` as defined below.