From 6655c8aa0f70ef66a6a32bc270dc018d963f78f8 Mon Sep 17 00:00:00 2001 From: Byungjin Park Date: Thu, 18 Apr 2024 00:54:48 +0900 Subject: [PATCH] Support to manage additional regions for account module --- modules/account/README.md | 1 + modules/account/contacts.tf | 8 ++++++++ modules/account/outputs.tf | 5 +++++ modules/account/regions.tf | 31 +++++++++++++++++++++++++++++++ modules/account/variables.tf | 28 ++++++++++++++++++++++++++++ 5 files changed, 73 insertions(+) create mode 100644 modules/account/regions.tf diff --git a/modules/account/README.md b/modules/account/README.md index f598cf9..2ac0456 100644 --- a/modules/account/README.md +++ b/modules/account/README.md @@ -7,6 +7,7 @@ This module creates following resources. - `aws_iam_security_token_service_preferences` - `aws_account_primary_contact` (optional) - `aws_account_alternate_contact` (optional) +- `aws_account_region` (optional) - `aws_s3_account_public_access_block` - `aws_spot_datafeed_subscription` (optional) diff --git a/modules/account/contacts.tf b/modules/account/contacts.tf index 08c1bd4..30b914d 100644 --- a/modules/account/contacts.tf +++ b/modules/account/contacts.tf @@ -2,6 +2,8 @@ # Primary Contact ################################################### +# INFO: Not supported attributes +# - `account_id` resource "aws_account_primary_contact" "this" { count = var.primary_contact != null ? 1 : 0 @@ -26,6 +28,8 @@ resource "aws_account_primary_contact" "this" { # Alternate Contacts ################################################### +# INFO: Not supported attributes +# - `account_id` resource "aws_account_alternate_contact" "billing" { count = var.billing_contact != null ? 1 : 0 @@ -37,6 +41,8 @@ resource "aws_account_alternate_contact" "billing" { phone_number = var.billing_contact.phone } +# INFO: Not supported attributes +# - `account_id` resource "aws_account_alternate_contact" "operation" { count = var.operation_contact != null ? 1 : 0 
@@ -48,6 +54,8 @@ resource "aws_account_alternate_contact" "operation" { phone_number = var.operation_contact.phone } +# INFO: Not supported attributes +# - `account_id` resource "aws_account_alternate_contact" "security" { count = var.security_contact != null ? 1 : 0 diff --git a/modules/account/outputs.tf b/modules/account/outputs.tf index be0a301..a840e25 100644 --- a/modules/account/outputs.tf +++ b/modules/account/outputs.tf @@ -18,6 +18,11 @@ output "password_policy" { value = aws_iam_account_password_policy.this } +output "additional_regions" { + description = "A set of additional regions enabled in the account." + value = var.additional_regions +} + output "primary_contact" { description = "The primary contact attached to an AWS Account." value = try({ diff --git a/modules/account/regions.tf b/modules/account/regions.tf new file mode 100644 index 0000000..20f75a3 --- /dev/null +++ b/modules/account/regions.tf @@ -0,0 +1,31 @@ +locals { + available_regions = [ + "af-south-1", + "ap-east-1", + "ap-south-2", + "ap-southeast-3", + "ap-southeast-4", + "ca-west-1", + "eu-south-1", + "eu-south-2", + "eu-central-2", + "me-south-1", + "me-central-1", + "il-central-1", + ] +} + +################################################### +# Regions +################################################### + +# INFO: Not supported attributes +# - `account_id` +# INFO: Not supported idempotent operation +# TODO: How to manage disabled region? +resource "aws_account_region" "this" { + for_each = var.additional_regions + + region_name = each.value + enabled = true +} diff --git a/modules/account/variables.tf b/modules/account/variables.tf index 3ecaf41..4c43e05 100644 --- a/modules/account/variables.tf +++ b/modules/account/variables.tf 
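Review bot: `output "additional_regions"` in outputs.tf returns `var.additional_regions`, i.e. the requested set, rather than the `aws_account_region.this` resources, so its description `A set of additional regions enabled in the account.` promises more than the value carries and a consumer that references the output gets no dependency on the opt-in resources themselves. Deriving it from the resource keeps the output tied to state: `value = toset([for region in aws_account_region.this : region.region_name])`. If the intent really is to echo the input, the description should instead say it is the configured set of regions.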
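Review bot: `local.available_regions` in the new regions.tf is defined but never referenced, while the same twelve names are repeated verbatim in the `additional_regions` validation in variables.tf, so the two lists will drift as AWS adds opt-in regions. If the module's required Terraform version lets a `validation` block reference locals, the condition should use `local.available_regions`; otherwise drop the local or mark both copies with `# NOTE: keep in sync with the region list in variables.tf`. The `TODO: How to manage disabled region?` above `resource "aws_account_region" "this"` leaves the removal path undocumented: from the hunk one cannot tell whether removing a name from `additional_regions` disables the region or merely drops it from state, and since opting a region in extends where resources can be created, the resource comment should state the destroy behaviour the provider actually implements (verify against the provider documentation) and note that the account's baseline controls are expected to cover newly enabled regions.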
@@ -21,6 +21,34 @@ variable "password_policy" { nullable = false } +variable "additional_regions" { + description = "(Optional) A set of regions to enable in the account." + type = set(string) + default = [] + nullable = false + + validation { + condition = alltrue([ + for region in var.additional_regions : + contains([ + "af-south-1", + "ap-east-1", + "ap-south-2", + "ap-southeast-3", + "ap-southeast-4", + "ca-west-1", + "eu-south-1", + "eu-south-2", + "eu-central-2", + "me-south-1", + "me-central-1", + "il-central-1", + ], region) + ]) + error_message = "Available regions for `additional_regions` are `af-south-1`, `ap-east-1`, `ap-south-2`, `ap-southeast-3`, `ap-southeast-4`, `ca-west-1`, `eu-south-1`, `eu-south-2`, `eu-central-2`, `me-south-1`, `me-central-1`, `il-central-1`." + } +} + variable "primary_contact" { description = <