# access-analyzer

This module creates the following resources.

- `aws_accessanalyzer_analyzer`
- `aws_accessanalyzer_archive_rule` (optional)

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.12 |
| aws | >= 6.12 |

## Providers

| Name | Version |
|------|---------|
| aws | 6.13.0 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 |

## Resources

| Name | Type |
|------|------|
| aws_accessanalyzer_analyzer.this | resource |
| aws_accessanalyzer_archive_rule.this | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| name | (Required) The name of the Analyzer. | `string` | n/a | yes |
| archive_rules | (Optional) A list of archive rules for the AccessAnalyzer Analyzer. Each item of the `archive_rules` block is defined below.<br>(Required) `name` - The name of the archive rule.<br>(Required) `filters` - A list of filter criteria for the archive rule. Each item of the `filters` block is defined below.<br>(Required) `criteria` - The filter criteria.<br>(Optional) `contains` - Contains comparator.<br>(Optional) `exists` - Exists comparator (boolean).<br>(Optional) `eq` - Equal comparator.<br>(Optional) `neq` - Not Equal comparator. | <pre>list(object({<br>  name = string<br>  filters = list(object({<br>    criteria = string<br>    contains = optional(list(string))<br>    exists   = optional(bool)<br>    eq       = optional(list(string))<br>    neq      = optional(list(string))<br>  }))<br>}))</pre> | `[]` | no |
| internal_access_analysis | (Optional) A configuration for the `INTERNAL_ACCESS` type Analyzer. `internal_access_analysis` is defined below.<br>(Optional) `rules` - A list of rules for the internal access analyzer. Each item of the `rules` block is defined below.<br>(Required) `inclusion` - An inclusion rule to filter findings. `inclusion` is defined below.<br>(Optional) `accounts` - A set of account IDs to include in the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.<br>(Optional) `resource_arns` - A set of resource ARNs to include in the analysis. The analyzer will only generate findings for resources that match these ARNs.<br>(Optional) `resource_types` - A set of resource types to include in the analysis. The analyzer will only generate findings for resources of these types. | <pre>object({<br>  rules = optional(list(object({<br>    inclusion = object({<br>      accounts       = optional(set(string), [])<br>      resource_arns  = optional(set(string), [])<br>      resource_types = optional(set(string), [])<br>    })<br>  })), [])<br>})</pre> | `{}` | no |
| module_tags_enabled | (Optional) Whether to create AWS Resource Tags for the module information. | `bool` | `true` | no |
| region | (Optional) The region in which to create the module resources. If not provided, the module resources will be created in the provider's configured region. | `string` | `null` | no |
| resource_group | (Optional) A configuration of the Resource Group for this module. `resource_group` is defined below.<br>(Optional) `enabled` - Whether to create a Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.<br>(Optional) `name` - The name of the Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.<br>(Optional) `description` - The description of the Resource Group. Defaults to `Managed by Terraform.`. | <pre>object({<br>  enabled     = optional(bool, true)<br>  name        = optional(string, "")<br>  description = optional(string, "Managed by Terraform.")<br>})</pre> | `{}` | no |
| scope | (Optional) The scope of the Analyzer. Valid values are `ACCOUNT` or `ORGANIZATION`. Defaults to `ACCOUNT`. | `string` | `"ACCOUNT"` | no |
| tags | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| type | (Optional) The finding type of the Analyzer. Valid values are `EXTERNAL_ACCESS`, `INTERNAL_ACCESS` or `UNUSED_ACCESS`. Defaults to `EXTERNAL_ACCESS`. | `string` | `"EXTERNAL_ACCESS"` | no |
| unused_access_analysis | (Optional) A configuration for the `UNUSED_ACCESS` type Analyzer. `unused_access_analysis` is defined below.<br>(Optional) `tracking_period` - The number of days in the tracking period. Findings will be generated for access that hasn't been used in more than the specified number of days. Defaults to `90`.<br>(Optional) `rules` - A list of rules for the unused access analyzer. Each item of the `rules` block is defined below.<br>(Required) `exclusion` - An exclusion rule to filter findings. `exclusion` is defined below.<br>(Optional) `accounts` - A set of account IDs to exclude from the analysis. Account IDs can only be applied to the analysis rule criteria for organization-level analyzers.<br>(Optional) `resource_tags` - A list of tag key and value pairs to exclude from the analysis. | <pre>object({<br>  tracking_period = optional(number, 90)<br>  rules = optional(list(object({<br>    exclusion = object({<br>      accounts      = optional(set(string), [])<br>      resource_tags = optional(list(map(string)), [])<br>    })<br>  })), [])<br>})</pre> | `{}` | no |
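
The following is an added usage example, not part of this module's own README or examples, showing how the inputs above fit together for the two analyzer types a security team most commonly runs side by side: an `EXTERNAL_ACCESS` analyzer whose `archive_rules` auto-archive findings that were already reviewed and accepted (access from principals inside the organization, and an expected service-readable log bucket that is not public), and an organization-scoped `UNUSED_ACCESS` analyzer with a shorter `tracking_period` and `exclusion` rules. The module `source` path, the organization ID, the account IDs and the bucket ARN are placeholders; the filter `criteria` keys (`condition.aws:PrincipalOrgID`, `resource`, `isPublic`) are the standard IAM Access Analyzer finding filter keys.

```hcl
# Added example (not the module's own code). Placeholder values are marked.

# 1. External-access analyzer for the current account. Archive rules remove
#    known-accepted access from the active findings so that only unexpected
#    cross-organization or public access remains for review.
module "external_access_analyzer" {
  source = "./modules/access-analyzer" # placeholder: path to this module

  name  = "external-access"
  type  = "EXTERNAL_ACCESS"
  scope = "ACCOUNT"

  archive_rules = [
    {
      # Access granted to principals in our own organization is expected.
      name = "archive-same-org-access"
      filters = [
        {
          criteria = "condition.aws:PrincipalOrgID"
          eq       = ["o-placeholder0"] # placeholder organization ID
        },
      ]
    },
    {
      # The log-delivery bucket is intentionally readable by AWS service
      # principals. Both filters must match (AND), so a finding for this
      # bucket that is actually public is NOT archived.
      name = "archive-log-delivery-bucket"
      filters = [
        {
          criteria = "resource"
          eq       = ["arn:aws:s3:::example-log-delivery-bucket"] # placeholder
        },
        {
          criteria = "isPublic"
          eq       = ["false"]
        },
      ]
    },
  ]

  tags = {
    Owner = "security-team"
  }
}

# 2. Organization-wide unused-access analyzer. A 60-day tracking period is
#    stricter than the module default of 90; sandbox accounts and tagged
#    break-glass roles are excluded because they are expected to sit unused.
module "unused_access_analyzer" {
  source = "./modules/access-analyzer" # placeholder: path to this module

  name  = "unused-access"
  type  = "UNUSED_ACCESS"
  scope = "ORGANIZATION"

  unused_access_analysis = {
    tracking_period = 60

    rules = [
      {
        exclusion = {
          accounts = ["111111111111", "222222222222"] # placeholder account IDs
          resource_tags = [
            { "break-glass" = "true" },
          ]
        }
      },
    ]
  }

  tags = {
    Owner = "security-team"
  }
}

# The module outputs listed in the README can be surfaced for downstream
# wiring (for example, EventBridge rules keyed on the analyzer ARN).
output "analyzer_arns" {
  value = {
    external = module.external_access_analyzer.arn
    unused   = module.unused_access_analyzer.arn
  }
}
```

Two things worth checking before applying this: an `ORGANIZATION`-scoped analyzer must be created from the organization's management account or a delegated administrator account for IAM Access Analyzer, and archive rules only hide findings from the active list, so keep the rule set narrow (every rule above still requires `isPublic = false` or a specific principal condition) rather than archiving by resource type alone.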

## Outputs

| Name | Description |
|------|-------------|
| archive_rules | A list of archive rules for the Analyzer. |
| arn | The Amazon Resource Name (ARN) of this Analyzer. |
| id | The ID of this Analyzer. |
| internal_access_analysis | The configuration for the `INTERNAL_ACCESS` type Analyzer. |
| name | The name of the Analyzer. |
| region | The AWS region this module's resources reside in. |
| resource_group | The resource group created to manage resources in this module. |
| scope | The scope of the Analyzer. |
| type | The finding type of the Analyzer. |
| unused_access_analysis | The configuration for the `UNUSED_ACCESS` type Analyzer. |